Understanding how the mainframe manages authorized and non-authorized code is crucial for anyone performing system-level tasks. The concepts are simple, but understanding how they relate to one another can get dicey. This post is geared towards someone who needs to write authorized mainframe code.
The system considers a task authorized when the executing program has the following characteristics:
It runs in supervisor state (bit 15 of the program status word (PSW) is zero).
It runs with PSW key 0 to 7 (bits 8 through 11 of the PSW contain a value in the range 0 to 7).
All previous programs executed in the same task were APF programs.
Here are the three things you need to know about:
APF AUTHORIZED: APF stands for A.uthorized P.rogram F.acility. It allows for the system programmer (for those of you who are new to the field, in mainframe-land a system programmer is like a system-administrator) to identify data sets and programs that are allowed to perform sensitive system functions. There are two components to APF authorization. The first is link-editing a module (program) with the AC 1 option set. By using the AC 1 option, we are making the module eligible to be APF authorized. The second component is to place the module into an APF authorized library. APF-authorized programs must reside in one of the following authorized libraries (data set):
Authorized libraries specified by your installation.
Now that we've got our module properly link-edited and placed in an authorized library, we can move onto PSW key and system state. Normally, the system will run in what's referred to as “problem state”. This means there is a set of instructions that are unavailable. Only when the user is in supervisor state are these privileged instructions available. APF authorized programs are permitted to put the system into supervisor state. THIS IS IMPORTANT ---> APF AUTHORIZED PROGRAMS DO NOT RUN IN SUPERVISOR STATE AUTOMATICALLY! APF AUTHORIZATION ONLY ALLOWS FOR THE SYSTEM TO BE PLACED SUPERVISOR STATE.
So now that we're in supervisor state, there's one more thing we need to think about. Every page of storage (a page is 4 kilobytes) has a key associated with it. Keys 0-7 are considered protected, and 8-15 are considered unprotected. If a page of storage is protected, module attempting to access it must be authorized. The system needs to be in supervisor state in order to change the default PSW key from 8 to one that is authorized.
So, let's review. To create a program that is capable of executing privileged instructions and accessing protected storage, it needs to be APF authorized (link edited with the AC 1 option and placed in an APF authorized library), it needs to use the MODESET macro to place the system in supervisor state, and it needs to use the SPKA instruction to change the PSW key to 0-7 (whatever is appropriate).
Well, that's about it. I hope it helps. Here's a link that provides a bit more info if you need it.