RACF: Advanced Administration

This three-day, hands-on course is the natural follow-on to RSM's definitive RACF Administration & Auditing course for all RACF Administrators. It enables attendees to build on the knowledge and skills they have gained previously with further advanced skills and techniques.
In this course experienced RACF Administrators will learn how to handle the more technically challenging aspects of using RACF in today's z/OS environments.
The course is packed with challenging, practical, hands-on exercises that will reinforce what attendees learn during the classroom sessions.

This course is also available for exclusive, one-company presentations and for live presentation over the Internet, via the Virtual Classroom Environment service.

Virtual Classroom Environment dates - click to book!

UK Start Times

1 July 2024 11 September 2024


USA/Canada Start Times

29 July 2024 18 November 2024 17 March 2025 21 July 2025

What is a 'Virtual Classroom Environment'?


What do I need?

  • webcam
  • headphones with microphone
  • sufficient bandwidth, at least 1.5 Mb/s in each direction.

What you will learn

On successful completion of this course you will be able to:

  • describe and explain in detail the RACF architecture, its components and facilities
  • understand and use the SETROPTS and RVARY command to manipulate the RACF options and database
  • use Advanced General Resources classes
  • define users to use TSO
  • define the parameters needed to set up security for JES2 and SDSF
  • describe the facilities provided by RRSF
  • describe the B1 Security parameters including Security labels, levels and categories
  • list what facilities RACF provides for Digital Certificates.

Who Should Attend

The course is suitable for all Security Administrators & Systems Programmers.


Attendees should have a clear understanding of RACF at both the conceptual and practical level. All should have attended the course RACF Administration & Auditing.


3 days

Fee (per attendee)

£1750 (ex VAT)


This includes free online 24/7 access to course notes.


Hard copy course notes are available on request from rsmshop@rsm.co.uk

at £50.00 plus carriage per set.

Course Code



What is RACF?

Why do we need security?; What does security provide?; How does RACF work?; RACF profiles; RACF classes; Controlling access; RACF commands.

Defining TSO Users

TSO & RACF; The TSO segment of a user profile; TSO General Resource classes; TSO/E logon screen; TSO administration; When the class is CONSOLE; When the class is OPERCMDS.

Advanced General Resources

Class Descriptor Table (CDT); Dynamic CDT; Defining a Dynamic CDT; Rules; POSIT values; New segment CDTINFO; CDTINFO option; Managing Dynamic CDTs; Migration Utility (CDT2DYN); ICHRFR01; Normal rules apply; When the class is CDT; The FACILITY class; The Help Desk function; Facility class profiles; Password reset granularity; ALTUSER changes; LISTUSER changes; Group/User structure - example; Group/User structure - z/OS 1.10; Group Tree structure; Granular authorities; ALTUSER: Allow by Owner; ALTUSER: Allow by Tree; Access level authorities; LISTUSER: Allow by Owner; LISTUSER: Allow by Tree; Password reset authority scoped by Owner/Tree; LISTUSER authority scoped by Owner/Tree; RACF variables; Using the RACFVARS class; Using RACF variables; Field level access checking; Using the FIELD class; FIELD class examples; Delegating TSO administration; Security administration for z/OS UNIX; Custom Fields; Custom Fields - preview of results; What is in a Custom Field?; RACF command changes; Defining a Custom Field; Activating a Custom Field; Putting data into a Custom Field; Authorisation to define a Custom Field; Authorisation for CSDATA; RACF panel enhancements; Operations attribute; DASD volume operations; Allowing access to DASD volumes; DASDVOL profiles: DF/SMSdss; DASDVOL profiles: ICKDSF; DASDVOL profile authority summary; DASDVOL example; Tape security; Tape volume protection; Tape dataset protection; Tape dataset and TAPEVOL protection; Bypass Label Processing; Restricting use of BLP.


RACF & JES2; JES resources protected by RACF; Batch user identification; Userid propagation; Surrogate Job Control; JES Earlyverification; Started Task identification; SETROPTS options for JES; Network Job Entry (NJE); Remote Job Entry (RJE); z/OS security environment; Resource classes for JES security; Securing jobs with RACF; Job input processing; Job submission control; Job validation; JES job input sources; JESINPUT - controlling Port-Of-Entry device names; Job name control; TSO SUBMIT/CANCEL commands; SURROGAT class; Surrogate job submission; Job input processing: PROPCNTL & SECLABEL; Nodes class; NJE security; Controlling transmission to other nodes; Controlling receipt of jobs & sysout; Propagation through NJE; Translation between nodes; RJE/RJP signon & logon security; Controlling output destinations; Security overlays with PSF; Spool protection; JES dataset name format; JESPOOL class profiles; Controlling messages; Controlling data transmission; SDSF; SDSF authorised commands; SDSF line & implicit commands.

RACF & Digital Certificates

Cryptography in Internet applications; Public key cryptography overview; What is a digital certificate?; Public key & certificate; Uses for certificates in applications; Secure Sockets Layer (SSL); Digital certificates and RACF; How RACF uses digital certificates; RACF classes & commands; RACDCERT; RACF certificate generation; RACDCERT command; Examples of the RACDCERT command; Creating a certificate; Gencert examples; Key rings; RACDCERT ring functions; Certification installation; RACDCERT ADD examples; Certification installation; Certificate management; Exploiters of certificates; Exporting a certificate; Certificates are packaged in formats; Steps for migrating a certificate and its ICSF private key in the PKDS; KEYXFER Utility; Renew a certificate; Examples of REKEY and ROLLOVER; Certificate mapping; Miscellaneous issues; RACF Key Ring protection classes; Global FACILITYclass profiles; Sharing a private key; RDATALIB Class; RDATALIB - examples; RACDCERT granular administration; RACDCERT granular control; Listing, removing & deleting; Password enveloping; How does password enveloping work?; Password enveloping - exceptions.

RACF Remote Sharing Facility

The RACF Remote Sharing Facility; RACF command direction; RACF password synchronisation; managed user associations; controlling RACLINK use; controlling password synchronisation; controlling the AT keyword; automatic RACF command direction; controlling automatic RACF command direction; combined RACF command direction; use of ONLYAT keyword; automatic password synchronisation; controlling automatic password synchronisation; password synchronisation by command; combined RACF command direction; defining RRSF nodes; the RACF subsystem & parameter library; When the class is APPCLU.

Security Labels

What is multilevel security?; Security classification; Security labels - B1 support; Resource authorisation checking; Security levels; Security categories; Security labels; Defining security levels & categories; Defining security labels; Assigning security labels; SECLABEL class active; SECLABEL class active & MLS; Dominance & equivalence; MAC scenario - user logon; MAC scenario - access attempt; Security classification options; External access to internal systems.


The RVARY command; RVARY passwords; Basic SETROPTS; Dataset related parameters; General parameters; In-storage profile parameters; B1 security parameters; JES parameters; Userid & password parameters; Auditor parameters; SETROPTS LIST examples; SETROPTS command authority.

Q & A session

© RSM Technology 2022