SlideShare a Scribd company logo

RACF - The Basics (v1.2)

Rui Miguel Feio
Rui Miguel Feio

In this presentation Rui will explain what is RACF, what are its components, and how to implement security profiles in the mainframe z/OS system.

Technology
1 of 53
Download to read offline
Rui Miguel Feio Sharingknowledgewiththeworld RACF Thebasics
Agenda 2The role of users in RACF and how to define access to the mainframe. Users 3What are RACF groups, how do they work and how to use them. Groups 5General resources and how to protect everything else on the mainframe. General 6How to configure RACF and security best practices. Settings 7How to contact Rui and keep in touch. Contact 1What is RACF, what is it for, and how it works. Intro 4Dataset profiles and how to protect the data on the mainframe. Dataset
RACF INTRODUCTION
04 It’s an IBM External Security Management (ESM) product that provides access control and audit functionalities for the mainframe z/OS and z/VM operating systems. RACF provides the tools to manage user access to critical resources. It protects resources by granting access only to authorised users of the protected resources. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources. ResourceAccessControlFacility (RACF) .
Macros Allows applications to use RACF macros. 7 Logging Logs access to a protected system and protected resources. 5 Administration Simplifies the administration process to meet the security goals of the company. 6 Main Features. 05 Users Identifies and authenticates users using a userid and a password when trying to access the mainframe operating system. 1 Protection Allows the identification, classification and protection of mainframe system resources. 2 Access Facilitates the maintenance of access rights to the protected resources. 3 Control Helps controlling the means of access to protected resources on the mainframe. 4
RACF Profiles. 06 User profiles contain security information about the userids defined to RACF who can access (or not) the resources. User 01 Group profiles contain security information about group attributes and user connections. Group 02 General resource profiles contain security information about all resources other than user, group or dataset. General Resources 03 These profiles contain the necessary information to allow RACF to make a decision as to the access authority allowed for any specific request. What are they for? Dataset profiles contain security information about DASD and tape datasets. Dataset 04
Access to Profiles. 07 Users and groups can be defined in RACF to have different levels of access to dataset profiles and general resource profiles (programs, transactions, commands, etc). Accessing profiles Dataset Profiles General Resource Profiles Users & Groups
Access Levels. 08 Access to the resource is not granted to users and groups. None 1 Users and groups can execute programs from a library, but they cannot read or write into the library. Execute 2 Users and groups can access the resource but they cannot alter its contents. Read 3 Users and groups can change the contents of the resource but they are not authorized to delete it or create a new one. Update 4 Users and groups are granted authority to VSAM datasets (equivalent to the VSAM control password). Control 5 Users and groups have full control over the resource, i.e., they can create a new one, access it, modify it and delete it. Alter 6 From lowest (1) to greatest (6).
Securing the Mainframe. 09 z/OS Application SAF RACF Resource Manager System Component Authorisation Checking 1. A userid is passed from the application or system component to the resource manager. 2. The resource manager maintains the data that the userid wishes to access and calls SAF to perform an authorisation check. In some situations the resource manager may provide its own security 3. SAF passes the userid, the resource the userid wishes to access, and the access type to RACF (External Security Manager). 4. RACF refers to its database in order to make a decision. 5. RACF passes the Information back to SAF and ultimately to the resource manager. 6. The resource manager makes the decision to allow or deny access based on the security information it now has.
Summary. 10 RACF controls and logs access RACF profiles protect resources Users can logon to the mainframe Users can be connected to Groups Users and groups are defined to profiles Access can go from None to Alter What we have covered so far... RACF provides access control and audit functionalities for the mainframe. It uses profiles to describe mainframe resources that it protects: datasets, programs, commands, transactions, etc. Users can logon to the mainframe via userid/password and can be grouped together into Groups to share the same levels of access. This facilitates the security management tasks. In order to access the resources, users and groups need to be defined in the Access Control List (ACL) of the RACF profiles – dataset and general resource. The access that a user or a group can have to a resource varies from None (no access) to Alter (full access).
RACF USERS
What are RACF users? 12 Someone who requires access to resources In RACF users are represented by userids Users must authenticate to gain access User authentication is done by userid/pass Userids can be used by people (personal) Userids can be used by system resourcesDesigned by Freepik
Naming Convention. 13 The userid name has to be one to eight characters in length. Userid length 1 Any combination of alphanumeric and $, # or @. Characters 2 Has to be unique. The userid cannot match an existing userid or group name. Userid 3 Users with the ability to logon to the mainframe system cannot exceed 7 characters in length. TSO users length 4 TSO userids cannot begin with a numeric character. TSO useridcharacters 5
Base Segment. 14 BASE Segment Userid User Name Owner Default Group User Attributes Password
Other Segments. 15 Optional User Segments TSO CICS OMVSCSDATA …
Attributes – System Wide. 16 Attribute Description SPECIAL A user can issue all RACF commands. This attribute gives the user full control over all RACF profiles in the RACF database. AUDITOR Given to users who are responsible to auditing RACF security controls and functions. OPERATIONS A user has full access authorisation to all RACF-protected resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR. PROTECTED Used mainly for started tasks to prevent a userid from being revoked. RESTRICTED Prevents a user from accessing protected resources REVOKE Prevents a user from accessing the system. CLAUTH Allows the user to define profiles in the class where user has CLAUTH
Attributes – Group Level. 17 Attribute Description SPECIAL (Group Special) This attribute gives the user full control over all RACF profiles within the scope of the group. AUDITOR (Group Auditor) User authority is limited to RACF profiles within the scope of the group. Given to users who are responsible to auditing RACF security controls and functions. OPERATIONS (Group Operations) A user has full access authorisation to all RACF-protected resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR. User authority is limited to RACF profiles within the scope of the group. REVOKE Prevents a user from accessing the profiles within the scope of the group. • The "scope of the group” is determined by the group ownership structure • Group ownership can only occur between a superior group and its subgroups • The scope will continue as long as "groups own groups” • The scope ends when a group is owned by a user id
