How are ACF2, Top Secret, and RACF licensed?

All three are external security managers for z/OS, and all are priced on capacity, but through different vehicles. Broadcom (CA) ACF2 and Broadcom (CA) Top Secret are licensed on MSU capacity, commonly inside a Broadcom portfolio agreement and increasingly under Broadcom Mainframe Consumption Licensing (MCL). IBM RACF is delivered as the IBM Security Server component of z/OS, so it is effectively part of the z/OS stack and priced under IBM's MLC framework with sub-capacity reporting through SCRT. The practical difference is that the two Broadcom products are negotiated as named line items, while RACF cost is bound up in the broader z/OS entitlement.

Is it worth switching external security managers to save money?

Rarely, because the external security manager is the single deepest switch on the platform. It mediates every access decision on z/OS, and the rules, exits, profiles, and operational procedures built around it represent decades of accumulated security policy, so a migration between ACF2, Top Secret, and RACF is a major, carefully staged program with real risk, not a cost exercise. Migrations do happen, usually driven by consolidation, vendor strategy, or a desire to move security into the IBM stack, but they are justified by strategy rather than by the licensing line alone. The more common and reliable value is using the credible option as leverage at renewal.

What actually decides ACF2 vs Top Secret vs RACF cost?

Three things decide it more than features. First, which side of the IBM versus Broadcom line you are on: RACF cost rides inside the z/OS MLC entitlement, while ACF2 and Top Secret are separate Broadcom line items with their own negotiation. Second, the contract vehicle and bundle: a Broadcom portfolio or MCL agreement for the two CA products, and the z/OS sub-capacity position for RACF. Third, your incumbency and the genuine, prepared alternative, since the switching cost is so high that leverage, not feature parity, drives the renewal. The three are functionally close enough that licensing structure and migration risk dominate the decision.

ACF2 vs Top Secret vs RACF: Licensing

ACF2 vs Top Secret vs RACF: the deepest switch on the platform.

Broadcom (CA) ACF2, Broadcom (CA) Top Secret, and IBM RACF are the three external security managers for z/OS. All price on capacity, but ACF2 and Top Secret are separate Broadcom line items while RACF rides inside the z/OS stack. Because the security manager mediates every access decision, switching is the hardest migration on the mainframe, so licensing structure and leverage decide this, not the feature sheet.

Keep the security manager you run and negotiate it hard. ACF2, Top Secret, and RACF all do the job, and the external security manager is the single deepest dependency on z/OS, mediating every access decision through rules and exits built up over decades. A migration is a major staged program with real operational risk, justified by consolidation or vendor strategy, not by the licensing line. Where it matters most is leverage: for the two Broadcom products, a credible, prepared evaluation of the alternative disciplines the renewal, and the standing option to consolidate security into the IBM stack is itself a lever. The prize is almost always a better deal on the incumbent.

ACF2 vs Top Secret vs RACF, the licensing levers compared
Dimension	CA ACF2	CA Top Secret	IBM RACF
Vendor	Broadcom (CA)	Broadcom (CA)	IBM
Delivery	Standalone ESM product	Standalone ESM product	IBM Security Server component of z/OS
Licensing metric	MSU capacity	MSU capacity	z/OS MLC, sub-capacity via SCRT
Contract vehicle	Broadcom portfolio or MCL	Broadcom portfolio or MCL	Inside the z/OS stack entitlement
Negotiated as	Named Broadcom line item	Named Broadcom line item	Bound into the z/OS position
Switching cost	Very high	Very high	Very high

ACF2 vs Top Secret vs RACF, the licensing levers compared

Dimension

CA ACF2

CA Top Secret

IBM RACF

Vendor

Broadcom (CA)

IBM

Delivery

Standalone ESM product

IBM Security Server component of z/OS

Licensing metric

MSU capacity

z/OS MLC, sub-capacity via SCRT

Contract vehicle

Broadcom portfolio or MCL

Inside the z/OS stack entitlement

Negotiated as

Named Broadcom line item

Bound into the z/OS position

Switching cost

Very high

For almost every estate this is a renewal and leverage question, not a procurement one. Use it this way:

Stay with the incumbent and negotiate if

The security manager is woven into your rules, exits, automation, and audit posture, as it always is
You run ACF2 or Top Secret and a prepared evaluation of the alternative, including a move to RACF, gives you a credible lever
Right sizing the licensed MSU and choosing the Broadcom vehicle deliberately captures most of the available saving

Genuinely consider migrating if

You are consolidating security strategy into the IBM stack and want RACF inside the z/OS entitlement
A wider Broadcom or IBM negotiation makes the migration cost ride on a program that is happening anyway
Vendor strategy or support direction makes the incumbent untenable on its own terms

Either way, treat the security manager migration as a security program with its own risk governance, never as a line on a cost spreadsheet, and use the alternative primarily to discipline the renewal you actually face.

How are they licensed?All on capacity. ACF2 and Top Secret on MSU as Broadcom line items, often inside a portfolio or MCL deal. RACF rides inside the z/OS MLC entitlement via SCRT.

Is switching worth it?Rarely as a cost play. The security manager is the deepest dependency on z/OS, so migration is a strategic, risk governed program, not a licensing exercise.

What decides the cost?Which side of the IBM versus Broadcom line you sit on, the contract vehicle and bundle, and your incumbency plus a credible, prepared alternative.

What is the first lever?For ACF2 or Top Secret, right size the licensed MSU and prepare the alternative as leverage. For RACF, manage the z/OS sub-capacity position.

The hardest thing to move on the platform. Use that, do not fight it.

Explainers: Workload License Charges history and variants and what auditors test. Other comparisons: MainView vs SYSVIEW and BMC vs Broadcom. Hubs and commercial: the Broadcom (CA) buyer side guide, the IBM buyer side guide, Broadcom (CA) license negotiation, and IBM contract review.

ACF2 vs Top Secret vs RACF: the deepest switch on the platform.

The verdict

Head to head

Who should pick which

Frequently asked

The switch you will not make is your leverage. We make it count.