Having identified and verified the user, RACF® then controls interaction between the user and the system resources. RACF must authorize not only the users who can access resources, but also the way the user can access them, which depends on the user's purpose—reading, for example, or updating. RACF also can authorize when a user can access resources, by either time or day.