Accessing RACF information

RACF® provides definitions of users, groups, classes, and general resources, and access control for resources. The LDAP server can provide LDAP access to this information stored in RACF.

Using SDBM, the RACF database backend of the LDAP server, you can accomplish the following tasks:

  • Add, modify, and delete RACF users, groups, and general resources. Data set resources are not supported.
  • Add, modify, and delete user connections to groups.
  • Add and remove users and groups in general resource access lists.
  • Modify SETROPTS options that affect classes (for example, RACLIST).
  • Retrieve RACF information for users, groups, connections, general resources, and class options.
  • Retrieve RACF user password and password phrase envelopes.
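The tasks above map onto ordinary LDAP add, modify, delete and search operations against SDBM-style entries. The following Python module is an added example, not code from the z/OS LDAP server or from this page: it builds and parses SDBM distinguished names for the object types listed (users, groups, connections, general resources, and class options) and generates the LDIF a client would feed to ldapmodify. The suffix `cn=myRacf`, the naming patterns (`racfid=...,profiletype=user`, `racfuserid=...+racfgroupid=...,profiletype=connect`, `profilename=...,profiletype=<CLASS>`, `profiletype=setropts`), and the attribute names `racfUser`, `racfdefaultgroup`, `racfowner`, `racfprogrammername` and `racfaccesscontrol` are assumptions drawn from the SDBM schema as the author remembers it; check them against your server's configuration and the z/OS LDAP documentation before use. It runs offline and does not contact an LDAP server.

```python
"""Added example: build and parse SDBM-style DNs and LDIF for RACF objects.

Assumptions (not from the page): SUFFIX is the configured SDBM suffix, and the
naming patterns and attribute names below follow the z/OS LDAP SDBM schema.
"""
import re
from typing import Dict

SUFFIX = "cn=myRacf"  # assumed SDBM suffix; take the real value from the LDAP server config

# RACF user and group IDs: 1-8 characters, folded to upper case, national chars allowed.
_RACF_ID = re.compile(r"^[A-Z0-9@#$]{1,8}$")
_RDN_SPECIAL = ',+"\\<>;'          # RFC 4514 characters that must be escaped in an RDN value
_ACCESS = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")


def racf_id(value: str) -> str:
    """Validate and upper-case a RACF user or group ID (RACF folds IDs itself)."""
    v = value.strip().upper()
    if not _RACF_ID.match(v):
        raise ValueError(f"not a valid RACF ID: {value!r}")
    return v


def escape_value(value: str) -> str:
    """Escape an RDN value so profile names containing ',' or '+' survive as one RDN."""
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def unescape_value(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


# DN builders, one per SDBM object type (naming patterns assumed, see lead-in).
def user_dn(userid: str) -> str:
    return f"racfid={racf_id(userid)},profiletype=user,{SUFFIX}"


def group_dn(groupid: str) -> str:
    return f"racfid={racf_id(groupid)},profiletype=group,{SUFFIX}"


def connect_dn(userid: str, groupid: str) -> str:
    # A connection is a multi-valued RDN joining the user and group IDs with '+'.
    return f"racfuserid={racf_id(userid)}+racfgroupid={racf_id(groupid)},profiletype=connect,{SUFFIX}"


def resource_dn(class_name: str, profile: str) -> str:
    # General-resource profiles: the RACF class name becomes the profiletype RDN.
    return f"profilename={escape_value(profile)},profiletype={class_name.upper()},{SUFFIX}"


def setropts_dn() -> str:
    return f"profiletype=setropts,{SUFFIX}"


def _split(s: str, sep: str):
    """Split on a separator that is not preceded by a backslash."""
    return re.split(r"(?<!\\)" + re.escape(sep), s)


def parse_sdbm_dn(dn: str) -> Dict[str, str]:
    """Inverse of the builders: classify a DN into the RACF object it names."""
    if not dn.endswith("," + SUFFIX):
        raise ValueError("DN is not under the SDBM suffix")
    rdns = _split(dn[: -len(SUFFIX) - 1], ",")
    avas = []
    for rdn in rdns:
        pairs = (ava.split("=", 1) for ava in _split(rdn, "+"))
        avas.append({k.lower(): unescape_value(v) for k, v in pairs})
    ptype = avas[-1]["profiletype"].lower()
    if ptype == "setropts" and len(avas) == 1:
        return {"kind": "setropts"}
    if len(avas) != 2:
        raise ValueError("unexpected DN depth for SDBM")
    head = avas[0]
    if ptype in ("user", "group"):
        return {"kind": ptype, "id": head["racfid"]}
    if ptype == "connect":
        return {"kind": "connect", "user": head["racfuserid"], "group": head["racfgroupid"]}
    return {"kind": "resource", "class": ptype.upper(), "profile": head["profilename"]}


def ldif_add_user(userid: str, default_group: str, owner: str, name: str) -> str:
    """LDIF for an ADDUSER-equivalent add (attribute names assumed from the SDBM schema)."""
    return "\n".join([
        f"dn: {user_dn(userid)}",
        "objectclass: racfUser",
        f"racfid: {racf_id(userid)}",
        f"racfdefaultgroup: {group_dn(default_group)}",
        f"racfowner: {group_dn(owner)}",
        f"racfprogrammername: {name}",
        "",
    ])


def ldif_permit(class_name: str, profile: str, userid: str, access: str) -> str:
    """LDIF modify adding an access-list entry (PERMIT-equivalent; value format assumed)."""
    access = access.upper()
    if access not in _ACCESS:
        raise ValueError(f"unknown RACF access level: {access}")
    return "\n".join([
        f"dn: {resource_dn(class_name, profile)}",
        "changetype: modify",
        "add: racfaccesscontrol",
        f"racfaccesscontrol: ID({racf_id(userid)}) ACCESS({access})",
        "",
    ])


if __name__ == "__main__":
    print(ldif_add_user("newuser", "sys1", "sys1", "Example User"))
    print(ldif_permit("facility", "BPX.SUPERUSER", "newuser", "read"))
    print(parse_sdbm_dn(connect_dn("newuser", "sys1")))
```

Because each of these LDIF operations is translated by SDBM into a RACF command run under the bound user's authority, treat the bind credentials used with such a client as RACF administrative credentials: a PERMIT on `BPX.SUPERUSER` in the FACILITY class, as in the sample, grants UNIX superuser capability, so the client that can issue it is as sensitive as the RACF administrator it binds as.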

The SDBM backend of the LDAP server implements portions of the following RACF commands: ADDUSER, ADDGROUP, RDEFINE, ALTUSER, ALTGROUP, RALTER, PERMIT, SETROPTS, DELUSER, DELGROUP, RDELETE, CONNECT, REMOVE, and SEARCH. SDBM issues these commands through the R_admin "run command" interface, so the support is subject to the restrictions and authorization requirements of that interface; in practice, the RACF authority of the user that the LDAP client binds as governs which of these operations succeed. For more information about these topics, see z/OS® Security Server RACF Callable Services. One restriction in particular affects the return of search results obtained by using the RACF SEARCH command. See RACF restriction on amount of output for more details.

SDBM uses the R_admin profile extract functions to retrieve user, group, connection, and resource information. It uses the R_admin setropts extract function to retrieve class options information. These interfaces are not subject to any restrictions on the amount of data returned, but they do require appropriate authorization.

Note that the SDBM backend updates only the default RACF database of the system on which the LDAP server runs. That is, SDBM does not use the AT and ONLYAT keywords of the RACF commands, which redirect commands to other systems.

For more information about the supported RACF commands, see z/OS Security Server RACF Command Language Reference.

See Setting up for SDBM for information about getting your LDAP server configured with SDBM.