sec. admin
Release 6 of z/OS.e (5655-G52), and to all subsequent releases and modifications until otherwise indicated in new
editions.
IBM welcomes your comments. A form for readers’ comments may be provided at the back of this document, or you
may address your comments to the following address:
International Business Machines Corporation
2455 South Road
Poughkeepsie, NY 12601-5400
FAX (Other
Internet e-mail: [email protected]
World Wide Web: http://www.ibm.com/servers/eserver/zseries/zos/webqs.html
If you would like a reply, be sure to include your name, address, telephone number, or FAX number.
Make sure
• Page number or topic related to your comment
When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any
way it
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Softcopy publications . . . . . . . . . . . . . . . . . . . . . xxiii
RACF courses . . . . . . . . . . . . . . . . . . . . . . . xxiv
IBM systems center publications . . . . . . . . . . . . . . . . . . xxvi
Other sources of information . . . . . . . . . . . . . . . . . . . xxvi
IBM discussion areas . . . . . . . . . . . . . . . . . . . . . xxvi
Summary of changes . . . . . . . . . . . . . . . . . . . . . xxix
Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . 1
How RACF Meets Security Needs . . . . . . . . . . . . . . . . . . 2
User Identification and Verification . . . . . . . . . . . . . . . . . 2
Authorization Checking . . . . . . . . . . . . . . . . . . . . . 3
Logging and Reporting . . . . . . . . . . . . . . . . . . . . . 4
User Accountability . . . . . . . . . . . . . . . . . . . . . . . 5
Flexibility . . . . . . . . . . . . . . . . . . . . . . . . . . 9
RACF Transparency . . . . . . . . . . . . . . . . . . . . . . 10
Characteristics of a Multilevel-Secure Environment . . . . . . . . . . . 11
Administering Security . . . . . . . . . . . . . . . . . . . . . . 12
Delegating Administration Tasks . . . . . . . . . . . . . . . . . 12
Administering Security When a VM System Shares the RACF Database . . . 13
Using RACF Commands or Panels . . . . . . . . . . . . . . . . 13
RACF Group and User Structure . . . . . . . . . . . . . . . . . . 15
Defining Users and Groups . . . . . . . . . . . . . . . . . . . 15
Protecting Resources . . . . . . . . . . . . . . . . . . . . . 20
Selecting RACF Options . . . . . . . . . . . . . . . . . . . . 24
The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE Exits 24
The RACROUTE REQUEST=LIST Exits . . . . . . . . . . . . . . 24
The RACROUTE REQUEST=FASTAUTH Exits . . . . . . . . . . . . 24
The RACF Command Exits . . . . . . . . . . . . . . . . . . . 25
The RACF Password Processing Exit . . . . . . . . . . . . . . . 25
The RACF Password Authentication Exits . . . . . . . . . . . . . . 25
Tools for the Security Administrator . . . . . . . . . . . . . . . . . 25
Using RACF Utilities . . . . . . . . . . . . . . . . . . . . . . 25
© Copyright IBM Corp. 1994, 2005 iii
Listing Information from RACF Profiles . . . . . . . . . . . . . . . 29
Searching for RACF Profile Names . . . . . . . . . . . . . . . . 31
Using the LIST and SEARCH Commands Effectively . . . . . . . . . . 32
Chapter 2. Organizing for RACF Implementation . . . . . . . . . . . 35
Ensuring Management Commitment . . . . . . . . . . . . . . . . . 35
Defining Security Objectives and Preparing the Implementation Plan . . . . . 37
Deciding What to Protect . . . . . . . . . . . . . . . . . . . . . 37
Protecting Existing Data . . . . . . . . . . . . . . . . . . . . 38
Protecting New Data . . . . . . . . . . . . . . . . . . . . . . 38
Establishing Ownership Structures . . . . . . . . . . . . . . . . . . 41
Establishing Your RACF Group Structure . . . . . . . . . . . . . . 42
Educating the System Users . . . . . . . . . . . . . . . . . . . . 44
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Defining RACF Groups . . . . . . . . . . . . . . . . . . . . . . 50
Types of Groups . . . . . . . . . . . . . . . . . . . . . . . 50
Group Naming Conventions . . . . . . . . . . . . . . . . . . . 55
