RACF

RACF or Resource Access Control Facility:
  • RACF is IBM's security management product for the z/OS mainframe operating system. It is an add-on software product that provides the basic security for a z/OS system. Other security software products are available, such as ACF2 and Top Secret from Computer Associates. RACF ships as part of the base z/OS system but requires a separate licence to be activated.

RACF's Functions:
  • User Identification and Verification: RACF uses a user ID and a system-encrypted password to perform its user identification and verification. When you define a user to RACF, you assign a user ID and temporary password. The user ID identifies the person to the system as a RACF user. The password verifies the user’s identity.
  • Authorization Checking: With RACF, you are responsible for protecting the system resources (data sets, tape and DASD volumes, IMS and CICS transactions, TSO logon information, and terminals) and for issuing the authorities by which those resources are made available to users. RACF records your assignments in profiles stored in the RACF database. RACF then refers to the information in the profiles to decide if a user should be permitted to access a system resource.
  • Logging and Reporting: RACF has a number of logging and reporting functions that allow a resource owner to identify users who attempt to access the resource.

RACF's Role:
  • Flexible control of access to protected resources.
  • Protection of installation-defined resources.
  • Exits for installation-written routines.
  • An ISPF panel interface.

In-Built Security Features:

1. Program Property Table: 
  • The program properties table (PPT) contains a list of programs that require special attributes.
  • These attributes specify whether the programs can or cannot bypass security protection (password protection and RACF) and whether they run in a system key.
  • Programs with the NOPASS parameter are able to bypass password protection for password-protected data sets and, thus, also bypass all RACF protection for RACF-protected resources.
  • The system key parameter indicates whether the program is authorized to run in a system key (keys 0 through 7) and is thus able to bypass system security controls.
2. Authorized Program Facility:
  • Authorized program facility (APF) is a feature that allows system and user programs to use sensitive system functions.
  • Many system functions are sensitive (for example, restricted SVCs). Therefore, these sensitive functions can be used only by authorized programs.
  • A program is authorized if one of the following conditions is true:
     • The program runs in supervisor state (bit 15 of the PSW = 0).
     • The program runs in a system protection key (bits 8-11 of the PSW contain a key 0-7).
     • The program runs as part of an authorized job step task (JSCBAUTH=1). This bit is set if the initial program is marked AC=1 and is loaded from an APF-authorized library or from the LPA.

3. SAF or System Authorization Facility:
  • The system authorization facility (SAF) is part of the operating system. SAF is available whether or not an additional security product such as RACF is installed.
  • If an additional security product is installed, SAF routes the questions using the SAF router to the security product and routes the answer back to the resource manager. 
  • Thus, SAF builds the interface between the resource managers and the security product.

RACF Resource Profiles:
  • RACF-protected resources are divided into two categories: data sets and general resources.
  • RACF maintains information entries, called Profiles, in the RACF database. It uses profiles to protect DASD and tape data sets and general resources, such as tape volumes and terminals.
  • Discrete: Discrete profiles have a one-for-one relationship with a resource. One profile for each resource. For example, a single data set can be defined with a discrete profile to allow access by one user.
  • Generic: Generic profiles have a one-for-many relationship. One profile controls access to one or more resources whose names contain patterns or character strings that RACF uses to associate them with each other. They contain a list of the authorized users and the access authority of each user. A single generic profile can protect many data sets that have a similar naming structure.
  • Grouped: In this case, the many resource names can be associated with a single RACF profile through the use of a grouping profile that contains the names of the associated resources.

GROUP Profiles:

RACF Groups:
  • A RACF group is normally a collection of users with common access requirements.
  • By adding a user to a group, you can give that user access to all of the resources that the group has access to. Likewise, by removing a user from a group, you can prevent the user from accessing those resources.
  • SYS1 is the pre-defined and highest-level group when RACF is installed.
ADDGROUP or AG: 
  • Defines a new group to RACF. The command adds a profile for the new group to the RACF database. It also establishes the relationship of the new group to the superior group you specify. Group profiles consist of a RACF segment and, optionally, other segments such as DFP and OMVS.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have the GROUP-LEVEL SPECIAL attribute with the superior group within your GROUP-LEVEL scope. 3. Be the OWNER of the superior group with JOIN authority.
  • Syntax: 
 ADDGROUP | AG
    (group-name)
    [DATA('installation-defined-data')]
    [SUPGROUP(group-name)]
    [OWNER(userid or group-name)]
    [TERMUACC | NOTERMUACC]
    [UNIVERSAL]
    [DFP(
          [DATAAPPL(application-name)]
          [ DATACLAS(data-class-name)]
          [MGMTCLAS(management-class-name)]
          [STORCLAS(storage-class-name)]
            )
    ]
    [OMVS[
          (AUTOGID | GID(group-identifier)[SHARED])
                ]
    ]
    [OVM[
          (GID(group-identifier))
              ]
    ]


Here,

group-name: Specifies the name of the group whose profile is to be added to the RACF database. If you are defining more than one group, the list of group names must be enclosed in parentheses.

DATA('installation-defined-data'): Specifies up to 255 characters of installation-defined data to be stored in the group profile and must be enclosed in quotes.

SUPGROUP(group-name): Specifies the name of an existing RACF-defined group. This group becomes the superior group of the group profile you are defining. If you omit SUPGROUP, RACF uses your current connect group as the superior group.

OWNER(userid or group-name): Specifies a RACF-defined user or group to be assigned as the owner of the new group. If you do not specify an owner, you are defined as the owner of the group.

TERMUACC: Specifies that during terminal authorization checking, RACF allows any user in the group access to a terminal based on the universal access authority for that terminal. TERMUACC is the default value if you omit both TERMUACC and NOTERMUACC.

NOTERMUACC: Specifies that the group or a user connected to the group must be explicitly authorized (through the PERMIT command with at least READ authority) to access a terminal.

UNIVERSAL: Specifies that this is a universal group that allows an effectively unlimited number of users to be connected to it for the purpose of resource access. The number of users in a universal group with authority higher than USE, or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level, is still limited to 5957.

DFP: Allows you to specify default values for the DFP data, management, and storage classes. DFP uses this information to determine data management and DASD storage characteristics when a user creates a new group data set.
                DATAAPPL(application-name): Specifies the DFP data application identifier. The maximum length of the identifier is 8 characters.
                DATACLAS(data-class-name): A data class can specify some or all of the physical data set attributes associated with a new data set.
                MGMTCLAS(management-class-name): A management class contains a collection of management policies that apply to data sets.
                STORCLAS(storage-class-name): A storage class specifies the service level (performance and availability) for data sets managed by the Storage Management Subsystem (SMS).

OMVS: Specifies z/OS UNIX System Services information for the group being defined to RACF.
                AUTOGID | GID(group-identifier): Specifies whether RACF is to assign an unused GID value to the group automatically (AUTOGID) or whether the specific GID value given is to be assigned (GID).

OVM: Specifies OpenExtensions VM information for the group being defined to RACF.
               GID(group-identifier): specifies the OpenExtensions VM group identifier.

JCL for adding a new group:

******************************************
//USID007A JOB ,,NOTIFY=USID007
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
  ADDGROUP GRP1 OWNER(USID007) SUPGROUP(SUPGROUP)
/*
//
******************************************

LISTGRP or LG:
  • The LISTGRP or LG command can be used to list information about a RACF-defined group.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have the AUDITOR attribute. 3. You must OWN the group. 4. You must have JOIN or CONNECT authority in the group.
Example:

LISTGRP (GRP1 GRP2) DFP NORACF

=> Lists the base segment information and the DFP optional segment information, and suppresses the RACF information, for groups "GRP1" and "GRP2".

ALTGRP or ALG:
  • The ALTGRP or ALG command can be used to modify the segment information of a RACF-defined group profile.
  • You can also change attributes such as SUPGROUP, OWNER, TERMUACC and the DATA information.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have both the old and the new superior group within your GROUP-LEVEL scope. 3. Be the OWNER of, or have JOIN authority in, both the old and the new superior group.
  • You cannot rename a group. To change its name, delete the group and add a new group with the new name.
Example:

ALG GRP1 NODFP OWNER(S1GRP) SUPGROUP(S1GRP)

=> Removes the DFP segment from group GRP1 and changes its OWNER and SUPGROUP to "S1GRP".

DELGROUP or DG:
  • The DELGROUP or DG command is used to delete a group and its relationship with its superior group.
  • This does not remove the other occurrences of the group name in the RACF database; to remove those, run the RACF Remove ID utility IRRRID00 through a JCL job.
  • You cannot simply delete a group that still has subgroups, connected users or data set profiles belonging to it.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have the GROUP-LEVEL SPECIAL attribute.
Example:

DG GRP2

=> Deletes the group "GRP2".


USER Profiles:

  • RACF stores information in its database. For each defined user ID, RACF keeps a user profile in the class USER.
  • IBMUSER is the default user created when RACF is installed. IBMUSER has the SYSTEM-LEVEL SPECIAL attribute and is a member of group SYS1.

User Attributes:
  • User attributes are extraordinary capabilities or limitations that can be assigned to a user either system-wide or when the user is connected to a specific group or groups.
  • SPECIAL attribute: A user who has the SPECIAL attribute at the system level can issue all RACF commands. This attribute gives the user full control over all of the RACF profiles in the RACF database. You can assign the SPECIAL attribute at the group level. When you do, the group-SPECIAL user has full control over all of the profiles within the scope of the group.
  • AUDITOR attribute: The AUDITOR attribute is given to users who are responsible for auditing RACF security controls and functions. You can assign the AUDITOR attribute at the group level. When you do, the group-AUDITOR user’s authority is limited to profiles that are within the scope of that group.
  • OPERATIONS attribute: A user who has the system-wide OPERATIONS attribute has full access authorization to all RACF-protected resources in the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes. You can assign the OPERATIONS attribute at the group level. When you do, the group-OPERATIONS user's authority is limited to resources within the scope of that group.
  • CLAUTH attribute: If a user has the CLAUTH attribute in a class, RACF allows the user to define profiles in that class. You cannot assign the CLAUTH attribute at the user or group level.
  • GRPACC attribute: When a user with the GRPACC attribute creates a data set profile for a group data set, RACF gives UPDATE access authority to other users in the group.
  • ADSP attribute: The ADSP attribute establishes an environment in which all permanent DASD data sets created by this user are automatically defined to RACF and protected with a discrete profile.
  • REVOKE attribute: The REVOKE attribute prevents the RACF-defined user from entering the system. REVOKE can be assigned at the group level, in which case the user cannot enter the system and connect to that group.
  • RESTRICTED attribute: You can prevent RACF users from gaining access to protected resources they are not specifically authorized to access by assigning the RESTRICTED attribute on the ADDUSER or ALTUSER command.
  • PROTECTED attribute: This attribute is used mainly for started tasks, to prevent a user ID from being revoked after multiple unsuccessful logon attempts. This attribute is assigned implicitly by default, so if you specify the PASSWORD operand on the ALU command, it is removed. You can reassign the protection for that user ID with the command:
        ALU USID007 NOPASSWORD
    To remove the protection, issue the command:
        ALU USID007 PASSWORD(yourpass)
  • WHEN attribute: Specifies the days of the week and hours of the day during which the user has access to the system. A sample syntax:
        ADDUSER USID007 WHEN(DAYS(MONDAY) TIME(0900:1300))


Group Authorities:
  • The group authorities define a user's responsibilities within the group.
  • USE: Allows you to access resources to which the group is authorized.
  • CREATE: Allows you to create RACF data set profiles for the group.
  • CONNECT: Allows you to connect other users to the group.
  • JOIN: Allows you to add new subgroups or users to the group, as well as assign group authorities to the new members.

Access Authority for data sets:
  • NONE: Does not allow users to access the data set. 
  • EXECUTE: Allows users to load and execute, but not to read or copy, programs in the library.
  • READ: Allows users to access the data set for reading only.
  • UPDATE: Allows users to read from, copy from, or write to the data set. UPDATE does not authorize a user to delete, rename, move, or scratch the data set.
  • CONTROL: Allows users to retrieve, update, insert, or delete records in the specified data set.
  • ALTER: Allows users to read, update, delete, rename, move, or scratch the data set.

ADDUSER or AU:
  • The ADDUSER or AU command is used to define a new user to RACF under an already existing group.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have the GROUP-LEVEL SPECIAL attribute. 3. Have JOIN authority in the user's default group. 4. The user's default group must come under the scope of the group where you have the GROUP-LEVEL SPECIAL attribute.
Example:


        AU USID007 NAME('DEMO_USER') OWNER(SGRP1)
           DFLTGRP(SGRP1) PASSWORD(yourpass)
           TSO(PROC(IKJDB2) ACCTNUM(ACCT#))
           WHEN(DAYS(MONDAY) TIME(0800:1200))

LISTUSER or LU:
  • The LISTUSER or LU command can be used to list information about a RACF-defined user.
  • You can use this command to list the RACF segment and optionally other segments in the User profile.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have the GROUP-LEVEL SPECIAL attribute. 3. Have the SYSTEM-LEVEL or GROUP-LEVEL AUDITOR attribute.
Example: 

        LU USID007 NORACF DFP TSO NOCICS NODCE

The above command displays the DFP and TSO segment information and suppresses the RACF, CICS and DCE segment information.

ALTUSER or ALU:
  • The ALTUSER or ALU command is used to change the information in a User's profile including the User's System-wide attributes and authorities.
  • Conditions: 1. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 2. Have the SYSTEM-LEVEL or GROUP-LEVEL OPERATIONS attribute.
Example: 

        ALU USID007 TSO(PROC(IKJSMS)) NODFP WHEN(DAYS(MONDAY))

The above command changes the TSO logon procedure to IKJSMS and removes the DFP segment from the profile. The user's permitted time of access is also changed.


DELUSER or DU:
  • The DELUSER or DU command can be used to delete a user from RACF. However, other occurrences of the user in the RACF database remain, for example where the user is the OWNER of a group, the OWNER of another user's profile, or the OWNER of a group data set profile. You can remove all such occurrences of the user from the RACF database with the Remove ID utility IRRRID00.
  • Conditions: 1. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 2. The user profile to be deleted must be under the scope of the group where you have the GROUP-LEVEL SPECIAL attribute. 3. You must be the OWNER of the user's profile.
Example:

                                          DELUSER USID007


Connecting Users to Groups:
  • The CONNECT or CO command is used to connect RACF-defined users to RACF-defined Groups.
  • Group authorities are also issued through this command.
  • This command is also used to assign GROUP-LEVEL user attributes.
  • Conditions: 1. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 2. You should be the OWNER of the Group. 3. Have the JOIN or CONNECT authority in the Group.
Example: 

                CO USID007 GROUP(GROUP2) AUTHORITY(JOIN) SPECIAL



Removing Users from Groups:
  • The REMOVE command is used to remove a user from a group and to assign a new owner to any group profiles the user owns within that group.
  • The REMOVE command does not delete the user's profile from the RACF database; it only removes the connection.
  • Conditions: 1. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 2. Be the OWNER of the group. 3. Have JOIN or CONNECT authority in the group.
Example: 


                                      REMOVE USID007 GROUP(GROUP2)


Changing Default Group of a User:
  • First, connect the User to the new group if not already connected.
  • Change the Default Group of the User to the new Group.
  • Remove the User from the Old Default Group.
Example:

        CO USID007 GROUP(GROUP2)
        ALU USID007 DFLTGRP(GROUP2)
        RE USID007 GROUP(SGRP2)



Resource Profiles:
  • In RACF, resource profiles contain a description of a resource, including the authorized users and the access authority of each user. Resource profiles can be discrete, generic, or, additionally for the DATASET class, fully-qualified generic.
  • DISCRETE: It can protect a single resource that has unique security requirements. A discrete profile matches the name of the resource it protects and cannot exist independently of the resource. In the DATASET class, if you delete the resource, you delete the profile.
  • GENERIC: It can protect several resources that have a similar naming structure and security requirements. Specify generic characters in the profile name if you want to protect more than one resource with the same security requirements.

Dataset Profiles:

ADDSD:
  • Adds RACF protection to data sets with either discrete or generic profiles.
  • The ADDSD command adds a profile for the data set to the RACF database to control access to the data set.
  • It also places the user ID on the access list and gives ALTER authority to the resource unless SETROPTS NOADDCREATOR is in effect.
  • Conditions: 1. The HLQ of the profile should match the UserID. 2. The HLQ matches a Group in which they have CREATE authority. 3. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute.
Example:


For Discrete:   ADDSD 'USID007.GRP1.PS007' UACC(NONE)
For Generic:    ADDSD 'USID007.**' UACC(READ) NOTIFY(USID007) WARNING
                SETROPTS GENERIC(DATASET) REFRESH

Here, the WARNING parameter causes RACF to allow an access that would otherwise be denied, issuing a warning message to the accessor and notifying the user named in NOTIFY of the access attempt.


LISTDSD:
  • The LISTDSD command is used to list a dataset profile defined to RACF.
  • Conditions: 1. Have the SYSTEM-LEVEL OPERATIONS attribute. 2. Have the SYSTEM-LEVEL or GROUP-LEVEL AUDITOR attribute. 3. Have at least READ access to the profile, or the HLQ of the profile matches your user ID.
Examples:

                                 LISTDSD DATASET('USID007.**')
                                 LISTDSD ID(USID007)
                                 LISTDSD PREFIX(CPAC)
                                 LISTDSD DATASET('SYS1.**') ALL


ALTDSD:
  • The ALTDSD command is used to alter a RACF-defined data set profile.
  • You can also use it to set or remove the RACF indicator on non-VSAM DASD data sets and on tape data sets.
  • Conditions: 1. Have the SYSTEM-LEVEL OPERATIONS attribute. 2. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 3. Have at least READ access to the profile, or the HLQ of the profile matches your user ID.
Examples:

        ALTDSD 'USID007.**' AUDIT(S(U),F(R))

The above command sets the audit options of the profile so that successful accesses at UPDATE authority or higher, and failed access attempts at READ authority or higher, are logged.

DELDSD:
  • The DELDSD command is used to remove the RACF protection over the datasets.
Examples:

For Discrete:                      DELDSD 'USID007.SGRP1.PS007'
For Generic:                       DELDSD 'USID007.**'
                                          SETROPTS GENERIC(USID007.**) REFRESH


PERMIT:
  • The PERMIT command is used to give specific users or groups a specific level of access to a particular resource.
  • As discussed earlier, the access given through UACC applies to all users.
  • PERMIT explicitly allows specific users to access the resource by placing entries in the profile's access list.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute, or the resource must come under the scope of the group where you have the GROUP-LEVEL SPECIAL attribute. 2. If the resource is a data set, the HLQ of the data set you are protecting must be the same as your user ID. 3. You must be the OWNER of the resource.
Examples:

        PERMIT 'USID007.**' ID(LEKHA,DBA) ACCESS(UPDATE)

The above command gives the user 'LEKHA' and the users of the group 'DBA' UPDATE access to the data sets protected by the generic profile 'USID007.**'.

                           PERMIT 'USID007.*' ID(ARJUN) DELETE

The above command will remove the entries pertaining to the User 'ARJUN' from the access list of the GENERIC dataset profile 'USID007.*'.
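As an added example (not part of the original page or of IBM's code), the following Python models how the data set profiles and PERMIT entries above combine into one access decision: generic matching for '%', '*' and '**', most-specific-profile selection, then the access list (user entry, group entries, ID(*)) and finally UACC. The profile and user names are taken from the page's examples; the group memberships and the exact specificity ordering are assumptions of the model.

```python
"""Educational model of RACF DATASET-class access checking (not IBM code).

Rules modelled from the page: '%' = any single character, '*' = zero or more
characters inside a qualifier or exactly one whole qualifier, '**' = zero or
more qualifiers; the most specific covering profile decides; the access list
is consulted (user entry, then group entries, then ID(*)) before UACC; the
hierarchy is NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER.
"""
import re
from dataclasses import dataclass, field

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def access_ge(have: str, need: str) -> bool:
    """True if authority 'have' is at least 'need' in the access hierarchy."""
    return ACCESS_ORDER.index(have) >= ACCESS_ORDER.index(need)


@dataclass
class Profile:
    name: str                                # e.g. 'USID007.**'
    uacc: str = "NONE"                       # universal access authority
    acl: dict = field(default_factory=dict)  # access list: ID -> authority (PERMIT)


def qualifier_matches(pat: str, qual: str) -> bool:
    """Match one qualifier: '%' = exactly one character, '*' = zero or more."""
    rx = "".join("." if c == "%" else ".*" if c == "*" else re.escape(c) for c in pat)
    return re.fullmatch(rx, qual) is not None


def profile_covers(profile_name: str, dsn: str) -> bool:
    """True if the (possibly generic) profile name covers data set name dsn."""
    pats, quals = profile_name.split("."), dsn.split(".")
    if "**" in pats:                         # '**' = zero or more qualifiers
        i = pats.index("**")
        head, tail = pats[:i], pats[i + 1:]
        if len(quals) < len(head) + len(tail):
            return False
        return (all(qualifier_matches(p, q) for p, q in zip(head, quals))
                and all(qualifier_matches(p, q)
                        for p, q in zip(tail, quals[len(quals) - len(tail):])))
    # without '**' each qualifier, including a lone '*', matches exactly one
    return len(pats) == len(quals) and all(
        qualifier_matches(p, q) for p, q in zip(pats, quals))


def specificity(profile_name: str) -> list:
    """Sort key for most-specific-first ordering (model assumption: at the first
    differing position a literal beats '%', which beats '*', which beats a '**'
    qualifier).  A discrete name therefore always sorts before a generic one."""
    key = []
    for qual in profile_name.split("."):
        if qual == "**":
            key.append(3)
        else:
            key.extend(0 if c not in "%*" else (1 if c == "%" else 2) for c in qual)
        key.append(-1)                       # qualifier boundary
    return key


def find_profile(profiles, dsn):
    """Return the most specific profile covering dsn, or None if unprotected."""
    covering = [p for p in profiles if profile_covers(p.name, dsn)]
    return min(covering, key=lambda p: specificity(p.name), default=None)


def check_access(profiles, dsn, user, groups, need):
    """Decide whether user (connected to groups) gets 'need' to dsn.

    Returns (True/False/None, reason).  None = no covering profile, so RACF
    makes no decision here (SETROPTS PROTECTALL is not modelled).  A user's own
    ACL entry wins over group entries; otherwise the highest group entry; then
    an ID(*) entry; then UACC."""
    p = find_profile(profiles, dsn)
    if p is None:
        return None, f"{dsn}: no covering profile"
    if user in p.acl:
        granted = p.acl[user]
    else:
        hits = [p.acl[g] for g in groups if g in p.acl]
        granted = max(hits, key=ACCESS_ORDER.index) if hits else p.acl.get("*", p.uacc)
    return access_ge(granted, need), f"{dsn}: profile {p.name} grants {granted}"


# Profiles built from the page's ADDSD / PERMIT examples.  ADDSD puts the
# creator (USID007) on the access list with ALTER unless NOADDCREATOR is set.
PROFILES = [
    Profile("USID007.GRP1.PS007", uacc="NONE", acl={"USID007": "ALTER"}),
    Profile("USID007.**", uacc="READ",
            acl={"USID007": "ALTER", "LEKHA": "UPDATE", "DBA": "UPDATE"}),
]
# Constructed sample connect data (not from the page): user -> connected groups.
GROUPS = {"USID007": ["SGRP1"], "LEKHA": ["GRP1"], "ARJUN": ["DBA"], "GUEST": []}


def demo():
    cases = [
        ("LEKHA", "USID007.GRP1.OTHER", "UPDATE"),  # generic ACL entry
        ("LEKHA", "USID007.GRP1.PS007", "READ"),    # discrete profile wins: NONE
        ("ARJUN", "USID007.REPORT", "UPDATE"),      # via group DBA
        ("ARJUN", "USID007.REPORT", "ALTER"),       # UPDATE is not ALTER
        ("GUEST", "USID007.REPORT", "READ"),        # UACC(READ)
        ("GUEST", "PAYROLL.MASTER", "READ"),        # no profile: undecided
    ]
    return [(u, d, n) + check_access(PROFILES, d, u, GROUPS[u], n) for u, d, n in cases]


if __name__ == "__main__":
    for user, dsn, need, ok, why in demo():
        verdict = "ALLOW" if ok else ("DENY " if ok is False else "UNDEF")
        print(f"{user:8} {need:7} {verdict}  {why}")
```

The second case is the one to notice: the generic profile grants LEKHA UPDATE, but the discrete profile for USID007.GRP1.PS007 is more specific and its UACC(NONE) applies.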


Refreshing Dataset profile in the RACF database:
  • RACF stores recently referred profiles in the Real Storage. The list of recently referred profiles is called "In-Storage Profile List".
  • The least recently used profile are replaced by the new profiles. So, until the profile gets replaced in the In-Storage Profile List, RACF keeps returning the old result.
  • Please issue the below command so that the profiles in the In-Storage List are updated to reflect the RACF database.
                                                           SETROPTS REFRESH

RVARY:
  • The RVARY command is used to:
     1. Deactivate and reactivate the RACF functions.
     2. Deactivate or reactivate secondary RACF databases and switch the RACF databases in case of failure.
     3. Deactivate protection of resources belonging to classes defined in the CDT (Class Descriptor Table) while RACF is inactive.

Syntax:
          
        RVARY [ACTIVE | INACTIVE] [NOCLASSACT(class_name)]
              [SWITCH] [DATASET(dataset_name)]
              [LIST | NOLIST]

Examples:

                              RVARY LIST

The above command lists the primary and secondary RACF databases.

                          RVARY ACTIVE DATASET(SYS1.RACFSEC)

The above command activates the secondary RACF databases.

                         RVARY SWITCH DATASET(SYS1.RACFSEC)

The above command switches to use secondary RACF database.

                          RVARY INACTIVE,NOCLASSACT(TAPEVOL)

The above command deactivates RACF and removes the protection of TAPEVOL class while RACF is inactive.


General Resource Profiles:
  • A general resource profile protects the system resources other than datasets.
  • A general resource profile includes the general resource profile name, UACC, access list.
  • General resources with similar characteristics belong to the same class.
  • General resources are all of the resources that are defined in the CDT. Some of the common general resource classes cover DASD volumes, tape volumes (TAPEVOL), load modules, terminals, etc.
  • If a general resource class is not active, the resource is not protected even if a general resource profile is defined for it.
RDEF:
  • The RDEFINE or RDEF command is used to define a profile belonging to classes specified in the CDT.
Examples:
 
        RDEF TESTCLAS USID007.GRP1.** ADDMEM(USID007)
             UACC(READ) NOTIFY(USID007)

The above command creates the profile USID007.GRP1.** in the class "TESTCLAS" with a UACC of READ, adds "USID007" as a member of that grouping profile, and notifies USID007 of denied access attempts.


RLIST:
  • The RLIST command is used to list the attributes of a general resource profile.
  • Conditions: 1. Have the SYSTEM-LEVEL SPECIAL attribute. 2. Have the AUDITOR or OPERATIONS attribute at SYSTEM-LEVEL. 3. Be the OWNER of the resource.
Example:

        RLIST OPERCMDS USID007.GRP1.** ALL

The above command lists all segments and the access list of the profile USID007.GRP1.** in the class OPERCMDS.


RALTER or RALT:
  • The RALTER or RALT command can be used to modify the attributes of the general resource profile.
  • Conditions: 1. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 2. If you are the OWNER of the profile. 3. If you have the SYSTEM-LEVEL or GROUP-LEVEL AUDITOR attribute.
Example:

        RALT OPERCMDS USID007.** UACC(UPDATE) OWNER(USID007)


RDELETE or RDEL:
  • The RDELETE or RDEL command is used to delete a general resource profile.
  • Conditions: 1. Have the SYSTEM-LEVEL or GROUP-LEVEL SPECIAL attribute. 2. You should be the OWNER of the profile. 3. Have the SYSTEM-LEVEL or GROUP-LEVEL OPERATIONS attribute.
Examples:

                                 RDEL TESTCLAS USID007.**



Allowing a User or Group to access a general resource profile:

        PE USID007.** CL(class_name) ID(LEKHA) ACCESS(CONTROL)

To remove LEKHA's entry from the access list again, use the DELETE operand instead of ACCESS:

        PE USID007.** CL(class_name) ID(LEKHA) DELETE


Searching a Profile in a Class:
  • The SEARCH command can be used to search the RACF database.
Examples:

SEARCH CLASS(FACILITY) MASK(USID007)

The above command lists all the generic profiles starting with USID007.

SEARCH CLASS(FACILITY) FILTER(**.GRP1.**)

The above command lists the discrete and generic profiles with 'GRP1' as the second level qualifier.

SEARCH CLASS(FACILITY) USER(USID007)

The above command lists all the discrete and generic profiles in the class with the UserID 'USID007'.

SEARCH CLASS(FACILITY) AGE(90)

The above command lists all the profiles in the 'FACILITY' class that are not accessed for the past 90 days.

RACLIST:
  • RACLIST storage holds frequently accessed general resource profiles in memory. It is not updated automatically when the profiles change; it has to be refreshed manually with SETR RACLIST(class_name) REFRESH.
  • The SETROPTS command is used to RACLIST a general resource class:
        SETROPTS RACLIST(class_name)


Set RACF Options or SETROPTS:
  • The SETROPTS command is used to setup System-wide RACF options.
Syntax:

SETR [ADSP | NOADSP]
     [{AUDIT | NOAUDIT}({class-name ... | *})]
     [{CLASSACT | NOCLASSACT}({class-name ... | *})]
     [ERASE[({ALL | SECLEVEL(seclevel-name) | NOSECLEVEL})] | NOERASE]
     [{GENLIST | NOGENLIST}(class-name ...)]
     [INACTIVE(unused-userid-interval) | NOINACTIVE]
     [LANGUAGE([PRIMARY(language)] [SECONDARY(language)])]
     [LIST]
     [{RACLIST | NORACLIST}(class-name ...)]
     [PASSWORD([HISTORY(number-previous-passwords) | NOHISTORY]
               [INTERVAL(password-change-interval)]
               [REVOKE(number-invalid-passwords) | NOREVOKE]
               [WARNING(days-before-password-expires) | NOWARNING])]
     [REFRESH]
     [RVARYPW([SWITCH(switch-pw)] [STATUS(status-pw)])]
     [REALDSN | NOREALDSN]
     [TAPEDSN | NOTAPEDSN]
     [TERMINAL(NONE | READ)]


Here,

ADSP: Specifies that data sets created by users who have the automatic data set protection (ADSP) attribute are RACF-protected automatically. ADSP is in effect when RACF is using a newly initialized database.


AUDIT(class-name ... | *): Specifies the names of the classes for which you want RACF to perform auditing.

CLASSACT(class-name ...|*): Specifies those classes defined by entries in the class descriptor table for which RACF protection is to be in effect.


ERASE(erase-indicator): Specifies that data management is to physically erase the DASD data set extents at the time the DASD data set is deleted (scratched) or released for reuse.


GENLIST(class-name ...): Activates the sharing of in-storage generic profiles for the classes specified. When GENLIST is active for a class, the generic profiles for that class are loaded into common storage (ECSA) instead of being resident in the private storage (ELSQA) of each user who references the class. Before activating GENLIST for a class, you should check with your system programmer to determine if your system is configured with enough ECSA to contain the profiles.


INACTIVE(unused-userid-interval): Specifies the number of days (1 to 255) that a user ID can remain unused and still be considered valid.


LANGUAGE: Specifies the system-wide defaults for national languages to be used on your system. You can specify a primary language, a secondary language, or both.


LIST: Specifies that the current RACF options are to be displayed.


HISTORY(number-previous-passwords): Specifies the number of previous passwords (1 to 32) that RACF saves for each user ID and compares with an intended new password. If there is a match with one of these previous passwords, or with the current password, RACF rejects the intended new password.


INTERVAL(password-change-interval): Specifies the maximum number of days (1 to 254) that each user’s password is valid.


REVOKE(number-invalid-passwords): Specifies the number (1 to 255) of consecutive incorrect password attempts RACF allows before it revokes the user ID on the next incorrect attempt.


WARNING: Specifies the number of days (1 to 255) before a password expires when RACF is to issue a warning message to a TSO user.


RACLIST(class-name ...): Activates the sharing of in-storage profiles, both generic and discrete, for the classes specified.


REALDSN: Specifies that RACF is to record, in any SMF log records and operator messages, the real data set name (not the naming-conventions name) used on the data set commands and during resource access checking and resource definition.


REFRESH: Refreshes the in-storage generic profiles when specified with GENERIC, GLOBAL or RACLIST, or the in-storage program control tables.


RVARYPW([SWITCH(switch-pw)] [STATUS(status-pw)]): Specifies the passwords that the operator is to use to respond to requests to approve RVARY command processing, where switch-pw is the response to a request to switch RACF databases or change the operating mode of RACF and status-pw is the response to a request to change RACF or database status from ACTIVE to INACTIVE or from INACTIVE to ACTIVE.


TAPEDSN: Activates tape data set protection. When tape data set protection is in effect, RACF can protect individual tape data sets as well as tape volumes.


TERMINAL(READ | NONE): Used to set the universal access authority (UACC) associated with undefined terminals. If you specify TERMINAL but do not specify READ or NONE, the system prompts you for a value.
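An added example, not code from the page or from IBM: a small Python model of how the HISTORY, INTERVAL, REVOKE, WARNING and INACTIVE operands above interact on a password change and on a logon. The value ranges are the ones the page gives; the default values, user states and return strings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class PasswordOptions:
    history: int = 8       # HISTORY(1-32)
    interval: int = 90     # INTERVAL(1-254)
    revoke: int = 3        # REVOKE(1-255)
    warning: int = 10      # WARNING(1-255)
    inactive: int = 60     # INACTIVE(1-255)
    def __post_init__(self):
        for name, hi in {"history": 32, "interval": 254, "revoke": 255,
                         "warning": 255, "inactive": 255}.items():
            if not 1 <= getattr(self, name) <= hi:
                raise ValueError(f"{name.upper()} must be 1-{hi}")

@dataclass
class UserState:
    password: str                                  # plain string in this model only
    previous: list = field(default_factory=list)   # saved history, newest first
    pw_age_days: int = 0
    days_unused: int = 0
    bad_attempts: int = 0
    revoked: bool = False

def change_password(opts, user, new_pw):
    """HISTORY: reject a new password equal to the current one or to any saved one."""
    if new_pw == user.password or new_pw in user.previous:
        return "REJECTED: matches current or a previous password"
    user.previous = [user.password, *user.previous][:opts.history]   # keep HISTORY entries
    user.password, user.pw_age_days = new_pw, 0
    return "OK"

def logon(opts, user, supplied_pw):
    """INACTIVE, REVOKE, INTERVAL and WARNING applied to one logon attempt."""
    if user.revoked or user.days_unused > opts.inactive:   # INACTIVE: unused too long
        user.revoked = True
        return "REVOKED"
    if supplied_pw != user.password:
        user.bad_attempts += 1
        if user.bad_attempts > opts.revoke:     # REVOKE(n) allows n failures, revokes on the next
            user.revoked = True
            return "REVOKED: consecutive incorrect passwords"
        return f"INVALID PASSWORD ({user.bad_attempts} of {opts.revoke} allowed)"
    user.bad_attempts, user.days_unused = 0, 0  # successful logon resets both counters
    remaining = opts.interval - user.pw_age_days
    if remaining < 0:                           # INTERVAL exceeded
        return "EXPIRED: new password required"
    if remaining <= opts.warning:               # inside the WARNING window
        return f"OK, WARNING: password expires in {remaining} days"
    return "OK"
```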


Important RACF Elements:


RACF Database: 
  • The RACF database holds the profiles for all users, groups, data sets and other general resources defined to RACF.
  • A backup database can be defined and maintained using the RVARY command.
  • The RACF database is updated using the SETROPTS REFRESH command.
Access Control List:
  • The LISTDSD command displays the access list of a data set profile, that is, the users and groups that can access the data sets it protects.
Class Descriptor Table:
  • The CDT contains RACF information that specifies how general resources are processed.
  • The CDT consists of an entry for each class except USER, GROUP and DATASET.
Global Access Checking Table:
  • During authorization checking, RACF consults the GAC table before it checks the in-storage profiles and the RACLISTed profiles in real storage.
  • The GAC table is kept in real storage and is used for public resources that are shared among all users and accessed frequently.

JCL for GAC Table:


***********************************

//USID007 JOB ,,NOTIFY=USID007
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
  RDEF GLOBAL DATASET
  RALT GLOBAL DATASET ADDMEM('SYS1.HELP/READ')
  SETROPTS GLOBAL(DATASET) REFRESH
/*
//

***********************************
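An added Python model, not IBM code, of the checking order described above: the GAC table is consulted first and, only on a miss, the data set profile. The tables, user IDs, groups and profiles are constructed in the GLOBAL DATASET entry style of the JCL, and profile selection is simplified to "first match, exact names before generics"; RACF's own most-specific-profile selection is more involved.

```python
import re

ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]   # RACF access order

def generic_to_regex(name):
    """RACF generic characters: % = one character, * = rest of one qualifier,
    ** = zero or more whole qualifiers (enhanced generic naming assumed)."""
    pattern = ""
    for i, q in enumerate(name.split(".")):
        if q == "**":
            pattern += r"(?:\.[^.]+)*" if i else r"[^.]+(?:\.[^.]+)*"
        else:
            pattern += (r"\." if i else "") + "".join(
                "[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c) for c in q)
    return re.compile(pattern + r"\Z")

def gac_grants(gac_table, userid, dsname, requested, restricted=False):
    """GAC can only grant, never deny: a miss simply falls through to the profile.
    RESTRICTED users never obtain access through GAC, and GAC hits are not logged."""
    if restricted:
        return False
    for entry, level in gac_table.items():
        entry = entry.replace("&RACUID", userid)        # per-user substitution
        if generic_to_regex(entry).match(dsname) and ACCESS.index(level) >= ACCESS.index(requested):
            return True
    return False

def authorize(gac_table, profiles, groups, userid, dsname, requested, restricted=False):
    """The order the page describes: GAC table first, then the in-storage profile.
    Profile selection is simplified to first match with exact names before generics."""
    if gac_grants(gac_table, userid, dsname, requested, restricted):
        return "GRANTED: global access checking table"
    for name in sorted(profiles, key=lambda p: any(c in p for c in "*%")):
        if not generic_to_regex(name).match(dsname):
            continue
        uacc, acl = profiles[name]
        if userid in acl:                                # a user entry overrides group entries
            level = acl[userid]
        elif any(g in acl for g in groups):              # highest access among the user's groups
            level = max((acl[g] for g in groups if g in acl), key=ACCESS.index)
        else:                                            # UACC, which RESTRICTED users do not get
            level = "NONE" if restricted else uacc
        verdict = "GRANTED" if ACCESS.index(level) >= ACCESS.index(requested) else "DENIED"
        return f"{verdict}: profile {name} gives {level}"
    return "NO PROFILE: outcome depends on SETROPTS PROTECTALL"

# Constructed sample tables: a GLOBAL DATASET entry in the style of the JCL above, plus
# an &RACUID entry that gives every user full access to data sets under their own ID.
GAC_TABLE = {"SYS1.HELP.**": "READ", "&RACUID.**": "ALTER"}
PROFILES = {"SYS1.HELP.**": ("NONE", {"SYSPROG": "UPDATE"}), "PAYROLL.**": ("NONE", {"PAYGRP": "READ"})}
```

Because a GAC hit bypasses the profile entirely, an entry such as SYS1.HELP/READ is effectively public and leaves no audit trail, which is why the table should only ever carry resources that are meant to be shared by everyone.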


Started Procedure Table:
  • In general, only RACF users and groups can access RACF-protected resources. To enable started procedures to access RACF-protected resources, those started procedures must have user IDs and group names assigned.
  • You can add entries to the SPT using ICHRIN00 or with the ALU or AU commands.
  • Usually, the user IDs associated with started procedures are assigned the PROTECTED attribute to prevent misuse of those IDs.
Data Security Monitor or DSMON:
  • DSMON is an APF-authorized batch program that normally runs while RACF is active and generates the reports you select with the FUNCTION and USEROPT control statements.
  • The reports generated are as follows:
  • System Report: Lists the CPU ID, CPU model, MVS level, SYSRES volume, etc.
  • Program Property Table Report: Lists each program name, whether it bypasses password protection, and its associated system key.
  • Authorized Caller Table Report: Lists the callers that are authorized to execute RACF functions such as RACINIT and RACLIST.
  • RACF Exits Report: Lists the RACF exits for functions such as RACINIT, RACDEF, RACHECK, FRACHECK and RACLIST.
  • Selected User Attributes Report: Lists the user IDs that have the SPECIAL, AUDITOR or OPERATIONS attribute, and the user IDs that are revoked.
  • Selected User Attributes Summary Report: Lists the number of RACF-defined users and the number of users with the SPECIAL, AUDITOR and OPERATIONS attributes.
  • Started Procedures Table Report: Lists the started procedures (STCs) and the user ID and group assigned to each STC task.
  • Group Tree Report: Lists the hierarchy of groups, starting from the SYS1 group.
  • Class Descriptor Table Report: Lists the resource classes with their status, audit and statistics settings, UACC, etc.
  • Global Access Checking Table Report: Lists the frequently accessed resources that are shared among all users.
  • Selected Database Report: Lists sensitive data sets with their DSNAME and VOLSER, and whether each is RACF-protected.
JCL for DSMON:

***********************************
//USID007 JOB ,,NOTIFY=USID007
//STEP1 EXEC PGM=ICHDSM00
//SYSUT1 DD DSN=SYS1.PARMLIB,DISP=SHR
//SYSUT2 DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
  LINECOUNT 0
  FUNCTION RACCDT SYSPPT RACGAC
/*
//
***********************************

Here,


RACCDT => RACF Class Descriptor Table Report function
SYSPPT => RACF Program Property Table Report function
RACGAC => RACF Global Access Checking Table Report function


RACF Auditing Tools:
  • Data Security Monitor or DSMON
  • RACF Data Unload Utility IRRDBU00: Reads a RACF database (the primary or the backup) and creates a sequential data set.
  • SMF Data Unload Utility IRRADU00: Copies the contents of the SMF dump data sets obtained using IFASMFDP.
  • RACF Report Writer RACFRW: Lists the contents of SMF records obtained using IFASMFDP in three phases: command processing, record selection and report generation.
