The algorithm for access checking is up to the security product that is being used. If the physical file system supports ACLs, then it uses the SAF ck_access (IRRSKA00) callable service when passing the ACL to the security product.

If the security product supports ACLs, it applies its own rules to the file access request. RACF® uses the permission bits, access ACL, and various UNIXPRIV class profiles to determine whether the user is authorized to access the file with the requested access level. Read about protecting file system resources in z/OS Security Server RACF Security Administrator's Guide for details on how RACF uses ACLs when enforcing file security.