Group Ownership and Levels of Group Authority . . . . . . . . . . . 56
Summary of Steps for Defining a RACF Group . . . . . . . . . . . . . 59
Summary of Steps for Deleting Groups . . . . . . . . . . . . . . . . 60
Defining Users . . . . . . . . . . . . . . . . . . . . . . . . . 61
User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . 62
Ownership of a RACF User Profile . . . . . . . . . . . . . . . . 73
User Attributes . . . . . . . . . . . . . . . . . . . . . . . . 73
Suggestions for Assigning User Attributes . . . . . . . . . . . . . . 84
Verifying User Attributes . . . . . . . . . . . . . . . . . . . . 85
Assigning Security Categories, Levels, and Labels to Users . . . . . . . 85
Limiting When a User Can Access the System . . . . . . . . . . . . 86
Defining Protected User IDs . . . . . . . . . . . . . . . . . . . 87
Defining Restricted User IDs . . . . . . . . . . . . . . . . . . . 88
Summary of Steps for Defining Users . . . . . . . . . . . . . . . . 89
Summary of Steps for Deleting Users . . . . . . . . . . . . . . . . 91
General Considerations for User ID Delegation . . . . . . . . . . . . . 93
Chapter 4. Classifying Users and Data . . . . . . . . . . . . . . . 95
Security Classification of Users and Data . . . . . . . . . . . . . . . 95
Effect On RACF Authorization Checking . . . . . . . . . . . . . . 96
Understanding Security Levels and Security Categories . . . . . . . . . . 97
CATEGORY and SECLEVEL Information in Profiles . . . . . . . . . . 98
Converting from LEVEL to SECLEVEL . . . . . . . . . . . . . . . 98
Deleting UNKNOWN Categories . . . . . . . . . . . . . . . . . 98
Understanding Security Labels . . . . . . . . . . . . . . . . . . . 99
How Users Specify Current Security Labels . . . . . . . . . . . . . 101
Listing Security Labels . . . . . . . . . . . . . . . . . . . . 102
Finding Out Which Security Labels a User Can Use . . . . . . . . . . 102
Searching by Security Labels . . . . . . . . . . . . . . . . . . 102
Restricting Security Label Changes . . . . . . . . . . . . . . . . 103
Requiring Security Labels . . . . . . . . . . . . . . . . . . . 103
Planning Considerations for Security Labels . . . . . . . . . . . . . 104
Chapter 5. Specifying RACF Options . . . . . . . . . . . . . . . 107
Using the SETROPTS Command . . . . . . . . . . . . . . . . . 108
SETROPTS Options for Initial Setup . . . . . . . . . . . . . . . . 109
Establishing Password Syntax Rules (PASSWORD Option) . . . . . . . 109
Setting the Maximum Password Change Interval (PASSWORD Option) 110
Extending Password and User ID Processing (PASSWORD Option) . . . . 110
Revoking Unused User IDs (INACTIVE Option) . . . . . . . . . . . 111
Activating List-of-Groups Checking (GRPLIST Option) . . . . . . . . . 112
Setting the RVARY Passwords (RVARYPW Option) . . . . . . . . . . 113
Restricting the Creation of General Resource Profiles (GENERICOWNER
Option) . . . . . . . . . . . . . . . . . . . . . . . . . 114
Activating General Resource Classes (CLASSACT Option) . . . . . . . 115
Activating Generic Profile Checking and Generic Command Processing 116
Activating Statistics Collection (STATISTICS Option) . . . . . . . . . . 116
Activating Global Access Checking (GLOBAL Option) . . . . . . . . . 118
RACF-Protecting All Data Sets (PROTECTALL Option) . . . . . . . . . 119
Activating JES2 or JES3 RACF Support . . . . . . . . . . . . . . 120
Preventing Access to Uncataloged Data Sets (CATDSNS Option) . . . . . 120
Activating Enhanced Generic Naming for the DATASET Class (EGN Option) 121
Controlling Data Set Modeling (MODEL Option) . . . . . . . . . . . 122
Bypassing Automatic Data Set Protection (NOADSP Option) . . . . . . 122
Displaying and Logging Real Data Set Names (REALDSN Option) . . . . 123
Protecting Data Sets with Single-Qualifier Names (PREFIX Option) . . . . 123
Activating Tape Data Set Protection (TAPEDSN Option) . . . . . . . . 123
Activating Tape Volume Protection (CLASSACT(TAPEVOL) Option) . . . . 124
Establishing a Security Retention Period for Tape Data Sets (RETPD
Option) . . . . . . . . . . . . . . . . . . . . . . . . . 124
Establishing National Language Defaults (LANGUAGE Option) . . . . . . 126
SETROPTS Options to Activate In-Storage Profile Processing . . . . . . . 126
SETROPTS GENLIST Processing . . . . . . . . . . . . . . . . 126
SETROPTS RACLIST Processing . . . . . . . . . . . . . . . . 128
Refreshing In-Storage Generic Profile Lists (GENERIC REFRESH Option) 131
Refreshing Global Access Checking Lists (GLOBAL REFRESH Option) 132
Refreshing Shared Systems (REFRESH Option) . . . . . . . . . . . 132
SETROPTS Options for Special Purposes . . . . . . . . . . . . . . 132
Protecting Undefined Terminals (TERMINAL Option) . . . . . . . . . . 133
Activating the Security Classification of Users and Data . . . . . . . . 133
Establishing the Maximum VTAM Session Interval (SESSIONINTERVAL
Option) . . . . . . . . . . . . . . . . . . . . . . . . . 134
SETROPTS Options Related to Security Labels . . . . . . . . . . . . 135
Restricting Changes to Security Labels (SECLABELCONTROL option) 135
Preventing Changes to Security Labels (MLSTABLE Option) . . . . . . 135
Contents v
Quiescing RACF Activity (MLQUIET Option) . . . . . . . . . . . . . 136
Preventing the Copying of Data to a Lower Security Label (SETROPTS
MLS Option) . . . . . . . . . . . . . . . . . . . . . . . 136
Enforcing Multilevel Security (MLACTIVE Option) . . . . . . . . . . . 137
Restricting Access to z/OS UNIX Files and Directories (MLFSOBJ Option) 139
Restricting Access to Interprocess Communication Objects (MLIPCOBJ
Option) . . . . . . . . . . . . . . . . . . . . . . . . . 139
Activating Security Labels by System Image (SECLBYSYSTEM Option) 140
SETROPTS Options for Automatic Control of Access List Authority . . . . . 141
Automatic Addition of Creator’s User ID to Access List . . . . . . . . . 141
Automatic Omission of Creator’s User ID from Access List . . . . . . . 141
Specifying the Encryption Method for User Passwords . . . . . . . . . . 142
Using Started Procedures . . . . . . . . . . . . . . . . . . . . 143
Authorizing Access to Resources . . . . . . . . . . . . . . . . . 144
Setting Up the STARTED Class . . . . . . . . . . . . . . . . . 144
Using the Started Procedures Table (ICHRIN03) . . . . . . . . . . . 146
Started Procedure Considerations . . . . . . . . . . . . . . . . 147
Chapter 6. Protecting Data Sets on DASD and Tape . . . . . . . . . 149
Protecting Data Sets . . . . . . . . . . . . . . . . . . . . . . 150
Controlling the Creation of New Data Sets . . . . . . . . . . . . . 153
Data Set Profile Ownership . . . . . . . . . . . . . . . . . . . 155
Data Set Profiles . . . . . . . . . . . . . . . . . . . . . . . 155
Automatic Profile Modeling for Data Sets . . . . . . . . . . . . . . 163
Password-Protected Data Sets . . . . . . . . . . . . . . . . . 166
Protecting Data Sets That Have Duplicate Names . . . . . . . . . . 167
Disallowing Duplicate Names for Data Set Profiles . . . . . . . . . . 168
Using the PROTECT Operand or SECMODEL for Non-VSAM Data Sets 168
Protecting Multivolume Data Sets with Discrete Profiles . . . . . . . . 168
Protecting DASD Data Sets . . . . . . . . . . . . . . . . . . . . 169
Access Authorities for DASD Data Sets . . . . . . . . . . . . . . 169
Erasing of Scratched (Deleted) DASD Data Sets . . . . . . . . . . . 171
Protecting Catalogs . . . . . . . . . . . . . . . . . . . . . . 172
DASD Volume Authority . . . . . . . . . . . . . . . . . . . . . 173
DFDSS-Authorized Storage Administration . . . . . . . . . . . . . . 174
Choosing Which Tape-Related Options to Use . . . . . . . . . . . . 175
Protecting Existing Data on Tape (SETROPTS TAPEDSN in Effect) . . . . 177
Protecting New Data on Tape . . . . . . . . . . . . . . . . . . 178
Security Levels and Security Categories for Tapes . . . . . . . . . . 181
Security Labels for Tapes . . . . . . . . . . . . . . . . . . . 181
Tape Volume Profiles That Contain a TVTOC . . . . . . . . . . . . 182
Predefining Tape Volume Profiles for Tape Data Sets . . . . . . . . . 184
