Advantages of using zSecure Command Verifier to monitor RACF

zSecure™ Command Verifier intercepts RACF® commands at an earlier stage than most other exits provided by RACF. Thus, the installation can verify keywords on the RACF commands before any significant RACF processing takes place. The installation can also change keywords in such a way that the RACF command processors cannot distinguish these modified keywords from those keywords that are entered by the terminal user. On the other hand, zSecure Command Verifier intercepts at a late enough stage to allow normal TSO command keyword prompting to take place. However, this latter feature is not supported for all keywords. Some keyword validations can be done only during the final processing of the command, and are thus not eligible for terminal prompting.

Although it is possible for the console operator to issue RACF commands, not all operator commands are intercepted by zSecure Command Verifier. zSecure Command Verifier does not intercept the original operator commands like DISPLAY and SIGNOFF, but it does intercept the other RACF commands like ALTUSER and LISTUSER.

z/OS® also provides a USS callable service to execute RACF functions. This R_Admin service can execute some predefined functions, but also all TSO RACF commands. These RACF commands are executed in the RACF address space under the authority of the RACF user ID associated with the USS process. Because these commands also invoke the standard RACF Common Command exit (IRREVX01), they can also be controlled by zSecure Command Verifier.

The current version of zSecure Command Verifier does not differentiate between the various sources of RACF commands or the execution environment. The execution environment includes TSO, Operator command, and RRSF propagated command, or R_Admin command.