Resource Access Control Facility

The Resource Access Control Facility (RACF) is a comprehensive software product developed by IBM for mainframe computing environments, serving as a core component of the z/OS Security Server to manage and enforce access controls on system resources. Introduced in 1976, RACF enables organizations to identify, authenticate, and authorize users while protecting sensitive data and applications through granular permission profiles, ensuring compliance with the principle of least privilege.
RACF operates by maintaining a of profiles, profiles, and access authorities, which administrators use to define and delegate permissions for such as datasets, programs, and connections. Key functions include via methods like passwords, digital certificates, or tickets; authorization checks before granting access; and detailed logging of all access attempts for auditing and reporting purposes. It integrates seamlessly with z/OS subsystems like , DB2, and IMS, allowing applications to invoke RACF services through specialized macros for protection.
Over its evolution, RACF has expanded beyond initial features to support advanced capabilities, including remote command execution via the RACF Remote Sharing Facility (RRSF) and enhanced in distributed environments. As a flexible and scalable solution, it remains a cornerstone of mainframe security, helping enterprises mitigate risks in high-volume and comply with regulatory standards through robust policy enforcement.

Overview

Definition and Purpose

The Resource Access Control Facility (RACF) is a core component of the z/OS Security Server, an optional feature of the operating system that delivers essential security functions including user identification, , , and auditing for protected system resources. As an add-on software product, RACF enables installations to identify users through unique user IDs, authenticate them using encrypted passwords, authorize access to resources via predefined profiles stored in its database, and audit security events to detect and report unauthorized attempts. This integrated approach ensures that only authorized entities can interact with sensitive elements of the mainframe environment, adhering to the principle of least privilege by explicitly defining and enforcing access permissions.
The primary purpose of RACF is to manage and enforce secure access to critical resources such as datasets, programs, transactions, and network services within and operating environments. By protecting these assets from unauthorized use, modification, or disclosure, RACF helps maintain , , and in multi-user, high-volume mainframe systems where large-scale processing demands robust safeguards against internal and external threats. For instance, it controls access to files and subsystems like or DB2, ensuring that organizational data remains secure during routine operations and .
At its core, RACF functions as an external security manager (ESM) that interfaces with the System Authorization Facility (SAF) to centralize and streamline decision-making across the system. This architecture allows RACF to respond to requests from various subsystems via the SAF router, evaluating profiles and user attributes to grant or deny access without embedding logic directly into individual applications. Such centralization simplifies administration and enhances consistency in enforcing policies throughout the environment.
Developed in the mid-1970s, RACF emerged to address the growing needs of early mainframe systems, which initially lacked integrated controls for multi-user and data protection in increasingly networked and shared computing environments. Prior to its introduction, mainframes relied on fragmented, subsystem-specific or manual measures that were insufficient for protecting organizational resources against unauthorized and modification as usage scaled.

Scope and Compatibility

The Resource Access Control Facility (RACF) is primarily designed as the security component of the z/OS operating system, where it serves as the default security manager for protecting system resources. RACF is fully compatible with z/OS versions 2.3 and later, including z/OS 3.2 as of November 2025, and integrates seamlessly with related IBM mainframe subsystems such as TSO/E for interactive terminal sessions and CICS for transaction processing environments. Additionally, RACF supports operation under z/VM as a guest operating system, with database sharing between z/OS and z/VM systems supported only for z/VM releases prior to 7.3; it is not supported for z/VM 7.3 and later, including z/VM 7.4 as of November 2025. Continued support exists for pre-7.3 releases. This compatibility extends to multisystem configurations, such as sysplex environments, where RACF facilitates shared database access across multiple z/OS instances. On the hardware front, RACF operates exclusively on mainframe platforms, leveraging the for 64-bit processing. It is supported on current servers, including the z17 (machine type 9175), as well as z16, z15, and z14, provided the underlying release meets the hardware prerequisites, as of November 2025. For instance, 3.2, which includes the RACF Security Server, runs on the and utilizes its advanced features such as integrated accelerators for enhanced processing. RACF requires enabling the Security Server feature through the IFAPRDxx parmlib member in , ensuring compatibility with core components like the Base Control Program (BCP) and DFSMS for resource management. 3.2 enhancements support hybrid cloud and workloads, with z17 providing acceleration that integrates with RACF for improved in these environments. 
In terms of scope, RACF provides comprehensive protection for a broad array of resources within environments, encompassing data sets on direct access storage devices (DASD) and tape, program libraries, terminals for user access, and network resources such as those managed by /IP stacks and APPC/ via the System Authorization Facility () router. This coverage extends to virtualized and distributed setups, including guest machines for consolidated workloads, sysplex-shared resources using coupling facilities for high-availability data sharing, and the RACF Remote Sharing Facility (RRSF) for synchronizing access decisions across remote nodes. General resources, user IDs, and group profiles are also secured, with support for IPv6-enabled network protections through z/OS Communications Server components like AT-TLS. Despite its robust integration within ecosystems, RACF has notable limitations outside native environments; it is not designed for direct use on non- hardware or operating systems, and attempts to emulate it on such platforms yield unpredictable results, particularly when merging or managing data sets across disparate systems. For example, RACF utilities like IRRUT400 explicitly prohibit merging data sets from different system origins to avoid integrity issues, and database sharing with 7.3 or later is not supported. Furthermore, certain advanced functions, such as altering coupling facility structures or supporting managed environment elements (ACEEs) in specific exits like IRREVX01, are not available, underscoring RACF's optimization for mainframes.

History

Development and Introduction

The Resource Access Control Facility (RACF) was announced by IBM on September 24, 1976, as a licensed program designed for the Multiple Virtual Storage (MVS) operating system running on System/370 mainframes. Developed at IBM's Poughkeepsie laboratory during the mid-1970s, RACF emerged in response to escalating security requirements for enterprise computing environments, where increasing computer literacy and the centralization of sensitive data heightened risks of unauthorized access. The first shipment of RACF became available in the late 1970s, marking its initial deployment as an optional security enhancement for MVS systems. This development was influenced by industry-wide efforts, including the 1974 SHARE Security and Privacy Project, which outlined comprehensive requirements for data protection in mainframe environments following notable data breaches and privacy concerns in the early 1970s. At its inception, RACF introduced foundational capabilities, including basic user identification through user IDs and passwords, resource protection for datasets and other system elements, and lists to define permissions. These features enabled administrators to validate user access requests against predefined profiles, providing a structured mechanism to safeguard resources without relying solely on operating system controls. While not fully compliant with all contemporary standards—such as default protection for undefined resources—RACF's design emphasized flexibility and integration with , allowing it to serve as a centralized manager for multi-user environments. Key milestones in RACF's early adoption included its seamless integration with early MVS releases, such as , to address demands for standardized amid rising use of shared mainframes. 
This positioned RACF as a critical response to the era's push for robust access controls, driven by regulatory and organizational pressures following incidents like unauthorized data exposures in financial and government systems during the 1970s. Over time, RACF evolved to incorporate advanced functionalities, though its core principles from the 1970s remain integral to modern .

Major Releases and Evolution

The Resource Access Control Facility (RACF) began as a standalone program product introduced in 1976, but its major releases in the marked significant enhancements for broader system integration and monitoring capabilities. Version 1 Release 6, released in 1984, introduced the Data Security Monitor (DSMON), a tool that generates reports on the security environment, including resource protection status and potential vulnerabilities, enabling administrators to audit and strengthen access controls more effectively. During the same decade, RACF integrated with /XA, IBM's extended architecture operating system announced in 1984, allowing it to support 31-bit addressing and larger memory configurations while maintaining robust resource protection across virtual storage environments. In the 1990s, RACF evolved to address multilevel security (MLS) requirements, with Version 1 Release 9 in 1990 introducing security labels (SECLABELs) and console logon controls to enforce mandatory access controls compliant with Department of Defense B1-level standards, preventing unauthorized data flows in classified environments. This period also saw RACF's adaptation for emerging distributed computing needs, including digital certificate support introduced in OS/390 Release 4 in 1998. By the 2000s, full public key infrastructure (PKI) services for digital certificate management and Lightweight Directory Access Protocol (LDAP) interfaces were incorporated in z/OS Version 1 Release 3 in 2003, facilitating secure authentication across enterprise networks and integration with directory services. Additionally, enhanced sysplex support in the late 1990s and early 2000s enabled RACF to cache profiles in the Coupling Facility, improving performance and consistency in Parallel Sysplex environments for shared resource access. 
Over time, RACF transitioned from a standalone product to a core component of the Security Server, fully integrated by the era in the late 1990s and solidified in releases, allowing seamless operation within the base operating system without separate licensing for core functions. This evolution responded to standards such as NIST SP 800-53 and PCI-DSS, with ongoing enhancements like improved auditing and controls to mitigate insider threats and ensure , as evidenced by RACF's role in automated checks via Security and Compliance Center. In the 2020s, RACF continued adapting to modern hardware and cryptographic threats, with z/OS 3.1 (general availability 2023) providing compatibility for z16 processors and introducing support for quantum-resistant algorithms like ML-DSA and ML-KEM through Integrated Cryptographic Service Facility (ICSF), enabling RACF to protect certificates and keys against future quantum attacks. In z/OS 3.2 (general availability 2024), RACF introduced enhancements such as improved password management with hashing support and revocation prompt suppression for privileged users. These updates underscore RACF's enduring impact, delivering scalable that counters evolving threats like advanced persistent threats and stringent compliance demands while maintaining across z/OS versions.

Architecture

Core Components

The Resource Access Control Facility (RACF) forms a central part of the z/OS Security Server, which provides comprehensive security management for the IBM z/OS operating system. The primary components include the Security Server itself, which encompasses RACF as its core access control engine, the System Authorization Facility (SAF) router for interfacing with system services, and RACF's callable services for processing security requests. These elements work together to enforce resource protection across z/OS environments, enabling centralized authorization decisions without direct integration into individual subsystems.
The SAF router serves as the standardized interface between resource managers—such as base control program (BCP) components, subsystems, and applications—and the external security manager (ESM), typically RACF. Whenever a component encounters a control point requiring access validation, it invokes the router via macros like RACROUTE. The router then determines the appropriate ESM based on system configuration and forwards the request for processing, ensuring consistent security enforcement across diverse system elements. This allows RACF to handle without modifying the calling components, promoting and .
RACF processes incoming requests through its suite of callable services, which perform tasks like verification and permission evaluation. For instance, services such as IRRSKA00 (ck_access) enable checks for resource access authority, while IRRSKP00 (ck_priv) validates privileges in contexts like UNIX or services. These services intercept and assess requests against RACF's policy definitions, returning allow or deny decisions to the caller via . Additionally, exit programs provide customization points, allowing installations to extend or alter RACF's default behavior—such as modifying logic—without altering core code.
For database management, the IRRUT200 utility verifies RACF integrity, creates backups, and monitors space usage, ensuring reliable operation of the underlying storage.

Database Structure

The RACF database serves as the central repository for all information, including profiles, definitions, and group structures, stored primarily in VSAM datasets such as SYS1.RACFDB. This database supports system-wide profiles that define resource protections across classes, alongside separate catalogs for and groups to organize ownership and permissions hierarchically. The structure is hierarchical, with class-based profiles grouping related resources under specific categories, enabling efficient management of access rules for thousands of entries. To ensure availability and redundancy, RACF employs a primary volume (RACFDB) for active operations and a backup volume (RACFDB2) that maintains a synchronized copy, updated transactionally during changes to the primary. Data elements within the database include detailed entries for (such as IDs, attributes, and connect groups), (with access levels and conditional controls), and connections (linking to groups and profiles). These elements are indexed by keys like user IDs and names to optimize query performance and support rapid lookups during checks. Maintenance of the database relies on mechanisms, including Global Resource Serialization (GRS) with ENQ/DEQ requests and RESERVEs, to prevent concurrent modifications and ensure across sysplex environments. For backups and verification, utilities such as IRRUT200 perform block-by-block copies of the dataset to create synchronized backups, while the SEARCH command queries the live database for profiles, users, and groups based on criteria like class or name patterns. Additionally, IRRDBU00 can dump the database contents to sequential files for offline analysis or recovery.

Access Control Mechanisms

Users and Groups

In RACF, users are defined through the ADDUSER command, which creates a in the RACF database and establishes an initial connection to a specified default group. Key attributes include a unique ID (userid), or passphrase for setup, level for classification-based , and optional segment data such as TSO for options (e.g., account number, procedure, and storage size limits) or operations for maintenance privileges. The command also allows specification of the profile owner, default group, and attributes like SPECIAL for broad administrative control or ADSP for automatic protection. Groups in RACF are organized in a hierarchical structure to facilitate role-based access management, with each group profile created via the ADDGROUP command that defines a superior-subordinate relationship. The superior group is specified using the SUPGROUP parameter, enabling nested organization under a top-level group like SYS1, which supports delegation of administrative responsibilities along organizational lines. This structure allows group owners to manage subordinate groups and users within their scope, promoting efficient permission inheritance for common roles such as development or operations teams. Users are linked to groups using the CONNECT command, which assigns group-specific authorities like USE (basic access), CREATE (profile creation), CONNECT (user addition), or JOIN (subgroup management), allowing permissions to be inherited from the group to simplify administration. A user can connect to multiple groups but operates under one default group at a time, with authorities scoped to the connection to prevent over-privileging. Special users, such as IBMUSER, are predefined with the system-wide attribute to enable initial system configuration and full control over RACF profiles during setup. 
The OPERATIONS attribute, assignable via ADDUSER or ALTER, grants elevated privileges for resource maintenance, such as unrestricted access to data sets and volumes in classes like and TAPEVOL, but requires the SPECIAL attribute for delegation. These attributes are typically limited to administrative users to maintain integrity.

Profiles and Classes

In RACF, classes serve as predefined and user-defined categories that organize resources for protection, with over 170 supplied classes available to cover various system components and applications. These classes distinguish between discrete resource types, which protect individual, specifically named resources, and general resource types, which use patterns or wildcards to safeguard groups of related resources. Examples include the DATASET class for protecting data sets on DASD volumes, the class for miscellaneous resources like tape mounts or application interfaces, and the PROGRAM class for controlling access to load modules.
Profiles within these classes define the specific rules for , particularly general profiles that specify authorities for users or groups. A profile typically includes a name derived from the (e.g., a specific name in the DATASET class), a universal access authority (UACC) that sets the permission level for users not explicitly listed, and an access list containing permit entries. Access levels in profiles are hierarchical: NONE denies access, READ allows viewing or executing, UPDATE permits modification, CONTROL enables management of , and ALTER provides full control including profile alteration. For instance, a DATASET profile for "PAYROLL.DATA" might grant READ to a group while setting UACC to NONE to restrict unlisted users.
Access control logic in profiles relies on permit statements added via the PERMIT command, which populate the access list with users, groups, or roles and their assigned levels. Standard permits apply unconditionally, while conditional permits use the WHEN keyword to enforce access based on criteria such as terminal ID, time of day, or job name, allowing fine-grained rules like permitting UPDATE only during business hours. UACC provides a baseline, often set to NONE for high-security resources, ensuring that only explicitly permitted entities gain entry unless overridden by a broader authority like ALL in certain contexts.
Profile ownership determines administrative , with the user ID that defines the profile (via RDEFINE) becoming the initial owner and receiving ALTER authority by default. Ownership can be transferred using the RALTER command, but alterations require matching authority, establishing conditional rules where only owners or those with explicit CONTROL/ALTER can modify profiles. Universal rules apply through group ownership in resource group classes, where inherits from superior groups to subordinates, simplifying by avoiding individual listings.
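The access-list and UACC logic described above can be modeled in a few lines. This is an added example, not IBM or RACF code: it is a simplified model that covers only the standard access list and UACC, and it assumes that a user-specific entry takes precedence over group entries and that the highest group entry otherwise applies (list-of-groups checking). Conditional permits, global access checking, OPERATIONS and security labels are left out, and every user ID, group name and profile other than PAYROLL.DATA is constructed.

```python
"""Simplified model of a RACF standard access-list decision (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    # Hierarchical levels as listed in the text: each level includes those below.
    NONE = 0
    READ = 1
    UPDATE = 2
    CONTROL = 3
    ALTER = 4


@dataclass
class Profile:
    resource_class: str
    name: str
    uacc: Access = Access.NONE
    # Standard access list: user ID or group name -> level (what PERMIT fills in).
    access_list: dict = field(default_factory=dict)

    def permit(self, ident, level):
        """Model of PERMIT ... ID(ident) ACCESS(level)."""
        self.access_list[ident] = level

    def permit_delete(self, ident):
        """Model of PERMIT ... ID(ident) DELETE: drops the entry, keeps the profile."""
        self.access_list.pop(ident, None)


def effective_access(profile, userid, groups):
    """Return (level, reason) for a user connected to the given groups."""
    # Assumption: a user-specific entry wins, even when it is lower than a group's.
    if userid in profile.access_list:
        return profile.access_list[userid], f"user entry {userid}"
    # Assumption: otherwise the highest authority among connected groups applies.
    hits = [(profile.access_list[g], g) for g in groups if g in profile.access_list]
    if hits:
        level, group = max(hits)
        return level, f"group entry {group}"
    # Nobody listed: fall back to the universal access authority.
    return profile.uacc, "UACC"


def check(profile, userid, groups, requested):
    """Return (allowed, reason) for a request at the given level."""
    level, reason = effective_access(profile, userid, groups)
    return level >= requested, reason


def review_uacc(profiles, ceiling=Access.NONE):
    """Least-privilege review: report profiles whose UACC exceeds the ceiling."""
    return [
        f"{p.resource_class} {p.name}: UACC({p.uacc.name})"
        for p in profiles
        if p.uacc > ceiling
    ]


def sample_profiles():
    """Constructed sample data built around the PAYROLL.DATA example in the text."""
    payroll = Profile("DATASET", "PAYROLL.DATA", uacc=Access.NONE)
    payroll.permit("PAYGRP", Access.READ)     # group: read-only
    payroll.permit("PAYADM", Access.UPDATE)   # group: maintainers
    payroll.permit("TEMP01", Access.NONE)     # user excluded despite group membership
    public = Profile("DATASET", "PUBLIC.NOTICES", uacc=Access.READ)
    return payroll, public


if __name__ == "__main__":
    payroll, public = sample_profiles()
    requests = [
        ("ALICE", ["PAYGRP"], Access.READ),
        ("ALICE", ["PAYGRP"], Access.UPDATE),
        ("BOB", ["PAYGRP", "PAYADM"], Access.UPDATE),
        ("TEMP01", ["PAYGRP"], Access.READ),
        ("CAROL", ["SALES"], Access.READ),
    ]
    for userid, groups, wanted in requests:
        allowed, reason = check(payroll, userid, groups, wanted)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{userid:7} {wanted.name:7} -> {verdict:5} ({reason})")
    for finding in review_uacc([payroll, public]):
        print("review:", finding)
```

The `review_uacc` pass is the part worth running against a real profile listing: any profile whose UACC is above NONE grants access to every user who is not named in its access list.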

Features

Authentication and Identification

In Resource Access Control Facility (RACF), user identification begins with validation of the user ID against the RACF database, typically through the RACROUTE REQUEST=VERIFY macro, which confirms that the provided user ID is defined in the system and checks associated attributes such as revocation status. This process ensures that only authorized identities can proceed to , updating database fields like the revoke flag or count as needed during . For example, if the user ID is inactive or has exceeded failed attempt thresholds, access is denied immediately. Authentication in RACF primarily relies on password verification, where supplied credentials are compared against one-way encrypted values stored in the database; by default in z/OS 2.1 and later (including z/OS 3.1 as of 2025), this uses the with () algorithm, with legacy support for the (). Passwords are limited to 1-8 alphanumeric characters, while password phrases allow longer, mixed-case strings up to 255 characters including special symbols for greater . Additional methods include digital certificates for integration, tickets for networked environments, and PassTickets as temporary, one-time-use substitutes generated by applications to avoid password transmission. () is supported via external authenticators, such as IBM for z/OS, which requires additional factors like tokens or alongside passwords for select users, configurable through options like PWFALLBACK for flexibility in high-privilege scenarios. The authentication process occurs during logon to Time Sharing Option (TSO/E) for interactive sessions or at job initiation for batch processing, where the system prompts for credentials and invokes RACF verification to create an access control environment element (ACEE) for the session. 
If authentication succeeds, the user gains an ACEE enabling resource access; failures increment revoke counts, potentially leading to temporary lockout based on SETROPTS PASSWORD(REVOKE) settings, such as after three invalid attempts. Revocation of user access is managed via the ALTUSER command with the REVOKE operand, which sets a flag preventing future logons without affecting active sessions; a date can be specified for delayed effect, and RESUME reverses it. For environments requiring heightened confidentiality, RACF supports (MAC) through security labels assigned to users and resources when the SECLABEL class is activated, enforcing where a user's label must dominate the resource's for read access or match for equivalence in equal MAC configurations. This complements discretionary controls by preventing unauthorized based on sensitivity levels, such as classified data hierarchies. Authentication events under MAC are logged for auditing, though detailed recording is handled separately.

Auditing and Logging

RACF logs security events primarily through the System Management Facilities (SMF), generating records that capture access attempts, violations, and administrative changes to maintain an of system activity. SMF type 80 records detail RACF processing events, including authorized and unauthorized system entry attempts (such as logons and signoffs), resource access requests via RACROUTE macros, and violations like insufficient authority or invalid credentials. These records include fields for user identity, terminal details, and event outcomes to enable reconstruction of security incidents. SMF type 81 records provide statistics on RACF component usage, such as the number of and calls processed, while type 83 records focus on broader events, including attempts, decisions for s, and related violations. Type 83 subtype 1, for instance, audits changes to data set labels via commands like ADDSD or ALTDSD when is active, linking back to type 80 records for context. These record types collectively ensure comprehensive coverage of post-authentication events, such as resource accesses and policy modifications. Auditing levels are configured system-wide using the SETROPTS command with the LOGOPTIONS parameter, which defines for specific event classes. Options include ALWAYS for all attempts, SUCCESSES for granted es, FAILURES for denied attempts, and NEVER to suppress logging; these apply to classes like VIOLACC (for access violations in resources such as DATASET or ) and ALTERNAT (for alternate user ID logons or DASD volume events). Administrators with the attribute issue commands like SETROPTS LOGOPTIONS(FAILURES(VIOLACC)) to enable targeted auditing, overriding profile-level settings where needed. Report generation from these logs uses utilities like ICHCNF00 to format configuration-related outputs and the RACF report writer (RACFRW), which processes SMF types 80, 81, and 83 to produce summaries of violations, user activity, and resource usage. 
The IRRDBU00 utility unloads RACF database content for analysis, complementing SMF processing by allowing auditors to correlate log with profile changes, while retention policies are managed via SMF parameter settings in parmlib (e.g., SMFPRMxx) to dumping and archiving intervals, typically retaining critical for periods aligned with organizational needs. RACF's logging supports compliance with standards like the Sarbanes-Oxley Act (SOX) by providing verifiable trails of access for financial , and the General Data Protection Regulation (GDPR) through detailed monitoring of personal accesses to demonstrate accountability.

Advanced Security Capabilities

RACF provides robust support for (PKI) through its key ring facility, which enables the storage, management, and utilization of digital certificates for secure communications. Key rings in RACF serve as repositories for certificates, allowing system administrators to associate certificates with users, applications, or system components for authentication and encryption purposes. This capability is particularly vital for SSL/TLS protocols, where RACF key rings facilitate the establishment of secure channels by validating certificate chains and enforcing access based on certificate attributes. Integration with IBM Global Security Kit (GSKit) enhances this functionality, providing cryptographic APIs that leverage hardware-accelerated operations on platforms for efficient key generation, signing, and verification. Multilevel security (MLS) in RACF implements a hierarchical protection model using security labels to enforce mandatory access controls in environments requiring strict data isolation, such as government or financial systems. Security labels, defined in the SECLABEL class, combine hierarchical levels (e.g., unclassified, secret, ) with discretionary compartments to represent and need-to-know categories. Users and resources are assigned these labels, and RACF enforces the Bell-LaPadula model by permitting read access only to equal or lower levels (no read up) and write access only to equal or higher levels (no write down), with exceptions configurable via SETR MLS options. Compartments add granular control, allowing labels to restrict access within the same based on specific or role-based caveats, thereby preventing unauthorized in multi-trust domains. For , RACF employs the TCPIP to define profiles that control access to IP-based resources, including ports, addresses, and services, ensuring granular for inbound and outbound connections. 
These profiles support for IP addresses and port ranges, allowing administrators to permit or deny traffic based on , source, or destination attributes. In distributed environments, RACF's Remote (RRSF) enables sysplex sharing, where databases and policies are synchronized across multiple systems over TCP/IP, providing consistent enforcement without compromising performance. This setup supports dynamic profile validation in parallel sysplex configurations, reducing latency in high-availability clusters while maintaining centralized control. As of 2025, RACF incorporates emerging protections against advanced threats through z/OS extensions, including support for quantum-safe algorithms to mitigate risks from . Via integration with the Integrated Cryptographic Service Facility (ICSF), RACF supports quantum-safe such as post-quantum signatures like ML-DSA (CRYSTALS-Dilithium) and key encapsulation with ML-KEM (CRYSTALS-Kyber), ensuring long-term cryptographic resilience in operations (though the KEYSMSTR class remains based on legacy ). Additionally, AI-driven is facilitated through Threat Detection for z/OS (TDz), which analyzes RACF audit data and user behaviors in real-time to identify deviations indicative of insider threats or zero-day attacks, using models to quarantine suspicious activities without manual intervention. These features, introduced in z/OS 3.2, enhance proactive defense in hybrid cloud environments while preserving .
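The security-label dominance rule from the multilevel security paragraph above (and from the SECLABEL passage under Authentication and Identification) is easiest to see worked through. This is an added example, not RACF code: label names, numeric levels and compartment names are constructed, and the model covers only the label comparison, not the SETROPTS options that adjust it.

```python
"""Security-label dominance as used for mandatory access control (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecLabel:
    name: str
    level: int                          # hierarchical level, higher = more sensitive
    compartments: frozenset = frozenset()


def dominates(a, b):
    """a dominates b when a's level is at least b's and a holds all of b's compartments."""
    return a.level >= b.level and a.compartments >= b.compartments


def relation(a, b):
    """Classify two labels: equivalent, dominates, dominated, or disjoint."""
    ab, ba = dominates(a, b), dominates(b, a)
    if ab and ba:
        return "equivalent"
    if ab:
        return "dominates"
    if ba:
        return "dominated"
    return "disjoint"


def mac_check(user, resource, intent):
    """Apply the no-read-up / no-write-down rules for one access intent."""
    if intent == "read":
        # No read up: the user's label must dominate the resource's.
        return dominates(user, resource)
    if intent == "write":
        # No write down: the resource's label must dominate the user's.
        return dominates(resource, user)
    if intent == "readwrite":
        # Both rules at once leave only equivalent labels.
        return dominates(user, resource) and dominates(resource, user)
    raise ValueError(f"unknown intent: {intent}")


def why_not_dominant(user, resource):
    """List the reasons the user's label fails to dominate the resource's."""
    reasons = []
    if user.level < resource.level:
        reasons.append(f"level {user.level} below {resource.level}")
    missing = resource.compartments - user.compartments
    if missing:
        reasons.append("missing compartments: " + ", ".join(sorted(missing)))
    return reasons


# Constructed labels for illustration only.
LOW = SecLabel("LOW", 10)
MID = SecLabel("MID", 50, frozenset({"PAYROLL"}))
MID2 = SecLabel("MID2", 50, frozenset({"PAYROLL"}))
SIDE = SecLabel("SIDE", 50, frozenset({"LEGAL"}))
HIGH = SecLabel("HIGH", 90, frozenset({"PAYROLL", "AUDIT"}))


if __name__ == "__main__":
    for resource in (LOW, MID2, SIDE, HIGH):
        row = {i: mac_check(MID, resource, i) for i in ("read", "write", "readwrite")}
        print(f"user MID vs {resource.name:4} {relation(MID, resource):10} {row}")
    print(why_not_dominant(MID, HIGH))
```

The SIDE case is the one that catches people out: two labels at the same level with different compartments are disjoint, so neither read nor write is allowed in either direction.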

Implementation and Administration

Installation and Configuration

The installation of the Resource Access Control Facility (RACF), which serves as the z/OS Security Server, occurs as an integral component of the operating system deployment using the System Modification Program/Extended (SMP/E). Prerequisites include a valid base installation (such as version 2.5 or later) and activation of the Security Server feature, which is included in the base product but requires explicit enablement during system customization to support RACF operations. Following , initial begins with initializing the RACF database using the IRRMIN00 utility program. This utility formats the database s (typically SYS1.RACFDS for the primary and backups) for use as a VSAM KSDS structure; execute it with PARM=NEW to create a new, empty database, specifying the dataset names via JCL DD statements and ensuring APF for the STEPLIB. The process updates both the on-disk and in-storage templates, setting initial options like NOADDCREATOR to prevent automatic creator access additions. Subsequently, use the SETROPTS command to establish system-wide parameters, such as SETROPTS PASSWORD(INTERVAL(90) HISTORY(10) REVOKE(3)) to enforce a 90-day password change interval, retain 10 prior passwords, and revoke access after 3 failed attempts—tailoring these based on organizational policy. Best practices for deployment emphasize a phased rollout, beginning with activation of fundamental resource classes like and via SETROPTS CLASSACT, followed by iterative expansion to advanced classes to minimize disruption. For performance tuning in large-scale environments, monitor database growth using utilities like IRRDBU00 for unloading and , optimizing I/O by distributing primary and backup datasets across multiple volumes and adjusting VSAM buffer pools; regular backups via RVARY commands ensure recoverability. In sysplex configurations, run initialization on a single member to propagate changes via RACF's sysplex communication. 
Common challenges include inadequate volume allocation for the RACF database, which can lead to space abends (e.g., IEC030I) if primary datasets exceed 3390 track limits—mitigate by pre-allocating at least 1 per on high-performance DASD volumes and planning for expansion. Migration from older systems or non-RACF environments requires unloading profiles from the source using IRRDBU00, verifying compatibility of templates with IRRMIN00 PARM=UPDATE, and loading via IRRDAL00, with careful testing to avoid profile conflicts or access denials. In 3.2 (generally available September 2025), RACF includes enhancements such as improved APPLAUDIT capabilities and support for custom fields in the ACEE (Access Control Environment Element), which can be leveraged during for advanced auditing and .

Management Tools

RACF administration relies on a suite of command-line interfaces and utilities designed for querying, modifying, and maintaining configurations in operational environments. These tools enable security administrators to perform routine tasks such as inspecting profiles, adjusting permissions, and optimizing system settings without requiring system restarts.
Central to daily operations are key RACF commands for querying and modifying access. The RLIST command displays detailed information about a general resource profile, including its attributes, access control lists, and conditional access rules, facilitating verification of resource protections. Similarly, the SEARCH command scans classes for profiles matching specified criteria, aiding in comprehensive audits of resource definitions. For access changes, the PERMIT command adds, alters, or deletes entries in resource access lists, allowing precise control over user and group authorizations; specifying the DELETE operand removes specific permits without affecting the profile itself. The REMOVE command disconnects a user from a group and reassigns ownership of associated profiles, ensuring clean separation of access rights during personnel changes. Global configurations are managed via the SETROPTS command, which dynamically activates classes, enables RACLIST processing for performance, and sets options like password controls or multilevel security enforcement.
Dedicated utilities support database maintenance and specialized tasks. The IRRMIN00 utility initializes or updates the RACF database, formatting new volumes or applying changes to ensure minimal configurations for access structures during maintenance windows. When enabled, web-based administration interfaces, such as those integrated with IBM Security zSecure, provide graphical tools for profile management and permit adjustments, extending command-line capabilities to browser-accessible environments.
Automation enhances efficiency for repetitive tasks through interactive and scripted interfaces. ISPF panels offer a menu-driven environment for navigating RACF classes, viewing profiles, and executing commands like LISTUSER or RALTER, reducing errors in interactive sessions. Execs enable scripting of multiple commands, such as bulk permit updates or profile validations, allowing administrators to automate workflows via TSO or scheduled jobs.
Performance monitoring is facilitated by the STATISTICS class, where administrators use the SETROPTS STATISTICS operand to enable collection of access attempt counts, failure rates, and profile usage metrics for specified classes, helping identify high-impact resources and optimize protections. These statistics, viewable via reports or utilities like the RACF report writer, provide insights into operational efficiency without overhead from full auditing.
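The SETROPTS password-policy command from the installation steps and the batched PERMIT updates described above can be reviewed before they are submitted; the following Python lint is an added example, not part of the original page or of any IBM tooling. It assumes one fully spelled-out command per line with no TSO continuation and profile names without blanks or parentheses; the password baseline uses the page's example values (90/10/3), and the PERMIT rule (flag ID(*) above READ and any ALTER grant) is a hypothetical site policy.

```python
import re

# Baseline taken from the page's example SETROPTS command; replace with site policy.
PASSWORD_BASELINE = {"INTERVAL": ("max", 90), "HISTORY": ("min", 10), "REVOKE": ("max", 3)}
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample batch; profile and user names are made up for illustration.
SAMPLE = """\
SETROPTS PASSWORD(INTERVAL(90) HISTORY(10) REVOKE(3))
SETROPTS PASSWORD(INTERVAL(180) NOHISTORY)
PERMIT 'PAYROLL.MASTER.**' ID(*) ACCESS(UPDATE)
PERMIT 'PAYROLL.MASTER.**' ID(PAYCLERK) ACCESS(READ)
PERMIT 'PAYROLL.MASTER.**' ID(TEMP01) DELETE
PERMIT PAYTRAN CLASS(TCICSTRN) ID(OPSGRP ACCESS(ALTER)
"""


def parse_operands(text):
    """Parse 'KEY(VALUE) FLAG KEY(SUB(1) SUB(2))' into a dict.

    Values that contain further keyword(operand) pairs become nested dicts,
    bare keywords map to True. Raises ValueError on unbalanced parentheses.
    """
    result, i, n = {}, 0, len(text)
    while i < n:
        if text[i].isspace() or text[i] == ",":
            i += 1
            continue
        j = i
        while j < n and not text[j].isspace() and text[j] not in "(),":
            j += 1
        if j == i:
            raise ValueError(f"unexpected {text[i]!r} at offset {i}")
        key = text[i:j].upper()
        if j < n and text[j] == "(":
            depth, k = 1, j + 1
            while k < n and depth:
                depth += {"(": 1, ")": -1}.get(text[k], 0)
                k += 1
            if depth:
                raise ValueError(f"unbalanced parentheses after {key}")
            inner = text[j + 1:k - 1].strip()
            result[key] = parse_operands(inner) if "(" in inner else inner
            i = k
        else:
            result[key] = True
            i = j
    return result


def check_setropts(ops):
    """Compare PASSWORD sub-operands with the baseline; untouched operands are skipped."""
    pw = ops.get("PASSWORD")
    if isinstance(pw, str):
        pw = parse_operands(pw)
    if not isinstance(pw, dict):
        return []
    findings = []
    for name, (kind, limit) in PASSWORD_BASELINE.items():
        raw = pw.get(name)
        if raw is None:
            continue
        if not str(raw).isdigit():
            findings.append(f"PASSWORD {name}: non-numeric value {raw!r}")
            continue
        value = int(raw)
        if (kind == "max" and value > limit) or (kind == "min" and value < limit):
            findings.append(f"PASSWORD {name}({value}) is weaker than baseline {kind} {limit}")
    for switch in ("NOHISTORY", "NOREVOKE"):
        if pw.get(switch):
            findings.append(f"PASSWORD {switch} disables a baseline control")
    return findings


def check_permit(profile, ops):
    """Flag broad or maximal grants; DELETE only removes entries, so it is not flagged."""
    if ops.get("DELETE"):
        return []
    ids = ops.get("ID")
    ids = re.split(r"[\s,]+", ids.upper()) if isinstance(ids, str) else []
    access = ops.get("ACCESS", "READ")  # PERMIT grants READ when ACCESS is omitted
    access = access.upper() if isinstance(access, str) else ""
    if access not in ACCESS_LEVELS:
        return [f"PERMIT {profile}: unrecognized ACCESS value {access!r}"]
    findings = []
    if "*" in ids and ACCESS_LEVELS.index(access) > ACCESS_LEVELS.index("READ"):
        findings.append(f"PERMIT {profile}: ID(*) gives every defined user {access}")
    if access == "ALTER":
        findings.append(f"PERMIT {profile}: ALTER grant needs owner sign-off")
    return findings


def lint(script):
    """Return (line_number, message) findings for a batch of RACF commands."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        try:
            if verb in ("SETROPTS", "SETR"):
                msgs = check_setropts(parse_operands(rest))
            elif verb in ("PERMIT", "PE"):
                profile, _, rest = rest.strip().partition(" ")
                msgs = check_permit(profile, parse_operands(rest))
            else:
                msgs = []
        except ValueError as exc:
            msgs = [f"syntax: {exc}"]
        findings += [(lineno, m) for m in msgs]
    return findings


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```

Running it over the sample batch reports the weakened interval and NOHISTORY on line 2, the ID(*) UPDATE grant on line 3, and the unbalanced parenthesis on line 6, while the page's own example command on line 1 passes.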

Integration

With z/OS and Other Systems

RACF integrates natively with z/OS through the System Authorization Facility (SAF), enabling subsystems such as Db2, CICS Transaction Server, and IMS to perform security checks by invoking RACF services via callable interfaces like RACROUTE. For example, Db2 uses the RACF Access Control Module to enforce access to database objects, while CICS leverages SAF calls for transaction and resource protection, ensuring consistent authorization across the operating system environment. In multi-system setups, RACF supports sysplex sharing by utilizing the coupling facility to maintain a shared view of the RACF database, allowing multiple instances to access consistent security profiles without redundant data replication.
On z/VM, RACF functions as an External Security Manager (ESM), providing comprehensive user authentication, resource protection, and directory management for virtual machines. It integrates with the Directory Maintenance Facility (DirMaint) to automate user ID creation, synchronization, and access controls for minidisks and virtual resources, ensuring that environments adhere to centralized security policies defined in RACF profiles. This ESM role allows RACF to handle privilege class authorizations and system services, bridging z/VM's virtualization layer with z/OS-compatible security mechanisms.
RACF offers internal interfaces through exit points that allow APF-authorized programs to customize processing, such as the ICHRCX01 preprocessing exit for RACROUTE AUTH requests or the ICHRIX01 exit for user verification, enabling site-specific modifications without altering core RACF code. These exits run in supervisor or problem state, supporting reentrant modules for performance in high-volume environments. Additionally, RACF couples with z/OS Management Facility (z/OSMF) for streamlined administration, where z/OSMF workflows invoke RACF to manage user IDs, groups, and resource profiles via predefined definitions during configuration.
For multi-system environments, the RACF Remote Sharing Facility (RRSF) facilitates distributed access by allowing commands to be processed on remote nodes, synchronizing database changes across enterprise-wide RACF instances over APPC or TCP/IP connections. This enables centralized administration of remote databases while maintaining local performance, with features like operative and dormant connection modes to handle network variability and ensure data consistency without full replication.

Third-Party and External Interfaces

RACF provides external interfaces to integrate with directory services such as Lightweight Directory Access Protocol (LDAP), enabling the mapping of LDAP user IDs to RACF user IDs for authentication and authorization purposes. This integration allows the z/OS LDAP server to access RACF data, including user, group, connection, and general resource profiles, with read/write capabilities configured via RACF commands like RACMAP to associate LDAP distinguished names with RACF identities. For example, activating the IDIDMAP class and defining mappings ensures seamless identity propagation in environments using LDAP registries.
RACF supports federation protocols including OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) through z/OS security mechanisms, where RACF manages certificates and keyrings for trusted authentication. In OIDC configurations, RACF stores certificate authorities as CERTAUTH records in keyrings, supporting the validation of tokens from external identity providers. SAML integration similarly leverages RACF for signature verification and user mapping in federated environments, often via IBM Security Access Manager.
For third-party compatibility, RACF facilitates migrations from alternative external security managers like CA Top Secret and CA-ACF2, using IBM-provided tools and services to convert databases such as LOGONID and ACCESS RULE into RACF user profiles, groups, and resource classes. This process involves assessing current environments, generating RACF commands iteratively, and testing subsystems, typically spanning 3-6 months to minimize disruptions.
RACF offers API hooks and adapters for integration with security information and event management (SIEM) tools, such as Splunk, enabling the export of audit logs and security events for centralized analysis. Tools like IBM Security zSecure Adapters and Ironstream collect RACF data, including SMF records, and forward them to Splunk via standard protocols or direct streaming, supporting real-time monitoring of access violations and compliance metrics.
RACF adheres to standards like FIPS 140-2 for cryptographic compliance, verified through module signature checks and class activations such as CRYPTOZ to enforce secure key management in applications. It also integrates with Kerberos via the Generic Security Services Application Programming Interface (GSS-API), supporting Kerberos Version 5 binds for authentication, principal-to-user ID mapping, and keytab generation, with RACF acting as the registry for Kerberos identities.
Custom exits in RACF allow user-written routines for vendor-specific authentication, such as integrating with Oracle Identity Manager through exits like IRREVX01 for reconciliation and password validation. These exits, dynamically activated via commands, enable Oracle Identity Manager to interface with RACF for user provisioning without altering core RACF behavior.

Community and Resources

User Communities

The SHARE user group, a prominent professional network for IBM Z users, hosts dedicated sessions on Resource Access Control Facility (RACF) topics, including updates, best practices, and implementation strategies, accessible through its online proceedings archive. These sessions foster collaboration among security administrators and system programmers by sharing real-world experiences and solutions to common RACF challenges.
The IBM Community provides an official online forum for RACF and broader security discussions, where users and experts exchange advice, troubleshoot issues, and discuss best practices in a moderated environment. This platform supports interaction, enabling members to post queries on topics like user profiling and access controls while benefiting from expert responses.
Annual events such as the SHARE conferences feature dedicated RACF tracks, offering presentations on the latest enhancements, health checks, and integration techniques to keep attendees informed on evolving security needs. Similarly, IBM TechXchange conferences include sessions on RACF administration and security, providing opportunities for networking and hands-on learning among mainframe professionals.
IBM Developer archives serve as a key online resource, containing technical articles, tutorials, and code samples on RACF configuration and usage that support self-paced learning and problem-solving. Community-driven platforms host threads on mainframe security topics, including RACF-specific queries on user access and permissions. IBM Redbooks offer comprehensive publications on RACF, detailing collaborative features like remote sharing and sysplex integration. IBM's channels, including the Z Security community and direct expert consultations, facilitate ongoing peer assistance for RACF deployments and troubleshooting.

Books and Documentation

The primary official documentation for the Resource Access Control Facility (RACF) is provided by IBM through its z/OS Security Server publications, which offer detailed guidance on administration, programming, and implementation. The z/OS Security Server RACF Security Administrator's Guide (document number SA23-2289-60 for z/OS 3.1, last updated June 18, 2025) covers essential topics such as defining users, groups, and resources, managing access controls, and auditing events, serving as the core reference for administrators responsible for daily operations. Complementing this, the z/OS Security Server RACF System Programmer's Guide (document number SA23-2287-60 for z/OS 3.1, also updated June 18, 2025) focuses on RACF components within the z/OS environment, including migration procedures.
For introductory learning, the book Mainframe Basics for Security Professionals: Getting Started with RACF (IBM Press, first edition 2007) provides foundational concepts on RACF user management, data set protection, and basic commands, aimed at newcomers transitioning from other platforms to mainframe security. This resource emphasizes practical examples without assuming prior z/OS knowledge and remains relevant despite its age due to the stability of core RACF principles. For more advanced practitioners, IBM Mainframe Security: Beyond the Basics—A Practical Guide from a z/OS and RACF Perspective by Dinesh D. Dattani (MC Press, 2013) delves into complex scenarios like multilevel security, network authentication, and compliance auditing, drawing from real-world implementations to address gaps in standard documentation.
Additional resources include PDF versions of IBM's official guides available via the IBM Documentation portal (formerly IBM Knowledge Center), which hosts downloadable files for offline reference, such as the z/OS Security Server RACF General User's Guide (SA23-2298-60, updated April 2025) for end-user perspectives on password management and profile usage. Training materials from IBM courses, including Basics of z/OS RACF Administration (course code ES19G), incorporate manuals and lab exercises on resource protection and option settings, often bundled as supplementary PDFs for certified instruction.
For Department of Defense (DoD) compliance, the IBM z/OS RACF Security Technical Implementation Guide (STIG Version 9 Release 4, released June 24, 2025) outlines mandatory controls for classified systems, including access restrictions and logging requirements to align RACF with NIST and DISA standards. This guide emphasizes verifiable configurations for high-security environments and is updated annually to reflect evolving threats.

  107. [107]
    Session Catalog - IBM TechXchange 2025
    Uncover the highlights and experiences that await you on our meticulously planned agenda – explore over 1000 sessions and labs.
  108. [108]
    [PDF] z/OS Security Server RACF Security Administrator's Guide - IBM
    Jun 18, 2025 · This edition applies to IBM® z/OS® 3.1 (5655-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions.
  109. [109]
    Book Review: IBM Mainframe Security: Beyond the Basics
    Oct 28, 2013 · Beginners will have a strong foundation after reading this book. Experienced professionals will reference it frequently. There are several ...Missing: Zierler | Show results with:Zierler
  110. [110]
    z/OS Security Server RACF - IBM
    z/OS Security Server RACF Diagnosis Guide, Abstract · PDF, June 2025. SA23-2298-60, z/OS Security Server RACF General User's Guide, Abstract · PDF, April 2025.
  111. [111]
    Course: ES19G: Basics of z/OS RACF Administration - IBM Training
    This course covers z/OS environment, RACF commands, defining users/groups, protecting resources, and setting up RACF options. It is for those new to z/OS and  ...Missing: manuals | Show results with:manuals
  112. [112]
    IBM z/OS RACF Security Technical Implementation Guide
    Jun 24, 2025 · To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all ...<|control11|><|separator|>