RACF Security Retention Period Processing (TAPEDSN Must Be Active) 185
Authorization Requirements for Tape Data Sets When Both TAPEVOL and
TAPEDSN Are Active . . . . . . . . . . . . . . . . . . . . 187
Authorization Requirements for Tape Data Sets When TAPEVOL Is Inactive
and TAPEDSN Is Active . . . . . . . . . . . . . . . . . . . 187
vi z/OS V1R6.0
Authorization Requirements for Tape Data Sets When TAPEVOL Is Active
and TAPEDSN Is Inactive . . . . . . . . . . . . . . . . . . 188
JCL Changes . . . . . . . . . . . . . . . . . . . . . . . . 188
Password-Protected Tape Data Sets . . . . . . . . . . . . . . . 189
Using the PROTECT Parameter for Tape Data Set or Tape Volume
Protection . . . . . . . . . . . . . . . . . . . . . . . . 189
RACF Authorization of Bypass Label Processing (BLP) . . . . . . . . 190
Authorization Requirements for Labels . . . . . . . . . . . . . . . 191
Tape Data Set and Tape Volume Protection with Nonstandard Labels (NSL) 191
Tape Data Set and Tape Volume Protection for Nonlabeled (NL) Tapes 191
Chapter 7. Protecting General Resources . . . . . . . . . . . . . . 193
Defining Profiles for General Resources . . . . . . . . . . . . . . . 195
Summary of Steps for Defining General Resource Profiles . . . . . . . 196
Choosing Between Discrete and Generic Profiles in General Resource
Classes . . . . . . . . . . . . . . . . . . . . . . . . . 198
RACFVARS Profiles . . . . . . . . . . . . . . . . . . . . . 199
Generic Profile Checking of General Resources . . . . . . . . . . . 202
Granting Access Authorities . . . . . . . . . . . . . . . . . . . 204
How Global Access Checking Works . . . . . . . . . . . . . . . 207
Candidates for Global Access Checking . . . . . . . . . . . . . . 207
Creating Global Access Checking Table Entries . . . . . . . . . . . 207
Stopping Global Access Checking for a Specific Class . . . . . . . . . 211
Listing the Global Access Checking Table . . . . . . . . . . . . . 212
Special Considerations for Global Access Checking . . . . . . . . . . 212
Field-Level Access Checking . . . . . . . . . . . . . . . . . . . 213
Delegating Authority to Profiles in the FACILITY Class . . . . . . . . . 219
Providing the Ability to List User Information . . . . . . . . . . . . . 219
Providing the Ability to Reset User Passwords . . . . . . . . . . . . 220
Creating Resource Group Profiles . . . . . . . . . . . . . . . . . 221
Adding a Resource to a Profile . . . . . . . . . . . . . . . . . 223
Deleting a Resource from a Profile . . . . . . . . . . . . . . . . 223
Which Profiles Protect a Particular Resource? . . . . . . . . . . . . 223
Resolving Conflicts among Multiple Profiles . . . . . . . . . . . . . 224
Considerations for Resource Group Profiles . . . . . . . . . . . . . 225
Using RACF Variables in Profile Names (RACFVARS Class) . . . . . . . 226
Defining RACF Variables . . . . . . . . . . . . . . . . . . . . 226
Example of Protecting Several Tape Volumes Using the RACFVARS Class 227
Using RACF Variables . . . . . . . . . . . . . . . . . . . . . 227
Controlling VTAM LU 6.2 Bind . . . . . . . . . . . . . . . . . . . 231
Protecting Applications . . . . . . . . . . . . . . . . . . . . . 233
Protecting File Services Provided by LFS/ESA . . . . . . . . . . . . . 234
Protecting Terminals . . . . . . . . . . . . . . . . . . . . . . 235
Limiting Specific Groups of Users to Specific Terminals . . . . . . . . 237
Limiting the Times That a Terminal Can Be Used . . . . . . . . . . . 238
Using Security Labels to Control Terminals . . . . . . . . . . . . . 238
Using the TSO LOGON Command with the RECONNECT Operand . . . . 238
Protecting Consoles . . . . . . . . . . . . . . . . . . . . . . 239
Using the Secured Signon Function . . . . . . . . . . . . . . . . . 240
The RACF PassTicket . . . . . . . . . . . . . . . . . . . . . 241
Defining Profiles in the PTKTDATA Class . . . . . . . . . . . . . . 241
When the Profile Definitions Are Complete . . . . . . . . . . . . . 247
How RACF Processes the Password or PassTicket . . . . . . . . . . 247
