Controls access to the _cpl service.

Allows a permitted user the ability to use the _console() or _console2() services.

Daemon authority is required only when a program does a setuid(), seteuid(), setreuid(), or spawn() user ID to change the current UID without first having issued a _passwd() call to the target user ID. In order to change the MVS identity without knowing the target user ID's password or password phrase, the caller of these services must be a superuser. Additionally, if a BPX.DAEMON FACILITY class profile is defined and the FACILITY class is active, the caller must be permitted to use this profile. If a program comes from a controlled library and knows the target UID's password or password phrase, it can change the UID without having daemon authority.

The RACF WARNING mode is not supported for BPX.DAEMON.

For more information about BPX.DAEMON, see Establishing the correct level of security for daemons.

Controls which users with daemon authority are allowed to load uncontrolled programs from MVS libraries into their address space.

Restriction: BPX.DAEMON.HFSCTL does not allow generic profiles.

Users with READ access to BPX.DEBUG can debug certain types of restricted processes. These do not include processes that have a PID of 1. To debug programs that run with APF authority or with BPX.SERVER authority, they can use dbx to call the ptrace callable service.

Allows unauthorized callers of the execmvs callable service to pass an argument that is greater than 100 characters to an authorized program.

If the FACILITY class resource exists, then unauthorized callers can pass arguments greater than 100 characters to the program name that is specified in the FACILITY class profile. Individual users do not need to be given access to the profile. If you do not want unauthorized callers to pass an argument greater than 100 characters to any authorized programs, do not define any BPX.EXECMVSAPF.program_name profiles.

BPX.EXECMVSAPF.YOURPGM                                                       
BPX.EXECMVSAPF.MYPGM 

BPX.EXECMVSAPF.MYP* 

BPX.EXECMVSAPF.* 

Controls which users are allowed to set the APF-authorized attribute in a z/OS® UNIX file. This authority allows the user to create a program that will run APF-authorized. This is similar to the authority of allowing a programmer to update SYS1.LINKLIB or SYS1.LPALIB.

Controls which users are allowed to set the program control attribute. Programs marked with this attribute can execute in server address spaces that run with a high level of authority. See Defining programs in UNIX files to program control for more information.

Indicates that extra privilege is required when setting the shared library extended attribute via the chattr() callable service. This prevents the shared library region from being misused. See Defining UNIX files as shared library programs for more information.

Controls which users are allowed to set their own job names by using the _BPX_JOBNAME environment variable or the inheritance structure on spawn. Users with READ or higher permissions to this profile can define their own job names.

Extends the enhanced program security protection to your UNIX daemons and servers that do not make use of RACF execute-controlled programs. For more information, see RACF with enhanced program security, BPX.DAEMON, and BPX.MAINCHECK and RACF with enhanced program security, BPX.SERVER, and BPX.MAINCHECK.

Restriction: BPX.MAINCHECK does not allow generic profiles.

Controls access to the _map and _map_init services.

Enables automatic assignment of UIDs and GIDs. The APPLDATA field of this profile specifies a starting value, or range of values, from which RACF will derive unused UID and GID values. z/OS Security Server RACF Security Administrator's Guidehas more information about BPX.NEXT.USER.

Controls access to the _poe service.

Enables faster security checks for file system and IPC constructs. For more information, see Fastpath support for System Authorization Facility (SAF).

Restriction: BPX.SAFFASTPATH does not allow generic profiles.

Restricts the use of the pthread_security_np() service. A user with at least READ or WRITE access to the BPX.SERVER FACILITY class profile can use this service. It creates or deletes the security environment for the caller's thread.

This profile is also used to restrict the use of the BPX1ACK service, which determines access authority to z/OS resources

For more information about BPX.SERVER, see Preparing security for servers and Establishing the correct level of security for daemons.

Checks if the caller attempting to cut an SMF record is allowed to write an SMF record. It also tests if an SMF type or subtype is being recorded.

Controls access to the oe_env_np service to register and block for OMVS shutdown.

Allows users to change their UID if they have access to BPX.SRV.userid, where uuuuuuuu is the MVS user ID associated with the target UID. BPX.SRV.userid is a RACF SURROGAT class profile.

Controls which users can make address spaces nonswappable. Users permitted with at least READ access to BPX.STOR.SWAP can invoke the __mlockall() callable service to make their address space either nonswappable or swappable.

When an application makes an address space nonswappable, it might cause additional real storage in the system to be converted to preferred storage. Because preferred storage cannot be configured offline, using this service can reduce the installation's ability to reconfigure storage in the future. Any application using this service should warn the customer about this side effect in their installation documentation.

Allows users to switch to superuser authority. For more information about BPX.SUPERUSER, see Superusers in z/OS UNIX.

Allows users to use the _BPX_UNLIMITED_OUTPUT environment variable to override the default spooled output limits for processes.