Release 6 of z/OS.e (5655-G52),
and to all subsequent releases
and modifications until otherwise
indicated in new
editions.
IBM welcomes your comments. A form
for readers’ comments may be
provided at the back of this
document, or you
may address your comments to
the following address:
International Business Machines
Corporation
2455 South Road
Poughkeepsie, NY 12601-5400
FAX (Other
Internet e-mail:
[email protected]
World Wide Web:
http://www.ibm.com/servers/eserver/zseries/zos/webqs.html
If you would like a reply, be
sure to include your name, address,
telephone number, or FAX number.
Make sure
v Page number or topic
related to your comment
When you send information to
IBM, you grant IBM a
nonexclusive right to use or
distribute the information in any
way it
US Government Users Restricted Rights
– Use, duplication or disclosure
restricted by GSA ADP Schedule
Contract
with IBM Corp.
Softcopy publications . . . .
. . . . . . . .
. . . . . . . .
. xxiii
RACF courses . . . . .
. . . . . . . .
. . . . . . . .
. . xxiv
IBM systems center publications . .
. . . . . . . .
. . . . . . . .
xxvi
Other sources of information .
. . . . . . . .
. . . . . . . .
. . xxvi
IBM discussion areas . . .
. . . . . . . .
. . . . . . . .
. . xxvi
Summary of changes . . . .
. . . . . . . .
. . . . . . . .
. xxix
Chapter 1. Introduction . .
. . . . . . . .
. . . . . . . .
. . . . 1 How RACF Meets
Security Needs . . . . .
. . . . . . . .
. . . . . 2
User Identification and Verification
. . . . . . . .
. . . . . . . .
. 2 Authorization Checking . . .
. . . . . . . .
. . . . . . . .
. . 3 Logging and Reporting . .
. . . . . . . .
. . . . . . . .
. . . 4
User Accountability . . . . .
. . . . . . . .
. . . . . . . .
. . 5 Flexibility . . . .
. . . . . . . .
. . . . . . . .
. . . . . . 9
RACF Transparency . . . .
. . . . . . . .
. . . . . . . .
. . 10
Characteristics of a Multilevel-Secure
Environment . . . . . .
. . . . . 11 Administering
Security . . . . . . .
. . . . . . . .
. . . . . . .
12
Delegating Administration Tasks . .
. . . . . . . .
. . . . . . . 12
Administering Security When a VM
System Shares the RACF
Database . . . 13
Using RACF Commands or Panels .
. . . . . . . .
. . . . . . .
13
RACF Group and User Structure
. . . . . . . .
. . . . . . . .
. . 15
Defining Users and Groups . .
. . . . . . . .
. . . . . . . .
. 15
Protecting Resources . . . .
. . . . . . . .
. . . . . . . .
. 20
Selecting RACF Options . . .
. . . . . . . .
. . . . . . . .
. 24
The RACROUTE REQUEST=VERIFY, VERIFYX,
AUTH, and DEFINE Exits 24
The RACROUTE REQUEST=LIST Exits .
. . . . . . . .
. . . . . 24 The RACROUTE
REQUEST=FASTAUTH Exits . . .
. . . . . . . .
. 24
The RACF Command Exits . .
. . . . . . . .
. . . . . . . .
. 25 The RACF Password Processing
Exit . . . . . .
. . . . . . . .
. 25
The RACF Password Authentication
Exits . . . . . . .
. . . . . . .
25
Tools for the Security Administrator
. . . . . . . .
. . . . . . . . .
25
Using RACF Utilities . . . .
. . . . . . . .
. . . . . . . .
. . 25
© Copyright
IBM
Corp.
1994,
2005
iii
Listing Information from RACF
Profiles . . . . . .
. . . . . . . . .
29
Searching for RACF Profile Names
. . . . . . . .
. . . . . . . . 31
Using the LIST and SEARCH
Commands Effectively . . . .
. . . . . . 32
Chapter 2. Organizing for RACF
Implementation . . . . . .
. . . . . 35
Ensuring Management Commitment . . .
. . . . . . . .
. . . . . . 35
Defining Security Objectives and
Preparing the Implementation Plan .
. . . . 37
Deciding What to Protect . . .
. . . . . . . .
. . . . . . . .
. . 37
Protecting Existing Data . . .
. . . . . . . .
. . . . . . . .
. 38
Protecting New Data . . . .
. . . . . . . .
. . . . . . . .
. . 38
Establishing Ownership Structures . .
. . . . . . . .
. . . . . . . .
41
Establishing Your RACF Group
Structure . . . . . . .
. . . . . . .
42
Educating the System Users . .
. . . . . . . .
. . . . . . . .
. . 44
Summary . . . . . .
. . . . . . . .
. . . . . . . .
. . . . . 46
Defining RACF Groups . . . .
. . . . . . . .
. . . . . . . .
. . 50
Types of Groups . . . .
. . . . . . . .
. . . . . . . .
. . . 50
Group Naming Conventions . . .
. . . . . . . .
. . . . . . . .
55
Group Ownership and Levels of
Group Authority . . . . .
. . . . . . 56
Summary of Steps for Defining
a RACF Group . . . .
. . . . . . . .
. 59
Summary of Steps for Deleting
Groups . . . . . .
. . . . . . . .
. . 60
Defining Users . . . .
. . . . . . . .
. . . . . . . .
. . . . . 61
User Profiles . . . . .
. . . . . . . .
. . . . . . . .
. . . . 62
Ownership of a RACF User
Profile . . . . . . .
. . . . . . . .
. 73
User Attributes . . . .
. . . . . . . .
. . . . . . . .
. . . . 73
Suggestions for Assigning User
Attributes . . . . . .
. . . . . . . .
84
Verifying User Attributes . . .
. . . . . . . .
. . . . . . . .
. 85
Assigning Security Categories, Levels,
and Labels to Users . .
. . . . . 85
Limiting When a User Can
Access the System . . .
. . . . . . . . .
86
Defining Protected User IDs . .
. . . . . . . .
. . . . . . . .
. 87
Defining Restricted User IDs . .
. . . . . . . .
. . . . . . . .
. 88
Summary of Steps for Defining
Users . . . . . .
. . . . . . . .
. . 89
Summary of Steps for Deleting
Users . . . . . .
. . . . . . . .
. . 91
General Considerations for User ID
Delegation . . . . . .
. . . . . . . 93
Chapter 4. Classifying Users and
Data . . . . . .
. . . . . . . . .
95
Security Classification of Users and
Data . . . . . .
. . . . . . . .
. 95
Effect On RACF Authorization
Checking . . . . . .
. . . . . . . .
96
Understanding Security Levels and
Security Categories . . . .
. . . . . . 97
CATEGORY and SECLEVEL Information in
Profiles . . . . .
. . . . . 98
Converting from LEVEL to SECLEVEL .
. . . . . . . .
. . . . . . 98
Deleting UNKNOWN Categories . . .
. . . . . . . .
. . . . . . 98
Understanding Security Labels . .
. . . . . . . .
. . . . . . . .
. 99
How Users Specify Current Security
Labels . . . . . .
. . . . . . . 101
Listing Security Labels . . .
. . . . . . . .
. . . . . . . .
. 102
Finding Out Which Security Labels
a User Can Use . . .
. . . . . . . 102
Searching by Security Labels . .
. . . . . . . .
. . . . . . . .
102
Restricting Security Label Changes .
. . . . . . . .
. . . . . . . 103
Requiring Security Labels . . .
. . . . . . . .
. . . . . . . .
103
Planning Considerations for Security
Labels . . . . . .
. . . . . . . 104
Chapter 5. Specifying RACF Options
. . . . . . . .
. . . . . . .
107
Using the SETROPTS Command . .
. . . . . . . .
. . . . . . .
108
SETROPTS Options for Initial Setup .
. . . . . . . .
. . . . . . .
109
Establishing Password Syntax Rules
(PASSWORD Option) . . . .
. . . 109
Setting the Maximum Password Change
Interval (PASSWORD Option) 110 Extending
Password and User ID Processing
(PASSWORD Option) . . . .
110
Revoking Unused User IDs (INACTIVE
Option) . . . . . .
. . . . . 111 Activating
List-of-Groups Checking (GRPLIST Option)
. . . . . . . .
. 112
Setting the RVARY Passwords (RVARYPW
Option) . . . . .
. . . . . 113 Restricting the
Creation of General Resource Profiles
(GENERICOWNER
Option) . . . . . .
. . . . . . . .
. . . . . . . .
. . . 114 Activating General
Resource Classes (CLASSACT Option) .
. . . . . . 115
Activating Generic Profile Checking
and Generic Command Processing 116
Activating Statistics Collection (STATISTICS
Option) . . . . .
. . . . . 116
Activating Global Access Checking (GLOBAL
Option) . . . . .
. . . . 118 RACF-Protecting All
Data Sets (PROTECTALL Option) .
. . . . . . . .
119
Activating JES2 or JES3 RACF
Support . . . . . . .
. . . . . . .
120
Preventing Access to Uncataloged Data
Sets (CATDSNS Option) . .
. . . 120 Activating Enhanced
Generic Naming for the DATASET
Class (EGN Option) 121
Controlling Data Set Modeling (MODEL
Option) . . . . .
. . . . . . 122
Bypassing Automatic Data Set
Protection (NOADSP Option) . .
. . . . 122
Displaying and Logging Real Data
Set Names (REALDSN Option) . .
. . 123
Protecting Data Sets with
Single-Qualifier Names (PREFIX Option)
. . . . 123
Activating Tape Data Set Protection
(TAPEDSN Option) . . . .
. . . . 123
Activating Tape Volume Protection
(CLASSACT(TAPEVOL) Option) . . . .