Enabling the Use of PassTickets . . . . . . . . . . . . . . . . . 249
Protecting the Vector Facility . . . . . . . . . . . . . . . . . . . 250
Controlling Access to Program Dumps . . . . . . . . . . . . . . . . 251
Using RACF to Control Access to Program Dumps . . . . . . . . . . 251
Using Non-RACF Methods to Control Access to Program Dumps . . . . . 253
Controlling the Allocation of Devices . . . . . . . . . . . . . . . . 253
Protecting LLA-Managed Data Sets . . . . . . . . . . . . . . . . . 255
Controlling Data Lookaside Facility (DLF) Objects (Hiperbatch) . . . . . . . 256
Using RACROUTE REQUEST=LIST,GLOBAL=YES Support . . . . . . . 259
The RACGLIST Class . . . . . . . . . . . . . . . . . . . . . 259
Controlling the Use of Remote Sharing Functions . . . . . . . . . . . . 266
Controlling Access to the RACLINK Command . . . . . . . . . . . . 267
Controlling Password Synchronization . . . . . . . . . . . . . . . 267
Controlling Automatic Direction . . . . . . . . . . . . . . . . . 269
Controlling Message Traffic . . . . . . . . . . . . . . . . . . . . 273
RACF and APPC . . . . . . . . . . . . . . . . . . . . . . . 276
Protection of APPC/MVS Transaction Programs (TPs) . . . . . . . . . 277
LU Security Capabilities . . . . . . . . . . . . . . . . . . . . 278
Origin LU Authorization . . . . . . . . . . . . . . . . . . . . 278
RACF and CICS . . . . . . . . . . . . . . . . . . . . . . . . 279
RACF and DB2 . . . . . . . . . . . . . . . . . . . . . . . . 279
RACF and ICSF . . . . . . . . . . . . . . . . . . . . . . . . 279
RACF Support for NDS and Lotus Notes for z/OS . . . . . . . . . . . 280
Administering Application User Identities . . . . . . . . . . . . . . 280
System Considerations . . . . . . . . . . . . . . . . . . . . 281
Considerations for Application User Names . . . . . . . . . . . . . 284
Storing encryption keys using the KEYSMSTR class . . . . . . . . . . 284
Steps for storing a key in a KEYSMSTR profile . . . . . . . . . . . 285
Chapter 8. Administering the Dynamic Class Descriptor Table (CDT) 287
Overview of the class descriptor table . . . . . . . . . . . . . . . . 287
Using the dynamic CDT . . . . . . . . . . . . . . . . . . . . . 288
Profiles in the CDT class . . . . . . . . . . . . . . . . . . . . 289
Adding a dynamic class with a unique POSIT value . . . . . . . . . . . 290
Steps for adding a dynamic class with a unique POSIT value . . . . . . 290
Adding a dynamic class that shares a POSIT value . . . . . . . . . . . 291
When a POSIT value is shared . . . . . . . . . . . . . . . . . 292
Steps for adding a dynamic class with a shared POSIT value . . . . . . 292
Changing a POSIT value for a dynamic class . . . . . . . . . . . . . 293
Steps for changing a POSIT value of an existing dynamic class . . . . . 293
Guidelines for changing dynamic CDT entries . . . . . . . . . . . . . 294
Deleting a class from the dynamic CDT . . . . . . . . . . . . . . . 296
Steps for deleting a dynamic CDT class . . . . . . . . . . . . . . 296
Disabling the dynamic CDT . . . . . . . . . . . . . . . . . . . . 298
Re-enabling a previously defined dynamic class . . . . . . . . . . . . 298
Steps to re-enable a previously defined dynamic class . . . . . . . . . 299
Recommendation for moving to the dynamic CDT . . . . . . . . . . . 299
Sysplex considerations for the dynamic CDT . . . . . . . . . . . . . 301
Shared system considerations for the dynamic CDT . . . . . . . . . . . 301
RRSF considerations for the dynamic CDT . . . . . . . . . . . . . . 302
Chapter 9. Protecting Programs . . . . . . . . . . . . . . . . . 303
Program security modes . . . . . . . . . . . . . . . . . . . . . 305
Program control by SMFID in BASIC or ENHANCED mode . . . . . . . 308
Maintaining a clean environment in BASIC or ENHANCED mode . . . . . 309
More complex controls: Using EXECUTE access for programs or libraries
(BASIC mode) . . . . . . . . . . . . . . . . . . . . . . . 310
Migrating from BASIC to ENHANCED program security mode . . . . . . 311
Protecting program libraries . . . . . . . . . . . . . . . . . . . . 313
