Some resource managers, such as CICS®, have high performance requirements.
To do resource authorization checking with RACF®, they use RACF facilities
to load all of the profiles for a given class into the user's storage
area or into a common storage area called a data space. The resource
managers can then do a fast authorization check against the profiles
in the user's storage, the profiles in the data space, or both.

Fast authorization checking differs from normal authorization
checking as follows:
- The global access checking table is not used.
- Security labels are only used for READ and READWRITE mandatory
access checking (MAC) requests.
- When a user has a security label but the accessed resource does
not, mandatory access checking is bypassed, and only discretionary
access checking is done to grant or deny access to the resource, even
when SETROPTS MLS is in effect.
- WHEN(PROGRAM) conditional access checking is done for SERVAUTH
class resources.
- If reverification is required for an IMS™ transaction,
the user must also enter the SIGN ON password with the transaction
request.
- Authorization checking for nested ACEEs and access to delegated
resources is processed using RACROUTE REQUEST=FASTAUTH.
- WHEN(CRITERIA) conditional access checking is done.
- When the caller specifies the AUTHCHKS=CRITONLY keyword and provides
a valid CRITERIA, only the following subset of authorization checks
are performed:
  - Enforcement of the rules for SETROPTS MLQUIET, when SETROPTS MLQUIET
  is in effect.
  - Security label authorization checks, when the SECLABEL class is
  active.
  - Security level and security category authorization checks, when
  the SECLABEL class is not active and the SECDATA class is active.
  - Search of the conditional access list for a matching criteria
  as specified by the CRITERIA keyword.

For additional information about the following topics, see the
resources listed:
- Processing RACLISTed profiles:
- Using RACROUTE REQUEST=LIST to place profiles in storage:
- Using RACF to provide security
for CICS:
- Nested ACEEs and delegated resources: