RACF - The Basics (v1.2)

Page 1: RACF - The Basics (v1.2)

Rui Miguel Feio. Sharing knowledge with the world.

RACF The basics

Page 2: RACF - The Basics (v1.2)

Agenda

1. Intro: What is RACF, what is it for, and how it works.

2. Users: The role of users in RACF and how to define access to the mainframe.

3. Groups: What are RACF groups, how do they work and how to use them.

4. Dataset: Dataset profiles and how to protect the data on the mainframe.

5. General: General resources and how to protect everything else on the mainframe.

6. Settings: How to configure RACF and security best practices.

7. Contact: How to contact Rui and keep in touch.

Page 3: RACF - The Basics (v1.2)

RACF: INTRODUCTION

Page 4: RACF - The Basics (v1.2)

Resource Access Control Facility (RACF).

It’s an IBM External Security Management (ESM) product that provides access control and audit functionalities for the mainframe z/OS and z/VM operating systems.

RACF provides the tools to manage user access to critical resources. It protects resources by granting access only to authorised users of the protected resources. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources.

Page 5: RACF - The Basics (v1.2)

Main Features.

1. Users: Identifies and authenticates users using a userid and a password when trying to access the mainframe operating system.

2. Protection: Allows the identification, classification and protection of mainframe system resources.

3. Access: Facilitates the maintenance of access rights to the protected resources.

4. Control: Helps control the means of access to protected resources on the mainframe.

5. Logging: Logs access to a protected system and protected resources.

6. Administration: Simplifies the administration process to meet the security goals of the company.

7. Macros: Allows applications to use RACF macros.

Page 6: RACF - The Basics (v1.2)

RACF Profiles.

What are they for? These profiles contain the necessary information to allow RACF to make a decision as to the access authority allowed for any specific request.

1. User: User profiles contain security information about the userids defined to RACF who can access (or not) the resources.

2. Group: Group profiles contain security information about group attributes and user connections.

3. General Resources: General resource profiles contain security information about all resources other than user, group or dataset.

4. Dataset: Dataset profiles contain security information about DASD and tape datasets.

Page 7: RACF - The Basics (v1.2)

Access to Profiles.

Users and groups can be defined in RACF to have different levels of access to dataset profiles and general resource profiles (programs, transactions, commands, etc).

Diagram (accessing profiles): Users & Groups -> Dataset Profiles / General Resource Profiles.

Page 8: RACF - The Basics (v1.2)

Access Levels.

From lowest (1) to greatest (6):

1. None: Access to the resource is not granted to users and groups.

2. Execute: Users and groups can execute programs from a library, but they cannot read or write into the library.

3. Read: Users and groups can access the resource but they cannot alter its contents.

4. Update: Users and groups can change the contents of the resource but they are not authorized to delete it or create a new one.

5. Control: Users and groups are granted authority to VSAM datasets (equivalent to the VSAM control password).

6. Alter: Users and groups have full control over the resource, i.e., they can create a new one, access it, modify it and delete it.

Page 9: RACF - The Basics (v1.2)

Securing the Mainframe.

Diagram: within z/OS, an Application or System Component calls a Resource Manager, which calls SAF, which calls RACF.

Authorisation Checking

1. A userid is passed from the application or system component to the resource manager.

2. The resource manager maintains the data that the userid wishes to access and calls SAF to perform an authorisation check. In some situations the resource manager may provide its own security

3. SAF passes the userid, the resource the userid wishes to access, and the access type to RACF (External Security Manager).

4. RACF refers to its database in order to make a decision.

5. RACF passes the information back to SAF and ultimately to the resource manager.

6. The resource manager makes the decision to allow or deny access based on the security information it now has.

Page 10: RACF - The Basics (v1.2)

Summary.

What we have covered so far...

• RACF controls and logs access
• RACF profiles protect resources
• Users can logon to the mainframe
• Users can be connected to Groups
• Users and groups are defined to profiles
• Access can go from None to Alter

RACF provides access control and audit functionalities for the mainframe. It uses profiles to describe mainframe resources that it protects: datasets, programs, commands, transactions, etc.

Users can logon to the mainframe via userid/password and can be grouped together into Groups to share the same levels of access. This facilitates the security management tasks.

In order to access the resources, users and groups need to be defined in the Access Control List (ACL) of the RACF profiles – dataset and general resource.

The access that a user or a group can have to a resource varies from None (no access) to Alter (full access).

Page 11: RACF - The Basics (v1.2)

RACF: USERS

Page 12: RACF - The Basics (v1.2)

What are RACF users?

• Someone who requires access to resources
• In RACF users are represented by userids
• Users must authenticate to gain access
• User authentication is done by userid/pass
• Userids can be used by people (personal)
• Userids can be used by system resources

Page 13: RACF - The Basics (v1.2)

Naming Convention.

1. Userid length: The userid name has to be one to eight characters in length.

2. Characters: Any combination of alphanumeric and $, # or @.

3. Userid: Has to be unique. The userid cannot match an existing userid or group name.

4. TSO users length: Users with the ability to logon to the mainframe system cannot exceed 7 characters in length.

5. TSO userid characters: TSO userids cannot begin with a numeric character.

Page 14: RACF - The Basics (v1.2)

Base Segment.

BASE segment fields: Userid, User Name, Owner, Default Group, User Attributes, Password.

Page 15: RACF - The Basics (v1.2)

Other Segments.

Optional user segments: TSO, CICS, OMVS, CSDATA.

Page 16: RACF - The Basics (v1.2)

Attributes – System Wide.

SPECIAL: A user can issue all RACF commands. This attribute gives the user full control over all RACF profiles in the RACF database.

AUDITOR: Given to users who are responsible for auditing RACF security controls and functions.

OPERATIONS: A user has full access authorisation to all RACF-protected resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR.

PROTECTED: Used mainly for started tasks to prevent a userid from being revoked.

RESTRICTED: Prevents a user from accessing protected resources.

REVOKE: Prevents a user from accessing the system.

CLAUTH: Allows the user to define profiles in the classes for which the user has CLAUTH.

Page 17: RACF - The Basics (v1.2)

Attributes – Group Level.

SPECIAL (Group Special): This attribute gives the user full control over all RACF profiles within the scope of the group.

AUDITOR (Group Auditor): User authority is limited to RACF profiles within the scope of the group. Given to users who are responsible for auditing RACF security controls and functions.

OPERATIONS (Group Operations): A user has full access authorisation to all RACF-protected resources in specific classes: DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE and VMRDR. User authority is limited to RACF profiles within the scope of the group.

REVOKE: Prevents a user from accessing the profiles within the scope of the group.

• The "scope of the group" is determined by the group ownership structure
• Group ownership can only occur between a superior group and its subgroups
• The scope will continue as long as "groups own groups"
• The scope ends when a group is owned by a user id

Page 18: RACF - The Basics (v1.2)

RACF Commands.

ADDUSER (AU): Add a user profile.
    Example: AU userid NAME('user_name') DFLTGRP(grp_name) OWNER(owner) PASS(password)

ALTUSER (ALU): Modify a user profile.
    Example: ALU userid PASSWORD(password)

LISTUSER (LU): List a user profile.
    Example: LU userid

DELUSER (DU): Delete a user profile.
    Example: DU userid

Page 19: RACF - The Basics (v1.2)

RACF: GROUPS

Page 20: RACF - The Basics (v1.2)

What are RACF groups?

• Collection of users with common access
• Groups can have users connected to them
• Groups facilitate user management
• Groups can have subgroups
• Each Group has an owner (user or group)
• Groups should be owned by another Group

Why are Groups so important? By adding a user to a group, we give that user access to all of the resources to which the group has access. Likewise, by removing a user from a group, we prevent the user from accessing those resources.

Some of the benefits of using RACF groups include:
• Reducing the effort to maintain access lists
• Avoiding the need to refresh in-storage profiles
• Providing a form of timed PERMIT
• Minimising the length of access lists

Page 21: RACF - The Basics (v1.2)

Naming Convention.

1. Name length: The group name has to be one to eight characters in length.

2. Characters: Any combination of alphanumeric and $, # or @.

3. Group: Has to be unique. The group name cannot match an existing userid or other group name.

4. Numerics: The group name cannot begin with a numeric character.

Page 22: RACF - The Basics (v1.2)

Group Tree.

Diagram: example group tree rooted at SYS1, showing the groups HR, STAFF, HIRE, FINANCE, IT, SECURITY, SYSTEMS, SHARED, EXTERNAL, ZOS, MVS, JUNIOR, SENIOR, CICS, CIC01, CIC02, DB2, DB201, DB202, HELPDESK, AUDIT, OFFSHORE, INDIA, AFRICA and AMERICA.

Page 23: RACF - The Basics (v1.2)

Owner and SupGroup.

Owner (determines administration): The owner of a group can define new users (providing it has got CLAUTH for the USER class), can modify, list, and delete the group profile, can connect and remove users from the group, and can define, delete, and list the names of the subgroups. The same applies for users connected to the group with the Group Special attribute.

Supgroup (determines structure): The Superior Group defines the parent group. The initial point where all groups derive from is SYS1.

But bear in mind… When creating a RACF group, always remember that:

• If you don’t specify the OWNER, your userid becomes the OWNER of the group.
• If you don’t specify the SUPGROUP, your userid’s current connect group becomes the superior group.
• If the OWNER is a group, this group will also become the SUPGROUP.

Page 24: RACF - The Basics (v1.2)

Naming Convention.

1. Name length: The group name has to be one to eight characters in length.

2. Characters: Any combination of alphanumeric and $, # or @.

3. Group: Has to be unique. The group name cannot match an existing userid or other group name.

Diagram: example group names, including names that use the national characters #, $ and @: #CIO, $WIN, $MVS, @ZVM, @ZOS, ZOS01, CICS, CICS01, CICS02, ZOS02, IMS, ZOS03, WAS, ZOS04, DB2, DB201, DB202, $AS400, $LINUX, @SUSE and @REDHAT.

Page 25: RACF - The Basics (v1.2)

Base Segment.

BASE segment fields: Group Name, Owner, Superior Group, Installation Data, Connected Users, Subgroups.

Page 26: RACF - The Basics (v1.2)

Other Segments.

Optional group segments: DFP, OMVS, CSDATA, TME, OVM.

Page 27: RACF - The Basics (v1.2)

Universal Groups.

1. Limitation of regular groups: Regular, normal RACF groups can only have up to 5,957 connected users.

2. Universal Groups: RACF Universal groups allow more than 5,957 users to be connected.

3. Set up a Universal group: To create a RACF Universal group you just need to use the UNIVERSAL parameter with the Add Group command:

    AG group OW(owner) SUP(supgroup) UNIVERSAL

4. Downside: With Universal groups, the LISTGRP command will only list users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR.

5. List all users: To view all members of a RACF Universal group, you will need to use the Database Unload Utility (IRRDBU00).

Page 28: RACF - The Basics (v1.2)

Group Attributes.

USE: Allows the user to access resources to which the group is authorised.

CREATE: Allows the user to create RACF dataset profiles for the group.

CONNECT: Allows the user to connect other users to the group.

JOIN: Allows the user to add new subgroups or users to the group, as well as assign group authorities to the new members.

• The "scope of the group" is determined by the group ownership structure
• Group ownership can only occur between a superior group and its subgroups
• The scope will continue as long as "groups own groups"
• The scope ends when a group is owned by a user id
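The "scope of the group" rule stated here (and on the Group Level attributes slide) is easy to get wrong in a deep tree. The following is an added Python model of it, my own code rather than anything from the slides or from RACF, over a constructed ownership table: the scope of a group-level attribute is computed by following "group owns group" links and stopping wherever a group is owned by a userid. The group names and the userid RFEIO are made up for the example.

```python
from typing import Dict, Set

# Constructed ownership table (not the tree on the slides): group -> owner.
# An owner is either a superior group or a userid; RFEIO is a userid here.
OWNERS = {
    "IT": "SYS1",
    "SYSTEMS": "IT",
    "ZOS": "SYSTEMS",
    "MVS": "ZOS",
    "CICS": "SYSTEMS",
    "CIC01": "CICS",
    "CIC02": "CICS",
    "SECURITY": "IT",
    "AUDIT": "SECURITY",
    "HELPDESK": "RFEIO",     # owned by a userid: the chain coming from IT stops here
    "OFFSHORE": "HELPDESK",  # but HELPDESK's own scope still reaches OFFSHORE
}


def group_scope(group: str, owners: Dict[str, str]) -> Set[str]:
    """Groups within the scope of a group-level attribute (SPECIAL, AUDITOR,
    OPERATIONS) held in `group`.

    Rule from the slides: the scope follows the ownership structure, continues
    as long as groups own groups, and ends when a group is owned by a userid.
    So start at `group` and keep adding every group whose owner is already in
    the scope; a group owned by a userid can never be reached that way.
    """
    scope = {group}
    frontier = [group]
    while frontier:
        current = frontier.pop()
        for candidate, owner in owners.items():
            if owner == current and candidate not in scope:
                scope.add(candidate)
                frontier.append(candidate)
    return scope


def can_administer(admin_group: str, target_group: str, owners: Dict[str, str]) -> bool:
    """True if group-SPECIAL in `admin_group` reaches the profiles of `target_group`."""
    return target_group in group_scope(admin_group, owners)


if __name__ == "__main__":
    for g in ("IT", "SYSTEMS", "HELPDESK"):
        print(g, "->", sorted(group_scope(g, OWNERS)))
```

Note that HELPDESK sits under IT in the superior-group sense but is outside IT's scope because its owner is a userid; that is exactly the distinction between SUPGROUP (structure) and OWNER (administration) drawn on the next slides.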

Page 29: RACF - The Basics (v1.2)

RACF Commands.

ADDGROUP (AG): Add a group profile.
    Example: AG group OWNER(owner) SUPGRP(grp_name)

ALTGROUP (ALG): Modify a group profile.
    Example: ALG group OWNER(owner) SUPGRP(grp_name)

LISTGRP (LG): List a group profile.
    Example: LG group

DELGROUP (DG): Delete a group profile.
    Example: DG group

CONNECT (CO): Connect a user to a RACF group.
    Example: CO user GROUP(group) OWNER(owner)

REMOVE (RE): Remove a user from a RACF group.
    Example: RE userid GROUP(group)

Page 30: RACF - The Basics (v1.2)

RACF: DATASET PROFILES

Page 31: RACF - The Basics (v1.2)

What are they?

• RACF dataset profiles protect datasets
• HLQ of profile must match user or group
• Must be owned by a user or a group
• PROTECTALL requires dataset profiles

Why are RACF Dataset profiles so important? Dataset profiles allow the security administrator to define who can read the content of a dataset, who can edit it, and who can create or delete a dataset. In essence, it’s the way to protect datasets on the mainframe using RACF.

If RACF option PROTECTALL is enabled, datasets can only be accessed if there’s a dataset profile in place in RACF.

Page 32: RACF - The Basics (v1.2)

Categories.

1. Discrete: Protects one data set that has unique security requirements. If the data set is deleted, the profile is deleted. Avoid using them.
    Example: TSSS.EXRT222.OUTPUT VOL123

2. Generic: Can protect one or many data sets whose data set name matches the profile name. Uses "generic" characters % and *.
    Example: TSSS.%%%%%%%.*

3. Fully-qualified generic: Can protect one or more data sets with the same data set name. The profile is not deleted if the data set is deleted.
    Example: TSSS.EXRT222.OUTPUT

4. Enhanced generic: Similar to generic profiles but can also use ** as a generic character. Implemented to provide capability comparable to that provided for General Resources.
    Example: TSSS.*.**

Generic profiles are the standard (use GEN with the RACF commands).

Page 33: RACF - The Basics (v1.2)

Naming Convention.

1. Number of qualifiers: A dataset profile can have two or more naming qualifiers.

2. Qualifiers separation: Each qualifier must be separated by a period.

3. Characters: Any combination of alphanumeric and $, # or @.

4. No numerics at the start: The first character of each qualifier cannot be a numeric.

5. Wildcards: Dataset profiles can have wildcards (%, *, **).

Page 34: RACF - The Basics (v1.2)

Generic Profiles.

Profile          Dataset Name
HLQ.DATA.*       HLQ.DATA
HLQ.D%TA.FILE    HLQ.DATA.FILE
HLQ.D*.FILE      HLQ.DATA.FILE.STUFF
HLQ.*            HLQ.MY.FILE
HLQ.*.**         HLQ.YOUR.FILE
HLQ.**.FILE      HLQ.MASTER.FILE, HLQ.BACKUP.FILE

RACF uses the most specific Generic Profile when determining which profile protects a dataset.

SR MASK(hlq.) will display the search order RACF will use.

1. To see which of two generic profiles is more specific, compare the profile names, character by character.
2. Where they first differ, if one has a discrete character and the other has a generic character, the one with the discrete character wins.
3. If both have a generic character where they differ, then:
    • If one has a % and the other has a * or **, the one with % wins.
    • If one has a * and the other has a **, the one with * wins.
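To make the "most specific profile" rule concrete, here is an added Python model (my own code, not from the slides or from RACF). It expands a profile name into a regular expression using assumed enhanced-generic-naming semantics (% = one character; * inside a qualifier = zero or more characters of that qualifier; * as a whole qualifier = exactly one qualifier; ** = zero or more qualifiers), then ranks the covering profiles with the three comparison rules above. The profile set is constructed for the example.

```python
import re
from typing import List, Optional

# Lower rank = more specific. Discrete characters rank 0; this reproduces the
# slide's rule (discrete beats generic, % beats *, * beats **) at the first
# position where two profile names differ.
GENERIC_RANK = {"%": 1, "*": 2, "**": 3}


def profile_regex(profile: str) -> re.Pattern:
    """Translate a dataset profile name into an anchored regular expression
    (assumed EGN-active semantics, see the lead-in)."""
    pieces = []
    for i, qualifier in enumerate(profile.split(".")):
        dot = "" if i == 0 else r"\."
        if qualifier == "**":
            pieces.append(r"(?:\.[^.]+)*")           # zero or more whole qualifiers
        elif qualifier == "*":
            pieces.append(dot + r"[^.]+")            # exactly one qualifier
        else:                                        # discrete chars, % and in-qualifier *
            body = "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                           for c in qualifier)
            pieces.append(dot + body)
    return re.compile("^" + "".join(pieces) + "$")


def covers(profile: str, dataset: str) -> bool:
    return profile_regex(profile).match(dataset) is not None


def tokens(profile: str) -> List[str]:
    """Split a profile name into comparison units: a discrete char, '%', '*' or '**'."""
    out, i = [], 0
    while i < len(profile):
        unit = "**" if profile.startswith("**", i) else profile[i]
        out.append(unit)
        i += len(unit)
    return out


def specificity_key(profile: str) -> List[int]:
    """Comparing two keys element by element is the character-by-character
    comparison from the slide: the first differing position decides."""
    return [GENERIC_RANK.get(t, 0) for t in tokens(profile)]


def protecting_profile(dataset: str, profiles: List[str]) -> Optional[str]:
    """The most specific profile covering `dataset`, or None if it is unprotected."""
    candidates = [p for p in profiles if covers(p, dataset)]
    return min(candidates, key=specificity_key) if candidates else None


# Constructed profile set for the demonstration.
PROFILES = ["HLQ.**", "HLQ.*.**", "HLQ.D*.FILE", "HLQ.D%TA.FILE", "HLQ.**.FILE", "HLQ.DATA.*"]

if __name__ == "__main__":
    for ds in ("HLQ.DATA.FILE", "HLQ.DATA.FILE.STUFF", "HLQ", "OTHER.DATA"):
        print(f"{ds:22} -> {protecting_profile(ds, PROFILES)}")
```

Under PROTECTALL the None result is the interesting one: a dataset with no covering profile cannot be accessed at all.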

Page 35: RACF - The Basics (v1.2)

Access Levels.

NONE: User/Group is not allowed to access the dataset.

EXECUTE: User/Group is allowed to execute a program from the dataset, but not to Read, Copy or Modify the dataset.

READ: User/Group is allowed to Read and Copy the dataset.

UPDATE: User/Group is allowed to Read, Copy and Modify the dataset.

CONTROL (VSAM data sets): User/Group is allowed to perform improved control interval processing. This is control-interval access (access to individual VSAM data blocks), and the ability to Retrieve, Update, Insert, or Delete records in the data set.

ALTER: User/Group has full authority over the dataset (Read, Update, Create, Delete, Rename, Allocate).

Page 36: RACF - The Basics (v1.2)

Access Control List.

• Standard Access Control List:
    – Grants User/Group some level of access

• Conditional Access Control List:
    – Grants User/Group some level of access based on a condition:
        – WHEN using a certain PROGRAM
        – WHEN user is logged on to a certain TERMINAL
        – WHEN user is logged on to a certain CONSOLE
        – WHEN job submitted from a certain JESINPUT
        – WHEN user enters system from certain LU (APPCPORT)
        – WHEN user enters system from certain IP address (SERVAUTH)

Page 37: RACF - The Basics (v1.2)

UACC and ID(*).

ID(*): Defines the default access level to all RACF defined users.

UACC (Universal Access): Defines the default access level to all users and groups, defined or not in RACF.

UACC value is a required field when defining a new dataset profile.

Page 38: RACF - The Basics (v1.2)

Access.

Own Profile:
• Userid/Group has full admin control over profile (including Access List)
• Does not allow access to dataset itself

Don’t Own Profile (conditions under which access is granted):
• GAT allows access to dataset
• Userid = dataset HLQ
• Userid/Group is in ACL
• ID(*) allows access
• UACC allows access
• OPERATIONS attribute
• WARNING Mode

• Each dataset profile defined to RACF requires a RACF-defined user or group as the owner of the profile.
• The owner (if a user) has full control over the profile, including the access list. If the owner of the dataset profile is a group, users with group-SPECIAL in that group have full control over the profile.
• Ownership of dataset profiles is assigned when the profiles are defined to RACF. Note that ownership of a dataset profile does not mean that the owner can automatically access that data set.
• To access a data set, the owner must still be authorized in the profile's access list, unless the high-level qualifier of the profile name is the owner's user ID.
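An added Python model of the conditions above combined with the access-level ordering from the Access Levels slide (my own code, not from the slides or IBM). It shows the points the slide stresses: a matching HLQ grants access, an explicit ACL entry for the userid takes precedence over group entries, ID(*) and UACC only apply when nothing explicit matches, OPERATIONS and WARNING mode come last, and owning the profile grants nothing by itself. The order of the checks and the handling of an insufficient explicit entry are assumptions made for this example, not IBM's documented authorization algorithm; all profile, user and group names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Access levels from lowest to highest, as on the Access Levels slide.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def sufficient(granted: str, requested: str) -> bool:
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(requested)


@dataclass
class DatasetProfile:
    name: str
    owner: str                      # user or group: admin control over the profile, not access
    uacc: str = "NONE"              # default for everyone, defined to RACF or not
    acl: Dict[str, str] = field(default_factory=dict)   # userid/group -> level; "*" models ID(*)
    warning: bool = False           # WARNING mode: access is granted but logged


@dataclass
class User:
    userid: str
    groups: Tuple[str, ...] = ()
    operations: bool = False        # system-wide OPERATIONS attribute


def check_access(user: User, dataset: str, profile: DatasetProfile,
                 requested: str) -> Tuple[bool, str]:
    """Simplified model of the 'Don't Own Profile' conditions (check order is an
    assumption for this example). Returns (granted, reason)."""
    if dataset.split(".")[0] == user.userid:
        return True, "userid matches dataset HLQ"
    # Explicit ACL entries: the userid's own entry wins; otherwise the highest group entry.
    level: Optional[str]
    if user.userid in profile.acl:
        level, source = profile.acl[user.userid], "ACL entry for userid"
    else:
        group_levels = [profile.acl[g] for g in user.groups if g in profile.acl]
        level = max(group_levels, key=ACCESS_ORDER.index) if group_levels else None
        source = "ACL entry for group"
    if level is not None:
        if sufficient(level, requested):
            return True, f"{source} {level}"
        if profile.warning:
            return True, f"WARNING mode: {source} {level} insufficient, access logged"
        return False, f"{source} {level} insufficient"
    # Nothing explicit: try the defaults ID(*) and UACC, then OPERATIONS, then WARNING.
    for source, default in (("ID(*)", profile.acl.get("*")), ("UACC", profile.uacc)):
        if default is not None and sufficient(default, requested):
            return True, f"{source} {default}"
    if user.operations:
        return True, "OPERATIONS attribute"
    if profile.warning:
        return True, "WARNING mode: no authority, access logged"
    return False, "no authority"


# Constructed example profile: owned by the FINANCE group, which is not on the ACL.
PAYROLL = DatasetProfile("PAYROLL.**", owner="FINANCE",
                         acl={"HR": "READ", "PAYADM": "UPDATE", "TEMP01": "NONE"})
```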

Page 39: RACF - The Basics (v1.2)

RACF Commands.

ADDSD (AD): Add a dataset profile.
    Example: AD 'ds_profile' UACC(uacc_level) OW(owner)

ALTDSD (ALD): Modify a dataset profile.
    Example: ALD 'ds_profile' UACC(uacc_level) OW(owner)

LISTDSD (LD): List a dataset profile.
    Example: LD DATASET('ds_profile')

DELDSD (DD): Delete a dataset profile.
    Example: DD 'ds_profile'

PERMIT (PE): Define, modify or delete ACL entries on a dataset profile.
    Example: PE 'dsprofile' GEN ID(group) AC(access)

Page 40: RACF - The Basics (v1.2)

RACF: GENERAL RESOURCE PROFILES

Page 41: RACF - The Basics (v1.2)

What are they?

• Protect all resources other than Datasets
• General Resources grouped by Classes
• Must be owned by a user or a group

Why are RACF General Resource profiles so important? General resource profiles protect all resources other than datasets on the mainframe, for example: CICS transactions, TCP/IP ports, MVS commands, JES2 commands, ISPF panels, DB2 subsystems, etc.

Page 42: RACF - The Basics (v1.2)

Need to Know.

• Classes must be activated:
    – SETROPTS CLASSACT(class_name)
    – But… we need to define the profiles before activating it

• Classes can be RACLISTed to improve performance:
    – SETROPTS RACLIST(class_name)

• Dynamic refreshing of in-storage profiles:
    – SETROPTS RACLIST(class_name) REFRESH
    – When… adding, modifying, or deleting RACLISTed profiles

Page 43: RACF - The Basics (v1.2)

Profile Types.

• Discrete Profiles
• Generic Profiles
    – Generic characters %, *, **, and & can be used
    – Generic characters can be used in any qualifier

Page 44: RACF - The Basics (v1.2)

Access Control List.

• Standard Access Control List:
    – Grants User/Group some level of access

• Conditional Access Control List:
    – Grants User/Group some level of access based on a condition:
        – WHEN user is logged on to a certain TERMINAL
        – WHEN user is logged on to a certain CONSOLE
        – WHEN job submitted from a certain JESINPUT
        – WHEN user enters system from certain LU (APPCPORT)
        – WHEN user enters system id (SYSID)

Page 45: RACF - The Basics (v1.2)

UACC and ID(*).

ID(*): Defines the default access level to all RACF defined users.

UACC (Universal Access): Defines the default access level to all users and groups, defined or not in RACF.

UACC value is a required field when defining a new Generic profile.

Page 46: RACF - The Basics (v1.2)

RACF Commands.

RDEFINE (RDEF): Add a Generic Resource profile.
    Example: RDEF class_name profile_name ADDMEM(member)

RALTER (RALT): Modify a Generic Resource profile.
    Example: RALT class_name profile_name UACC(acc_level)

RLIST (RL): List a Generic Resource profile.
    Example: RL class_name profile_name ALL

RDELETE (RDEL): Delete a Generic Resource profile.
    Example: RDEL class_name profile_name

PERMIT (PE): Define, modify or delete ACL entries on a Generic Resource profile.
    Example: PE gr_profile CL(class) ID(grp_name) AC(access_level)

Page 47: RACF - The Basics (v1.2)

RACF: SETTINGS

Page 48: RACF - The Basics (v1.2)

What is SETROPTS?

• Where RACF is configured (settings)
• Accessible by System Special users
• Accessible by System Auditor users

Why is SETROPTS so important? SETROPTS contains the default settings for the RACF environment. These values can be modified by system special userids. System auditor userids have the ability to visualise the entire SETROPTS configuration.

Page 49: RACF - The Basics (v1.2)

Need to Know.

• SPECIAL users can set global controls

• AUDITOR users can set tracking options

• Need to Refresh after updating:
    – Generic
    – Global
    – RACLIST
    – WHEN(PROGRAM)

• An SMF record is written for every SETROPTS

Page 50: RACF - The Basics (v1.2)

Parameters – Examples.

CLASSACT: Specifies classes for which RACF protection will be in effect.

RACLIST: Discrete and Generic profiles for the General Resource classes specified will be copied into storage and shared by all users.

LOGOPTIONS: Audit selected access attempts to resources whether they are RACF protected or not.

PROTECTALL: Creation of or access to unprotected data sets is not allowed.

INTERVAL (Password): Maximum number of days a user's password is valid.

MINCHANGE (Password): Number of days that must pass between a user’s password changes.

MIXEDCASE (Password): Support for mixed-case passwords.

Page 51: RACF - The Basics (v1.2)

RACF Commands.

SETROPTS parameter: Modify SETROPTS values.
    Example:
    SETROPTS PASSWORD(REVOKE(5)
                      RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5))
                      RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6))
                      RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))

SETROPTS LIST: List RACF settings.
    Example: SETROPTS LIST

SETROPTS REFRESH: Refresh in-storage profiles for a specific CLASS.
    Example: SETROPTS GENERIC(class_name) REFRESH
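The PASSWORD rule syntax above packs a lot into a few parentheses: LENGTH(m:n) bounds the length, and each content keyword lists the positions it constrains, with "1,6" meaning positions 1 and 6 and "2:5" meaning positions 2 through 5. The following added Python example (my own code, not from the slides or from RACF) parses the RULEn clauses out of that exact command string and checks candidate passwords against them. Assumptions: a password is accepted if it satisfies at least one rule, positions beyond the password length are ignored, and the character classes are simplified (ALPHA = letters, NUMERIC = digits, ALPHANUM = either); RACF's exact class definitions and any extra mixed-content requirements it attaches to some keywords are not modelled.

```python
import re
from typing import Dict, List, Tuple

# The SETROPTS command from the slide, used here as constructed input.
SETROPTS_CMD = (
    "SETROPTS PASSWORD(REVOKE(5) "
    "RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)) "
    "RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)) "
    "RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))"
)

# Simplified character classes (assumption; see lead-in).
CLASSES = {"ALPHA": str.isalpha, "NUMERIC": str.isdigit, "ALPHANUM": str.isalnum}


def expand_positions(spec: str) -> List[int]:
    """'1,6' -> [1, 6]; '2:5' -> [2, 3, 4, 5]; '1,3:4' -> [1, 3, 4]."""
    positions = []
    for part in spec.split(","):
        low, _, high = part.partition(":")
        positions.extend(range(int(low), int(high or low) + 1))
    return positions


def parse_rules(cmd: str) -> Dict[str, dict]:
    """Extract every RULEn(...) clause from a SETROPTS PASSWORD(...) command."""
    rules = {}
    for match in re.finditer(r"RULE(\d+)\(", cmd):
        start = end = match.end()
        depth = 1
        while depth and end < len(cmd):              # walk to the matching close paren
            depth += {"(": 1, ")": -1}.get(cmd[end], 0)
            end += 1
        body = cmd[start:end - 1]
        rule = {"length": (1, 8), "content": []}     # length default is an assumption
        for keyword, arg in re.findall(r"(\w+)\(([^()]*)\)", body):
            if keyword == "LENGTH":
                low, _, high = arg.partition(":")
                rule["length"] = (int(low), int(high or low))
            else:
                rule["content"].append((keyword, expand_positions(arg)))
        rules["RULE" + match.group(1)] = rule
    return rules


def satisfies_rule(password: str, rule: dict) -> bool:
    low, high = rule["length"]
    if not low <= len(password) <= high:
        return False
    for keyword, positions in rule["content"]:
        accepts = CLASSES[keyword]
        for pos in positions:                        # positions past the end are ignored
            if pos <= len(password) and not accepts(password[pos - 1]):
                return False
    return True


def password_accepted(password: str, rules: Dict[str, dict]) -> Tuple[bool, str]:
    """Accepted if at least one rule is satisfied; returns the first matching rule."""
    for name, rule in rules.items():
        if satisfies_rule(password, rule):
            return True, name
    return False, "no rule satisfied"
```

Running `password_accepted` over a candidate list is a quick way to review what a proposed rule set actually permits before issuing the SETROPTS command.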

Page 52: RACF - The Basics (v1.2)

CONTACTS

Page 53: RACF - The Basics (v1.2)

Contacts.

Phone & email: [email protected], +44 (0)7570 911459

Social Media:
• https://twitter.com/rfeio
• https://www.facebook.com/RuiMiguelFeio
• https://www.linkedin.com/in/rfeio
• https://plus.google.com/+RuiMiguelFeio

Other Presentations: http://www.slideshare.net/rmfeio

Website: http://www.RuiFeio.com