What Is RACF and What Does It Do
A typical RACF-protected system is organized in the following way. Users that need access to the
same resources are gathered together and placed into groups. These groups are then given access to
the data and resources needed by their members:
[Figure: 1. Several users are placed into a group; the group is then given access to the data and resources its members need]
RACF Profiles
In RACF, a profile describes the security characteristics of a user, a group of users, or one or more
mainframe resources.
Authority   Description
USE         Allows the user to access resources to which the group is authorized.
CREATE      Allows the user to create RACF data set profiles for the group.
CONNECT     Allows the user to connect other users to the group.
JOIN        Allows the user to add new subgroups or users to the group, as well as
            assign group authorities to the new members.
Attribute    Description
SPECIAL      A user who has the SPECIAL attribute at the system level can issue all RACF
             commands. This attribute gives the user full control over all of the RACF
             profiles in the RACF database. You can assign the SPECIAL attribute at the
             group level. When you do, the group-SPECIAL user has full control over all of
             the profiles within the scope of the group.
AUDITOR      The AUDITOR attribute is given to users who are responsible for auditing RACF
             security controls and functions. You can assign the AUDITOR attribute at the
             group level. When you do, the group-AUDITOR user's authority is limited to
             profiles that are within the scope of that group.
OPERATIONS   A user who has the system-wide OPERATIONS attribute has full access
             authorization to all RACF-protected resources in the DATASET, DASDVOL,
             GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR
             classes. You can assign the OPERATIONS attribute at the group level. When you
             do, the group-OPERATIONS user's authority is limited to resources within the
             scope of that group.
CLAUTH       If a user has the CLAUTH attribute in a class, RACF allows the user to define
             profiles in that class. You cannot assign the CLAUTH attribute at the user or
             group level.
GRPACC       When a user with the GRPACC attribute creates a data set profile for a group
             data set, RACF gives UPDATE access authority to other users in the group.
ADSP         The ADSP attribute establishes an environment in which all permanent DASD data
             sets created by this user are automatically defined to RACF and protected with
             a discrete profile.
REVOKE       The REVOKE attribute prevents the RACF-defined user from entering the system.
             REVOKE can be assigned at the group level, in which case the user cannot enter
             the system and connect to that group.
RESTRICTED   You can prevent RACF users from gaining access to protected resources they are
             not specifically authorized to access by assigning the RESTRICTED attribute on
             the ADDUSER or ALTUSER command.
PROTECTED    This attribute is used mainly for started tasks, to prevent a user ID from being
             revoked after multiple unsuccessful logon attempts. It is assigned implicitly
             by default, so if you specify the PASSWORD operand on the ALU command, the
             attribute is removed.
WHEN         Specifies the days of the week and hours of the day during which the user has
             access to the system.
User Profiles
AU userid NAME('user_name') DFLTGRP(grp_name) OWNER(owner) PASS(password)
    Add a userid to the RACF database. Note that this is a very simplified example.
LU userid
    List a userid's information.
ALU userid PASSWORD(password)
    Set a temporary password for a userid. This password will have to be changed when the
    user logs in to the system.
ALU userid REVOKE
    Revoke a userid.
ALU userid RESUME
    Resume a userid.
ALU userid RESUME PASS(password)
    Resume a userid and set a temporary password.
CO userid GROUP(grp_name) OWN(grp_name)
    Connect a userid to a RACF group.
RE userid GROUP(grp_name)
    Remove a userid from a RACF group.
ALU userid NAME('user_name')
    Change the user name of a userid. Max. of 120 characters available.
ALU userid DATA('inst_data')
    Change the installation data of a userid. Max. of 255 characters available.
DU userid
    Delete a userid from the RACF database.
Group Profiles
AG grp_name OWNER(owner) SUPGROUP(superior_grp_name)
    Add a group to RACF.
LG grp_name
    List the details of a RACF group.
ALG grp_name SUPGROUP(superior_grp_name)
    Change the superior group of a RACF group.
ALG grp_name DATA('inst_data')
    Change the installation data of a RACF group. Max. of 255 characters available.
DG grp_name
    Delete a RACF group.
Dataset Profiles
AD 'ds_profile' UACC(uacc_level)
    Add a dataset profile to the RACF database. Note that this is a very simplified example.
    Ex: AD 'XPTO.*' UACC(READ)
LD DATASET('ds_profile')
    List the details of a dataset profile.
ALD 'ds_profile' UACC(uacc_level)
    Change a dataset profile's UACC.
ALD 'ds_profile' OWNER(owner)
    Change a dataset profile's OWNER.
DD 'ds_profile'
    Delete a dataset profile from the RACF database.
SR MASK(mask_argument) CLASS(class)
    List the profiles matching the mask argument and the class. Ex: SR MASK(sys1) CLASS(DATASET)
PE 'ds_profile' ID(userid) GEN AC(access_level)
    Grant a userid access to the dataset profile.
PE 'ds_profile' ID(grp_name) GEN AC(access_level)
    Grant a RACF group access to the dataset profile.
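As an added illustration that is not part of the original document, the following Python model shows how the pieces in the tables above combine when RACF decides a DATASET request: the most specific matching profile is chosen, an explicit PE entry for the user decides first, then the highest access among the user's groups, OPERATIONS grants full access only when no entry names the user, and a RESTRICTED user never falls back to ID(*) or UACC. It is a simplified model (a trailing '*' qualifier stands for generic matching) and every profile, group and userid in it is constructed.

```python
from dataclasses import dataclass, field
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # AC(access_level) order

@dataclass
class Profile:                 # a DATASET profile as defined with AD ... UACC(...)
    name: str                  # discrete ('PAYROLL.MASTER') or generic ('PAYROLL.*')
    uacc: str = "NONE"         # UACC: access for IDs not in the access list
    acl: dict = field(default_factory=dict)   # PE entries: userid or group -> level

@dataclass
class User:
    userid: str
    groups: tuple = ()         # groups the user is connected to (CO userid GROUP(...))
    restricted: bool = False   # RESTRICTED attribute
    operations: bool = False   # OPERATIONS attribute

def matches(profile_name: str, dsname: str) -> bool:
    # Simplified generic matching: a trailing '*' qualifier covers the rest of the name.
    if profile_name.endswith(".*"):
        return dsname.startswith(profile_name[:-1])
    return profile_name == dsname

def best_profile(profiles, dsname):
    # RACF uses the most specific matching profile; here that is the longest name.
    found = [p for p in profiles if matches(p.name, dsname)]
    return max(found, key=lambda p: len(p.name)) if found else None

def check_access(user: User, profiles, dsname: str, requested: str) -> bool:
    prof = best_profile(profiles, dsname)
    if prof is None:
        return False               # no profile: treated as protected (PROTECTALL)
    need = LEVELS.index(requested)
    if user.userid in prof.acl:    # 1. explicit entry for the user ID decides
        return LEVELS.index(prof.acl[user.userid]) >= need
    group_levels = [LEVELS.index(prof.acl[g]) for g in user.groups if g in prof.acl]
    if group_levels:               # 2. highest access among the user's groups
        return max(group_levels) >= need
    if user.operations:            # 3. OPERATIONS: full access when no entry names the user
        return True
    if user.restricted:            # 4. RESTRICTED: never falls back to ID(*) or UACC
        return False
    fallback = max(prof.uacc, prof.acl.get("*", "NONE"), key=LEVELS.index)
    return LEVELS.index(fallback) >= need

# Constructed sample: a group that reads payroll data sets, an admin group, a public library.
PROFILES = [
    Profile("PAYROLL.*", acl={"PAYROLL": "READ", "PAYADM": "ALTER"}),
    Profile("PAYROLL.MASTER", acl={"PAYADM": "UPDATE", "JSMITH": "NONE"}),
    Profile("PUBLIC.*", uacc="READ"),
]
```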
General Resources
RDEF class_name profile_name ADDMEM(member)
    Add a general resource profile. Ex: RDEF PROGRAM AMASPZAP ADDMEM('SYS1.LINKLIB'/SYSRES/PADCHK)
RL class_name profile_name ALL
    List all details of a general resource profile. Ex: RL PROGRAM AMASPZAP ALL
RALT class_name profile_name UACC(acc_level)
    Change a general resource profile's UACC. Ex: RALT PROGRAM AMASPZAP UACC(READ)
RDEL class_name profile_name
    Delete a general resource profile. Ex: RDEL PROGRAM AMASPZAP
PE gr_profile CL(class) ID(userid) AC(access_level)
    Grant a userid access to the general resource profile of class class.
PE gr_profile CL(class) ID(grp_name) AC(access_level)
    Grant a RACF group access to the general resource profile of class class.
RACF Options
SETROPTS GENERIC(class_name) REFRESH
    Refresh the in-storage profiles for a specific CLASS.
SETROPTS PASSWORD(REVOKE(5)
         RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5))
         RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6))
         RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))
    Sets in RACF that all passwords must be at least six characters in length and contain at
    least one numeric character, not in the first or last position. Further, the user's access
    to the system must be revoked if five incorrect passwords are entered in a row.
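As an added example (not part of the original document), this Python checker applies the three syntax rules and the REVOKE(5) setting from the command above the way the RULEn keywords read: LENGTH gives the allowed length range, ALPHA the positions that must be alphabetic, and ALPHANUM a range that must be alphanumeric and contain at least one digit; a password is accepted when any one rule is met. It assumes case is folded (no MIXEDCASE) and leaves positions that no keyword names unconstrained; the sample passwords are constructed.

```python
import string
from dataclasses import dataclass

ALPHA, NUMERIC = set(string.ascii_uppercase), set(string.digits)

@dataclass
class Rule:
    length: tuple          # LENGTH(min:max); LENGTH(n) is written (n, n)
    alpha: tuple = ()      # ALPHA(p,q): 1-based positions that must be alphabetic
    alphanum: tuple = ()   # ALPHANUM(p:q): 1-based range, alphabetic or numeric, >= 1 numeric

# The three rules and the revoke count from the SETROPTS PASSWORD command above.
RULES = [
    Rule(length=(6, 8), alpha=(1, 6), alphanum=(2, 5)),   # RULE1
    Rule(length=(7, 7), alpha=(1, 7), alphanum=(2, 6)),   # RULE2
    Rule(length=(8, 8), alpha=(1, 8), alphanum=(2, 7)),   # RULE3
]
REVOKE_AFTER = 5                                          # REVOKE(5)

def satisfies(pw: str, rule: Rule) -> bool:
    pw = pw.upper()           # model assumption: no MIXEDCASE, so case is folded
    lo, hi = rule.length
    if not lo <= len(pw) <= hi:
        return False
    if any(pw[p - 1] not in ALPHA for p in rule.alpha):
        return False
    if rule.alphanum:
        p, q = rule.alphanum
        span = pw[p - 1:q]    # must be all alphanumeric and contain at least one digit
        if any(c not in ALPHA | NUMERIC for c in span) or not any(c in NUMERIC for c in span):
            return False
    return True               # positions no keyword names are left unconstrained here

def password_ok(pw: str) -> bool:
    # A password is accepted when it satisfies any one of the active rules.
    return any(satisfies(pw, r) for r in RULES)

def logon_state(results, revoke_after: int = REVOKE_AFTER) -> str:
    # Replays logon outcomes (True = correct password) under REVOKE(5): the fifth
    # consecutive failure revokes the userid, which then needs ALU userid RESUME.
    failures = 0
    for ok in results:
        failures = 0 if ok else failures + 1
        if failures >= revoke_after:
            return "REVOKED"
    return "ACTIVE"
```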