RACF Commands. 18 Command Description Example ADDUSER (AU) Add a user profile AU userid NAME(‘user_name’) DFLTGRP(grp_name) OWNER(owner) PASS(password) ALTUSER (ALU) Modify a user profile ALU userid PASSWORD(password) LISTUSER (LU) List a user profile LU userid DELUSER (DU) Delete a user profile DU userid
RACF GROUPS
What are RACF groups? 20 Collection of users with common access Groups can have users connected to them Groups facilitate user management Groups can have subgroups Each Group has an owner (user or group) Groups should be owned by another Group Why are Groups so important? By adding a user to a group, we give that user access to all of the resources to which the group has access. Likewise, by removing a user from a group, we prevent the user from accessing those resources. Some of the benefits of using RACF groups include: • Reducing the effort to maintain access lists • Avoiding the need to refresh in-storage profiles • Providing a form of timed PERMIT • Minimising the length of access lists
Naming Convention. 21 The group name has to be one to eight characters in length. Name length 1 Any combination of alphanumeric and $, # or @. Characters 2 Has to be unique. The group name cannot match an existing userid or other group name. Group 3 The group name cannot begin with a numeric character. Numerics 4
Group Tree. 22 SYS1 HR STAFF HIRE FINANCE IT SECURITY SYSTEMS SHARED EXTERNAL ZOS MVS JUNIOR SENIOR CICS CIC01 CIC02 DB2 DB201 DB202 HELPDESK AUDIT OFFSHORE INDIA AFRICA AMERICA
Owner and SupGroup. 23 The owner of a group can define new users (providing it has got CLAUTH for the USER class), can modify, list, and delete the group profile, can connect and remove users from the group, and can define, delete, and list the names of the subgroups. The same applies for users connected to the group with Group Special attribute. Owner The Superior Group defines the parent group. The initial point where all groups derive from is SYS1. Supgroup Determinesadministration Determinesstructure But bear in mind… When creating a RACF group, always remember that: • If you don’t specify the OWNER your userid becomes the OWNER of the group • If you don’t specify the SUPGROUP, your userid’s current connect group becomes the superior group. • If the OWNER is a group, this group will also become the SUPGROUP.
Naming Convention. 24 The group name has to be one to eight characters in length. Name length 1 Any combination of alphanumeric and $, # or @. Characters 2 Has to be unique. The group name cannot match an existing userid or other group name. Group 3 #CIO $WIN $MVS @ZVM @ZOS ZOS01 CICS CICS01 CICS02 ZOS02 IMS ZOS03 WAS ZOS04 DB2 DB201 DB202 $AS400 $LINUX @SUSE @REDHAT
Base Segment. 25 BASE Segment Group Name Owner Superior Group Installation Data Connected Users Subgroups
Other Segments. 26 Optional Group Segments DFP OMVS CSDATATME OVM
Universal Groups. 27 Regular, normal RACF groups can only have up to 5,957 connected users. Limitation of regular groups 1 RACF Universal groups allow more than 5,957 to be connected. UniversalGroups 2 To create a RACF Universal group you just need to use the UNIVERSAL parameter with the add Group command: AG group OW(owner) SUP(supgroup) UNIVERSAL Setup an Universalgroup 3 With Universal groups, the LISTGRP command will only list users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR. Downside 4 To view all members of a RACF Universal group, you will need to use the Database Unload Utility (IRRDBU00). List all users 5
Group Attributes. 28 Attribute Description USER Allows the user to access resources to which the group is authorised CREATE Allows the user to create RACF dataset profiles for the group CONNECT Allows the user to connect other users to the group JOIN Allows the user to add new subgroups or users to the group, as well as assign group authorities to the new members • The "scope of the group” is determined by the group ownership structure • Group ownership can only occur between a superior group and its subgroups • The scope will continue as long as "groups own groups” • The scope ends when a group is owned by a user id
RACF Commands. 29 Command Description Example ADDGROUP (AG) Add a group profile AG group OWNER(owner) SUPGRP(grp_name) ALTGROUP (ALG) Modify a group profile ALG group OWNER(owner) SUPGRP(grp_name) LISTGRP (LG) List a group profile LG group DELGROUP (DG) Delete a group profile DG group CONNECT (CO) Connect a user to a RACF group CO user GROUP(group) OWNER(owner) REMOVE (RE) Remove a user from a RACF group RE userid GROUP(group)
RACF DATSET PROFILES
What are they? 31 RACF dataset profiles protect datasets HLQ of profile must match user or group Must be owned by a user or a group PROTECTALL requires dataset profiles Why are RACF Dataset profiles so important? Dataset profiles allow the security administrator to define who can read the content of a dataset, who can edit it, and who can create or delete a dataset. In essence, it’s the way to protect datasets on the mainframe using RACF. If RACF option PROTECTALL is enabled, datasets can only be accessed if there’s a dataset profile in place in RACF.
Categories. 32 Protects one data set that has unique security requirements. If the data set is deleted, the profile is deleted. Avoid using them. TSSS.EXRT222.OUTPUT VOL123 Discrete 1 Can protect one or many data sets whose data set name matches profile name. Uses "generic" characters % and *. TSSS.%%%%%%%.* Generic 2 Can protect one or more data sets with the same data set name. The profile is not deleted if the data set is deleted. TSSS.EXRT222.OUTPUT Fully-qualifiedgeneric 3 Similar to generic profiles but can also use the ** as a generic character. Implemented to provide comparable capability provided for General Resources. TSSS.*.** Enhanced generic 4 Generic profiles are the standard (use GEN with the RACF commands)
Naming Convention. 33 A dataset profile can have two or more naming qualifiers. Number of qualifiers 1 Each qualifier must be separated by a period. Qualifiers separation 2 Any combination of alphanumeric and $, # or @. Characters 3 The first character of each qualifier cannot be a numeric. No numerics at the start 4 Dataset profiles can have wildcards (%, *, **) Wildcards 5
Generic Profiles. 34 Profile Dataset Name HLQ.DATA.* HLQ.DATA HLQ.D%TA.FILE HLQ.DATA.FILE HLQ.D*.FILE HLQ.DATA.FILE.STUFF HLQ.* HLQ.MY.FILE HLQ.*.** HLQ.YOUR.FILE HLQ.**.FILE HLQ.MASTER.FILE HLQ.BACKUP.FILE RACF uses the most specific Generic Profile when determining which profile protects a dataset. SR MASK(hlq.) will display the search order RACF will use 1. To see which of two generic profiles is more specific, compare the profile names, character by character. 2. Where they first differ, if one has a discrete character and the other has a generic character, the one with the discrete character wins. 3. If both have a generic character where they differ, then: • If one has a % and the other has a * or **, the one with % wins. • If one has a * and the other has a **, the one with * wins.
