2. Agenda
2The role of users in
RACF and how to
define access to the
mainframe.
Users
3What are RACF
groups, how do they
work and how to
use them.
Groups
5General resources
and how to protect
everything else on
the mainframe.
General
6How to configure
RACF and security
best practices.
Settings
7How to contact Rui
and keep in touch.
Contact
1What is RACF,
what is it for, and
how it works.
Intro
4Dataset profiles and
how to protect the
data on the
mainframe.
Dataset
4. 04
It’s an IBM External Security Management (ESM) product that provides access control and audit functionalities for the
mainframe z/OS and z/VM operating systems.
RACF provides the tools to manage user access to critical resources. It protects resources by granting access only to
authorised users of the protected resources. RACF retains information about users, resources, and access authorities in
special structures called profiles in its database, and it refers to these profiles when deciding which users should be
permitted access to protected system resources.
ResourceAccessControlFacility
(RACF) .
5. Macros
Allows applications to use RACF
macros.
7
Logging
Logs access to a protected system and
protected resources.
5
Administration
Simplifies the administration process
to meet the security goals of the
company.
6
Main Features.
05
Users
Identifies and authenticates users
using a userid and a password when
trying to access the mainframe
operating system.
1
Protection
Allows the identification,
classification and protection of
mainframe system resources.
2
Access
Facilitates the maintenance of access
rights to the protected resources.
3
Control
Helps controlling the means of access
to protected resources on the
mainframe.
4
6. RACF Profiles.
06
User profiles contain security
information about the userids
defined to RACF who can access
(or not) the resources.
User
01 Group profiles contain security
information about group attributes
and user connections.
Group
02
General resource profiles contain
security information about all
resources other than user, group or
dataset.
General Resources
03
These profiles contain the necessary
information to allow RACF to make a
decision as to the access authority
allowed for any specific request.
What are they for?
Dataset profiles contain security
information about DASD and tape
datasets.
Dataset
04
7. Access to Profiles.
07
Users and groups can be defined in RACF to
have different levels of access to dataset profiles
and general resource profiles (programs,
transactions, commands, etc).
Accessing profiles
Dataset
Profiles
General
Resource
Profiles
Users
&
Groups
8. Access Levels.
08
Access to the resource is not granted to users and groups.
None
1
Users and groups can execute programs from a library, but
they cannot read or write into the library.
Execute
2
Users and groups can access the resource but they cannot
alter its contents.
Read
3
Users and groups can change the contents of the resource
but they are not authorized to delete it or create a new one.
Update
4
Users and groups are granted authority to VSAM datasets
(equivalent to the VSAM control password).
Control
5
Users and groups have full control over the resource, i.e.,
they can create a new one, access it, modify it and delete it.
Alter
6
From lowest (1) to greatest (6).
9. Securing the Mainframe.
09
z/OS
Application
SAF RACF
Resource
Manager
System
Component
Authorisation Checking
1. A userid is passed from the application or system component to the
resource manager.
2. The resource manager maintains the data that the userid wishes to access
and calls SAF to perform an authorisation check. In some situations the
resource manager may provide its own security
3. SAF passes the userid, the resource the userid wishes to access, and the
access type to RACF (External Security Manager).
4. RACF refers to its database in order to make a decision.
5. RACF passes the Information back to SAF and ultimately to the resource
manager.
6. The resource manager makes the decision to allow or deny access based on
the security information it now has.
10. Summary.
10
RACF controls and logs access
RACF profiles protect resources
Users can logon to the mainframe
Users can be connected to Groups
Users and groups are defined to profiles
Access can go from None to Alter
What we have covered
so far...
RACF provides access control and audit functionalities for the mainframe. It
uses profiles to describe mainframe resources that it protects: datasets,
programs, commands, transactions, etc.
Users can logon to the mainframe via userid/password and can be grouped
together into Groups to share the same levels of access. This facilitates the
security management tasks.
In order to access the resources, users and groups need to be defined in the
Access Control List (ACL) of the RACF profiles – dataset and general
resource.
