The RACF router table

The SAF router is always present on a system, whether or not RACF® is enabled. The resource-managing components and subsystems call the SAF router as part of certain decision-making functions in their processing, such as access-control checking and authorization-related checking. This single SAF interface encourages the sharing of common control functions across products and across systems.

If RACF is enabled, the SAF router passes control to the RACF router (ICHRFR00) for certain functions. RACF uses the parameter information passed to it and the RACF router table to determine the appropriate RACF function to invoke.

The RACF router table is optional; if present, it is the module ICHRFR01. The entries in ICHRFR01 can be for installation-defined resource classes and combinations of requestor and subsystem. If the RACF router table has no entry for a combination of resource class, requestor, and subsystem, the RACF router treats that combination as if ACTION=RACF was specified in the router table, and RACF is called on each invocation of the RACROUTE macro.

You can have entries in the router table that do not appear in the class descriptor table.

To add an entry to the router table, use the ICHRFRTB macro. As part of its operation, the ICHRFRTB macro concatenates the values specified for the REQSTOR, SUBSYS, and CLASS operands to form a 24-character string defining the entry. For more information on the ICHRFRTB macro, see z/OS Security Server RACF Macros and Interfaces.

Your router table should be compatible with your class descriptor table.
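
The following Python sketch is an added illustration, not IBM code. It models how the 24-character entry string is formed and how a missing entry falls back to ACTION=RACF, then lists the entries a reviewer would check: those coded ACTION=NONE and those whose class is not in the class descriptor table. The 8-character blank padding of each operand, the exact-match lookup, and all sample class, requestor, and subsystem names are assumptions made for this example.

```python
# Added illustration, not IBM code: a model of the router-table behaviour described above.
FIELD = 8  # assumption: each operand is blank-padded to 8 characters (3 x 8 = 24)

def entry_key(reqstor="", subsys="", cls=""):
    """Concatenate REQSTOR, SUBSYS and CLASS into the 24-character entry string."""
    parts = (reqstor, subsys, cls)
    for part in parts:
        if len(part) > FIELD:
            raise ValueError(f"operand {part!r} is longer than {FIELD} characters")
    return "".join(part.upper().ljust(FIELD) for part in parts)

def build_table(entries):
    """Build {entry string: action} from (reqstor, subsys, cls, action) tuples."""
    table = {}
    for reqstor, subsys, cls, action in entries:
        if action not in ("RACF", "NONE"):
            raise ValueError(f"unknown ACTION value {action!r}")
        key = entry_key(reqstor, subsys, cls)
        if key in table:
            raise ValueError(f"duplicate entry {key!r}")
        table[key] = action
    return table

def resolve(table, reqstor, subsys, cls):
    """Assumed exact match on the entry string; no entry is treated as ACTION=RACF."""
    return table.get(entry_key(reqstor, subsys, cls), "RACF")

def audit(table, cdt_classes):
    """Return (finding, entry string) pairs worth a reviewer's attention."""
    findings = []
    for key, action in sorted(table.items()):
        cls = key[2 * FIELD:].rstrip()
        if action == "NONE":  # RACF is not called for this combination
            findings.append(("RACF_NOT_CALLED", key))
        if cls not in cdt_classes:  # allowed, but check it is intentional
            findings.append(("CLASS_NOT_IN_CDT", key))
    return findings

# Constructed sample data: every class, requestor and subsystem name is hypothetical.
SAMPLE_ENTRIES = [
    ("", "", "$APPCLS", "RACF"),
    ("REQ1", "SUBA", "$APPCLS", "NONE"),
    ("", "", "$OLDCLS", "RACF"),
]
SAMPLE_CDT = {"$APPCLS"}

if __name__ == "__main__":
    table = build_table(SAMPLE_ENTRIES)
    print(resolve(table, "REQ2", "SUBA", "$APPCLS"))
    for finding, key in audit(table, SAMPLE_CDT):
        print(f"{finding:17} [{key}]")
```

Because a missing entry already behaves as ACTION=RACF, the entries that change what RACF sees are the ACTION=NONE ones, so those are the first thing to confirm when reviewing an ICHRFR01 source deck.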

Note: When RACF is enabled for sysplex communication, it does not enforce consistency of the router table as it does with the data set name table and the range table.