RACF Your Way: CSDATA and LEVEL Presented by Vanguard Integrity Professionals


Legal Notice

Copyright

©2013 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

IBM, RACF, CICS, DB2, and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Vanguard Administrator, Vanguard Advisor, and Vanguard Analyzer are trademarks of Vanguard Integrity Professionals – Nevada.


RACF Your Way

• Custom Data Field (CSDATA)

– A new Segment on the User & Group profile

– Introduced in IBM® z/OS® V1R10

– User definable

– Securable

• LEVEL field

– Been there forever (well at least a very long time)

– IBM/RACF® does not use the field for any “decisions”

– Not to be confused with SECLEVEL


RACF Your Way - Overview

CSDATA

What is it & Why should I care

How do we define it

How do we maintain/use it

How do we secure it

LEVEL

Why would we want to use it

Where is it

How is it used


RACF Your Way - CSDATA

WHAT is CSDATA.

A user definable segment available on the User & Group

profiles.

No need for Assembler or any other programming skills

Defined in the CFIELD General Resource Class using

standard RACF commands


RACF Your Way - CSDATA

WHY do I need it

Provides an alternative to Installation Data or use of other

predefined segments to keep YOUR info in the RACF

database

Access to view/change can be secured using the FIELD class

Formatted and labeled (unlike the free form Installation Data)


RACF Your Way – Examples of Use

What would I put in CSDATA

Any info that you want for example:

– Department

– Employee ID

– SSN

– Email address

– Physical Location (City/State)

– etc, etc


RACF Your Way - CSDATA

HOW do I define it

The CSDATA segment is defined in the CFIELD General Resource class

Uses 9 keywords to build the segment

Can define multiple “fields” in the CSDATA segment


RACF Your Way - CSDATA

RACF Command format

Numeric field:

Character field:


RACF Your Way - CSDATA

OK….got it defined, now what.

Before using the new field we have to tell TSO how to parse the RACF command


RACF Your Way - CSDATA

OK….got it defined, now what.

Populating a CSDATA segment on a profile

Displaying a CSDATA segment


RACF Your Way - CSDATA

Other ways to “get” the CSDATA:

– RACF Panels

– Vanguard Administrator™

– LDAP SDBM

– R_admin

– IRRXUTIL

– RACROUTE REQUEST=EXTRACT

– ICHEINTY


RACF Your Way - CSDATA

HOW do we secure this data

Controlling access to CFIELD definitions

To View – grant READ access

To Modify – grant UPDATE

Controlling access to CSDATA SEGMENTS

To View – grant READ access

To Modify – grant UPDATE

NOTE: This allows access for the data on all users/groups

&RACUID can be used on the access list to allow a user to access

only their own data


RACF Your Way - CSDATA

Examples:

Allow all users to view Custom field definitions

RDEFINE FIELD CFIELD.CFDEF.* UACC(READ)

Allow the user SECUSER to define/alter field definitions

ALU SECUSER CLAUTH(CFIELD)

PERMIT CFIELD.CFDEF.* CLASS(FIELD) ID(SECUSER) ACCESS(UPDATE)

Allow users to update their own email address data

RDEF FIELD USER.CSDATA.EMAIL UACC(NONE)

PERMIT USER.CSDATA.EMAIL CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)

Allow the HR group to view/update an Employee ID number

RDEF FIELD USER.CSDATA.EMPID UACC(NONE)

PERMIT USER.CSDATA.EMPID CLASS(FIELD) ID(HR) ACCESS(UPDATE)


RACF Your Way - CSDATA

In summary:

Use RDEFINE to define the CFDEF segment in the CFIELD class (this will represent the RACF keyword)

Use IRRDPI00 to activate the newly defined keyword

Use the new keyword (CSDATA keyword(---)) to store data in the segment of a USER or GROUP profile
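
The define, activate, populate and display sequence summarized above, written out as TSO commands. This is an added example, not taken from the original slides. The field attributes, the HELP and LISTHEAD text and the user ID JSMITH are assumed sample values; EMPID and EMAIL follow the field names used in the FIELD class examples earlier in the deck.

```tso
/* 1. Define the custom fields. The CFIELD profile name is          */
/*    USER.CSDATA.<field>; the CFDEF segment holds the attributes.  */
/*    Numeric field (sample limits):                                */
RDEFINE CFIELD USER.CSDATA.EMPID UACC(NONE) +
  CFDEF(TYPE(NUM) FIRST(NUMERIC) OTHER(NUMERIC) +
        MAXLENGTH(8) MINVALUE(1) MAXVALUE(99999999) +
        HELP('EMPLOYEE ID, 1 TO 8 DIGITS') +
        LISTHEAD('EMPLOYEE ID ='))

/*    Character field (sample limits, mixed case kept):             */
RDEFINE CFIELD USER.CSDATA.EMAIL UACC(NONE) +
  CFDEF(TYPE(CHAR) FIRST(ANY) OTHER(ANY) +
        MAXLENGTH(64) MIXED(YES) +
        HELP('E-MAIL ADDRESS, UP TO 64 CHARACTERS') +
        LISTHEAD('E-MAIL ADDRESS ='))

/* 2. Rebuild the dynamic parse table so that TSO accepts the new   */
/*    EMPID and EMAIL keywords on RACF commands.                    */
IRRDPI00 UPDATE

/* 3. Populate the CSDATA segment on a user profile                 */
/*    (JSMITH and both values are constructed samples).             */
ALTUSER JSMITH CSDATA(EMPID(123456) EMAIL('jsmith@example.com'))

/* 4. Display only the CSDATA segment.                              */
LISTUSER JSMITH CSDATA NORACF

/* 5. After adding or changing FIELD class profiles that control    */
/*    access to these fields, refresh the in-storage copy           */
/*    (assumes the FIELD class is active and RACLISTed).            */
SETROPTS RACLIST(FIELD) REFRESH
```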


RACF Your Way - LEVEL

• LEVEL field

– Been there forever (well at least a very long time)

– IBM/RACF does not use the field for any “decisions”

– Not to be confused with SECLEVEL


RACF Your Way - LEVEL

What is it?

The LEVEL field is a user modifiable field available on

Dataset & General Resource Profiles

It is a 2 digit numeric field (00 – 99)

Is recorded in SMF records created when access to a

resource/dataset is audited.


RACF Your Way - LEVEL

Why do I need this?

Can tie related Dataset and General resource profiles

together.

Simplifies reporting on related profiles that cannot be selected using traditional masking.

Aids in generating audit reports for regulatory compliance


RACF Your Way - LEVEL

How do I Use it?

For Datasets:

AD or ALD 'profile' LEVEL(nn)

For General Resources:

RDEF or RALT class profile LEVEL(nn)

To Search for “leveled” profiles:

SEARCH CLASS(class) LEVEL(nn)


RACF Your Way - LEVEL

Example – APF Libraries

“Tag” all the profiles for APF libraries as level 10.

Create Access Review reports for APF libraries

Generate daily Vanguard Advisor™ reports for any access above READ


RACF Your Way - LEVEL

Use Vanguard Analyzer™ (Option B) to determine which are your APF libraries.


RACF Your Way - LEVEL

Determine the protecting profile


RACF Your Way - LEVEL

Update the protecting profile:

Note: It is recommended that APF libraries be protected with fully qualified Generic profiles.


RACF Your Way - LEVEL

Now you can get access lists in a single report for all

APF libraries.


RACF Your Way - LEVEL

Or….you can report on all access to an APF library higher than READ.


RACF Your Way - LEVEL

Other uses:

PII (Personally Identifiable Information)

“LEVEL” datasets with PII Data, CICS® transactions that access PII

data and DB2® Tables containing PII data

Security related information

RACF Database, SMF datasets containing type 80 records, Security administrators’ personal datasets

Resources specific to a critical/sensitive business application

Payroll, accounting, pricing, etc


Questions


Vanguard’s zSecurity University – Upcoming Schedule

– 10/28 - 11/1: V201: Intermediate RACF Administration (Online)

– 11/4 - 11/8: V101: Developing Effective RACF Administration Skills (Online)

– 11/13 - 11/15: V204: Automating Security Reviews using VCM (Las Vegas)

– 11/18 - 11/22: V101: Developing Effective RACF Administration (Las Vegas)

– 11/18 - 11/22: V201: Intermediate RACF Administration (Washington, DC)

Register to attend a course, or to get more information: http://www.go2vanguard.com/training/index.php

Customer Savings: Special Discounts for software customers and VSC 2013 attendees

Don’t forget that all of the zSecurity University courses are eligible for CPE Credits and all course materials for in person classes are provided on a tablet computing device that the attendee keeps at the end of the class.
