The MVS router

This topic contains Product-sensitive Programming Interface and Associated Guidance Information.

The system authorization facility (SAF) provides your installation with centralized control over security processing by using a system service called the MVS™ router. The MVS router provides a common system interface for all products providing and requesting resource control. The resource-managing components and subsystems (such as CICS®) call the MVS router as part of certain decision-making functions in their processing, such as access control checking and authorization-related checking. These functions are called control points. This single SAF interface encourages the use of common control functions shared across products and across systems.

If RACF® is available in the system, the MVS router may pass control to the RACF router, which in turn invokes the appropriate RACF function. (The parameter information and the RACF router table, which associates router invocations with RACF functions, determine the appropriate function.) However, before calling the RACF router, the MVS router calls an optional installation-supplied security-processing exit, if one has been installed.

The system authorization facility and the SAF router are present on all MVS systems, even if RACF is not installed. Although the SAF router is not part of RACF, many system components and programs, such as CICS, invoke RACF through the RACROUTE macro and SAF. Therefore, installations can modify RACF parameter lists and do customized security processing within the SAF router. For information about how to code a SAF router exit, see the z/OS Security Server RACF Messages and Codes.