Access Levels. 35 Level Description NONE User/Group is not allowed to access the dataset EXECUTE User/Group is allowed to execute a program from the dataset, but not to Read, Copy or Modify the dataset READ User/Group is allowed to Read and Copy the dataset UPDATE User/Group is allowed to Read, Copy and Modify the dataset CONTROL (VSAM data sets) User/Group is allowed to perform improved control interval processing. This is control-interval access (access to individual VSAM data blocks), and the ability to Retrieve, Update, Insert, or Delete records in the data set ALTER User/Group has full authority over the dataset (Read, Update, Create, Delete, Rename, Allocate)
Access Control List. 36 • Standard Access Control List: – Grants User/Group some level of access • Conditional Access Control List: – Grants User/Group some level of access based on a condition: – WHEN using a certain PROGRAM – WHEN user is logged onto a certain TERMINAL – WHEN user is logged onto a certain CONSOLE – WHEN job submitted from a certain JESINPUT – WHEN user enters system from certain LU (APPCPORT) – WHEN user enters system from certain IP address (SERVAUTH)
UACC and ID(*). 37 Level Description ID(*) Defines the default access level to all RACF defined users UACC (Universal Access) Defines the default access level to all users and groups defined or not in RACF UACC value is a required field when defining a new dataset profile
Access. 38 Condition Description Own Profile • Userid/Group has full admin control over profile (including Access List) • Does not allow access to dataset itself Don’t Own Profile • GAT allows access to dataset • Userid = dataset HLQ • Userid/Group is in ACL • ID(*) allows access • UACC allows access • OPERATIONS attribute • WARNING Mode • Each dataset profile defined to RACF requires a RACF-defined user or group as the owner of the profile. • The owner (if a user) has full control over the profile, including the access list. If the owner of the dataset profile is a group, users with group-SPECIAL in that group have full control over the profile. • Ownership of dataset profiles is assigned when the profiles are defined to RACF. Note that ownership of a dataset profile does not mean that the owner can automatically access that data set. • To access a data set, the owner must still be authorized in the profile's access list, unless the high-level qualifier of the profile name is the owner's user ID.
RACF Commands. 39 Command Description Example ADDSD (AD) Add a dataset profile AD ‘ds_profile’ UACC(uacc_level) OW(owner) ALTDSD (ALD) Modify a dataset profile ALD ‘ds_profile’ UACC(uacc_level) OW(owner) LISTDSD (LD) List a dataset profile LD DATASET(‘ds_profile’) DELDSD (DD) Delete a dataset profile DD ‘ds_profile’ PERMIT (PE) Define, modify or delete ACL entries on a dataset profile PE ‘dsprofile’ GEN ID(group) AC(access)
RACF GENERAL RESOURSE PROFILES
What are they? 41 Protect all resources other than Datasets General Resources grouped by Classes Must be owned by a user or a group Why are RACF General Resource profiles so important? General resource profiles protect all resources other than datasets on the mainframe, for example: CICS transactions, TCP/IP ports, MVS commands, JES2 commands, ISPF panels, DB2 subsystems, etc.
Need to Know. 42 • Classes must be activated: – SETROPTS CLASSACT(class_name) – But… we need to define the profiles before activating it • Classes can be RACLISTed to improve performance: – SETROPTS RACLIST(class_name) • Dynamic refreshing of in-storage profiles: – SETROPTS RACLIST(class_name) REFRESH – When… adding, modifying, or deleting RACLISTed profiles
Profile Types. 43 Discrete Profiles Generic Profiles Generic characters %, *, **, and & can be used Generic characters can be used in any qualifier
Access Control List. 44 • Standard Access Control List: – Grants User/Group some level of access • Conditional Access Control List: – Grants User/Group some level of access based on a condition: – WHEN user is logged onto a certain TERMINAL – WHEN user is logged onto a certain CONSOLE – WHEN job submitted from a certain JESINPUT – WHEN user enters system from certain LU (APPCPORT) – WHEN user enters systemid (SYSID)
UACC and ID(*). 45 Level Description ID(*) Defines the default access level to all RACF defined users UACC (Universal Access) Defines the default access level to all users and groups defined or not in RACF UACC value is a required field when defining a new Generic profile
RACF Commands. 46 Command Description Examples RDEFINE (RDEF) Add a Generic Resource profile RDEF class_name profile_name ADDMEM(member) RALTER (RALT) Modify a Generic Resource profile RALT class_name profile_name UACC(acc_level) RLIST (RL) List a Generic Resource profile RL class_name profile_name ALL RDELETE (RDEL) Delete a Generic Resource profile RDEL class_name profile_name PERMIT (PE) Define, modify or delete ACL entries on a Generic Resource profile PE gr_profile CL(class) ID(grp_name) AC(access_level)
RACF SETTINGS
What is SETROPS? 48 Where RACF is configured (settings) Accessible by System Special users Accessible by System Auditor users Why is SETROPS so important? SETROPS contains the default settings for the RACF environment. These values can be modified by system special userids. System auditor userids have the ability to visualise the entire SETROPS configuration.
Need to Know. 49 • SPECIAL users can set global controls • AUDITOR users can set tracking options • Need to Refresh after updating: – Generic – Global – RACLIST – WHEN(PROGRAM) • An SMF record is written for every SETROPTS
Parameters – Examples. 50 Parameter Description CLASSACT Specifies classes for which RACF protection will be in effect RACLIST Discrete and Generic profiles for the General Resource classes specified will be copied into storage and shared by all users LOGOPTIONS Audit selected access attempts to resources whether they are RACF protected or not PROTECTALL Creation of or access to unprotected data sets is not allowed INTERVAL (Pasword) Maximum number of days a user's password is valid MINCHANGE (Password) Number of days that must pass between a user’s password changes MIXEDCASE (Password) Support for mixed-case passwords
RACF Commands. 51 Command Description Examples SETROPTS parameter Modify SETROPTS values SETROPTS PASSWORD(REVOKE(5) RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)) RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)) RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7))) SETROPS LIST List RACF settings SETROPS LIST SETROPS REFRESH Refresh in-storage profile for a specific CLASS SETROPTS GENERIC(class_name) REFRESH
CONTACTS
Contacts. 53 ruif@rmfconsulting.com +44 (0)7570 911459 l t f Phone & email Social Media https://twitter.com/rfeio https://www.facebook.com/RuiMiguelFeio https://www.linkedin.com/in/rfeio g https://plus.google.com/+RuiMiguelFeio Other Presentations s http://www.slideshare.net/rmfeio http://www.RuiFeio.com Website

