RACF (resource ACCESS control Facility) is of IBM implementation of the Sicherheitschnittstelle SAF (system Authorization Facility) of the large computer operating system MVS (core z/OS). The today's name reads Secure Way Security server - RACF.

The main functions, which are fulfilled it:

• Identification and verification the user by means of user codes and password check (Authentifizierung)
• Protection of resources by the administration of the rights of access (authorizing)
• LOGGING of the accesses to protected resources (Auditing).

The RACF administrator maintains the RACF data base by means of RACF commands. This contains the user codes (Userids) in so-called profiles, those to protecting resources (Resources) and groups (Groups).

Userids

User of the system are natural persons, with a RACF Userid in an on-line system such as TSO, CICS or CIM at a terminal log in or also server processes ("“Started tasks"” in the MVS linguistic usage), to which the RACF administration assigned a Userid.

In a user profile stores RACF apart from names users statistic and further information:

• Amendment date of the password
• Last use of the Userid
• Notes whether the Userid is closed (revoked), whether it belongs to a RACF Systemadministrator (special).
• Further characteristics, which describe and specify the use of the MVS subsystems such as Unix, CICS, TSO or the file system.

Resources

Resources are classically files, volumes, terminals, today however completely abstractly everything that judges an installation for protect worth, e.g. Console instructions, names of on-line transactions or permission for putting the password back of another user.

Resources are protected by a resources profile. A resources profile identified by a class name (e.g. DATA SET) and a name, which partly describes resources which can be protected completely (discrete profile) or (generic profile).

E.G. that protects generic DATA set profiles SYS1. ** all files, those with SYS1. begin.

A profile specifies the so-called universal ACCESS, which rights of access for individual users or user groups, specific around a list, can be extended.

RACF knows five stages of rights of access, which are interpreted by the resources managers z/OS (see below) in obvious way:

• NONE: No access
• READ: With files reading accesses
• UPDATE: With files writing accesses, contain READ
• CONTROL: With files writing accesses, contained UPDATES
• OLDER: With files unrestricted accesses: Creation, deletion, renaming the file, contains CONTROL

RACF groups

Behind RACF groups a complex concept stands:

• On the one hand they can be used, in order to summarize Userids and to give then authority to this group instead of at each individual user. A user can belong as many as desired to groups and enjoys the sum of the authority of all groups, to which belongs.
• Groups are hierarchically organized: The highest group is called SYS1. This hierarchy is the basis to decentralize the RACF administration on the basis of organizational criteria. If a user is connected to a group with administration rights, it has also administration rights for all sub-groups of this group.

Resources manager

RACF, i.e. actually SAF, work passively. The users of the system access by means of a resources manager resources. The respective resources manager forms a resources name and asks then SAF whether that is permitted access. SAF/RACF answers with, no or "„knows not "“(then, if the resource is not protected by a profile). The subsystem permits thereupon the use of resources (or also not).

Examples of resources managers are the file system of the operating system z/OS with resources file or CICS with resources (under many different) transaction code. It is also possible to drive the data base system DB2 in such a way that the data base authority separates it not with SQL Grants in the own catalog as RACF resources in the RACF puts down.

Articles in category "RACF"

We found here 2 articles.

Related Websites

We found here 4 related websites.

• RACF
  This is the welcome page for the Resource Access Control Facility (RACF) pages.


• RACF Sample Utilities
  This page contains useful RACF downloads and sample materials.


• RACF/VM
  The RACF V1R10 for VM page shows what is provided in V1R10.


• RACF/VM
  The RACF V1R10 for VM page shows what is provided in V1R10.