Many audit and security specialists agree that the key z/OS files and libraries include all data sets with the SYS1 prefix and the APF, LPA, and the system linklist libraries. The system linklist consists of SYS1.LINKLIB and the list of libraries concatenated to it. All of these libraries should be protected from unauthorized access and update.
Most systems programmers feel that they need access to all key libraries in case of problems. There is some truth to this. The need for security cannot impede people’s ability to get their jobs done. The key is to find a tolerable balance between control and maintainability. Many specialists recommend that no one be permitted standing update access to the production z/OS libraries, although provision does need to be made for emergency access. Read access is generally permitted on a need‑to‑know basis. Even in data centers that permit standing update access, it is often possible to partition access. For example, the person who maintains CICS would not need access to the z/OS nucleus file, and the person specializing in TSO would not need access to the IMS library (IMS.RESLIB).
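The access rules above can be checked mechanically against an export of data set permissions. The following Python sketch is an added example, not part of the original documentation; the record layout, user IDs, access-level names, library lists, and responsibility map are all constructed assumptions.

```python
from typing import NamedTuple

KEY_PREFIX = "SYS1."
# Constructed stand-ins for a site's APF, LPA and linklist library lists.
APF = {"CICS.SDFHAUTH", "IMS.RESLIB"}
LPA = {"SYS1.LPALIB"}
LINKLIST = {"SYS1.LINKLIB", "CEE.SCEERUN"}
# Access levels ordered weakest to strongest (level names are an assumption).
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

class Permit(NamedTuple):
    user: str
    dataset: str
    level: str
    emergency: bool = False  # time-limited emergency grant (assumed field)

def is_key_library(dsn):
    """Key library: SYS1 prefix, or listed as APF, LPA or linklist."""
    return dsn.startswith(KEY_PREFIX) or dsn in APF | LPA | LINKLIST

def audit(permits, areas):
    """Return (user, dataset, reason) for each grant that breaks the guidance."""
    findings = []
    for p in permits:
        if not is_key_library(p.dataset) or p.level == "NONE":
            continue
        # No standing update access; emergency grants are the provision for fixes.
        if LEVELS.index(p.level) >= LEVELS.index("UPDATE") and not p.emergency:
            findings.append((p.user, p.dataset, "standing-update"))
        # Partitioning: any access outside the user's own area needs review.
        if not any(p.dataset.startswith(a) for a in areas.get(p.user, ())):
            findings.append((p.user, p.dataset, "outside-area"))
    return findings

# Constructed responsibility map: data set prefixes each person maintains.
AREAS = {"CICSADM": ("CICS.",), "TSOADM": ("SYS1.CMDLIB",),
         "IMSADM": ("IMS.",), "SYSPROG1": ("SYS1.",)}
# Constructed permission export.
PERMITS = [
    Permit("CICSADM", "CICS.SDFHAUTH", "READ"),
    Permit("CICSADM", "SYS1.NUCLEUS", "READ"),
    Permit("TSOADM", "IMS.RESLIB", "UPDATE"),
    Permit("SYSPROG1", "SYS1.LINKLIB", "ALTER"),
    Permit("SYSPROG1", "SYS1.LPALIB", "UPDATE", emergency=True),
    Permit("IMSADM", "IMS.TEST.LOAD", "ALTER"),
]

if __name__ == "__main__":
    for user, dsn, reason in audit(PERMITS, AREAS):
        print(f"{user:9} {dsn:15} {reason}")
```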
The key z/OS data sets are:
Use option 2.4 to display the key z/OS libraries.
Copyright © 2009 CA. All rights reserved.