Recommended

Resource Access Control Facility (RACF) in Mainframes
Resource Access Control Facility (RACF) in MainframesResource Access Control Facility (RACF) in Mainframes
Resource Access Control Facility (RACF) in Mainframes
Aayush Singh
 
Vsam
VsamVsam
Vsam
kapa rohit
 
JCL MAINFRAMES
JCL MAINFRAMESJCL MAINFRAMES
JCL MAINFRAMES
kamaljune
 
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CSTCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
zOSCommserver
 
Mvs commands
Mvs commandsMvs commands
Mvs commands
Maintec Technologies Inc.
 
Z OS IBM Utilities
Z OS IBM UtilitiesZ OS IBM Utilities
Z OS IBM Utilities
kapa rohit
 
z/OS Communications Server Overview
z/OS Communications Server Overviewz/OS Communications Server Overview
z/OS Communications Server Overview
zOSCommserver
 
Introduction of ISPF
Introduction of ISPFIntroduction of ISPF
Introduction of ISPF
Anil Bharti
 

Recommended

Resource Access Control Facility (RACF) in Mainframes
Resource Access Control Facility (RACF) in MainframesResource Access Control Facility (RACF) in Mainframes
Resource Access Control Facility (RACF) in Mainframes
Aayush Singh
 
Vsam
VsamVsam
Vsam
kapa rohit
 
JCL MAINFRAMES
JCL MAINFRAMESJCL MAINFRAMES
JCL MAINFRAMES
kamaljune
 
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CSTCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
TCP/IP Stack Configuration with Configuration Assistant for IBM z/OS CS
zOSCommserver
 
Mvs commands
Mvs commandsMvs commands
Mvs commands
Maintec Technologies Inc.
 
Z OS IBM Utilities
Z OS IBM UtilitiesZ OS IBM Utilities
Z OS IBM Utilities
kapa rohit
 
z/OS Communications Server Overview
z/OS Communications Server Overviewz/OS Communications Server Overview
z/OS Communications Server Overview
zOSCommserver
 
Introduction of ISPF
Introduction of ISPFIntroduction of ISPF
Introduction of ISPF
Anil Bharti
 
Tso and ispf
Tso and ispfTso and ispf
Tso and ispf
satish090909
 
Smpe
SmpeSmpe
Smpe
Thousif "thousif329@gmail.com"
 
ASM
ASMASM
ASM
VINAY PANDEY
 
Mainframe interview
Mainframe interviewMainframe interview
Mainframe interview
Shivankoo Sharma
 
SKILLWISE-DB2 DBA
SKILLWISE-DB2 DBASKILLWISE-DB2 DBA
SKILLWISE-DB2 DBA
Skillwise Group
 
Ipl process
Ipl processIpl process
Ipl process
Thousif "thousif329@gmail.com"
 
Presentation implementing oracle asm successfully
Presentation implementing oracle asm successfullyPresentation implementing oracle asm successfully
Presentation implementing oracle asm successfully
xKinAnx
 
Vsam presentation PPT
Vsam presentation PPTVsam presentation PPT
Vsam presentation PPT
Anil Polsani
 
zOSMF SDSF_ShareLab_V2R5.pdf
zOSMF SDSF_ShareLab_V2R5.pdfzOSMF SDSF_ShareLab_V2R5.pdf
zOSMF SDSF_ShareLab_V2R5.pdf
Marna Walle
 
Cics cheat sheet
Cics cheat sheetCics cheat sheet
Cics cheat sheet
Rafi Shaik
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instance
Amit Bhalla
 
DB2 on Mainframe
DB2 on MainframeDB2 on Mainframe
DB2 on Mainframe
Skillwise Group
 
DB2 for z/OS Architecture in Nutshell
DB2 for z/OS Architecture in NutshellDB2 for z/OS Architecture in Nutshell
DB2 for z/OS Architecture in Nutshell
Cuneyt Goksu
 
Database Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitectureDatabase Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant Architecture
Pini Dibask
 
File Manager for z/OS - Overview
File Manager for z/OS - OverviewFile Manager for z/OS - Overview
File Manager for z/OS - Overview
DevOps for Enterprise Systems
 
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the mythsDB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
Florence Dubois
 
CSM Storage Debugging
CSM Storage DebuggingCSM Storage Debugging
CSM Storage Debugging
zOSCommserver
 
Winning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle MultitenantWinning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle Multitenant
Pini Dibask
 
CICS basics overview session-1
CICS basics overview session-1CICS basics overview session-1
CICS basics overview session-1
Srinimf-Slides
 
Db2 and storage management (mullins)
Db2 and storage management (mullins)Db2 and storage management (mullins)
Db2 and storage management (mullins)
Craig Mullins
 
How to Improve RACF Performance (v0.2 - 2016)
How to Improve RACF Performance (v0.2 - 2016)How to Improve RACF Performance (v0.2 - 2016)
How to Improve RACF Performance (v0.2 - 2016)
Rui Miguel Feio
 
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Rui Miguel Feio
 

More Related Content

What's hot

Vsam presentation PPT
Vsam presentation PPTVsam presentation PPT
Vsam presentation PPT
Anil Polsani
 
Cics cheat sheet
Cics cheat sheetCics cheat sheet
Cics cheat sheet
Rafi Shaik
 
Database Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitectureDatabase Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant Architecture
Pini Dibask
 
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the mythsDB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
Florence Dubois
 

What's hot (20)

Tso and ispf
Tso and ispfTso and ispf
Tso and ispf
 
Smpe
SmpeSmpe
Smpe
 
ASM
ASMASM
ASM
 
Mainframe interview
Mainframe interviewMainframe interview
Mainframe interview
 
SKILLWISE-DB2 DBA
SKILLWISE-DB2 DBASKILLWISE-DB2 DBA
SKILLWISE-DB2 DBA
 
Ipl process
Ipl processIpl process
Ipl process
 
Presentation implementing oracle asm successfully
Presentation implementing oracle asm successfullyPresentation implementing oracle asm successfully
Presentation implementing oracle asm successfully
 
Vsam presentation PPT
Vsam presentation PPTVsam presentation PPT
Vsam presentation PPT
 
zOSMF SDSF_ShareLab_V2R5.pdf
zOSMF SDSF_ShareLab_V2R5.pdfzOSMF SDSF_ShareLab_V2R5.pdf
zOSMF SDSF_ShareLab_V2R5.pdf
 
Cics cheat sheet
Cics cheat sheetCics cheat sheet
Cics cheat sheet
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instance
 
DB2 on Mainframe
DB2 on MainframeDB2 on Mainframe
DB2 on Mainframe
 
DB2 for z/OS Architecture in Nutshell
DB2 for z/OS Architecture in NutshellDB2 for z/OS Architecture in Nutshell
DB2 for z/OS Architecture in Nutshell
 
Database Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitectureDatabase Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant Architecture
 
File Manager for z/OS - Overview
File Manager for z/OS - OverviewFile Manager for z/OS - Overview
File Manager for z/OS - Overview
 
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the mythsDB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
DB2 for z/OS and DASD-based Disaster Recovery - Blowing away the myths
 
CSM Storage Debugging
CSM Storage DebuggingCSM Storage Debugging
CSM Storage Debugging
 
Winning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle MultitenantWinning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle Multitenant
 
CICS basics overview session-1
CICS basics overview session-1CICS basics overview session-1
CICS basics overview session-1
 
