racf6 ichza7c0


Upload: siranjeevi-mohana-raja

Post on 28-Oct-2015


z/OS
Security Server RACF Security Administrator's Guide
SA22-7683-15

Note: Before using this information and the product it supports, be sure to read the general information under "Notices" on page 781.

This edition applies to z/OS Version 1 Release 13 of z/OS (5694-A01) and to all subsequent releases and modifications until otherwise indicated in new editions.

This edition replaces SA22-7683-14.

Copyright IBM Corporation 1994, 2011.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . xiii
Tables . . . xv

About this document . . . xvii
  Who should use this document . . . xvii
  How to use this document . . . xvii
  Where to find more information . . . xvii
    Softcopy documents . . . xvii
    RACF courses . . . xviii
    IBM systems center publications . . . xviii
    Other sources of information . . . xix
      Internet sources . . . xix
      The z/OS Basic Skills Information Center . . . xx
    To request copies of IBM publications . . . xx
How to send your comments to IBM . . . xxi
  If you have a technical problem . . . xxi

Summary of changes . . . xxiii
  Changes made in z/OS Version 1 Release 13, SA22-7683-15 . . . xxiii
  Changes made in z/OS Version 1 Release 12, SA22-7683-14 . . . xxiv
  Changes made in z/OS Version 1 Release 11, SA22-7683-13 . . . xxv

Chapter 1. Introduction . . . 1
  How RACF Meets Security Needs . . . 2
    User Identification and Verification . . . 2
    Authorization Checking . . . 3
    Logging and Reporting . . . 4
    User Accountability . . . 5
    Flexibility . . . 9
    RACF Transparency . . . 10
    Implementing Multilevel Security . . . 10
  Multilevel Security . . . 10
    Characteristics of a Multilevel-Secure Environment . . . 11
  Administering Security . . . 12
    Delegating Administration Tasks . . . 12
    Administering Security When a z/VM System Shares the RACF Database . . . 13
    Using RACF Commands or Panels . . . 13
  RACF Group and User Structure . . . 15
    Defining Users and Groups . . . 16
    Protecting Resources . . . 20
    Security Classification of Users and Data . . . 24
    Selecting RACF Options . . . 24
  Using RACF Installation Exits to Customize RACF . . . 24
    The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits . . . 24
    The RACROUTE REQUEST=LIST exits . . . 25
    The RACROUTE REQUEST=FASTAUTH exits . . . 25
    The RACF command exits . . . 25
    The RACF password processing exits . . . 25
    The RACF password authentication exits . . . 26
  Tools for the Security Administrator . . . 26
    Using RACF utilities . . . 26
    RACF block update command (BLKUPD) . . . 28
    Using the RACF report writer . . . 28
    Using the data security monitor . . . 29
    Recording statistics in RACF profiles . . . 29
    Listing information from RACF profiles . . . 29
    Searching for RACF profile names . . . 32
    Using the LIST and SEARCH commands effectively . . . 32

Chapter 2. Organizing for RACF Implementation . . . 37
  Ensuring Management Commitment . . . 37
  Selecting the Security Implementation Team . . . 38
    Responsibilities of the Implementation Team . . . 38
  Defining Security Objectives and Preparing the Implementation Plan . . . 39
  Deciding What to Protect . . . 39
    Protecting Existing Data . . . 40
    Protecting New Data . . . 40
    Allowing a Warning Period . . . 43
  Establishing Ownership Structures . . . 43
    Selecting User IDs and Group Names . . . 43
    Establishing Your RACF Group Structure . . . 44
  Educating the System Users . . . 46
  Summary . . . 48

Chapter 3. Defining Groups and Users . . . 51
  Defining RACF Groups . . . 52
    Types of Groups . . . 52
    Group Profiles . . . 54
    Defining Large Groups with the UNIVERSAL Attribute . . . 56
    Group Naming Conventions . . . 57
    Benefits of Using RACF Groups . . . 57
    Group Ownership and Levels of Group Authority . . . 59
  Summary of Steps for Defining a RACF Group . . . 61
  Summary of Steps for Deleting Groups . . . 62
  Defining Users . . . 63
    User Profiles . . . 64
    User Naming Conventions . . . 75
    Suggestions for Defining User IDs . . . 75
    Ownership of a RACF User Profile . . . 76
    User Attributes . . . 76
    User Attributes at the Group Level . . . 82
    Suggestions for Assigning User Attributes . . . 87
    Verifying User Attributes . . . 88
    Default Universal Access Authority (UACC) . . . 88
    Assigning Security Categories, Levels, and Labels to Users . . . 88

    Copyright IBM Corp. 1994, 2011 iii

    Limiting When a User Can Access the System . . . 89
    Defining protected user IDs . . . 90
    Defining restricted user IDs . . . 91
    Assigning password phrases . . . 92
  Summary of Steps for Defining Users . . . 94
  Summary of Steps for Deleting Users . . . 96
  General Considerations for User ID Delegation . . . 98

Chapter 4. Classifying Users and Data . . . 101
  Security Classification of Users and Data . . . 101
    Effect On RACF Authorization Checking . . . 102
  Understanding Security Levels and Security Categories . . . 103
    CATEGORY and SECLEVEL Information in Profiles . . . 104
    Converting from LEVEL to SECLEVEL . . . 104
    Deleting UNKNOWN Categories . . . 104
    Maintaining Categories in an RRSF Environment . . . 104
  Understanding Security Labels . . . 105
    Comparing Security Labels . . . 105
    Considerations Related to Security Labels . . . 106
    How Users Specify Current Security Labels . . . 107
    Listing Security Labels . . . 108
    Finding Out Which Security Labels a User Can Use . . . 108
    Searching by Security Labels . . . 108
    Restricting Security Label Changes . . . 109
    Requiring Security Labels . . . 109
    Controlling the Writedown Privilege . . . 109
    Planning Considerations for Security Labels . . . 110

Chapter 5. Specifying RACF Options . . . 113
  Using the SETROPTS Command . . . 114
  SETROPTS Options for Initial Setup . . . 115
    Allowing Mixed-Case Passwords (PASSWORD Option) . . . 116
    Establishing Password Syntax Rules (PASSWORD Option) . . . 117
    Setting the Maximum and Minimum Change Interval (PASSWORD Option) . . . 117
    Extending Password and User ID Processing (PASSWORD Option) . . . 118
    Revoking Unused User IDs (INACTIVE Option) . . . 119
    Activating List-of-Groups Checking (GRPLIST Option) . . . 120
    Setting the RVARY Passwords (RVARYPW Option) . . . 121
    Restricting the Creation of General Resource Profiles (GENERICOWNER Option) . . . 121
    Activating General Resource Classes (CLASSACT Option) . . . 123
    Activating Generic Profile Checking and Generic Command Processing . . . 123
    Activating statistics collection (STATISTICS option) . . . 124
    Activating Global Access Checking (GLOBAL Option) . . . 128
    RACF-Protecting All Data Sets (PROTECTALL Option) . . . 128
    Activating JES2 or JES3 RACF Support . . . 129
    Preventing Access to Uncataloged Data Sets (CATDSNS Option) . . . 129
    Activating Enhanced Generic Naming for the DATASET Class (EGN Option) . . . 131
    Controlling Data Set Modeling (MODEL Option) . . . 131
    Bypassing Automatic Data Set Protection (NOADSP Option) . . . 132
    Displaying and Logging Real Data Set Names (REALDSN Option) . . . 132
    Protecting Data Sets with Single-Qualifier Names (PREFIX Option) . . . 132
    Activating Tape Data Set Protection (TAPEDSN Option) . . . 133
    Activating Tape Volume Protection (TAPEVOL Option) . . . 133
    Establishing a Security Retention Period for Tape Data Sets (RETPD Option) . . . 133
    Erasing Scratched or Released Data (ERASE Option) . . . 135
    Establishing National Language Defaults (LANGUAGE Option) . . . 136
  SETROPTS Options to Activate In-Storage Profile Processing . . . 136
    SETROPTS GENLIST Processing . . . 137
    SETROPTS RACLIST Processing . . . 138
  SETROPTS REFRESH Option for Special Cases . . . 141
    Refreshing In-Storage Generic Profile Lists (GENERIC REFRESH Option) . . . 141
    Refreshing Global Access Checking Lists (GLOBAL REFRESH Option) . . . 142
    Refreshing Shared Systems (REFRESH Option) . . . 142
  SETROPTS Options for Special Purposes . . . 143
    Protecting Undefined Terminals (TERMINAL Option) . . . 143
    Activating the Security Classification of Users and Data . . . 143
    Establishing the Maximum VTAM Session Interval (SESSIONINTERVAL Option) . . . 144
    Activating Program Control (WHEN(PROGRAM) Option) . . . 144
  SETROPTS Options Related to Security Labels . . . 145
    Restricting Changes to Security Labels (SECLABELCONTROL option) . . . 145
    Preventing Changes to Security Labels (MLSTABLE Option) . . . 146
    Quiescing RACF Activity (MLQUIET Option) . . . 146
    Preventing the Copying of Data to a Lower Security Label (SETROPTS MLS Option) . . . 147
    Activating Compatibility Mode For Security Labels (COMPATMODE Option) . . . 147
    Enforcing Multilevel Security (MLACTIVE Option) . . . 148
    Restricting Access to z/OS UNIX Files and Directories (MLFSOBJ Option) . . . 150
    Restricting Access to Interprocess Communication Objects (MLIPCOBJ Option) . . . 150
    Using Name-hiding (MLNAMES Option) . . . 151
    Activating Security Labels by System Image (SECLBYSYSTEM Option) . . . 151


