IBM code can control dumping with SYSUDUMP, SYSABEND, and SYSMDUMP statements of address spaces that contain controlled programs by defining a profile to protect a resource called IEAABD.DMPAUTH in the FACILITY general resource class.
Release : 16.0
Component : CA ACF2 for z/OS
IEAABD.DMPAUTH resource call comes from IBM code to control dumping with SYSUDUMP, SYSABEND, and SYSMDUMP statements of address spaces. ACF2 will suppress a dump if the environment in use is PROGRAM PATHED, or EXECUTE only. When this happens, the ACFRPTDS report will show DUMPAUTH in the rmrc field of the report. The DUMPAUTH attribute in a logonid record is ACF2 only and allows a logonid to take a user dump to the SYSUDUMP or SYSABEND ddnames, rather than to the system dump data sets even if it is running a program that is from an execute-only library, or is using Program Pathing in ACF2. This is done because these rules would make the files as unreadable, but a dump would allow you to read the data, getting around security rules.
IEAABD.DMPAUTH access should be given to users that need to debug their own programs. DUMPAUTH should only be given to personnel assigned to debug a problem that requires the special data be used.
IBM defintion of IEAABD.DMPAUTH: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/pdmpfac.htm