When using global access checking, consider the following:
- Global access checking is used for authorization processing invoked
by the RACROUTE REQUEST=AUTH macro. It is not used for authorization
processing invoked by the RACROUTE REQUEST=FASTAUTH macro.
- Global access checking is bypassed for access requests by users
with the RESTRICTED attribute. See Defining restricted user IDs.
- RACF® authorization checking
via RACROUTE REQUEST=AUTH searches the global access checking table
for a matching entry, ignoring profiles in the class. If no global
access checking table entry matches the search, or if the access specified
in the entry is less than the access being requested, RACF then searches for a matching profile in
the class. This processing occurs regardless of whether or not the
class is RACLISTed (by either SETROPTS RACLIST or RACROUTE REQUEST=LIST).
- RACF searches the global
access checking table for an entry that best matches the name of the
resource, much as RACF searches
for a matching profile. The output from the RLIST command shows the
order used.
- The group resource classes (such as GTERMINL) are ineligible for
global access checking.
- When global access checking allows a request to access a data
set, that data set is considered to be protected by RACF, and therefore any OS password processing
and prompting that would otherwise have occurred is bypassed.
- When global access checking allows a request, RACF maintains no statistics.
- When global access checking allows a request, RACF performs no logging other than that requested
by the SETROPTS LOGOPTIONS command.
- RACF bypasses global access
checking if the PROFILE, CSA, or PRIVATE operand is specified on the
request for RACF authorization
checking (RACROUTE REQUEST=AUTH).
- Updated global access checking table entries become effective
with the next IPL or after execution of the SETROPTS command with
the GLOBAL(classname) operand (with or without
the REFRESH operand).
- The only use for an access of NONE in the global access table
is to force RACF to look for
a profile. This would typically be used when you have access list
entries which have a lower access level than a data set's UACC, or
when you want to ensure that auditing or security classification checking
takes place for a specific data set.
- When RACF is enabled for
sysplex communication, the SETROPTS GLOBAL and SETROPTS GLOBAL(classname)
REFRESH commands are propagated to the other members of the sysplex
data sharing group.
- A global access table entry for JESSPOOL suppresses logging based
on the AUDIT options set in the resource profile. However, this entry
might or might not suppress other types of logging, depending on the
application accessing the resource and details of the application's
design.
For example, you might define a global access table entry for JESSPOOL
containing the ADDMEM operand with the &RACUID value in the second
qualifier to allow users to access their own spool data sets without
logging. However, RACF might still log those accesses, depending on the
application that users use to access their spool data sets.
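The decision order this list describes (global table consulted first; a matching entry with sufficient access grants without a profile search, statistics or profile-based logging; NONE or insufficient access, RESTRICTED users, FASTAUTH, the PROFILE/CSA/PRIVATE operands and group classes fall through to the profile search) is easy to get wrong when reasoning about why an access was or was not logged. The following Python model is an added illustration, not IBM code and not RACF's actual implementation; the sample tables, the "most literal characters wins" best-match rule, the audit values and the "no profile means not authorized" outcome are constructed assumptions for the demonstration.

```python
import re
from enum import IntEnum

class Access(IntEnum):
    NONE = 0; EXECUTE = 1; READ = 2; UPDATE = 3; CONTROL = 4; ALTER = 5

GROUP_CLASSES = {"GTERMINL"}   # group resource classes are ineligible for global checking

def _to_regex(name, userid):
    """Generic name to regex ('**' any qualifiers, '*' one, '%' one char); &RACUID -> user ID."""
    pat = re.escape(name.replace("&RACUID", userid))
    pat = pat.replace(r"\*\*", ".*").replace(r"\*", "[^.]*").replace("%", "[^.]")
    return re.compile(f"^{pat}$")

def _best_match(names, resource, userid):
    hits = [n for n in names if _to_regex(n, userid).match(resource)]
    # assumption: "best match" approximated by the entry with the most literal characters
    return max(hits, key=lambda n: sum(c not in "*%" for c in n), default=None)

def check_auth(resource, requested, user, cls, global_table, profiles,
               fastauth=False, operand=None):
    """Model of the REQUEST=AUTH path: global table first, profile only when needed."""
    userid, restricted = user["id"], user.get("restricted", False)
    result = {"profile_searched": False, "stats": False, "logged": False}
    bypass = fastauth or restricted or operand in ("PROFILE", "CSA", "PRIVATE") or cls in GROUP_CLASSES
    if not bypass:
        entry = _best_match(global_table.get(cls, {}), resource, userid)
        if entry is not None:
            allowed = global_table[cls][entry]
            # NONE, or less access than requested, forces RACF on to the profile search
            if allowed != Access.NONE and allowed >= requested:
                result.update(granted=True, via=f"GLOBAL {entry}")
                return result            # no statistics, no profile-based logging
    result["profile_searched"] = True
    prof = _best_match(profiles.get(cls, {}), resource, userid)
    if prof is None:                      # assumption: treat "no profile" as not authorized
        result.update(granted=False, via="NO PROFILE")
        return result
    p = profiles[cls][prof]
    # an access-list entry takes precedence over UACC; RESTRICTED users never get UACC
    allowed = p["acl"].get(userid, Access.NONE if restricted else p["uacc"])
    granted = allowed >= requested
    logged = p["audit"] == "ALL" or (p["audit"] == "FAILURES" and not granted)
    result.update(granted=granted, via=f"PROFILE {prof}", stats=True, logged=logged)
    return result

# Constructed sample tables: PAYROLL.** gets a NONE entry so BOB's lower access-list entry wins over UACC
GLOBAL_TABLE = {"DATASET": {"SYS1.**": Access.READ, "PAYROLL.**": Access.NONE, "&RACUID.**": Access.ALTER}}
PROFILES = {"DATASET": {"SYS1.**": {"uacc": Access.READ, "acl": {}, "audit": "FAILURES"},
                        "PAYROLL.**": {"uacc": Access.READ, "acl": {"BOB": Access.NONE}, "audit": "ALL"}}}
```

Running `check_auth("PAYROLL.MASTER", Access.READ, {"id": "BOB"}, "DATASET", GLOBAL_TABLE, PROFILES)` shows why the NONE entry matters: without it the READ-level UACC would be granted from the global table and the access-list NONE for BOB would never be consulted.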