124
Establishing a Security Retention
Period for Tape Data Sets (RETPD
Option) . . . . . . .
. . . . . . . .
. . . . . . . .
. . 124
Establishing National Language Defaults
(LANGUAGE Option) . . . . .
. 126
SETROPTS Options to Activate
In-Storage Profile Processing . . .
. . . . 126
SETROPTS GENLIST Processing . .
. . . . . . . .
. . . . . . 126
SETROPTS RACLIST Processing . .
. . . . . . . .
. . . . . . 128
Refreshing In-Storage Generic Profile
Lists (GENERIC REFRESH Option)
131
Refreshing Global Access Checking
Lists (GLOBAL REFRESH Option)
132
Refreshing Shared Systems (REFRESH
Option) . . . . . . .
. . . . 132
SETROPTS Options for Special
Purposes . . . . . . .
. . . . . . .
132
Protecting Undefined Terminals (TERMINAL
Option) . . . . . .
. . . . 133
Activating the Security Classification
of Users and Data . . .
. . . . . 133
Establishing the Maximum VTAM
Session Interval (SESSIONINTERVAL
Option) . . . . . . .
. . . . . . . .
. . . . . . . .
. . 134
SETROPTS Options Related to Security
Labels . . . . . .
. . . . . . 135
Restricting Changes to Security
Labels (SECLABELCONTROL option) 135
Preventing Changes to Security Labels
(MLSTABLE Option) . . . . .
. 135
Contents v
Quiescing RACF Activity (MLQUIET
Option) . . . . . . .
. . . . . . 136
Preventing the Copying of Data
to a Lower Security Label (SETROPTS
MLS Option) . . . . . .
. . . . . . . .
. . . . . . . .
. 136
Enforcing Multilevel Security (MLACTIVE
Option) . . . . . .
. . . . . 137
Restricting Access to z/OS UNIX
Files and Directories (MLFSOBJ
Option) 139
Restricting Access to Interprocess
Communication Objects (MLIPCOBJ
Option) . . . . . . . .
. . . . . . . .
. . . . . . . .
. 139
Activating Security Labels by System
Image (SECLBYSYSTEM Option) 140
SETROPTS Options for Automatic
Control of Access List Authority .
. . . . 141
Automatic Addition of Creator’s User
ID to Access List . . .
. . . . . . 141
Automatic Omission of Creator’s User
ID from Access List . .
. . . . . 141
Specifying the Encryption Method for
User Passwords . . . .
. . . . . . 142
Using Started Procedures . .
. . . . . . . .
. . . . . . . .
. . 143
Authorizing Access to Resources . .
. . . . . . . .
. . . . . . .
144
Setting Up the STARTED Class .
. . . . . . . .
. . . . . . . .
144
Using the Started Procedures Table
(ICHRIN03) . . . . . .
. . . . . 146
Started Procedure Considerations . .
. . . . . . . .
. . . . . . 147
Chapter 6. Protecting Data Sets on
DASD and Tape . . .
. . . . . . 149
Protecting Data Sets . . . .
. . . . . . . .
. . . . . . . .
. . 150
Controlling the Creation of New
Data Sets . . . . . .
. . . . . . .
153
Data Set Profile Ownership .
. . . . . . . .
. . . . . . . .
. . 155
Data Set Profiles . . . . .
. . . . . . . .
. . . . . . . .
. . 155
Automatic Profile Modeling for Data
Sets . . . . . . .
. . . . . . .
163
Password-Protected Data Sets . . .
. . . . . . . .
. . . . . . 166
Protecting Data Sets That Have
Duplicate Names . . . .
. . . . . . 167
Disallowing Duplicate Names for Data
Set Profiles . . . . .
. . . . . 168
Using the PROTECT Operand or
SECMODEL for Non-VSAM Data Sets
168
Protecting Multivolume Data Sets with
Discrete Profiles . . . .
. . . . 168
Protecting DASD Data Sets . .
. . . . . . . .
. . . . . . . .
. . 169
Access Authorities for DASD Data
Sets . . . . . . .
. . . . . . .
169
Erasing of Scratched (Deleted) DASD
Data Sets . . . . .
. . . . . . 171
Protecting Catalogs . . . . .
. . . . . . . .
. . . . . . . .
. 172
DASD Volume Authority . . .
. . . . . . . .
. . . . . . . .
. . 173
DFDSS-Authorized Storage Administration .
. . . . . . . .
. . . . . 174
Choosing Which Tape-Related Options
to Use . . . . .
. . . . . . . 175
Protecting Existing Data on Tape
(SETROPTS TAPEDSN in Effect) .
. . . 177
Protecting New Data on Tape .
. . . . . . . .
. . . . . . . .
. 178
Security Levels and Security
Categories for Tapes . . .
. . . . . . . 181
Security Labels for Tapes . .
. . . . . . . .
. . . . . . . .
. 181
Tape Volume Profiles That Contain
a TVTOC . . . . . .
