z/OS Security Server RACF System Programmer's Guide


RACF and the operating system

SA23-2287-00

RACF® acts as a layer in the operating system.

For example:
  1. A user is identified and verified to the RACF-protected system.
  2. A user wants to modify an existing RACF-protected resource.
  3. The user issues a command to the system to access the resource.
  4. The system resource manager (such as data management) processes the request.
  5. The resource manager “asks” RACF whether the user can access the resource.
  6. RACF checks one profile to verify that the user can access the resource and to determine whether the user has the required authorization to modify the contents.
  7. RACF returns the results of its check to the resource manager.
  8. The resource manager, based on what RACF indicates, either grants or denies the request.

Figure 1 shows how RACF interacts with the operating system to allow access to a protected resource. The operating system-RACF interaction to identify and verify users is similar.

Figure 1. RACF and its relationship to the operating system

During authorization checking, RACF ensures that a user has the authorization to access the requested protected resource. RACF checks the resource profile to ensure, for example, that the resource can be accessed in the way requested and that the user has the proper authorization to access the resource.

The RACF mechanism is analogous to the tumblers of a lock, all of which must align before the lock can open. In RACF, the necessary user-resource requirements must match before RACF grants the request to access a protected resource.
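The request flow in steps 4 through 8 can be modeled as two separate components: a resource manager that owns the data and a security manager that only answers questions. The following is an added example, not IBM code: a simplified Python model in which the class names, the sample profiles and the user IDs are constructed for illustration, and which leaves out everything beyond a single profile lookup (groups, for instance).

```python
from dataclasses import dataclass, field

# RACF access authorities, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
# SAF-style return codes handed back to the resource manager.
RC_AUTHORIZED, RC_NO_DECISION, RC_DENIED = 0, 4, 8

@dataclass
class Profile:
    uacc: str = "NONE"                               # access for users not listed
    access_list: dict = field(default_factory=dict)  # user ID -> access level

class SecurityManager:
    """Decision point (steps 6-7): reads profiles, never touches the data."""
    def __init__(self, profiles):
        self.profiles = profiles

    def check(self, user, resource, requested):
        profile = self.profiles.get(resource)
        if profile is None:
            return RC_NO_DECISION                    # no profile covers the resource
        # An explicit entry for the user wins over UACC, even if it is NONE.
        granted = profile.access_list.get(user, profile.uacc)
        ok = LEVELS.index(granted) >= LEVELS.index(requested)
        return RC_AUTHORIZED if ok else RC_DENIED

class ResourceManager:
    """Enforcement point (steps 4, 5 and 8): acts on the returned code."""
    def __init__(self, security, data):
        self.security, self.data = security, data

    def update(self, user, resource, contents):
        rc = self.security.check(user, resource, "UPDATE")
        # Model choice: anything but 0 is refused. What a real resource
        # manager does with return code 4 is that manager's own policy.
        if rc != RC_AUTHORIZED:
            return rc, "request denied"
        self.data[resource] = contents
        return rc, "updated"

def demo():
    # Constructed sample data, not taken from any real system.
    profiles = {"PAY.MASTER": Profile("NONE", {"ALICE": "UPDATE", "BOB": "READ"})}
    data = {"PAY.MASTER": "v1", "TEMP.WORK": "t1"}
    rm = ResourceManager(SecurityManager(profiles), data)
    tries = [("ALICE", "PAY.MASTER"), ("BOB", "PAY.MASTER"),
             ("CAROL", "PAY.MASTER"), ("ALICE", "TEMP.WORK")]
    return [rm.update(u, r, "v2") for u, r in tries], data

if __name__ == "__main__":
    print(demo())
```

BOB is refused because READ is lower than the UPDATE the request needs, CAROL falls through to the profile's universal access of NONE, and the request against TEMP.WORK gets return code 4 because no profile covers it.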





Copyright IBM Corporation 1990, 2014