Resource Access Control Facility (RACF) in Mainframes


Resource Access Control Facility

What is RACF?

- An IBM product
- An optional component of the Security Server of z/OS
- Controls what you can do on the system
- Provides the tools to control access to the system resources
- Full industry support

What does RACF do?

- Works through the System Authorization Facility (SAF), the z/OS interface that routes authorization requests from system components to RACF

RACF profiles

- Profiles - information records in the RACF database
- User profiles
- Group profiles
- Dataset profiles
- Generic resource profiles

RACF basic panel

User profiles

- Information about a user id in the RACF database
- Contains a base segment (user id, password, owner, default group) and optional segments (TSO, OMVS, CICS, DFP and so on) depending upon the type of user to be defined

User attributes

System-wide or group-wide:
- SPECIAL - ultimate authority
- OPERATIONS - full access to all the DASD and TAPE datasets
- AUDITOR - responsible for auditing purposes

User attributes (contd.)

- REVOKE - prevents the user from entering the system
- CLAUTH - can define profiles in that class
- PROTECTED - used for started tasks
- WHEN - tells when the user has access
- NONE - no special privileges

User id related commands

- ADDUSER - define a new USERID profile. Example: AU USR001 DFLTGRP(BCPSUPT) OWNER(BCP) PASSWORD(XVCFR11)
- ALTUSER - modify a USERID profile. Example: ALU USR001 REVOKE
- LISTUSER - list a USERID profile. Example: LU USR001
- DELUSER - delete the profile. Example: DU USR001
- CONNECT - connect a user id to a group. Example: CO USR001 GROUP(OSADMIN)
- REMOVE - remove a user id from a group. Example: RE USR001 GROUP(OSADMIN)

Group profiles

- A group is a collection of users
- Contains a group id, an owner, at least one superior group and any number of sub-groups
- Approximately 5900 users can be connected to a group
- Created to ease the administration work
- Provides decentralized control

Group authorities

- USE - least authority
- CREATE - allows the user to create group datasets and control who can access them
- CONNECT - allows the user to connect user ids to the specified group and to assign USE, CREATE or CONNECT authority
- JOIN - define new users or groups and assign group authorities

Group id related commands

- ADDGROUP - define a new group profile. Example: AG OSADMIN SUPGROUP(SYS1) OWNER(SYSCTL)
- ALTGROUP - modify a group profile. Example: ALG OSADMIN OWNER(SYS1)
- LISTGROUP - list a group profile. Example: LG OSADMIN
- DELGROUP - delete a group profile. Example: DG OSADMIN
- CONNECT - connect a user id to a group. Example: CO USR001 GROUP(OSADMIN)
- REMOVE - remove a user id from a group. Example: RE USR001 GROUP(OSADMIN)

Dataset profiles

- Generic profiles - protect more than one dataset with similar security requirements
- Discrete profiles - protect only one dataset that has unique security requirements; deleted when the dataset itself is deleted
- Fully qualified generic profiles - similar to discrete profiles, but not deleted when the dataset is deleted

Universal Access Authority (UACC)

- The default access given to users and groups that are not on a profile's access list
- Access levels: NONE, READ, UPDATE, CONTROL, ALTER, EXECUTE

Dataset related commands

- ADDSD - define a new dataset profile. Example: AD 'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
- ALTDSD - modify a dataset profile. Example: ALD 'SYS1.*' UACC(READ)
- LISTDSD - list a dataset profile. Example: LD DA('SYS1.*') ALL
- DELDSD - delete a dataset profile. Example: DD 'SYS1.*.%LIB'
- PERMIT - add, modify or delete user/group access in a dataset profile. Example: PE 'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER)

Generic resource profiles

- All resources other than datasets are general resources
- Classes are defined in the class descriptor table (CDT)
- The CDT contains both IBM-defined and installation-defined classes (DSNR, CICSTRN, MQCONN, MQADMIN, TSOPROC, ...)
- A profile contains the class name, resource name, owner, access list and which attempts (success or failure) have to be logged

Generic resource related commands

- RDEFINE - create a resource profile. Example: RDEF FACILITY WIDGETS.ACCESS OWNER(PRODCTL)
- RALTER - modify a resource profile. Example: RALT FACILITY WIDGETS.ACCESS UACC(READ)
- RLIST - list a resource profile. Example: RL FACILITY WIDGETS.ACCESS ALL
- RDELETE - delete a resource profile. Example: RDEL FACILITY WIDGETS.ACCESS
- PERMIT - add, modify or delete user/group access in a profile. Example: PE WIDGETS.ACCESS CLASS(FACILITY) ID(USR001)

RACF system options

- SETROPTS - a command used to set system-wide RACF options related to resource protection dynamically
- Displays the options currently in effect
- Controls password related options
- Refreshes in-storage profile lists and global access checking tables
- Manages class related options, auditing options and other security related options
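The command examples from the user, group, dataset, general resource and SETROPTS slides above, gathered into one TSO batch job run under IKJEFT01 (the utility the deck lists later). This is an added example, not from the original deck; it assumes the groups SYS1, SYSCTL, BCP, BCPSUPT and PRODCTL and a dataset profile covering SYS1.LPALIB already exist, that the submitting user holds SPECIAL, and that the JOB card values are placeholders for the installation's own.

```jcl
//RACFADM  JOB (ACCT),'RACF ADMIN',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Runs the deck's RACF commands in TSO batch (added example).
//* ACCT, CLASS and MSGCLASS are placeholders.
//*
//* Order matters: OSADMIN is created before USR001 is connected to it,
//* and the profiles exist before PERMIT adds access-list entries.
//* UACC(NONE) on the new profiles means nobody gets access unless
//* explicitly on the access list; ACCESS(READ) on the FACILITY PERMIT
//* is the default but is written out so the grant is visible in audit.
//* SETROPTS ... REFRESH makes the new generic dataset profile and the
//* RACLISTed FACILITY profile effective without an IPL.
//*
//* Command output and RACF messages go to SYSTSPRT; check it for
//* ICH-prefixed error messages before assuming every step took effect.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP OSADMIN SUPGROUP(SYS1) OWNER(SYSCTL)
  ADDUSER  USR001 DFLTGRP(BCPSUPT) OWNER(BCP) PASSWORD(XVCFR11)
  CONNECT  USR001 GROUP(OSADMIN)
  ADDSD    'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
  PERMIT   'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER)
  RDEFINE  FACILITY WIDGETS.ACCESS OWNER(PRODCTL) UACC(NONE)
  PERMIT   WIDGETS.ACCESS CLASS(FACILITY) ID(USR001) ACCESS(READ)
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
  LISTUSER USR001
  LISTDSD  DA('SYS1.*') ALL
  RLIST    FACILITY WIDGETS.ACCESS ALL
/*
```

The three LIST commands at the end print the resulting profiles so the access lists and UACC values can be verified in SYSTSPRT.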

Summary of RACF commands

RACF database

- All RACF related information is stored in the RACF database
- A primary and a secondary database (used as a backup) are in use:
  ◦ SYS1.RACF.PRIM
  ◦ SYS1.RACF.BACK
- Disaster recovery: the RVARY command (switches between the primary and backup databases)

RACF utilities

- IKJEFT01 - TSO batch program used to run RACF commands against the profiles
- IRRADU00 - SMF data unload utility
- IRRDBU00 - RACF database unload utility
- IRRRID00 - removes references to user IDs and group names (connections) that are no longer in the database
- IRRUT400 - database merge, split and extend utility program
- IRRUT200 - synchronizes the primary and backup RACF data sets
- IRRMIN00 - database initialization utility

Thank you

Aayush Singh, CSE - Mainframes
