Resource Access Control Facility (RACF) in Mainframes
Resource Access Control Facility
What is RACF?
An IBM product
An optional component of the security server of z/OS
Controls what you can do on the system
Provides the tools to control access to the system resources
Full industry support
System Authorization Facility
What does RACF do?
RACF profiles
Profiles – information records in the RACF database
◦ User profiles
◦ Group profiles
◦ Dataset profiles
◦ Generic resource profiles
RACF basic panel
User profiles
Information about a user id in the RACF database
Contains a base segment (user id, password, owner, default group) and optional segments (TSO, OMVS, CICS, DFP and so on) depending on the type of user being defined
User attributes
System-wide or group-wide
◦ SPECIAL – ultimate authority
◦ OPERATIONS – full access to all the DASD and TAPE datasets
◦ AUDITOR – responsible for auditing purposes
User attributes (contd..)
◦ REVOKE – prevents the user from entering the system
◦ CLAUTH – can define profiles in that class
◦ PROTECTED – used for started tasks
◦ WHEN – tells when the user has access
◦ NONE – no special privileges
User id related commands
ADDUSER – define a new USERID profile
Example: AU USR001 DFLTGRP(BCPSUPT) OWNER(BCP) PASSWORD(XVCFR11)
ALTUSER – modify a USERID profile
Example: ALU USR001 REVOKE
LISTUSER – list a USERID profile
Example: LU USR001
DELUSER – delete the profile
Example: DU USR001
CONNECT – connect a user id to a group
Example: CO USR001 GROUP(OSADMIN)
REMOVE – remove a user id from a group
Example: RE USR001 GROUP(OSADMIN)
Group profiles
Collection of users – a group contains a group id, an owner, at least one superior group and any number of subgroups
Approximately 5900 users can be connected to a group
Created to ease the administration work
Provides decentralized control
Group authorities
◦ USE – least authority
◦ CREATE – allows the user to create group datasets and control who can access them
◦ CONNECT – allows the user to connect user ids to the specified group and to assign USE, CREATE or CONNECT authority
◦ JOIN – define new users or groups and assign group authorities
Group id related commands
ADDGROUP – define a new group profile
Example: AG OSADMIN SUPGROUP(SYS1) OWNER(SYSCTL)
ALTGROUP – modify a group profile
Example: ALG OSADMIN OWNER(SYS1)
LISTGROUP – list a group profile
Example: LG OSADMIN
DELGROUP – delete a group profile
Example: DG OSADMIN
CONNECT – connect a user id to a group
Example: CO USR001 GROUP(OSADMIN)
REMOVE – remove a user id from a group
Example: RE USR001 GROUP(OSADMIN)
Dataset profiles
Generic profiles – protect more than one dataset with similar security requirements
Discrete profiles – protect only one dataset that has unique security requirements; deleted when the dataset itself is deleted
Fully qualified generic profiles – not deleted when the dataset is deleted; otherwise similar to discrete profiles
Universal Access Authority (UACC)
NONE, READ, UPDATE, CONTROL, ALTER, EXECUTE
Dataset related commands
ADDSD – define a new dataset profile
Example: AD 'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
ALTDSD – modify a dataset profile
Example: ALD 'SYS1.*' UACC(READ)
LISTDSD – list a dataset profile
Example: LD DA('SYS1.*') ALL
DELDSD – delete a dataset profile
Example: DD 'SYS1.*.%LIB'
PERMIT – add, modify or delete user/group access in a dataset profile
Example: PE 'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER)
Generic resource profiles
All resources other than datasets are general resources
Classes are defined in the class descriptor table (CDT)
The CDT contains both IBM-defined and installation-defined classes (DSNR, CICSTRN, MQCONN, MQADMIN, TSOPROC, ...)
A profile contains the class name, resource name, owner, access list and which attempts (success or failure) have to be logged
Generic resource related commands
RDEFINE – create a resource profile
Example: RDEF FACILITY WIDGETS.ACCESS OWNER(PRODCTL)
RALTER – modify a resource profile
Example: RALT FACILITY WIDGETS.ACCESS UACC(READ)
RLIST – list a resource profile
Example: RL FACILITY WIDGETS.ACCESS ALL
RDELETE – delete a resource profile
Example: RDEL FACILITY WIDGETS.ACCESS
PERMIT – add, modify or delete user/group access in a profile
Example: PE WIDGETS.ACCESS CLASS(FACILITY) ID(USR001)
RACF system options
SETROPTS – a command used to set system-wide RACF options related to resource protection dynamically
◦ Displays the options currently in effect
◦ Controls password related options
◦ Refreshes in-storage profile lists and global access checking tables
◦ Manages class related options, auditing options and other security related options
Summary of RACF commands
RACF database
All RACF related information is stored in the RACF database
A primary and a secondary database (used as a backup) are in use
◦ SYS1.RACF.PRIM
◦ SYS1.RACF.BACK
Disaster recovery
◦ RVARY command
RACF utilities
IKJEFT01 – to work with the profiles
IRRADU00 – SMF data unload utility
IRRDBU00 – RACF database unload utility
IRRRID00 – removes references to user IDs and group names that are no longer in the database
IRRUT400 – database merge, split and extend utility program
IRRUT200 – synchronizes the primary and backup RACF data sets
IRRMIN00 – database initialization utility
THANK YOU
Aayush Singh
CSE – Mainframes