Program access to data sets (PADS) in BASIC mode . . . . . . . . . 314
Choosing between the PADCHK and NOPADCHK operands . . . . . . 318
Program access to SERVAUTH resources in BASIC or ENHANCED mode 319
ENHANCED program security mode . . . . . . . . . . . . . . . . 320
Program access to data sets (PADS) in ENHANCED mode . . . . . . . 320
Using EXECUTE access for programs and libraries in ENHANCED mode 321
When to use MAIN or BASIC . . . . . . . . . . . . . . . . . . 321
Defining programs as MAIN or BASIC . . . . . . . . . . . . . . . 323
How protection works for programs and PADS . . . . . . . . . . . . . 324
How program control works . . . . . . . . . . . . . . . . . . . 324
Informational messages for program control . . . . . . . . . . . . . 325
Authorization checking for access control to load modules . . . . . . . 325
Authorization checking for access control to data sets . . . . . . . . . 326
Processing for execute-controlled libraries . . . . . . . . . . . . . . 327
Examples of controlling programs and using PADS . . . . . . . . . . . 329
Examples of defining load modules as controlled programs . . . . . . . 329
Examples of setting up program access to data sets . . . . . . . . . 330
Example of setting up an execute-controlled library . . . . . . . . . . 331
Example of setting up program control by system ID . . . . . . . . . 331
Chapter 10. Operating Considerations . . . . . . . . . . . . . . . 333
Coordinating Profile Updates . . . . . . . . . . . . . . . . . . . 333
Getting Started with RACF (after First Installing RACF) . . . . . . . . . 335
Logging On as IBMUSER and Checking Initial Conditions . . . . . . . 336
Defining Administrator User IDs for Your Own Use . . . . . . . . . . 337
Defining at Least One User ID to Be Used for Emergencies Only . . . . . 337
Logging on as RACFADM, Checking Groups and Users, and Revoking
IBMUSER . . . . . . . . . . . . . . . . . . . . . . . . 337
Defining a System-Wide Auditor . . . . . . . . . . . . . . . . . 338
Defining Users and Groups . . . . . . . . . . . . . . . . . . . 338
Defining Group Administrators, Group Auditors, and Data Managers . . . . 338
Protecting System Data Sets . . . . . . . . . . . . . . . . . . 340
Setting RACF Options . . . . . . . . . . . . . . . . . . . . . 340
JCL Parameters Related to RACF . . . . . . . . . . . . . . . . . 344
Restarting Jobs . . . . . . . . . . . . . . . . . . . . . . . . 345
Authorizing Only RACF-Defined Users to Access RACF-Protected Resources 346
Using the TSO or ISPF Editor . . . . . . . . . . . . . . . . . . . 347
Service by IBM Personnel . . . . . . . . . . . . . . . . . . . . 347
Failsoft Processing . . . . . . . . . . . . . . . . . . . . . . . 347
Considerations for RACF Databases . . . . . . . . . . . . . . . . 348
Backup RACF Database . . . . . . . . . . . . . . . . . . . . 349
Sharing Data without Sharing a RACF Database . . . . . . . . . . . 350
Number of Resident Data Blocks . . . . . . . . . . . . . . . . . 350
Chapter 11. Working With The RACF Database . . . . . . . . . . . 351
Using the RACF Database Unload Utility (IRRDBU00) . . . . . . . . . . 352
Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . 352
Allowable Parameters . . . . . . . . . . . . . . . . . . . . . 355
IRRRID00 Job Control Statements . . . . . . . . . . . . . . . . 374
Finding Residual IDs . . . . . . . . . . . . . . . . . . . . . 377
IRRRID00 Output . . . . . . . . . . . . . . . . . . . . . . 379
Processing Profiles and Resources . . . . . . . . . . . . . . . . 381
What IRRRID00 Verifies . . . . . . . . . . . . . . . . . . . . 382
Processing a Hierarchy of Groups . . . . . . . . . . . . . . . . 383
Processing Global Profiles . . . . . . . . . . . . . . . . . . . 383
Processing MEMBER Data . . . . . . . . . . . . . . . . . . . 384
Processing Universal Groups . . . . . . . . . . . . . . . . . . 384
IRRRID00 and Tivoli . . . . . . . . . . . . . . . . . . . . . 384
Chapter 12. The RACF Remote Sharing Facility (RRSF) . . . . . . . . 387