Db2 and storage management (mullins)
Db2 and storage management (mullins)Db2 and storage management (mullins)
Db2 and storage management (mullins)
 

Viewers also liked

Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overview
abhi1112
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administration
Ali Abdo
 

Viewers also liked (20)

How to Improve RACF Performance (v0.2 - 2016)
How to Improve RACF Performance (v0.2 - 2016)How to Improve RACF Performance (v0.2 - 2016)
How to Improve RACF Performance (v0.2 - 2016)
 
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
Share 2015 - 5 Myths that can put your Mainframe at risk (v1.3)
 
Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)Security Audit on the Mainframe (v1.0 - 2016)
Security Audit on the Mainframe (v1.0 - 2016)
 
Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2Mainframe Security - It's not just about your ESM v2.2
Mainframe Security - It's not just about your ESM v2.2
 
Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)Cyber security and the mainframe (v1.3)
Cyber security and the mainframe (v1.3)
 
2017 - Cibersecurity v1.0 (English version)
2017 - Cibersecurity v1.0 (English version)2017 - Cibersecurity v1.0 (English version)
2017 - Cibersecurity v1.0 (English version)
 
Cyber Crime - The New World Order (v1.0 - 2016)
Cyber Crime - The New World Order (v1.0 - 2016)Cyber Crime - The New World Order (v1.0 - 2016)
Cyber Crime - The New World Order (v1.0 - 2016)
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overview
 
Pre-Con Ed: Predicting the Fire with Operational Intelligence
Pre-Con Ed: Predicting the Fire with Operational IntelligencePre-Con Ed: Predicting the Fire with Operational Intelligence
Pre-Con Ed: Predicting the Fire with Operational Intelligence
 
Krrushnan Resume - Mainframe (2)
Krrushnan Resume - Mainframe (2)Krrushnan Resume - Mainframe (2)
Krrushnan Resume - Mainframe (2)
 
2017 - Ciberseguranca v1.0 (versao em Portugues)
2017 - Ciberseguranca v1.0 (versao em Portugues)2017 - Ciberseguranca v1.0 (versao em Portugues)
2017 - Ciberseguranca v1.0 (versao em Portugues)
 
How to Protect Your Mainframe from Hackers (v1.0)
How to Protect Your Mainframe from Hackers (v1.0)How to Protect Your Mainframe from Hackers (v1.0)
How to Protect Your Mainframe from Hackers (v1.0)
 
Git intermediate workshop slides v1.4
Git intermediate workshop slides v1.4Git intermediate workshop slides v1.4
Git intermediate workshop slides v1.4
 
Cics Connectivity
Cics ConnectivityCics Connectivity
Cics Connectivity
 
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
Implementation of RBAC and Data Classification onto a Mainframe system (v1.5)
 
The Importance of Mainframe Security Education
The Importance of Mainframe Security Education The Importance of Mainframe Security Education
The Importance of Mainframe Security Education
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
 
Tackling the cyber security threat (2016 - v1.0)
Tackling the cyber security threat (2016 - v1.0)Tackling the cyber security threat (2016 - v1.0)
Tackling the cyber security threat (2016 - v1.0)
 
IBM Utilities
IBM UtilitiesIBM Utilities
IBM Utilities
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administration
 

Similar to RACF - The Basics (v1.2)

Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
kaverizanzane1
 

Similar to RACF - The Basics (v1.2) (20)

Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,View
 
Chapter 14 - Protection
Chapter 14 - ProtectionChapter 14 - Protection
Chapter 14 - Protection
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
IRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET- A Review On - Controlchain: Access Control using BlockchainIRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET- A Review On - Controlchain: Access Control using Blockchain
 
Week No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptxWeek No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptx
 
Database_Security.ppt
Database_Security.pptDatabase_Security.ppt
Database_Security.ppt
 
Presentation gggffggggg.pdf
Presentation gggffggggg.pdfPresentation gggffggggg.pdf
Presentation gggffggggg.pdf
 
Security and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web StudioSecurity and LDAP integration in InduSoft Web Studio
Security and LDAP integration in InduSoft Web Studio
 
2016 share the three headed beast v4
2016 share the three headed beast v42016 share the three headed beast v4
2016 share the three headed beast v4
 
Automating Security Management in PBCS!
Automating Security Management in PBCS!Automating Security Management in PBCS!
Automating Security Management in PBCS!
 
Websphere on z/OS and RACF security
Websphere on z/OS and RACF securityWebsphere on z/OS and RACF security
Websphere on z/OS and RACF security
 
Data base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodData base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access method
 
Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...Implementing Active Directory and Information Security Audit also VAPT in Fin...
Implementing Active Directory and Information Security Audit also VAPT in Fin...
 
IRJET - Health Medicare Data using Tweets in Twitter
IRJET - Health Medicare Data using Tweets in TwitterIRJET - Health Medicare Data using Tweets in Twitter
IRJET - Health Medicare Data using Tweets in Twitter
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin Agarwal
 
Dataverse Permissions Demystified - PowerAddicts BE 11-2022.pptx
Dataverse Permissions Demystified - PowerAddicts BE 11-2022.pptxDataverse Permissions Demystified - PowerAddicts BE 11-2022.pptx
Dataverse Permissions Demystified - PowerAddicts BE 11-2022.pptx
 
Gradution Project
Gradution ProjectGradution Project
Gradution Project
 
Access Control Facilities in Oracle Database 11g r2
Access Control Facilities in Oracle Database 11g r2Access Control Facilities in Oracle Database 11g r2
Access Control Facilities in Oracle Database 11g r2
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBAC
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
 

More from Rui Miguel Feio

More from Rui Miguel Feio (10)

(2019) Hack All the Way Through From Fridge to Mainframe (v0.2)
(2019) Hack All the Way Through From Fridge to Mainframe (v0.2)(2019) Hack All the Way Through From Fridge to Mainframe (v0.2)
(2019) Hack All the Way Through From Fridge to Mainframe (v0.2)
 
(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2(2017) GDPR – What Does It Mean For The Mainframe v0.2
(2017) GDPR – What Does It Mean For The Mainframe v0.2
 
(2017) Cybercrime, Inc. (v3.2)
(2017) Cybercrime, Inc. (v3.2)(2017) Cybercrime, Inc. (v3.2)
(2017) Cybercrime, Inc. (v3.2)
 
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.22017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
 
2017 - Data Privacy and GDPR (v1.1)
2017 - Data Privacy and GDPR (v1.1)2017 - Data Privacy and GDPR (v1.1)
2017 - Data Privacy and GDPR (v1.1)
 
