Because the security requirements at every installation differ, RACF® is flexible enough to assist
each installation in meeting its own security objectives. There are
a number of ways RACF accomplishes
this:
- Administrative control: RACF allows
you a wide range of choices in controlling access to your installation's
resources. RACF allows you
to use either centralized or decentralized administration techniques
by permitting you to delegate authority, establish appropriate group
ownership structures, and specify various group-related user attributes.
In addition, RACF provides
a wide range of processing options and installation exits.
Most RACF command functions, except
those performed by RACMAP, RVARY, SET, TARGET, the RACF report writer command (RACFRW), and the
block update command (BLKUPD), have Interactive System Productivity
Facility (ISPF) entry panels and associated help panels. These panels
make it easy to enter command options on TSO.
- Generic profiles: RACF generic
profiles allow you, your group administrators, and other
users to define profiles that consolidate the security requirements
of several similarly named resources that have the same access requirements.
- Protection of installation-defined classes: RACF allows you to protect your own installation-defined
resource classes. To do this, you can add entries to the class descriptor
table (CDT) for the new classes, create profiles in the class, and,
when a user requests access to a resource (or takes an action you
want to control), issue the RACROUTE REQUEST=AUTH macro from your
application to check authorization. You can control which users and
groups can access each resource in the class by defining profiles
in the class. The profiles can include access lists and other information
such as auditing, security labels, and so forth, as with profiles
in the CDT classes supplied by IBM®.
See Supplied RACF resource classes for a description of each CDT class supplied
by IBM. See Administering the dynamic class descriptor table (CDT) for details about creating installation-defined
resource classes.
- Installation exits: RACF installation
exits allow you to tailor RACF to
specific needs of your installation. For more information, see Using RACF installation exits to customize RACF.
Because of RACF's flexible
design, you and your technical support personnel can tailor RACF to operate smoothly within
the local operating environment.