RACF Your Way:
CSDATA and LEVEL
Presented by
Vanguard Integrity Professionals
Copyright
©2013 Vanguard Integrity Professionals, Inc. All Rights Reserved. You
have a limited license to view these materials for your organization’s
internal purposes. Any unauthorized reproduction, distribution, exhibition
or use of these copyrighted materials is expressly prohibited.
Trademarks
IBM, RACF, CICS, DB2, and z/OS are trademarks or registered
trademarks of International Business Machines Corporation in the United
States, other countries, or both. Vanguard Administrator, Vanguard
Advisor, and Vanguard Analyzer are trademarks of Vanguard Integrity
Professionals – Nevada.
Legal Notice
RACF Your Way
• Custom Data Field (CSDATA)
– A new Segment on the User & Group profile
– Introduced in IBM® z/OS® V1R10
– User definable
– Securable
• LEVEL field
– Been there forever (well at least a very long time)
– IBM/RACF® does not use the field for any “decisions”
– Not to be confused with SECLEVEL
RACF Your Way - Overview
CSDATA
What is it & Why should I care
How do we define it
How do we maintain/use it
How do we secure it
LEVEL
Why would we want to use it
Where is it
How is it used
RACF Your Way - CSDATA
WHAT is CSDATA.
A user definable segment available on the User & Group
profiles.
No need for Assembler or any other programming skills
Defined in the CFIELD General Resource Class using
standard RACF commands
RACF Your Way - CSDATA
WHY do I need it
Provides an alternative to Installation Data or use of other
predefined segments to keep YOUR info in the RACF
database
Access to view/change can be secured using the FIELDS
class
Formatted and labeled (unlike the free form Installation Data)
RACF Your Way – Examples of Use
What would I put in CSDATA
Any info that you want for example:
– Department
– Employee ID
– SSN
– Email address
– Physical Location (City/State)
– etc, etc
RACF Your Way - CSDATA
HOW do I define it
The CSDATA segment is defined in the CFIELD General
Resource class
Uses 9 keywords to build the segment
Can define multiple “fields” in the CSDATA segment
RACF Your Way - CSDATA
RACF Command format
Numeric field:
Character field:
RACF Your Way - CSDATA
OK….got it defined, now what.
Before using the new field we have to tell TSO how to parse the
RACF command
RACF Your Way - CSDATA
OK….got it defined, now what.
Populating a CSDATA segment on a profile
Displaying a CSDATA segment
RACF Your Way - CSDATA
Other ways to “get” the CSDATA:
– RACF Panels
– Vanguard Administrator™
– LDAP SDBM
– R_admin
– IRRXUTIL
– RACROUTE REQUEST=EXTRACT
– ICHEINTY
RACF Your Way - CSDATA
HOW do we secure this data
Controlling access to CFIELD definitions
To View – grant READ access
To Modify – grant UPDATE
Controlling access to CSDATA SEGMENTS
To View – grant READ access
To Modify – grant UPDATE
NOTE: This allows access for the data on all users/groups
&RACUID can be used on the access list to allow a user to access
only their own data
RACF Your Way - CSDATA
Examples:
Allow all users to view Custom field definitions
RDEFINE FIELD CFIELD.CFDEF.* UACC(READ)
Allow the user SECUSER to define/alter field definitions
ALU SECUSER CLAUTH(CFIELD)
PERMIT CFIELD.CFDEF.* CLASS(FIELD) ID(SECUSER) ACCESS(UPDATE)
Allow users to update their own email address data
RDEF FIELD USER.CSDATA.EMAIL UACC(NONE)
PERMIT USER.CSDATA.EMAIL CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)
Allow the HR group to view/update an Employee ID number
RDEF FIELD USER.CSDATA.EMPID UACC(NONE)
PERMIT USER.CSDATA.EMPID CLASS(FIELD) ID(HR) ACCESS(UPDATE)
RACF Your Way - CSDATA
In summary:
Use RDEFINE to define the CFDEF segment in the CFIELD class
(this will represent the RACF keyword)
Use IRRDPI00 to activate the newly defined keyword
Use the new keyword (CSDATA keyword(---)) to store data
in the segment of a USER or GROUP profile
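The three summary steps, plus the FIELD class controls from the earlier slide, as one sequence. This is an added example, not taken from the presentation or from Vanguard. The field names EMPID and EMAIL and the group HR follow the deck's examples; the user ID JSMITH, the lengths, value ranges, help text and list headings are assumed, and the FIELD class is assumed to be active and RACLISTed. Comments and continuations are written as they would appear in a CLIST.

```tso
/* Added example: JSMITH and all CFDEF values are assumed          */

/* 1. Define the custom fields in the CFIELD class.                */
/*    Profile name = profile type.CSDATA.keyword                   */
RDEFINE CFIELD USER.CSDATA.EMPID UACC(NONE) -
  CFDEF(TYPE(NUM) MAXLENGTH(8) MINVALUE(1) MAXVALUE(99999999) -
        FIRST(NUMERIC) OTHER(NUMERIC) -
        HELP('EMPLOYEE ID, 1 TO 8 DIGITS') -
        LISTHEAD('EMPLOYEE ID ='))

RDEFINE CFIELD USER.CSDATA.EMAIL UACC(NONE) -
  CFDEF(TYPE(CHAR) MAXLENGTH(64) FIRST(ANY) OTHER(ANY) MIXED(YES) -
        HELP('CORPORATE EMAIL ADDRESS') -
        LISTHEAD('EMAIL ='))

/* 2. Rebuild the dynamic parse table so TSO accepts the keywords. */
IRRDPI00 UPDATE

/* 3. Field-level access: deny by default, then grant narrowly.    */
RDEFINE FIELD USER.CSDATA.EMPID UACC(NONE)
PERMIT USER.CSDATA.EMPID CLASS(FIELD) ID(HR) ACCESS(UPDATE)

RDEFINE FIELD USER.CSDATA.EMAIL UACC(NONE)
PERMIT USER.CSDATA.EMAIL CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)

/*    Pick up the new FIELD profiles in the RACLISTed class.       */
SETROPTS RACLIST(FIELD) REFRESH

/* 4. Store values in the CSDATA segment of a user profile.        */
ALTUSER JSMITH CSDATA(EMPID(1234567) EMAIL('jsmith@example.com'))

/* 5. Display only the CSDATA segment, suppressing the base data.  */
LISTUSER JSMITH CSDATA NORACF
```

With UACC(NONE) on both FIELD profiles, a user without SPECIAL who is not on the access list can neither list nor change the segment, which is the check to run after step 3.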
RACF Your Way - LEVEL
• LEVEL field
– Been there forever (well at least a very long time)
– IBM/RACF does not use the field for any “decisions”
– Not to be confused with SECLEVEL
RACF Your Way - LEVEL
What is it?
The LEVEL field is a user modifiable field available on
Dataset & General Resource Profiles
It is a 2 digit numeric field (00 – 99)
Is recorded in SMF records created when access to a
resource/dataset is audited.
RACF Your Way - LEVEL
Why do I need this?
Can tie related Dataset and General resource profiles
together.
Simplifies reporting on related profiles that cannot be
selected using traditional masking.
Aids in generating audit reports for regulatory compliance
RACF Your Way - LEVEL
How do I Use it?
For Datasets:
AD or ALD 'profile' LEVEL(nn)
For General Resources:
RDEF or RALT class profile LEVEL(nn)
To Search for “leveled” profiles:
SEARCH CLASS(class) LEVEL(nn)
RACF Your Way - LEVEL
Example – APF Libraries
“Tag” all the profiles for APF libraries as level 10.
Create Access Review reports for APF libraries
Generate daily Vanguard Advisor™ reports for any access
above READ
RACF Your Way - LEVEL
Use Vanguard Analyzer™ (Option B) to determine
which are your APF libraries.
RACF Your Way - LEVEL
Determine the protecting profile
RACF Your Way - LEVEL
Update the protecting profile:
Note: It is recommended that APF libraries be protected with fully qualified Generic profiles.
RACF Your Way - LEVEL
Now you can get access lists in a single report for all
APF libraries.
RACF Your Way - LEVEL
Or….you can report on all Access to an APF library
higher than READ.
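The APF tagging steps above using native RACF commands only. This is an added example, not taken from the presentation or from Vanguard. The library names and the choice of audit settings are assumed, and each library is assumed to be protected by a fully qualified generic profile as the deck recommends.

```tso
/* Added example: dataset names and audit settings are assumed     */

/* 1. Tag the protecting profile of each APF library as level 10.  */
/*    LEVEL only reaches SMF when the access is audited, so turn   */
/*    on auditing for successful access above READ and for all     */
/*    failures at the same time.                                   */
ALTDSD 'SYS1.LINKLIB' GENERIC LEVEL(10) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ))
ALTDSD 'SYS1.SVCLIB' GENERIC LEVEL(10) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ))

/* 2. Refresh in-storage generic profiles so the new audit         */
/*    settings take effect.                                        */
SETROPTS GENERIC(DATASET) REFRESH

/* 3. List every DATASET profile carrying the tag. A library       */
/*    missing from this output has not been tagged yet.            */
SEARCH CLASS(DATASET) LEVEL(10)

/* 4. Review the access list of a tagged profile; any entry above  */
/*    READ is a candidate for removal.                             */
LISTDSD DATASET('SYS1.LINKLIB') GENERIC AUTHUSER
```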
RACF Your Way - LEVEL
Other uses:
PII (Personally Identifiable Information)
“LEVEL” datasets with PII Data, CICS® transactions that access PII
data and DB2® Tables containing PII data
Security related information
RACF Database, SMF datasets containing type 80 records,
Security administrators' personal datasets
Resources specific to a critical/sensitive business application
Payroll, accounting, pricing, etc
Questions
Vanguard’s zSecurity University – Upcoming Schedule
10/28 - 11/1 V201: Intermediate RACF Administration, Online
11/4 - 11/8 V101: Developing Effective RACF Administration Skills, Online
11/13 - 11/15 V204: Automating Security Reviews using VCM, Las Vegas
11/18 - 11/22 V101: Developing Effective RACF Administration, Las Vegas
11/18 - 11/22 V201: Intermediate RACF Administration, Washington, DC
Register to attend a course, or to get more information: http://www.go2vanguard.com/training/index.php
Customer Savings: Special Discounts for software customers and VSC 2013 attendees
Don’t forget that all of the zSecurity University courses are eligible for CPE Credits and all course materials for in person classes are provided on a tablet computing device that the attendee keeps at the end of the class.