  SETROPTS Options for Automatic Control of Access List Authority . . . 152
    Automatic Addition of Creator's User ID to Access List . . . 152
    Automatic Omission of Creator's User ID from Access List . . . 152
  Specifying the Encryption Method for User Passwords . . . 152
  Using Started Procedures . . . 153
    Assigning RACF User IDs to Started Procedures . . . 154
    Authorizing Access to Resources . . . 155
    Setting Up the STARTED Class . . . 155
    Using the Started Procedures Table (ICHRIN03) . . . 157
    Started Procedure Considerations . . . 158

Chapter 6. Protecting Data Sets on DASD and Tape . . . 161
  Protecting Data Sets . . . 162
    Rules for Defining Data Set Profiles . . . 162
    Controlling the Creation of New Data Sets . . . 165
    Data Set Profile Ownership . . . 166
    Data Set Profiles . . . 167
    Rules for Generic Data Set Profile Names . . . 168
    Automatic Profile Modeling for Data Sets . . . 175
    Password-Protected Data Sets . . . 177
    Protecting GDG Data Sets . . . 178
    Protecting Data Sets That Have Duplicate Names . . . 179
    Disallowing Duplicate Names for Data Set Profiles . . . 179
    Using the PROTECT Operand or SECMODEL for Non-VSAM Data Sets . . . 179
    Protecting Multivolume Data Sets with Discrete Profiles . . . 180
  Protecting DASD Data Sets . . . 181
    Access Authorities for DASD Data Sets . . . 181
    Erasing of Scratched (Deleted) DASD Data Sets . . . 182
    Comparison of Password and RACF Authorization Requirements for VSAM . . . 183
    Protecting Catalogs . . . 183
    Protecting DASD System Data Sets . . . 183
  DASD Volume Authority . . . 185
  DFSMSdss Storage Administration . . . 186
  Protecting Data on Tape . . . 186
    Using DFSMSrmm with RACF . . . 187
    Choosing Which Tape-Related Options to Use . . . 187
    Protecting Existing Data on Tape (SETROPTS TAPEDSN in Effect) . . . 189
    Protecting New Data on Tape . . . 190
    Security Levels and Security Categories for Tapes . . . 193
    Security Labels for Tapes . . . 194
    Tape Volume Profiles That Contain a TVTOC . . . 194
    Predefining Tape Volume Profiles for Tape Data Sets . . . 196
    RACF Security Retention Period Processing (TAPEDSN Must Be Active) . . . 197
    Authorization Requirements for Tape Data Sets When Both TAPEVOL and TAPEDSN Are Active . . . 199
    Authorization Requirements for Tape Data Sets When TAPEVOL Is Inactive and TAPEDSN Is Active . . . 200
    Authorization Requirements for Tape Data Sets When TAPEVOL Is Active and TAPEDSN Is Inactive . . . 200
    JCL Changes . . . 200
    Installations with DFSMShsm . . . 200
    IEC.TAPERING Profile in the FACILITY Class . . . 201
    Password-Protected Tape Data Sets . . . 201
    Using the PROTECT Parameter for Tape Data Set or Tape Volume Protection . . . 201
    Multivolume Tape Data Sets . . . 202
    RACF Authorization of Bypass Label Processing (BLP) . . . 202
    Authorization Requirements for Labels . . . 203
    Tape Data Set and Tape Volume Protection with Nonstandard Labels (NSL) . . . 203
    Tape Data Set and Tape Volume Protection for Nonlabeled (NL) Tapes . . . 203

Chapter 7. Protecting General Resources . . . 205
  Defining Profiles for General Resources . . . 207
    Summary of Steps for Defining General Resource Profiles . . . 207
    Choosing Between Discrete and Generic Profiles in General Resource Classes . . . 210
    Disallowing Generic Profile Names for General Resources . . . 210
    Choosing Among Generic Profiles, Resource Group Profiles, and RACFVARS Profiles . . . 211
    Rules for Generic Profile Names . . . 211
    Generic Profile Checking of General Resources . . . 213
    Generic Profile Performance . . . 215
    Granting Access Authorities . . . 216
    Conditional Access Lists for General Resource Profiles . . . 217
  Setting Up the Global Access Checking Table . . . 218
    How Global Access Checking Works . . . 219
    Candidates for Global Access Checking . . . 219
    Creating Global Access Checking Table Entries . . . 219
    Stopping Global Access Checking for a Specific Class . . . 223
    Listing the Global Access Checking Table . . . 223
    Special Considerations for Global Access Checking . . . 223
  Field-level access checking . . . 225
  Planning for Profiles in the FACILITY Class . . . 232
    Delegating help desk functions . . . 232
    Delegating authority to profiles in the FACILITY class . . . 233
  Creating Resource Group Profiles . . . 233
    Adding a Resource to a Profile . . . 235
    Deleting a Resource from a Profile . . . 235
    Which Profiles Protect a Particular Resource? . . . 235
    Resolving Conflicts among Multiple Profiles . . . 235
    Considerations for Resource Group Profiles . . . 236
  Using RACF Variables in Profile Names (RACFVARS Class) . . . 237
    Defining RACF Variables . . . 238


    Example of Protecting Several Tape Volumes Using the RACFVARS Class . . . 238
    Using RACF Variables . . . 239
    How RACF uses the RACFVARS member list . . . 240
    Using RACFVARS with Mixed-Case Classes . . . 242
  Controlling VTAM LU 6.2 Bind . . . 243
  Protecting Applications . . . 245
  Protecting DFP-Managed Temporary Data Sets . . . 246
  Protecting File Services Provided by LFS/ESA . . . 246
  Protecting Terminals . . . 247
    Creating Profiles in the TERMINAL and GTERMINL Classes . . . 247
    Controlling the Use of Undefined Terminals . . . 248
    Limiting Specific Groups of Users to Specific Terminals . . . 249
    Limiting the Times That a Terminal Can Be Used . . . 250
    Using Security Labels to Control Terminals . . . 250
    Using the TSO LOGON Command with the RECONNECT Operand . . . 250
  Protecting Consoles . . . 251
    Using Security Labels to Control Consoles . . . 252
  Using the Secured Signon Function . . . 252
    The RACF PassTicket . . . 253
    Activating the PTKTDATA Class . . . 253
    Defining Profiles in the PTKTDATA Class . . . 253
    When the Profile Definitions Are Complete . . . 259
    How RACF Processes the Password or PassTicket . . . 259
    Enabling the Use of PassTickets . . . 261
  Protecting the Vector Facility . . . 263
  Controlling Access to Program Dumps . . . 263
    Using RACF to Control Access to Program Dumps . . . 263
    Using Non-RACF Methods to Control Access to Program Dumps . . . 265
  Controlling the Allocation of Devices . . . 265
  Protecting LLA-Managed Data Sets . . . 268
  Controlling Data Lookaside Facility (DLF) Objects (Hiperbatch) . . . 269
  Using RACROUTE REQUEST=LIST,GLOBAL=YES Support . . . 271
    The RACGLIST Class . . . 271
  Administering the Use of Operator Commands . . . 272
    Authorizing the Use of Operator Commands . . . 273
    Command Authorization in an MCS Sysplex . . . 274
    Controlling the Use of Operator Commands . . . 274
  Controlling the Use of Remote Sharing Functions . . . 279
    Controlling Access to the RACLINK Command . . . 279
    Controlling Password Synchronization . . . 280
    Controlling the Use of the AT Operand . . . 281
    Controlling the Use of the ONLYAT Operand . . . 281
    Controlling Automatic Direction . . . 282
  Establishing Security for the RACF Parameter Library . . . 286
  Controlling Message Traffic . . . 287
  Controlling the Opening of VTAM ACBs . . . 288
  RACF and PSF (Print Services Facility) . . . 288
  Auditing When Users Receive Message Traffic . . . 289
  RACF and APPC . . . 289
    User Verification during APPC Transactions . . . 289
    Protection of APPC/MVS Transaction Programs (TPs) . . . 290
    LU Security Capabilities . . . 291
    Origin LU Authorization . . . 291
    Protection of APPC Server IDs (APPCSERV) . . . 292
  RACF and CICS . . . 292
  RACF and DB2 . . . 292
  RACF and IMS . . . 292
  RACF and ICSF . . . 292
  RACF and z/OS UNIX . . . 293
  RACF Support for NDS and Lotus Notes for z/OS . . . 293
  Administering Application User Identities . . . 293
    System Considerations . . . 294
    Authorizing Applications to Use Identity Mapping . . . 296
    Considerations for Application User Names . . . 297
  Storing encryption keys using the KEYSMSTR class . . . 297
    Steps for storing a key in a KEYSMSTR profile . . . 298
  Defining delegated resources . . . 299
    Steps for authorizing daemons to use delegated resources . . . 300