The access that a user or a group can have to a resource varies from None (no
access) to Alter (full access).
12. What are RACF users?
12
Someone who requires access to resources
In RACF users are represented by userids
Users must authenticate to gain access
User authentication is done by userid/pass
Userids can be used by people (personal)
Userids can be used by system resourcesDesigned by Freepik
13. Naming Convention.
13
The userid name has to be one to eight characters in length.
Userid length
1
Any combination of alphanumeric and $, # or @.
Characters
2
Has to be unique. The userid cannot match an existing
userid or group name.
Userid
3
Users with the ability to logon to the mainframe system
cannot exceed 7 characters in length.
TSO users length
4
TSO userids cannot begin with a numeric character.
TSO useridcharacters
5
16. Attributes – System Wide.
16
Attribute Description
SPECIAL A user can issue all RACF commands. This attribute gives the user full control over all RACF
profiles in the RACF database.
AUDITOR Given to users who are responsible to auditing RACF security controls and functions.
OPERATIONS A user has full access authorisation to all RACF-protected resources in specific classes:
DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD,
VMMDISK, VMNODE and VMRDR.
PROTECTED Used mainly for started tasks to prevent a userid from being revoked.
RESTRICTED Prevents a user from accessing protected resources
REVOKE Prevents a user from accessing the system.
CLAUTH Allows the user to define profiles in the class where user has CLAUTH
17. Attributes – Group Level.
17
Attribute Description
SPECIAL (Group Special) This attribute gives the user full control over all RACF profiles
within the scope of the group.
AUDITOR (Group Auditor) User authority is limited to RACF profiles within the scope of the
group. Given to users who are responsible to auditing RACF security controls
and functions.
OPERATIONS (Group Operations) A user has full access authorisation to all RACF-protected
resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL,
TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR. User
authority is limited to RACF profiles within the scope of the group.
REVOKE Prevents a user from accessing the profiles within the scope of the group.
• The "scope of the group” is determined by the group ownership structure
• Group ownership can only occur between a superior group and its subgroups
• The scope will continue as long as "groups own groups”
• The scope ends when a group is owned by a user id
18. RACF Commands.
18
Command Description Example
ADDUSER (AU) Add a user profile AU userid NAME(‘user_name’) DFLTGRP(grp_name) OWNER(owner) PASS(password)
ALTUSER (ALU) Modify a user profile ALU userid PASSWORD(password)
LISTUSER (LU) List a user profile LU userid
DELUSER (DU) Delete a user profile DU userid
20. What are RACF groups?
20
Collection of users with common access
Groups can have users connected to them
Groups facilitate user management
Groups can have subgroups
Each Group has an owner (user or group)
Groups should be owned by another Group
Why are Groups so
important?
By adding a user to a group, we give that user access to all of the resources to
which the group has access. Likewise, by removing a user from a group, we
prevent the user from accessing those resources.
Some of the benefits of using RACF groups include:
• Reducing the effort to maintain access lists
• Avoiding the need to refresh in-storage profiles
• Providing a form of timed PERMIT
• Minimising the length of access lists
21. Naming Convention.
21
The group name has to be one to eight characters in length.
Name length
1
Any combination of alphanumeric and $, # or @.
Characters
2
Has to be unique. The group name cannot match an existing
userid or other group name.
Group
3
The group name cannot begin with a numeric character.
Numerics
4
22. Group Tree.
22
SYS1
HR
STAFF HIRE
FINANCE IT
SECURITY SYSTEMS
SHARED EXTERNAL ZOS
MVS
JUNIOR SENIOR
CICS
CIC01 CIC02
DB2
DB201 DB202
HELPDESK
AUDIT OFFSHORE
INDIA AFRICA AMERICA
23. Owner and SupGroup.
23
The owner of a group can define new users (providing it has got CLAUTH
for the USER class), can modify, list, and delete the group profile, can
connect and remove users from the group, and can define, delete, and list the
names of the subgroups.
The same applies for users connected to the group with Group Special
attribute.