. . . . . . 182
Predefining Tape Volume Profiles for
Tape Data Sets . . . .
. . . . . 184
RACF Security Retention Period
Processing (TAPEDSN Must Be Active)
185
Authorization Requirements for Tape Data
Sets When Both TAPEVOL
and
TAPEDSN Are Active . . .
. . . . . . . .
. . . . . . . .
. 187
Authorization Requirements for Tape Data
Sets When TAPEVOL Is
Inactive
and TAPEDSN Is Active . .
. . . . . . . .
. . . . . . . .
. 187
vi z/OS V1R6.0
Authorization Requirements for Tape Data
Sets When TAPEVOL Is
Active
and TAPEDSN Is Inactive . . .
. . . . . . . .
. . . . . . .
188
JCL Changes . . . . . .
. . . . . . . .
. . . . . . . .
. . 188
Password-Protected Tape Data Sets .
. . . . . . . .
. . . . . . 189
Using the PROTECT Parameter for
Tape Data Set or Tape
Volume
Protection . . . . . .
. . . . . . . .
. . . . . . . .
. . 189
RACF Authorization of Bypass Label
Processing (BLP) . . . .
. . . . 190
Authorization Requirements for Labels
. . . . . . . .
. . . . . . . 191
Tape Data Set and Tape Volume
Protection with Nonstandard Labels (NSL)
191
Tape Data Set and Tape Volume
Protection for Nonlabeled (NL) Tapes
191
Chapter 7. Protecting General Resources
. . . . . . .
. . . . . . . 193
Defining Profiles for General
Resources . . . . . . .
. . . . . . . .
195
Summary of Steps for Defining
General Resource Profiles . . .
. . . . 196
Choosing Between Discrete and Generic
Profiles in General Resource
Classes . . . . . . .
. . . . . . . .
. . . . . . . .
. . 198
RACFVARS Profiles . . . .
. . . . . . . .
. . . . . . . .
. 199
Generic Profile Checking of General
Resources . . . . . . .
. . . . 202
Granting Access Authorities . . .
. . . . . . . .
. . . . . . . .
204
How Global Access Checking Works
. . . . . . . .
. . . . . . . 207
Candidates for Global Access Checking
. . . . . . . .
. . . . . . 207
Creating Global Access Checking Table
Entries . . . . . . .
. . . . 207
Stopping Global Access Checking for
a Specific Class . . . .
. . . . . 211 Listing
the Global Access Checking Table .
. . . . . . . .
. . . . 212
Special Considerations for Global
Access Checking . . . .
. . . . . . 212
Field-Level Access Checking . . .
. . . . . . . .
. . . . . . . .
213
Delegating Authority to Profiles in
the FACILITY Class . . . .
. . . . . 219
Providing the Ability to List
User Information . . . . .
. . . . . . . .
219
Providing the Ability to Reset User
Passwords . . . . .
. . . . . . . 220
Creating Resource Group Profiles . .
. . . . . . . .
. . . . . . .
221
Adding a Resource to a Profile
. . . . . . . .
. . . . . . . .
. 223
Deleting a Resource from a
Profile . . . . . .
. . . . . . . .
. . 223
Which Profiles Protect a Particular
Resource? . . . . . .
. . . . . . 223
Resolving Conflicts among Multiple
Profiles . . . . . .
. . . . . . . 224
Considerations for Resource Group
Profiles . . . . . .
. . . . . . . 225
Using RACF Variables in Profile
Names (RACFVARS Class) . . . .
. . . 226
Defining RACF Variables . . .
. . . . . . . .
. . . . . . . .
. 226
Example of Protecting Several Tape
Volumes Using the RACFVARS Class
227
Using RACF Variables . . .
. . . . . . . .
. . . . . . . .
. . 227
Controlling VTAM LU 6.2 Bind .
. . . . . . . .
. . . . . . . .
. . 231
Protecting Applications . . .
. . . . . . . .
. . . . . . . .
. . 233
Protecting File Services Provided by
LFS/ESA . . . . . .
. . . . . . . 234
Protecting Terminals . . . .
. . . . . . . .
. . . . . . . .
. . 235
Contents vii
Limiting Specific Groups of Users
to Specific Terminals . . .
. . . . . 237
Limiting the Times That a
Terminal Can Be Used . .
. . . . . . . .
. 238
Using Security Labels to Control
Terminals . . . . . .
. . . . . . .
238
Using the TSO LOGON Command
with the RECONNECT Operand .
. . . 238
Protecting Consoles . . . . .
. . . . . . . .
. . . . . . . .
. 239
Using the Secured Signon Function
. . . . . . . .
. . . . . . . .
. 240
The RACF PassTicket . . . .
. . . . . . . .
. . . . . . . .
. 241
Defining Profiles in the PTKTDATA
Class . . . . . . .
. . . . . . .
241
When the Profile Definitions Are
Complete . . . . . .
. . . . . . . 247
How RACF Processes the Password
or PassTicket . . . .
