MAINFRAME > Tips & Techniques > Application Development

The Dos and Donts of RACF Performance

Improve your RACF installations with these tips on RACF administrator tuning options and systems programming tuning options.


In this article we’ll discuss the options available to the RACF* Administrator and Systems Programming staff to improve the performance of RACF installations. The options discussed here that involve systems programming should be reviewed and tested carefully before implementation, refer to the RACF Systems Programmers Guide for this:

Part One: RACF Administrator Tuning Options

RACLIST Everything You Can

Using RACLIST is highly recommended wherever available. RACF information is copied into a virtual data space, available for authorization checking without additional I/O to the physical database. Don’t refresh in-storage data too often though.

Alternatives such as RACGLIST and GENLIST are also available. With GENLIST, RACF information is copied into real storage (ECSA) rather than a virtual data space as in RACLIST—you must have sufficient real storage available if you chose GENLIST. GENLIST works best with a small number of profiles that are frequently accessed. RACGLIST is a performance option to reduce IPL time in a data sharing system—after an initial system creates the data space, subsequent systems joining the sysplex aren’t required to read the RACF database for the same information. Instead, they copy the data space built by the first system that IPL’d. These options aren’t often used except in the largest environments. Note that you can’t both GENLIST and RACLIST a class. Generally judicious use of RACLIST is sufficient—see Table 1 for a listing of eligible/required classes for RACLISTing.

Global Access Table

Using the Global Access Table (GAT) can lead to significant performance benefits. It’s recommended that all “public” resources be defined to GAT. Ensure that fallback profiles implement the same level of access in the equivalent RACF classes, in case GAT is de-activated.


In the ICHRDSNT use “all updates except for statistics.” Your systems programmer can verify this. Combine this with SETR INITSTATS to maintain basic statistics. Whenever users log on for the first time in any given day, their statistical information is replicated to the backup database. This prevents revocation due to inactivity should you need to switch the backup database for any reason. Don’t use SETR STATISTICS as this only applies for discrete profiles and the information it generates in RACF is rarely used.

RACF Auditing options

The more SMF audit records you generate the more overhead on your system. RACF may perform fine, but the volume of SMF will inevitably slow system performance. I’ve advocated auditing both successful and failing access in RACF, but this must be done sensibly. Don’t audit frequent, unimportant, events. The GAT can help here. Anyone with the AUDITOR attribute at a system-wide level can cripple a system by changing AUDIT settings. Frequently checked resources with a poor choice of audit settings can easily cause performance problems.

SETROPTS APPLAUDIT, combined with an AUDIT setting on profiles in the class APPL can produce excessive SMF data if the application in question doesn’t support persistent verification. Don’t use AUDIT(SUCCESS) on APPL profiles unless the calling application supports persistent verification.

Don’t specify AUDIT(DATASET), rather use the AUDIT options on data set profiles. This prevents SMF records being created for every transient data set.

Never use LOGOPTIONS(ALWAYS) for frequently used RACF classes—this will rapidly degrade system performance.




Michael Cairns works for IBM as a technical specialist in the Tivoli zSecure range of software. Michael can be reached at

comments powered by Disqus



2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

A Beginner's Guide to the REXX Programming Language on z/OS

Reading and Writing Files in the REXX programming language on z/OS.


Application Management is Important to the Entire Process


Application Testing: Giving Users What They Need

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters