IBM

z/OS: RACF Administration

Course Code: RACF (Also known as: RACFGB)      Days: 4

Course Overview

This course introduces students to the concepts, terminology, commands, and procedures involved in administering and auditing a RACF-secured system. No previous RACF experience is assumed, and all major aspects of RACF administration and auditing are covered. The course can be run with either online labs (if a suitable environment is available) or paper-based labs (if online access is not available).

Audience

This course will benefit RACF Administrators, RACF Auditors, help desk personnel, and anyone requiring a knowledge of RACF administration principles and practices. It is of particular benefit to those new to RACF administration or auditing.

Skills Gained

After completing the course, delegates will be able to:

  • Identify the need for security in business information systems
  • Understand how RACF meets business information systems security needs
  • Design a group structure to meet their installation's requirements
  • Describe the various ways in which RACF commands can be issued
  • Use the group related commands to administer the group structure
  • Describe the effect of the various group profile related parameters
  • Use the user related commands to administer user profiles
  • Use the various group authorities effectively
  • Explain the management and use of the various non-RACF segments in user profiles
  • Describe the effect of the various user profile related parameters
  • Connect users to groups and manage the assigned group authorities
  • Describe the advantages and disadvantages of both discrete and generic dataset profiles
  • Use the dataset related commands to manage both discrete and generic profiles
  • Specify the appropriate auditing parameters for dataset profiles
  • Provide users with the appropriate access to protected datasets
  • Use the general resource commands to manage general resources
  • Describe how CICS transactions, load modules, secured signon, and the started task table can be protected and controlled
  • Describe how digital certificates, field level access checking, and RACF variables can be protected and controlled
  • Use the search command to locate specified profiles in the database
  • Use and explain the operation of the rvary and setropts management commands
  • Explain how RACF Remote Sharing operates and how its use can be controlled
  • Identify how the operation of RACF changes when running in a parallel sysplex
  • Explain how to control RACF operation in a parallel sysplex
  • Describe how to use the RACF Report Writer product to format and print audit records
  • Identify how to process RACF audit records within a DB2 database
  • Use and interpret the output of the Data Security Monitor
  • Use the database unload utility, cross reference utility, remove id utility, database verification utility, database split/merge/extend utility, and the database block update utility.

Prerequisites

No previous RACF experience is required; however, delegates should be fully familiar with the OS/390 environment.

Course Outline

Introduction

What is RACF?

Why do we need security?

Security in the old days

Security these days

What security do we need?

Where are the dangers?

How can RACF help?

RACF profiles

How RACF operates

The RACF database

Resource Classes

The RACF Manuals

The Manual Library

RACF Security Administrator's Guide

RACF Command Language Reference

BookManager

Planning for Security

The Security Policy

Resource Ownership

Grouping Resources and Users

Document the Plan

The Group Structure

What are Groups?

Why have Groups?

Users and Groups

The Initial Group Structure

The Group Hierarchy

System Special and Group Special

Group Profile Ownership

Group Connections

The RACF Commands

Entering RACF Commands

RACF Commands and the Manuals

Entering RACF Commands in Batch

Online Help

Defining RACF Groups

Group Profile Commands

Basic ADDGROUP

Specifying the Superior Group

Dataset Profile Modelling

RACF Remote Sharing Parameters

Other ADDGROUP Parameters

Non-RACF Segments

Full ADDGROUP Syntax

Full ALTGROUP Syntax

Full LISTGRP Syntax

LISTGRP Output

Full DELGROUP Syntax

Group Command Authority

Defining Users

User Profile Commands

Basic ADDUSER

Specifying the Default Group

Group Authority

Class Authority

Group Access Authority

RACF Remote Sharing Parameters

Dataset Profile Modelling

RACF Authorities

RACF Attributes

Security Levels and Security Categories

Security Level Checking

Security Category Checking

Security Labels

Other ADDUSER Parameters

Non-RACF Segments (CICS)

Non-RACF Segments (DCE)

Non-RACF Segments (DFP, LANGUAGE, OMVS)

Non-RACF Segments (NETVIEW)

Non-RACF Segments (OPERPARM)

Non-RACF Segments (TSO)

Non-RACF Segments (WORKATTR)