Network and Endpoint Security v1.0 (2017)
Network and Endpoint Security v1.0 (2017)Network and Endpoint Security v1.0 (2017)
Network and Endpoint Security v1.0 (2017)
 
Cybercrime Inc. v2.2
Cybercrime Inc. v2.2Cybercrime Inc. v2.2
Cybercrime Inc. v2.2
 
Challenges of Outsourcing the Mainframe (v1.2)
Challenges of Outsourcing the Mainframe (v1.2)Challenges of Outsourcing the Mainframe (v1.2)
Challenges of Outsourcing the Mainframe (v1.2)
 
IOT & BYOD – The New Security Risks (v1.1)
IOT & BYOD – The New Security Risks (v1.1)IOT & BYOD – The New Security Risks (v1.1)
IOT & BYOD – The New Security Risks (v1.1)
 
The Billion Dollar Product - Online Privacy (v2.2)
The Billion Dollar Product - Online Privacy (v2.2)The Billion Dollar Product - Online Privacy (v2.2)
The Billion Dollar Product - Online Privacy (v2.2)
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
WSO2
 

Recently uploaded (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

RACF - The Basics (v1.2)

  • 2. Agenda 2The role of users in RACF and how to define access to the mainframe. Users 3What are RACF groups, how do they work and how to use them. Groups 5General resources and how to protect everything else on the mainframe. General 6How to configure RACF and security best practices. Settings 7How to contact Rui and keep in touch. Contact 1What is RACF, what is it for, and how it works. Intro 4Dataset profiles and how to protect the data on the mainframe. Dataset
  • 4. 04 It’s an IBM External Security Management (ESM) product that provides access control and audit functionalities for the mainframe z/OS and z/VM operating systems. RACF provides the tools to manage user access to critical resources. It protects resources by granting access only to authorised users of the protected resources. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources. ResourceAccessControlFacility (RACF) .
  • 5. Macros Allows applications to use RACF macros. 7 Logging Logs access to a protected system and protected resources. 5 Administration Simplifies the administration process to meet the security goals of the company. 6 Main Features. 05 Users Identifies and authenticates users using a userid and a password when trying to access the mainframe operating system. 1 Protection Allows the identification, classification and protection of mainframe system resources. 2 Access Facilitates the maintenance of access rights to the protected resources. 3 Control Helps controlling the means of access to protected resources on the mainframe. 4
  • 6. RACF Profiles. 06 User profiles contain security information about the userids defined to RACF who can access (or not) the resources. User 01 Group profiles contain security information about group attributes and user connections. Group 02 General resource profiles contain security information about all resources other than user, group or dataset. General Resources 03 These profiles contain the necessary information to allow RACF to make a decision as to the access authority allowed for any specific request. What are they for? Dataset profiles contain security information about DASD and tape datasets. Dataset 04
  • 7. Access to Profiles. 07 Users and groups can be defined in RACF to have different levels of access to dataset profiles and general resource profiles (programs, transactions, commands, etc). Accessing profiles Dataset Profiles General Resource Profiles Users & Groups
  • 8. Access Levels. 08 Access to the resource is not granted to users and groups. None 1 Users and groups can execute programs from a library, but they cannot read or write into the library. Execute 2 Users and groups can access the resource but they cannot alter its contents. Read 3 Users and groups can change the contents of the resource but they are not authorized to delete it or create a new one. Update 4 Users and groups are granted authority to VSAM datasets (equivalent to the VSAM control password). Control 5 Users and groups have full control over the resource, i.e., they can create a new one, access it, modify it and delete it. Alter 6 From lowest (1) to greatest (6).
  • 9. Securing the Mainframe. 09 z/OS Application SAF RACF Resource Manager System Component Authorisation Checking 1. A userid is passed from the application or system component to the resource manager. 2. The resource manager maintains the data that the userid wishes to access and calls SAF to perform an authorisation check. In some situations the resource manager may provide its own security 3. SAF passes the userid, the resource the userid wishes to access, and the access type to RACF (External Security Manager). 4. RACF refers to its database in order to make a decision. 5. RACF passes the Information back to SAF and ultimately to the resource manager. 6. The resource manager makes the decision to allow or deny access based on the security information it now has.
  • 10. Summary. 10 RACF controls and logs access RACF profiles protect resources Users can logon to the mainframe Users can be connected to Groups Users and groups are defined to profiles Access can go from None to Alter What we have covered so far... RACF provides access control and audit functionalities for the mainframe. It uses profiles to describe mainframe resources that it protects: datasets, programs, commands, transactions, etc. Users can logon to the mainframe via userid/password and can be grouped together into Groups to share the same levels of access. This facilitates the security management tasks. In order to access the resources, users and groups need to be defined in the Access Control List (ACL) of the RACF profiles – dataset and general resource. The access that a user or a group can have to a resource varies from None (no access) to Alter (full access).
  • 12. What are RACF users? 12 Someone who requires access to resources In RACF users are represented by userids Users must authenticate to gain access User authentication is done by userid/pass Userids can be used by people (personal) Userids can be used by system resourcesDesigned by Freepik
  • 13. Naming Convention. 13 The userid name has to be one to eight characters in length. Userid length 1 Any combination of alphanumeric and $, # or @. Characters 2 Has to be unique. The userid cannot match an existing userid or group name. Userid 3 Users with the ability to logon to the mainframe system cannot exceed 7 characters in length. TSO users length 4 TSO userids cannot begin with a numeric character. TSO useridcharacters 5
  • 16. Attributes – System Wide. 16 Attribute Description SPECIAL A user can issue all RACF commands. This attribute gives the user full control over all RACF profiles in the RACF database. AUDITOR Given to users who are responsible to auditing RACF security controls and functions. OPERATIONS A user has full access authorisation to all RACF-protected resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR. PROTECTED Used mainly for started tasks to prevent a userid from being revoked. RESTRICTED Prevents a user from accessing protected resources REVOKE Prevents a user from accessing the system. CLAUTH Allows the user to define profiles in the class where user has CLAUTH
