RACF for z/OS Systems Programmers

This advanced, three-day course is designed, written and presented by specialist RACF consultants.
It provides a detailed insight into the technical architecture of RACF and z/OS for z/OS Systems Programmers. The course describes and explains how RACF is implemented and how it can be customised using standard RACF facilities.

This course is also available for one-company, on-site presentations and for live presentation over the Internet, via the Virtual Classroom Environment service.

The next step

Do you need to know more about RACF and the various subsystems?
For DB2 you should attend DB2 for z/OS: Using RACF
For UNIX System Services attend Using RACF with UNIX System Services (USS)
For IBM MQ attend Using RACF with IBM MQ
For WebSphere attend Using RACF with WebSphere and Security for WebSphere Applications
For CICS attend Using RACF with CICS


On successful completion of this course you will be able to:

  • describe the RACF architecture, its components and facilities
  • customise RACF to meet the requirements of their organisation and its environment
  • describe how RACF interacts with USS, DB2 for z/OS and CICS
  • describe and use all of the RACF Utilities, using JCL and REXX
  • identify how the operation of RACF changes when running in a parallel sysplex
  • describe and explain the IPL process and the security issues associated with facilities such as APF, PPT, System Exits and Linklist
  • describe the components of the RACF database.

Who Should Attend

The course is suitable for all experienced Systems Programmers and experienced RACF Administrators who need to understand the technical aspects of RACF.


Attendees should have a full understanding of RACF at a conceptual level and be familiar with all of the RACF commands and how they are utilised. This can be achieved by attending the courses RACF Administration & Auditing and Advanced RACF Administration.


3 days

Fee (per attendee)

£1475 (ex VAT)

Course Code



What is RACF?

Why do we need security?; What does security provide?; How does RACF work?; RACF Profiles; RACF classes; How many RACF classes?; Controlling access; RACF commands.

z/OS Technical Overview

z/OS controls & drivers; The IPL process; PARMLIB & IPLPARM; Display IPLINFO; LOADxx & IODF; System parameter list IEASYSxx; What is APF?; Defining an APF authorised library; Program Properties Table; Linklist; Dynamic changes; SMFPRMxx; System exits; In-storage profiles; RACLIST & GENLIST; Group tree in storage; ACEE data in memory.

The RACF Database

The RACF database; Database format; Database templates; RACF templates; Issues; Dynamic template objectives; New template support; RACF initialisation; IRRMIN00; Multiple database support; RACF database sharing; The RVARY command; RVARY passwords; RACF FAILSOFT processing; Database backup & recovery.

RACF Modules

RACF control tables; Modules everywhere!; ICHRDSNT; ICHRRNG; Class Descriptor Table (CDT); Dynamic CDT; Defining a Dynamic CDT; Rules; POSIT values; New segment CDTINFO; CDTINFO options; Managing Dynamic CDTs; Migration Utility (CDT2DYN); ICHRFR01; ICHRIN03; ICHAUTAB; ICHNCV00.

RACF in a Sysplex

Types of Sysplex; basic Sysplex; Parallel Sysplex; RACF and Sysplex; RACF communication; RACF data sharing; RACF data sharing problems; the four Sysplex modes; the RACF database name table; Coupling Facility structures; defining Coupling Facility structures; in-storage profiles; RACLISTed profiles via RACROUTE; in-storage profiles and Sysplex; introducing RACGLIST; RACGLIST and REFRESH; using RACGLIST.

RACF and Other Subsystems

RACF and UNIX System Services
What is 'UNIX System Services (USS)'?; How is it related to RACF?; Userids; UNIX identity; UNIX user definition; User definition example; User definition - system resource limits; Default UNIX User & Group identity.
RACF and DB2
DB2/RACF security overview; Sign-on security; Connection security; DB2 internal security; Other options; Security strategy (Transaction Manager or DB2); Security strategy (centralised or decentralised); Using remote applications.
The CICS-RACF interface; The role of CICS in security control; Region wide requirements; Interface implementation; CICS-RACF interfaces.

RACF Utilities

RACF utilities; IRRUT100; IRRUT100 examples: output (Group), output (User); IRRUT200; IRRUT200 example JCL; IRRUT200 example output; IRRUT400; IRRUT400 example JCL; IRRADU00; IRRADU00 example JCL; ICHDSM00; ICHDSM00 example JCL; IRRDBU00; IRRDBU00 example; IRRRID00; IRRRID00 JCL; BLKUPD; IRRBRW00; IRRRID00 JCL; SMF unload utility using XML; ICETOOL; IRRICE package; The Audit Reporting tool.

RACF Control Blocks

RACF control blocks; RACF Communications Vector Table (RCVT); Finding the RCVT; Understanding the RCVT; Data in the RCVT; RCVT vs ICB; SAF Vector Table (SAFV); Finding the SAFV; Accessor Environment Element (ACEE); Where's my ACEE?; ASXBSENV; TCBSENV; Local Control Block; Which ACEE is used?; Which ACEE do I need?; Caveat ACEE; Finding the active ACEE; Security Token; Security Token contents; Security Token uses; ACEE versus Token.

RACF Macros

RACF macros; Macro interfaces; The MVS router (SAF); RACF macros; What do they DO?; RACF macros: RACHECK, RACINIT, RACLIST, FRACHECK, RACDEF, RACSTAT; RACROUTE additions; ICHEINTY; The RACROUTE interface; RACROUTE MF= styles; SAF Parameter list (SAFP); Initialising SAFP; SAFP setup; SAF Work Area (SAFW); SAFW setup; History of REQSTOR & SUBSYS; Using REQSTOR & SUBSYS; Setting up REQSTOR and SUBSYS; Other RACROUTE information; The ACEE - AGAIN!; Return codes; REQUEST=Verify; RACINIT ENVIR= options; RACINIT ENVIR=CREATE; Who do you create?; RACINIT STAT=; ENVIR=CREATE ACEE=; Sample user/password=; Sample with PASSCHK=NO; Sample with Token; Create SESSION=; Create with TERMINAL=; POE=; TERMINAL= vs POE=; Sample with POE=; What about IP addresses?; RACINIT ENVIR=DELETE; ENVIR=DELETE ACEE=; Sample DELETE; REQUEST=AUTH; CLASS=; ENTITY/ENTITYX; ENTITY(X) examples; Sample RACHECK.

RACF Exits

RACF exits; RACF exits; RACF exits; ICHRTX00/01; Pre-processing for ICHRTX00; ICHRTX00: input, output; Pre-exit commonalities; Post-exit commonalities; Pre- to post- communication; Work area pointer; From post- to pre-; 'Gotchas' for SVC exits; Need some input; Finding the parameter list; Coding RACF exits; RACF command exit (IRREVX01); What's a 'dynamic exit'?; RACF IRREVX01 dynamic exit; What can you do in the exit?; IRREVX01 parameter list; The exit command buffer; Using the ACEE passed in exit; Testing your command exit; Sample SETPROG command; Dynamic exit security.

Question & Answer Session

© RSM Technology 2017