z/OS Utilities

z/OS utilities use standard z/OS mechanisms to access data, and therefore go through normal security validation. However, some utilities or utility functions do not go through security processing. For example:

SUPERZAP (IMASPZAP, AMASPZAP): This utility can determine if APF‑authorized can change any data anywhere including security indicators.
IEHPROGM: This utility can allow certain functions to bypass security.
IEHINITT: This utility can initialize any tape volume (overwrite header labels) with only operator authorization.

Utilities can automatically invoke the Standard Security Interface directly themselves or indirectly using OPEN. Therefore, CA Top Secret is automatically invoked.

Utilities that do not interface with security should:

Have their use restricted by program protection or by restricting use of the libraries containing these programs
Not reside in the LINKLIST where it is available to all users.