Authorized Library
An Authorized Library in z/OS is a partitioned data set (PDS or PDSE) that contains programs permitted to execute with special system privileges, such as supervisor state, a non-key-8 storage key, or other elevated authorities. These programs are typically APF-authorized, meaning they are listed in the Authorized Program Facility (APF) list, allowing them to perform operations that bypass standard z/OS security mechanisms.
Key Characteristics
- APF-Authorization: For a library to be considered "authorized," it must be explicitly listed in the system's APF list, either dynamically via operator commands or statically in SYS1.PARMLIB(PROGxx) or IEAAPFxx.
- Privileged Execution: Programs loaded from an authorized library can run in supervisor state, with a storage key other than 8, or with other special authorities, enabling them to access restricted system resources or perform privileged instructions.
- Security Controls: Access to modify or update an authorized library is strictly controlled by external security managers (ESMs) like RACF, ACF2, or Top Secret to prevent unauthorized code injection.
- System Integrity: Authorized libraries are fundamental to z/OS system integrity, ensuring that only trusted and verified code can perform sensitive operations.
- Data Set Type: Can be a Partitioned Data Set (PDS) or a Partitioned Data Set Extended (PDSE). PDSEs are generally preferred for their improved integrity and space management.
Use Cases
- Operating System Components: Core z/OS system modules, such as those for JES, VTAM, SMS, and other system services, reside in authorized libraries (e.g., SYS1.LINKLIB, SYS1.LPALIB).
- Subsystem Load Libraries: Load modules for major subsystems like CICS, IMS, DB2, and MQ Series are stored in authorized libraries, enabling them to manage their resources and interact with the operating system securely.
- Security Software: Components of ESMs (RACF, ACF2, Top Secret) themselves are housed in authorized libraries to ensure their integrity and ability to enforce security policies.
- System Utilities: Critical system utilities that require privileged access to perform their functions, such as those for system monitoring, diagnostics, or IPL processes.
- Custom Exits and SVCs: User-written system exits or custom Supervisor Calls (SVCs) that need elevated privileges to extend system functionality must be placed in authorized libraries.
Related Concepts
Authorized Libraries are intrinsically linked to the Authorized Program Facility (APF), which is the mechanism z/OS uses to identify and validate these libraries. They are protected by External Security Managers (ESMs) like RACF, which control who can access and modify their contents. Programs within these libraries often utilize Supervisor State or specific Storage Keys to perform privileged operations, bypassing the standard protection mechanisms that prevent unauthorized access to system resources. The integrity of the Link Pack Area (LPA) and System Queue Area (SQA) also relies on the trustworthiness of programs loaded from authorized libraries.
- Minimize Contents: Only place programs requiring APF authorization into an authorized library. Avoid cluttering it with non-privileged code.
- Strict Access Control: Implement stringent RACF/ACF2/Top Secret profiles to restrict update access to authorized libraries to a very small, trusted group of system programmers.
- Regular Auditing: Periodically audit the contents of authorized libraries and the access logs to detect any unauthorized changes or suspicious activity.
- Use PDSEs: Whenever possible, use PDSEs instead of PDSs for authorized libraries due to their improved integrity, concurrency, and space management capabilities.
- STEPLIB/JOBLIB Concatenation: Never concatenate an unauthorized library *before* an authorized library in a STEPLIB or JOBLIB DD statement, as this would cause the entire concatenation to be treated as unauthorized, potentially leading to program abends or security exposures.
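An audit check for the auditing and STEPLIB/JOBLIB points above, as an added example that is not part of the original page: it reads the APF ADD statements from a PROGxx member and reports each STEPLIB or JOBLIB concatenation that contains a library missing from that list. It flags such a library at any position in the concatenation, which includes the ordering described above. The data set names, job name and program name are constructed sample values, and the parsing is simplified (DSNAME keyword only, no continuation lines).

```python
import re

# Constructed sample data (not from a real system).
PROGXX = """\
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(******)
APF ADD DSNAME(CICS.PROD.SDFHAUTH) SMS
/* APF ADD DSNAME(OLD.AUTH.LOAD) VOLUME(WRK001) */
"""
JCL = """\
//AUDITJOB JOB (ACCT),'SAMPLE'
//STEP1    EXEC PGM=AUTHPGM
//STEPLIB  DD DSN=DEV.TEST.LOAD,DISP=SHR
//         DD DSN=SYS1.LINKLIB,DISP=SHR
//SYSPRINT DD SYSOUT=*
//STEP2    EXEC PGM=AUTHPGM
//STEPLIB  DD DSN=CICS.PROD.SDFHAUTH,DISP=SHR
"""

def parse_apf(progxx):
    """Data set names on APF ADD statements; /* */ comments are ignored."""
    text = re.sub(r"/\*.*?\*/", " ", progxx, flags=re.S)
    return {n.upper() for n in re.findall(r"\bAPF\s+ADD\s+DSNAME\(\s*([^)\s]+)\s*\)", text, re.I)}

def concatenations(jcl):
    """List [step, ddname, [dsn, ...]] for each STEPLIB/JOBLIB concatenation."""
    out, step, current = [], "(job)", None
    for line in jcl.splitlines():
        m = re.match(r"//(?!\*)(\S*)\s+(\S+)\s*(.*)", line)
        if not m:
            continue  # comment, null statement or in-stream data
        name, op, operands = m.groups()
        if op == "EXEC":
            step, current = name, None
        elif op == "DD":
            if name in ("STEPLIB", "JOBLIB"):
                current = [step, name, []]
                out.append(current)
            elif name:
                current = None  # any other named DD ends the concatenation
            dsn = re.search(r"\bDS(?:NAME|N)=([^,\s]+)", operands)
            if current and dsn:
                current[2].append(dsn.group(1).upper())
    return out

def audit(progxx, jcl):
    """Concatenations holding a library absent from the APF list (volume not compared)."""
    apf = parse_apf(progxx)
    hits = [(s, dd, [d for d in dsns if d not in apf]) for s, dd, dsns in concatenations(jcl)]
    return [h for h in hits if h[2]]
```

On the sample input, `audit(PROGXX, JCL)` reports only STEP1, whose STEPLIB includes DEV.TEST.LOAD.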