Chapter 8. Administering the Dynamic Class Descriptor Table (CDT) . . . 301
  Overview of the class descriptor table . . . 301
    Restrictions for applications and vendor products . . . 302
  Using the dynamic CDT . . . 302
    Profiles in the CDT class . . . 303
  Adding a dynamic class with a unique POSIT value . . . 304
    Steps for adding a dynamic class with a unique POSIT value . . . 304
  Adding a dynamic class that shares a POSIT value . . . 305
    Processing options that are controlled by a shared POSIT value . . . 306
    Rules about disallowing generics when sharing a POSIT value . . . 307
    Steps for adding a dynamic class with a shared POSIT value . . . 307
  Changing a POSIT value for a dynamic class . . . 308
    Steps for changing a POSIT value of an existing dynamic class . . . 308
  Guidelines for changing dynamic CDT entries . . . 309
  Defining a dynamic class with generics disallowed . . . 311
    Steps for changing a dynamic class to disallow generic profiles . . . 311
  Deleting a class from the dynamic CDT . . . 312
    Steps for deleting a dynamic CDT class . . . 313
  Disabling the dynamic CDT . . . 315
  Re-enabling a previously defined dynamic class . . . 315
    Steps to re-enable a previously defined dynamic class . . . 315
  Migrating to the dynamic CDT . . . 316
  Sysplex considerations for the dynamic CDT . . . 318
  Shared system considerations for the dynamic CDT . . . 318
    Shared system rules for disallowing generics with dynamic classes . . . 319
  RRSF considerations for the dynamic CDT . . . 319


Chapter 9. Protecting Programs . . . 321
  Overview of protecting programs . . . 321
  Program security modes . . . 323
    Simple program protection in BASIC or ENHANCED mode . . . 324
    Program control by SMFID in BASIC or ENHANCED mode . . . 327
    Maintaining a clean environment in BASIC or ENHANCED mode . . . 327
    More complex controls: Using EXECUTE access for programs or libraries (BASIC mode) . . . 329
    Migrating from BASIC to ENHANCED program security mode . . . 330
  Protecting program libraries . . . 332
    Program access to data sets (PADS) in BASIC mode . . . 333
    Choosing between the PADCHK and NOPADCHK operands . . . 337
  Program access to SERVAUTH resources in BASIC or ENHANCED mode . . . 338
  ENHANCED program security mode . . . 339
    Program access to data sets (PADS) in ENHANCED mode . . . 339
    Using EXECUTE access for programs and libraries in ENHANCED mode . . . 339
    When to use MAIN or BASIC . . . 340
    Defining programs as MAIN or BASIC . . . 341
  How protection works for programs and PADS . . . 342
    How program control works . . . 343
    Informational messages for program control . . . 343
    Authorization checking for access control to load modules . . . 343
    Authorization checking for access control to data sets . . . 344
  Processing for execute-controlled libraries . . . 345
  Examples of controlling programs and using PADS . . . 347
    Examples of defining load modules as controlled programs . . . 348
    Examples of setting up program access to data sets . . . 348
    Example of setting up an execute-controlled library . . . 349
    Example of setting up program control by system ID . . . 350

Chapter 10. Program signing and verification . . . 351
  Overview of program signing and verification . . . 351
    Terms to know . . . 352
    Related information . . . 352
    Task roadmap for program signing and signature verification . . . 352
  Enabling a user to sign a program . . . 352
    Overview of enabling a user to sign a program . . . 353
    Steps for enabling a user to sign a program using RACF code-signing certificates . . . 355
    Steps for enabling a user to sign a program using external code-signing certificates . . . 357
  Enabling RACF to verify signed programs . . . 359
    Overview of enabling RACF to verify signed programs . . . 359
    Steps for discovering if signed programs currently execute on your systems (optional) . . . 363
    Steps for preparing RACF to verify signed programs (one-time setup) . . . 365
    Steps for verifying a signed program . . . 366

Chapter 11. Operating Considerations . . . 369
  Coordinating Profile Updates . . . 369
    RACF Commands for Flushing a VLF Cache . . . 370
  Getting Started with RACF (after First Installing RACF) . . . 371
    Logging On as IBMUSER and Checking Initial Conditions . . . 372
    Defining Administrator User IDs for Your Own Use . . . 373
    Defining at Least One User ID to Be Used for Emergencies Only . . . 373
    Logging on as RACFADM, Checking Groups and Users, and Revoking IBMUSER . . . 373
    Defining the Groups Needed for the First Users . . . 374
    Defining a System-Wide Auditor . . . 374
    Defining Users and Groups . . . 374
    Defining Group Administrators, Group Auditors, and Data Managers . . . 374
    Protecting System Data Sets . . . 375
    Setting RACF Options . . . 376
  Using the Data Security Monitor (DSMON) . . . 376
  JCL Parameters Related to RACF . . . 380
  Restarting Jobs . . . 381
  Bypassing Password Protection . . . 381
  Controlling Access to RACF Passwords . . . 381
  Authorizing Only RACF-Defined Users to Access RACF-Protected Resources . . . 382
  Using the TSO or ISPF Editor . . . 383
  Service by IBM Personnel . . . 383
  Failsoft Processing . . . 383
    Failsoft Processing with Tape Data Sets . . . 384
  Considerations for RACF Databases . . . 385
    Backup RACF Database . . . 385
    Multiple Data Set Support . . . 385
    Protecting the RACF Database . . . 385
    Using RACF Data Sharing . . . 386
    Sharing Data without Sharing a RACF Database . . . 386
    Number of Resident Data Blocks . . . 386

Chapter 12. Working With The RACF Database . . . 387
  Using the RACF Database Unload Utility (IRRDBU00) . . . 388
    Diagnosis . . . 388
    Performance Considerations . . . 388
    Operational Considerations . . . 389
    Running the Database Unload Utility . . . 390
    Allowable Parameters . . . 392
    Using the Database Unload Utility Output Effectively . . . 393
  Using the RACF remove ID (IRRRID00) utility . . . 410
    IRRRID00 Job Control Statements . . . 412


    IRRRID00 return codes . . . 415
    Finding Residual IDs . . . 415
    Creating Commands to Remove IDs . . . 417
    Using IRRRID00 output . . . 418
    Processing Profiles and Resources . . . 421
    What IRRRID00 Verifies . . . 422
    Database Objects That Are Not Processed . . . 423
    Processing a Hierarchy of Groups . . . 423
    Processing Global Profiles . . . 423
    Processing General Resource Profiles . . . 423
    Processing MEMBER Data . . . 424
    Processing Universal Groups . . . 424
    IRRRID00 and Tivoli . . . 424
    Time Required to Run IRRRID00 . . . 425

Chapter 13. The RACF remote sharing facility (RRSF) . . . 427
  The RRSF network . . . 429
    RRSF nodes . . . 429
  Establishing User ID associations in the RRSF network . . . 430
    Types of User ID Associations . . . 431
    Password Synchronization . . . 431
  User ID associations . . . 432
    Defining User ID Associations . . . 432
    Approving User ID Associations . . . 433
    Deleting User ID Associations . . . 433
    Listing User ID Associations . . . 434
  Command Direction . . . 434
    Commands That Are Not Eligible for Command Direction . . . 434
    Directing Commands Using the AT Option . . . 435
    Directing Commands Using the ONLYAT Option . . . 437
    Order considerations for directed commands and application updates . . . 438
    Directing commands to incompatible systems . . . 439
  Automatic direction . . . 439
    Preparing to Use Automatic Direction . . . 441
    Output Processing . . . 444
    Interactions among Automatic Direction Functions and Password Synchronization . . . 449
    Using Automatic Direction of Commands . . . 451
    Using Automatic Direction of Application Updates . . . 454
    Using Automatic Password Direction . . . 457
    Synchronizing database profiles . . . 459
  Establishing RACF security for RRSF TCP/IP connections . . . 459
    Task roadmap for establishing RACF security for RRSF TCP/IP connections . . . 460
    Administer profiles in the SERVAUTH class to enable RRSF to use TCP/IP node connections . . . 460
    Implementing an RRSF trust policy . . . 462

Chapter 14. Providing Security for JES . . . 471
  Planning for Security . . . 472
  How JES and RACF Work Together . . . 473
  Defining JES as a RACF Started Procedure . . . 473
  Forcing Batch Users to Identify Themselves to RACF . . . 474
  Support for Execution Batch Monitor (XBM) (JES2 Only) . . . 474
  Defining and Grouping Operators . . . 474
  JES User ID Early Verification . . . 475
  User ID Propagation When Jobs Are Submitted . . . 475
    Allowing Surrogate Job Submission . . . 475
    Controlling User ID Propagation in a Local Environment . . . 477
  Using Protected User IDs for Batch Jobs . . . 478
    Propagating Protected User IDs . . . 478
    Using Protected User IDs for Surrogate Job Submission . . . 478
  Where NJE Jobs Are Verified . . . 478
  How SYSOUT Requests Are Verified . . . 479
  Security Labels for JES Resources . . . 480
  Controlling Access to Data Sets JES Uses . . . 480
  Controlling Input to Your System . . . 481
    How RACF Validates Users . . . 481
    Controlling the Use of Job Names . . . 482
    Authorizing the Use of Input Sources . . . 485
  Authorizing Network Jobs and SYSOUT (NJE) . . . 486
    Authorizing Inbound Work . . . 487
    Authorizing Outbound Work . . . 504
  Controlling Access to Spool Data . . . 504
    Protecting Data Sets on Spools . . . 504
    Defining Profiles for SYSIN and SYSOUT Data Sets . . . 505
    Letting Users Create Their Own JESSPOOL Profiles . . . 507
    Protecting JESNEWS . . . 508
    Protecting Trace Data Sets (JES2 Only) . . . 510
    Protecting SYSLOG . . . 510
    Spool Offload Considerations (JES2 Only) . . . 510
    How RACF Affects Jobs Dumped from and Restored to Spool (JES3 Only) . . . 511
  Authorizing Console Access . . . 511
    MCS Consoles . . . 511
    Remote Workstations (RJP/RJE Consoles) . . . 512
    JES3 Consoles . . . 514
  Controlling Where Output Can Be Processed . . . 514
  Authorizing the Use of Your Installation's Printers . . . 515
  Authorizing the Use of Operator Commands . . . 516
    Commands from RJE Work Stations . . . 516
    Commands from NJE Nodes . . . 516
    Who Authorizes Commands When RACF Is Active . . . 517

