
Resource Access Control Facility

What is RACF?
An IBM product
An optional component of the Security Server of z/OS
Controls what you can do on the system
Provides the tools to control access to system resources
Full industry support

System Authorization Facility

What does RACF do?

RACF profiles
Profiles are the information records held in the RACF database:
User profiles
Group profiles
Dataset profiles
Generic resource profiles

RACF basic panel

User profiles
Information about a user id in the RACF database
Contains a base segment (user id, password, owner, default group) and optional segments (TSO, OMVS, CICS, DFP and so on) depending on the type of user being defined

User attributes

System-wide or group-wide:
SPECIAL - ultimate authority over RACF profiles and options
OPERATIONS - full access to all DASD and TAPE datasets
AUDITOR - responsible for auditing purposes

User attributes (contd.)

REVOKE - prevents the user from entering the system
CLAUTH - can define profiles in the specified class
PROTECTED - used for started tasks
WHEN - restricts the days and times at which the user can access the system
NONE - no special privileges

User id related commands

ADDUSER - define a new USERID profile
Example: AU USR001 DFLTGRP(BCPSUPT) OWNER(BCP) PASSWORD(XVCFR11)
ALTUSER - modify a USERID profile
Example: ALU USR001 REVOKE
LISTUSER - list a USERID profile
Example: LU USR001
DELUSER - delete a USERID profile
Example: DU USR001
CONNECT - connect a user id to a group
Example: CO USR001 GROUP(OSADMIN)
REMOVE - remove a user id from a group
Example: RE USR001 GROUP(OSADMIN)

Group profiles
A group is a collection of users
Contains a group id, owner, at least one superior group and any number of subgroups
Approximately 5900 users can be connected to a group
Created to ease the administration work
Provides decentralized control

Group authorities

USE - least authority
CREATE - allows the user to create group datasets and control who can access them
CONNECT - allows the user to connect user ids to the specified group and to assign USE, CREATE or CONNECT authority
JOIN - allows the user to define new users or groups and to assign any group authority

Group id related commands

ADDGROUP - define a new group profile
Example: AG OSADMIN SUPGROUP(SYS1) OWNER(SYSCTL)
ALTGROUP - modify a group profile
Example: ALG OSADMIN OWNER(SYS1)
LISTGROUP - list a group profile
Example: LG OSADMIN
DELGROUP - delete a group profile
Example: DG OSADMIN
CONNECT - connect a user id to a group
Example: CO USR001 GROUP(OSADMIN)
REMOVE - remove a user id from a group
Example: RE USR001 GROUP(OSADMIN)

Dataset profiles

Generic profiles - protect more than one dataset with similar security requirements
Discrete profiles - protect only one dataset that has unique security requirements; deleted when the dataset itself is deleted
Fully qualified generic profiles - not deleted when the dataset is deleted; otherwise similar to discrete profiles

Universal Access Authority (UACC)
The default access given to users and groups not named in the access list:
NONE
READ
UPDATE
CONTROL
ALTER
EXECUTE

Dataset related commands

ADDSD - define a new dataset profile
Example: AD 'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
ALTDSD - modify a dataset profile
Example: ALD 'SYS1.*' UACC(READ)
LISTDSD - list a dataset profile
Example: LD DA('SYS1.*') ALL
DELDSD - delete a dataset profile
Example: DD 'SYS1.*.%LIB'
PERMIT - add, modify or delete user/group access in a dataset profile
Example: PE 'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER)

Generic resource profiles

All resources other than datasets are general resources
General resources are grouped into classes defined in the class descriptor table (CDT)
The CDT contains both IBM-defined and installation-defined classes (DSNR, CICSTRN, MQCONN, MQADMIN, TSOPROC, ...)
A profile contains the class name, resource name, owner, access list and which access attempts (success or failure) have to be logged

Generic resource related commands

RDEFINE - create a resource profile
Example: RDEF FACILITY WIDGETS.ACCESS OWNER(PRODCTL)
RALTER - modify a resource profile
Example: RALT FACILITY WIDGETS.ACCESS UACC(READ)
RLIST - list a resource profile
Example: RL FACILITY WIDGETS.ACCESS ALL
RDELETE - delete a resource profile
Example: RDEL FACILITY WIDGETS.ACCESS
PERMIT - add, modify or delete user/group access in a profile
Example: PE WIDGETS.ACCESS CLASS(FACILITY) ID(USR001)
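As an added example (not code from this presentation or from RACF itself) tying together the dataset and general resource slides above, a small Python model of how RACF resolves an access request: find the most specific profile matching the resource name, then take the user's own access-list entry, a group entry, the OPERATIONS attribute, or UACC, in that order. The generic-naming rules, the profile dictionaries and the users USR001 and OPER01 are assumed simplifications built from the commands shown above.

```python
# Added model of a RACF access check for the DATASET and FACILITY classes shown
# above; not RACF's own code. Assumed simplifications: enhanced generic naming
# ('%' one char, '*' rest of a qualifier, '**' zero or more qualifiers); most
# specific profile wins; user entry > group entry > OPERATIONS (DATASET) > UACC.
import re
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def qual_matches(pattern, qualifier):
    """Match one profile qualifier (may contain % and *) against one name qualifier."""
    regex = "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, qualifier) is not None

def profile_matches(prof_quals, name_quals):
    """Recursive match so that a '**' qualifier can absorb any number of qualifiers."""
    if not prof_quals:
        return not name_quals
    head, rest = prof_quals[0], prof_quals[1:]
    if head == "**":
        return any(profile_matches(rest, name_quals[i:]) for i in range(len(name_quals) + 1))
    return bool(name_quals) and qual_matches(head, name_quals[0]) and profile_matches(rest, name_quals[1:])

def specificity(profile):
    """Lower sorts first: a literal character beats '%', which beats '*'."""
    return [{"%": 1, "*": 2}.get(c, 0) for c in profile]

def check_access(cls, resource, requested, user, profiles):
    """Return (allowed, protecting profile name, effective access level)."""
    hits = [p for p in profiles if p["class"] == cls and profile_matches(p["name"].split("."), resource.split("."))]
    if not hits:                       # unprotected resource: modelled as no access
        return False, None, "NONE"
    best = min(hits, key=lambda p: specificity(p["name"]))
    acl = best["acl"]
    group_levels = [acl[g] for g in user["groups"] if g in acl]
    if user["id"] in acl:
        level = acl[user["id"]]
    elif group_levels:
        level = max(group_levels, key=LEVELS.index)
    elif cls == "DATASET" and "OPERATIONS" in user["attrs"]:
        level = "ALTER"                # OPERATIONS counts only when not on the access list
    else:
        level = best["uacc"]
    return LEVELS.index(level) >= LEVELS.index(requested), best["name"], level
# Constructed sample profiles and users mirroring the ADDSD/ALTDSD/PERMIT/RDEF examples.
PROFILES = [
    {"class": "DATASET", "name": "SYS1.*.MSTRCTLG", "uacc": "NONE", "acl": {}},
    {"class": "DATASET", "name": "SYS1.*", "uacc": "READ", "acl": {}},
    {"class": "DATASET", "name": "SYS1.LPALIB", "uacc": "NONE", "acl": {"BCPSUPT": "ALTER"}},
    {"class": "FACILITY", "name": "WIDGETS.ACCESS", "uacc": "READ", "acl": {"USR001": "READ"}},
]
USR001 = {"id": "USR001", "groups": ["BCPSUPT"], "attrs": []}
OPER01 = {"id": "OPER01", "groups": ["OSADMIN"], "attrs": ["OPERATIONS"]}
```

Note that OPER01 gets ALTER on SYS1.PARMLIB through OPERATIONS but only the UACC of READ on FACILITY WIDGETS.ACCESS, because OPERATIONS does not apply to general resource classes in this model.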

RACF system options

SETROPTS - command used to set system-wide RACF options related to resource protection dynamically
Displays the options currently in effect
Controls password related options
Refreshes in-storage profile lists and global access checking tables
Manages class related options, auditing options and other security related options

Summary of RACF commands

RACF database
All RACF related information is stored in the RACF database
A primary and a secondary database (used as a backup) are in use, for example:

SYS1.RACF.PRIM
SYS1.RACF.BACK

Disaster recovery: the RVARY command switches between the primary and backup databases

RACF utilities
IKJEFT01 - TSO batch program used to run RACF commands against the profiles
IRRADU00 - SMF data unload utility
IRRDBU00 - RACF database unload utility
IRRRID00 - removes references to user IDs and group names that are no longer in the database
IRRUT400 - database merge, split and extend utility program
IRRUT200 - synchronizes the primary and backup RACF data sets
IRRMIN00 - database initialization utility

THANK YOU