  • 17. Attributes – Group Level. 17 Attribute Description SPECIAL (Group Special) This attribute gives the user full control over all RACF profiles within the scope of the group. AUDITOR (Group Auditor) User authority is limited to RACF profiles within the scope of the group. Given to users who are responsible to auditing RACF security controls and functions. OPERATIONS (Group Operations) A user has full access authorisation to all RACF-protected resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR. User authority is limited to RACF profiles within the scope of the group. REVOKE Prevents a user from accessing the profiles within the scope of the group. • The "scope of the group” is determined by the group ownership structure • Group ownership can only occur between a superior group and its subgroups • The scope will continue as long as "groups own groups” • The scope ends when a group is owned by a user id
  • 18. RACF Commands. 18 Command Description Example ADDUSER (AU) Add a user profile AU userid NAME(‘user_name’) DFLTGRP(grp_name) OWNER(owner) PASS(password) ALTUSER (ALU) Modify a user profile ALU userid PASSWORD(password) LISTUSER (LU) List a user profile LU userid DELUSER (DU) Delete a user profile DU userid
  • 20. What are RACF groups? 20 Collection of users with common access Groups can have users connected to them Groups facilitate user management Groups can have subgroups Each Group has an owner (user or group) Groups should be owned by another Group Why are Groups so important? By adding a user to a group, we give that user access to all of the resources to which the group has access. Likewise, by removing a user from a group, we prevent the user from accessing those resources. Some of the benefits of using RACF groups include: • Reducing the effort to maintain access lists • Avoiding the need to refresh in-storage profiles • Providing a form of timed PERMIT • Minimising the length of access lists
  • 21. Naming Convention. 21 The group name has to be one to eight characters in length. Name length 1 Any combination of alphanumeric and $, # or @. Characters 2 Has to be unique. The group name cannot match an existing userid or other group name. Group 3 The group name cannot begin with a numeric character. Numerics 4
  • 22. Group Tree. 22 SYS1 HR STAFF HIRE FINANCE IT SECURITY SYSTEMS SHARED EXTERNAL ZOS MVS JUNIOR SENIOR CICS CIC01 CIC02 DB2 DB201 DB202 HELPDESK AUDIT OFFSHORE INDIA AFRICA AMERICA
  • 23. Owner and SupGroup. 23 The owner of a group can define new users (providing it has got CLAUTH for the USER class), can modify, list, and delete the group profile, can connect and remove users from the group, and can define, delete, and list the names of the subgroups. The same applies for users connected to the group with Group Special attribute. Owner The Superior Group defines the parent group. The initial point where all groups derive from is SYS1. Supgroup Determinesadministration Determinesstructure But bear in mind… When creating a RACF group, always remember that: • If you don’t specify the OWNER your userid becomes the OWNER of the group • If you don’t specify the SUPGROUP, your userid’s current connect group becomes the superior group. • If the OWNER is a group, this group will also become the SUPGROUP.
  • 24. Naming Convention. 24 The group name has to be one to eight characters in length. Name length 1 Any combination of alphanumeric and $, # or @. Characters 2 Has to be unique. The group name cannot match an existing userid or other group name. Group 3 #CIO $WIN $MVS @ZVM @ZOS ZOS01 CICS CICS01 CICS02 ZOS02 IMS ZOS03 WAS ZOS04 DB2 DB201 DB202 $AS400 $LINUX @SUSE @REDHAT
  • 27. Universal Groups. 27 Regular, normal RACF groups can only have up to 5,957 connected users. Limitation of regular groups 1 RACF Universal groups allow more than 5,957 to be connected. UniversalGroups 2 To create a RACF Universal group you just need to use the UNIVERSAL parameter with the add Group command: AG group OW(owner) SUP(supgroup) UNIVERSAL Setup an Universalgroup 3 With Universal groups, the LISTGRP command will only list users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR. Downside 4 To view all members of a RACF Universal group, you will need to use the Database Unload Utility (IRRDBU00). List all users 5
  • 28. Group Attributes. 28 Attribute Description USER Allows the user to access resources to which the group is authorised CREATE Allows the user to create RACF dataset profiles for the group CONNECT Allows the user to connect other users to the group JOIN Allows the user to add new subgroups or users to the group, as well as assign group authorities to the new members • The "scope of the group” is determined by the group ownership structure • Group ownership can only occur between a superior group and its subgroups • The scope will continue as long as "groups own groups” • The scope ends when a group is owned by a user id
  • 29. RACF Commands. 29 Command Description Example ADDGROUP (AG) Add a group profile AG group OWNER(owner) SUPGRP(grp_name) ALTGROUP (ALG) Modify a group profile ALG group OWNER(owner) SUPGRP(grp_name) LISTGRP (LG) List a group profile LG group DELGROUP (DG) Delete a group profile DG group CONNECT (CO) Connect a user to a RACF group CO user GROUP(group) OWNER(owner) REMOVE (RE) Remove a user from a RACF group RE userid GROUP(group)
  • 31. What are they? 31 RACF dataset profiles protect datasets HLQ of profile must match user or group Must be owned by a user or a group PROTECTALL requires dataset profiles Why are RACF Dataset profiles so important? Dataset profiles allow the security administrator to define who can read the content of a dataset, who can edit it, and who can create or delete a dataset. In essence, it’s the way to protect datasets on the mainframe using RACF. If RACF option PROTECTALL is enabled, datasets can only be accessed if there’s a dataset profile in place in RACF.
  • 32. Categories. 32 Protects one data set that has unique security requirements. If the data set is deleted, the profile is deleted. Avoid using them. TSSS.EXRT222.OUTPUT VOL123 Discrete 1 Can protect one or many data sets whose data set name matches profile name. Uses "generic" characters % and *. TSSS.%%%%%%%.* Generic 2 Can protect one or more data sets with the same data set name. The profile is not deleted if the data set is deleted. TSSS.EXRT222.OUTPUT Fully-qualifiedgeneric 3 Similar to generic profiles but can also use the ** as a generic character. Implemented to provide comparable capability provided for General Resources. TSSS.*.** Enhanced generic 4 Generic profiles are the standard (use GEN with the RACF commands)
  • 33. Naming Convention. 33 A dataset profile can have two or more naming qualifiers. Number of qualifiers 1 Each qualifier must be separated by a period. Qualifiers separation 2 Any combination of alphanumeric and $, # or @. Characters 3 The first character of each qualifier cannot be a numeric. No numerics at the start 4 Dataset profiles can have wildcards (%, *, **) Wildcards 5
  • 34. Generic Profiles. 34 Profile Dataset Name HLQ.DATA.* HLQ.DATA HLQ.D%TA.FILE HLQ.DATA.FILE HLQ.D*.FILE HLQ.DATA.FILE.STUFF HLQ.* HLQ.MY.FILE HLQ.*.** HLQ.YOUR.FILE HLQ.**.FILE HLQ.MASTER.FILE HLQ.BACKUP.FILE RACF uses the most specific Generic Profile when determining which profile protects a dataset. SR MASK(hlq.) will display the search order RACF will use 1. To see which of two generic profiles is more specific, compare the profile names, character by character. 2. Where they first differ, if one has a discrete character and the other has a generic character, the one with the discrete character wins. 3. If both have a generic character where they differ, then: • If one has a % and the other has a * or **, the one with % wins. • If one has a * and the other has a **, the one with * wins.
