Post on 23-May-2020

SECURITY & COMPLIANCE CONFERENCE 2016

Vanguard SecurityCenter

John Hilman

Vanguard Professional Services

VSS6

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license

to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University

Trademarks

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

Session Topics

• Vanguard SecurityCenter™ Overview

• What is Vanguard SecurityCenter

• Navigating Through Vanguard SecurityCenter

• Customizing Vanguard SecurityCenter

• Using Vanguard SecurityCenter to Administer RACF®

What is Vanguard SecurityCenter?

• Windows-GUI Based RACF Administration Tool

– Also Administers Native DB2® Security

• Client/Server Architecture

– Client is a Windows Application

– Server is a z/OS® Started Task and an MVS™ Data Space

• RACF Data is “Live” – no Extract File needed

– Current Data is maintained in the MVS Data Space

• SecurityCenter/Workstation Connects to SecurityCenter/RACF Via TCP/IP

Starting Vanguard SecurityCenter

• Click on SecurityCenter ICON on desktop

• Select from “All Programs/Vanguard/SecurityCenter”

Adding Host Systems

Adding a Host System

Selecting a Host System

Signing on to Vanguard SecurityCenter

Navigating Through Vanguard SecurityCenter

• Menu Bar

– File, View, Insert, Action, Options, Help

• Tool Bar

• Status Bar

• Smart Icons

– Tool Bar, Tree Structures, and Worksheets

• Context Sensitive Shortcut Menus

• Drag and Drop; Copy and Paste

Vanguard SecurityCenter Workspace

Tool Bar

Status Bar

Menu Bar

Using the Menu Bar

• File - Contains commands for printing the active window, formatting reports, opening the files, and more.

• Edit - Contains commands for searching, undoing actions, and manipulating field text, such as copying, pasting, deleting items, and more.

• View - Contains commands for displaying items, such as the SecurityCenter toolbar and tree structures. Includes options for opening the SecurityCenter administration windows, expanding and collapsing tree structures, and changing the order of the Group Tree.

• Insert - Contains commands for inserting, or adding, new RACF profiles for users, resources and groups.

• Action - Contains commands for sending the SecurityCenter generated commands (displayed in the Command Status window) to the host for processing.

• Options - Contains commands for dynamically setting RACF options related to resource protection and for changing system preferences, such as the location of the log file.

• Window - Contains commands for managing windows, such as opening a new window, tiling multiple windows, cascading windows, and more.

• Help - Contains commands for opening the help file, contacting technical support, viewing release notes, and obtaining information about SecurityCenter, such as copyright information, free disk space, and memory availability.

File Edit View Insert Action Options Window Help

Customize Tool Bar

Select View, Toolbars, Customize

Select Appearance of Tool Bar

The Toolbar

Group Tree

Group and User Worksheet and Resource Explorer

Group, User, Ghost, Resource Administration

Create New Group, User, Resource

Help Desk Administration, Send Commands to Host, Scratch Pad, Command Status

Member Cross Reference, DB2 Administration

Copy, Paste

Undo, Redo

Filter

Filter Toolbar

Becomes Active when Using:

• Group Worksheet

• User Worksheet

• Resource Explorer

• Connections

• Access List

• Effective Access List

• Subgroups

• Owned Groups

• Owned Users

Filter Characters:

+ Represents 0 to n characters.

% Represents a single character.

* Represents 0 to 8 characters within a qualifier.

| Finds items that meet either condition specified.
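
An added sketch (not SecurityCenter's own code) of how the four filter characters listed above select names, useful for predicting which profiles a filter will return before acting on the result set. It assumes period-separated qualifiers, that `+` may span qualifiers, and case-insensitive comparison; the sample names are constructed.

```python
import re

# Constructed sample data set names, for illustration only.
NAMES = [
    "PAYROLL.PROD.MASTER",
    "PAYROLL.TEST.MASTER",
    "PAYROLL.PROD.HISTORY.Y2016",
    "SYS1.PARMLIB",
    "SYS2.PARMLIB",
    "HR.PROD.MASTER",
]


def filter_to_regex(pattern):
    """Translate a filter string using + % * | into a compiled regex."""
    alternatives = []
    for alt in pattern.split("|"):          # | : either condition may match
        parts = []
        for ch in alt.strip():
            if ch == "+":
                parts.append(".*")          # 0 to n characters (assumed to span qualifiers)
            elif ch == "%":
                parts.append(".")           # exactly one character
            elif ch == "*":
                parts.append("[^.]{0,8}")   # 0 to 8 characters, never crossing a period
            else:
                parts.append(re.escape(ch)) # literal, including the period separator
        alternatives.append("".join(parts))
    return re.compile("|".join(alternatives), re.IGNORECASE)


def select(pattern, names=NAMES):
    """Return the names that the whole filter matches, in input order."""
    rx = filter_to_regex(pattern)
    return [n for n in names if rx.fullmatch(n)]


if __name__ == "__main__":
    for f in ("PAYROLL.*.MASTER", "PAYROLL.*", "PAYROLL.+",
              "SYS%.PARMLIB", "SYS1.+|HR.+"):
        print(f"{f:20} -> {select(f)}")
```

Under these assumptions `PAYROLL.*` selects nothing from the sample while `PAYROLL.+` selects all three PAYROLL names, which is the practical difference between `*` and `+`.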

Working with Tree Structures

• Group Tree Explorer Window

– Opening Multiple Group Tree Windows

– Restructuring with Drag and Drop

• Group and User Worksheets

– Using the Filter Toolbar

• Resource Explorer Tree

– Class Families, Classes

• Access List and Owned Resources Tabs

Group Tree Explorer Window

Group Tree Explorer Window

Group Worksheet

User Worksheet

Adding a Field to the Worksheet

1. Right Mouse Click on the header bar

2. Select Add Field(s)

3. Select the field(s) you want to add

New Field Added

Resource Explorer Tree

Specify Filter

Select Resource

Working With Profiles

• Administering Group Profiles

• Adding Group Connections

• Administering User Profiles

• Cloning User IDs

• Help Desk Administration

• Administering Resource Profiles

Adding a Group Profile

1. Select New Group button

2. Fill In the blanks – Click OK

Group Installation Data

3. Fill In the Installation Data – Press Enter

Add a Group Connection

4. Click Connections Tab, enter the User ID you wish to connect to group

Send Commands to Host

5. Review commands in Command Status Tab

6. Click Send button

Adding a User Profile

1. Select New User button

2. Fill In the blanks – Click OK

TSO Segment Information

3. Select the TSO tab and fill in the information

Connect User to Groups

4. Select the Connections tab and enter the group name

Send to Host

5. Review Commands in Command Status Tab

6. Click Send button

Cloning a User Profile

1. Select New User button

2. Enter the User ID

3. Click Clone User

4. Enter the Clone ID

5. Fill In the User Name and Password

6. Select the segments to clone

Send to Host

7. Review Commands in Command Status Tab

8. Click Send button

Define Alias Command

Option to add Define Alias

Command Generation Tab

Side-by-Side Administration

Click the Tab and Pull Down

Side-by-Side Administration

Select groups to copy

Side-by-Side Administration

Drag and drop

Delete a User Profile - from Worksheets

1. Click the User

2. Press the Delete Key

Delete a User Profile - from User Admin

1. Click the User Administration button

2. Enter User ID to delete

3. Right mouse click above the tabs

4. Select Delete Item

Delete With Cleanup Wizard

Generated Commands to Delete User ID

Review Commands in Command Status Tab

Click Send button

Help Desk Administration

Click Help Desk button

Enter User ID

Help Desk Administration

Enter New Password and Verify, Uncheck the Revoked box, then press OK

Used to Establish a Future Revoke or Resume Date

What is a Hard Revoke?

• Purpose - Revoke a user in a way that the Help Desk cannot resume the user

• When a user is Hard Revoked, the user is revoked and a bit is set in the Userdata field of the user profile

• The Hard Revoke bit is looked at only by the Identity Manager function and Help Desk Administration

• Who can use Hard Revoke?

– System-SPECIAL

– User who is not System-SPECIAL must be authorized by FACILITY class profiles

Hard Revoke

Click Hard Revoke

Help Desk View

Help Desk View

Help Desk Administration Security

FACILITY Class profiles control:

• What User Profile fields may be viewed?

• What actions may be performed for which types of users?

$RIO.HDA.item.action.owner.userid

Help Desk Administration

View User Info

Revoke

Resume

Reset Password

FACILITY Profiles

Resource Administration

1. Click the Resource Administration button

Data Set Administration

2. Select Class Family and Class

3. Enter Data Set Profile Name

Working with the Access List

4. Select the Access List Tab

5. Enter the Group or User ID

6. Select the Access level

Review the Commands – Send to Host

7. Review Commands in Command Status Tab

8. Click Send button

Optional Generic Refresh

RACF Preferences can automatically issue Generic Refresh

Finding the Best Fitting Profile

1. Select View, Data Set Protection Analysis | Profile That Protects a Data Set

2. Enter the Full Data Set Name in the Pop Up Window

Profile Found

3. Double Click the Profile to Display

Profile Displayed

4. Click Effective Access List Tab

Find Data Sets Protected by Profile

1. Right Mouse Click next to Profile Name

2. Select Data Sets Protected By

Data Set Names Displayed

Clone Dataset Profile

1. Right Mouse Click next to Profile Name

2. Select Clone

Clone Dataset Profile

1. Enter New Dataset Profile Name

2. Click OK

Add BUDDY to Access List

Upload Commands to File

Specify PDS and Member Name

Commands Uploaded

Thanks for Attending