Documentation
RACFHound is an end-to-end toolchain for mainframe RACF security analysis. It parses RACF database unloads, builds an access control graph, and exports it to BloodHound for attack path analysis.
Architecture
mfpandas              IRRDBU00 unload → DataFrames
    ↓
mfpandas-racfhound    DataFrames → OpenGraph (nodes + edges)
    ↓
racfhound             collect → transform → export pipeline
The three components are independently usable. mfpandas-racfhound can be embedded in your own tooling without the racfhound CLI.
Getting started
- Installation — pip install and dependencies
- Usage — CLI reference and pipeline options
- BloodHound Integration — API setup and saved queries
Graph model
RACFHound maps RACF constructs to typed BloodHound nodes:
| Node kind | Represents |
|---|---|
| RACFUser | RACF user profile |
| RACFGroup | RACF group profile |
| RACFDataset | Dataset protection profile |
| RACFResource | General resource (FACILITY, SURROGAT, …) |
| RACFPrivilege | Named privilege: SPECIAL, OPERATIONS, AUDITOR, … |
| RACFStartedTask | Started task (STARTED class, STDATA segment) |
Edges encode access relationships: RACFMemberOf, RACFCanRead, RACFCanWrite, RACFHasPrivilege, RACFSurrogateFor, and more.
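The kind of question this graph model answers during an access review, as an added example (not RACFHound code and not its OpenGraph schema): which users reach a given privilege or dataset through group membership or surrogate authority. The node and edge kinds are the ones named above; the node identifiers, the source-to-target edge direction, and the choice of RACFMemberOf and RACFSurrogateFor as transitive edges are assumptions.

```python
from collections import deque

# Constructed sample graph; identifiers and edge directions are assumptions.
NODES = {
    "ALICE": "RACFUser", "BOB": "RACFUser", "CAROL": "RACFUser",
    "BATCHJOB": "RACFUser", "SYSPROG": "RACFGroup",
    "SYS1.PARMLIB": "RACFDataset", "SPECIAL": "RACFPrivilege",
}
EDGES = [
    ("ALICE", "RACFMemberOf", "SYSPROG"),
    ("SYSPROG", "RACFCanWrite", "SYS1.PARMLIB"),
    ("BOB", "RACFSurrogateFor", "BATCHJOB"),  # assumed: BOB may act as BATCHJOB
    ("BATCHJOB", "RACFHasPrivilege", "SPECIAL"),
    ("CAROL", "RACFCanRead", "SYS1.PARMLIB"),
]
# Assumption: through these edges the source inherits the target's access.
TRANSITIVE = {"RACFMemberOf", "RACFSurrogateFor"}


def paths_to(target, final_kind):
    """Map each RACFUser to its shortest path of TRANSITIVE edges that ends
    in one `final_kind` edge to `target`. Users with no path are omitted."""
    adj = {}
    for src, kind, dst in EDGES:
        adj.setdefault(src, []).append((kind, dst))
    found = {}
    for user in (n for n, k in NODES.items() if k == "RACFUser"):
        queue, seen = deque([[user]]), {user}  # 'seen' guards against cycles
        while queue:
            path = queue.popleft()
            for kind, dst in adj.get(path[-1], []):
                if kind == final_kind and dst == target:
                    found[user] = path + [kind, dst]
                    queue.clear()  # breadth-first, so the first hit is shortest
                    break
                if kind in TRANSITIVE and dst not in seen:
                    seen.add(dst)
                    queue.append(path + [kind, dst])
    return found


if __name__ == "__main__":
    for user, path in paths_to("SPECIAL", "RACFHasPrivilege").items():
        print(user, ":", " -> ".join(path))
```
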