
RACF maintains buffers in memory, known as resident data blocks, that retain copies of the most recently used database blocks for reuse. You specify the desired number of resident data blocks for each RACF data set in the database name table (ICHRDSNT). You should always specify the maximum, 255. Figure 3 shows sample code to build the ICHRDSNT.
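The following ICHRDSNT source is an added illustration and is not the article's Figure 3. It assumes a single primary/backup data set pair with hypothetical names SYS1.RACFP and SYS1.RACFB; the layout (a one-byte data set count, then per pair a 44-byte primary name, a 44-byte backup name, a one-byte resident data block count and a one-byte flag byte) follows the documented ICHRDSNT format.

```asm
*********************************************************************
* ICHRDSNT - RACF database name table (added example, not Figure 3)
* Data set names below are hypothetical placeholders.
*********************************************************************
ICHRDSNT CSECT
         DC    AL1(1)                 number of data set pairs
         DC    CL44'SYS1.RACFP'       primary data set (hypothetical)
         DC    CL44'SYS1.RACFB'       backup data set (hypothetical)
         DC    AL1(255)               resident data blocks: always 255
         DC    X'80'                  flags: duplex all updates except
*                                     statistics to the backup
         END
```

A lower value in the AL1 field before the flag byte is the weak setting this tip warns against; every pair in the table should carry 255, and the table must be link-edited into a library in the LNKLST or LPALST so that RACF can load it at IPL.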

3 Use RACLIST classes whenever feasible

RACLIST is a SETROPTS option for loading general resource profiles into memory for rapid reference; it causes all profiles for the class to be retrieved from the database and stored in a z/OS data space. All subsequent access checks reference this in-storage copy of the profiles rather than the database.

RACLISTing is especially valuable for classes used during logon processing, particularly those that affect CICS logons. RACLISTing can occur in one of two ways. A system application (e.g., CICS) can RACLIST a class itself, using the RACROUTE macro. Or a system-SPECIAL administrator can issue a SETROPTS RACLIST(classname) command. For an administrator to RACLIST a class with the SETROPTS command, the class must be defined in the class descriptor table with RACLIST ALLOWED.

If you change any profiles in a RACLISTed class, the in-storage profiles must be refreshed for the change to take effect. Enter the command SETROPTS RACLIST(classname) REFRESH. During the refresh, all profiles are retrieved from the database and loaded into a new data space. Once the new data space is created and placed in service, the old one is discarded. Access checks continue against the old copy until the switch, so the refresh does not disrupt running work.

During RACLISTing, the contents of grouping class profiles merge with the member class profiles to form a single composite list. If there are many profiles, or grouping profiles with many resources, this can be a lengthy, resource-intensive process. If the class being refreshed shares a POSIT number with other classes, all of them are refreshed together. Institute administrative practices that minimize the need for changes and refreshes. For example, use groups in access lists instead of individual user IDs, so that adding a user to a group does not require a profile change. Avoid refreshes during the workday, if possible.

Some third-party software products give you the option of using a general resource class for protecting resources or the DATASET class. As a rule, opt for the resource class to take advantage of RACLISTing.

4 RACGLIST the RACLISTed classes

Aside from the initial RACLISTing, RACF repeats the RACLISTing process described above for every RACLISTed class at Initial Program Load (IPL), and for a specific class whenever an administrator issues SETROPTS RACLIST(classname) REFRESH. Each z/OS system image sharing the database must perform this RACLIST process for itself.

You can avoid some of this processing by using RACGLIST. With RACGLIST, once the RACLIST processing is complete, RACF saves a copy of the post-processed (already merged) profiles in the database. During IPL, RACF retrieves and loads these saved profiles into the data space without repeating the merging process, and other systems sharing the database benefit from the same saved copy.
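The command sequence below is an added example of how tips 3 and 4 fit together for one class; it is not taken from the article. It assumes the FACILITY class, which is defined with RACLIST ALLOWED in the IBM-supplied class descriptor table, and that the issuing user has the system-SPECIAL attribute.

```tso
/* Added example: RACLIST a class, then have RACF save the merged  */
/* result with RACGLIST. Run from a system-SPECIAL user ID.        */

/* 1. Load the class into a data space (tip 3).                    */
SETROPTS RACLIST(FACILITY)

/* 2. After any profile change in the class, rebuild the data      */
/*    space; the old copy stays in service until the new one is    */
/*    ready, so this can run while work is active, but schedule    */
/*    it outside peak hours for large classes.                     */
SETROPTS RACLIST(FACILITY) REFRESH

/* 3. Save the post-merge profiles in the database so that the     */
/*    next IPL, and other systems sharing the database, load them  */
/*    without repeating the merge (tip 4).                         */
SETROPTS RACGLIST(FACILITY)

/* 4. Verify: the RACLIST and RACGLIST class lists in the output   */
/*    should now both include FACILITY.                            */
SETROPTS LIST
```

Because a REFRESH also refreshes every class that shares the same POSIT number, check the class descriptor table before refreshing a class you believe to be small; the cost is that of the whole POSIT group, not of one class.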
