What Is RACF and What Does It Do


RACF (Resource Access Control Facility) helps to secure an organization’s mainframe environment by providing:

– Flexible control of access to protected resources

– Protection of installation-defined resources

– Ability to store information for other products

– Choice of centralized or decentralized control of profiles

– An ISPF panel interface

– Transparency to end users

– Exits for installation-written routines.

A typical RACF-protected system is organized in a particular way. Users that need access to the same resources are gathered together and placed into groups. These groups are then given access to the data and resources needed by their members:

1. Several users

2. are placed into groups,

3. which are given access to resources.

RACF Profiles

In RACF, a profile describes the security characteristics of a user, a group of users, or one or more mainframe resources.

Profile type: Description

User profiles: A user profile is a description of a RACF-defined user. The information in the profile includes the user ID, the user name, the user’s password, the profile owner, user attributes, and other data.

Group profiles: A group profile defines a group of users. The information in the profile includes the group name, the profile owner, and the users in the group.

Data set profiles: A data set profile provides RACF protection for one or more data sets. The information in the profile includes the data set profile name, the profile owner, the universal access authority, the access list, and other data. Data set profiles can be generic or discrete:

– A generic profile protects several resources with similar names and identical security requirements.

– A discrete profile protects a single resource.

General resource profiles: A general resource profile provides RACF protection for mainframe resources other than data sets. The information in the profile includes the general resource profile name, the profile owner, the universal access authority, the access list, and other data. General resources with similar characteristics belong to the same class. Like a generic profile, a resource group profile protects several resources with identical security requirements. However, the resources do not have to have similar names. Resource group profiles with similar characteristics belong to the same resource grouping class. Resource profiles can be generic or discrete:

– A generic profile protects several resources with similar names and identical security requirements.

– A discrete profile protects a single resource.

RACF – Group Authorities

Each user in a group requires a level of group authority for that group. If a user is connected to several groups, the user has a level of group authority for each group.

Authority: Description

USE: Allows the user to access resources to which the group is authorized.

CREATE: Allows the user to create RACF data set profiles for the group.

CONNECT: Allows the user to connect other users to the group.

JOIN: Allows the user to add new subgroups or users to the group, as well as assign group authorities to the new members.

RACF – User Attributes

User attributes are extraordinary capabilities, limitations, or environments that can be assigned to a user either all of the time or when the user is connected to a specific group or groups.

Attribute: Description

SPECIAL: A user who has the SPECIAL attribute at the system level can issue all RACF commands. This attribute gives the user full control over all of the RACF profiles in the RACF database. You can assign the SPECIAL attribute at the group level. When you do, the group-SPECIAL user has full control over all of the profiles within the scope of the group.

AUDITOR: The AUDITOR attribute is given to users who are responsible for auditing RACF security controls and functions. You can assign the AUDITOR attribute at the group level. When you do, the group-AUDITOR user’s authority is limited to profiles that are within the scope of that group.

OPERATIONS: A user who has the system-wide OPERATIONS attribute has full access authorization to all RACF-protected resources in the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes. You can assign the OPERATIONS attribute at the group level. When you do, the group-OPERATIONS user’s authority is limited to resources within the scope of that group.

CLAUTH: If a user has the CLAUTH attribute in a class, RACF allows the user to define profiles in that class. You cannot assign the CLAUTH attribute at the user or group level.

GRPACC: When a user with the GRPACC attribute creates a data set profile for a group data set, RACF gives UPDATE access authority to other users in the group.

ADSP: The ADSP attribute establishes an environment in which all permanent DASD data sets created by this user are automatically defined to RACF and protected with a discrete profile.

REVOKE: The REVOKE attribute prevents the RACF-defined user from entering the system. REVOKE can be assigned at the group level, in which case the user cannot enter the system and connect to that group.

RESTRICTED: You can prevent RACF users from gaining access to protected resources they are not specifically authorized to access by assigning the RESTRICTED attribute on the ADDUSER or ALTUSER command.

PROTECTED: This attribute is used mainly for started tasks to prevent a user ID from being revoked due to multiple unsuccessful logon attempts. This attribute is assigned implicitly by default, so if you specify the PASSWORD operand on the ALU command, it will be removed.

WHEN: Specifies the days of the week and hours of the day during which the user has access to the system.

RACF – Access Authority

Authority: Description

NONE: Does not allow users to access the data set.

EXECUTE: Allows users to load and execute, but not to read or copy, programs in the library.

READ: Allows users to access the data set for reading only.

UPDATE: Allows users to read from, copy from, or write to the data set. UPDATE does not authorize a user to delete, rename, move, or scratch the data set.

CONTROL: Allows users to retrieve, update, insert, or delete records in the specified data set.

ALTER: Allows users to read, update, delete, rename, move, or scratch the data set.
Useful RACF Commands for Administrators

The following are a few common RACF commands used by security administrators in the mainframe environment. Note that the commands shown are very simplified examples. More details of the commands and their parameters can be found in IBM’s manual.

User Profiles

AU userid NAME('user_name') DFLTGRP(grp_name) OWNER(owner) PASS(password)
    Add a userid to the RACF database. Note that this is a very simplified example.

LU userid
    List a userid’s information.

ALU userid PASSWORD(password)
    Set a temporary password for a userid. This password will have to be changed when the user logs in to the system.

ALU userid REVOKE
    Revoke a userid.

ALU userid RESUME
    Resume a userid.

ALU userid RESUME PASS(password)
    Resume a userid and set a temporary password.

CO userid GROUP(grp_name) OWN(grp_name)
    Connect a userid to a RACF group.

RE userid GROUP(grp_name)
    Remove a userid from a RACF group.

ALU userid NAME('user_name')
    Change the user name of a userid. A maximum of 120 characters is available.

ALU userid DATA('inst_data')
    Change the installation data of a userid. A maximum of 255 characters is available.

DU userid
    Delete a userid from the RACF database.
Group Profiles

AG grp_name OWNER(owner) SUPGROUP(superior_grp_name)
    Add a group to RACF.

LG grp_name
    List a RACF group’s details.

ALG grp_name SUPGROUP(superior_grp_name)
    Change the superior group of a RACF group.

ALG grp_name DATA('inst_data')
    Change the installation data of a RACF group. A maximum of 255 characters is available.

DG grp_name
    Delete a RACF group.

Dataset Profiles

AD 'ds_profile' UACC(uacc_level)
    Add a dataset profile to the RACF database. Note that this is a very simplified example. Ex: AD 'XPTO.*' UACC(READ)

LD DATASET('ds_profile')
    List a dataset profile’s details.

ALD 'ds_profile' UACC(uacc_level)
    Change a dataset profile’s UACC.

ALD 'ds_profile' OWNER(owner)
    Change a dataset profile’s OWNER.

DD 'ds_profile'
    Delete a dataset profile from the RACF database.

SR MASK(mask_argument) CLASS(class)
    List the profiles matching the mask argument and the class. Ex: SR MASK(sys1) CLASS(DATASET)

PE 'ds_profile' ID(userid) GEN AC(access_level)
    Grant a userid access to the dataset profile.

PE 'ds_profile' ID(grp_name) GEN AC(access_level)
    Grant a RACF group access to the dataset profile.

General Resources

RDEF class_name profile_name ADDMEM(member)
    Add a general resource profile. Ex: RDEF PROGRAM AMASPZAP ADDMEM('SYS1.LINKLIB'/SYSRES/PADCHK)

RL class_name profile_name ALL
    List all details of a general resource profile. Ex: RL PROGRAM AMASPZAP ALL

RALT class_name profile_name UACC(acc_level)
    Change the general resource profile’s UACC. Ex: RALT PROGRAM AMASPZAP UACC(READ)

RDEL class_name profile_name
    Delete a general resource profile. Ex: RDEL PROGRAM AMASPZAP

PE gr_profile CL(class) ID(userid) AC(access_level)
    Grant a userid access to the general resource profile of class class.

PE gr_profile CL(class) ID(grp_name) AC(access_level)
    Grant a RACF group access to the general resource profile of class class.

RACF Options

SETROPTS GENERIC(class_name) REFRESH
    Refresh the in-storage profiles for a specific class.

SETROPTS PASSWORD(REVOKE(5) RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)) RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)) RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))
    Sets in RACF that all passwords must be at least six characters in length and contain at least one numeric character, not in the first or last position. Further, the user’s access to the system must be revoked if five incorrect passwords are entered in a row.
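As an added example (not part of the original page and not RACF code), the Python below parses the SETROPTS PASSWORD operand from the table above and checks candidate passwords against RULE1 to RULE3, which is a quick way to review what a rule set actually accepts before activating it. The keyword semantics it assumes are an approximation of RACF’s: positions are 1-based, ALPHA restricts a position to letters, ALPHANUM to letters or digits, positions not named by any keyword are not checked, and a password is acceptable if it satisfies any one rule.

```python
import re
SETROPTS_PASSWORD = (  # constructed copy of the operand shown in the table above
    "PASSWORD(REVOKE(5) "
    "RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)) "
    "RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)) "
    "RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))"
)
CHAR_CLASSES = {  # assumed meaning of the content keywords: one predicate each
    "ALPHA": lambda c: c.isascii() and c.isalpha(),
    "ALPHANUM": lambda c: c.isascii() and c.isalnum(),
}

def _positions(spec):
    """Expand '1,6' into {1, 6} and '2:5' into {2, 3, 4, 5} (1-based)."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def revoke_threshold(text):
    """Consecutive bad passwords before REVOKE, or None if not set."""
    m = re.search(r"REVOKE\((\d+)\)", text)
    return int(m.group(1)) if m else None

def parse_rules(text):
    """Map RULEn -> (min_len, max_len, {position: predicate})."""
    rules = {}
    for name, body in re.findall(r"(RULE\d+)\(((?:[^()]|\([^()]*\))*)\)", text):
        min_len, max_len, allowed = 0, 0, {}
        for kw, arg in re.findall(r"([A-Z]+)\(([^()]*)\)", body):
            if kw == "LENGTH":
                lo, _, hi = arg.partition(":")
                min_len, max_len = int(lo), int(hi or lo)
            elif kw in CHAR_CLASSES:
                for pos in _positions(arg):
                    allowed[pos] = CHAR_CLASSES[kw]
        rules[name] = (min_len, max_len, allowed)
    return rules

def matching_rule(password, rules):
    """Name of the first rule the password satisfies, or None if it fails all."""
    for name, (min_len, max_len, allowed) in rules.items():
        if not min_len <= len(password) <= max_len:
            continue
        if all(ok(password[pos - 1])
               for pos, ok in allowed.items() if pos <= len(password)):
            return name
    return None
```

Run it against a list of candidate passwords to see which rule each one falls into; an unexpected None on a password the policy was meant to allow usually points at a position left uncovered by a content keyword.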
