I have done some security assessments against zOS using RACF, as long as RACF has been implemented properly its damn good. What specific questions do you have? just the general security overall?