How RACF protects your z/OS data

User identification and authentication

Every user in z/OS is identified by a one- to eight-character user ID. Access to a user ID can be controlled using authentication techniques such as passwords, password phrases, PassTickets, digital certificates, Kerberos credentials or IBM Multifactor Authentication.

Decentralized security administration

Installations can decentralize their security administration through the use of groups and the assignment of RACF administrative, auditing, and operational attributes to group administrators.

Discretionary and mandatory access controls

Owners of z/OS data can control who has access to the data using discretionary access control mechanisms such as the access control list and universal access (UACC). In addition to discretionary access controls, security administrators can control a user's access to data through the assignment of sensitivity labels (SECLABELs) to users and data objects.

Logging to the systems management facility (SMF)

Security administrators, resource owners, and auditors all have the ability to specify the logging policy that is to be applied. Log records are written to the Systems Management Facility (SMF).

Support for auditing and reviewing security environment

RACF supplies utilities that enable a content review of the security rules contained in the RACF database as well as the contents of the RACF log records written to SMF. RACF also provides an overall system security report utility.

RACF Remote Sharing Facility (RRSF)

Physically disparate RACF systems can be connected using the RACF Remote Sharing Facility. These installations can share the RACF database beyond normal disk-sharing among z/OS systems, which provides a means of keeping RACF databases synchronized by using a communications link (either APPC or TCP/IP).
