Product · IBM

RACF Licensing: Metrics, Costs, Renewal Levers.

RACF is the access control and auditing heart of z/OS, licensed as the Security Server element and billed in MSU against your z/OS peak. The cost is real, and so is the one alternative that gives you leverage.

№ 01

What RACF is

Security · IBM Z

RACF, the IBM Resource Access Control Facility, is the access control and auditing engine for z/OS. It decides who can reach which dataset, transaction, and resource, and it produces the audit trail your security and compliance teams depend on. IBM delivers it as the z/OS Security Server, and it is the most widely deployed of the three external security managers on the platform, the others being the Broadcom (CA) products ACF2 and Top Secret. RACF is foundational, which is exactly why its licensing is easy to overlook and expensive to misread.

№ 02

How it is licensed

MLC · MSU · Security Server

RACF is licensed as the z/OS Security Server, a priced element of the z/OS environment, under IBM's Monthly License Charge model and measured in MSU. There is rarely a standalone RACF meter to manage. Instead its cost rides the same sub-capacity MSU profile as z/OS, billed on the peak rolling four-hour average each month. Estates on consumption pricing fold the security server into their annual baseline rather than the monthly peak.

| Element | How RACF is treated |
| --- | --- |
| Charge model | Monthly License Charge, as a z/OS element |
| Metric | MSU |
| Delivered as | z/OS Security Server |
| Billing driver | Peak rolling four-hour average per month |
| Reporting | Sub-Capacity Reporting Tool, monthly |

Directional summary. Treatment depends on machine model and contract vehicle.

№ 03

Cost drivers

Peak · Footprint

Two drivers set the RACF number. The first is the z/OS MSU peak it is billed against, so anything that lifts the rolling four-hour average lifts RACF along with the rest of the stack. The second is footprint: the more LPARs and systems on which the security server is enabled, the broader the basis that carries the charge. Because RACF is rarely a separate line buyers actively manage, both drivers move quietly. The practical consequence is that RACF optimization is z/OS optimization, and the place to look for savings is the peak and the enabled footprint, not a RACF-specific control.

№ 04

Audit traps

SCRT · Scope · DR

Because RACF is metered against the z/OS profile, its traps are the z/OS traps amplified by scope. Lapsed or incomplete SCRT submissions risk reverting to full capacity, the most expensive basis. Disaster recovery images that run hot but are classified as warm or cold create exposure that an audit reads on the expensive side. And a security server enabled on systems it was never meant to cover quietly widens the licensed basis. The fix is the same discipline that protects the whole MLC stack, applied with the security footprint specifically in view.

№ 05

Renewal levers

ESM competition · Peak shaping · Caps

RACF has something most IBM elements do not: a genuine alternative. The Broadcom (CA) external security managers, ACF2 and Top Secret, deliver the same function, and a costed, time-bound plan to migrate off RACF is one of the few real sources of leverage in an IBM negotiation. You rarely need to execute it; a credible plan reshapes the wider z/OS conversation. Alongside that, the operational levers act on the peak through specialty engine offload, soft capping, and peak shaving, and the contract levers are uplift caps, sub-capacity protections, and timing the renewal against hardware refresh. We build the alternative and the math before IBM controls the clock, which is the heart of our IBM work.

№ 06

Frequently asked

FAQ

How is IBM RACF licensed?

RACF is licensed as the z/OS Security Server, a priced element of the z/OS environment, under IBM's Monthly License Charge model and measured in MSU. In practice its cost rides the same sub-capacity MSU profile as z/OS itself, billed on the peak rolling four-hour average each month, so there is rarely a separate RACF meter to manage in isolation.

Is RACF a separate license from z/OS?

RACF ships with z/OS as the Security Server, but the security server function is a priced element rather than something free with the base operating system. The buyer-side point is that you are paying for it inside the z/OS MLC stack in MSU, which is why the levers that shape the z/OS peak also shape what RACF costs.

What is the alternative to RACF?

The credible alternatives are the two Broadcom (CA) external security managers, ACF2 and Top Secret, which deliver the same external security manager function on z/OS. A migration is real work, but a costed and time-bound plan to move off RACF is one of the few genuine sources of leverage in an otherwise IBM-controlled negotiation, and it commonly reshapes the wider z/OS conversation more than the RACF line alone.

What are the audit traps on RACF?

Because RACF is billed against the z/OS MSU profile, the traps are the z/OS traps: lapsed or incomplete SCRT submissions that risk reverting to the full-capacity basis, disaster recovery images misclassified as warm when they run hot, and capacity events that lift the peak without anyone modeling the billing tail. A security server that is enabled on systems it was never meant to cover is the RACF-specific exposure to check.
