IBM is constantly enhancing functions or adding new functions to RACF. Read on:


  • z/OS Version 2 Release 2

    z/OS V2.2 is available! This release includes these new RACF functions:
    • A new user attribute, ROAUDIT, which grants the user the privileges of the AUDITOR attribute, without the ability to change log settings and options
    • Three new RRSF functions:
      • NEWMAIN, which allows you to change the MAIN system dynamically
      • Unidirectional nodes, which allow you to block inbound RRSF activity from a node
      • A new function in the r_Admin callable service to return configuration and operational information on RRSF (also available in the IRRXUTIL REXX interface)
    • More granular controls on certificate administration, supporting narrowed spans of administrative control
    • IRRDBU00 requires only READ authority to the input RACF data base when PARM=NOLOCKINPUT is specified
    • Password enhancements:
      • An ICHDEX01 exit is no longer needed to prevent the use of the RACF masking algorithm for a user's password
      • RACF commands no longer assign a "default" password by default
      • The RACF_ENCRYPTION_ALGORITHM health check raises an exception if KDFAES is not active
      • Enable the use of password phrases in the RACLINK DEFINE command
    • New health checks:
      • RACF_RRSF_RESOURCES, which examines the protection of your RRSF data sets
      • Additional resources checked in RACF_SENSITIVE_RESOURCES

  • Password Security Enhancements

    A number of significant enhancements to password and password phrase security are available with new function APAR OA43999 on z/OS V1.12 and higher! These new functions include:
    • A stronger encryption algorithm for passwords and password phrases
    • Support for 14 additional special characters in passwords
    • The ability for a user to have a password phrase without a password
    • A new password syntax control that requires a password to contain at least one character from each of four different categories: upper case letters, lower case letters, numeric digits, and symbolic characters
    • The ability to expire a user's password without changing its value
    • An ALTUSER command function to "clean up" after lowering the SETROPTS PASSWORD(HISTORY(nn)) value

Details on this new function can be found at

  • New and Updated RACF Health Checks

    With new function APARs OA44696 and OA45608, RACF is:

    • Updating the RACF_SENSITIVE_RESOURCES check to examine the access protections on your ICSF data sets
    • Introducing the RACF_PASSWORD_CONTROLS check to examine your setting for password history, mixed case passwords, and the maximum number of days that a password or password phrase is valid
    • Introducing the RACF_ENCRYPTION_ALGORITHM check to examine the return codes from your ICHDEX01 exit to ensure that at least DES-only encryption is being used for passwords and password phrases on your system.

  • z/OS Version 2 Release 1

    z/OS V2.1 is available! This release includes these new RACF functions:
    • IPv6 and transport layer security (TLS) 1.2 cipher suite support for the RACF Remote Sharing Facility (RRSF).