RACF considerations

Throughout this document, the use of the Resource Access Control Facility (RACF®) is recommended because DFSMShsm requests RACF authorization before it allows access to data sets by non-DFSMShsm-authorized users. RACF can also prevent access to DFSMShsm-owned data sets except by users with specific RACF authorization.

In addition, by utilizing FACILITY class profiles, RACF can control command-level access for end-users and storage administrators.

You can use SECLABEL CLASS to control data set access. During initialization, DFSMShsm checks to see if SECLABEL CLASS is active. If SECLABEL CLASS or RACF is activated or deactivated after DFSMShsm startup, you must stop and restart DFSMShsm to reset the SECLABEL indicator.

All RACF requests from DFSMShsm are made through the system authorization facility (SAF). SAF conditionally directs control to RACF (if present) or to a user-supplied processing routine. RACF is determined to be installed by inspection of control block fields. If a RACF-equivalent product sets these fields the same as RACF, DFSMShsm operates as if RACF were installed. Data management checks the user’s authority during data set open when the user attempts to access the data.

Related reading

• For more information about RACF FACILITY class profiles, see Controlling command access with RACF FACILITY class or z/OS DFSMShsm Implementation and Customization Guide.
• For more information about the system authorization facility, see z/OS MVS Programming: Assembler Services Guide.