IBM Security zSecure, Version 2.2.0

RACF command exits

This section describes several types of exits supported by RACF. Most of these are ill-suited for the purpose of verifying the values of fields in RACF profiles. zSecure Command Verifier provides an interface where the authorization to manage fields and field values is defined using simple policy profiles.

The first category consists of exits that are not even RACF® exits, but MVS™ exits: the System Authorization Facility (SAF) exits. These exits are started for all instances in which any system component needs a function that is provided by the security product. However, for most of the RACF commands, these exits are not started because there is not yet any profile to be verified. In other situations, the RACF command does the verification itself, based on information already in storage, or retrieved directly from the RACF database.

The second category of exits consists of the RACF SVC-processing exits. During RACF SVC-processing, a preprocessing and a post-processing exit are started. These exits are primarily intended to change the behavior of RACF for low-level functions in a limited way. It is possible to misuse these exits and include more processing, but that is not an intended function of the exit. In addition, some RACF commands do not use the specific RACROUTE requests that use these exits.

A third category of exits is that for data set naming conventions. As the name implies, these exits are only started during RACF command processing if a data set name is present or implied. However, for most commands, no data set profile is involved, and thus none of these exits is called.

The next category of exits comprises the password-related exits. The new password exit is called only when a password or password interval is changed. The encryption exit is called when the new password must be encrypted in the RACF database. These exits are not called for those commands that do not involve passwords or other encrypted data.

RACF also provides an ACEE Compression/Expansion exit, but that exit, similarly to the RACFRW exit, is not relevant to RACF command processing.

Starting with OS/390® Release 3, RACF also provides a Common Command exit. This exit is called for most RACF commands. Before this exit, it was difficult to implement installation controls on RACF commands. Its major disadvantage is that the command string is passed as a single argument, adding all the complexity of parsing and interpreting its contents to the exit. The exit:



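The parsing burden that the Common Command exit places on its author, shown as an added example (not IBM code and not part of the original page): a Python sketch that splits a command string into verb, profile and keywords, honouring nested parentheses and quoted strings. The alias table, the two-operand policy and the sample command are assumptions made for the illustration.

```python
VERB_ALIASES = {"AU": "ADDUSER", "ALU": "ALTUSER"}  # illustrative subset (assumption)

def split_operands(text):
    """Split on blanks/commas outside (...) and '...'; '' is a literal quote."""
    tokens, cur, depth, quoted, i = [], "", 0, False, 0
    while i < len(text):
        ch = text[i]
        if quoted:
            cur += ch
            if ch == "'" and text[i + 1:i + 2] == "'":
                cur += "'"          # doubled quote stays inside the string
                i += 1
            elif ch == "'":
                quoted = False
        elif ch in " ," and depth == 0:
            tokens, cur = tokens + ([cur] if cur else []), ""
        else:
            quoted = ch == "'"
            depth += (ch == "(") - (ch == ")")
            if depth < 0:
                raise ValueError("unbalanced ')'")
            cur += ch
        i += 1
    if quoted or depth:
        raise ValueError("unterminated quote or parenthesis")
    return tokens + [cur] if cur else tokens

def keyword_map(tokens):
    """KEYWORD or KEYWORD(value) tokens -> {KEYWORD: value-or-None}."""
    parts = (tok.partition("(") for tok in tokens)
    return {name.upper(): rest[:-1] if paren else None for name, paren, rest in parts}

def parse_command(command):
    """Assumes: verb, then one unparenthesised profile name, then keywords."""
    tokens = split_operands(command.strip())
    verb = VERB_ALIASES.get(tokens[0].upper(), tokens[0].upper())
    return verb, tokens[1], keyword_map(tokens[2:])

def sensitive_operands(command):
    """Operands a hypothetical site policy wants reviewed on user commands."""
    verb, _profile, kw = parse_command(command)
    if verb not in ("ADDUSER", "ALTUSER"):
        return []
    omvs = keyword_map(split_operands(kw.get("OMVS") or ""))  # nested segment
    found = ["SPECIAL"] if "SPECIAL" in kw else []
    return found + (["OMVS UID(0)"] if omvs.get("UID") == "0" else [])

# Constructed sample: the word SPECIAL appears only inside a quoted name.
SAMPLE = "alu JDOE NAME('SPECIAL PROJECTS (TEMP)') OMVS(UID(0) HOME('/u/jdoe'))"
```

A plain substring search for SPECIAL matches the sample although the attribute is not being set, while the nested UID(0) is only visible after the OMVS segment is parsed. Keyword abbreviations and parenthesised lists of profile names are not handled in this sketch.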