z/OS Security Server RACF Diagnosis Guide


Format of the RACF database

GA32-0886-00

This topic describes the format of the RACF® database.

Each RACF database is a non-VSAM single extent data set that is made up of 4KB blocks and must be cataloged.

A RACF database consists of several types of records:
Header block (inventory control block, ICB)
Is the first block in a RACF database and provides a general description of the database.
Templates
Contain mappings of the entity records for the RACF database.
Segment table block
Contains mappings of individual segments from within a template.
BAM (block availability mask) blocks
Determine allocation of space within the RACF database.
Index blocks
Locate entity records (profiles) in the RACF database.

If you are using application identity mapping and it is in stage 1, 2, or 3, there is an alternative alias index to consider. This alias index correlates an application identity (a set field defined within a non-base segment within the RACF templates, such as the OMVS UID field) to a base profile (the user or group profile which has an application identity field set to a particular value).

Profiles (entity records)
Contain descriptions of the attributes and authorities for every entity defined to RACF. These entities are:
  • User profiles
  • Group profiles
  • DASD data set profiles
  • Profiles for resources defined by entries in the class descriptor table

Figure 1 illustrates the format of the database.

Figure 1. Format of the RACF Database (a graphical representation of the RACF database; image not reproduced here).

Relative byte addresses (RBA) up to the first BAM block are identified by their position. The need for more BAM blocks is driven by the size of the database. See BAM block header for more information.

Any RBAs that are after the BAMs consist of unassigned blocks, index blocks, and data blocks. A profile's segment data may begin at any 256-byte slot within a 4K data block and then continue in consecutive slots, through consecutive RBAs. Therefore, it is possible that a field definition (which is what constitutes the contents of a profile's segment data) starts in one RBA and completes in another, possibly spanning many RBAs. The field definition might then deposit a byte of any value in the first byte of the first slot of an RBA.

Such a byte might at first appear to identify an index block (X'8A'), which would be a false positive. A brute-force read of the RACF database therefore might not be able to determine the RBA type by just checking the first byte of the RBA. The index structure and the sequence set provide the information to find a profile's segment data in its assigned 256-byte slot within a data block. The logical length of the profile indicates the number of consecutive 256-byte slots that are needed.

Therefore, values you might use to locate blocks are:
  • X'02'—segment table
  • X'00'—BAM
  • X'83'—data
  • X'8A'—index
  • X'C3'—empty block
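
The following Python sketch is an added example, not code from the IBM guide. It classifies blocks by first byte and then corrects the result for segments that span block boundaries, showing the X'8A' false positive described above. The segment locations are assumed to come from an index walk that the example does not implement, and the image is a constructed fragment whose RBAs are relative to the fragment.

```python
BLOCK = 4096  # RACF database block size (from the page)
SLOT = 256    # segment data occupies 256-byte slots (from the page)
BLOCK_IDS = {0x02: "segment table", 0x00: "BAM", 0x83: "data",
             0x8A: "index", 0xC3: "empty block"}

def naive_type(image, rba):
    """Classify a block by its first byte only (the check the page warns about)."""
    return BLOCK_IDS.get(image[rba], "unknown")

def slots_needed(logical_length):
    """Consecutive 256-byte slots needed for the given logical length."""
    return -(-logical_length // SLOT)  # ceiling division

def continuation_blocks(segments):
    """Block RBAs whose first slot holds the middle of a spanning segment.

    segments: (start_rba, logical_length) pairs; assumed to come from an
    index walk, which this example does not implement.
    """
    spanned = set()
    for start, length in segments:
        if start % SLOT:
            raise ValueError(f"{start:#x} is not on a 256-byte slot boundary")
        end = start + slots_needed(length) * SLOT
        next_block = (start // BLOCK + 1) * BLOCK
        spanned.update(range(next_block, end, BLOCK))
    return spanned

def classify(image, segments):
    """Map each block RBA to (first-byte guess, guess corrected for spanning)."""
    spanned = continuation_blocks(segments)
    out = {}
    for rba in range(0, len(image), BLOCK):
        guess = naive_type(image, rba)
        out[rba] = (guess, "data (continuation)" if rba in spanned else guess)
    return out

def build_sample():
    """Constructed 4-block fragment; one 600-byte segment spans blocks 1 and 2."""
    image = bytearray(4 * BLOCK)
    image[0x0000], image[0x1000], image[0x3000] = 0x8A, 0x83, 0xC3
    start = 0x1F00                              # last slot of block 1
    image[start:start + 600] = b"\x8A" * 600    # payload byte lands on RBA 0x2000
    return bytes(image), [(start, 600)]

if __name__ == "__main__":
    img, segs = build_sample()
    for rba, (guess, actual) in classify(img, segs).items():
        print(f"RBA {rba:#06x}: first byte says {guess!r}, actually {actual!r}")
```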





Copyright IBM Corporation 1990, 2014