The RACF database

The RACF® database holds all RACF access-control information. RACF processing uses the information from the database:
  • Each time a RACF-defined user enters a system.
  • Each time a user wants to access a RACF-protected resource.

You maintain your RACF database through commands, macros, and utilities.

The format of the database is described in z/OS® Security Server RACF Diagnosis Guide.

The database templates are documented in z/OS Security Server RACF Macros and Interfaces and z/OS Security Server RACROUTE Macro Reference.

Information on protecting the RACF database is in z/OS Security Server RACF Security Administrator's Guide.

Information on estimating the size of the RACF database is in RACF database storage requirements.

As of z/OS V2R5, you can configure RACF to use a VSAM linear data set as the RACF database, subject to certain restrictions. Subsequently, with the installation of APAR OA62267 for z/OS V2R5, most of these restrictions are removed. It is recommended that you install this APAR on all of the systems that share the RACF database.

Table 1 summarizes the removal of VSAM data set restrictions with the application of APAR OA62267.
Table 1. APAR OA62267 removes most restrictions on using a VSAM linear data set as the RACF database
| Restrictions for RACF VSAM data set | z/OS V2R5 without APAR OA62267 applied | z/OS V2R5 with OA62267 applied |
|---|---|---|
| RACF VSAM database can be shared. | Not allowed | Allowed, with the limitations described in Serialization of the RACF data set. |
| RACF VSAM database can be a split database. | Not allowed | Allowed |
| RACF VSAM data set is SMS managed. | Not allowed | Allowed |
| RACF is in sysplex communications mode. | Not allowed | Allowed |
| RACF is in sysplex data sharing mode. | Not allowed | Allowed |
| RACF database is at application identity mapping (AIM) stage 3. | Required | Required |
| RACF data set can be encrypted. | Not allowed | Allowed |
| RACF data set is not defined in MSTRJCL. | Required | Required |

Serialization of the RACF data set

Serialization of the RACF data set is essential to the proper operation of RACF. With a RACF VSAM data set, the serialization of the RACF database can be maintained only if:
  • All of the systems that share RACF data sets are defined within the same global resource serialization (GRS) complex and no other systems are defined within that GRS environment.
  • The RACF SYSZRACF <dsn> ENQ RESERVEs are converted into GLOBAL ENQs.
  • The members of the sysplex must match exactly the systems that share the RACF data sets and all of the systems must have the same RACF sysplex communication setting.
Note: RACF does not enforce these sharing restrictions. Sharing the RACF data sets with systems not in the same GRS environment can cause data corruption. Having other RACF data sets in the same sysplex can cause contention issues.
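
Because RACF does not enforce these conditions, they can be checked before a RACF VSAM data set is shared. The following Python code is an added example, not IBM code: it tests a constructed system inventory and a constructed GRSRNLxx fragment against the three conditions above. The inventory field names (name, grs, sysplex, shares, comm) and both sample inputs are assumptions made for the example.

```python
import re

# Constructed GRSRNLxx fragment (sample input, not from the page).
SAMPLE_RNL = """/* RESERVE conversion RNL */
RNLDEF RNL(CON) TYPE(GENERIC)
       QNAME(SYSZRACF)
RNLDEF RNL(INCL) TYPE(GENERIC) QNAME(SYSDSN)
"""

# Constructed inventory; the field names are hypothetical, chosen for this example.
SAMPLE_SYSTEMS = [
    {"name": "SYSA", "grs": "GRS1", "sysplex": "PLEX1", "shares": True, "comm": True},
    {"name": "SYSB", "grs": "GRS1", "sysplex": "PLEX1", "shares": True, "comm": True},
]

def converts_syszracf(rnl_text):
    """True if an RNLDEF in the RESERVE conversion RNL names QNAME SYSZRACF."""
    text = re.sub(r"/\*.*?\*/", " ", rnl_text, flags=re.S).upper()
    for stmt in re.split(r"\bRNLDEF\b", text)[1:]:  # statements may span lines
        rnl = re.search(r"\bRNL\(\s*(\w+)\s*\)", stmt)
        qname = re.search(r"\bQNAME\(\s*'?(\w+)'?\s*\)", stmt)
        if rnl and qname and rnl.group(1) == "CON" and qname.group(1) == "SYSZRACF":
            return True
    return False

def check_sharing(systems, rnl_text):
    """Return a list of violations of the three serialization conditions."""
    sharers = [s for s in systems if s["shares"]]
    names = {s["name"] for s in sharers}
    grs = {s["grs"] for s in sharers}
    plexes = {s["sysplex"] for s in sharers}
    findings = []
    if len(grs) > 1:
        findings.append(f"GRS: sharing systems span complexes {sorted(grs)}")
    extra = {s["name"] for s in systems if s["grs"] in grs} - names
    if extra:
        findings.append(f"GRS: non-sharing systems in the complex: {sorted(extra)}")
    members = {s["name"] for s in systems if s["sysplex"] in plexes}
    if len(plexes) > 1 or members != names:
        findings.append("SYSPLEX: members do not match the sharing systems exactly")
    if len({s["comm"] for s in sharers}) > 1:
        findings.append("COMM: RACF sysplex communication setting differs")
    if not converts_syszracf(rnl_text):
        findings.append("RNL: SYSZRACF is not in the RESERVE conversion RNL")
    return findings

if __name__ == "__main__":
    print(check_sharing(SAMPLE_SYSTEMS, SAMPLE_RNL) or "no findings")
```

The check accepts any RNL(CON) entry for SYSZRACF; a TYPE(SPECIFIC) entry converts only the data set it names, so confirm that it covers every shared RACF data set.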