RACF administration

As the security administrator for one or more CICS® regions, and for the users of the CICS applications, it is your job to ensure that your installation's data is properly protected.

Using RACF®, you are responsible for protecting all system resources, and, in the context of this manual, CICS resources in particular.

A key feature of RACF is its hierarchical management structure. The RACF security administrator is defined at the top of the hierarchy, with authority to control security for the whole system. If you are not yourself the RACF security administrator, you must ask that person to delegate to you sufficient authority to work with RACF profiles and system-wide settings. You must also work with the RACF auditor, who can produce reports of security-relevant activity based on auditing records generated by RACF.

RACF security administrators have either the system-SPECIAL attribute, the group-SPECIAL attribute, or a combination of other authorities.

  • If you have the system-SPECIAL attribute, you can issue any RACF command, and you can change any RACF profile (except for some auditing-related operands).
  • If you have the group-SPECIAL attribute, your authority is limited to the scope of the RACF group for which you have the SPECIAL attribute.
  • The other authorities include:
    • The CLAUTH (class authority) attribute, which allows you to define RACF profiles in specific RACF classes
    • The authority that goes with being the OWNER of existing RACF profiles, which allows you to list the profiles, change access to them, and delete them
    • Having a group authority such as CONNECT or JOIN in a RACF group

For complete information about the authorities required to issue RACF commands, and for information on delegating authority and on the scope of a RACF group, see the z/OS Security Server RACF Auditor's Guide.

For information on the RACF requirements for issuing RACF commands, see the descriptions of the commands in the z/OS Security Server RACF Command Language Reference.

You can find out whether you have the system-SPECIAL or group-SPECIAL attribute by issuing the LISTUSER command from a TSO session. If you have the system-SPECIAL attribute, SPECIAL appears after the USER ATTRIBUTES phrase in the first part of the output. If you have the group-SPECIAL attribute, SPECIAL appears after the USER ATTRIBUTES phrase in the offset section that describes your connection to a RACF group. For a complete description, with an example of LISTUSER output, see the z/OS Security Server RACF General User's Guide.
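The check described above can be scripted against saved LISTUSER output. The following is an added example, not part of the IBM documentation: the function name `special_scope`, the sample listing, and the field labels it looks for (`ATTRIBUTES=`, `GROUP=`, `CONNECT ATTRIBUTES=`) are assumptions based on the usual LISTUSER layout, so compare them with the output on your own system.

```python
import re

# Constructed sample, not captured from a real system. The field labels are
# assumed from the usual LISTUSER layout; verify them against your own output.
SAMPLE_LISTUSER = """\
USER=CICSADM  NAME=EXAMPLE ADMIN  OWNER=SECADM    CREATED=20.015
 DEFAULT-GROUP=CICSGRP  PASSDATE=24.101 PASS-INTERVAL= 30
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 CLASS AUTHORIZATIONS=NONE
  GROUP=CICSGRP   AUTH=JOIN     CONNECT-OWNER=SECADM    CONNECT-DATE=20.015
    CONNECTS=    12  UACC=NONE     LAST-CONNECT=24.120/09:14:02
    CONNECT ATTRIBUTES=SPECIAL
    REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=PAYROLL   AUTH=USE      CONNECT-OWNER=SECADM    CONNECT-DATE=21.200
    CONNECTS=    03  UACC=NONE     LAST-CONNECT=24.118/16:40:55
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
"""


def special_scope(listuser_text):
    """Return (system_special, groups_with_group_special) for one user listing."""
    system_special = False
    group_special = []
    current_group = None  # stays None until the first connect-group section
    for line in listuser_text.splitlines():
        text = line.strip()
        # A GROUP= line opens the offset section for one group connection.
        # DEFAULT-GROUP= does not match because the match is anchored at the start.
        m = re.match(r"GROUP=(\S+)", text)
        if m:
            current_group = m.group(1)
            continue
        m = re.match(r"(CONNECT )?ATTRIBUTES=(.*)", text)
        if not m or "SPECIAL" not in m.group(2).split():
            continue
        if m.group(1) is None:
            system_special = True          # user-level attribute line
        elif current_group is not None:
            group_special.append(current_group)  # scoped to this group only
    return system_special, group_special


if __name__ == "__main__":
    print(special_scope(SAMPLE_LISTUSER))
```
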