  • 35. Access Levels. 35 Level Description NONE User/Group is not allowed to access the dataset EXECUTE User/Group is allowed to execute a program from the dataset, but not to Read, Copy or Modify the dataset READ User/Group is allowed to Read and Copy the dataset UPDATE User/Group is allowed to Read, Copy and Modify the dataset CONTROL (VSAM data sets) User/Group is allowed to perform improved control interval processing. This is control-interval access (access to individual VSAM data blocks), and the ability to Retrieve, Update, Insert, or Delete records in the data set ALTER User/Group has full authority over the dataset (Read, Update, Create, Delete, Rename, Allocate)
  • 36. Access Control List. 36 • Standard Access Control List: – Grants User/Group some level of access • Conditional Access Control List: – Grants User/Group some level of access based on a condition: – WHEN using a certain PROGRAM – WHEN user is logged onto a certain TERMINAL – WHEN user is logged onto a certain CONSOLE – WHEN job submitted from a certain JESINPUT – WHEN user enters system from certain LU (APPCPORT) – WHEN user enters system from certain IP address (SERVAUTH)
  • 37. UACC and ID(*). 37 Level Description ID(*) Defines the default access level to all RACF defined users UACC (Universal Access) Defines the default access level to all users and groups defined or not in RACF UACC value is a required field when defining a new dataset profile
  • 38. Access. 38 Condition Description Own Profile • Userid/Group has full admin control over profile (including Access List) • Does not allow access to dataset itself Don’t Own Profile • GAT allows access to dataset • Userid = dataset HLQ • Userid/Group is in ACL • ID(*) allows access • UACC allows access • OPERATIONS attribute • WARNING Mode • Each dataset profile defined to RACF requires a RACF-defined user or group as the owner of the profile. • The owner (if a user) has full control over the profile, including the access list. If the owner of the dataset profile is a group, users with group-SPECIAL in that group have full control over the profile. • Ownership of dataset profiles is assigned when the profiles are defined to RACF. Note that ownership of a dataset profile does not mean that the owner can automatically access that data set. • To access a data set, the owner must still be authorized in the profile's access list, unless the high-level qualifier of the profile name is the owner's user ID.
  • 39. RACF Commands. 39 Command Description Example ADDSD (AD) Add a dataset profile AD ‘ds_profile’ UACC(uacc_level) OW(owner) ALTDSD (ALD) Modify a dataset profile ALD ‘ds_profile’ UACC(uacc_level) OW(owner) LISTDSD (LD) List a dataset profile LD DATASET(‘ds_profile’) DELDSD (DD) Delete a dataset profile DD ‘ds_profile’ PERMIT (PE) Define, modify or delete ACL entries on a dataset profile PE ‘dsprofile’ GEN ID(group) AC(access)
  • 41. What are they? 41 Protect all resources other than Datasets General Resources grouped by Classes Must be owned by a user or a group Why are RACF General Resource profiles so important? General resource profiles protect all resources other than datasets on the mainframe, for example: CICS transactions, TCP/IP ports, MVS commands, JES2 commands, ISPF panels, DB2 subsystems, etc.
  • 42. Need to Know. 42 • Classes must be activated: – SETROPTS CLASSACT(class_name) – But… we need to define the profiles before activating it • Classes can be RACLISTed to improve performance: – SETROPTS RACLIST(class_name) • Dynamic refreshing of in-storage profiles: – SETROPTS RACLIST(class_name) REFRESH – When… adding, modifying, or deleting RACLISTed profiles
  • 43. Profile Types. 43 Discrete Profiles Generic Profiles Generic characters %, *, **, and & can be used Generic characters can be used in any qualifier
  • 44. Access Control List. 44 • Standard Access Control List: – Grants User/Group some level of access • Conditional Access Control List: – Grants User/Group some level of access based on a condition: – WHEN user is logged onto a certain TERMINAL – WHEN user is logged onto a certain CONSOLE – WHEN job submitted from a certain JESINPUT – WHEN user enters system from certain LU (APPCPORT) – WHEN user enters systemid (SYSID)
  • 45. UACC and ID(*). 45 Level Description ID(*) Defines the default access level to all RACF defined users UACC (Universal Access) Defines the default access level to all users and groups defined or not in RACF UACC value is a required field when defining a new Generic profile
  • 46. RACF Commands. 46 Command Description Examples RDEFINE (RDEF) Add a Generic Resource profile RDEF class_name profile_name ADDMEM(member) RALTER (RALT) Modify a Generic Resource profile RALT class_name profile_name UACC(acc_level) RLIST (RL) List a Generic Resource profile RL class_name profile_name ALL RDELETE (RDEL) Delete a Generic Resource profile RDEL class_name profile_name PERMIT (PE) Define, modify or delete ACL entries on a Generic Resource profile PE gr_profile CL(class) ID(grp_name) AC(access_level)
  • 48. What is SETROPS? 48 Where RACF is configured (settings) Accessible by System Special users Accessible by System Auditor users Why is SETROPS so important? SETROPS contains the default settings for the RACF environment. These values can be modified by system special userids. System auditor userids have the ability to visualise the entire SETROPS configuration.
  • 49. Need to Know. 49 • SPECIAL users can set global controls • AUDITOR users can set tracking options • Need to Refresh after updating: – Generic – Global – RACLIST – WHEN(PROGRAM) • An SMF record is written for every SETROPTS
  • 50. Parameters – Examples. 50 Parameter Description CLASSACT Specifies classes for which RACF protection will be in effect RACLIST Discrete and Generic profiles for the General Resource classes specified will be copied into storage and shared by all users LOGOPTIONS Audit selected access attempts to resources whether they are RACF protected or not PROTECTALL Creation of or access to unprotected data sets is not allowed INTERVAL (Pasword) Maximum number of days a user's password is valid MINCHANGE (Password) Number of days that must pass between a user’s password changes MIXEDCASE (Password) Support for mixed-case passwords
  • 51. RACF Commands. 51 Command Description Examples SETROPTS parameter Modify SETROPTS values SETROPTS PASSWORD(REVOKE(5) RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)) RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)) RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7))) SETROPS LIST List RACF settings SETROPS LIST SETROPS REFRESH Refresh in-storage profile for a specific CLASS SETROPTS GENERIC(class_name) REFRESH
  • 53. Contacts. 53 ruif@rmfconsulting.com +44 (0)7570 911459 l t f Phone & email Social Media https://twitter.com/rfeio https://www.facebook.com/RuiMiguelFeio https://www.linkedin.com/in/rfeio g https://plus.google.com/+RuiMiguelFeio Other Presentations s http://www.slideshare.net/rmfeio http://www.RuiFeio.com Website