The RRSF Network . . . . . . . . . . . . . . . . . . . . . . . 388
Types of User ID Associations . . . . . . . . . . . . . . . . . . 390
Password Synchronization . . . . . . . . . . . . . . . . . . . 391
The RACLINK Command . . . . . . . . . . . . . . . . . . . . 392
User ID Associations . . . . . . . . . . . . . . . . . . . . . . 393
Command Direction . . . . . . . . . . . . . . . . . . . . . . . 395
Directing Commands Using the AT Option . . . . . . . . . . . . . 396
Directing Commands Using the ONLYAT Option . . . . . . . . . . . 399
Automatic Direction . . . . . . . . . . . . . . . . . . . . . . . 399
Output Processing . . . . . . . . . . . . . . . . . . . . . . 403
Synchronization . . . . . . . . . . . . . . . . . . . . . . 408
Using Automatic Direction of Application Updates . . . . . . . . . . . 413
Using Automatic Password Direction . . . . . . . . . . . . . . . . 416
Relationship to User ID Associations . . . . . . . . . . . . . . . 416
RRSF Considerations for JES Security . . . . . . . . . . . . . . 416
RRSF Considerations for Network Authentication Service . . . . . . . . 416
Synchronizing Database Profiles . . . . . . . . . . . . . . . . . . 417
RACF Support for DB2 Authorization . . . . . . . . . . . . . . . . 421
Configuring the RACF DB2 External Security Module . . . . . . . . . . 421
Migrating to the RACF DB2 External Security Module . . . . . . . . . . 422
RACF Profile Checking . . . . . . . . . . . . . . . . . . . . . 422
Matching Schema Names . . . . . . . . . . . . . . . . . . . . 422
Protecting DB2 Objects . . . . . . . . . . . . . . . . . . . . . 423
DROP and ALTER INDEX Privileges . . . . . . . . . . . . . . . 432
CREATETMTAB Privilege . . . . . . . . . . . . . . . . . . . 432
The XAPLDIAG Output Parameter . . . . . . . . . . . . . . . . 433
DB2 Aliases for System-Directed Access . . . . . . . . . . . . . . 434
Considerations for Remote and Local Resources . . . . . . . . . . . 434
DB2 GRANT commands . . . . . . . . . . . . . . . . . . . . 434
Authority Checking for All Packages in a Collection . . . . . . . . . . 434
Administering the RACF External Security Module . . . . . . . . . . . 436
Initialization . . . . . . . . . . . . . . . . . . . . . . . . . 436
Authorization processing examples . . . . . . . . . . . . . . . . . 439
Example 2: Allowing access (auditing for all attempts) . . . . . . . . . 440
Example 3: Denying access . . . . . . . . . . . . . . . . . . . 441
Example 4: Deferring to DB2 . . . . . . . . . . . . . . . . . . 442
Example 5: Allowing access (multiple-subsystem scope) . . . . . . . . 443
Example 6: Allowing access (single-subsystem scope) . . . . . . . . . 444
Converting DB2 Authorizations to RACF Profiles . . . . . . . . . . . . 445
Common Problems and Considerations . . . . . . . . . . . . . . . 445
Chapter 14. RACF and DCE . . . . . . . . . . . . . . . . . . . 447
Cross Linking DCE Identities and RACF User IDs . . . . . . . . . . . 447
Defining Cross Linking Information . . . . . . . . . . . . . . . . 448
The RACF DCEUUIDS Class . . . . . . . . . . . . . . . . . . . 449
Defining Profiles to the RACF DCEUUIDS Class . . . . . . . . . . . 449
Activating the DCEUUIDS Class . . . . . . . . . . . . . . . . . 449
Administering DCE Information in RACF . . . . . . . . . . . . . . . 449
Single Signon Support for DCE . . . . . . . . . . . . . . . . . . 450
Using Encryption with Single Signon . . . . . . . . . . . . . . . 451
Chapter 15. RACF and Tivoli Products . . . . . . . . . . . . . . . 453
Establishing a RACF Identity for a Tivoli Administrator . . . . . . . . . . 453
Listing Profiles in the TMEADMIN Class . . . . . . . . . . . . . . 453
Chapter 16. RACF and Information Management System (IMS) . . . . . 455
Overview of RACF and IMS . . . . . . . . . . . . . . . . . . . . 455
Controlling Access to IMS System Data Sets and Databases . . . . . . . 456
IMS System Generation Considerations . . . . . . . . . . . . . . . 457
Establishing Audit Trail Capabilities . . . . . . . . . . . . . . . . . 459