. . . . . . 247
Enabling the Use of PassTickets
. . . . . . . .
. . . . . . . .
. 249
Protecting the Vector Facility .
. . . . . . . .
. . . . . . . .
. . 250
Controlling Access to Program Dumps .
. . . . . . . .
. . . . . . .
251
Using RACF to Control Access
to Program Dumps . . . .
. . . . . . 251
Using Non-RACF Methods to Control
Access to Program Dumps . .
. . . 253
Controlling the Allocation of Devices
. . . . . . . .
. . . . . . . .
253
Protecting LLA-Managed Data Sets . .
. . . . . . . .
. . . . . . .
255
Controlling Data Lookaside Facility
(DLF) Objects (Hiperbatch) . . .
. . . . 256
Using RACROUTE REQUEST=LIST,GLOBAL=YES
Support . . . . . . .
259
The RACGLIST Class . . . .
. . . . . . . .
. . . . . . . .
. 259
Controlling the Use of Remote
Sharing Functions . . . . .
. . . . . . .
266
Controlling Access to the RACLINK
Command . . . . . .
. . . . . . 267
Controlling Password Synchronization .
. . . . . . . .
. . . . . . 267
Controlling Automatic Direction . .
. . . . . . . .
. . . . . . .
269
Controlling Message Traffic . .
. . . . . . . .
. . . . . . . .
. . 273
RACF and APPC . . . . .
. . . . . . . .
. . . . . . . .
. . 276
Protection of APPC/MVS Transaction
Programs (TPs) . . . .
. . . . . 277
LU Security Capabilities . .
. . . . . . . .
. . . . . . . .
. . 278
Origin LU Authorization . . .
. . . . . . . .
. . . . . . . .
. 278
RACF and CICS . . . .
. . . . . . . .
. . . . . . . .
. . . . 279
RACF and DB2 . . . . .
. . . . . . . .
. . . . . . . .
. . . 279
RACF and ICSF . . . .
. . . . . . . .
. . . . . . . .
. . . . 279
RACF Support for NDS and Lotus
Notes for z/OS . . . .
. . . . . . .
280
Administering Application User Identities
. . . . . . . .
. . . . . . 280
System Considerations . . . .
. . . . . . . .
. . . . . . . .
281
Considerations for Application User
Names . . . . . . .
. . . . . . 284
Storing encryption keys using the
KEYSMSTR class . . . .
. . . . . . 284
Steps for storing a key in
a KEYSMSTR profile . . . .
. . . . . . .
285
viii z/OS V1R6.0
Chapter 8. Administering the
Dynamic Class Descriptor Table (CDT)
287
Overview of the class descriptor
table . . . . . .
. . . . . . . .
. . 287
Using the dynamic CDT . .
. . . . . . . .
. . . . . . . .
. . . 288
Profiles in the CDT class .
. . . . . . . .
. . . . . . . .
. . . 289
Adding a dynamic class with a
unique POSIT value . . .
. . . . . . . .
290
Steps for adding a dynamic
class with a unique POSIT
value . . . . . .
290
Adding a dynamic class that
shares a POSIT value . . .
. . . . . . . .
291
When a POSIT value is shared .
. . . . . . . .
. . . . . . . .
292
Steps for adding a dynamic
class with a shared POSIT
value . . . . . .
292
Changing a POSIT value for a
dynamic class . . . . .
. . . . . . . .
293
Steps for changing a POSIT
value of an existing dynamic
class . . . . . 293
Guidelines for changing dynamic CDT
entries . . . . . .
. . . . . . . 294
Deleting a class from the
dynamic CDT . . . . .
. . . . . . . .
. . 296
Steps for deleting a dynamic
CDT class . . . . . .
. . . . . . . .
296
Disabling the dynamic CDT . .
. . . . . . . .
. . . . . . . .
. . 298
Re-enabling a previously defined
dynamic class . . . . .
. . . . . . . 298
Steps to re-enable a previously
defined dynamic class . . . .
. . . . . 299
Recommendation for moving to the
dynamic CDT . . . . .
. . . . . . 299
Sysplex considerations for the
dynamic CDT . . . . .
. . . . . . . .
301
Shared system considerations for the
dynamic CDT . . . . .
. . . . . . 301
RRSF considerations for the dynamic
CDT . . . . . . .
. . . . . . .
302
Chapter 9. Protecting Programs . .
. . . . . . . .
. . . . . . .
303
Program security modes . . .
. . . . . . . .
. . . . . . . .
. . 305
Program control by SMFID in BASIC
or ENHANCED mode . . .
. . . . 308
Maintaining a clean environment in
BASIC or ENHANCED mode . .
. . . 309
More complex controls: Using EXECUTE
access for programs or
libraries
(BASIC mode) . . . . .
. . . . . . . .
. . . . . . . .
. . 310
Migrating from BASIC to ENHANCED
program security mode . . . .
. . 311 Protecting program
libraries . . . . . .
