RACF Administration

Course:  RACFAD01
Duration:  4 Days
Level:  II
Course Summary

This course introduces students to the concepts, terminology, commands, and procedures involved in administering a RACF secured system. All major aspects of RACF administration are covered and these facilities will benefit the audit process. The course can be run with either online labs (if a suitable environment is available) or with paper based labs (if online access is not available).

« Hide The Details
Topics Covered In This Course


  • Positioning RACF with SAF and Operating System
  • Security past and present
  • Security threats and the role of RACF
  • RACF Structure: Profiles and Classes
  • Review of available documentation

Where to start with Security

  • Policy statement production
  • Identifying Resources and ownership
  • Identifying the Users
  • Relating Resources and Users
  • Converting the policy to a Plan

The Group Structure

  • Identifying Business Groups
  • Relating Business Groups to RACF Groups
  • Associating Users with Groups
  • Group/Sub-group Hierarchy
  • Privilege Status –Special vs Group Special
  • Group Ownership and Connection

The RACF Commands

  • Entering RACF Commands
  • RACF Commands and the Manuals
  • Entering RACF Commands in Batch
  • Online Help

Defining/Deleting RACF Groups

  • Group Profile Commands
  • Adding a Group (ADDGROUP)
  • Deleting a Group (DELGROUP)
  • Modifying an existing Group (ALTGROUP)
  • Obtaining Group information (LISTGRP)
  • Specifying the Superior Group
  • Data set Profile Modelling
  • RACF Remote Sharing Parameters
  • Additional ADDGROUP Parameters
  • Additional Group Segments
  • Required authority levels for Group Commands

Defining Users

  • User Profile Commands
  • Adding a User profile (ADDUSER)
  • Deleting a User profile (DELUSER)
  • Modifying a existing user Profile (ALTUSER)
  • Obtaining user information (LISTUSER)
  • Specifying the Default Group
  • Group and Class Authority
  • Group Access Authority
  • RACF Remote Sharing Parameters
  • Data set Profile Modelling
  • RACF Authorities and Attributes
  • Security Levels and Security Categories
  • Security Labels
  • Defining the CICS Segments
  • Defining the DCE Segments
  • Defining the DFP Segment
  • Defining the LANGUAGE Segment
  • Defining the OMVS Segment and why
  • Defining the NETVIEW Segments)
  • Defining the OPERPARM Segments
  • Defining the TSO Segments and why
  • Defining the WORKATTR Segments
  • Parameters only applicable to ALTUSER
  • Required authority levels for User Commands
  • Basic PASSWORD
  • Changing Other Users Passwords
  • Full Syntax of PASSWORD
  • Required authority levels Password Command

Connecting Users to Groups

  • Connect and Remove Commands
  • CONNECT a user to a Group
  • REMOVE a user from a Group
  • Relevance to deleting a Group
  • Required authority levels for Connect/Remove

Data set Profiles

  • Data set Profile Commands
  • Discrete Data set Profiles
  • Generic Data set Profiles
  • Adding a data set profile (ADDSD)
  • Discrete Profile Parameters
  • Generic Wildcard Characters - %
  • Generic Wildcard Characters - *
  • Generic Wildcard Characters - **
  • Specifying Data set Attributes
  • Access Levels
  • Auditing Access Attempts
  • Profile Copying
  • RACF Remote Sharing Parameters
  • Security Level & Category Checking
  • Other Profile Attributes
  • Deleting a data set profile (DELDSD)
  • Modifying an existing data set profile (ALTDSD)
  • Parameters only applicable to ALTDSD
  • Obtaining data set profile information (LISTDSD)
  • Listing multiple data set Profiles
  • Listing Generic or Discrete Profiles
  • Required authority levels for data set Commands
  • Allowing other users/groups access (PERMIT)
  • Conditional Access Lists
  • Permitting Many Users access
  • Denying Users and Groups access
  • Deleting Access Lists
  • Required authority levels for Permit Command

General Resource Profiles

  • General Resource Profile Commands
  • Defining additional resources (RDEFINE)
  • Common RDEFINE Parameters
  • Providing extra Profile Information
  • TME Segment
  • Controlling DLF use - DLFCLASS
  • Controlling APPX use - APPCLU
  • Controlling PassTickets - PTKTDATA
  • Interfacing with Tivoli Products - ROLE
  • Controlling STCs - STARTED
  • Controlling access to SystemView - SYSMVIEW
  • Why not to use - TAPEVOL
  • Controlling access by screen - TERMINAL
  • The use of GTERMINL
  • Using TCICSTRN/GCICSTRN to protect CICS Transactions
  • Using WHEN(PROGRAM) to Protect Load Modules
  • RACF rather than ISFPARMS to Protect SDSF
  • Deleting a resource profile (RDELETE)
  • Modifying resource profiles (RALTER)
  • Parameters only applicable to RALTER
  • Obtaining information about resources ( RLIST)
  • Common RLIST Parameters
  • Listing Non-RACF Segments
  • Special RLIST Features
  • General resources and the PERMIT command
  • Required authority levels for General Resource Command

