z/OS Version 2 Release 3 Security Server RACF System Programmer's Guide IBM SA23-2287-30 Note Before using this information and the product it supports, read the information in “Notices” on page 365. This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2019-02-16 © Copyright International Business Machines Corporation 1994, 2018. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents List of Figures....................................................................................................... xi List of Tables.......................................................................................................xiii About this document............................................................................................xv Intended audience..................................................................................................................................... xv Where to find more information................................................................................................................. xv RACF courses........................................................................................................................................ xv Other sources of information.................................................................................................................... xvi Internet sources...................................................................................................................................xvi How to send your comments to IBM.................................................................... xvii If you have a technical problem............................................................................................................... xvii Summary of changes......................................................................................... xviii Summary of changes for z/OS Version 2 Release 3 (V2R3)................................................................... xviii Summary of changes for z/OS Version 2 Release 2 (V2R2) as updated December 2016.....................xviii Summary of changes for z/OS Version 2 Release 2 (V2R2)..................................................................... xix z/OS Version 2 Release 1 summary of changes........................................................................................ xx Chapter 1. Security and the RACF database............................................................1 Data processing security..............................................................................................................................1 How RACF meets security needs.................................................................................................................1 Identifying and verifying users...............................................................................................................1 Authorizing users to access resources.................................................................................................. 1 Controlling access to resources............................................................................................................. 1 Logging and reporting.............................................................................................................................2 Administering security............................................................................................................................2 Basic RACF concepts................................................................................................................................... 2 RACF and the operating system.................................................................................................................. 2 The RACF database......................................................................................................................................3 Database templates............................................................................................................................... 4 Multiple data set support....................................................................................................................... 6 Backup RACF database.......................................................................................................................... 6 Shared RACF databases......................................................................................................................... 7 Sharing RACF data without sharing a database.....................................................................................9 Creating a RACF database....................................................................................................................10 Finding a location for the RACF database............................................................................................10 Copying your database.........................................................................................................................11 Using DFSMSdss DEFRAG.................................................................................................................... 12 DFSMS enhanced data integrity (EDI)................................................................................................. 12 Monitoring the usable space in your RACF database..........................................................................12 Chapter 2. Performance considerations................................................................15 The RACF database....................................................................................................................................15 Selection of control unit and device.................................................................................................... 15 Shared RACF database.........................................................................................................................15 Multiple data sets.................................................................................................................................16 Database housekeeping.......................................................................................................................16 Creating backup RACF databases........................................................................................................16 Resident data blocks................................................................................................................................. 17 RVARY SWITCH command................................................................................................................... 18 Auditing...................................................................................................................................................... 18 iii Operands requiring the AUDITOR attribute.........................................................................................18 RACF commands........................................................................................................................................19 RACF utility programs................................................................................................................................ 20 BLKUPD.................................................................................................................................................20 IRRUT200............................................................................................................................................. 20 Failsoft processing..................................................................................................................................... 20 Protecting data during its life cycle........................................................................................................... 21 Encryption of data at rest.....................................................................................................................21 Erase-on-scratch..................................................................................................................................22 Installation-written exit routines.............................................................................................................. 22 Using global access checking.................................................................................................................... 23 The SETROPTS command..........................................................................................................................23 Using SETROPTS RACLIST and SETROPTS GENLIST..........................................................................23 Using SETROPTS INITSTATS and SETROPTS STATISTICS..................................................................29 Identification, verification, and authorization of user IDs........................................................................ 31 User identification and verification......................................................................................................31 RACROUTE REQUEST=AUTH processing............................................................................................ 32 RACROUTE REQUEST=FASTAUTH processing...................................................................................