Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
RACROUTE REQUEST=AUTH processing z/OS Security Server RACF System Programmer's Guide SA23-2287-00 |
|
Whenever a user attempts to access a resource, the system calls RACF® to perform authorization checking. During normal RACROUTE REQUEST=AUTH processing, RACF always authorizes full access to a user's own data (based on the high-level qualifier) and references the corresponding profile to see whether statistics or logging is indicated. An installation can bypass normal REQUEST=AUTH processing by using the global access-checking facility. When global access checking allows a request, RACF performs no I/O to the RACF database, performs no logging, and maintains no statistics. As a result, global access checking provides you with a fast way to allow access to selected resources. A global access table for the DATASET class is recommended because
of the frequency of AUTH requests that can occur.
In addition, if generic profile checking is active during authorization checking, RACF builds lists of generic profiles in storage to be referenced repeatedly by the RACROUTE REQUEST=AUTH function. The use of generic profiles can reduce the size of the RACF database, reduce the time and effort needed to maintain profiles, and minimize the frequency of I/O requests to the RACF database. However, these benefits are lost if too many generic profiles are
defined:
RACF generic profiles work best when you have multiple resources protected by a single profile. Note that RACF authorization checking bypasses data-set password checking. RACF also eliminates the need for an operator message requesting a password for password-protected DASD data sets. |
Copyright IBM Corporation 1990, 2014
|