Full ADDUSER Syntax

Basic ALTUSER

ALTUSER Only Parameters

Full ALTUSER Syntax

Full LISTUSER Syntax

LISTUSER Output

Full DELUSER Syntax

User Command Authority

Basic PASSWORD

Changing Other Users' Passwords

Full Syntax of PASSWORD

Password Command Authority

Connecting Users to Groups

Connect and Remove Commands

Basic CONNECT

Full CONNECT Syntax

Basic REMOVE

Full REMOVE Syntax

Connect/Remove Command Authority

Dataset Profiles

Dataset Profile Commands

Basic ADDSD

Discrete Dataset Profiles

Discrete Profile Parameters

Generic Dataset Profiles

Generic Wildcard Characters - %

Generic Wildcard Characters - *

Generic Wildcard Characters - **

Specifying Dataset Attributes

Access Levels

Auditing Access Attempts

Profile Copying

RACF Remote Sharing Parameters

Security Level & Category Checking

Other Profile Attributes

Full ADDSD Syntax

Basic ALTDSD

ALTDSD Only Parameters

Full ALTDSD Syntax

Basic LISTDSD

Listing Many Dataset Profiles

Listing Generic or Discrete Profiles

Specifying What to List

Full LISTDSD Syntax

LISTDSD Output

Full DELDSD Syntax

Dataset Command Authority

Basic PERMIT

Conditional Access Lists

Permitting Many Users Access

Removing Users and Groups

Deleting Access Lists

Full PERMIT Syntax

Permit Command Authority

General Resource Profiles

General Resource Profile Commands

Basic RDEFINE

Common RDEFINE Parameters

Adding Additional Profile Information

When the class is DLFCLASS

When the Class is APPCLU

When the Class is PTKTDATA

When the Class is STARTED

When the Class is SYSMVIEW

When the Class is TAPEVOL

When the Class is TERMINAL

Full RDEFINE Syntax

Resource Grouping Classes

Protecting CICS Transactions

Protecting Load Modules

Protecting SDSF

Basic RALTER

RALTER Only Parameters

Full RALTER Syntax

Basic RLIST

Common RLIST Parameters

Listing Non-RACF Segments

Special RLIST Features

Full RLIST Access

RLIST Output

Full RDELETE Syntax

Remember PERMIT?

General Resource Command Authority

Special RACF Features

The Started Task Table

Using ICHRIN03

Using the STARTED Class

The Global Access Checking Table

Using the Global Access Checking Table

RACF Variables

Using the RACFVARS Class

Using RACF Variables

Field Level Access Checking

Using the FIELD Class

FIELD Class Examples

The FACILITY Class

Digital Certificates

Basic RACDCERT

Full RACDCERT Syntax

RACDCERT Command Authority

SEARCH Command Basics

SEARCH Control Parameters

The FILTER & MASK Parameters

FILTER & MASK Examples

The Backup RACF Database

The RACF Database Name Table

The RVARY Command

The SETROPTS Command

Basic SETROPTS

Dataset Related Parameters

General Parameters

In-Storage Profile Parameters

B1 Security Parameters

JES Parameters

Userid & Password Parameters

Auditor Parameters

SETROPTS LIST Example

SETROPTS Command Authority

RACF Remote Sharing Facility

The RACF Remote Sharing Facility

RACF Command Direction

RACF Password Synchronisation

Managed User Associations

Controlling RACLINK Use

Controlling Password Synchronisation

Controlling the AT Keyword

Automatic RACF Command Direction

Controlling Automatic RACF Command Direction

Combined RACF Command Direction

Use of ONLYAT Keyword

Automatic Password Synchronisation

Controlling Automatic Password Synchronisation

Password Synchronisation by Command

Combined RACF Command Direction

Defining RRSF Nodes

The RACF Subsystem & Parameter Library

RACF and Sysplex

Types of Sysplex

Basic Sysplex

Parallel Sysplex

RACF and Sysplex

RACF Communication

RACF Data Sharing

RACF Data Sharing Problems

The Four Sysplex Modes

The RACF Database Name Table

Coupling Facility Structures

Defining Coupling Facility Structures

In-Storage Profiles

RACLISTed profiles via RACROUTE

In-Storage Profiles and Sysplex

Introducing RACGLIST

RACGLIST and REFRESH

Using RACGLIST

Auditing RACF

RACF Auditing

The RACF Report Writer

Basic RACFRW Commands

Full RACFRW Syntax

Full SELECT Syntax

Basic EVENT Syntax

Full EVENT Syntax

Full LIST Syntax

RACFRW Output Example

Full SUMMARY Syntax

RACF/SMF Data Unload Utility

SMF Unload Utility JCL

Using the Unloaded RACF SMF Data

Processing the RACF SMF Data with DB2

The Standard DB2 Tables

The Data Security Monitor

The System & Group Tree Reports

Program Properties & Authorised Caller Table Reports

Class Descriptor Table & RACF Exits Reports

The Global Access Table Report

Started Procedure Table Reports

Selected User Attribute Reports

Selected Data Sets Report

RACF Utility Programs

The Database Unload Utility

The Database Cross Reference Utility

The Database Cross Reference Utility Output

The RACF Remove ID Utility

The Database Verification Utility

Database Verification Utility Output

The Database Split/Merge/Extend Utility

The Database Block-Update Utility Command

4/2003 TC

