z/OS Security Server RACF Security Administrator's Guide


Special considerations for global access checking

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

When using global access checking, consider the following:
  • Global access checking is used for authorization processing invoked by the RACROUTE REQUEST=AUTH macro. It is not used for authorization processing invoked by the RACROUTE REQUEST=FASTAUTH macro.
  • Global access checking is bypassed for access requests by users with the RESTRICTED attribute. See Defining restricted user IDs.
  • RACF® authorization checking via RACROUTE REQUEST=AUTH searches the global access checking table for a matching entry, ignoring profiles in the class. If no global access checking table entry matches the search, or if the access specified in the entry is less than the access being requested, RACF then searches for a matching profile in the class. This processing occurs regardless of whether or not the class is RACLISTed (by either SETROPTS RACLIST or RACROUTE REQUEST=LIST).
  • RACF searches the global access checking table for an entry that best matches the name of the resource, much as RACF searches for a matching profile. The output from the RLIST command shows the order used.
  • The group resource classes (such as GTERMINL) are ineligible for global access checking.
  • When global access checking allows a request to access a data set, that data set is considered to be protected by RACF, and therefore any OS password processing and prompting that would otherwise have occurred is bypassed.
  • When global access checking allows a request, RACF maintains no statistics.
  • When global access checking allows a request, RACF performs no logging other than that requested by the SETROPTS LOGOPTIONS command.
  • RACF bypasses global access checking if the PROFILE, CSA, or PRIVATE operand is specified on the request for RACF authorization checking (RACROUTE REQUEST=AUTH).
  • Updated global access checking table entries become effective with the next IPL or after execution of the SETROPTS command with the GLOBAL(classname) operand (with or without the REFRESH operand).
  • The only use for an access of NONE in the global access table is to force RACF to look for a profile. This would typically be used when you have access list entries which have a lower access level than a data set's UACC, or when you want to ensure that auditing or security classification checking takes place for a specific data set.
  • When RACF is enabled for sysplex communication, the SETROPTS GLOBAL and SETROPTS GLOBAL(classname) REFRESH commands are propagated to the other members of the sysplex data sharing group.
  • A global access table entry for JESSPOOL suppresses logging based on the AUDIT options set in the resource profile. However, this entry might or might not suppress other types of logging, depending on the application accessing the resource and details of the application's design.

    For example, you might define a global access table entry for JESSPOOL containing the ADDMEM operand with the &RACUID value in the second qualifier to allow users to access their own spool data sets without logging. However, RACF might still log accesses, depending on the application users use to access their spool data sets.
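The decision order described above (bypass conditions, global table lookup, NONE forcing a profile search, fall-through to the profile when the table grants less than requested) as an added, illustrative model. This is example code written for this page, not RACF's implementation: the table and profile data are constructed, and the "most specific entry" rule is a simplified stand-in for RACF's real matching order.

```python
"""Illustrative model of RACF global access checking (GAC) decision order.
Not RACF code: matching rules and sample data are simplified assumptions."""
from fnmatch import fnmatchcase

# RACF access levels from weakest to strongest (EXECUTE omitted for brevity).
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample global access table and effective profile access.
GAC_TABLE = {"SYS1.HELP*": "READ", "SYS1.PARMLIB": "NONE"}
PROFILES = {"SYS1.HELP": "READ", "SYS1.PARMLIB": "UPDATE"}


def rank(access):
    return ACCESS_ORDER.index(access)


def best_gac_entry(table, resource):
    """Pick the matching entry with the longest literal prefix before any
    wildcard. Simplified stand-in for RACF's best-match search."""
    matches = [(n, a) for n, a in table.items() if fnmatchcase(resource, n)]
    if not matches:
        return None
    return max(matches, key=lambda m: len(m[0].split("*")[0]))


def check_access(table, profiles, resource, requested, *, restricted=False,
                 fastauth=False, explicit_profile=False):
    """Return (decision, source); source tells whether the global table or a
    profile answered. 'profiles' maps resource -> the user's effective access.
    explicit_profile models the PROFILE/CSA/PRIVATE operands on REQUEST=AUTH."""
    # GAC is bypassed for FASTAUTH, RESTRICTED users and PROFILE/CSA/PRIVATE.
    if not (fastauth or restricted or explicit_profile):
        entry = best_gac_entry(table, resource)
        # A NONE entry only forces the profile search; an entry granting less
        # than the requested access also falls through to the profile.
        if entry and entry[1] != "NONE" and rank(entry[1]) >= rank(requested):
            return "ALLOW", "global-table"  # no statistics, no profile logging
    granted = profiles.get(resource, "NONE")
    decision = "ALLOW" if rank(granted) >= rank(requested) else "DENY"
    return decision, "profile"
```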





Copyright IBM Corporation 1990, 2014