SAF, or System Authorisation Facility, is an interface defined by MVS that enables programs to use system authorisation services to control access to resources such as datasets, MVS commands, and JES.
SAF can either process security authorisation requests directly, or work with an External Security Manager (ESM) such as RACF, ACF2, or Top Secret. Although SAF does not require an ESM, the system security functions are greatly enhanced and complemented when SAF is used together with one.
The key element in SAF is the SAF router. This router is always present, even when an ESM is not present. The SAF router provides a common focal point for all products providing resource control. This focal point encourages the use of common control functions shared across products and across systems. The resource managing components and subsystems call the z/OS router as part of certain decision-making functions in their processing, such as access-control checking and authorisation-related checking. These functions are called control points.
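A simplified model of that flow, added here as an illustration and not taken from IBM or any ESM: two control points share one router, which forwards to an ESM when one is installed. The class and function names, the sample profiles and the rule that a missing ESM yields "no decision" are assumptions of the model; return codes 0, 4 and 8 follow the usual SAF meanings of authorised, no decision and denied.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# SAF router return codes: authorised, no decision made, denied
SAF_OK, SAF_NO_DECISION, SAF_DENIED = 0, 4, 8

@dataclass(frozen=True)
class AuthRequest:
    user: str
    resource_class: str   # e.g. DATASET, OPERCMDS
    resource: str
    access: str           # e.g. READ, UPDATE

class SafRouter:
    """Hypothetical model: always present, forwards to the ESM if one is installed."""
    def __init__(self, esm: Optional[Callable[[AuthRequest], int]] = None):
        self.esm = esm
        self.audit = []   # every product's request passes through this one point

    def route(self, req: AuthRequest) -> int:
        rc = self.esm(req) if self.esm else SAF_NO_DECISION
        self.audit.append((req, rc))
        return rc

def toy_esm(rules):
    """Stand-in for an ESM. rules: {(class, resource): {user: {access levels}}}"""
    def decide(req: AuthRequest) -> int:
        profile = rules.get((req.resource_class, req.resource))
        if profile is None:
            return SAF_NO_DECISION          # resource not defined to the ESM
        granted = profile.get(req.user, set())
        return SAF_OK if req.access in granted else SAF_DENIED
    return decide

def control_point(router: SafRouter, req: AuthRequest, fail_closed: bool = True) -> bool:
    """A resource manager's access decision at one of its control points."""
    rc = router.route(req)
    if rc == SAF_NO_DECISION:
        return not fail_closed              # the resource manager must decide itself
    return rc == SAF_OK

# Constructed sample profiles, not real system data
RULES = {("DATASET", "PAY.MASTER"): {"ALICE": {"READ"}}}
```

The "no decision" branch is the one to review in a real resource manager, because it determines what happens to resources the ESM has no profile for.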