. . . . . . . .
. . . . . . 313
Program access to data sets (PADS)
in BASIC mode . . .
. . . . . . 314
Choosing between the PADCHK and
NOPADCHK operands . . . . .
. 318
Program access to SERVAUTH resources
in BASIC or ENHANCED mode 319
ENHANCED program security mode .
. . . . . . . .
. . . . . . . 320
Program access to data sets (PADS)
in ENHANCED mode . . .
. . . . 320
Using EXECUTE access for programs
and libraries in ENHANCED mode
321
When to use MAIN or BASIC
. . . . . . . .
. . . . . . . .
. . 321
Defining programs as MAIN or BASIC
. . . . . . . .
. . . . . . .
323
How protection works for programs
and PADS . . . . . .
. . . . . . .
324
How program control works . .
. . . . . . . .
. . . . . . . . .
324
Informational messages for program
control . . . . . .
. . . . . . . 325
Authorization checking for access
control to load modules . . .
. . . . 325
Authorization checking for access
control to data sets . .
. . . . . . . 326
Processing for execute-controlled libraries
. . . . . . . .
. . . . . . 327
Examples of controlling programs and
using PADS . . . . .
. . . . . . 329
Examples of defining load modules
as controlled programs . . .
. . . . 329
Examples of setting up program
access to data sets . .
. . . . . . . 330
Example of setting up an
execute-controlled library . . .
. . . . . . .
331
Example of setting up program
control by system ID . .
. . . . . . . 331
Chapter 10. Operating Considerations
. . . . . . . .
. . . . . . . 333
Coordinating Profile Updates . . .
. . . . . . . .
. . . . . . . .
333
Getting Started with RACF (after
First Installing RACF) . . .
. . . . . . 335
Logging On as IBMUSER and
Checking Initial Conditions . . .
. . . . 336
Contents ix
Defining Administrator User IDs for
Your Own Use . . . .
. . . . . . 337
Defining at Least One User ID
to Be Used for Emergencies
Only . . . . . 337
Logging on as RACFADM, Checking
Groups and Users, and Revoking
IBMUSER . . . . . . .
. . . . . . . .
. . . . . . . .
. 337
Defining a System-Wide Auditor . .
. . . . . . . .
. . . . . . .
338
Defining Users and Groups . .
. . . . . . . .
. . . . . . . .
. 338
Defining Group Administrators, Group
Auditors, and Data Managers . .
. . 338
Protecting System Data Sets .
. . . . . . . .
. . . . . . . .
. 340
Setting RACF Options . . .
. . . . . . . .
. . . . . . . .
. . 340
JCL Parameters Related to RACF
. . . . . . . .
. . . . . . . .
. 344
Restarting Jobs . . . . . .
. . . . . . . .
. . . . . . . .
. . 345
Authorizing Only RACF-Defined Users
to Access RACF-Protected Resources
346
Using the TSO or ISPF Editor .
. . . . . . . .
. . . . . . . .
. . 347
Service by IBM Personnel . .
. . . . . . . .
. . . . . . . .
. . 347
Failsoft Processing . . . . .
. . . . . . . .
. . . . . . . .
. . 347
Considerations for RACF Databases .
. . . . . . . .
. . . . . . .
348
Backup RACF Database . . .
. . . . . . . .
. . . . . . . . .
349
Sharing Data without Sharing a RACF
Database . . . . .
. . . . . . 350
Number of Resident Data Blocks
. . . . . . . .
. . . . . . . .
. 350
Chapter 11. Working With The
RACF Database . . . . .
. . . . . . 351
Using the RACF Database Unload
Utility (IRRDBU00) . . . .
. . . . . . 352
Diagnosis . . . . . . .
. . . . . . . .
. . . . . . . .
. . 352
Allowable Parameters . . . .
. . . . . . . .
. . . . . . . .
. 355
IRRRID00 Job Control Statements . .
. . . . . . . .
. . . . . . 374
Finding Residual IDs . . .
. . . . . . . .
. . . . . . . .
. . 377
IRRRID00 Output . . . . .
. . . . . . . .
. . . . . . . . .
379
Processing Profiles and Resources .
. . . . . . . .
. . . . . . .
381
What IRRRID00 Verifies . .
. . . . . . . .
. . . . . . . .
. . 382
Processing a Hierarchy of Groups .
. . . . . . . .
. . . . . . .
383
Processing Global Profiles . .
. . . . . . . .
. . . . . . . .
. 383
Processing MEMBER Data . . .
. . . . . . . .
. . . . . . . .
384
Processing Universal Groups . . .
. . . . . . . .
. . . . . . .
384
IRRRID00 and Tivoli . . .
. . . . . . . .
. . . . . . . .
. . 384
Chapter 12. The RACF Remote
Sharing Facility (RRSF) . . .
. . . . . 387
The RRSF Network . . . . .
. . . . . . . .
. . . . . . . .