Chapter 15. RACF and Storage Management Subsystem (SMS) . . . 519
  Overview of RACF and SMS . . . 519
  RACF General Resource Classes for Protecting SMS Classes . . . 519
  Controlling the Use of SMS Classes . . . 520
    Refreshing Profiles for SETROPTS RACLIST Processing for MGMTCLAS and STORCLAS . . . 521
  DFP Segment in RACF Profiles . . . 521
    DFP Segment in User and Group Profiles . . . 522
    DFP Segment in Data Set Profiles . . . 523

    viii z/OS V1R13.0 Security Server RACF Security Administrator's Guide


  How RACF Uses the Information in the DFP Segments . . . . . 524
  Controlling Access to the DFP Segment . . . . . 524
  Controlling the Use of Other SMS Resources . . . . . 527

Chapter 16. RACF and TSO/E . . . . . 529
  TSO/E Administration Considerations . . . . . 529
  Protecting TSO Resources . . . . . 530
  Authorization Checking for Protected TSO Resources . . . . . 533
  Field-Level Access Checking for TSO . . . . . 533
  Controlling the Use of the TSO SEND Command . . . . . 533
  Restricting Spool Access by TSO Users . . . . . 534
  TSO Commands That Relate to RACF . . . . . 534
  Using TSO When RACF Is Deactivated . . . . . 535

Chapter 17. RACF and z/OS UNIX . . . . . 537
  Defining group identifiers (GIDs) . . . . . 538
  Defining user identifiers (UIDs) . . . . . 539
  Listing UIDs and GIDs . . . . . 539
  Superuser authority . . . . . 540
  Setting z/OS UNIX user limits . . . . . 540
  Protected user IDs . . . . . 541
  Controlling the use of shared UNIX identities . . . . . 541
  Sharing IDs . . . . . 541
  Defining the SHARED.IDS profile in the UNIXPRIV class . . . . . 542
  Using the SHARED operand . . . . . 542
  Enabling automatic assignment of unique UNIX identities . . . . . 543
  Automatically assigning unique IDs using RACF commands . . . . . 544
  Automatically assigning unique IDs through UNIX services . . . . . 545
  RRSF considerations for automatic ID assignment . . . . . 549
  Enabling default OMVS segments processing . . . . . 550
  z/OS UNIX performance considerations . . . . . 552
  Converting to stage 3 of application identity mapping . . . . . 553
  Using the UNIXMAP class and Virtual Lookaside Facility (VLF) . . . . . 553
  Using UNIXPRIV class profiles to manage z/OS UNIX privileges . . . . . 556
  Example of authorizing superuser privileges . . . . . 557
  Allowing z/OS UNIX users to change file ownerships . . . . . 557
  Configuring the group owner for new UNIX files . . . . . 558
  Protecting file system resources . . . . . 559
  Administering ACLs . . . . . 559
  z/OS UNIX application considerations . . . . . 562
  Threads and security . . . . . 562
  Application services and security . . . . . 564
  Restrictions of RACF client ACEE support . . . . . 564
  Auditing z/OS UNIX security events . . . . . 565

Chapter 18. RACF and digital certificates . . . . . 567
  Overview of digital certificates . . . . . 568
  Public and private keys . . . . . 568
  X.509 certificates . . . . . 569
  Certificate hierarchies . . . . . 570
  Certificate formats . . . . . 571
  Using certificates with z/OS client/server applications . . . . . 572
  Enabling client login using certificates . . . . . 575
  Using RACF to manage digital certificates . . . . . 577
  Size considerations for public and private keys . . . . . 578
  Using the RACDCERT command to administer certificates . . . . . 579
  Sharing the RACF database with a z/VM system . . . . . 580
  Controlling the Use of the RACDCERT Command . . . . . 580
  Examples of adding digital certificate information . . . . . 583
  Examples of listing digital certificate information . . . . . 583
  Examples of checking digital certificate information . . . . . 588
  Examples of altering digital certificate information . . . . . 590
  Examples of deleting digital certificates . . . . . 590
  DIGTCERT general resource profiles . . . . . 591
  DIGTCERT profile names . . . . . 591
  Ownership of DIGTCERT profiles . . . . . 592
  RACLISTing the DIGTCERT class . . . . . 592
  RACF and key rings . . . . . 593
  DIGTRING general resource profiles . . . . . 594
  Sharing a private key using a key ring . . . . . 595
  Using a virtual key ring . . . . . 595
  RACF and z/OS PKCS #11 tokens . . . . . 595
  Creating and populating PKCS #11 tokens . . . . . 596
  Certificate name filtering . . . . . 598
  Interpreting the X.500 directory information tree . . . . . 598
  Creating certificate name filters . . . . . 599
  Types of certificate name filters . . . . . 601
  How RACF processes certificate name filters . . . . . 605
  Using an existing certificate as a model . . . . . 605
  Excluding a certificate by using the NOTRUST option . . . . . 606
  Mapping multiple user IDs using additional criteria . . . . . 606
  Automatic registration of digital certificates . . . . . 610
  Integrated Cryptographic Service Facility (ICSF) considerations . . . . . 611
  Using a PCI cryptographic coprocessor to generate private keys . . . . . 611
  Migrating an ICSF private key from one system to another . . . . . 611
  The irrcerta, irrmulti, and irrsitec user IDs . . . . . 613
  Renewing an expiring certificate . . . . . 613
  Renewing a certificate with the same private key . . . . . 614
  Renewing (rekeying) a certificate with a new private key . . . . . 615
  Supplied digital certificates . . . . . 618
  Steps to begin using a supplied CA certificate . . . . . 619
  Implementation scenarios . . . . . 620

    Contents ix

  Scenario 1: Secure Server with a Certificate Signed by a Certificate Authority . . . . . 620
  Scenario 2: Secure Server with a Locally Signed Certificate . . . . . 621
  Scenario 3: Migrating an ikeyman or gskkyman Certificate . . . . . 622
  Scenario 4: Secure Server-to-Server Session Enablement . . . . . 623
  Scenario 5: Creating Client Browser Certificates with a Locally Signed Certificate . . . . . 624
  Scenario 6: Enabling Secure Outbound FTP . . . . . 625
  Scenario 7: Sharing One Certificate Between Multiple Servers . . . . . 626
  Scenario 8: Using the IBM Encryption Facility for z/OS . . . . . 627

Chapter 19. Controlling applications that invoke callable services . . . . . 629
  Authorizing applications . . . . . 629
  Defining applications as RACF users . . . . . 630
  Defining resources that control callable services . . . . . 630
  Activating your authorizations . . . . . 630
  initACEE (IRRSIA00) callable service . . . . . 631
  Registering user certificates . . . . . 631
  Deregistering user certificates . . . . . 631
  Replacing certificate-authority certificates . . . . . 631
  Using a hostIdMappings extension . . . . . 632
  R_admin (IRRSEQ00) callable service . . . . . 633
  R_auditx (IRRSAX00) callable service . . . . . 633
  R_cacheserv (IRRSCH00) callable service . . . . . 633
  R_datalib (IRRSDL00 or IRRSDL64) callable service . . . . . 634
  Extracting private keys . . . . . 634
  Managing certificate serial numbers . . . . . 634
  R_dcekey (IRRSDK00) callable service . . . . . 634
  R_GetInfo (IRRSGI00) callable service . . . . . 635
  R_dceruid (IRRSUD00) callable service . . . . . 635
  R_PKIServ (IRRSPX00) callable service . . . . . 635
  Authorizing end-user functions . . . . . 636
  Authorizing administrative functions . . . . . 638
  R_proxyserv (IRRSPY00) callable service . . . . . 639
  R_ticketserv (IRRSPK00) callable service . . . . . 640
  Permitting access to the IRR.RTICKETSERV resource . . . . . 640

Chapter 20. RACF and the z/OS LDAP server . . . . . 641
  Defining an LDAPBIND class profile . . . . . 641
  LDAP event notification . . . . . 642
  LDAP change log entries . . . . . 643
  LDAP notification occurs in real-time only . . . . . 645
  RRSF considerations for applications that exploit enveloping . . . . . 645
  Activating LDAP change notification . . . . . 645
  Disabling LDAP change notification . . . . . 646

Chapter 21. Password and password phrase enveloping . . . . . 647
  Overview of enveloping . . . . . 647
  Resources that control enveloping . . . . . 648
  Signing hash algorithm and encryption strength used to create the envelope . . . . . 649
  The IRR.PWENV.KEYRING key ring . . . . . 650
  Controlling envelope retrieval . . . . . 650
  The NOTIFY.LDAP.USER resource . . . . . 650
  Setting up enveloping . . . . . 650
  Preparing the address space of the RACF subsystem . . . . . 651
  Generating a local CA certificate using RACF as the CA . . . . . 651
  Generating an X.509 V3 certificate for the RACF address space . . . . . 652
  Generating an X.509 V3 certificate for the envelope recipient . . . . . 653
  Copying the certificates to the host system (if generated elsewhere) . . . . . 655
  Exporting RACF's certificate to the recipient key database . . . . . 656
  Authorizing the envelope recipient . . . . . 657
  Activating enveloping . . . . . 657
  Disabling enveloping . . . . . 659
  Steps for disabling enveloping and deleting existing envelopes . . . . . 660
  Planning considerations for heterogeneous password synchronization . . . . . 661

