Introduction To RACF - RSH Consulting

Transcription

Introduction to RACF
IBM Systems TechU - May 2019
RSH Consulting, Inc. - RACF Specialists - 617-969-9050 - www.rshconsulting.com

RSH Consulting - Robert S. Hansel

RSH Consulting, Inc. is an IT security professional services firm established in 1992 and dedicated to helping clients strengthen their IBM z/OS mainframe access controls by fully exploiting all the capabilities and latest innovations in RACF. RSH's services include RACF security reviews and audits, initial implementation of new controls, enhancement and remediation of existing controls, and training.
www.rshconsulting.com - 617-969-9050

Robert S. Hansel is Lead RACF Specialist and founder of RSH Consulting, Inc. He began working with RACF in 1986 and has been a RACF administrator, manager, auditor, instructor, developer, and consultant. Mr. Hansel is especially skilled at redesigning and refining large-scale implementations of RACF using role-based access control concepts. He is a leading expert in securing z/OS Unix using RACF. Mr. Hansel has created elaborate automated tools to assist clients with RACF administration, database merging, identity management, and quality assurance.
edin.com/in/roberthansel
http://twitter.com/RSH_RACF

Introduction to RACF, 2019 RSH Consulting, Inc. All Rights Reserved. IBM TechU, May 2019

z/OS Security

- How important are the z/OS mainframe's data and services to your organization?
- How would your organization be affected if data on the mainframe was:
  - Stolen or publicly disclosed
  - Inappropriately modified
  - Deleted
  - Rendered unavailable because the operation of the system was disrupted
- Working in conjunction with z/OS and installed system software products (e.g., CICS), RACF can help guard against bad outcomes by preventing users from accessing data and software functions they are not supposed to use, if it is fully and properly implemented

RACF, z/OS, DB2, and CICS are trademarks of the International Business Machines Corporation.

Topics

- Concepts
- Users
- Groups
- Resource Protection
- Dataset Protection
- General Resources
- Monitoring
- Administration
- ICH408I Message

RACF Concepts

Introduction to RACF

- Resource Access Control Facility (RACF)
- IBM's security software product for MVS, OS/390, and z/OS
- First introduced in 1976
- Component of IBM's z/OS Security Server

RACF Components

Database (Primary and Backup pair)
  Options   - SETROPTS (SET RACF OPTIONS)
  Profiles  - Users, Groups, Datasets, General Resources
  Indices   - Profile location and Application Identity Mapping (AIM) cross-references

Software
  Programs    - Query the database and make security decisions (loaded into the z/OS Link Pack Area)
  Tables      - Specify the databases and define classes (e.g., Class Descriptor Table (CDT))
  Exits       - Optional installation-written programs that modify RACF's behavior
  Macros      - Assembler routines used by a Resource Manager to call RACF (e.g., RACROUTE)
  Commands    - TSO commands used to create and administer options and profiles
  ISPF Panels - TSO ISPF menus used to create and administer options and profiles
  Utilities   - Programs used for backup, maintenance, unload, and control reports
  Subsystem   - RACF address space used to support optional communication functions such as the RACF Remote Sharing Facility (RRSF), used for cross-system synchronization

RACF Functions

- User Identification and Authentication
- Resource Access Authorization
- User Activity Monitoring
- Access Administration

RACF Functions

- RACF is called by a system resource manager (e.g., CICS) whenever a user tries to log on or attempts to access a resource
- Most calls are made using the RACROUTE macro, which is directed at the System Authorization Facility (SAF)
- RACF determines whether an action is authorized and advises the resource manager to allow or disallow the action
- RACF uses the profiles defined in its database to make these determinations
- The resource manager decides what action to take based on what RACF advises

(Diagram: User -> Request -> Resource Manager -> "Permitted?" -> z/OS (SAF) -> RACF -> RACF Database. RACF answers Yes, No, or Unprotected; the Resource Manager then allows or denies the request.)

Profiles and Permits

(Diagram not recoverable from the transcription. It shows users, organized by Position, Job Function, and Organization, connected to groups; users and groups are permitted access (ALTER, CONTROL, READ, EXECUTE, or NONE) to Dataset, Program, and CICS Transaction profiles, with Batch shown as one way a user reaches the system.)

RACF Commands

(Command table only partly legible in the transcription.)
  Profile commands (TSO): ... ADDSD, ALTDSD, DELDSD, LISTDSD (dataset profiles); PERMIT (access lists)
  Other TSO commands: RACMAP, HELP, RACPRIV
  Console: (not legible)

SETROPTS LIST

  SETROPTS LIST
  ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC) TERMINAL(READ) SAUDIT CMDVIOL OPERAUDIT
  STATISTICS = DATASET GTERMINL TERMINAL
  AUDIT CLASSES = DATASET USER GROUP DASDVOL GDASDVOL GTERMINL TERMINAL
  ACTIVE CLASSES = DATASET USER GROUP ACCTNUM ACICSPCT APPL BCICSPCT CCICSCMD CDT CONSOLE DASDVOL DCICSDCT DSNR ECICSDCT FACILITY FCICSFCT FSSEC GCICSTRN GDASDVOL GSDSF GTERMINL HCICSFCT JCICSJCT KCICSJCT LOGSTRM MCICSPPT NCICSPPT OPERCMDS PCICSPSB PMBR PROGRAM PROPCNTL QCICSPSB RACFVARS RRSFDATA RVARSMBR SCICSTST SDSF SERVER STARTED SURROGAT TCICSTRN TEMPDSN TERMINAL TSOAUTH TSOPROC UCICSTST UNIXPRIV VCICSCMD
  GENERIC PROFILE CLASSES = DATASET DASDVOL FACILITY PROGRAM TCICSTRN TERMINAL
  GENERIC COMMAND CLASSES = DATASET ACCTNUM DASDVOL FACILITY FIELD PERFGRP PROGRAM T@TESTRN TCICSTRN TERMINAL TSOAUTH TSOPROC
  GENLIST CLASSES = NONE
  GLOBAL CHECKING CLASSES = DATASET FACILITY TERMINAL
  SETR RACLIST CLASSES = APPL CDT DSNR FACILITY STARTED TSOAUTH TSOPROC
  GLOBAL=YES RACLIST ONLY = TCICSTRN
  LOGOPTIONS "ALWAYS" CLASSES = SURROGAT
  LOGOPTIONS "NEVER" CLASSES = NONE
  LOGOPTIONS "SUCCESSES" CLASSES = NONE
  LOGOPTIONS "FAILURES" CLASSES = FACILITY
  LOGOPTIONS "DEFAULT" CLASSES = DATASET ACCTNUM ACICSPCT ALCSAUTH APPCLU ... VTAMAPPL VXMBR WIMS WRITER
  AUTOMATIC DATASET PROTECTION IS IN EFFECT
  ENHANCED GENERIC NAMING IS IN EFFECT
  REAL DATA SET NAMES OPTION IS INACTIVE
  JES-BATCHALLRACF OPTION IS INACTIVE
  JES-XBMALLRACF OPTION IS INACTIVE
  JES-EARLYVERIFY OPTION IS INACTIVE
  PROTECT-ALL OPTION IS NOT IN EFFECT
  TAPE DATA SET PROTECTION IS INACTIVE
  SECURITY RETENTION PERIOD IN EFFECT IS 9999 DAYS.
  ERASE-ON-SCRATCH IS INACTIVE
  SINGLE LEVEL NAME PREFIX IS LVL1X
  LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
  INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED.
  NO DATA SET MODELLING IS BEING DONE.

SETROPTS LIST (continued)

  PASSWORD PROCESSING OPTIONS:
    THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES
    PASSWORD CHANGE INTERVAL IS 45 DAYS.
    PASSWORD MINIMUM CHANGE INTERVAL IS 3 DAYS.
    MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
    SPECIAL CHARACTERS ARE ALLOWED.
    10 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
    AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.
    PASSWORD EXPIRATION WARNING LEVEL IS 5 DAYS.
    INSTALLATION PASSWORD SYNTAX RULES:
      RULE 1  LENGTH(5:8)  ********
      RULE 2  LENGTH(6:8)  LLLLLLLL
    LEGEND:
      A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
      c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL s-SPECIAL x-MIXEDALL
  INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
  DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
  SECLEVELAUDIT IS INACTIVE
  SECLABEL AUDIT IS NOT IN EFFECT
  SECLABEL CONTROL IS NOT IN EFFECT
  GENERIC OWNER ONLY IS NOT IN EFFECT
  COMPATIBILITY MODE IS NOT IN EFFECT
  MULTI-LEVEL QUIET IS NOT IN EFFECT
  MULTI-LEVEL STABLE IS NOT IN EFFECT
  NO WRITE-DOWN IS NOT IN EFFECT
  MULTI-LEVEL ACTIVE IS NOT IN EFFECT
  CATALOGUED DATA SETS ONLY, IS NOT IN EFFECT
  USER-ID FOR JES NJEUSERID IS : ?
  USER-ID FOR JES UNDEFINEDUSER IS : (not legible)
  PARTNER LU-VERIFICATION SESSIONKEY INTERVAL DEFAULT IS 30 DAYS.
  APPLAUDIT IS IN EFFECT
  ADDCREATOR IS NOT IN EFFECT
  KERBLVL 0
  MULTI-LEVEL FILE SYSTEM IS NOT IN EFFECT
  MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS NOT IN EFFECT
  MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
  SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
  PRIMARY LANGUAGE DEFAULT : ENU / ENGLISH
  SECONDARY LANGUAGE DEFAULT : ENU / ENGLISH

RACF Users

RACF Identification and Authentication

- User - person or process (e.g., Started Task, Batch Job) accessing the system
- USERID (often abbreviated as just "ID") - identifier for a user
  - Up to 8 characters in length
  - Comprised of letters, numbers, or national characters (U.S. - @, #, $)
  - Must be unique - cannot match another USERID or a Group
- A User Profile defines an ID to RACF along with its characteristics
- User Authentication
  - Password: 1-8 characters - letters, numbers, and national characters
  - Password Phrase: 9-100 characters - mixed-case letters, numbers, and special characters
  - PassTicket: one-time password generated by an application at logon time
  - Digital Certificate: public-key X.509 certificate
  - Multifactor Authentication (MFA): PIN and dynamic token

RACF Identification and Authentication

- At logon, the Resource Manager passes the ID and authenticator entered by the user (e.g., password) to RACF for validation using either a RACINIT macro or a RACROUTE macro with REQUEST=VERIFY or VERIFYX
- If logon is successful, RACF builds an Accessor Environment Element (ACEE) control block in memory
- ACEE contents:
  - USERID
  - User Attributes (e.g., SPECIAL, OPERATIONS)
  - User Name and Installation-Data
  - Current Connect Group
  - Current Connect Group UACC
  - List of User's Groups
- The ACEE is referenced for all subsequent resource access authorization checks
- The ACEE must be refreshed via re-logon to acquire new attributes

USERID Controls

Controls on individual IDs:
- REVOKE / RESUME [ (date) ] - deactivate / activate, with optional future date
- WHEN(DAYS(days) TIME(time)) - day-of-week, time-of-day logon limits
- PROTECTED - disallows logon with a password; for Batch and Started Task IDs
- NOINTERVAL - user never required to change password; for file transfer IDs, etc.

USERID Controls

Controls over all USERIDs - SETROPTS:
  INITSTATS          - Record last logon and password change date/time
  INACTIVE(#)        - Automatic revoke after prolonged inactivity - # days (1-255)
  PASSWORD(options)
    ALGORITHM(...)   - Encryption algorithm - LEGACY or KDFAES
                       - LEGACY - DES - Data Encryption Standard
                       - KDFAES - Key Derivation Function with Advanced Encryption Standard (AES)
    INTERVAL(#)      - Frequency of mandatory periodic change - # days (1-254)
    MINCHANGE(#)     - Minimum # days before next password change (0-254)
    MIXEDCASE        - Mixed case passwords in use
    SPECIALCHARS     - National @ # $ plus . & ! * - % ? :
    HISTORY(#)       - Prevent reuse of # prior passwords (1-32)
    REVOKE(#)        - Revoke ID after # attempts with bad password (1-255)
    WARNING(#)       - # days advance notice of next password expiration (1-255)
    RULE#( )         - Minimum/maximum length and composition format - up to 8 rules
                       - Most common rule - 8 alphanumeric characters
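The RULEn format on this slide and the two rules shown in the SETROPTS LIST output earlier on the page (RULE 1 LENGTH(5:8) ********, RULE 2 LENGTH(6:8) LLLLLLLL) are easier to reason about with a checker in hand. The following is an added example, not code from the RSH deck or from IBM: it parses RULEn lines out of SETROPTS LIST text and tests candidate passwords against them. The class letters follow the LEGEND line of that output; the exact membership of each class (in particular NOVOWEL, the "mixed" classes and SPECIAL) is this example's assumption.

```python
# Added example, not from the RSH deck: a checker for SETROPTS PASSWORD RULEn
# syntax rules of the kind shown in SETROPTS LIST output. A password is
# syntactically acceptable when it satisfies at least one rule: its length lies
# within LENGTH(min:max) and every character position satisfies the format
# letter for that position. Class membership below is this example's assumption.
import re
from typing import List, Optional, Tuple

LETTERS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = {ch.lower() for ch in LETTERS}
VOWELS = set("AEIOU")
DIGITS = set("0123456789")
NATIONAL = set("@#$")
SPECIAL = set(".&!*-%?:")            # the special characters listed on this page

CLASSES = {
    "A": LETTERS,                       # ALPHA
    "C": LETTERS - VOWELS,              # CONSONANT
    "L": LETTERS | DIGITS,              # ALPHANUM
    "N": DIGITS,                        # NUMERIC
    "V": VOWELS,                        # VOWEL
    "W": (LETTERS - VOWELS) | DIGITS,   # NOVOWEL
    "$": NATIONAL,                      # NATIONAL
    "s": SPECIAL,                       # SPECIAL
}
# Mixed-case classes additionally accept lowercase letters (assumption).
CLASSES["c"] = CLASSES["C"] | {ch.lower() for ch in CLASSES["C"]}   # MIXED CONSONANT
CLASSES["v"] = VOWELS | {ch.lower() for ch in VOWELS}               # MIXED VOWEL
CLASSES["m"] = LETTERS | LOWER | DIGITS                             # MIXED NUMERIC
CLASSES["x"] = LETTERS | LOWER | DIGITS | NATIONAL | SPECIAL        # MIXEDALL
CLASSES["*"] = CLASSES["x"]                                         # ANYTHING

RULE_RE = re.compile(r"RULE\s+(\d+)\s+LENGTH\((\d+)(?::(\d+))?\)\s*(\S+)")

Rule = Tuple[int, int, int, str]   # (rule number, min length, max length, format)


def parse_rules(setropts_list_text: str) -> List[Rule]:
    """Pull RULEn lines out of SETROPTS LIST output. LENGTH(8) means 8:8."""
    rules = []
    for num, lo, hi, fmt in RULE_RE.findall(setropts_list_text):
        rules.append((int(num), int(lo), int(hi or lo), fmt))
    return rules


def satisfies(password: str, rule: Rule, mixed_case: bool = False) -> bool:
    """Check one password against one rule. With MIXEDCASE not in effect the
    password is folded to upper case before the format is applied."""
    _, lo, hi, fmt = rule
    if not lo <= len(password) <= hi:
        return False
    pw = password if mixed_case else password.upper()
    return all(ch in CLASSES[f] for ch, f in zip(pw, fmt))


def matching_rule(password: str, rules: List[Rule], mixed_case: bool = False) -> Optional[int]:
    """Rules are alternatives: return the number of the first rule satisfied, else None."""
    for rule in rules:
        if satisfies(password, rule, mixed_case):
            return rule[0]
    return None


# Constructed sample: the two rules shown in this deck's SETROPTS LIST output.
SAMPLE_SETROPTS = """
INSTALLATION PASSWORD SYNTAX RULES:
  RULE 1  LENGTH(5:8)  ********
  RULE 2  LENGTH(6:8)  LLLLLLLL
"""
SAMPLE_RULES = parse_rules(SAMPLE_SETROPTS)

# Constructed tighter alternative: the "most common rule" named on this slide,
# eight alphanumeric characters, as the only rule.
STRICT_RULES = parse_rules("RULE 1 LENGTH(8) LLLLLLLL")

if __name__ == "__main__":
    for pw in ["ab12c", "ab!cdefg", "ABC12345", "ABC1234!", "abcd"]:
        print(f"{pw:10} sample -> {matching_rule(pw, SAMPLE_RULES)}   strict -> {matching_rule(pw, STRICT_RULES)}")
```

Because the rules are alternatives, the weakest one sets the effective policy: in the sample, RULE 1 accepts any five-to-eight-character string, so RULE 2 never constrains anything. Running the checker over a proposed rule set before issuing SETROPTS is a cheap way to catch that.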

User Profile

- USERID
- User Name
- Default Group
- Profile Owner
- Last Access Date/Time
- Password / Phrase
- Password / Phrase Date
- Password / Phrase Interval
- Password / Phrase History
- User Attributes
- Revoke/Resume Dates
- Installation-Data
- Day/Time Logon Limits
- Group Connects
  - Connect Owner
  - Last Connect Date/Time
  - Connect Attributes
  - Connect Revoke/Resume Dates
- Segments
  - CICS
  - OMVS
  - TSO

User Profile

  LISTUSER JSMITH1 TSO

  USER=JSMITH1  NAME=JOHN SMITH  OWNER=SECGRP1  CREATED=05.067
   DEFAULT-GROUP=USRGRPA  PASSDATE=19.030  PASS-INTERVAL=30  PHRASEDATE=N/A
   ATTRIBUTES=OPERATIONS
   ATTRIBUTES=UAUDIT
   REVOKE DATE=NONE  RESUME DATE=NONE
   LAST-ACCESS=19.035/11:35:22
   CLASS AUTHORIZATIONS=DASDVOL
   INSTALLATION-DATA=SSN234-12-3990 TECHSPT DASD MANAGEMENT
   NO-MODEL-NAME
   LOGON ALLOWED   (DAYS)          (TIME)
   ---------------------------------------------
   ANYDAY                          ANYTIME
    GROUP=USRGRPA   AUTH=USE      CONNECT-OWNER=SECUSR02  CONNECT-DATE=05.067
      CONNECTS= 5,234  UACC=NONE   LAST-CONNECT=19.035/11:35:22
      CONNECT ATTRIBUTES=NONE
      REVOKE DATE=NONE   RESUME DATE=NONE
    GROUP=TECHSPT1  AUTH=CONNECT  CONNECT-OWNER=RJONES2   CONNECT-DATE=05.070
      CONNECTS=    00  UACC=READ   LAST-CONNECT=UNKNOWN
      CONNECT ATTRIBUTES=OPERATIONS
      REVOKE DATE=NONE   RESUME DATE=NONE
    GROUP=SYS1      AUTH=CREATE   CONNECT-OWNER=SYS1      CONNECT-DATE=08.144
      CONNECTS=    00  UACC=ALTER  LAST-CONNECT=UNKNOWN
      CONNECT ATTRIBUTES=NONE
      REVOKE DATE=NONE   RESUME DATE=NONE
    GROUP=DASDMGT   AUTH=USE      CONNECT-OWNER=RJONES2   CONNECT-DATE=10.081
      CONNECTS=    00  UACC=NONE   LAST-CONNECT=UNKNOWN
      CONNECT ATTRIBUTES=SPECIAL
      REVOKE DATE=02.030 RESUME DATE=NONE
  SECURITY-LEVEL=NONE SPECIFIED
  CATEGORY-AUTHORIZATION=NONE SPECIFIED
  SECURITY-LABEL=NONE SPECIFIED

  TSO INFORMATION
  ---------------
  ACCTNUM= JJK001
  HOLDCLASS= M
  ...

Groups are listed in the order in which the user was connected to them.

User Profile Segments

Segments are extensions of the User profile containing system software product-specific control information:
  CICS      - CICS identification information (e.g., OPIDENT)
  CSDATA    - Customer-defined custom data fields
  DCE       - Associates a DCE Principal Identity (e.g., UUID) with the RACF USERID
  DFP       - SMS data management and DASD storage (e.g., MGMTCLAS)
  EIM       - LDAP profile
  KERB      - Kerberos user attributes
  LANGUAGE  - Preferred national language
  LNOTES    - Lotus Notes user (e.g., SNAME)
  NDS       - Maps a Novell Directory Service user name to the RACF USERID
  NETVIEW   - Application access information
  OMVS      - UNIX user attributes (e.g., UID)
  OPERPARM  - Extended MCS Console session attributes (e.g., AUTH)
  PROXY     - LDAP characteristics (e.g., LDAPHOST)
  TSO       - TSO UADS logon and authority information (e.g., ACCTNUM)
  WORKATTR  - APPC user characteristics (e.g., WANAME for SYSOUT)

RACF Groups

Group Concept

- A Group is a collection of users with similar access needs and common attributes
- Users are "connected" (i.e., joined) to groups and "removed" from groups
- Every user has a logon default group (DFLTGRP), and therefore is connected to at least one group
- A user can be connected to multiple groups
- Groups can be permitted access to resources, and the users who are connected to the group are granted this access
- Groups simplify RACF administration; it is easier to manage the access of 100 groups than 10,000 individual users
- Group names have the same format as USERIDs
- Group names must be unique; a group name cannot match a USERID or another group
- Groups defined as UNIVERSAL allow more than 5,957 IDs to be connected

Group Architecture

Group Structure:
- Groups are organized in a hierarchy with SYS1 at the top
- Every group except SYS1 has a superior group (SUPGROUP)
- RACF comes with one group - SYS1
- Groups are the primary tool for organizing the RACF database and can serve different purposes:
  - Organization (e.g., dept)
  - User Logon/Default (e.g., @deptuser)
  - Access Granting, role-based (e.g., #deptrole)
  - Dataset Owning, HLQ (e.g., dataset-hlq)
  - Resource Owning (e.g., deptres)
  - Other: Miscellaneous, Administrative, Documentation (e.g., ##deptmisc)

(Diagram: a tree with SYS1 at the top and the department and purpose-specific groups named above beneath it.)

Group Profile

CONNECT authorities: USE, CREATE, CONNECT, and JOIN

Group Profile

  LISTGRP DASDMGT OMVS

  INFORMATION FOR GROUP DASDMGT
      SUPERIOR GROUP=TECHSPT1      OWNER=RJONES2      CREATED=02.305
      INSTALLATION DATA=DASD MANAGEMENT SECTION
      NO MODEL DATA SET
      TERMUACC
      SUBGROUP(S)= DASDTEST
      USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
        RJONES2       CREATE         000000              READ
           CONNECT ATTRIBUTES=SPECIAL
           REVOKE DATE=NONE   RESUME DATE=NONE
        JSMITH1       USE            000000              NONE
           CONNECT ATTRIBUTES=SPECIAL
           REVOKE DATE=19.320 RESUME DATE=NONE
        SREST03       CONNECT        000000              NONE
           CONNECT ATTRIBUTES=NONE
           REVOKE DATE=NONE   RESUME DATE=NONE
        RHOMES1       USE            000000              NONE
           CONNECT ATTRIBUTES=REVOKED
           REVOKE DATE=NONE   RESUME DATE=NONE
        HWILLS2       USE            000000              NONE
           CONNECT ATTRIBUTES=NONE
           REVOKE DATE=NONE   RESUME DATE=NONE
        JWINDS4       JOIN           000000              NONE
           CONNECT ATTRIBUTES=NONE
           REVOKE DATE=NONE   RESUME DATE=NONE

  OMVS INFORMATION
  ----------------
  GID= 0000000339

Users are listed in the order in which they were connected to the group.

Group Profile Segments

Segments are extensions of the Group profile containing system software product-specific control information:
  CSDATA  - Customer-defined custom data fields
  DFP     - SMS data management and DASD storage
  OMVS    - UNIX group attributes (e.g., GID)
  TME     - Tivoli group roles

RACF Resource Protection

Resource Protection Concepts

- RACF determines whether a user is authorized to access a resource at the requested level of access (e.g., READ) based on resource profiles defined in its database
- Resource profiles contain:
  - The logical name of the resource (e.g., the DSNAME)
  - The type of resource, or 'Class' (e.g., PROGRAM)
  - Control options (e.g., WARNING)
  - Auditing specifications (e.g., AUDIT(FAILURES(READ)))
  - Access permissions
- Resource categories:
  - Dataset
  - General Resource (e.g., TSOPROC)

Resource Protection Concepts

- Resource Managers use RACF authorization macros to call RACF
  - RACHECK or FRACHECK
  - RACROUTE REQUEST=AUTH or REQUEST=FASTAUTH, for example:

      RACROUTE REQUEST=AUTH,USERID='GSMITH',ENTITY='RSH.PRIV',CLASS='FACILITY',ATTR=READ,LOG=NONE

- RACF uses the name and class of the resource to locate the corresponding profile in its database
- RACF sends a Return Code (RC) back to the calling Resource Manager indicating the result of the authorization check

Resource Profiles

  RLIST DASDVOL SYS* ALL

  CLASS      NAME
  -----      ----
  DASDVOL    SYS* (G)

  GROUP CLASS NAME
  ----- ----- ----
  GDASDVOL

  RESOURCE GROUPS
  -------- ------
  NONE

  LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
  -----  --------  ----------------  -----------  -------
   00    STGADM    NONE              NONE         YES

  INSTALLATION DATA
  -----------------
  NONE

  APPLICATION DATA
  ----------------
  NONE

  SECLEVEL
  --------
  NO SECLEVEL

  CATEGORIES
  ----------
  NO CATEGORIES

  SECLABEL
  --------
  NO SECLABEL

Resource Profiles (continued)

  AUDITING
  --------
  FAILURES(READ)

  GLOBALAUDIT
  -----------
  NONE

  NOTIFY
  ------
  NO USER TO BE NOTIFIED

  CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE  UPDATE COUNT  READ COUNT
  (DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
  -------------  -------------------  ----------------  ------------  ----------
   270   02       270   02             270   02          000000        000000
  (ALTER COUNT and CONTROL COUNT values not legible in the transcription)

  USER      ACCESS   ACCESS COUNT
  ----      ------   ------------
  (standard access list entries not legible in the transcription; JWILLS2 is listed with NONE)

  ID  ACCESS  ACCESS COUNT  CLASS  ENTITY NAME
  --  ------  ------------  -----  -----------
  NO ENTRIES IN CONDITIONAL ACCESS LIST

IDs are listed in the order in which they were permitted access.
A permission of NONE for JWILLS2 prevents access even if the user is a member of APPLSPT or DASDMGMT.

Resource Profiles

Resource profile types:
  Discrete  - Fully qualified resource name - exact match
  Generic   - Partially qualified resource name with masking
  Grouping  - Set of discrete and generic profiles with identical attributes

- RACF uses the most specific profile (i.e., closest match to the resource name) for determining access authorization
  - First Discrete, then Generic
  - Generic with the most matching non-masking characters, from left to right
- Example profile ordering, most specific first (as shown on the slide):
  PROD.*.EMPLOYEE
  PAY.PROD.**
  PAY.**
  PAY.PROD.MASTER.BKUP
  PAY.PROD.CHECKS.TAPE
- Profiles are sequenced based on EBCDIC characters rather than ASCII

Generic Profiles

- Offer a one-to-many relationship of profile to resources protected
- Use masking characters to match multiple resources
- Masking characters, in order of precedence in specificity:
  %   - Single substitute character
  *   - Any set of substitute characters, or one qualifier
  **  - Any set of substitute characters, zero or more qualifiers
- Generic masking characters may be used in any position of the name
- Usage and behavior of the masking characters differs slightly based on whether the profile is a Dataset or a General Resource
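The two preceding slides (profile types and precedence, and the masking characters) describe how RACF picks one profile for a resource name. The following is an added example, not code from the RSH deck or from IBM: a small model of dataset-name matching under Enhanced Generic Naming and of "most specific profile wins" selection. RACF keeps its profiles physically sorted in specificity order; the ranking used here (literal character, then %, then *, then **, compared left to right) is a simplified stand-in for that ordering, and the profile list is constructed for the example.

```python
# Added example, not from the RSH deck: a model of RACF generic-profile matching
# and "most specific profile wins" selection for the DATASET class with
# Enhanced Generic Naming (EGN) active, using the masking rules on this page:
#   %  = exactly one character
#   *  = any characters within one qualifier, or one whole qualifier
#   ** = zero or more whole qualifiers
# The specificity ranking (literal < % < * < **, left to right) is a simplified
# stand-in for RACF's own profile ordering.
import re
from typing import List, Optional, Tuple

GENERIC_CHARS = set("%*")


def _qualifier_regex(qualifier: str) -> "re.Pattern[str]":
    """Translate one profile qualifier (e.g. 'LIBS*', 'PROD%%') into a regex."""
    body = "".join(
        "." if ch == "%" else ".*" if ch == "*" else re.escape(ch) for ch in qualifier
    )
    return re.compile(f"^{body}$")


def profile_matches(profile: str, dsname: str) -> bool:
    """True if the dataset name is covered by the profile name under EGN rules."""
    pquals = profile.upper().split(".")
    dquals = dsname.upper().split(".")

    def match(pi: int, di: int) -> bool:
        if pi == len(pquals):              # profile exhausted: name must be too
            return di == len(dquals)
        if pquals[pi] == "**":             # zero or more whole qualifiers
            return any(match(pi + 1, k) for k in range(di, len(dquals) + 1))
        if di == len(dquals):              # name exhausted but profile is not
            return False
        if not _qualifier_regex(pquals[pi]).match(dquals[di]):
            return False
        return match(pi + 1, di + 1)

    return match(0, 0)


def is_discrete(profile: str) -> bool:
    """No masking characters: a discrete (or fully qualified) profile."""
    return not (GENERIC_CHARS & set(profile))


def _specificity_key(profile: str) -> List[Tuple[int, str]]:
    """Position-by-position rank; lower sorts first (more specific).
    '**' is tokenised as one unit so it ranks below a lone '*'."""
    rank = {"%": 1, "*": 2, "**": 3}
    tokens = re.findall(r"\*\*|\*|%|.", profile.upper())
    return [(rank.get(tok, 0), tok) for tok in tokens]


def best_profile(profiles: List[str], dsname: str) -> Optional[str]:
    """Pick the profile RACF would use: a discrete match first, else the most
    specific matching generic, else None (the dataset is unprotected)."""
    hits = [p for p in profiles if profile_matches(p, dsname)]
    discrete = [p for p in hits if is_discrete(p)]
    if discrete:
        return discrete[0]
    generics = [p for p in hits if not is_discrete(p)]
    return min(generics, key=_specificity_key) if generics else None


# Constructed sample profile set, loosely modelled on the names used on the slide.
SAMPLE_PROFILES = [
    "PAY.**",
    "PAY.PROD.**",
    "PAY.PROD.*",
    "PAY.PROD.*.EMPLOYEE",
    "PAY.PROD.MASTER.BKUP",   # discrete: no masking characters
]

if __name__ == "__main__":
    for ds in ["PAY.PROD.MASTER.BKUP", "PAY.PROD.CHECKS.EMPLOYEE",
               "PAY.PROD.CHECKS.TAPE", "PAY.PROD.DAILY", "PAY.TEST.A.B", "HR.PROD.X"]:
        print(f"{ds:26} -> {best_profile(SAMPLE_PROFILES, ds)}")
```

The point worth checking against a real database is the PAY.PROD.* versus PAY.PROD.** pair: under EGN the single asterisk covers exactly one more qualifier, so PAY.PROD.DAILY lands on PAY.PROD.* while PAY.PROD.CHECKS.TAPE falls through to PAY.PROD.**, and the access lists of those two profiles may differ.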

Access Authorization

RACF considers the following in deciding whether access is permitted:
- Is the Class active?
- Is the user a Started Task with PRIVILEGED or TRUSTED authority?
- Does an installation exit program grant or deny access?
- Does an entry in the Global Access Table (GAT) grant access? The GAT is used to grant access to resources needed by all users
- Is there a profile that protects the resource; if not, what default RC is to be issued?
- Does the user own the resource?
- Does the profile's Standard Access List have an entry granting access to:
  - The user's USERID
  - One of the user's groups - assumes SETROPTS GRPLIST (List of Groups) is active
  - ID(*) - all RACF-defined users
- Does the profile's Universal Access (UACC) grant access (default access)?
- Does the class accept OPERATIONS authority, and does the user have OPERATIONS?
- Does the profile's Conditional Access List have an entry granting access?
- Is the profile in WARNING mode?
- Is the user RESTRICTED? A RESTRICTED user gets no access from the GAT, ID(*), or UACC

Access Authorization Decision Logic

(Flowchart, rendered as a sequence; return codes as on the slide.)
1. Resource class active (and RACLISTed if required)?  No -> RC 4
2. PRIVILEGED or TRUSTED Started Task?  Yes -> RC 0 (pass)
3. AUTH / FASTAUTH pre- and post-processing exits (ICHRCX01-02 / ICHRFX01-04): exit may force RC 0 (pass) or RC 8 (fail); no exit or no action -> continue
4. Global Access Table entry with allowed access >= requested access?  Yes -> RC 0 (skipped for RESTRICTED users)
5. Profile found in database?  No -> RC per CDT DFTRETC (0/4/8), or 8 under PROTECTALL
6. User "owns" the resource (USERID = dataset HLQ, or JES spool SYSOUT owner)?  Yes -> RC 0
   Otherwise continue at A (next slide)

Access Authorization Decision Logic (continued from A)

7. USERID in standard access list?  Listed with allowed >= requested -> RC 0; listed with insufficient access (NotAuth) -> go to 10; not listed -> 8
8. Group(s) in standard access list?  Listed with allowed >= requested -> RC 0; NotAuth -> go to 10; not listed -> 9
9. ID(*) in standard access list?  Listed with allowed >= requested -> RC 0; NotAuth -> go to 10; not listed, or the user does not have a RACF USERID -> UACC >= requested?  Yes -> RC 0; No -> 10 (ID(*) and UACC are skipped for RESTRICTED users)
10. Class accepts OPERATIONS and user has OPERATIONS?  Yes -> RC 0
11. USERID, group(s), or ID(*) in conditional access list (PROGRAM, TERMINAL, CONSOLE, or JESINPUT condition) with allowed >= requested?  Yes -> RC 0
12. Profile in WARN mode?  Yes -> RC 0; No -> RC 8 (fail)

Access Permissions

- Access List entries and UACC specify the permitted level of access
- Access levels (listed from highest to lowest access authority):
  ALTER
  CONTROL
  UPDATE
  READ
  EXECUTE
  NONE
- Higher level access authorities include lower level authorities
- The meaning of an access level differs by the class of resource protected
- Conditional Access List entries grant access only when a condition is met (e.g., WHEN(PROGRAM(program-name)) or WHEN(TERMINAL(terminal-id)))
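The decision flow on the two preceding slides, together with the access-level ordering above, is easiest to understand by stepping through it with concrete users and profiles. The following is an added example, not code from the RSH deck or from IBM: a teaching model of the flowchart as drawn on the page, not of RACF's actual implementation. It omits the installation exits and models "ownership" only for the dataset-HLQ case; the users, profile and Global Access Table entries are constructed for the example.

```python
# Added example, not from the RSH deck: a model of the access-authorization
# decision flow drawn on the "Access Authorization Decision Logic" slides.
# Return codes follow the slides: 0 = allow, 4 = no decision (class inactive
# or resource not protected), 8 = deny. Exits are omitted.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def at_least(granted: str, requested: str) -> bool:
    """Higher access levels include the lower ones (ALTER > CONTROL > ... > NONE)."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(requested)


@dataclass
class User:
    userid: str
    groups: List[str] = field(default_factory=list)   # all connect groups (GRPLIST active)
    operations: bool = False
    restricted: bool = False
    privileged_or_trusted: bool = False               # started task with PRIVILEGED/TRUSTED
    racf_defined: bool = True


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)   # standard access list: ID -> access
    cacl: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (ID, access, class, entity)
    warning: bool = False


@dataclass
class Environment:
    class_active: bool = True
    class_accepts_operations: bool = True
    resource_class: str = "DATASET"
    gat: Dict[str, str] = field(default_factory=dict)   # Global Access Table: resource -> access
    no_profile_rc: int = 4                               # CDT DFTRETC, or 8 under PROTECTALL
    condition: Dict[str, str] = field(default_factory=dict)  # e.g. {"PROGRAM": "PVAL01"}


def check_access(user: User, resource: str, requested: str,
                 profile: Optional[Profile], env: Environment) -> Tuple[int, str]:
    """Walk the slide's decision flow and return (return code, reason)."""
    if not env.class_active:
        return 4, "class not active"
    if user.privileged_or_trusted:
        return 0, "PRIVILEGED/TRUSTED started task"
    gat = env.gat.get(resource)
    if gat and not user.restricted and at_least(gat, requested):
        return 0, "Global Access Table"
    if profile is None:
        return env.no_profile_rc, "no profile (DFTRETC / PROTECTALL)"
    if env.resource_class == "DATASET" and resource.split(".")[0] == user.userid:
        return 0, "user owns the resource (dataset HLQ = USERID)"

    # Standard access list. A USERID entry is used in preference to groups,
    # ID(*) and UACC; an entry with insufficient access falls through to the
    # OPERATIONS check rather than to UACC (the NotAuth arrows on the slide).
    if user.userid in profile.acl:
        if at_least(profile.acl[user.userid], requested):
            return 0, "USERID in access list"
    elif any(g in profile.acl for g in user.groups):
        best = max((profile.acl[g] for g in user.groups if g in profile.acl),
                   key=ACCESS_LEVELS.index)
        if at_least(best, requested):
            return 0, "group in access list"
    elif "*" in profile.acl and user.racf_defined and not user.restricted:
        if at_least(profile.acl["*"], requested):
            return 0, "ID(*) in access list"
    elif not user.restricted and at_least(profile.uacc, requested):
        return 0, "UACC"

    if user.operations and env.class_accepts_operations:
        return 0, "OPERATIONS attribute"
    ids = {user.userid, *user.groups} | ({"*"} if user.racf_defined else set())
    for entry_id, access, cond_class, entity in profile.cacl:
        if (entry_id in ids and env.condition.get(cond_class) == entity
                and at_least(access, requested)):
            return 0, f"conditional access list WHEN({cond_class}({entity}))"
    if profile.warning:
        return 0, "profile in WARNING mode (access allowed and logged)"
    return 8, "not authorized"


# Constructed sample modelled on the SYS1.LIBS* profile listed on this page:
# JWILLS2 is on the access list with NONE, and APPPGMR gets UPDATE only when
# running program PVAL01.
SAMPLE_PROFILE = Profile("SYS1.LIBS*",
                         acl={"JWILLS2": "NONE", "TECHSPT1": "READ", "APPLSPT": "READ"},
                         cacl=[("APPPGMR", "UPDATE", "PROGRAM", "PVAL01")])

if __name__ == "__main__":
    env = Environment()
    print(check_access(User("JWILLS2", groups=["APPLSPT"]), "SYS1.LIBSRC", "READ", SAMPLE_PROFILE, env))
    print(check_access(User("JSMITH1", groups=["TECHSPT1"]), "SYS1.LIBSRC", "READ", SAMPLE_PROFILE, env))
    print(check_access(User("AGREEN", groups=["APPPGMR"]), "SYS1.LIBSRC", "UPDATE", SAMPLE_PROFILE,
                       Environment(condition={"PROGRAM": "PVAL01"})))
```

The first call reproduces the note on the RLIST slide: JWILLS2's explicit NONE denies READ even though APPLSPT, one of JWILLS2's groups, has READ, because the USERID entry is consulted and the group entries never are.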

RACF Dataset Protection

Dataset Protection

- RACF protection is provided by Dataset Profiles
- Dataset Profile name:
  - Incorporates the name(s) of the dataset(s) it protects (e.g., the dataset profile PAY.PROD.MASTER or PAY.PROD.** has the HLQ PAY)
  - The High Level Qualifier (HLQ) must match an existing RACF user or group
- Dataset profile types:
  - Discrete
    - Protects a single dataset on a specific DASD volume identified by its VOLSER
    - The RACF-Indicator bit in the DASD volume VTOC flags the dataset as having a Discrete profile
    - Profile is deleted when the corresponding dataset is deleted
  - Generic
    - Protects multiple datasets using masking characters
    - Can be 'fully qualified' (no masking characters) to protect a single dataset
    - SETROPTS EGN (Enhanced Generic Naming) enables use of the ** masking character
    - Unaffected by dataset deletion, and the RACF-Indicator bit is not set

Access Levels

  ALTER    - Allows anything, including creating, scratching (i.e., deleting), cataloging, uncataloging, and renaming (1)
  CONTROL  - For VSAM datasets, allows use of high-performance control-interval processing (enhanced form of UPDATE)
  UPDATE   - Allows writing and reading, but not creating and scratching
  READ     - Allows reading, including copying
  EXECUTE  - Allows the execution of programs from a specified library, but does not allow reading, copying, or dumping of the programs
  NONE     - Denies all access

(1) Renaming requires ALTER to both the old and the new dataset name

Dataset Profile

- D<br>ataset Name/Mask
- Profile Type
- DASD Volume (Discrete)
- Profile Owner
- WARN mode
- Standard Access List
  - User(s) - Access
  - Group(s) - Access
  - * - Access
- Conditional Access List - WHEN
  - User(s) - Access - Condition
  - Group(s) - Access - Condition
  - * - Access - Condition

Dataset Profile

  LISTDSD DATASET('SYS1.LIBS*') ALL

  INFORMATION FOR DATASET SYS1.LIBS* (G)

  LEVEL=00  OWNER=(not legible)  UNIVERSAL ACCESS=(not legible)  WARNING=NO
  AUDITING=FAILURES(UPDATE)
  NOTIFY=NO USER TO BE NOTIFIED
  YOUR ACCESS=READ
  CREATION GROUP=TECHSPT1
  DATASET TYPE=(not legible)
  INSTALLATION DATA=MVS LIBRARIES
  SECURITY LEVEL=NO SECURITY LEVEL

Dataset Profile (continued)

  CATEGORIES=NO CATEGORIES
  SECLABEL=NO SECLABEL

  CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
  (DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
  -------------  -------------------  ----------------
   270   02      NOT APPLICABLE FOR GENERIC PROFILE

  ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
  -----------  -------------  ------------  ----------
  NOT APPLICABLE FOR GENERIC PROFILE

  ID        ACCESS
  --------  ------
  RJONES2   (not legible)
  TECHSPT1  (not legible)
  *         (not legible)
  DASDMGT   (not legible)
  JWILLS2   READ

  ID        ACCESS   CLASS     ENTITY NAME
  --------  -------  --------  -----------
  APPPGMR   UPDATE   PROGRAM   PVAL01
  APPPGMR   UPDATE   PROGRAM   PVAL04

Dataset Protection Options

- SETROPTS PROTECTALL option - prevents access to unprotected datasets
- SETROPTS ERASE option - overwrites data when deleted to prevent scavenging of residual data
- Tape datasets are only protected if one of the following is active:
  - SETROPTS TAPEDSN option
  - PARMLIB(DEVSUPnn) option TAPEAUTHDSN=YES
  - CA-1 option OCEOV=YES
- Pervasive Encryption - encrypts the contents of a dataset
  - A CSFKEY class encryption-key-label profile is specified in the dataset profile's DFP segment

RACF General Resource Protection

General Resources

- RACF protection is provided by General Resource Profiles
- A General Resource is anything other than a dataset, for example:
  - Terminals
  - CICS Transactions
  - DASD Volumes
  - Application APPLIDs
  - TSO Logon Attributes
  - General Purpose Facility
  - Programs
  - JES Spool
  - NJE Nodes
  - DB2 System Connections
  - MVS and JES Commands
  - 3rd Party or Locally Defined
- General Resources are identified by their logical names within a specific class
- The construct of the resource name is determined by the resource manager

General Resources

  RESOURCE TYPE       CLASS / GROUPING CLASS    EXAMPLE RESOURCE NAME
  Program             PROGRAM                   (not legible)
  TSO Authority       TSOAUTH                   (not legible)
  DASD Volumes        DASDVOL / GDASDVOL        (not legible)
  CICS APPLID         APPL                      (not legible)
  DB2 TSO Connect     DSNR                      (not legible)
  Storage Admin       FACILITY                  (not legible)
  JES2 RJE Reader     JESINPUT                  (not legible)
  SDSF Command        SDSF / GSDSF              ...TPUT.JES2 (truncated)
  MVS Command         OPERCMDS                  MVS.HALT.NET
  CICS Transaction    TCICSTRN / GCICSTRN       CEMT

General Resource Protection General Resource Profile names incorporate the cla
