RACF resource classes
The certified configuration covered the use of the RACF® resource classes listed in Table 1. The installation can use these classes to implement protection of the respective objects.
The use of all other RACF classes was not subject to evaluation. However, the installation can choose to use additional classes.
| Class | Function |
|---|---|
| CFIELD | Defines the installation's custom fields. |
| CONSOLE | Controls access to MCS or SMCS consoles. Also controls conditional access to other resources for commands originating from an operator console. |
| CRYPTOZ | Controls the use of PKCS #11 tokens. |
| DASDVOL | Controls access to DASD volumes for maintenance operations. |
| DEVICES | Controls access to unit record devices, teleprocessing or communication devices, and graphic devices. |
| DIGTCERT | Used to register X5.09v3 digital certificates in the RACF database. |
| DIGITCRIT | Used to define additional mapping criteria for the interpretation of X5.09v3 digital certificates presented by clients when the certificates are not specifically registered in the RACF database, and to assign a RACF user ID to the client's session as part of the client authentication process. |
| DIGITNMAP | Used to define the primary mapping rules for the interpretation of X5.09v3 digital certificates presented by clients when the certificates are not specifically registered in the RACF database, and to assign a RACF user ID to the client's session as part of the client authentication process. |
| DIGTRING | Implements key rings for servers or users in the RACF database, holding information about allowable Certificate Authority (CA) certificates and private keys for locally defined personal certificates and local signing certificates. |
| DIRAUTH | (Used in Labeled Security Mode only) Ensures that security label authorization checking is done when a user receives a message sent through the TPUT macro or the TSO SEND or LISTBC commands. Profiles are not allowed in this class. |
| FACILITY | Used by various components of z/OS® to manage specific privileges that could be assigned to users so that they do not need the SPECIAL attribute or the z/OS UNIX superuser privilege. Only a few profiles in this class are relevant for the evaluation. |
| FSACCESS | Controls access to z/OS UNIX file systems. |
| GDASDVOL | Grouping class for DASDVOL |
| GLOBAL | Defines the entries in the global access checking table. |
| GTERMINL | Resource group class for TERMINAL class. |
| GXFACILI | Resource group class for the XFACILIT class. |
| JESINPUT | Port of entry class to control which JES2 input devices a user can use to submit batch work to the system. |
| JESJOBS | Controls the submission and cancellation of jobs by job name. |
| JESSPOOL | Controls access to job data sets on the JES spool (that is, SYSIN and SYSOUT data sets). |
| KERBLINK | Used to map user identities of local and foreign user IDs. |
| LOGSTRM | Controls access to system logger resources, such as log streams and the coupling facility structures associated with them. |
| NODES | Controls the following on MVS™ systems:
|
| OPERCMDS | Controls who can issue operator commands. |
| PROGRAM | Controls access to programs (load modules). |
| PSFMPL | Used by Print Services Facility™ (PSF) to perform security functions for printing, such as separator page labeling, data page labeling, and enforcement of the user printable area. |
| PTKTDATA | Used to configure PassTicket processing. |
| RDATALIB | Used to perform authorization checking for the R_datalib callable service. |
| REALM | Used to define local and foreign Kerberos realms. |
| SDSF | Controls the use of authorized commands in the System Display and Search Facility (SDSF). |
| SECDATA | (Used in Labeled Security Mode only) Controls security classification of users and data (security levels and security categories). |
| SECLABEL | (Used in Labeled Security Mode mode only) Controls security labels. |
| SERVAUTH | Controls a client's authorization to use a server or to use resources managed by the server. |
| SERVER | Controls the validity of servers for the application environment. |
| SMESSAGE | Controls to which users a user can send messages (TSO only). |
| STARTED | Assigns an identity to a started task during the processing of an MVS START command. An alternative to the started procedures table (ICHRIN03). |
| TAPEVOL | Controls access to tape volumes. |
| TERMINAL | Controls access to terminals (TSO/E). |
| TSOPROC | TSO logon procedures. |
| UNIXPRIV | Used to grant z/OS UNIX privileges. |
| VTAMAPPL | Controls who can open ACBs from non-APF authorized programs. This prevents programs from counterfeiting login screens. |
| WRITER | Controls the user of JES2 printers and outbound NJE processing. |
| XFACILIT | Similar to the FACILITY class, but supporting longer resource and profile names (up to 246 characters, while the FACILITY class supports up to 39 characters). |