z/OS UNIX System Services Planning


Limitations of RACF client ACEE support

GA32-0884-00

If both the server's RACF® identity and the client's RACF identity are used to make access decisions, you should be aware of limitations of the RACF client ACEE support.
  • RACROUTE REQUEST=FASTAUTH processing does not check both the server and client RACF identities automatically.

    Unauthorized servers cannot use the RACROUTE REQUEST=LIST instruction to build in-storage profiles for RACF-defined resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can verify a user's access to a resource.

  • The client/server relationship is not propagated from the server.

If your server controls access to resources by checking and authenticating both the server's RACF identity and the client's RACF identity, treat servers you do not trust as end points on z/OS. These servers should not be allowed to submit batch jobs or use the services of other servers that run exclusively under the identity of the client. You must ensure that servers that do not meet these criteria are not authorized to the profile BPX.SERVER in the RACF FACILITY class.
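One way to audit the BPX.SERVER requirement above is to compare the profile's access list with the servers you have decided to trust. This is an added example, not IBM code: the listing is a constructed, simplified stand-in for `RLIST FACILITY BPX.SERVER AUTHUSER` output, and the user IDs, the trusted set and the function names are assumptions.

```python
# Constructed, simplified stand-in for `RLIST FACILITY BPX.SERVER AUTHUSER` output.
# Real listings carry more sections and vary by RACF release; the IDs are made up.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
FACILITY   BPX.SERVER

USER      ACCESS
----      ------
WEBSRV1   UPDATE
FTPD      READ
TESTSRV   UPDATE
OLDSRV    NONE

   ID     ACCESS   CLASS          ENTITY NAME
-------- ------- -------- -----------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
"""

ACCESS_LEVELS = {"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}

def parse_access_list(listing):
    """Return {id: access} from the standard access list (assumed 'USER ACCESS' header)."""
    entries, in_list = {}, False
    for line in listing.splitlines():
        fields = line.split()
        if fields[:2] == ["USER", "ACCESS"]:
            in_list = True              # start of the standard access list
        elif in_list and not fields:
            break                       # blank line closes the section
        elif in_list and len(fields) >= 2 and fields[1] in ACCESS_LEVELS:
            entries[fields[0]] = fields[1]
    return entries

def unapproved(entries, trusted):
    """IDs holding any access above NONE that are not in the trusted set.
    An entry may be a group name; its members need a separate review."""
    return sorted(i for i, a in entries.items() if a != "NONE" and i not in trusted)

def removal_commands(ids):
    """RACF commands for an administrator to review before running."""
    cmds = [f"PERMIT BPX.SERVER CLASS(FACILITY) ID({i}) DELETE" for i in ids]
    if cmds:
        # Needed when the FACILITY class is RACLISTed, so the change takes effect.
        cmds.append("SETROPTS RACLIST(FACILITY) REFRESH")
    return cmds

if __name__ == "__main__":
    flagged = unapproved(parse_access_list(SAMPLE_RLIST), {"WEBSRV1", "FTPD"})
    print("\n".join(removal_commands(flagged)))
```

The audit covers only the explicit access list; the profile's universal access (UACC) should be checked separately.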





Copyright IBM Corporation 1990, 2014