APF - Authorized Program Facility
APF, or Authorized Program Facility, is a crucial security mechanism in z/OS that identifies programs authorized to use sensitive system services and privileged instructions. It ensures system integrity by preventing unauthorized programs from accessing or modifying critical operating system components or performing actions that could compromise the system.
Key Characteristics
- Privileged Access: Grants programs the ability to execute privileged instructions, issue certain SVCs (Supervisor Calls), and access restricted system resources.
- System Integrity: Essential for maintaining the stability and security of the z/OS operating system by controlling which programs can perform sensitive operations.
- APF List: Programs are authorized by residing in a library (PDS or PDSE) that is explicitly defined in the system's APF list.
- Link-edit Attribute: For a program to be APF-authorized, it must be link-edited with the AC(1) (Authorization Code 1) attribute, indicating it requires authorization.
- Dynamic and Static Definition: APF-authorized libraries can be defined statically during system IPL via the PROGxx member in SYS1.PARMLIB or dynamically using the SETPROG APF operator command.
- Library Requirements: APF-authorized libraries must be non-compressed, SMS-managed, and reside on a specific type of volume, or be non-SMS managed but defined correctly.
Use Cases
- Core System Utilities: Programs like IEBCOPY, IDCAMS, DFSMS utilities, and other IBM-supplied system management tools that require privileged access.
- Security Software Components: Modules of external security managers (ESMs) such as RACF, ACF2, or Top Secret that need to intercept system calls or manage security resources.
- Database Management Systems: Control regions and critical utilities for DB2, IMS, and other database systems that manage system-level resources and data.
- Middleware and Transaction Managers: Components of CICS, MQSeries, and other transaction processing or messaging systems that interact directly with the operating system.
- Custom System Exits: User-written exit routines or specialized applications that perform system-level functions and require elevated privileges.
Related Concepts
APF works in conjunction with external security managers (ESMs) like RACF; APF authorizes the *program* to perform a privileged action, while RACF authorizes the *user* to execute that program or access specific resources. It is directly tied to the AC(1) link-edit attribute, which flags a program as requiring APF authorization. The PROGxx PARMLIB member is where the static list of APF-authorized libraries is maintained, defining the system's security posture at IPL. Many critical SVC routines check for APF authorization before allowing a program to proceed, ensuring system integrity.
- Minimize Authorization: Only authorize programs and libraries that absolutely require APF authorization to perform their intended functions.
- Controlled Access: Strictly control write access to APF-authorized libraries and the PROGxx PARMLIB member to prevent unauthorized modifications.
- Regular Review: Periodically review the APF list to ensure all entries are still necessary and valid, removing any obsolete or redundant authorizations.
- Dedicated Libraries: Store APF-authorized programs in dedicated, separate libraries, distinct from general application libraries, to simplify management and auditing.
- Dynamic vs. Permanent: Use dynamic SETPROG APF commands sparingly for temporary testing or emergency fixes; ensure permanent changes are reflected in PROGxx for consistency across IPLs.
- Auditing and Monitoring: Implement robust auditing to track changes to APF-authorized libraries and the APF list, and monitor for any unauthorized attempts to execute privileged code.
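The review and dynamic-versus-permanent checks above can be automated by comparing the static PROGxx definitions with the active APF list. The following is an added example, not part of the original page: the member text and the display output are constructed samples, and the `APF ADD DSNAME(...) VOLUME(...)|SMS` statement form and the `D PROG,APF` column layout it parses are assumptions about the input.

```python
import re

# Constructed sample of a PROGxx member (not taken from a real system).
PROGXX = """\
APF FORMAT(DYNAMIC)
/* base system libraries */
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(RES001)
APF ADD DSNAME(SYS1.SVCLIB)
        VOLUME(RES001)
APF ADD DSNAME(PROD.AUTH.LOADLIB) SMS
"""

# Constructed sample of D PROG,APF output; the column layout is an assumption.
DISPLAY = """\
CSV450I 09.15.02 PROG,APF DISPLAY 042
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1  RES001 SYS1.LINKLIB
   2  RES001 SYS1.SVCLIB
   3  *SMS*  PROD.AUTH.LOADLIB
   4  WORK01 TEST.TEMP.LOADLIB
"""

# One APF ADD statement: data set name, then either a volume serial or SMS.
APF_ADD = re.compile(
    r"\bAPF\s+ADD\s+DSNAME\(\s*([^)\s]+)\s*\)\s+"
    r"(?:VOLUME\(\s*([^)\s]+)\s*\)|(SMS)\b)", re.I)
# One display row: entry number, volume, data set name.
ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s*$")

def parse_progxx(text):
    """Return {(dsname, volume)} from APF ADD statements in a PROGxx member."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* ... */ comments
    text = " ".join(text.split())                       # join multi-line statements
    return {(m.group(1).upper(), (m.group(2) or "*SMS*").upper())
            for m in APF_ADD.finditer(text)}

def parse_display(text):
    """Return {(dsname, volume)} from the rows of a D PROG,APF display."""
    return {(m.group(2), m.group(1))
            for line in text.splitlines() if (m := ENTRY.match(line))}

def apf_drift(progxx, display):
    """Entries active but not in PROGxx, and entries in PROGxx but not active."""
    static, active = parse_progxx(progxx), parse_display(display)
    return {"dynamic_only": sorted(active - static),
            "not_active": sorted(static - active)}
```

Entries under `dynamic_only` were added outside PROGxx and will not survive an IPL; each one should be either removed or made permanent after review.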