Special RACF Features

  • The Started Task Table
  • Using ICHRIN03
  • Using the STARTED Class
  • The Global Access Checking Table
  • Using the Global Access Checking Table
  • RACF Variables
  • Using the RACFVARS Class
  • Using RACF Variables
  • Field Level Access Checking
  • Using the FIELD Class
  • FIELD Class Examples
  • The FACILITY Class
  • Digital Certificates
  • Basic RACDCERT
  • Full RACDCERT Syntax
  • RACDCERT Command Authority
  • SEARCH Command Basics
  • SEARCH Control Parameters
  • The FILTER & MASK Parameters
  • FILTER & MASK Examples
  • The Backup RACF Database
  • The RACF Database Name Table
  • The RVARY Command

The SETROPTS Command

  • Why have SETROPTS?
  • Parameters associated with data set profiles
  • Parameters for general operation
  • Dynamic implementations (GENLIST & RACLIST)
  • US D-o-D requirements
  • Parameters related to JES
  • General Userid and Password options
  • Parameters applicable to AUDITOR authority
  • Required authority level for SETROPTS Command

RACF Remote Sharing Facility

  • The RACF Remote Sharing Facility
  • RACF Command Direction
  • RACF Password Synchronisation
  • Managed User Associations
  • Controlling RACLINK Use
  • Controlling Password Synchronisation
  • Controlling the AT Keyword
  • Automatic RACF Command Direction
  • Controlling Automatic RACF Command Direction
  • Combined RACF Command Direction
  • Use of ONLYAT Keyword
  • Automatic Password Synchronisation
  • Controlling Automatic Password Synchronisation
  • Password Synchronisation by Command
  • Combined RACF Command Direction
  • Defining RRSF Nodes
  • The RACF Subsystem & Parameter Library

RACF and Sysplex

  • Types of Sysplex
  • Basic Sysplex
  • Parallel Sysplex
  • RACF and Sysplex
  • RACF Communication
  • RACF Data Sharing
  • RACF Data Sharing Problems
  • The Four Sysplex Modes
  • The RACF Database Name Table
  • Coupling Facility Structures
  • Defining Coupling Facility Structures
  • In-Storage Profiles
  • RACLISTed profiles via RACROUTE
  • In-Storage Profiles and Sysplex
  • Introducing RACGLIST
  • Using RACGLIST

Auditing RACF

  • Auditing data collection
  • RACF Report Writer Overview
  • RACFRW Command summaries
  • Extracting RACF records from SMF
  • IRRADU00
  • Using DB2 to process RACF SMF data
  • DSMON - Data Security Monitor
  • Overview of report types

RACF Utility Programs

  • IRRDBU00 –Unload Utility
  • IRRUT100 - Cross Reference Utility
  • IRRRID00 - The RACF Remove Userid Utility
  • IRRUT200 - Verification Utility
  • IRRUT400 - Split/Merge/Extend Utility
  • BLKUPD - Block-Update Utility Command
What You Can Expect
  • Identify the need for security in business information systems
  • Understand how RACF meets business information systems security needs
  • Design a group structure to meet their installations requirements
  • Describe the various ways in which RACF commands can be issued
  • Use the group related commands to administer the group structure
  • Describe the effect of the various group profile related parameters
  • Use the user related commands to administer user profiles
  • Use the various group authorities effectively
  • Explain the management and use of the various non-RACF segments in user profiles
  • Describe the effect of the various user profiles related parameters
  • Connect users to groups and manage the assigned group authorities
  • Describe the advantages and disadvantages of both discrete and generic data set profiles
  • Use the data set related commands to manage both discrete and generic profiles
  • Specify the appropriate auditing parameters for data set profiles
  • Provide users with the appropriate access to protected data sets
  • Use the general resource commands to manage general resources
  • Describe how CICS transactions, load modules, secured sign-on, and the started task table can be protected and controlled
  • Describe how digital certificates, field level access checking, and RACF variables can be protected and controlled
  • Use the search command to locate specified profiles in the database
  • Use and explain the operation of the RVARY and SETROPTS management commands
  • Explain how RACF Remote Sharing operates and how it's use can be controlled
  • Identify how the operation of RACF changes when running in a parallel sysplex
  • Explain how to control RACF operation in a parallel sysplex
  • Describe how to use the RACF Report Writer product to format and print audit records
  • Identify how to process RACF audit records within a DB2 database
  • Use and interpret the output of the Data Security Monitor
  • Use the database unload utility, cross reference utility, remove userid utility, database verification utility, database split/merge/extend utility, and the database block update utility
Who Should Take This Course

This course will benefit RACF Administrators, RACF Auditors, help desk personnel, and anyone requiring knowledge of RACF administration principles and practices. It is of particular benefit to those new to RACF administration or RACF auditing.

Recommended Prerequisites

No previous RACF experience is required however delegates should be fully familiar with the z/OS environment, and have an understanding of TSO/E ISPF/PDF.

Training Style

Hands-on, Instructor-Led Training

« Hide The Details
Related Courses
Code Course Title Duration Level
Effective IBM Tivoli zSecure Admin - Administration and Reporting
2 Days

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.

Schedule For This Course
There are currently no public sessions scheduled for this course. We can schedule a private class for your organization just a couple of weeks from now. Or we can let you know the next time we do schedule a public session.
Notify me the next time this course is confirmed!
Can't find the course you want?
Call us at 800.533.3893, or
email us at [email protected]