Nowadays, most RACF administrators report to Chief Information Security Officers (CISOs) who have never worked with z/OS or RACF, and they are examined by auditors, both internal and external, who likewise have had little exposure to the mainframe. The RACF administrators we speak with, and those who post on discussion forums, constantly say something like "my (fill-in-the-blank) doesn't understand RACF, and this is causing me endless headaches." To address this situation, we took it upon ourselves to write a brief description of RACF that administrators can pass on to their manager and to others in the organization who need a basic understanding of RACF's purpose and function. The following overview is the result. Although it has only just been published on our website, it has already been downloaded many times, and we have received feedback that it has been helpful. We hope you find it helpful, too.
Introducing z/OS & RACF
z/OS is IBM's general-purpose, 64-bit operating system for its IBM Z (formerly zSeries) mainframe computers. The "z" denotes "zero downtime," emphasizing the resilience and dependability of both the hardware and the software.
z/OS services provide communications, online user interfaces, and batch processing in support of business applications. They include Time Sharing Option (TSO), Customer Information Control System (CICS), TCP/IP, Database 2 (DB2), Job Entry Subsystem (JES), FTP, Information Management System (IMS), and z/OS UNIX System Services.
RACF (Resource Access Control Facility) is IBM's software product that provides security services for z/OS. It performs the following functions:
- Verifies a user's identity at logon using a password (up to 8 characters), a password phrase (up to 100 characters), or a digital certificate
- Determines whether a user is permitted to access a dataset (i.e., a file) or another protected resource, and at what level (for example, READ versus UPDATE)
- Logs security-relevant events, such as failed logons, access attempts, and administrative changes, so they can be reviewed and audited
- Decides whether a user can administer security controls, and over which part of the security database
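The four functions above can be seen in a handful of RACF commands. The job below is an added example written for this overview; it is not IBM's code and not part of the original text. It submits RACF commands through the batch TSO terminal monitor program (IKJEFT01), which is a common way administrators script changes. The group PAYROLL, the users JSMITH, PAYBATCH and PAYSEC, and the dataset prefix PAYROLL.MASTER are all hypothetical names chosen for illustration; the submitting user needs the SPECIAL attribute, and SETROPTS GENERIC(DATASET) is assumed to be active already, as it is on almost every installation.

```jcl
//RACFDEMO JOB (ACCT),'RACF OVERVIEW DEMO',CLASS=A,MSGCLASS=X
//* Added example for this overview, not IBM's or the original page's
//* code. Every group, user and dataset name below is hypothetical.
//*
//* Step 1 (identity): a group, a human user with an initial password
//*   that RACF marks expired so it must be changed at first logon, a
//*   protected batch ID that can never log on with a password, and a
//*   system-wide password policy (90-day expiry, 10 passwords of
//*   history, exactly 8 alphanumeric characters).
//* Step 2 (access): protect every dataset under PAYROLL.MASTER with a
//*   generic profile. UACC(NONE) means nobody is allowed in by default;
//*   PERMIT then grants READ to the PAYROLL group and UPDATE only to
//*   the batch ID. REFRESH makes the new generic profile take effect.
//* Step 3 (logging): the AUDIT operand writes an SMF record for every
//*   failed read and every successful update; UAUDIT logs everything
//*   one particular user does while the setting is on.
//* Step 4 (administration): group-SPECIAL lets PAYSEC administer
//*   profiles owned by the PAYROLL group without system-wide SPECIAL.
//* Finally LISTDSD shows the profile, its access list and audit flags
//*   so the result can be checked in SYSTSPRT.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDGROUP PAYROLL OWNER(SYS1) SUPGROUP(SYS1)
  ADDUSER JSMITH NAME('JANE SMITH') OWNER(PAYROLL) +
     DFLTGRP(PAYROLL) PASSWORD(TMPPW001)
  ADDUSER PAYBATCH NAME('PAYROLL BATCH') OWNER(PAYROLL) +
     DFLTGRP(PAYROLL) NOPASSWORD NOPHRASE
  ADDUSER PAYSEC NAME('PAYROLL SEC ADMIN') OWNER(PAYROLL) +
     DFLTGRP(PAYROLL) PASSWORD(TMPPW002)
  SETROPTS PASSWORD(INTERVAL(90) HISTORY(10) +
     RULE1(LENGTH(8) ALPHANUM(1:8)))
  ADDSD 'PAYROLL.MASTER.**' OWNER(PAYROLL) UACC(NONE) +
     AUDIT(FAILURES(READ) SUCCESS(UPDATE))
  PERMIT 'PAYROLL.MASTER.**' ID(PAYROLL) ACCESS(READ)
  PERMIT 'PAYROLL.MASTER.**' ID(PAYBATCH) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  ALTUSER JSMITH UAUDIT
  CONNECT PAYSEC GROUP(PAYROLL) SPECIAL
  LISTDSD DATASET('PAYROLL.MASTER.**') ALL
/*
```

Two design points matter to a manager reading this. First, the profile starts closed (UACC(NONE)) and access is opened per group or per ID at the lowest level that does the job, which is what auditors mean by least privilege. Second, administrative authority is scoped: group-SPECIAL over PAYROLL lets the payroll security contact manage payroll profiles without being able to touch the rest of the system.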
z/OS is the latest iteration in a series of operating systems dating back to 1964. Because of IBM's emphasis on backward compatibility, z/OS still runs business applications written decades ago under earlier versions of the operating system, maximizing customers' return on their software investment. Achieving this has meant retaining certain limitations of the original architecture, such as 8-character USERIDs and 44-character dataset names.
Early versions of the operating system were designed during information technology's infancy, well before security was a major consideration, and the initial security features were rudimentary (e.g., dataset passwords). To meet the evolving security needs of more modern systems, IBM developed RACF, first released in 1976.
To compensate for the lack of security functionality in early versions of both the operating system and RACF, software developers built security controls of their own design into their products. Such controls became known as "internal" security. Over time, RACF improved in functionality and performance, and most products added options to hand their internal controls over to "external" security, i.e., RACF. Nonetheless, many products still default to internal security, and each product left on its own controls is a place where user definitions, access rules, and logging escape central administration and review. One of the many challenges in properly securing a z/OS system is therefore ensuring that every software product is configured to let RACF govern its security.