Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Effect on RACF authorization checking z/OS Security Server RACF Security Administrator's Guide SA23-2289-00 |
|
For RACROUTE REQUEST=AUTH access checking, security classification processing takes place after global access checking (if active), but before RACF® checks the standard access list. If global access checking does not allow access to the resource, RACF does security classification processing for any resource that is protected by a profile that has security category or security level data. (For information on global access checking, see Setting up the global access checking table. For a complete list of the sequence of checks that RACF makes to grant or deny access to a resource, see Authorization checking for RACF-protected resources.) Attention: Because RACF performs global access checking before
many of the other kinds of access authority checks, such as security
label checking or access list checking, global access checking might
allow access to a resource you are otherwise protecting. To avoid
a security exposure to a sensitive resource, do not create an entry
in the global access checking table for a resource protected by a
profile that contains a security level, security category, or security
label (if the security label in the profile is SYSLOW, a global access
checking table entry with an access authority of READ can be created).
See Authorization checking for RACF-protected resources.
|
Copyright IBM Corporation 1990, 2014
|