Security on z/OS
Previous topic | Next topic | Contents | Glossary | Contact z/OS | PDF

What is RACF?

Security on z/OS

See what's new for the mainframe z/OS operating system

Resource Access Control Facility or RACF® provides the tools to help the installation manage access to critical resources.

Any security mechanism is only as good as the management control of the people who access the system. Access, in a computer-based environment, means the ability to do something with a computer resource (for example, use, change, or view something). Access control is the method by which this ability is explicitly enabled or restricted. It is the responsibility of the installation to see that access controls that are implemented are working the way they are supposed to work, and that variances are reported to and acted on by management.

Computer-based access controls are called logical access controls. These are protection mechanisms that limit users' access to information to only what is appropriate for them. Logical access controls are often built into the operating system, or can be part of the logic of application programs or major utilities, such as database management systems. They may also be implemented in add-on security packages that are installed into an operating system; such packages are available for a variety of systems, including PCs and mainframes. Further, logical access controls might be present in specialized components that regulate communications between computers and networks.

To be effective, access control must allow management to adopt the principle of least possible privilege for those resources that are deemed to be highly sensitive. This principle says that access to these resources is controlled in such a way that permission to use them is restricted to just those people whose normal duties require their use. Any unusual use of the resource should be approved by an administrator or manager, as well as the owner of the resource.

Resource Access Control Facility or RACF provides the tools to manage user access to critical resources. RACF is an add-on software product that provides basic security for a mainframe system (examples of other security software packages include ACF2 and Top Secret, both from Computer Associates).

RACF protects resources by granting access only to authorized users of the protected resources. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources.

To help your installation accomplish access control, RACF provides the ability to:

  • Identify and authenticate users
  • Authorize users to access protected resources
  • Log and report various attempts of unauthorized access to protected resources
  • Control the means of access to resources
  • Allow applications to use the RACF macros

RACF uses a user ID and a system-encrypted password to perform its user identification and verification. The user ID identifies the person to the system as a RACF user. The password verifies the user's identity. Often exits are used to enforce a password policy such as a minimum length, lack of repeating characters or adjacent keyboard letters, and also the use of numerics as well as letters. Popular words such as "password" or the use of the user ID are often banned.

The other important policy is the frequency of password change. If a user ID has not been used for a long time, it may be revoked and special action is needed to use it again. When someone leaves a company, there should be a special procedure that ensures that the user IDs are deleted from the system.

RACF, with its lists of users and lists of resources, allows management to delegate the authority to the owners of these entities in such a way as to maintain the separation of duties while maintaining a flexible, responsive access control strategy.

The delegation mechanism in RACF and the easy, nontechnical commands that change the relationship of a user to a resource mean that adopting the principle of least possible privilege need not be burdensome nor inflexible when unusual circumstances dictate that access permission should be changed. When an unforeseen circumstance requires a change in access privilege, the change can be made by a nontechnical person with access to a TSO terminal, and management can be alerted to review the fact that the change was made.

Major subsystems such as CICS® and DB2® can use the facilities of RACF to protect transactions and files. Much of the work to configure RACF profiles for these subsystems is done by the CICS and DB2 system programmers. So, there is a need for people in these roles to have a useful understanding of RACF and how it relates to the software they manage.

Copyright IBM Corporation 1990, 2010