Controlling Access to IMS Control Regions . . . . . . . . . . . . . . 461
Controlling Access to IMS Transactions . . . . . . . . . . . . . . . 461
Grouping IMS Transactions under a Common Profile . . . . . . . . . 462
Controlling Access to IMS Physical Terminals . . . . . . . . . . . . . 463
Authorization to IMS/ESA Control Region Resources . . . . . . . . . . 463
Defining Application Group Names for IMS . . . . . . . . . . . . . 464
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Planning for Security . . . . . . . . . . . . . . . . . . . . . . 468
Defining JES as a RACF Started Procedure . . . . . . . . . . . . . . 469
Forcing Batch Users to Identify Themselves to RACF . . . . . . . . . . 470
Support for Execution Batch Monitor (XBM) (JES2 Only) . . . . . . . . . 470
Defining and Grouping Operators . . . . . . . . . . . . . . . . . . 470
JES User ID Early Verification . . . . . . . . . . . . . . . . . . . 471
User ID Propagation When Jobs Are Submitted . . . . . . . . . . . . 471
Allowing Surrogate Job Submission . . . . . . . . . . . . . . . . 471
Controlling User ID Propagation in a Local Environment . . . . . . . . 473
Using Protected User IDs for Batch Jobs . . . . . . . . . . . . . . . 474
Propagating Protected User IDs . . . . . . . . . . . . . . . . . 474
Using Protected User IDs for Surrogate Job Submission . . . . . . . . 474
Controlling Access to Data Sets JES Uses . . . . . . . . . . . . . . 476
Controlling Input to Your System . . . . . . . . . . . . . . . . . . 477
How RACF Validates Users . . . . . . . . . . . . . . . . . . . 477
Controlling the Use of Job Names . . . . . . . . . . . . . . . . 478
Authorizing the Use of Input Sources . . . . . . . . . . . . . . . 481
Authorizing Network Jobs and SYSOUT (NJE) . . . . . . . . . . . . . 482
Authorizing Inbound Work . . . . . . . . . . . . . . . . . . . 483
Authorizing Outbound Work . . . . . . . . . . . . . . . . . . . 500
Defining Profiles for SYSIN and SYSOUT Data Sets . . . . . . . . . 501
Letting Users Create Their Own JESSPOOL Profiles . . . . . . . . . 503
Protecting JESNEWS . . . . . . . . . . . . . . . . . . . . . 504
Protecting SYSLOG . . . . . . . . . . . . . . . . . . . . . 506
Spool Offload Considerations (JES2 Only) . . . . . . . . . . . . . 506
How RACF Affects Jobs Dumped from and Restored to Spool (JES3 Only) 507
Authorizing Console Access . . . . . . . . . . . . . . . . . . . 507
JES3 Consoles . . . . . . . . . . . . . . . . . . . . . . . 510
Controlling Where Output Can Be Processed . . . . . . . . . . . . . 510
Authorizing the Use of Your Installation’s Printers . . . . . . . . . . . . 511
Authorizing the Use of Operator Commands . . . . . . . . . . . . . 512
Commands from RJE Work Stations . . . . . . . . . . . . . . . 512
Commands from NJE Nodes . . . . . . . . . . . . . . . . . . 512
Who Authorizes Commands When RACF Is Active . . . . . . . . . . 513
Chapter 18. RACF and Storage Management Subsystem (SMS) . . . . . 515
Overview of RACF and SMS . . . . . . . . . . . . . . . . . . . 515
RACF General Resource Classes for Protecting SMS Classes . . . . . . . 515
Controlling the Use of SMS Classes . . . . . . . . . . . . . . . . 516
Refreshing Profiles for SETROPTS RACLIST Processing for MGMTCLAS
and STORCLAS . . . . . . . . . . . . . . . . . . . . . . 517
DFP Segment in User and Group Profiles . . . . . . . . . . . . . 518
DFP Segment in Data Set Profiles . . . . . . . . . . . . . . . . 519
How RACF Uses the Information in the DFP Segments . . . . . . . . 520
Controlling Access to the DFP Segment . . . . . . . . . . . . . . 520
Controlling the Use of Other SMS Resources . . . . . . . . . . . . . 523
Chapter 19. RACF and TSO/E . . . . . . . . . . . . . . . . . . 525
TSO/E Administration Considerations . . . . . . . . . . . . . . . . 525
Protecting TSO Resources . . . . . . . . . . . . . . . . . . . . 526
Field-Level Access Checking for TSO . . . . . . . . . . . . . . . . 529
Controlling the Use of the TSO SEND Command . . . . . . . . . . . . 529
Restricting Spool Access by TSO Users . .