RACF - Audit and Compliance Roadmap

Course:  RACFAUD
Duration:  4 Days
Level:  II
Course Summary

This course is designed for auditors, compliance monitors, and RACF administrators seeking to identify vulnerabilities in RACF-protected z/OS mainframe systems and bring the systems into compliance with legally mandated security requirements. Much more than just a simple "how to audit" class, this technically-rich course will show you how to find and address serious security exposures of the kinds commonly found during RSH's RACF audits. By the end of class, you will have gained a solid understanding of RACF, an awareness of implementation "best practices", and a comprehensive knowledge of the tools and techniques for evaluating the status of RACF protection. Better still, you will be reviewing RACF reports from your own system during class and immediately identifying control concerns.  You are likely to return with a lengthy list of findings.

« Hide The Details
Topics Covered In This Course

RACF Concepts

  • Introduction to RACF
  • Profiles & relationships


  • Identification & authentication
  • Password composition & options
  • User profile contents & segments
  • RACF commands and reports for users


  • Concepts, hierarchy, & functions
  • Group profile contents & segments
  • RACF commands and reports for groups

Resource Protection

  • Concepts
  • Resource profiles - generic & discrete
  • OPERATIONS & privileged access authorities
  • Access permissions & authorization process
  • Datasets
  • Dataset basics & protection
  • Dataset profiles & contents
  • PROTECTALL & TAPEDSN control options
  • RACF commands and reports for datasets

General Resources

  • Resource types, names & protection
  • General Resource profiles & contents
  • RACF commands and reports for resources

JES-related Controls

  • Started Task identification
  • Batch job controls (e.g., SURROGAT)

DASD Storage Administration

  • DASDVOL profiles

System Product Controls

  • z/OS Unix BPX & UNIXPRIV profiles
  • TSO authorities and logon resource protection
  • CICS transaction & command protection

Logging & Reporting

  • System Management Facilities (SMF)
  • SETROPTS & profile monitoring options
  • Reporting tools

Administrative Authorities

  • System & Group level SPECIAL & AUDITOR
  • Group connect authorities
  • Class authorization and FIELD profiles
  • Policies, standards, and staffing

RACF Configuration

  • Exits & customization
  • Database backup and maintenance

RACF Audit Plan, Process, & Tools

What You Can Expect

On completing this course, students will have learned:

  • RACF's components, primary functions, and access authorization logic
  • RACF configuration SETROPTS options
  • Use of RACF commands for gathering information
  • How to limit powerful authorities like OPERATIONS
  • Protection of high-value, security-sensitive resources
  • Options governing event logging and reporting
  • Security administration tasks and authorities
  • How to generate and interpret RACF DSMON reports
Who Should Take This Course
  • IT Auditors seeking to perform more effective audits
  • Compliance Monitors who want to ensure the security staff or outsource service provider has properly implemented RACF
  • RACF Managers & Administrators who want to find and fix control concerns before the auditors arrive
Recommended Prerequisites

Familiarity with the mainframe, RACF, and using TSO

Training Style

Instructor-led, including hands-on lab sessions.

« Hide The Details
Related Courses
Code Course Title Duration Level
Essential Audit Skills
5 Days
The IBM Mainframe Environment for IT Auditors
3 Days
5 Days
RACF Administration
4 Days

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.

Schedule For This Course
There are currently no public sessions scheduled for this course. We can schedule a private class for your organization just a couple of weeks from now. Or we can let you know the next time we do schedule a public session.
Notify me the next time this course is confirmed!
Can't find the course you want?
Call us at 800.533.3893, or
email us at [email protected]