Chapter 22. Defining and using custom fields . . . . . 663
  Overview of custom fields . . . . . 663
  Task roadmap for defining and using custom fields . . . . . 664
  Defining a custom field and its field attributes . . . . . 664
  Profiles in the CFIELD class . . . . . 665
  Steps for defining a custom field and its attributes . . . . . 666
  Activating a custom field . . . . . 669
  Steps for activating a custom field . . . . . 669
  Adding data to a custom field . . . . . 670
  Steps for adding data to a custom field . . . . . 670
  Authorizing users to define custom fields . . . . . 672
  Steps for authorizing users to define custom fields . . . . . 672
  Authorizing users to update data in a custom field . . . . . 673
  Authorizing users for the ISPF panels to update custom field data . . . . . 673
  Steps for authorizing users to update data in a custom field . . . . . 673
  Changing attributes of an existing custom field . . . . . 674
  When you need to change the data type . . . . . 675
  When you need to change the MAXLENGTH of a numeric field . . . . . 676
  Removing a custom field . . . . . 678
  Steps for removing a custom field . . . . . 678
  Common errors when defining and using custom fields . . . . . 679
  Errors defining a custom field . . . . . 679
  Errors adding data to a custom field . . . . . 679
  RRSF considerations for custom fields . . . . . 681

Chapter 23. Authorizing help desk functions . . . . . 683


  Delegating the authority to list user information . . . . . 684
  Delegating the authority to list user information in any user profile . . . . . 684
  Delegating the authority to list user information in only selected user profiles . . . . . 685
  Delegating the authority to list user information by owner . . . . . 686
  Delegating the authority to list user information by group tree . . . . . 687
  Excluding selected user profiles . . . . . 688
  Delegating the authority to reset passwords and password phrases . . . . . 689
  Levels of authority . . . . . 690
  Delegating the authority to reset the password for any user . . . . . 691
  Delegating the authority to reset passwords for only selected users . . . . . 692
  Delegating the authority to reset passwords by owner . . . . . 693
  Delegating the authority to reset passwords by group tree . . . . . 694
  Excluding selected users . . . . . 695
  Delegating both by owner and by group tree . . . . . 697
  Examples of delegating help desk authorities . . . . . 697
  Delegating help desk authorities by owner . . . . . 697
  Delegating help desk authorities by group tree . . . . . 698
  Delegating help desk authorities for all users, excluding selected users . . . . . 699

Chapter 24. Distributed identity filters . . . . . 701
  Overview of distributed identity filters . . . . . 701
  What is a distributed identity filter? . . . . . 701
  Applications that support distributed identity filters . . . . . 702
  Overview of the RACMAP command . . . . . 702
  Profiles in the IDIDMAP class . . . . . 703
  RACMAP command updates to user profiles . . . . . 703
  DELUSER processing with distributed identity filters . . . . . 703
  IRRRID00 considerations for distributed identity filters . . . . . 704
  Details about specifying user and registry names . . . . . 704
  Restrictions for UTF-8 data values . . . . . 708
  Defining a filter for a non-LDAP user name . . . . . 709
  Steps for defining a filter for a non-LDAP user name . . . . . 709
  Defining a filter for an X.500 user identity . . . . . 710
  Steps for defining a filter for a full X.500 DN . . . . . 710
  Steps for defining a filter using selected RDNs . . . . . 711
  Deleting a distributed identity filter . . . . . 713
  Steps for deleting a distributed identity filter . . . . . 713

Appendix A. Supplied RACF resource classes . . . . . 715
  Supplied resource classes for z/OS systems . . . . . 715
  Supplied resource classes for z/VM systems . . . . . 723

Appendix B. Summary of RACF commands and authorities . . . . . 725
  Summary of commands and their functions . . . . . 725
  Summary of Authorities and Commands . . . . . 728
  The SPECIAL or group-SPECIAL Attribute . . . . . 729
  The AUDITOR or group-AUDITOR Attribute . . . . . 730
  The OPERATIONS or group-OPERATIONS Attribute . . . . . 730
  The CLAUTH Attribute . . . . . 730
  Group Authority . . . . . 731
  Access Authority . . . . . 732
  Profile Ownership Authority . . . . . 732
  Other Authorities . . . . . 733

Appendix C. Listings of RACF supplied certificates . . . . . 735

Appendix D. Security for system data sets . . . . . 745

Appendix E. Debugging problems in the RACF database . . . . . 749
  Checklist: Resolving Problems When Access Is Denied Unexpectedly . . . . . 749
  Checklist: Resolving Problems When Access Is Allowed Incorrectly . . . . . 751
  When Changes to Data Set Profiles Take Effect . . . . . 752
  Authorization Checking for RACF-Protected Resources . . . . . 753
  When Authorization Checking Takes Place and Why . . . . . 753
  Authorizing Access to RACF-Protected Resources . . . . . 754
  Pictorial View of RACF Authorization Checking . . . . . 759
  Authorizing Access to z/OS UNIX Files and Directories . . . . . 764
  Authorizing Access to RACF-Protected Terminals . . . . . 766
  Authorizing Access to Consoles, JES Input Devices, APPC Partner LUs, or IP Addresses . . . . . 767
  Authorization Checking for RACROUTE REQUEST=FASTAUTH Requests . . . . . 769
  Authorizing Access to RACF-Protected Applications . . . . . 770
  Security Label Authorization Checking . . . . . 770
  Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES) and SETROPTS MLQUIET . . . . . 774
  Problems with User ID Authentication . . . . . 775
  When Logon or Job Initialization Processing Takes Place and Why . . . . . 775
  Logon/Job Initialization Processing . . . . . 776

Appendix F. Accessibility . . . . . 779
  Using assistive technologies . . . . . 779
  Keyboard navigation of the user interface . . . . . 779
  z/OS information . . . . . 779

Notices . . . . . 781
  Policy for unsupported hardware . . . . . 783
  Trademarks . . . . . 783

Glossary . . . . . 785

Index . . . . . 803


Figures

  1. RACF authorization checking . . . . . 4
  2. Sample ISPF panel for RACF . . . . . 15
  3. Scope of control of an attribute assigned at the group level . . . . . 17
  4. User and group relationships . . . . . 45
  5. Group-level authority structure . . . . . 86
  6. Scope of authority for a group-SPECIAL user . . . . . 87
  7. Delegating authority (user profiles) . . . . . 99
  8. Example of two network LU partners . . . . . 245
  9. Reports produced by DSMON . . . . . 377
 10. Member UGRP: Users with extraordinary group authorities, report format statements . . . . . 394
 11. Member UGRPCNTL: Users with extraordinary group authorities, record selection statements . . . . . 395
 12. Report of all users with extraordinary group authorities . . . . . 396
 13. Customized record selection criteria . . . . . 398
 14. Customized report format . . . . . 399
 15. Customized report JCL . . . . . 399
 16. Sample SQL utility statements: Defining a table space . . . . . 401
 17. Sample SQL utility statements: Creating a table . . . . . 402
 18. Sample SQL utility statements: Creating indexes . . . . . 402
 19. DB2 utility statements required to load the tables . . . . . 403
 20. DB2 utility statements required to delete the group records . . . . . 403
 21. Sample SQL to process revoke and resume dates . . . . . 407
 22. A sample SQL query . . . . . 408
 23. A sample QMF form . . . . . 409
 24. A sample report . . . . . 409
 25. Using the remove ID utility . . . . . 411
 26. Searching for all residual references . . . . . 414
 27. Searching for specific references . . . . . 414
 28. Specifying a replacement ID . . . . . 415
 29. Running IRRRID00 with an empty SYSIN: Sample input . . . . . 416
 30. Running IRRRID00 with an empty SYSIN: Sample output . . . . . 417
 31. Running IRRRID00 with data in SYSIN: Sample input . . . . . 418
 32. Running IRRRID00 with data in SYSIN: Sample output . . . . . 418
 33. Sample output from the IRRRID00 utility . . . . . 420
 34. Running IRRRID00 CLIST using TMP: Sample JCL statements . . . . . 421
 35. An RRSF network . . . . . 429
 36. Captured Output From a Password Synchronization Request . . . . . 432
 37. RACLINK ID(userid) LIST(*.*) Output . . . . . 434
 38. Captured Output from a Directed LISTGRP Command . . . . . 437
 39. Captured Output from a Directed ADDSD Command . . . . . 437
 40. Which NODES profiles are used? . . . . . 491
 41. Example: Simple NJE user translation . . . . . 499
 42. Example: Simple NJE user translation using &SUSER . . . . . 500
 43. Example: Trusted, semitrusted, and untrusted nodes . . . . . 501
 44. Example of a simple certificate hierarchy . . . . . 570
 45. A high-level view of a secure z/OS handshake using a public key network protocol . . . . . 573
 46. Controlling access to RACDCERT functions . . . . . 582
 47. Output from the RACDCERT LIST command . . . . . 584
 48. Output from the RACDCERT LISTRING command . . . . . 585
 49. Output from the RACDCERT LIST command with LABEL . . . . . 586
 50. Output from the RLIST DIGTCERT command . . . . . 587
 51. Output from the SEARCH CLASS(DIGTCERT) command . . . . . 588
 52. Example of an X.500 directory information tree . . . . . 599
 53. Sample RACDCERT MAP command for creating an issuer's name filter . . . . . 600
 54. Sample output from the LISTMAP command for an issuer's name filter . . . . . 601
 55. Sample RACDCERT MAP commands for creating subject's name filters . . . . . 602
 56. Sample RACDCERT MAP command for creating a subject's and issuer's name filter . . . . . 603
 57. Sample RACDCERT MAP commands using a model certificate . . . . . 606
 58. Sample RACDCERT MAP commands not using a model certificate . . . . . 606
 59. Sample RACDCERT MAP command using the NOTRUST option . . . . . 606
 60. Sample RACDCERT MAP and RDEFINE commands for mapping multiple user IDs . . . . . 608
 61. Sample output from the LISTMAP command for a MULTIID filter . . . . . 608
 62. Sample RACDCERT MAP and RDEFINE commands using multiple criteria . . . . . 609
 63. Sample group and user structure for delegating help desk authorities . . . . . 697
 64. Process flow of callers of RACF for RACROUTE REQUEST=AUTH requests . . . . . 759
 65. Process flow of SAF router for RACROUTE REQUEST=AUTH requests . . . . . 760
 66. Process flow of RACF router . . . . . 761
 67. Process flow of RACF authorization checking . . . . . 762

