z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Flexibility

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

Because the security requirements at every installation differ, RACF® is flexible enough to assist each installation in meeting its own security objectives. There are a number of ways RACF accomplishes this:
  • Administrative control: RACF allows you a wide range of choices in controlling access to your installation's resources. RACF allows you to use either centralized or decentralized administration techniques by permitting you to delegate authority, establish appropriate group ownership structures, and specify various group-related user attributes. In addition, RACF provides a wide range of processing options and installation exits.

    Most RACF command functions, except those performed by RACMAP, RVARY, SET, TARGET, the RACF report writer command (RACFRW), and the block update command (BLKUPD), have Interactive System Productivity Facility (ISPF) entry panels and associated help panels. These panels make it easy to enter command options on TSO.

  • Generic profiles: RACF generic profiles allow you, your group administrators, and other users to define profiles that consolidate the security requirements of several similarly named resources that have the same access requirements.
  • Protection of installation-defined classes: RACF allows you to protect your own installation-defined resource classes. To do this, you can add entries to the class descriptor table (CDT) for the new classes, create profiles in the class, and, when a user requests access to a resource (or takes an action you want to control), issue the RACROUTE REQUEST=AUTH macro from your application to check authorization. You can control which users and groups can access each resource in the class by defining profiles in the class. The profiles can include access lists and other information such as auditing, security labels, and so forth, as with profiles in the CDT classes supplied by IBM®.

    See Supplied RACF resource classes for a description of each CDT class supplied by IBM. See Administering the dynamic class descriptor table (CDT) for details about creating installation-defined resource classes.

  • Installation exits: RACF installation exits allow you to tailor RACF to specific needs of your installation. For more information, see Using RACF installation exits to customize RACF.

Because of RACF's flexible design, you and your technical support personnel can tailor RACF to operate smoothly within the local operating environment.

Parent topic: How RACF meets security needs

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014