Owner
The Superior Group defines the parent group. The initial point where all
groups derive from is SYS1.
Supgroup
Determinesadministration
Determinesstructure
But bear in mind…
When creating a RACF group, always remember that:
• If you don’t specify the OWNER your userid becomes the
OWNER of the group
• If you don’t specify the SUPGROUP, your userid’s current
connect group becomes the superior group.
• If the OWNER is a group, this group will also become the
SUPGROUP.
24. Naming Convention.
24
The group name has to be one to eight characters in length.
Name length
1
Any combination of alphanumeric and $, # or @.
Characters
2
Has to be unique. The group name cannot match an existing
userid or other group name.
Group
3
#CIO
$WIN $MVS
@ZVM @ZOS
ZOS01
CICS
CICS01 CICS02
ZOS02
IMS
ZOS03
WAS
ZOS04
DB2
DB201 DB202
$AS400 $LINUX
@SUSE @REDHAT
27. Universal Groups.
27
Regular, normal RACF groups can only have up to 5,957
connected users.
Limitation of regular groups
1
RACF Universal groups allow more than 5,957 to be
connected.
UniversalGroups
2
To create a RACF Universal group you just need to use the
UNIVERSAL parameter with the add Group command:
AG group OW(owner) SUP(supgroup) UNIVERSAL
Setup an Universalgroup
3
With Universal groups, the LISTGRP command will only
list users with authority higher than USE or with the
attributes SPECIAL, OPERATIONS or AUDITOR.
Downside
4
To view all members of a RACF Universal group, you will
need to use the Database Unload Utility (IRRDBU00).
List all users
5
28. Group Attributes.
28
Attribute Description
USER Allows the user to access resources to which the group is authorised
CREATE Allows the user to create RACF dataset profiles for the group
CONNECT Allows the user to connect other users to the group
JOIN Allows the user to add new subgroups or users to the group, as well as assign
group authorities to the new members
• The "scope of the group” is determined by the group ownership structure
• Group ownership can only occur between a superior group and its subgroups
• The scope will continue as long as "groups own groups”
• The scope ends when a group is owned by a user id
29. RACF Commands.
29
Command Description Example
ADDGROUP (AG) Add a group profile AG group OWNER(owner) SUPGRP(grp_name)
ALTGROUP (ALG) Modify a group profile ALG group OWNER(owner) SUPGRP(grp_name)
LISTGRP (LG) List a group profile LG group
DELGROUP (DG) Delete a group profile DG group
CONNECT (CO) Connect a user to a RACF group CO user GROUP(group) OWNER(owner)
REMOVE (RE) Remove a user from a RACF group RE userid GROUP(group)
31. What are they?
31
RACF dataset profiles protect datasets
HLQ of profile must match user or group
Must be owned by a user or a group
PROTECTALL requires dataset profiles
Why are RACF Dataset
profiles so important?
Dataset profiles allow the security administrator to define who can read the
content of a dataset, who can edit it, and who can create or delete a dataset. In
essence, it’s the way to protect datasets on the mainframe using RACF.
If RACF option PROTECTALL is enabled, datasets can only be accessed if
there’s a dataset profile in place in RACF.
32. Categories.
32
Protects one data set that has unique security requirements.
If the data set is deleted, the profile is deleted. Avoid using
them.
TSSS.EXRT222.OUTPUT VOL123
Discrete
1
Can protect one or many data sets whose data set name
matches profile name. Uses "generic" characters % and *.
TSSS.%%%%%%%.*
Generic
2
Can protect one or more data sets with the same data set
name. The profile is not deleted if the data set is deleted.
TSSS.EXRT222.OUTPUT
Fully-qualifiedgeneric
3
Similar to generic profiles but can also use the ** as a
generic character. Implemented to provide comparable
capability provided for General Resources.
TSSS.*.**
Enhanced generic
4
Generic profiles are the standard (use GEN with the RACF commands)
33. Naming Convention.
33
A dataset profile can have two or more naming qualifiers.