. . 388
Types of User ID Associations
. . . . . . . .
. . . . . . . .
. . 390
Password Synchronization . . . .
. . . . . . . .
. . . . . . . 391
The RACLINK Command . . .
. . . . . . . .
. . . . . . . . .
392
User ID Associations . . .
. . . . . . . .
. . . . . . . .
. . . 393
Command Direction . . . . .
. . . . . . . .
. . . . . . . .
. . 395
Directing Commands Using the AT
Option . . . . . .
. . . . . . . 396
Directing Commands Using the ONLYAT
Option . . . . . . .
. . . . 399
Automatic Direction . . . . .
. . . . . . . .
. . . . . . . .
. . 399
Output Processing . . . .
. . . . . . . .
. . . . . . . .
. . 403
Synchronization . . . . .
. . . . . . . .
. . . . . . . . .
408
Using Automatic Direction of
Application Updates . . . .
. . . . . . . 413
Using Automatic Password Direction .
. . . . . . . .
. . . . . . . 416
Relationship to User ID Associations
. . . . . . . .
. . . . . . . 416
RRSF Considerations for JES Security
. . . . . . . .
. . . . . . 416
RRSF Considerations for Network
Authentication Service . . . .
. . . . 416
Synchronizing Database Profiles . .
. . . . . . . .
. . . . . . . .
417
RACF Support for DB2 Authorization .
. . . . . . . .
. . . . . . .
421
Configuring the RACF DB2 External
Security Module . . . . .
. . . . . 421
Migrating to the RACF DB2
External Security Module . . .
. . . . . . . 422
RACF Profile Checking . . .
. . . . . . . .
. . . . . . . .
. . 422
Matching Schema Names . . . .
. . . . . . .
. . . . . . . . .
422
Protecting DB2 Objects . . .
. . . . . . . .
. . . . . . . .
. . 423
DROP and ALTER INDEX Privileges
. . . . . . . .
. . . . . . . 432
CREATETMTAB Privilege . . . .
. . . . . . . .
. . . . . . .
432
The XAPLDIAG Output Parameter .
. . . . . . . .
. . . . . . . 433
DB2 Aliases for System-Directed
Access . . . . . . .
. . . . . . .
434
Considerations for Remote and Local
Resources . . . . . . .
. . . . 434
DB2 GRANT commands . . .
. . . . . . . .
. . . . . . . .
. 434
Authority Checking for All Packages
in a Collection . . . .
. . . . . . 434
Contents xi
Administering the RACF External
Security Module . . . .
. . . . . . . 436
Initialization . . . . . . .
. . . . . . . .
. . . . . . . .
. . 436
Authorization processing examples . .
. . . . . . . .
. . . . . . .
439
Example 2: Allowing access (auditing
for all attempts) . . .
. . . . . . 440
Example 3: Denying access . .
. . . . . . . .
. . . . . . . .
. 441
Example 4: Deferring to DB2 .
. . . . . . . .
. . . . . . . .
. 442
Example 5: Allowing access
(multiple-subsystem scope) . . .
. . . . . 443
Example 6: Allowing access
(single-subsystem scope) . . .
. . . . . . 444
Converting DB2 Authorizations to RACF
Profiles . . . . .
. . . . . . . 445
Common Problems and Considerations .
. . . . . . . .
. . . . . . 445
Chapter 14. RACF and DCE . .
. . . . . . . .
. . . . . . . .
. 447
Cross Linking DCE Identities and RACF
User IDs . . . . .
. . . . . . 447
Defining Cross Linking Information .
. . . . . . . .
. . . . . . .
448
The RACF DCEUUIDS Class . .
. . . . . . . .
. . . . . . . .
. 449
Defining Profiles to the RACF
DCEUUIDS Class . . . . .
. . . . . . 449
Activating the DCEUUIDS Class . .
. . . . . . . .
. . . . . . .
449
Administering DCE Information in RACF
. . . . . . . .
. . . . . . .
449
Single Signon Support for DCE .
. . . . . . . .
. . . . . . . .
. 450
Using Encryption with Single Signon .
. . . . . . . .
. . . . . . 451
Chapter 15. RACF and Tivoli
Products . . . . . .
. . . . . . . . .
453
Establishing a RACF Identity for
a Tivoli Administrator . . .
. . . . . . . 453
Listing Profiles in the TMEADMIN
Class . . . . . . .
. . . . . . .
453
Chapter 16. RACF and Information
Management System (IMS) . . .
. . 455
Overview of RACF and IMS . .
. . . . . . . .
. . . . . . . .
. . 455
Controlling Access to IMS System Data
Sets and Databases . . .
. . . . 456
IMS System Generation Considerations .
. . . . . . . .
. . . . . . 457
Establishing Audit Trail Capabilities
. . . . . . . .
. . . . . . . .
. 459
Controlling Access to IMS Control
Regions . . . . . . .
. . . . . . .
461
Controlling Access to IMS
Transactions . . . . .
