Access control

z/OS® provides the Resource Access Control Facility (RACF®) as the component that performs access control between subjects that act on behalf of a user and resources that are protected by the discretionary and mandatory access control policies.

The protection philosophy of RACF is based on “profiles” that represent protected resources, users, and groups. RACF uses user and resource profiles that it stores in the RACF database to determine whether a user has access to a non-UNIX resource. (For UNIX resources, the access permissions are carried with the resource itself.) For applicable privileges, RACF looks for a match on schema name before checking RACF profiles.

Profiles are organized in profile classes, where each class represents a type of resource (such as data sets or terminals) or other entity (such as users or groups). A profile stores attributes of the subject or object that it represents. For profiles that represent a protected resource, you can assign an access list. This access list specifies the type of access that subjects can have to the resource that is represented by the profile.

Access to Db2 objects is also controlled by RACF. Db2 acts as a resource manager for those objects and calls RACF when a user attempts to access one of those objects. A set of Db2-specific classes is defined in RACF, and profiles in those classes are used to protect the Db2 resources.

Labeled Security only: Db2 uses RACF for row-level security to check the right of the user to access a field in a row, based on the labels for mandatory access control. RACF checks if the current security label of the user allows the type of access, based on the security label of the row and the rules of mandatory access control.

RACF-controlled access is available only at the table and view level (not at the row level) as the lowest granularity of discretionary access.
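
The decision order described above can be traced in a small Python model. This is an added illustration, not IBM, Db2, or RACF code: it runs the schema-name match, then the table-level access list, then the per-row security label check for a read. The level names, categories, user IDs, table, and the dictionary standing in for resource profiles are all constructed, and the read rule used (the user's label must dominate the row's label) is the model's assumption about the mandatory access control rules.

```python
from dataclasses import dataclass

# Constructed hierarchy; real security levels and categories are site-defined.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True when this level is at least the other's and every category of the other is held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

# Constructed stand-in for resource profiles: (schema, table) -> {user: privileges}.
# This is not RACF's profile naming or storage format.
ACCESS_LISTS = {("PAYROLL", "EMP"): {"ALICE": {"SELECT"}, "BOB": {"SELECT"}}}

def table_access(user, schema, table, privilege):
    """Discretionary check, made at table level (the lowest granularity for it)."""
    # Schema-name match comes before any profile lookup.
    # Assumption: every privilege in this model counts as "applicable".
    if user == schema:
        return True
    return privilege in ACCESS_LISTS.get((schema, table), {}).get(user, set())

def select_rows(user, user_label, schema, table, rows):
    """Rows a read may return: table-level check first, then the label check per row."""
    if not table_access(user, schema, table, "SELECT"):
        raise PermissionError(f"{user} lacks SELECT on {schema}.{table}")
    return [data for data, row_label in rows if user_label.dominates(row_label)]

# Constructed sample rows: (data, security label of the row).
ROWS = [
    ("badge roster", Label("PUBLIC")),
    ("salary bands", Label("INTERNAL", frozenset({"HR"}))),
    ("merger plan", Label("SECRET", frozenset({"HR", "LEGAL"}))),
]

if __name__ == "__main__":
    alice = Label("SECRET", frozenset({"HR"}))
    print(select_rows("ALICE", alice, "PAYROLL", "EMP", ROWS))
```

In the model, passing the table-level check never bypasses the row filter: a user whose ID matches the schema name still receives only the rows that the user's label dominates.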