z/OS Security Server RACF Security Administrator's Guide


Authorization checking for RACROUTE REQUEST=FASTAUTH requests

SA23-2289-00

Some resource managers, such as CICS®, have high performance requirements. To do resource authorization checking with RACF®, they use RACF facilities to load all of the profiles for a given class into the user's storage area or into a common storage area called a data space. The resource managers can then do a fast authorization check against profiles in the user's storage, profiles in the data space, or both.

Fast authorization checking differs from normal authorization checking as follows:
  • The global access checking table is not used.
  • Security labels are only used for READ and READWRITE mandatory access checking (MAC) requests.
  • When a user has a security label but the accessed resource does not, mandatory access checking is bypassed, and only discretionary access checking is done to grant or deny access to the resource, even when SETROPTS MLS is in effect.
  • WHEN(PROGRAM) conditional access checking is done for SERVAUTH class resources.
  • If reverification is required for an IMS™ transaction, the user must also enter the SIGN ON password with the transaction request.
  • Authorization checking for nested ACEEs and access to delegated resources is processed using RACROUTE REQUEST=FASTAUTH.
  • WHEN(CRITERIA) conditional access checking is done.
  • When the caller specifies the AUTHCHKS=CRITONLY keyword and provides a valid CRITERIA, only the following subset of authorization checks is performed:
    • Enforcement of the rules for SETROPTS MLQUIET, when SETROPTS MLQUIET is in effect.
    • Security label authorization checks, when the SECLABEL class is active.
    • Security level and security category authorization checks, when the SECLABEL class is not active and the SECDATA class is active.
    • Search of the conditional access list for matching criteria as specified by the CRITERIA keyword.
For additional information about the following topics, see the resources listed:





Copyright IBM Corporation 1990, 2014