RACF Concepts

Compared to mainframe security implementation, Windows and *Nix security is very primitive. Resource Access Control Facility (RACF) is one of the many products that protect mainframe resources.

RACF aims to protect mainframe resources from unauthorized access. It sees every file, database, table, transaction, service as a resource and each of these can be protected by RACF. RACF can be set to protect all resources by default. That means unless specifically given, no one can access a resource.

Users

Each person who uses the mainframe is a user. When you logon to the mainframe, you are considered a user. So let us say a bank teller that uses the banking system is considered a user. A customer service representative that users the customer service system is also a user. Each user is identified by a userid.

Groups

A group of bank tellers will have common accesses, say to specific transactions. You can group these users into one or more RACF groups. Administration is easier when using groups because allowing access to a group means all the members in the group will have the same access. So if you allow say the TELLER group access to a specific transaction, then all the members of the TELLER group can access the transaction.

Resources

As mentioned above, resources are logical or physical objects that you use on the mainframe. These can be files which z/OS calls data sets, databases, tables, transactions, groups of transactions, services.

Profiles

Each User, Group, Resource has its own profile.

1. A User profile contains information about the user. This includes, the userid, user's description, creation date, revoked date, owner, system or group attributes and other information.
2. A Group profile contains information about the group. It also contains the users connected to the group. When users are connected to the group, an authority is defined for the user.
3. There are many resources controlled by RACF. The more common ones are:
1. Data set profiles contains information on a specific data set. This is a profile and NOT the data set itself. It contains the data set name pattern that determines what data sets it protects. It contains an access list that contains specific accesses allowed to users and groups.
2. Resource profiles are profiles for transaction groups, transactions, system resources, system services, etc. Like data set profiles, they contain information on specific resources. These are profiles or information about the resource and NOT the resources itself. It contains the name of the resource, the access list that has the specific accesses allowed to users and groups.