    Copyright IBM Corp. 1994, 2011 xiii


Tables

  1. User attributes . . . . . 18
  2. Commands to list profile contents . . . . . 30
  3. Command to search for profile names . . . . . 32
  4. Participants of the security implementation team . . . . . 38
  5. Checklist for implementation team activities . . . . . 48
  6. Group authorities . . . . . 60
  7. Scope of authority for user attributes at the group level . . . . . 84
  8. Sample profile names for STARTED class resources . . . . . 157
  9. Sample data set profile names in order from most specific to least specific (EGN off) . . . . . 170
 10. Sample data set profile names in order from most specific to least specific (EGN on) . . . . . 171
 11. Protecting GDG data sets using generic profiles . . . . . 178
 12. Access authorities for DASD data sets . . . . . 181
 13. RACF commands used with general resource profiles . . . . . 207
 14. Choosing among generic profiles, resource group profiles, and RACFVARS profiles . . . . . 211
 15. Sample general resource profile names in order from most specific to least specific . . . . . 214
 16. ALTER, NONE, and CONTROL, UPDATE, and READ access authorities for general resources . . . . . 216
 17. Comparison of GRPACC attribute with &RACGPID.** entry in global access checking table . . . . . 222
 18. Fields in RACF profile segments that correspond to RACF command operands . . . . . 228
 19. Delegating authority in the FACILITY class . . . . . 233
 20. RACF classes used to authorize operator commands . . . . . 273
 21. RACF operator command profiles: Naming conventions . . . . . 277
 22. RACF TSO commands entered as operator commands: Naming conventions . . . . . 278
 23. Automatic command direction: Resource names . . . . . 282
 24. KEYSMSTR class profiles . . . . . 298
 25. Processing options controlled simultaneously for classes sharing a POSIT value . . . . . 306
 26. ICHERCDE macro operands and the corresponding operands for the RDEFINE and RALTER commands . . . . . 317
 27. Correlation of record type, record name, and DB2 table name . . . . . 404
 28. Return codes for the remove ID utility (IRRRID00) . . . . . 415
 29. RRSFDATA resources to control propagation of certificate information . . . . . 457
 30. NODES class operands and the UACC meaning for inbound jobs . . . . . 493
 31. NODES class operands, UACC, and SYSOUT ownership when node is not defined to &RACLNDE . . . . . 497
 32. TSO command usage when RACF protection is enabled . . . . . 534
 33. The UNIXMAP class and VLF: Effects on performance for installations that have not reached stage 3 of application identity mapping . . . . . 554
 34. Subject's and issuer's distinguished names . . . . . 598
 35. Summary of access authorities required for PKI Services requests . . . . . 637
 36. LDAP event notification of RACF profile changes . . . . . 643
 37. Resource classes for z/OS systems . . . . . 715
 38. Resource classes for z/VM systems . . . . . 723
 39. Functions of RACF commands . . . . . 725
 40. Commands and operands you can issue if you have the SPECIAL or group-SPECIAL attribute . . . . . 729
 41. Commands and operands you can issue if you have the AUDITOR or group-AUDITOR attribute . . . . . 730
 42. Commands and operands you can issue if you have the OPERATIONS or group-OPERATIONS attribute . . . . . 730
 43. Commands and operands you can issue if you have the CLAUTH attribute . . . . . 730
 44. Commands and operands you can issue if you have a group authority . . . . . 731
 45. Commands and operands you can issue if you have an access authority . . . . . 732
 46. Commands and operands you can issue if you own a profile . . . . . 732
 47. Commands and operands you can issue for miscellaneous reasons . . . . . 733
 48. UACC values for system data sets . . . . . 745
 49. Required relationship between security levels for each MAC checking type . . . . . 771
 50. Security label authorization checking when SECLABEL class is active and either SETROPTS MLS(FAILURES) or MLS(WARNING) is in effect . . . . . 772
 51. Security label authorization checking when SECLABEL class is active and either SETROPTS NOMLS is in effect or the user is in "writedown" mode . . . . . 773
 52. Effects of MLACTIVE settings on security label authorization . . . . . 774
 53. Relationships among the SECLABEL class, SETROPTS MLS(FAILURES), SETROPTS MLACTIVE(FAILURES), and SETROPTS MLQUIET . . . . . 774
 54. Resource classes checked for logon and job initialization requests . . . . . 777


About this document

This document supports z/OS (5694-A01) and contains information about Resource Access Control Facility (RACF), which is part of z/OS Security Server. This document provides information to help the security administrator plan for and administer the RACF component of z/OS Security Server.

Who should use this document

Security administrators, group administrators, and other administrators who are responsible for system data security and integrity on a z/OS system should use this document for such tasks as:
- Planning how to use RACF to increase the security of the system
- Deciding which resources to protect
- Performing administration tasks
- Coordinating with administrators of other products

Readers should be familiar with RACF concepts and terminology. The readers of this document should also be familiar with z/OS systems.

RACF overview information can be obtained from the RACF home page:
http://www.ibm.com/servers/eserver/zseries/zos/racf/

How to use this document

Much of this document describes how to protect resources, such as data sets, terminals, and others. In general, you first need to define users to RACF and set some RACF options. Then, depending on your security plan, you select classes of resources to protect and create resource profiles for them.

If you are reading this document for the first time, consider reading the following parts first:
- Chapter 1, Introduction, on page 1
- Chapter 2, Organizing for RACF Implementation, on page 37
- Chapter 3, Defining Groups and Users, on page 51
- Defining Profiles for General Resources on page 207
- Setting Up the Global Access Checking Table on page 218
- Getting Started with RACF (after First Installing RACF) on page 371
- Appropriate portions of Chapter 5, Specifying RACF Options, on page 113

Where to find more information

Where necessary, this document references information in other documents. For complete titles and order numbers for all elements of z/OS, see z/OS Information Roadmap.

Softcopy documents

The RACF library is available on the following DVD softcopy collection in both BookManager and Portable Document Format (PDF) files. The collection includes Softcopy Reader, which is a program that enables you to view the BookManager files. You can view or print the PDF files with an Adobe Reader.

SK3T-4271  z/OS Version 1 Release 13 and Software Products DVD Collection
           This collection contains the documents for z/OS Version 1 Release 13 and the libraries for multiple releases of more than 400 z/OS-related software products, on DVDs.

The following CD softcopy collection includes books related to RACF:

SK3T-7876  IBM System z Redbooks Collection
           This softcopy collection contains a set of documents called IBM Redbooks that pertain to System z subject areas ranging from e-business application development and enablement to hardware, networking, Linux, solutions, security, Parallel Sysplex and many others.

RACF courses

The following RACF classroom courses are available in the United States:

H3917  Basics of z/OS RACF Administration
H3927  Effective RACF Administration
ES885  Exploiting the Advanced Features of RACF
ES840  Implementing RACF Security for CICS

IBM provides a variety of educational offerings for RACF. For more information about classroom courses and other offerings, do any of the following:
- See your IBM representative
- Call 1-800-IBM-TEACH (1-800-426-8322)

IBM systems center publications

IBM systems centers produce documents known as IBM Redbooks that can help you set up and use RACF. These documents have not been subjected to any formal review nor have they been checked for technical accuracy, but they represent current product understanding (at the time of their publication) and provide valuable information on a wide range of RACF topics. They are not shipped with RACF; you must order them separately. A selected list of these documents follows. Other documents are available, but they are not included in this list, either because the information they present has been incorporated into IBM product manuals or because their technical content is outdated.

GG24-4282  Secured Single Signon in a Client/Server Environment
GG24-4453  Enhanced Auditing Using the RACF SMF Data Unload Utility
GG26-2005  RACF Support for Open Systems Technical Presentation Guide
SG24-4820  OS/390 Security Server Audit Tool and Report Application
SG24-5158  Ready for e-business: OS/390 Security Server Enhancements
SG24-6840  Communications Server for z/OS V1R2 TCP/IP Implementation Guide Volume 7: Security

Other sources of information

IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is also available through the Internet.

