MVS router

SAF provides an installation with centralized control over system security processing by using a system service called the MVS™ router. The MVS router provides a focal point and a common system interface for all products providing resource control. The resource managing components and subsystems call the MVS router as part of certain decision-making functions in their processing, such as access control checking and authorization-related checking. These functions are called “control points”. This single SAF interface encourages the use of common control functions shared across products and across systems.

The router is always present whether or not an external security product is present. If an external security product is available in the system, the router passes control to the external security product. Before it calls the external security product, the router calls an optional, user-supplied security processing exit if one has been installed.

Control points that issue the RACROUTE macro enter the MVS router in the same key and state as the RACROUTE issuer. Control points that continue to issue the independent RACF® system macros (RACDEF, RACINIT, RACHECK, RACLIST, RACXTRT, and FRACHECK) go directly to the external security product, bypassing the router.