Number of qualifiers
1
Each qualifier must be separated by a period.
Qualifiers separation
2
Any combination of alphanumeric and $, # or @.
Characters
3
The first character of each qualifier cannot be a numeric.
No numerics at the start
4
Dataset profiles can have wildcards (%, *, **)
Wildcards
5
34. Generic Profiles.
34
Profile Dataset Name
HLQ.DATA.* HLQ.DATA
HLQ.D%TA.FILE HLQ.DATA.FILE
HLQ.D*.FILE HLQ.DATA.FILE.STUFF
HLQ.* HLQ.MY.FILE
HLQ.*.** HLQ.YOUR.FILE
HLQ.**.FILE HLQ.MASTER.FILE
HLQ.BACKUP.FILE
RACF uses the most specific Generic Profile when determining which profile protects a dataset.
SR MASK(hlq.) will display the search order RACF will use
1. To see which of two generic profiles is more specific, compare the profile names, character by character.
2. Where they first differ, if one has a discrete character and the other has a generic character, the one with
the discrete character wins.
3. If both have a generic character where they differ, then:
• If one has a % and the other has a * or **, the one with % wins.
• If one has a * and the other has a **, the one with * wins.
35. Access Levels.
35
Level Description
NONE User/Group is not allowed to access the dataset
EXECUTE User/Group is allowed to execute a program from the dataset, but not to Read, Copy or
Modify the dataset
READ User/Group is allowed to Read and Copy the dataset
UPDATE User/Group is allowed to Read, Copy and Modify the dataset
CONTROL (VSAM data sets) User/Group is allowed to perform improved control interval processing.
This is control-interval access (access to individual VSAM data blocks),
and the ability to Retrieve, Update, Insert, or Delete records in the data set
ALTER User/Group has full authority over the dataset (Read, Update, Create, Delete, Rename,
Allocate)
36. Access Control List.
36
• Standard Access Control List:
– Grants User/Group some level of access
• Conditional Access Control List:
– Grants User/Group some level of access based on a condition:
– WHEN using a certain PROGRAM
– WHEN user is logged onto a certain TERMINAL
– WHEN user is logged onto a certain CONSOLE
– WHEN job submitted from a certain JESINPUT
– WHEN user enters system from certain LU (APPCPORT)
– WHEN user enters system from certain IP address (SERVAUTH)
37. UACC and ID(*).
37
Level Description
ID(*) Defines the default access level to all RACF defined users
UACC (Universal Access) Defines the default access level to all users and
groups defined or not in RACF
UACC value is a required field when defining a new dataset profile
38. Access.
38
Condition Description
Own Profile • Userid/Group has full admin control over profile (including Access List)
• Does not allow access to dataset itself
Don’t Own Profile • GAT allows access to dataset
• Userid = dataset HLQ
• Userid/Group is in ACL
• ID(*) allows access
• UACC allows access
• OPERATIONS attribute
• WARNING Mode
• Each dataset profile defined to RACF requires a RACF-defined user or group as the owner of the profile.
• The owner (if a user) has full control over the profile, including the access list. If the owner of the dataset profile is a group, users with group-SPECIAL
in that group have full control over the profile.
• Ownership of dataset profiles is assigned when the profiles are defined to RACF. Note that ownership of a dataset profile does not mean that the owner
can automatically access that data set.
• To access a data set, the owner must still be authorized in the profile's access list, unless the high-level qualifier of the profile name is the owner's user
ID.
39. RACF Commands.
39
Command Description Example
ADDSD (AD) Add a dataset profile AD ‘ds_profile’ UACC(uacc_level) OW(owner)
ALTDSD (ALD) Modify a dataset profile ALD ‘ds_profile’ UACC(uacc_level) OW(owner)
LISTDSD (LD) List a dataset profile LD DATASET(‘ds_profile’)
DELDSD (DD) Delete a dataset profile DD ‘ds_profile’
PERMIT (PE) Define, modify or delete ACL entries on a dataset profile PE ‘dsprofile’ GEN ID(group) AC(access)
41. What are they?
41
Protect all resources other than Datasets
General Resources grouped by Classes
Must be owned by a user or a group
Why are RACF General
Resource profiles so
important?