    Internet sourcesThe following resources are available through the Internet to provide additionalinformation about the RACF library and other security-related topics:v Online libraryTo view and print online versions of the z/OS publications, use this address:http://www.ibm.com/systems/z/os/zos/bkserv/

    v RedbooksThe documents known as IBM Redbooks that are produced by the InternationalTechnical Support Organization (ITSO) are available at the following address:http://www.redbooks.ibm.com

    v Enterprise systems securityFor more information about security on the S/390 platform, OS/390, andz/OS, including the elements that comprise the Security Server, use this address:http://www.ibm.com/systems/z/advantages/security/

    v RACF home pageYou can visit the RACF home page on the World Wide Web using this address:http://www.ibm.com/systems/z/os/zos/features/racf/

    v RACF-L discussion listCustomers and IBM participants may also discuss RACF on the RACF-Ldiscussion list. RACF-L is not operated or sponsored by IBM; it is run by theUniversity of Georgia.To subscribe to the RACF-L discussion and receive postings, send a note to:[email protected]

  Include the following line in the body of the note, substituting your first name and last name as indicated:
  subscribe racf-l first_name last_name

  To post a question or response to RACF-L, send a note, including an appropriate Subject: line, to:
  [email protected]

- Sample code
  You can get sample code, internally-developed tools, and exits to help you use RACF. This code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use.
  To access this code from a Web browser, go to the RACF home page and select the Resources file tab, then select Downloads from the list, or go to http://www-03.ibm.com/systems/z/os/zos/features/racf/goodies.html.
  The code is also available from ftp.software.ibm.com through anonymous FTP. To get access:
  1. Log in as user anonymous.
  2. Change the directory, as follows, to find the subdirectories that contain the sample code or tool you want to download:
     cd eserver/zseries/zos/racf/


  An announcement will be posted on the RACF-L discussion list whenever something is added.

  Note: Some Web browsers and some FTP clients (especially those using a graphical interface) might have problems using ftp.software.ibm.com because of inconsistencies in the way they implement the FTP protocols. If you have problems, you can try the following:
  - Try to get access by using a Web browser and the links from the RACF home page.
  - Use a different FTP client. If necessary, use a client that is based on command line interfaces instead of graphical interfaces.
  - If your FTP client has configuration parameters for the type of remote system, configure it as UNIX instead of MVS.

  Restrictions
  Because the sample code and tools are not officially supported:
  - There are no guaranteed enhancements.
  - No APARs can be accepted.

The z/OS Basic Skills Information Center
The z/OS Basic Skills Information Center is a Web-based information resource intended to help users learn the basic concepts of z/OS, the operating system that runs most of the IBM mainframe computers in use today. The Information Center is designed to introduce a new generation of Information Technology professionals to basic concepts and help them prepare for a career as a z/OS professional, such as a z/OS system programmer.

Specifically, the z/OS Basic Skills Information Center is intended to achieve the following objectives:
- Provide basic education and information about z/OS without charge
- Shorten the time it takes for people to become productive on the mainframe
- Make it easier for new people to learn z/OS.

To access the z/OS Basic Skills Information Center, open your Web browser to the following Web site, which is available to all users (no login required):
http://publib.boulder.ibm.com/infocenter/zos/basics/index.jsp

To request copies of IBM publications
Direct your request for copies of any IBM publication to your IBM representative or to the IBM branch office serving your locality.

There is also a toll-free customer support number (1-800-879-2755) available Monday through Friday from 8:30 a.m. through 5:00 p.m. Eastern Time. You can use this number to:
- Order or inquire about IBM publications
- Resolve any software manufacturing or delivery concerns
- Activate the program reorder form to provide faster and more convenient ordering of software updates


How to send your comments to IBM
We appreciate your input on this publication. Feel free to comment on the clarity, accuracy, and completeness of the information or give us any other feedback that you might have.

Use one of the following methods to send us your comments:
1. Send an email to [email protected]
2. Visit the Contact z/OS web page at http://www.ibm.com/systems/z/os/zos/webqs.html
3. Mail the comments to the following address:

   IBM Corporation
   Attention: MHVRCFS Reader Comments
   Department H6MA, Building 707
   2455 South Road
   Poughkeepsie, NY 12601-5400
   U.S.A.

4. Fax the comments to us as follows:
   From the United States and Canada: 1+845+432-9405
   From all other countries: Your international access code +1+845+432-9405

Include the following information:
- Your name and address
- Your email address
- Your telephone or fax number
- The publication title and order number:
  z/OS V1R13.0 Security Server RACF Security Administrator's Guide
  SA22-7683-15
- The topic and page number related to your comment
- The text of your comment.

When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any way it believes appropriate without incurring any obligation to you.

IBM or any other organizations will only use the personal information that you supply to contact you about the issues that you submit.

If you have a technical problem
Do not use the feedback methods listed above. Instead, do one of the following:
- Contact your IBM service representative
- Call IBM technical support
- Visit the IBM support portal at http://www.ibm.com/systems/z/support/

    Copyright IBM Corp. 1994, 2011 xxi


Summary of changes
This document contains terminology, maintenance, and editorial changes. Technical changes or additions to the text and illustrations are indicated by a vertical line to the left of the change.

You might notice changes in the style and structure of some content in this document, for example, headings that use uppercase for the first letter of initial words only, and procedures that have a different look and format. The changes are ongoing improvements to the consistency and retrievability of information in our documents.

Changes made in z/OS Version 1 Release 13, SA22-7683-15
This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-14, which supports z/OS Version 1 Release 12.

    New information:

- "Establishing RACF security for RRSF TCP/IP connections" on page 459

    Changed information:

- "Determining PTKTDATA Profile Names" on page 254 is updated in support of APAR OA29784.

- The following topics are updated in support of the new PKDS options of the RACDCERT command:
  - Chapter 10, "Program signing and verification," on page 351
  - Chapter 13, "The RACF remote sharing facility (RRSF)," on page 427
  - Chapter 18, "RACF and digital certificates," on page 567

- Chapter 13, "The RACF remote sharing facility (RRSF)," on page 427 is updated to support TCP/IP as a network protocol for RACF remote sharing facility (RRSF).

- Chapter 24, "Distributed identity filters," on page 701 is updated to include information about the new QUERY function of the RACMAP command.

- Appendix A, "Supplied RACF resource classes," on page 715 is updated with information about the following new classes:
  - GZMFAPLA
  - LDAP
  - VMDEV
  - ZMFAPLA

- Appendix C, "Listings of RACF supplied certificates," on page 735 is updated to include information about new supplied certificates.

- Support is added for the following APARs:
  - OA29784
  - OA34629

- Based on a reader's comment, the example in Step 4 of "Steps for automatically assigning unique IDs through UNIX services" on page 546 is revised.


Deleted information:

- The information presented in the chapter previously entitled "RACF and DCE" is removed from this document. Beginning in z/OS Version 1 Release 13, z/OS Distributed Computing Environment (DCE) and Distributed Computing Environment Security Server (DCE Security Server) are no longer available.

Changes made in z/OS Version 1 Release 12, SA22-7683-14
This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-13, which supports z/OS Version 1 Release 11.

    New information:

- "Administering the RACFVARS member list" on page 240
- "Creating a RACFVARS member report" on page 399
- "DIGTCERT profile names" on page 591
- "Disabling LDAP change notification" on page 646

    Changed information:

- "Activating Generic Profile Checking and Generic Command Processing" on page 123 is updated to include information about the NOGENERIC option of the RDELETE command and the UNUSABLE indicator in the output of the RLIST and SEARCH commands for certain general resource profiles.

- "Field-level access checking" on page 225 is updated to support a new field in the ICSF segment of certain general resource profiles.

- "How RACF uses the RACFVARS member list" on page 240 is updated to support APAR OA30567.

- "Steps for verifying a signed program" on page 366 is updated with additional planning information.

- "Size considerations for public and private keys" on page 578 is updated to include information about the BPECC and NISTECC key types in support of the elliptic curve cryptography (ECC) algorithm for generating keys for digital certificates.

- The following topics are updated to support enhancements to the KERBLINK class:
  - "RRSF Considerations for z/OS Network Authentication Service" on page 459
  - "Supplied resource classes for z/OS systems" on page 715

- Appendix A, "Supplied RACF resource classes," on page 715 includes an updated description for the KERBLINK class.

    Deleted information:

- The information presented in the chapter previously entitled "RACF and Information Management System (IMS)" is removed from this document. The information is now presented in the following IMS publications:
  - IMS Version 10 System Administration Guide (SC18-9718)
  - IMS Version 11 System Administration Guide (SC19-2443)

The "Readers' Comments - We'd Like to Hear from You" section at the back of this publication has been replaced with a new section "How to send your comments to IBM" on page xxi. The hardcopy mail-in form has been replaced with a page that provides information appropriate for submitting readers' comments to IBM.


Changes made in z/OS Version 1 Release 11, SA22-7683-13
This document contains information previously presented in z/OS Security Server RACF Security Administrator's Guide, SA22-7683-12, which supports z/OS Version 1 Release 10.

