RACF® authorization

  1. The access checks performed are XPG4 IPC permission checks defined in XPG4 System Interfaces and Headers, as follows:
    • The effective z/OS UNIX user identifier (UID) and z/OS UNIX group identifier (GID) for the calling process are used for all access checks.
    • If the CREI user type is system, IRRSKI00 allows any access. No UIDs or GIDs are used in this case because no process exists.
    • If the user being checked is a superuser, IRRSKI00 allows any access. The user is considered a superuser if the selected UID is 0 or if the ACEE indicates trusted or privileged authority.
    • If the user is not system and is not a superuser, the permission bits for the IPC key are checked to see if the access requested is allowed. If the effective UID matches either the owner UID or creator's UID of the IPC key, the USER permission bits are checked. If the UIDs do not match, the owner GID and creator's GID of the IPC key are checked against the user's effective GID and the user's supplemental group list GIDs. If any one matches, the GROUP permission bits are checked. If the UIDs and GIDs don't match, the OTHER permission bits are checked.
    • If the SECLABEL class is active and the ISP contains a security label, the accessing process must have an equivalent security label. With MLIPCOBJ active, requests fail if either the accessing process or the ISP does not contain a security label.
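
The decision order in the UID/GID bullets above can be modeled as follows. This is an added Python example, not IBM code or the IRRSKI00 interface: the `IpcPerm` and `Caller` types, their field names, and the read/write bit encoding of the requested access are assumptions made for illustration, and the security label check is not modeled.

```python
from dataclasses import dataclass

READ, WRITE = 0o4, 0o2  # requested-access bits (assumed encoding)

@dataclass
class IpcPerm:
    """Hypothetical stand-in for the ownership and mode data of an IPC key."""
    owner_uid: int
    owner_gid: int
    creator_uid: int
    creator_gid: int
    mode: int  # e.g. 0o460: USER r--, GROUP rw-, OTHER ---

@dataclass
class Caller:
    """Hypothetical stand-in for the calling process's identity."""
    euid: int
    egid: int
    supp_gids: tuple = ()
    system: bool = False                 # CREI user type is system
    trusted_or_privileged: bool = False  # ACEE indicates trusted/privileged

def check_ipc_access(caller, perm, requested):
    """Return (allowed, rule) where rule names the branch that decided."""
    if caller.system:
        return True, "system"
    if caller.euid == 0 or caller.trusted_or_privileged:
        return True, "superuser"
    # Exactly one permission class is selected; there is no fall-through
    # to a more permissive class if the selected one denies the request.
    if caller.euid in (perm.owner_uid, perm.creator_uid):
        rule, shift = "USER", 6
    elif {caller.egid, *caller.supp_gids} & {perm.owner_gid, perm.creator_gid}:
        rule, shift = "GROUP", 3
    else:
        rule, shift = "OTHER", 0
    granted = (perm.mode >> shift) & 0o7
    return (granted & requested) == requested, rule

# Constructed sample key: owner 100/50, creator 200/60, mode 0o460.
KEY = IpcPerm(owner_uid=100, owner_gid=50, creator_uid=200,
              creator_gid=60, mode=0o460)

if __name__ == "__main__":
    owner = Caller(euid=100, egid=50)
    # The owner is held to the USER bits (r--) even though GROUP grants rw-.
    print(check_ipc_access(owner, KEY, WRITE))
```

With mode `0o460`, the owner's write request is denied on the USER bits although the owner's GID would match a GROUP class that grants write, which is the behavior to keep in mind when auditing IPC key permissions.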