When you specify security(saf) in the attributes data set, the NFS server uses RACF or an equivalent product to control access to z/OS file systems. All RACF requests from the server are made through SAF. SAF directs control to RACF, or an equivalent security product, if it is active.

The server uses SAF to validate the z/OS user id and password supplied by the client user. It also uses SAF to validate that the client user is allowed to access z/OS data. A RACF user ID must be defined for each client user that requires access to the server.

For z/OS UNIX data, z/OS UNIX checks the UNIX permission bits, or ACLs, before granting file access to a client user. See Figure 1 and Table 1 for information on permission checking. For users accessing z/OS UNIX, their RACF user ID must have an z/OS UNIX segment defined in the RACF profile.

Figure 1. Permission checking for the security(saf) attribute