    New information:

- "Using restricted user IDs for distributed identity users" on page 92
- "Reducing application logon statistics" on page 126
- Chapter 10, "Program signing and verification," on page 351
- "IRRRID00 return codes" on page 415
- "RRSF considerations for distributed identity filters" on page 457
- "Automatically assigning unique IDs through UNIX services" on page 545
- "Special RRSF considerations for automatic unique IDs" on page 550
- Chapter 24, "Distributed identity filters," on page 701

    Changed information:

- The following topics are updated to describe automatic assignment of unique UIDs and GIDs through z/OS UNIX services:
  - "Controlling the use of shared UNIX identities" on page 541
  - "Enabling automatic assignment of unique UNIX identities" on page 543
  - "Enabling default OMVS segments processing" on page 550

- The following topics are updated to support distributed identity filters and the new RACMAP command:
  - "Summary of Steps for Deleting Users" on page 96
  - "Using the Database Unload Utility Output with DB2" on page 400
  - "Using the RACF remove ID (IRRRID00) utility" on page 410
  - "Preparing to Use Automatic Direction" on page 441
  - "Using Automatic Direction of Application Updates" on page 454

- "Field-level access checking" on page 225 is updated to support new command operands and new fields in RACF profiles.

- "RACF and ICSF" on page 292 is updated to support the new ICSF segment.
- "DB2 table names" on page 403 is updated to support new output records from the database unload (IRRDBU00) utility.

- "LDAP event notification" on page 642 is updated to describe LDAP change logging for general resources.

- Appendix A, "Supplied RACF resource classes," on page 715 includes new classes.

- Appendix B, "Summary of RACF commands and authorities," on page 725 includes information about the functions and authorities related to the new RACMAP command.

- Appendix C, "Listings of RACF supplied certificates," on page 735 includes information about a new IBM certificate that is supplied to support program verification for the modules of z/OS Cryptographic Services System SSL.

- Support for the following APARs is added:
  - OA26109
  - OA26110
  - OA26302
  - OA26468


- The following topics were added or updated based on comments from readers:
  - "Special Considerations for Global Access Checking" on page 223
  - "Defining RACF Variables" on page 238
  - "IRRRID00 utility: Running the output CLIST as a batch job" on page 420
  - "Translating Security Information" on page 498
  - "Examples of deleting digital certificates" on page 590
  - "RACF and key rings" on page 593

    Moved information:

- The information presented in the chapter previously entitled "Configuring z/OS to participate in an EIM domain" is removed from this document. The information is now presented in z/OS Integrated Security Services EIM Guide and Reference.


Chapter 1. Introduction

How RACF Meets Security Needs . . . 2
  User Identification and Verification . . . 2
  Authorization Checking . . . 3
  Logging and Reporting . . . 4
  User Accountability . . . 5
    RACF Users . . . 6
    RACF Groups . . . 6
    What RACF Controls . . . 6
    How Users and Groups Are Authorized to Access Resources . . . 7
    RACF Profiles . . . 9
  Flexibility . . . 9
  RACF Transparency . . . 10
  Implementing Multilevel Security . . . 10
Multilevel Security . . . 10
  Characteristics of a Multilevel-Secure Environment . . . 11
    Mandatory Access Control (MAC) . . . 11
    Security Labels . . . 11
    Discretionary Access Control (DAC) . . . 11
    Resource Reuse . . . 12
    Identification and Authentication . . . 12
    Auditability of Security-Related Events . . . 12
Administering Security . . . 12
  Delegating Administration Tasks . . . 12
  Administering Security When a z/VM System Shares the RACF Database . . . 13
  Using RACF Commands or Panels . . . 13
    Choosing between using RACF TSO commands and ISPF panels . . . 14
RACF Group and User Structure . . . 15
  Defining Users and Groups . . . 16
    Assigning Optional User Attributes . . . 17
    Assigning Group Authorities . . . 19
    Profiles Associated with Users and Groups . . . 19
  Protecting Resources . . . 20
    Protecting Data Sets . . . 21
    Protecting General Resources . . . 22
    Installation-Defined Classes . . . 22
    Authority to Create Resource Profiles . . . 22
    Authority to Modify or Delete Resource Profiles . . . 22
    Owners of Resource Profiles . . . 23
    Setting Up the Global Access Checking Table . . . 23
  Security Classification of Users and Data . . . 24
  Selecting RACF Options . . . 24
Using RACF Installation Exits to Customize RACF . . . 24
  The RACROUTE REQUEST=VERIFY, VERIFYX, AUTH, and DEFINE exits . . . 24
  The RACROUTE REQUEST=LIST exits . . . 25
  The RACROUTE REQUEST=FASTAUTH exits . . . 25
  The RACF command exits . . . 25
  The RACF password processing exits . . . 25
  The RACF password authentication exits . . . 26
Tools for the Security Administrator . . . 26
  Using RACF utilities . . . 26
    RACF database initialization utility (IRRMIN00) . . . 26
    RACF database split/merge/extend utility (IRRUT400) . . . 26
    RACF database unload utility (IRRDBU00) . . . 27
    RACF database verification utility (IRRUT200) . . . 27
    RACF cross-reference utility (IRRUT100) . . . 27
    RACF remove ID utility (IRRRID00) . . . 27
    RACF SMF data unload utility (IRRADU00) . . . 28
    RACF block update command (BLKUPD) . . . 28
  Using the RACF report writer . . . 28
  Using the data security monitor . . . 29
  Recording statistics in RACF profiles . . . 29
  Listing information from RACF profiles . . . 29
  Searching for RACF profile names . . . 32
  Using the LIST and SEARCH commands effectively . . . 32

    This topic introduces you to using RACF to administer security on your system.

Over the past several years, it has become much easier to create and access computerized information. No longer is system access limited to a handful of highly skilled programmers; information can now be created and accessed by almost anyone who takes a little time to become familiar with the newer, easier-to-use, high-level inquiry languages. As a result of this improved ease of use, the number of people using computer systems has increased dramatically. More and more people are becoming increasingly dependent on computer systems and the information they store in these systems.

As the general computer literacy and the number of people using computers have increased, the need for data security has taken on a new level of importance. No longer can the installation depend on keeping data secure simply because no one knows how to access the data. Further, making data secure does not mean just making confidential information inaccessible to those who should not see it; it means preventing the inadvertent destruction of files by people who might not even know that they are improperly manipulating data.

As the security administrator, it is your job to ensure that your installation's data is properly protected. RACF can help you do this.

How RACF Meets Security Needs
The RACF licensed program satisfies the preferences of the end user without compromising any of the concerns raised by security personnel. The RACF approach to data security is to provide an access control mechanism that:
- Offers effective user verification, resource authorization, and logging capabilities
- Supports the concept of user accountability
- Is flexible
- Has little noticeable effect on the majority of end users, and little or no impact on an installation's current operation
- Is easy to install and maintain

User Identification and Verification
RACF controls access to and protects resources. For a software access control mechanism to work effectively, it must first identify the person who is trying to gain access to the system, and then verify that the user is really that person.

RACF uses a user ID and a system-encrypted password or password phrase to perform its user identification and verification. When you define a user to RACF, you assign a user ID and temporary password. The user ID identifies the person to the system as a RACF user. The password or password phrase verifies the user's identity.


The temporary password permits initial entry to the system, at which time the person is required to choose a new password. Unless the user divulges it, no one else knows the user ID-password combination.

During terminal processing, RACF allows the use of an operator identification card (OIDCARD) in place of, or in addition to, the password or password phrase. (The OIDCARD information is also encrypted.) By requiring a user to know both the correct password and the correct OIDCARD, you have increased assurance that the proper user has entered the user ID.

The secured signon function provides an alternative to the RACF password called a PassTicket, which allows workstations and client machines to communicate with a host without using a RACF password or password phrase. Using this function can enhance security across a network. For more information, see "Using the Secured Signon Function" on page 252.

Authorization Checking
Having identified a valid user, the software access control mechanism must next control interaction between the user and the system resources. It must authorize not only what resources that user can access, but also in what way the user can access them, such as for reading only, or for updating as well as reading. This controlled interaction, or authorization checking, is shown in Figure 1 on page 4. Before this activity can take place, however, someone with the proper authority at the installation must establish the constraints that govern those interactions.

With RACF, you are responsible for protecting the system resources (data sets, tape and DASD volumes, IMS and CICS transactions, TSO logon information, and terminals) and for issuing the authorities by which those resources are made available to users. RACF records your assignments in profiles stored in the RACF database. RACF then refers to the information in the profiles to decide if a user should be permitted to access a system resource.


Logging and Reporting
The ability to log information, such as attempted accesses to a resource, and to generate reports containing that information can prove useful to a resource owner, and is very important to a smoothly functioning security system.

Because RACF can identify and verify a user's user ID and recognize which resources the user can access, RACF can record the events where user-resource interaction has been attempted. This function records actual access activities or variances from the expected use of the system.

RACF has a number of logging and reporting functions that allow a resource owner to identify users who attempt to access the resource. In addition, you and your auditor can use these functions to log all detected successful and unsuccessful attempts to access the RACF database and RACF-protected resources. Logging all access attempts allows you to detect possible security exposures or threats. The logging and reporting functions are:
- Logging: RACF writes records to the system management facility (SMF) for detected, unauthorized attempts to enter the system. Optionally, RACF writes records to SMF for authorized attempts and detected, unauthorized attempts to:
  - Access RACF-protected resources
  - Issue RACF commands
  - Modify profiles on the RACF database
  RACF writes these records to an SMF data set. To list SMF records, you can use either the RACF SMF data unload utility (IRRADU00) or the RACF report writer.

[Figure 1: diagram of RACF authorization checking, steps (1) through (7); the step descriptions follow.]

(1) User requests access to a resource using a resource mana