z/OS UNIX System Services Planning


RACF with enhanced program security, BPX.SERVER, and BPX.MAINCHECK

GA32-0884-00

If you enable enhanced program security, and you have any daemons or servers that run execute-controlled programs (MVS™ programs defined to RACF® in the PROGRAM class using EXECUTE authority, or loaded from libraries using EXECUTE authority), then you must define the initial program executed by your daemon or server as a trusted ("MAIN") program to RACF via the PROGRAM class. If this initial program resides in the z/OS UNIX file system, rather than in an MVS library, you will need to move it to an MVS library.

Additionally, you can choose whether to extend the enhanced program security protection to your UNIX daemons and servers that do not make use of RACF execute-controlled programs. You would enable this function by defining the profile BPX.MAINCHECK to RACF in the FACILITY class. Again, you would need to ensure that the initial program executed by your daemon or server resides in an MVS library and you would need to define it to RACF as a PROGRAM with the MAIN attribute.
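The RACF definitions described in the two paragraphs above, written as a batch TSO job. This is an added example, not taken from the IBM manual: the job card, the program name MYDAEMON and the library MY.SERVER.LOADLIB are placeholders, and it assumes program control is already active and the FACILITY class is RACLISTed.

```jcl
//RACFMAIN JOB (ACCT),'DEFINE MAIN PGM',CLASS=A,MSGCLASS=X
//* Added example. Placeholders (assumptions): job card values,
//* program name MYDAEMON, library MY.SERVER.LOADLIB.
//* Assumes SETROPTS WHEN(PROGRAM) is already in effect and the
//* FACILITY class is RACLISTed.
//*
//* 1. Define the daemon's initial program, loaded from an MVS
//*    library, as a trusted MAIN program in the PROGRAM class.
//* 2. Refresh the in-storage PROGRAM profiles.
//* 3. Define BPX.MAINCHECK to extend the check to daemons and
//*    servers that do not use execute-controlled programs.
//*    Done after step 1 so the daemon's program is already MAIN.
//* 4. Refresh the RACLISTed FACILITY class.
//* 5. List both profiles to confirm the member and APPLDATA.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE PROGRAM MYDAEMON -
    ADDMEM('MY.SERVER.LOADLIB'//NOPADCHK) -
    APPLDATA('MAIN') UACC(READ)
  SETROPTS WHEN(PROGRAM) REFRESH
  RDEFINE FACILITY BPX.MAINCHECK UACC(NONE)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST PROGRAM MYDAEMON ALL
  RLIST FACILITY BPX.MAINCHECK ALL
/*
```

In the RLIST output, check that the PROGRAM profile shows APPLICATION DATA of MAIN and the expected library as its member before relying on BPX.MAINCHECK.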

Kernel services that change a caller's z/OS user identity require the target z/OS user identity to have an OMVS segment defined. If you want to maintain this extra level of control at your installation, you will have to choose which daemons to permit to the BPX.DAEMON profile in the FACILITY class. You will also have to choose the users to whom you give the OMVS security profile segments. To accomplish this, refer to Steps for preparing the security program for daemons.

Steps for setting up enhanced program security explains how to set up enhanced program security.





Copyright IBM Corporation 1990, 2014