Service name
Security Server (RACF)


For z/OS Releases
V1R1 and above


Description
The Security Server (RACF) service is a pure supporting service. It cannot be customized, but it offers update requests that can be used by other services to make their security definitions in the RACF database. It also offers selective data that it retrieves from the RACF database during the 'Refresh' task which can be accessed in read-only mode by other services.


Policies Supplied
 
Policy name: authorization
Purpose:
  • Lets customers specify whether update requests against the Security Server (RACF) service will result in actual updates in the RACF database or not.
  • If 'no update' is selected in the policy dialog, update requests are reported in a log message but not performed. If 'no delete' is selected in the policy dialog, deletions of objects in the RACF database that would have taken place as part of the update process are reported in a log message but not performed. However, other updates to the RACF database, such as adding new objects, are performed.


Refresh Actions
 
System resources accessed during Refresh:
Selected entries are retrieved from the RACF database, including:
  • a list of selected resource profiles together with their attributes and access lists
  • the names and properties of the Unix System Services anchor user and anchor group (if defined)
  • a list of selected started task procedure profiles in the STARTED class together with their attributes
  • a list of program controlled datasets in the PROGRAM class together with their attributes
Authorization Required:
The SPECIAL attribute must be defined for the RACF user IDs performing a refresh.
The Security Server (RACF) service supplies a refresh dialog that is automatically displayed before the very first refresh of the service or on explicit user request (by selecting the Edit refresh data choice for the service). This dialog handles the rare cases where customers have defined their security setup in a way that a RACF database is not shared among all systems in a sysplex. In this case the user can define which subset of systems are sharing a RACF database to make sure that updates are applied to the correct database.


Update Actions Performed by this Service
None


Update Requests Offered by this Service
 
Update action:
The following objects/settings are defined or modified:
  • user profiles
  • group profiles
  • connects (user => group)
  • resource profiles
  • data set profiles
  • access permissions (user or group => resource/data set profile)
  • RACF options (SETROPTS)
System resources Updated:
RACF database.
Authorization Required:
The SPECIAL attribute must be defined for the RACF user IDs performing update requests.