. . . . . . . .
. . 461
Grouping IMS Transactions under a
Common Profile . . . . .
. . . . 462
Controlling Access to IMS Physical
Terminals . . . . . .
. . . . . . .
463
Authorization to IMS/ESA Control
Region Resources . . . .
. . . . . . 463
Defining Application Group Names for
IMS . . . . . . .
. . . . . . 464
Summary . . . . . . .
. . . . . . . .
. . . . . . . .
. . . 466
Planning for Security . . . .
. . . . . . . .
. . . . . . . .
. . 468
Defining JES as a RACF Started
Procedure . . . . . . .
. . . . . . .
469
Forcing Batch Users to Identify
Themselves to RACF . . . .
. . . . . . 470
Support for Execution Batch Monitor
(XBM) (JES2 Only) . . .
. . . . . . 470
Defining and Grouping Operators .
. . . . . . . .
. . . . . . . .
. 470
JES User ID Early Verification .
. . . . . . . .
. . . . . . . .
. . 471
User ID Propagation When Jobs
Are Submitted . . . . .
. . . . . . . 471
Allowing Surrogate Job Submission .
. . . . . . . .
. . . . . . .
471
Controlling User ID Propagation in
a Local Environment . . . .
. . . . 473
Using Protected User IDs for
Batch Jobs . . . . .
. . . . . . . .
. . 474
Propagating Protected User IDs . .
. . . . . . . .
. . . . . . .
474
Using Protected User IDs for
Surrogate Job Submission . . .
. . . . . 474
xii z/OS V1R6.0
Controlling Access to Data Sets
JES Uses . . . . . .
. . . . . . . .
476
Controlling Input to Your System
. . . . . . . .
. . . . . . . .
. . 477
How RACF Validates Users . .
. . . . . . . .
. . . . . . . . .
477
Controlling the Use of Job
Names . . . . . .
. . . . . . . .
. . 478
Authorizing the Use of Input
Sources . . . . . . .
. . . . . . . .
481
Authorizing Network Jobs and SYSOUT
(NJE) . . . . . .
. . . . . . . 482
Authorizing Inbound Work . . .
. . . . . . . .
. . . . . . . .
483
Authorizing Outbound Work . . .
. . . . . . . .
. . . . . . . .
500
Defining Profiles for SYSIN and
SYSOUT Data Sets . . .
. . . . . . 501
Letting Users Create Their Own
JESSPOOL Profiles . . . . .
. . . . 503
Protecting JESNEWS . . . .
. . . . . . . .
. . . . . . . . .
504
Protecting SYSLOG . . . .
. . . . . . . .
. . . . . . . . .
506 Spool Offload Considerations (JES2
Only) . . . . . .
. . . . . . . 506
How RACF Affects Jobs Dumped
from and Restored to Spool
(JES3 Only) 507
Authorizing Console Access . . .
. . . . . . . .
. . . . . . . .
507
JES3 Consoles . . . . .
. . . . . . . .
. . . . . . . .
. . 510
Controlling Where Output Can Be
Processed . . . . . .
. . . . . . . 510
Authorizing the Use of Your
Installation’s Printers . . .
. . . . . . . . .
511 Authorizing the Use of Operator
Commands . . . . . .
. . . . . . . 512
Commands from RJE Work Stations
. . . . . . . .
. . . . . . . 512
Commands from NJE Nodes . . .
. . . . . . . .
. . . . . . .
512
Who Authorizes Commands When RACF
Is Active . . . . . .
. . . . 513
Chapter 18. RACF and Storage
Management Subsystem (SMS) . .
. . . 515
Overview of RACF and SMS .
. . . . . . . .
. . . . . . . .
. . 515
RACF General Resource Classes for
Protecting SMS Classes . . .
. . . . 515
Controlling the Use of SMS
Classes . . . . . .
. . . . . . . .
. . 516
Refreshing Profiles for SETROPTS RACLIST
Processing for MGMTCLAS
and STORCLAS . . . . .
. . . . . . . .
. . . . . . . .
. 517
DFP Segment in User and Group
Profiles . . . . . .
. . . . . . . 518
DFP Segment in Data Set
Profiles . . . . . .
. . . . . . . .
. . 519
How RACF Uses the Information in
the DFP Segments . . .
. . . . . 520
Controlling Access to the DFP
Segment . . . . . . .
. . . . . . .
520
Controlling the Use of Other
SMS Resources . . . . .
. . . . . . . .
523
Chapter 19. RACF and TSO/E .
. . . . . . . .
. . . . . . . .
. 525
TSO/E Administration Considerations .
. . . . . . . .
. . . . . . . 525
Protecting TSO Resources . . .
. . . . . . . .
. . . . . . . .
. 526
Field-Level Access Checking for TSO .
. . . . . . . .
. . . . . . .
529
Controlling the Use of the TSO
SEND Command . . . . .
. . . . . . . 529
Restricting Spool Access by TSO
Users . .