Program Properties Table

Certain system programs need to run with special powers. For example, programs such as disk pack backup and recovery programs might need to access password‑protected data sets without actually knowing the password. The program properties table (PPT), option 3.6, lists these programs by name and the special properties assigned to each. A program must reside in an APF‑authorized library to be assigned the special powers found in its PPT entry. The program does not have to be marked ACCODE=1 by the linkage editor.

The name of the PPT control section (CSECT) is IEFSDPPT. IEFSDPPT is a load module in SYS1.LINKLIB. PPT entries that are defined by the data center or updated by IBM are specified in the SCHEDxx logical Parmlib member. Each entry in the PPT includes the program name, attribute bytes, and a storage protection key field. Special properties are designated as flags in the attribute byte.

The following attributes in the Program Properties Table Analysis display are of extreme importance from the audit and security controls standpoint:

Dataset Integrity Bypass

This attribute, labeled PPTNDSI in IBM documentation, permits access to a data set that is under the exclusive control of another job. Exclusive control is expressed as DISP=OLD in JCL. Because the other job does not know that its exclusive control is being overridden, the PPT‑named program must be very cautious about what it does to the data set. This attribute is ignored unless the program is running as a single‑step job or single‑step started task.

Security Bypass

This attribute (PPTNOPAS) permits a program to access password‑protected data sets without providing the appropriate password. CA ACF2 does not honor data set password bypass; RACF and CA Top Secret do.

Key

This attribute displays the storage protect key that the system assigns to programs in the PPT. Keys are assigned only if the PPTSKEY attribute is also provided. If omitted for the data sets it controls, z/OS assigns the default key value of 8.

Protect keys 8 through 15 are user storage keys. Most application programs run in key 8. Keys less than 8 are system keys and are assigned to parts of the operating system and its subsystems. For example, the Information Management System (IMS) uses key 7. Telecommunications access methods, such as TCAM and VTAM, use key 6. The job entry subsystem, JES2 or JES3, uses key 1.

The master storage key, key 0, is used for many z/OS control blocks, but its use includes more than that. A program that runs in key 0 can access storage in any key. This includes control block storage that indicates whether the program is APF‑authorized. Programs that run in key 0, in supervisor state, or APF‑authorized have equal power. Possession of any one of these powers permits a program to gain the other two.
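
As an added example (not part of the original documentation or of any product), the following Python code reviews the PPT statements of a SCHEDxx member for the three attributes described above. It assumes that the SCHEDxx keywords NODSI, NOPASS, and KEY(n) set PPTNDSI, PPTNOPAS, and the key field, that comments are delimited by /* */, and that a PPT statement ends at the next statement keyword; the sample member, program names, and function names are constructed for illustration.

```python
import re

# Constructed SCHEDxx sample; program names are invented for illustration.
SAMPLE_SCHED = """\
PPT PGMNAME(BKUPUTIL)      /* constructed: backup utility */
    NOCANCEL KEY(0) NOSWAP NODSI NOPASS
PPT PGMNAME(RPTWRITR)      /* constructed: no special powers */
    CANCEL DSI PASS
PPT PGMNAME(TPMONITR) KEY(6) NOSWAP
"""

TOKEN = re.compile(r"([A-Z0-9#$@]+)(?:\(([^)]*)\))?")
# Assumption: these other SCHEDxx statement keywords end a PPT statement.
OTHER_STATEMENTS = {"MT", "EDT", "RESTART", "NORESTART"}

def parse_ppt(text):
    """Return one dict per PPT statement with the audit-relevant fields."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S).upper()
    entries, cur = [], None
    for word, arg in TOKEN.findall(text):
        if word == "PPT":
            cur = {"name": None, "key": None, "nodsi": False, "nopass": False}
            entries.append(cur)
        elif word in OTHER_STATEMENTS:
            cur = None
        elif cur is None:
            continue
        elif word == "PGMNAME":
            cur["name"] = arg.strip()
        elif word == "KEY":
            cur["key"] = int(arg)
        elif word in ("NODSI", "NOPASS"):
            cur[word.lower()] = True
    return entries

def audit(entries):
    """List (program, reasons) for entries an auditor should justify."""
    findings = []
    for e in entries:
        key = 8 if e["key"] is None else e["key"]  # default key value is 8
        flags = [("data set integrity bypass", e["nodsi"]),
                 ("password bypass", e["nopass"]),
                 (f"system key {key}", key < 8)]
        reasons = [label for label, hit in flags if hit]
        if reasons:
            findings.append((e["name"], reasons))
    return findings

if __name__ == "__main__":
    print(audit(parse_ppt(SAMPLE_SCHED)))
```

Each flagged program should then be checked against the APF‑authorized library list, because the PPT entry takes effect only when the program resides in such a library.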