I've just read a good article from the IBM Systems Journal: Security on z/OS: Comprehensive, current, and flexible. About 20 printed pages, from 2001, and written "at a high level, aimed at enterprise decision makers and application architects. The intent is to explain the comprehensive security componentry within z/OS and to show how these techniques and functions are exploited by modern distributed and Internet applications".
This is not mentioned in the article, but one thing that in the past has made me feel uneasy about z/OS security was the limited maximum password length (8 chars), giving a very small password space by today's computing standards. No need to be concerned about this anymore: z/OS V1.8 supports RACF pass phrases from 14 to 100 characters in length.
I learned some neat things about the z/OS security capabilities that, as far as I know, are not available in other operating systems, e.g.
- access control can be made dependent on time.
- great separation of roles: admins can administer resources without having access to them, or admins cannot prevent the auditor from auditing them, while the auditors cannot authorize themselves to resources (Update: César Gustavo Miramontes, Domino for iSeries wizard, pointed out to me that iSeries also has this capability).
Another introductory article that I liked is Ensuring Security On IBM Mainframes. Shorter (10 pages), but it was useful for me to get a basic understanding of RACF classes and profiles.
More security-related goodies coming with z/OS v1.9; dear to me, given what is keeping me busy today, are support for PKCS#11 and a Java API for RACF administration.