z/OS Security Server RACF General User's Guide


Authorizing users to access protected resources

SA23-2298-00

RACF® enables your organization to define individuals and groups who use the system RACF protects. For example, for a secretary in your organization, a security administrator uses RACF to define a user profile that defines the secretary's user ID, initial password, and other information.

A group is a collection of individuals who have common needs and requirements. For example, the secretaries for a whole department might be defined as one group.

RACF also enables an installation to define what authorities you have, or what authorities a group to which you belong has. RACF controls what you can do on the system. Some individuals have a great degree of authority, while others have little authority. The degree of authority you are given is based on what you need to do your job.

Besides defining user and group authorities, RACF protects resources. A resource is your organization's information stored in its computer system, such as a data set. For example, a secretary might have a data set as a resource. RACF provides a way to control who has authority to access a resource.

RACF stores information about users, groups, and resources in profiles. A profile is a record of RACF information that has been defined by the security administrator. There are user, group, and resource profiles.

Note: RACF protects some z/OS® UNIX resources, such as files and directories. Security information about these resources is not stored in profiles, but in the z/OS UNIX file system, and it is administered using z/OS UNIX commands. For more information about z/OS UNIX resources, see z/OS UNIX System Services User's Guide.

Using information in its profiles, RACF authorizes access to certain resources. RACF applies user attributes, group authorities, and resource authorities to control use of the system.
  • Your user profile provides your user attributes. User attributes describe what system-wide and group-wide access privileges you have to protected resources.
  • Your group profile describes the kind of authority you as a group member have to access resources that belong to your group.
  • The resources themselves have profiles describing the type of authority needed to use them.

The security administrator or someone in authority in your organization controls the information in your user profile, in group profiles, and in resource profiles. You, as the end user, control the information in profiles describing your own resources, such as your own data sets. You can protect your data by setting up resource profiles.

A resource profile can contain an access list as well as a default level of access authority for the resources it protects. An access list identifies the access authorities of specific users and groups, while the default level of access authority applies to anyone not specifically in the access list. You can specify the users you want on the access list and what authority they have to use your data. You can change your resource profiles, but you cannot change the user or group profiles, because they are established by the system administrator.

RACF enables you to perform security tasks. You can use RACF to see the authorities you have, to protect your resources with profiles you create, or to give other users the authority to access your resources. For example, you might want to let someone look at a data set that contains a program you are developing, but not be able to change that data set. In the data set's profile, you can add that person to the access list with the authority to view, but not change, your data. In this way, RACF helps you protect your work.
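
The access list and default level of access authority described above can be modeled in a few lines. This is an added example, not RACF code and not part of the IBM guide: the profile name, user IDs, group name, the subset of authority levels, and the rule that a user's own entry is used before any group entry are assumptions of this simplified model.

```python
# Simplified model of a resource profile: an access list plus a default
# level of access. All names and sample data below are constructed.
from dataclasses import dataclass, field

# Subset of access authorities, lowest to highest (assumed for this model).
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class ResourceProfile:
    name: str
    default_access: str = "NONE"  # applies to anyone not on the access list
    access_list: dict = field(default_factory=dict)  # user ID or group -> authority

    def permit(self, identity, authority):
        """Add or change an access list entry for a user ID or group."""
        if authority not in LEVELS:
            raise ValueError(f"unknown authority: {authority}")
        self.access_list[identity] = authority


def granted_authority(profile, user_id, groups=()):
    """Return the authority the profile gives this user."""
    # Assumption: an entry for the user ID itself is used before group entries.
    if user_id in profile.access_list:
        return profile.access_list[user_id]
    # Assumption: with several listed groups, the highest authority is used.
    hits = [profile.access_list[g] for g in groups if g in profile.access_list]
    if hits:
        return max(hits, key=LEVELS.index)
    # Not on the access list at all: the default level applies.
    return profile.default_access


def is_allowed(profile, user_id, requested, groups=()):
    """True if the granted authority is at least the requested one."""
    granted = granted_authority(profile, user_id, groups)
    return LEVELS.index(granted) >= LEVELS.index(requested)


def sample_profile():
    """Constructed profile: a colleague may view, but not change, the data."""
    prof = ResourceProfile("SMITH.PROGRAM.DATA", default_access="NONE")
    prof.permit("JONES", "READ")      # view only
    prof.permit("DEPTD60", "UPDATE")  # hypothetical group entry
    return prof
```

Setting the default level to NONE and listing only the people who need the data keeps access limited to what each person needs to do their job.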





Copyright IBM Corporation 1990, 2014