IBM Security zSecure, Version 2.2.0

RACF commands

Using the RACF commands, you can add, change, or delete RACF profiles and define system-wide options. Only users that are defined by RACF® can issue RACF commands. Although you can issue most RACF commands, RACF verifies that you are authorized to issue the command against the profile that is specified in the command. Most of the RACF commands can be issued from the TSO environment. In addition, there are some RACF commands that can be issued only from the MVS™ operator console. Nowadays, the traditional TSO RACF commands are no longer restricted to the TSO environment. The commands can also be issued from the operator console, the RACF Parameter Library, and through an R-Admin RACF Callable Service. When issued from the operator console, the console operator must be logged on, and the authorization is based on the user ID of the operator.

Historically, RACF commands are grouped by the type of profile. This grouping is still useful for users and groups, but less so for data sets and general resources. In particular, the PERMIT command often confuses people when they try to authorize access to a general resource profile. The long history of RACF can be seen in the implementation of discrete profiles and in the user attributes that can be used to automatically set data set attributes like UACC. Using the RACF ISPF panel interface alleviates some of the problems that are caused by this history and by compatibility with earlier versions of RACF.

Some command-related problems are caused by the basic philosophy of RACF:
The owner of a profile can change any attribute of the profile as long as changing the attribute does not increase the authority or access of the owner.

Some installations do not want to allow their users this flexibility. Users can change the access rules to effectively disable RACF access control for their resources. You can reduce this exposure by disallowing the RACF commands entirely, or through coding of exits. Both solutions have their drawbacks. Disallowing the commands (for example, through RACF program control) also prevents legitimate changes that an owner of a resource might want to make. The standard RACF exits often do not provide the amount of control that is required by the installation. See RACF command exits. Subsequent sections describe how zSecure™ Command Verifier introduces an extra flexible control point.
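The two points above, which class a PERMIT acts on and owners loosening their own access rules, shown as an added review script (this is not IBM or zSecure code). It relies on the RACF default that PERMIT acts on the DATASET class when CLASS is omitted; the `review` and `keyword` helpers, the `READ` threshold, and all sample names are assumptions made for this example, and commands are assumed to use unabbreviated keywords.

```python
import re

# Access levels in ascending order, as used by UACC() and ACCESS().
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def keyword(cmd, name):
    """Return the operand of NAME(...) upper-cased, or None if absent."""
    m = re.search(r"\b" + name + r"\(\s*([^)]*?)\s*\)", cmd, re.IGNORECASE)
    return m.group(1).upper() if m else None

def at_least(level, threshold):
    return level in LEVELS and LEVELS.index(level) >= LEVELS.index(threshold)

def review(cmd, threshold="READ"):
    """Return (verb, class acted on, findings) for one RACF command string."""
    words = cmd.split()
    verb, findings = words[0].upper(), []
    if verb == "PERMIT":
        # PERMIT acts on the DATASET class unless CLASS() is specified.
        rclass = keyword(cmd, "CLASS") or "DATASET"
        ids = (keyword(cmd, "ID") or "").replace(",", " ").split()
        access = keyword(cmd, "ACCESS")
        if "*" in ids and at_least(access, threshold):
            findings.append(f"ID(*) permitted {access}")
    elif verb in ("ADDSD", "ALTDSD"):
        rclass = "DATASET"
    elif verb in ("RDEFINE", "RALTER") and len(words) > 1:
        rclass = words[1].upper()  # class name is the first positional operand
    else:
        return verb, None, findings  # not an access-rule command reviewed here
    uacc = keyword(cmd, "UACC")
    if verb != "PERMIT" and at_least(uacc, threshold):
        findings.append(f"UACC set to {uacc}")
    return verb, rclass, findings

# Constructed sample commands; all profile, user and group names are made up.
SAMPLE = [
    "PERMIT 'PAYROLL.MASTER.DATA' ID(*) ACCESS(UPDATE)",
    "ALTDSD 'PAYROLL.MASTER.DATA' UACC(READ)",
    "PERMIT APP.PAYROLL.ADMIN CLASS(FACILITY) ID(OPSGRP) ACCESS(READ)",
    "PERMIT APP.PAYROLL.ADMIN ID(OPSGRP) ACCESS(READ)",  # CLASS omitted
    "RALTER FACILITY APP.PAYROLL.ADMIN UACC(NONE)",
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(review(c), "<-", c)
```

The fourth sample is the case that trips people up: without CLASS, the command is resolved against a data set profile rather than the general resource profile of the same name.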