General resource profiles protect all resources other than datasets on the
mainframe, for example: CICS transactions, TCP/IP ports, MVS commands,
JES2 commands, ISPF panels, DB2 subsystems, etc.
42. Need to Know.
42
• Classes must be activated:
– SETROPTS CLASSACT(class_name)
– But… we need to define the profiles before activating it
• Classes can be RACLISTed to improve performance:
– SETROPTS RACLIST(class_name)
• Dynamic refreshing of in-storage profiles:
– SETROPTS RACLIST(class_name) REFRESH
– When… adding, modifying, or deleting RACLISTed profiles
44. Access Control List.
44
• Standard Access Control List:
– Grants User/Group some level of access
• Conditional Access Control List:
– Grants User/Group some level of access based on a condition:
– WHEN user is logged onto a certain TERMINAL
– WHEN user is logged onto a certain CONSOLE
– WHEN job submitted from a certain JESINPUT
– WHEN user enters system from certain LU (APPCPORT)
– WHEN user enters systemid (SYSID)
45. UACC and ID(*).
45
Level Description
ID(*) Defines the default access level to all RACF defined users
UACC (Universal Access) Defines the default access level to all users and
groups defined or not in RACF
UACC value is a required field when defining a new Generic profile
46. RACF Commands.
46
Command Description Examples
RDEFINE (RDEF) Add a Generic Resource profile RDEF class_name profile_name ADDMEM(member)
RALTER (RALT) Modify a Generic Resource profile RALT class_name profile_name UACC(acc_level)
RLIST (RL) List a Generic Resource profile RL class_name profile_name ALL
RDELETE (RDEL) Delete a Generic Resource profile RDEL class_name profile_name
PERMIT (PE) Define, modify or delete ACL entries on a Generic
Resource profile
PE gr_profile CL(class) ID(grp_name) AC(access_level)
48. What is SETROPS?
48
Where RACF is configured (settings)
Accessible by System Special users
Accessible by System Auditor users
Why is SETROPS so
important?
SETROPS contains the default settings for the RACF environment. These
values can be modified by system special userids. System auditor userids have
the ability to visualise the entire SETROPS configuration.
49. Need to Know.
49
• SPECIAL users can set global controls
• AUDITOR users can set tracking options
• Need to Refresh after updating:
– Generic
– Global
– RACLIST
– WHEN(PROGRAM)
• An SMF record is written for every SETROPTS
50. Parameters – Examples.
50
Parameter Description
CLASSACT Specifies classes for which RACF protection will be in
effect
RACLIST Discrete and Generic profiles for the General Resource classes specified will be copied into
storage and shared by all users
LOGOPTIONS Audit selected access attempts to resources whether
they are RACF protected or not
PROTECTALL Creation of or access to unprotected data sets is not allowed
INTERVAL (Pasword) Maximum number of days a user's password is valid
MINCHANGE (Password) Number of days that must pass between a
user’s password changes
MIXEDCASE (Password) Support for mixed-case passwords
51. RACF Commands.
51
Command Description Examples
SETROPTS parameter Modify SETROPTS values SETROPTS
PASSWORD(REVOKE(5) RULE1(LENGTH(6:8)
ALPHA(1,6) ALPHANUM(2:5))
RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6))
RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))
SETROPS LIST List RACF settings SETROPS LIST
SETROPS REFRESH Refresh in-storage profile for a specific CLASS SETROPTS GENERIC(class_name) REFRESH
53. Contacts.
53
ruif@rmfconsulting.com
+44 (0)7570 911459
l
t
f
Phone & email Social Media
https://twitter.com/rfeio
https://www.facebook.com/RuiMiguelFeio
https://www.linkedin.com/in/rfeio
g https://plus.google.com/+RuiMiguelFeio
Other Presentations
s http://www.slideshare.net/rmfeio
http://www.RuiFeio.com
Website