z/OS Security Server RACF Security Administrator's Guide


RACF and z/OS UNIX

SA23-2289-00

This topic describes using RACF® with z/OS UNIX. It covers factors to consider when using RACF to manage group identifiers (GIDs) and user identifiers (UIDs), and describes how to map GIDs and UIDs to RACF group names and user IDs.

The z/OS UNIX security functions provided by RACF include user validation, file access checking, privileged user checking, and user limit checking. z/OS UNIX users are defined with RACF commands. When a job starts or a user logs on, the user ID and password are verified by RACF. When an address space requests a z/OS UNIX function for the first time, RACF:
  1. Verifies that the user is defined as a z/OS UNIX user.
  2. Verifies that the user's current connect group is defined as a z/OS UNIX group.
  3. Initializes the control blocks needed for subsequent security checks.
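
As an added illustration (not part of the IBM text), the RACF commands below give a group and a user the OMVS segments that checks 1 and 2 look for, list them back, and then review which user IDs map to UID 0. The names UNIXGRP and JSMITH, the GID and UID numbers, and the home and program paths are constructed sample values.

```tso
  /* Constructed sample values: group UNIXGRP (GID 5000),          */
  /* user JSMITH (UID 5001), home /u/jsmith, shell /bin/sh.        */

  /* Check 2 looks at the user's current connect group, so the     */
  /* group needs an OMVS segment that carries a GID.               */
ADDGROUP UNIXGRP OMVS(GID(5000))

  /* Check 1 looks at the user, so the user needs an OMVS segment  */
  /* that carries a UID. DFLTGRP connects the user to UNIXGRP,     */
  /* which becomes the connect group when no other is specified.   */
ADDUSER JSMITH DFLTGRP(UNIXGRP) +
        OMVS(UID(5001) HOME('/u/jsmith') PROGRAM('/bin/sh'))

  /* For a user ID or group that already exists, add the segment   */
  /* with ALTUSER or ALTGROUP instead:                             */
  /*   ALTGROUP UNIXGRP OMVS(GID(5000))                            */
  /*   ALTUSER  JSMITH  OMVS(UID(5001))                            */

  /* List only the OMVS segment to confirm the UID and GID that    */
  /* the user ID and group name map to.                            */
LISTUSER JSMITH OMVS NORACF
LISTGRP  UNIXGRP OMVS NORACF

  /* Review step: list every user ID whose OMVS segment maps to    */
  /* UID 0, the z/OS UNIX superuser, and confirm each is intended. */
SEARCH CLASS(USER) UID(0)
```
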
Note: RACF program control does not control programs that are executed in any way that bypasses MVS™ contents supervision, such as load modules contained in z/OS UNIX files. Therefore, loading a program from a z/OS UNIX file prevents you from opening a data set in a PADS (program access to data sets) environment, and prevents you from loading a program from an MVS library if you only have EXECUTE authority. You should use program control to restrict access to any programs, such as these, that provide facilities for bypassing MVS contents supervision. For more information, see Protecting programs.





Copyright IBM Corporation 1990, 2014