z/OS Security Server RACF Security Administrator's Guide


Restrictions of RACF client ACEE support

SA23-2289-00

As the security administrator, you need to be aware of restrictions of the RACF® client ACEE support, in which both the application server's RACF identity and the client's RACF identity are used in resolving access decisions.
  • RACROUTE REQUEST=FASTAUTH processing does not check both the server and client RACF identities automatically.

    Unauthorized application servers cannot use the RACROUTE REQUEST=LIST instruction to build in-storage profiles for RACF-defined resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can verify a user's access to a resource.

  • The client/server relationship is not propagated from the application server.

If you have implemented access control to resources that use both the server's RACF identity and the client's RACF identity in an access control decision, application servers that you do not trust should be treated as end points. These servers should not be allowed to submit batch jobs or use the services of other servers that run exclusively under the identity of the client. You must ensure that application servers that do not meet these criteria are not authorized to the profile BPX.SERVER in the RACF FACILITY class.
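
One way to review and enforce the BPX.SERVER requirement above from TSO, as an added example that is not part of the IBM text. The user ID UNTRSRV and the group SRVGRP are hypothetical placeholders, and the exec assumes a discrete BPX.SERVER profile exists and that the FACILITY class is RACLISTed.

```rexx
/* REXX - added example: audit and tighten access to BPX.SERVER       */
/* UNTRSRV and SRVGRP are hypothetical names; substitute your own.    */
untrusted = 'UNTRSRV'   /* server that must be treated as an end point */
group     = 'SRVGRP'    /* a group seen in the BPX.SERVER access list  */

/* 1. Show the universal access, the standard access list and the     */
/*    conditional access list. Look for user IDs, groups and ID(*).   */
call run "RLIST FACILITY BPX.SERVER AUTHUSER"

/* 2. A server can also be authorized through a group connection, so  */
/*    expand every group that appears in the access list.             */
call run "LISTGRP "group

/* 3. Remove the untrusted server from the standard access list.      */
/*    If it is authorized through a group, remove the group           */
/*    connection or the group's entry instead.                        */
call run "PERMIT BPX.SERVER CLASS(FACILITY) ID("untrusted") DELETE"

/* 4. Make sure nobody is authorized by default.                      */
call run "RALTER FACILITY BPX.SERVER UACC(NONE)"

/* 5. Refresh the in-storage FACILITY profiles so the change takes    */
/*    effect (assumes the class is RACLISTed).                        */
call run "SETROPTS RACLIST(FACILITY) REFRESH"

/* 6. List the profile again to confirm the result.                   */
call run "RLIST FACILITY BPX.SERVER AUTHUSER"
exit 0

/* Issue one RACF command and report a nonzero return code. */
run: procedure
  parse arg cmd
  address tso cmd
  if rc <> 0 then say 'RC='rc 'from:' cmd
  return rc
```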





Copyright IBM Corporation 1990, 2014