IBM Systems & IBM Security
© 2018 IBM Corporation
IBM zSystems
IT Service Management
IBM Workload Scheduler for z/OS
Security
with RACF & IBM zSecure
Domenico (Nico) Chillemi
IBM Executive IT Specialist
nicochillemi@it.ibm.com
Best Practices
zSystems & zSecurity
Ciao ☺
IBM Mainframe
50 years old
Strong Batch experience
IBM Academy of Technology
z Platform Initiatives Leader
zChampion
IBM Workload Scheduler
RACF & zSecure
zStorage Rocket Tools
System Automation
Log Analytics Tools
zSecure components
[Diagram: zSecure Admin, zSecure Audit, zSecure Alert, zSecure Visual, zSecure CICS Toolkit and zSecure Command Verifier, shown together with RACF (commands and database), SAF, SMF, SIEM and other destinations, and z/OS + UNIX + DB2 + CICS + IMS configuration information]
IBM Workload Scheduler for z/OS components
[Diagram: IWS z/OS Engine in the z/OS domain (Sysplex, MAS, DASD, XCF, FTP) with ISPF, IWS z/OS Agents, IWS Distributed zCentric Agents, IBM Workload Console on WebSphere Application Server, Info Mgmt and Monitoring]
Main IWSz concepts and objects
▪ Database
  – Batch applications
  – Workstations
  – Calendars
▪ Plans
  – Long Term Plan
  – Current Plan
▪ Run Cycles
▪ JOBs
▪ Generic Operations
▪ Commands
▪ JOBLOGs
▪ .....
IBM Workload Scheduler for z/OS - What to consider for protection
▪ IWSz data sets
  – Protect all the data sets that the IWSz address spaces need in order to start
▪ Subsystem (Controller/Tracker/Server) USERID
  – Every IWSz address space must be associated with a user, which can be the same for more than one subsystem
  – This user has to be registered in the STARTED RACF class
▪ IWSz Subsystems
  – Any direct access to IWSz, or access through any kind of interface (Console, API, etc.), can be prevented or authorized through the APPL RACF class
▪ IWSz Objects
  – Any access to AD or CP, or for example to specific IWSz jobs, can be prevented or authorized
▪ IWSz Commands
  – One or more typical IWSz commands can be prevented or authorized
IWSz - What to consider for protection (RACF)
▪ IWSz data sets
    ADDSD IWS.V9R3.** UACC(N) OWNER(NICO)
    PERMIT IWS.V9R3.** ACC(ALTER) ID(IWSUSER AdminGrup)
▪ Subsystem (Controller/Tracker) USERID
    ADDUSER IWSSTC DFLTGRP(Admin) OWNER(NICO) NOPASSWORD ....
    RDEF STARTED IWS*.* STDATA( USER(IWSSTC) .....)
    PERMIT IWS.V9R3.** ACC(ALTER) ID(IWSSTC)
▪ IWSz Subsystems
    RDEF APPL IWS9 UACC(N) OWNER(NICO)
    PERMIT IWS9 CLASS(APPL) ACC(R) ID(.......)
IWSz - What to consider for protection (zSecure)
Protect IWSz Objects with RACF
▪ One dedicated RACF class, already defined in RACF
  – IBMOPC dedicated RACF class
    • Automatically activated
    • Other dedicated classes can be used, but must be defined to RACF
  – Activated in IWSz with the AUTHDEF initialization statement
▪ Other RACF classes can be defined in RACF
  – Dynamically or via job
▪ Two protection levels
  – IWSz Fixed Resources (AD, WS, LT, CP, ...)
    • All activated if IBMOPC is activated both in RACF and in AUTHDEF
  – IWSz Subresources (specific objects inside each resource)
    • Only those specified in the AUTHDEF initialization statement are activated
IBM Workload Scheduler for z/OS Parameters Example
▪ IWSz PARMLIB
  – IWSz Fixed Resources
        AUTHDEF CLASS(IBMOPC)
  – IWSz Subresources
        AUTHDEF CLASS(IBMOPC)
                SUBRESOURCES(AD.ADNAME,
                             AD.OWNER,
                             WS.WSNAME,
                             LT.ADNAME,
                             CP.JOBNAME,
                             JS.JOBNAME,
                             .....)
▪ RACF Resource
        ADA.**
        ADO.**
        CPJ.**
Fixed Resources protection (1st level)
▪ Application Description, Current Plan, JS, etc...
    RDEF IBMOPC (AD) UACC(N)
    RDEF IBMOPC (CP) UACC(N)
    RDEF IBMOPC (JS) UACC(N)
    …
    PERMIT AD CLASS(IBMOPC) ACC(U) ID(Admin)
    PERMIT CP CLASS(IBMOPC) ACC(U) ID(Admin)
    PERMIT JS CLASS(IBMOPC) ACC(U) ID(Admin)
    …
    PERMIT AD CLASS(IBMOPC) ACC(U) ID(Grup1)
    PERMIT CP CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
    PERMIT JS CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2 Grup3)
Subresources protection (2nd level)
▪ Specific applications, specific jobs, etc...
  – Applications by owner-name
        RDEF IBMOPC (ADO.NIC*) UACC(N)
        PERMIT ADO.NIC* CLASS(IBMOPC) ACC(U) ID(Admin)
  – Long term plan objects by application-name
        RDEF IBMOPC (LTA.APPL1*) UACC(N)
        PERMIT LTA.APPL1* CLASS(IBMOPC) ACC(U) ID(Grup1)
  – Current plan objects by job-name
        RDEF IBMOPC (CPJ.J01*) UACC(N)
        PERMIT CPJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
  – JS objects by job-name
        RDEF IBMOPC (JSJ.J01*) UACC(N)
        PERMIT JSJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup3)
zSecure – Fixed Resources and Subresources
© 2016 IBM Corporation
Enhanced Security in Workload Automation for z/OS
(last IWSz 9.3 SPE)
Value Solution
▪ More granularity in security access helps guarantee product stability
▪ Secure actions, in addition to data
▪ Security access can now be controlled at any level, from object level down to action level
IWSz Security Enhancements
• Define actions as subresources in the AUTHDEF statement
• Use RACF commands to provide/deny access to users

AUTHDEF
    COMMAND1(J,ARC,…)
    SUBRESOURCES(CP.ADDOPER,
                 CP.COMMAND1)

RACF Commands
    RDEF IBMOPC CP.ADDOPER
    PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)

Fixed resource   Subresource & RACF resource name   Description
CP               CP.ADD                             Add workload (occurrences or operations)
                 CP.MODIFY                          Modify attributes
                 CP.DELETE                          Delete workload (occurrences or operations)
                 CP.COMMANDx                        Line commands
                 CP.ADDOPER                         Add operations
                 CP.DELOPER                         Delete operations
                 CP.MODOPER                         Modify operations
                 CP.ADDDEP                          Add dependencies
                 CP.DELDEP                          Delete dependencies
                 CP.MODDEP                          Modify dependencies
                 CP.MODOPSTAT                       Modify operation status

Occurrence Commands
• RG  Remove from group
• DG  Delete group
• CG  Complete group
• C   Complete an occurrence
• W   Set waiting
• R   Rerun

Operation Commands
▪ J        Edit JCL (J command resource)
▪ MH, MR   Manual Hold, Manual Release (MR, MH command resources)
▪ NP, UN   NOP, UN NOP (NP, UN command resources)
▪ K        Kill (K command resource)
▪ EX       Execute (EX command resource)
▪ JR/FJR   JT, Fast path JR (JR command resource)
▪ SR/FSR   SR, Fast path SR (SR command resource)
▪ SC/FSC   SC, Fast path SC (SC command resource)
▪ SJR      Simple Job Restart Execute (SJR command resource)
▪ R        Reset Status (MODOPSTAT resource)
▪ BIND     Bind operation (BND command resources)
▪ N        Set NEXT logical status (MODOPSTAT resource)
▪ N-x      Set specific status (MODOPSTAT resource)
Enhanced IWSz Security - Scenarios
Tim, the System Administrator; Jason, the Scheduler; Jane, the Application Developer
1. Tim can now authorize Jason, the Scheduler, to add operations to the Current Plan. At the same time, he can prevent him from adding new occurrences.
2. Tim can secure a set of commands, creating new User Profiles.
   • He can authorize Jane to perform a recovery action, but prevent her from editing a job
   • He can authorize Jason to Complete and Rerun an existing occurrence, but prevent him from adding new occurrences
Enhanced IWSz Security - Scenarios
1
• Define the CP.ADD and CP.ADDOPER subresources in the AUTHDEF statement
      SUBRESOURCES(CP.ADD,CP.ADDOPER)
• Define them to RACF and give universal NONE access by default
      RDEF IBMOPC CP.ADD
      RDEF IBMOPC CP.ADDOPER
• Give user Jason update access to the CP.ADDOPER resource
      PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)
2
To allow Jane to perform “ARC” (Automatic Recovery) and Jason to perform “C” (Complete occurrence) and “R” (Rerun Occurrence) commands:
• Define the CP.COMMANDx subresources in the AUTHDEF
      AUTHDEF CLASSNAME(IBMOPC)
              COMMAND1(ARC, C, R)
              SUBRESOURCES(CP.COMMAND1)
• Define to RACF
      RDEF IBMOPC CP.COMMAND1
• Give Jane update access to CP.COMMAND1
      PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)
Subresources protection with the last IWSz 9.3 SPEs
▪ AUTHDEF in IWSz PARM
    AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R)
            SUBRESOURCES(CP.COMMAND1)
▪ RACF RESOURCE DEFINITION
    RDEF IBMOPC CP.COMMAND1
▪ PERMIT TO DEVELOPERS
    PERMIT CP.COMMAND1 ID(Grup3) ACCESS(UPDATE) CLASS(IBMOPC)
IBM New Security Enhancements Parameters Example
▪ IWSz PARMLIB
    AUTHDEF CLASS(IBMOPC)
            SUBRESOURCES(CP.COMMAND1,
                         CP.COMMAND2,
                         .....)
            COMMAND1(ARC, C, R)
            COMMAND2(M, L)
            ...
▪ RACF Resource
    CP.COMMAND1
    CP.COMMAND2
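A consistency check for the AUTHDEF and RACF definitions shown on these slides, as an added example (not part of the original deck and not IBM code): it cross-checks that every subresource listed in SUBRESOURCES has an IBMOPC profile and, for CP.COMMANDn, a COMMANDn list, and that every subresource profile defined in RACF is actually activated by AUTHDEF. The function names, finding codes and sample input with its deliberate mistakes are constructed for illustration, and the parser handles only the statement forms used on the slides.

```python
import re

# RACF resource-name prefix for each name-based subresource, as the slides use
# them (AD.ADNAME -> ADA.name, CP.JOBNAME -> CPJ.name, ...).
NAME_PREFIX = {"AD.ADNAME": "ADA", "AD.OWNER": "ADO", "LT.ADNAME": "LTA",
               "CP.JOBNAME": "CPJ", "JS.JOBNAME": "JSJ"}
PREFIX_NAME = {v: k for k, v in NAME_PREFIX.items()}


def parse_authdef(text):
    """Return (class, subresource list, {n: command list}) for one AUTHDEF statement."""
    flat = re.sub(r"\s+", "", text.upper())
    cls = re.search(r"CLASS(?:NAME)?\(([^)]*)\)", flat)
    sub = re.search(r"SUBRESOURCES\(([^)]*)\)", flat)
    cmds = {int(n): v.split(",")
            for n, v in re.findall(r"COMMAND(\d+)\(([^)]*)\)", flat)}
    subs = [s for s in sub.group(1).split(",") if s] if sub else []
    return (cls.group(1) if cls else None), subs, cmds


def parse_racf(commands, cls):
    """Return (profiles RDEF'd in cls, profiles named on a PERMIT for cls)."""
    defined, permitted = set(), set()
    for line in commands:
        words = line.upper().split()
        if len(words) >= 3 and words[0] in ("RDEF", "RDEFINE") and words[1] == cls:
            defined.add(words[2].strip("()"))      # slides write both AD and (AD)
        elif len(words) >= 2 and words[0] == "PERMIT":
            m = re.search(r"CLASS\(\s*(\w+)\s*\)", line.upper())
            if m and m.group(1) == cls:
                permitted.add(words[1])
    return defined, permitted


def audit(authdef_text, racf_commands):
    """Return sorted (finding, name) pairs; an empty list means consistent."""
    cls, subs, cmds = parse_authdef(authdef_text)
    defined, permitted = parse_racf(racf_commands, cls)
    findings = set()
    for s in subs:
        m = re.fullmatch(r"CP\.COMMAND(\d+)", s)
        if m and int(m.group(1)) not in cmds:
            findings.add(("NO_COMMAND_LIST", s))       # CP.COMMANDn without COMMANDn(...)
        if s in NAME_PREFIX:
            if not any(p.startswith(NAME_PREFIX[s] + ".") for p in defined):
                findings.add(("NO_PROFILE", s))
        elif "." not in s:
            findings.add(("BAD_SUBRESOURCE_NAME", s))  # e.g. a dropped dot
        elif s not in defined:
            findings.add(("NO_PROFILE", s))            # action subresource, no RDEF
    for n in cmds:
        if f"CP.COMMAND{n}" not in subs:
            findings.add(("COMMAND_LIST_NOT_IN_SUBRESOURCES", f"COMMAND{n}"))
    for prof in defined:
        if "." not in prof:
            continue                                   # fixed resource (AD, CP, JS, ...)
        first = prof.split(".")[0]
        # Profiles with a prefix this example does not know are left unchecked.
        sub = PREFIX_NAME.get(first, prof if first == "CP" else None)
        if sub and sub not in subs:
            findings.add(("NOT_ACTIVATED", prof))      # profile exists, AUTHDEF ignores it
    for prof in permitted - defined:
        findings.add(("PERMIT_WITHOUT_PROFILE", prof))
    return sorted(findings)


# Constructed sample with deliberate mistakes: a missing dot, a CP.COMMAND2
# without COMMAND2(...), and a CP.COMMAND1 that was never defined to RACF.
SAMPLE_AUTHDEF = """AUTHDEF CLASS(IBMOPC)
        COMMAND1(ARC, C, R)
        SUBRESOURCES(CP.ADD, CPADDOPER, CP.COMMAND1, CP.COMMAND2, AD.ADNAME)"""
SAMPLE_RACF = [
    "RDEF IBMOPC (AD) UACC(N)",
    "RDEF IBMOPC ADA.PAYR1* UACC(N)",
    "RDEF IBMOPC CP.ADD",
    "RDEF IBMOPC CP.ADDOPER",
    "PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)",
    "PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)",
]

if __name__ == "__main__":
    for finding, name in audit(SAMPLE_AUTHDEF, SAMPLE_RACF):
        print(f"{finding:34} {name}")
```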
Quick zSecure Scenario - IWSz 9.3 SPE example
zSecure Command Verifier and IWSz
▪ Acting on resources in RACF often requires the SPECIAL attribute
▪ This can also be a problem for IWSz, since a SPECIAL user can do much more
▪ RACF alone does not solve this problem
▪ zSecure Command Verifier makes it possible to limit the power of SPECIAL users
▪ IWSz can strongly benefit from this zSecure capability
zSecure Command Verifier in Action
[Diagram: RACF commands from TSO/ISPF and zSecure Admin pass through the Command Verifier exit and its policy before reaching the RACF database manager and RACF profiles; also shown: command output and SMF]
zSecure CV Best Practices examples with IWSz
▪ Suppose you would like to establish an IWSz RACF compliance rule saying that development people inside a department can define only IWS Application Description profiles for applications starting with TIV*.
▪ The objective is to prevent RACF from accepting any IWS profile creation, other than an IWS Application Description profile matching the TIV* wildcard, issued by a user belonging to the TIVCFG group.
▪ The first thing to do is to define the generic C4R profile saying that TIVCFG cannot add IWS for z/OS profiles
▪ This is done by adding the C4R.IBMOPC.ID.* profile to the C4R class
Typical zSecure Command Verifier DEVOPS Scenario with IBM Workload Scheduler for z/OS
▪ Suppose we need to establish an IWSz RACF compliance rule saying that:
  – PAYROLL administrators can define IWSz resources, based on the payroll batch applications their teams are responsible for
    • PAYROLL application developers can define only the IWSz applications they are responsible for
  – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for
    • REPORTING application developers can define only the IWSz applications they are responsible for
▪ There are three types of roles in this scenario:
  – RACF administrator
  – PAYROLL administrator and REPORTING administrator
  – PAYROLL developers and REPORTING developers
PAYROLL and REPORTING DEVOPS Scenarios
▪ RACFADM is the RACF Administrator
  – Creates Command Verifier profiles to authorize PAYROLL and REPORTING administrators, with SPECIAL attribute, to create only specific PAYROLL and REPORTING IWSz RACF profiles
▪ IWSPAYR is the IWSz Payroll Administrator
  – Creates RACF profiles for different Payroll IWSz applications
▪ IWSREPT is the IWSz Reporting Administrator
  – Creates RACF profiles for different Reporting IWSz applications
▪ IWSGPAY1 is the IWSz Payroll Application Developers 1 Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR1
▪ IWSGPAY2 is the IWSz Payroll Application Developers 2 Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR2
▪ IWSGRPTA is the IWSz Reporting Application Developers A Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTA
▪ IWSGRPTB is the IWSz Reporting Application Developers B Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTB
Administrators work in this scenario
▪ RACFADM
  – RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
  – RDEF C4R C4R.IBMOPC.ID.ADA.PAYR* UACC(N) OWNER(IWSPAYR)   ← 1st line
  – RDEF C4R C4R.IBMOPC.ID.ADA.REPT* UACC(N) OWNER(IWSREPT)   ← 2nd line
▪ IWSPAYR
  – RDEF IBMOPC ADA.PAYR1* UACC(N) OWNER(IWSPAYR)   → matches (1st line)
  – RDEF IBMOPC ADA.PAYR2* UACC(N) OWNER(IWSPAYR)   → matches (1st line)
  – PERMIT ADA.PAYR1* ACCESS(U) ID(IWSGPAY1) CLASS(IBMOPC)
  – PERMIT ADA.PAYR2* ACCESS(U) ID(IWSGPAY2) CLASS(IBMOPC)
▪ IWSREPT
  – RDEF IBMOPC ADA.REPTA* UACC(N) OWNER(IWSREPT)   → matches (2nd line)
  – RDEF IBMOPC ADA.REPTB* UACC(N) OWNER(IWSREPT)   → matches (2nd line)
  – PERMIT ADA.REPTA* ACCESS(U) ID(IWSGRPTA) CLASS(IBMOPC)
  – PERMIT ADA.REPTB* ACCESS(U) ID(IWSGRPTB) CLASS(IBMOPC)
Results
▪ ITUSER01 is connected to IWSGPAY1
  – ITUSER01 can access IBM Workload Scheduler for z/OS
    • He/She can define/update PAYR1APPL001, PAYR1APPLXXX, ...
    • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
▪ ITUSER25 is connected to IWSGPAY2
  – ITUSER25 can access IBM Workload Scheduler for z/OS
    • He/She can define/update PAYR2APPL001, PAYR2APPLXXX, ...
    • He/She cannot define/update PAYR1APPZZZ, REPTBAPPKKK, BANKAPP1, ...
▪ ITUSER71 is connected to IWSGRPTA
  – ITUSER71 can access IBM Workload Scheduler for z/OS
    • He/She can define/update REPTAAPPL001, REPTAAPPLXXX, ...
    • He/She cannot define/update PAYR2APPZZZ, REPTBAPPKKK, BANKAPP1, ...
▪ ITUSER95 is connected to IWSGRPTB
  – ITUSER95 can access IBM Workload Scheduler for z/OS
    • He/She can define/update REPTBAPPL001, REPTBAPPLXXX, ...
    • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
Command Verifier Scenario with new IWSz enhancements
▪ Suppose we need to establish an IWSz RACF compliance rule saying that:
  – PAYROLL administrators can define IWSz command resources, based on the payroll batch applications their teams are responsible for testing
    • PAYROLL application testers can test only IWSz Payroll RERUN in the Current Plan
  – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for testing
    • REPORTING application testers can test only IWSz browse joblog in the Current Plan
▪ There are three types of roles in this scenario as well:
  – RACF administrator
  – PAYROLL administrator and REPORTING administrator
  – PAYROLL testers and REPORTING testers
Note: We assume here that all appropriate Current Plan RACF protections are in place for both PAYROLL and REPORTING applications!
Testing (last IWSz enhancements) DEVOPS Scenarios
▪ RACFADM is the RACF Administrator
  – Creates Command Verifier profiles to include PAYROLL and REPORTING commands
▪ IWSPAYR is the IWSz Payroll Administrator
  – Creates RACF profiles for Payroll tester groups
▪ IWSREPT is the IWSz Reporting Administrator
  – Creates RACF profiles for Reporting tester groups
▪ IWSGPAYT is the IWSz Payroll tester group
  – Users connected to this RACF group can test only the RERUN (R) command related to PAYROLL occurrences
▪ IWSGRPTT is the IWSz Reporting tester group
  – Users connected to this RACF group can test only the BROWSE JOBLOG (L) command related to REPORTING occurrences
Enable the different R and L commands in IWSz
▪ IWSz PARMLIB
  – AUTHDEF CLASS(IBMOPC)
            SUBRESOURCES(CP.COMMAND5,
                         CP.COMMAND7)
            COMMAND5(R)
            COMMAND7(L)
▪ RACFADM
  – RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
  – RDEF C4R C4R.IBMOPC.ID.CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
  – RDEF C4R C4R.IBMOPC.ID.CP.COMMAND7 UACC(N) OWNER(IWSREPT)
▪ IWSPAYR
  – RDEF IBMOPC CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
  – PERMIT CP.COMMAND5 ACCESS(U) ID(IWSGPAYT) CLASS(IBMOPC)
▪ IWSREPT
  – RDEF IBMOPC CP.COMMAND7 UACC(N) OWNER(IWSREPT)
  – PERMIT CP.COMMAND7 ACCESS(U) ID(IWSGRPTT) CLASS(IBMOPC)
Results
Assuming that appropriate Current Plan RACF protections are in place for both PAYROLL and REPORTING applications, we get:
▪ ITUSER51 is connected to IWSGPAYT
  – ITUSER51 can access IBM Workload Scheduler for z/OS
    • He/She can test the RERUN command on all PAYROLL occurrences
    • He/She cannot test any other command
▪ ITUSER73 is connected to IWSGRPTT
  – ITUSER73 can access IBM Workload Scheduler for z/OS
    • He/She can test the BROWSE JOBLOG command on all REPORTING occurrences
    • He/She cannot test any other command
Thank You

In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 

Recently uploaded (20)

Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 

IBM Workload Scheduler for z/OS Security with RACF & IBM zSecure

  • 1. IBM Systems & IBM Security © 2018 IBM Corporation IBM zSystems IT Service Management IBM Workload Scheduler for z/OS Security with RACF & IBM zSecure Domenico (Nico) Chillemi IBM Executive IT Specialist nicochillemi@it.ibm.com Best Practices
  • 2. Ciao
      IBM Mainframe; 50 years old; Strong Batch experience; IBM Academy of Technology; z Platform Initiatives Leader; zChampion
      IBM Workload Scheduler; RACF & zSecure; zStorage Rocket Tools; System Automation; Log Analytics Tools
  • 3. zSecure components
      [Diagram. Labels: RACF commands; RACF db; SMF; RACF; zSecure Admin; zSecure Alert; zSecure Audit; z/OS + UNIX + DB2 + CICS + IMS configuration info; z/OS; DB2; CICS; SAF; zSecure Visual; zSecure CICS Toolkit; zSecure Command Verifier; SIEM; Other]
  • 4. IBM Workload Scheduler for z/OS components
      [Diagram. Labels: Info Mgmt; IWS for z/OS/ES A; Monitoring; ALLSYSTEMS; CITY1; CITY2; CITY3; ISPF; z/OS Domain; IWS z/OS Agents; IBM Workload Console; WebSphere Application Server; IWS Distributed; zCentric Agents; IWS z/OS Engine; Sysplex; MAS; DASD; XCF; FTP]
  • 5. Main IWSz concepts and objects
      ▪ Database
        – Batch applications
        – Workstations
        – Calendars
      ▪ Plans
        – Long Term Plan
        – Current Plan
      ▪ Run Cycles
      ▪ JOBs
      ▪ Generic Operations
      ▪ Commands
      ▪ JOBLOGs
      ▪ .....
  • 6. IBM Workload Scheduler for z/OS - What to consider for protection
      ▪ IWSz data sets
        – This can be done simply by protecting all the data sets that the IWSz address spaces need in order to start
      ▪ Subsystem (Controller/Tracker/Server) USERID
        – Every IWSz address space needs to be associated with a user, which can be the same for more than one subsystem
        – This user has to be registered in the STARTED RACF class
      ▪ IWSz Subsystems
        – Any access to IWSz, whether direct or through any kind of interface (Console, API, etc.), can be prevented or authorized through the APPL RACF class
      ▪ IWSz Objects
        – Any access to AD, CP, or, for example, to specific IWSz jobs, can be prevented or authorized
      ▪ IWSz Commands
        – One or more typical IWSz commands can be prevented or authorized
  • 7. IWSz - What to consider for protection (RACF)
      ▪ IWSz data sets
          ADDSD IWS.V9R3.** UACC(N) OWNER(NICO)
          PERMIT IWS.V9R3.** ACC(ALTER) ID(IWSUSER AdminGrup)
      ▪ Subsystem (Controller/Tracker) USERID
          ADDUSER IWSSTC DFLTGRP(Admin) OWNER(NICO) NOPASSWORD ....
          RDEF STARTED IWS*.* STDATA( USER(IWSSTC) .....)
          PERMIT IWS.V9R3.** ACC(ALTER) ID(IWSSTC)
      ▪ IWSz Subsystems
          RDEF APPL IWS9 UACC(N) OWNER(NICO)
          PERMIT IWS9 CLASS(APPL) ACC(R) ID(.......)
  • 8. IWSz - What to consider for protection (zSecure)
  • 9. Protect IWSz Objects with RACF
      ▪ One dedicated RACF class, already defined in RACF
        – IBMOPC dedicated RACF class
          • Automatically activated
          • Other dedicated classes can be used, but they have to be defined to RACF
        – Activated in IWSz with the AUTHDEF initialization statement
      ▪ Other RACF classes can be defined in RACF
        – Dynamically or via job
      ▪ Two protection levels
        – IWSz Fixed Resources (AD, WS, LT, CP, ...)
          • All activated if IBMOPC is activated both in RACF and in AUTHDEF
        – IWSz Subresources (specific objects inside each resource)
          • Only those specified in the AUTHDEF initialization statement are activated
  • 10. IBM Workload Scheduler for z/OS Parameters Example
      ▪ IWSz PARMLIB
        – IWSz Fixed Resources
            AUTHDEF CLASS(IBMOPC)
        – IWSz Subresources
            AUTHDEF CLASS(IBMOPC) SUBRESOURCES(AD.ADNAME, AD.OWNER, WS.WSNAME, LT.ADNAME, CP.JOBNAME, JS.JOBNAME, .....)
      RACF resources: ADA.**, ADO.**, CPJ.**
  • 11. Fixed Resources protection (1st level)
      ▪ Application Description, Current Plan, JS, etc.
          RDEF IBMOPC (AD) UACC(N)
          RDEF IBMOPC (CP) UACC(N)
          RDEF IBMOPC (JS) UACC(N)
          …
          PERMIT AD CLASS(IBMOPC) ACC(U) ID(Admin)
          PERMIT CP CLASS(IBMOPC) ACC(U) ID(Admin)
          PERMIT JS CLASS(IBMOPC) ACC(U) ID(Admin)
          …
          PERMIT AD CLASS(IBMOPC) ACC(U) ID(Grup1)
          PERMIT CP CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
          PERMIT JS CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2 Grup3)
  • 12. Subresources protection (2nd level)
      ▪ Specific applications, specific jobs, etc.
        – Applications by owner-name
            RDEF IBMOPC (ADO.NIC*) UACC(N)
            PERMIT ADO.NIC* CLASS(IBMOPC) ACC(U) ID(Admin)
        – Long term plan objects by application-name
            RDEF IBMOPC (LTA.APPL1*) UACC(N)
            PERMIT LTA.APPL1* CLASS(IBMOPC) ACC(U) ID(Grup1)
        – Current plan objects by job-name
            RDEF IBMOPC (CPJ.J01*) UACC(N)
            PERMIT CPJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
        – JS objects by job-name
            RDEF IBMOPC (JSJ.J01*) UACC(N)
            PERMIT JSJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup3)
  • 13. zSecure – Fixed Resources and Subresources
  • 14. Enhanced Security in Workload Automation for z/OS (last IWSz 9.3 SPE)
      Value / Solution
      ▪ More granularity in security access helps guarantee product stability
      ▪ Secure actions, in addition to data
      ▪ Security access can now be controlled at any level, from object level down to action level
  • 15. IWSz Security Enhancements
      • Define actions as subresources in the AUTHDEF statement
      • Use RACF commands to provide/deny access to users
      AUTHDEF statement:
          AUTHDEF COMMAND1(J,ARC,…) SUBRESOURCES(CP.ADDOPER, CP.COMMAND1)
      RACF commands:
          RDEF IBMOPC CP.ADDOPER
          PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)
      Fixed resource   Subresource & RACF resource name   Description
      CP               CP.ADD                             Add workload (occurrences or operations)
                       CP.MODIFY                          Modify attributes
                       CP.DELETE                          Delete workload (occurrences or operations)
                       CP.COMMANDx                        Line commands
                       CP.ADDOPER                         Add operations
                       CP.DELOPER                         Delete operations
                       CP.MODOPER                         Modify operations
                       CP.ADDDEP                          Add dependencies
                       CP.DELDEP                          Delete dependencies
                       CP.MODDEP                          Modify dependencies
                       CP.MODOPSTAT                       Modify operation status
      Occurrence Commands
      • RG       Remove from group
      • DG       Delete group
      • CG       Complete group
      • C        Complete an occurrence
      • W        Set waiting
      • R        Rerun
      Operation Commands
      ▪ J        Edit JCL (J command resource)
      ▪ MH, MR   Manual Hold, Manual Release (MR, MH command resources)
      ▪ NP, UN   NOP, UN NOP (NP, UN command resources)
      ▪ K        Kill (K command resource)
      ▪ EX       Execute (EX command resource)
      ▪ JR/FJR   JT, Fast path JR (JR command resource)
      ▪ SR/FSR   SR, Fast path SR (SR command resource)
      ▪ SC/FSC   SC, Fast path SC (SC command resource)
      ▪ SJR      Simple Job Restart Execute (SJR command resource)
      ▪ R        Reset Status (MODOPSTAT resource)
      ▪ BIND     Bind operation (BND command resources)
      ▪ N        Set NEXT logical status (MODOPSTAT resource)
      ▪ N-x      Set specific status (MODOPSTAT resource)
  • 16. Enhanced IWSz Security - Scenarios
      Roles: Tim, the System Administrator; Jason, the Scheduler; Jane, the Application Developer
      Scenario 1: Tim can now authorize Jason, the Scheduler, to add operations to the Current Plan. At the same time, he can prevent him from adding new occurrences.
      Scenario 2: Tim can secure a set of commands, creating new User Profiles.
      • He can authorize Jane to perform a recovery action, but prevent her from editing a job
      • He can authorize Jason to Complete and Rerun an existing occurrence, but prevent him from adding new occurrences
  • 17. Enhanced IWSz Security - Scenarios
      Scenario 1:
      • Define the CP.ADD and CP.ADDOPER subresources in the AUTHDEF statement
          SUBRESOURCES(CP.ADD,CP.ADDOPER)
      • Define them to RACF and give universal NONE access by default
          RDEF IBMOPC CP.ADD
          RDEF IBMOPC CP.ADDOPER
      • Give user Jason update access to the CP.ADDOPER resource
          PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)
      Scenario 2: To allow Jane to perform “ARC” (Automatic Recovery) and Jason to perform “C” (Complete occurrence) and “R” (Rerun Occurrence) commands:
      • Define the CP.COMMANDx subresources in the AUTHDEF
          AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R) SUBRESOURCES(CP.COMMAND1)
      • Define to RACF
          RDEF IBMOPC CP.COMMAND1
      • Give Jane update access to CP.COMMAND1
          PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)
  • 18. Subresources protection with the last IWSz 9.3 SPEs
      ▪ AUTHDEF in IWSz PARM
          AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R) SUBRESOURCES(CP.COMMAND1)
      ▪ RACF RESOURCE DEFINITION
          RDEF IBMOPC CP.COMMAND1
      ▪ PERMIT TO DEVELOPERS
          PERMIT CP.COMMAND1 ID(Grup3) ACCESS(UPDATE) CLASS(IBMOPC)
  • 19. IBM New Security Enhancements Parameters Example
      ▪ IWSz PARMLIB
          AUTHDEF CLASS(IBMOPC) SUBRESOURCES(CP.COMMAND1, CP.COMMAND2, .....) COMMAND1(ARC, C, R) COMMAND2(M, L) ...
      RACF resources: CP.COMMAND1, CP.COMMAND2
  • 20. Quick zSecure Scenario - IWSz 9.3 SPE example
  • 21. zSecure Command Verifier and IWSz
      ▪ Acting on resources in RACF often requires the SPECIAL attribute
      ▪ This can be a problem for IWSz too, since a SPECIAL user can do much more
      ▪ RACF alone does not solve this problem
      ▪ zSecure Command Verifier makes it possible to limit the power of SPECIAL users
      ▪ IWSz can strongly benefit from this zSecure capability
  • 22. zSecure Command Verifier in Action
      [Diagram. Labels: RACF db mgr; TSO/ISPF; RACF commands + output; zSecure Admin Cmds; RACF commands; RACF profiles; Command Verifier; EXIT; Policy; SMF]
  • 23. zSecure CV Best Practices examples with IWSz
      ▪ Suppose you would like to establish an IWSz RACF compliance rule saying that development people inside a department can define only IWS Application Description profiles for applications starting with TIV*.
      ▪ The objective is to prevent RACF from accepting any IWS profile creation issued by a user belonging to the TIVCFG group, other than an IWS Application Description profile matching the TIV* wildcard.
      ▪ The first thing to do is to define the generic C4R profile saying that TIVCFG cannot add IWS for z/OS profiles
      ▪ This is done by adding the C4R.IBMOPC.ID.* profile to the C4R class
  • 24. zSecure CV Best Practices examples with IWSz
  • 25. zSecure CV Best Practices examples with IWSz
      [Screenshot. Labels: YES; NO]
  • 26. Typical zSecure Command Verifier DEVOPS Scenario with IBM Workload Scheduler for z/OS
      ▪ Suppose we need to establish an IWSz RACF compliance rule saying that:
        – PAYROLL administrators can define IWSz resources, based on the payroll batch applications their teams are responsible for
          • PAYROLL application developers can define only the IWSz applications they are responsible for
        – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for
          • REPORTING application developers can define only the IWSz applications they are responsible for
      ▪ There will be 3 types of roles in this scenario:
        – RACF administrator
        – PAYROLL administrator and REPORTING administrator
        – PAYROLL developers and REPORTING developers
  • 27. PAYROLL and REPORTING DEVOPS Scenarios
      ▪ RACFADM is the RACF Administrator
        – Creates Command Verifier profiles to authorize PAYROLL and REPORTING administrators, with SPECIAL attribute, to create only specific PAYROLL and REPORTING IWSz RACF profiles
      ▪ IWSPAYR is the IWSz Payroll Administrator
        – Creates RACF profiles for different Payroll IWSz applications
      ▪ IWSREPT is the IWSz Reporting Administrator
        – Creates RACF profiles for different Reporting IWSz applications
      ▪ IWSGPAY1 is the IWSz Payroll Application Developers 1 Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR1
      ▪ IWSGPAY2 is the IWSz Payroll Application Developers 2 Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR2
      ▪ IWSGRPTA is the IWSz Reporting Application Developers A Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTA
      ▪ IWSGRPTB is the IWSz Reporting Application Developers B Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTB
  • 28. Administrators' work in this scenario
      ▪ RACFADM
        – RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
        – RDEF C4R C4R.IBMOPC.ID.ADA.PAYR* UACC(N) OWNER(IWSPAYR)   [1st line]
        – RDEF C4R C4R.IBMOPC.ID.ADA.REPT* UACC(N) OWNER(IWSREPT)   [2nd line]
      ▪ IWSPAYR
        – RDEF IBMOPC ADA.PAYR1* UACC(N) OWNER(IWSPAYR)   [matches 1st line]
        – RDEF IBMOPC ADA.PAYR2* UACC(N) OWNER(IWSPAYR)   [matches 1st line]
        – PERMIT ADA.PAYR1* ACCESS(U) ID(IWSGPAY1) CLASS(IBMOPC)
        – PERMIT ADA.PAYR2* ACCESS(U) ID(IWSGPAY2) CLASS(IBMOPC)
      ▪ IWSREPT
        – RDEF IBMOPC ADA.REPTA* UACC(N) OWNER(IWSREPT)   [matches 2nd line]
        – RDEF IBMOPC ADA.REPTB* UACC(N) OWNER(IWSREPT)   [matches 2nd line]
        – PERMIT ADA.REPTA* ACCESS(U) ID(IWSGRPTA) CLASS(IBMOPC)
        – PERMIT ADA.REPTB* ACCESS(U) ID(IWSGRPTB) CLASS(IBMOPC)
  • 29. Results
      ▪ ITUSER01 is connected to IWSGPAY1
        – ITUSER01 can access IBM Workload Scheduler for z/OS
          • He/She can define/update PAYR1APPL001, PAYR1APPLXXX, ...
          • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
      ▪ ITUSER25 is connected to IWSGPAY2
        – ITUSER25 can access IBM Workload Scheduler for z/OS
          • He/She can define/update PAYR2APPL001, PAYR2APPLXXX, ...
          • He/She cannot define/update PAYR1APPZZZ, REPTBAPPKKK, BANKAPP1, ...
      ▪ ITUSER71 is connected to IWSGRPTA
        – ITUSER71 can access IBM Workload Scheduler for z/OS
          • He/She can define/update REPTAAPPL001, REPTAAPPLXXX, ...
          • He/She cannot define/update PAYR2APPZZZ, REPTBAPPKKK, BANKAPP1, ...
      ▪ ITUSER95 is connected to IWSGRPTB
        – ITUSER95 can access IBM Workload Scheduler for z/OS
          • He/She can define/update REPTBAPPL001, REPTBAPPLXXX, ...
          • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
  • 30. Command Verifier Scenario with new IWSz enhancements
      ▪ Suppose we need to establish an IWSz RACF compliance rule saying that:
        – PAYROLL administrators can define IWSz command resources, based on the payroll batch applications their teams are responsible for testing
          • PAYROLL application testers can test only IWSz Payroll RERUN in the Current Plan
        – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for testing
          • REPORTING application testers can test only IWSz browse joblog in the Current Plan
      ▪ There will be 3 types of roles also in this scenario:
        – RACF administrator
        – PAYROLL administrator and REPORTING administrator
        – PAYROLL testers and REPORTING testers
      Note: We assume here that all appropriate Current Plan RACF protections have been performed for both PAYROLL and REPORTING applications!
  • 31. Testing (last IWSz enhancements) DEVOPS Scenarios
      ▪ RACFADM is the RACF Administrator
        – Creates Command Verifier profiles to include PAYROLL and REPORTING commands
      ▪ IWSPAYR is the IWSz Payroll Administrator
        – Creates RACF profiles for Payroll tester groups
      ▪ IWSREPT is the IWSz Reporting Administrator
        – Creates RACF profiles for Reporting tester groups
      ▪ IWSGPAYT is the IWSz Payroll tester group
        – Users connected to this RACF group can test only the RERUN (R) command related to PAYROLL occurrences
      ▪ IWSGRPTT is the IWSz Reporting tester group
        – Users connected to this RACF group can test only the BROWSE JOBLOG (L) command related to REPORTING occurrences
  • 32. Enable R and L as different commands in IWSz
      ▪ IWSz PARMLIB
        – AUTHDEF CLASS(IBMOPC) SUBRESOURCES(CP.COMMAND5, CP.COMMAND7) COMMAND5(R) COMMAND7(L)
      ▪ RACFADM
        – RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
        – RDEF C4R C4R.IBMOPC.ID.CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
        – RDEF C4R C4R.IBMOPC.ID.CP.COMMAND7 UACC(N) OWNER(IWSREPT)
      ▪ IWSPAYR
        – RDEF IBMOPC CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
        – PERMIT CP.COMMAND5 ACCESS(U) ID(IWSGPAYT) CLASS(IBMOPC)
      ▪ IWSREPT
        – RDEF IBMOPC CP.COMMAND7 UACC(N) OWNER(IWSREPT)
        – PERMIT CP.COMMAND7 ACCESS(U) ID(IWSGRPTT) CLASS(IBMOPC)
  • 33. Results
      Considering that appropriate Current Plan RACF protections have been done for both PAYROLL and REPORTING applications, we will get:
      ▪ ITUSER51 is connected to IWSGPAYT
        – ITUSER51 can access IBM Workload Scheduler for z/OS
          • He/She can test the RERUN command on all PAYROLL occurrences
          • He/She cannot test any other command
      ▪ ITUSER73 is connected to IWSGRPTT
        – ITUSER73 can access IBM Workload Scheduler for z/OS
          • He/She can test the BROWSE JOBLOG command on all REPORTING occurrences
          • He/She cannot test any other command
  • 34. Thank You
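
The "Results" of slide 29 can be reproduced from the IBMOPC definitions of slide 28 with a small model of generic-profile matching. This is an added example, not code from the slides or from IBM; the matching and access-list rules are simplified assumptions, and the `ADA.**` backstop profile is hypothetical.

```python
import re

# IBMOPC profiles and access lists issued by IWSPAYR and IWSREPT on slide 28.
# Every profile has UACC(N): an ID that is not on the access list gets NONE.
PROFILES = {
    "ADA.PAYR1*": {"IWSGPAY1": "UPDATE"},
    "ADA.PAYR2*": {"IWSGPAY2": "UPDATE"},
    "ADA.REPTA*": {"IWSGRPTA": "UPDATE"},
    "ADA.REPTB*": {"IWSGRPTB": "UPDATE"},
}
UACC = "NONE"

# Hypothetical catch-all (not on the page): denies any application name
# that no team profile covers.
BACKSTOP = {"ADA.**": {}}

# Group connections from slide 29.
CONNECTS = {
    "ITUSER01": {"IWSGPAY1"},
    "ITUSER25": {"IWSGPAY2"},
    "ITUSER71": {"IWSGRPTA"},
    "ITUSER95": {"IWSGRPTB"},
}

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def profile_to_regex(profile):
    """Simplified generic matching: % is one character, * stays inside a
    qualifier, and a trailing * or any ** runs on across qualifiers."""
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append(".*")
            i += 2
        elif profile[i] == "*":
            out.append(".*" if i == len(profile) - 1 else "[^.]*")
            i += 1
        elif profile[i] == "%":
            out.append("[^.]")
            i += 1
        else:
            out.append(re.escape(profile[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def literal_prefix_len(profile):
    """Specificity proxy: characters before the first generic character."""
    m = re.search(r"[*%]", profile)
    return m.start() if m else len(profile) + 1  # a discrete name wins


def best_profile(resource, profiles):
    """Return the most specific profile covering the resource, or None."""
    hits = [p for p in profiles if profile_to_regex(p).match(resource)]
    return max(hits, key=literal_prefix_len) if hits else None


def check(user, resource, needed="UPDATE", profiles=None):
    """Return (deciding profile, allowed). (None, None) means that no
    profile in this set covers the name, so this model does not decide."""
    profiles = PROFILES if profiles is None else profiles
    profile = best_profile(resource, profiles)
    if profile is None:
        return None, None
    acl = profiles[profile]
    # Simplification: take the highest level among the user's own entry and
    # the entries of connected groups. The page only uses group entries.
    ids = {user} | CONNECTS.get(user, set())
    granted = [acl[i] for i in ids if i in acl]
    level = max(granted, key=LEVELS.index) if granted else UACC
    return profile, LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    for user, app in [("ITUSER01", "PAYR1APPL001"), ("ITUSER01", "PAYR2APPZZZ"),
                      ("ITUSER71", "REPTAAPPL001"), ("ITUSER25", "BANKAPP1")]:
        print(user, app, check(user, "ADA." + app))
```

With only the four team profiles, `ADA.BANKAPP1` is covered by no profile at all, so whether it is refused depends on protections outside this set; adding the hypothetical backstop makes the refusal explicit.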
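
A second added example (not from the slides or from IBM) cross-checks an AUTHDEF statement against the RACF commands issued for it, using the command-subresource definitions of slides 17, 18 and 32, and lists which line commands each ID ends up with. It assumes that UPDATE or higher is the granting access level and compares exact resource names only; the third input is constructed to show the findings.

```python
import re

GRANTING = {"U", "C", "A"}  # assumption: UPDATE, CONTROL or ALTER grants

# Slide 32: one command group per tester team.
SPLIT_AUTHDEF = ("AUTHDEF CLASS(IBMOPC) SUBRESOURCES(CP.COMMAND5, CP.COMMAND7) "
                 "COMMAND5(R) COMMAND7(L)")
SPLIT_RACF = """
RDEF IBMOPC CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
PERMIT CP.COMMAND5 ACCESS(U) ID(IWSGPAYT) CLASS(IBMOPC)
RDEF IBMOPC CP.COMMAND7 UACC(N) OWNER(IWSREPT)
PERMIT CP.COMMAND7 ACCESS(U) ID(IWSGRPTT) CLASS(IBMOPC)
"""

# Slides 17 and 18: three commands grouped under a single resource.
SHARED_AUTHDEF = ("AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R) "
                  "SUBRESOURCES(CP.COMMAND1)")
SHARED_RACF = """
RDEF IBMOPC CP.COMMAND1
PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)
"""

# Constructed broken input: COMMAND7 is never activated, CP.COMMAND5 has no RDEF.
BROKEN_AUTHDEF = "AUTHDEF CLASS(IBMOPC) SUBRESOURCES(CP.COMMAND5) COMMAND5(R) COMMAND7(L)"
BROKEN_RACF = """
RDEF IBMOPC CP.COMMAND7 UACC(N)
PERMIT CP.COMMAND5 ACCESS(U) ID(IWSGPAYT) CLASS(IBMOPC)
"""


def parse_authdef(text):
    """Return (SUBRESOURCES entries, {'CP.COMMANDx': [commands]})."""
    m = re.search(r"SUBRESOURCES\(([^)]*)\)", text)
    subs = [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []
    groups = {"CP.COMMAND" + n: [c.strip() for c in body.split(",") if c.strip()]
              for n, body in re.findall(r"\bCOMMAND(\d)\(([^)]*)\)", text)}
    return subs, groups


def parse_racf(text):
    """Return (IBMOPC resources defined, {resource: IDs with granting access})."""
    defined, grants = set(), {}
    for line in text.splitlines():
        m = re.match(r"\s*RDEF(?:INE)?\s+IBMOPC\s+\(?([\w.*%]+)", line, re.I)
        if m:
            defined.add(m.group(1).upper())
            continue
        m = re.match(r"\s*PERMIT\s+([\w.*%]+)\s+(.*)", line, re.I)
        if not m or not re.search(r"CLASS\(IBMOPC\)", m.group(2), re.I):
            continue
        ids = re.search(r"\bID\(([^)]*)\)", m.group(2), re.I)
        acc = re.search(r"\bACC(?:ESS)?\((\w+)\)", m.group(2), re.I)
        if ids and acc and acc.group(1)[0].upper() in GRANTING:
            grants.setdefault(m.group(1).upper(), set()).update(
                re.split(r"[\s,]+", ids.group(1).strip()))
    return defined, grants


def audit(authdef, racf):
    """Return (findings, {ID: sorted line commands that ID can issue})."""
    subs, groups = parse_authdef(authdef)
    defined, grants = parse_racf(racf)
    findings = []
    for res in sorted(groups):
        if res not in subs:
            findings.append(res + ": commands listed but not in SUBRESOURCES, "
                                  "so the check is not activated")
    for res in sorted(s for s in subs if s.startswith("CP.COMMAND")):
        if res not in groups:
            findings.append(res + ": in SUBRESOURCES but no COMMANDx keyword")
        if res not in defined:
            findings.append(res + ": no RDEF in class IBMOPC")
    effective = {}
    for res, ids in grants.items():
        if res in groups and res in subs:
            for who in ids:
                # A permit on CP.COMMANDx covers every command grouped under it.
                effective.setdefault(who, set()).update(groups[res])
    return findings, {who: sorted(cmds) for who, cmds in effective.items()}


if __name__ == "__main__":
    for name, a, r in [("split", SPLIT_AUTHDEF, SPLIT_RACF),
                       ("shared", SHARED_AUTHDEF, SHARED_RACF),
                       ("broken", BROKEN_AUTHDEF, BROKEN_RACF)]:
        print(name, audit(a, r))
```

For the single-group definition, the output shows that an ID permitted to `CP.COMMAND1` receives ARC, C and R together; keeping commands apart per team requires separate COMMANDx groups, as slide 32 does.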