Resource Access Control Facility (RACF) in Mainframes
23 slides
Jul 23, 2015
About This Presentation
Security Services in Mainframes platform
What is RACF?
- Resource Access Control Facility (RACF) is an IBM product; it is a component of the z/OS Security Server, an optional, separately priced element of z/OS
- Controls what a user can do on the system
- Provides the tools to control access to system resources
- Widely supported: z/OS subsystems and third-party mainframe products obtain their security decisions from RACF through the System Authorization Facility (SAF)
System Authorization Facility
- SAF is the z/OS interface between resource managers (TSO/E, JES, DFSMS, CICS, DB2, MQ and so on) and the installed external security manager
- A resource manager issues a RACROUTE request; SAF routes it to RACF (or to another security product installed in its place), which returns the allow/deny decision
What does RACF do?
- Identifies and verifies users (user ID plus password, password phrase, or another supported credential)
- Authorizes access to protected resources according to the profiles in its database
- Logs access violations and, where audit options are set, successful accesses, and reports on them (via SMF records)
RACF profiles
- A profile is an information record in the RACF database describing a user, a group, or a resource
- User profiles
- Group profiles
- Data set profiles
- General resource profiles
RACF basic panel
User profiles
- Information about a user ID in the RACF database
- Contains a base segment (user ID, password, owner, default group, attributes) and optional segments (TSO, OMVS, CICS, DFP and so on) depending on the type of user being defined
User attributes
- SPECIAL: full control over all RACF profiles and most SETROPTS options; system-wide SPECIAL is the highest RACF authority
- OPERATIONS: authority to access DASD and tape data sets (and certain general resources) without an access list entry, unless the user or one of the user's groups is explicitly in the access list with less access
- AUDITOR: can list all profiles and set audit options, but cannot change access; responsible for auditing
- SPECIAL, OPERATIONS and AUDITOR can be granted system-wide or group-wide (group-SPECIAL and so on); the group-wide form applies only to profiles within the scope of that group
- REVOKE: prevents the user from entering the system
- CLAUTH(class): class authority; the user can define profiles in that class (CLAUTH(USER) is needed to add users)
- PROTECTED: the user ID cannot log on with a password and cannot be revoked by failed password attempts; used for started tasks and other non-interactive IDs
- WHEN(DAYS(...) TIME(...)): not an attribute but an ADDUSER/ALTUSER operand restricting the days and times at which the user may log on
- NONE: no special privileges
User ID related commands
- ADDUSER (AU): define a new user profile. Example: AU USR001 DFLTGRP(BCPSUPT) OWNER(BCP) PASSWORD(XVCFR11)
  The initial password is set expired, so the user must change it at first logon; ADDUSER also connects the user to the default group. Avoid putting PASSWORD values in batch JCL, since the command text ends up in the job output.
- ALTUSER (ALU): modify a user profile. Example: ALU USR001 REVOKE
- LISTUSER (LU): list a user profile. Example: LU USR001
- DELUSER (DU): delete a user profile. Example: DU USR001
- CONNECT (CO): connect a user ID to a group. Example: CO USR001 GROUP(OSADMIN)
- REMOVE (RE): remove a user ID from a group. Example: RE USR001 GROUP(OSADMIN)
Group profiles
- A group is a collection of users
- Contains a group ID, an owner, exactly one superior group (every group except SYS1, the root of the group tree) and any number of subgroups
- A non-UNIVERSAL group can hold approximately 5,900 user connections; groups defined with the UNIVERSAL attribute lift this limit
- Created to ease administration: permit the group once, then connect and remove users
- Provides decentralized control (group-SPECIAL, CONNECT and JOIN authorities delegate administration of the group)
Group authorities (each level includes the ones below it)
- USE: least authority; the user can enter the system and use the resources to which the group is authorized
- CREATE: can also create group data sets (data sets whose high-level qualifier is the group name) and control who can access them
- CONNECT: can also connect user IDs to the group and assign them USE, CREATE or CONNECT authority
- JOIN: can also define new users (with CLAUTH(USER)) and new subgroups, and assign any group authority including JOIN
Group ID related commands
- ADDGROUP (AG): define a new group profile. Example: AG OSADMIN SUPGROUP(SYS1) OWNER(SYSCTL)
- ALTGROUP (ALG): modify a group profile. Example: ALG OSADMIN OWNER(SYS1)
- LISTGROUP (LG): list a group profile. Example: LG OSADMIN
- DELGROUP (DG): delete a group profile; the group must have no subgroups and no connected users. Example: DG OSADMIN
- CONNECT (CO): connect a user ID to a group. Example: CO USR001 GROUP(OSADMIN)
- REMOVE (RE): remove a user ID from a group. Example: RE USR001 GROUP(OSADMIN)
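The attribute and group-authority slides describe what a reviewer looks for in LISTUSER output: system-wide SPECIAL, OPERATIONS or AUDITOR, class authority (CLAUTH), and CONNECT or JOIN authority in any group. The Python below is an added example, not part of the deck and not IBM code. It parses the general layout of LISTUSER output (USER= in column 1 starts each report; ATTRIBUTES=, CLASS AUTHORIZATIONS= and per-group GROUP= ... AUTH= lines follow) and flags those privileges. The sample report is constructed for the example, not captured from a real system; check the field names against the output of your own release before relying on the regular expressions.

```python
"""Parse LISTUSER output and flag privileged users (added example, not from the deck)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the general layout of LISTUSER output (not captured from a
# real system): an ordinary support ID and a systems programmer ID.
SAMPLE_LISTUSER = """\
USER=USR001  NAME=APPLICATION SUPPORT  OWNER=BCP       CREATED=15.204
 DEFAULT-GROUP=BCPSUPT  PASSDATE=15.204 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=15.204/09:12:41
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALL-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 ---------------------------------------------
 WEEKDAYS                        0800:1800
  GROUP=BCPSUPT   AUTH=USE       CONNECT-OWNER=BCP       CONNECT-DATE=15.204
    CONNECTS=   03  UACC=NONE     LAST-CONNECT=15.204/09:12:41
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=OSADMIN   AUTH=CONNECT   CONNECT-OWNER=SYSCTL    CONNECT-DATE=15.204
    CONNECTS=   00  UACC=NONE     LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
USER=SYSPRG1  NAME=SYSTEMS PROGRAMMER  OWNER=SYS1      CREATED=12.010
 DEFAULT-GROUP=SYS1     PASSDATE=15.100 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=15.203/17:45:02
 CLASS AUTHORIZATIONS=USER
 NO-INSTALL-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 ---------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=SYS1      AUTH=JOIN      CONNECT-OWNER=SYS1      CONNECT-DATE=12.010
    CONNECTS=  812  UACC=NONE     LAST-CONNECT=15.203/17:45:02
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
"""

SYSTEM_ATTRS = ("SPECIAL", "OPERATIONS", "AUDITOR")


@dataclass
class RacfUser:
    userid: str
    owner: str
    default_group: str
    attributes: list = field(default_factory=list)  # base-segment attributes
    class_auth: list = field(default_factory=list)  # CLAUTH classes
    connects: dict = field(default_factory=dict)    # group -> group authority


def parse_listuser(text):
    """Split LISTUSER output into one RacfUser per USER= report."""
    users = []
    # Each report starts with USER= in column 1; every other line is indented.
    for block in re.split(r"(?m)^(?=USER=)", text):
        if not block.strip():
            continue
        userid = re.search(r"^USER=(\S+)", block).group(1)
        owner = re.search(r"\sOWNER=(\S+)", block).group(1)  # skips CONNECT-OWNER=
        dfltgrp = re.search(r"DEFAULT-GROUP=(\S+)", block).group(1)
        # The user's own ATTRIBUTES= line; "CONNECT ATTRIBUTES=" lines do not match.
        attrs = re.search(r"(?m)^[ \t]*ATTRIBUTES=(.*)$", block).group(1).split()
        clauth = re.search(r"(?m)CLASS AUTHORIZATIONS=(.*)$", block).group(1).split()
        connects = dict(re.findall(r"GROUP=(\S+)\s+AUTH=(\S+)", block))
        users.append(RacfUser(userid, owner, dfltgrp,
                              [] if attrs == ["NONE"] else attrs,
                              [] if clauth == ["NONE"] else clauth,
                              connects))
    return users


def review_privileges(user):
    """Privilege findings for one user; an empty list means nothing notable."""
    findings = [f"system-wide {a}" for a in SYSTEM_ATTRS if a in user.attributes]
    if user.class_auth:
        findings.append("CLAUTH " + ",".join(user.class_auth))
    # CONNECT lets the holder add members to the group; JOIN also defines users/subgroups.
    for group, auth in user.connects.items():
        if auth in ("CONNECT", "JOIN"):
            findings.append(f"{auth} authority in group {group}")
    return findings


def privileged_users(text):
    """Map user ID -> findings for every user in the report that has any."""
    result = {}
    for user in parse_listuser(text):
        findings = review_privileges(user)
        if findings:
            result[user.userid] = findings
    return result


if __name__ == "__main__":
    for userid, findings in privileged_users(SAMPLE_LISTUSER).items():
        print(userid, "->", "; ".join(findings))
```

Run it against the saved output of LU with a list of user IDs (or of IRRDBU00-driven LISTUSER jobs) to produce a privileged-ID inventory; group-SPECIAL and other connect attributes would be picked up by extending the regular expressions to the CONNECT ATTRIBUTES= lines.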
Data set profiles
- Discrete profile: protects one data set with unique security requirements; its name is the data set name, and it is deleted when the data set itself is deleted
- Generic profile: protects more than one data set with similar security requirements, using the generic characters * (a whole qualifier, or trailing characters within a qualifier), ** (zero or more qualifiers, with enhanced generic naming) and % (one character)
- Fully qualified generic profile: has no generic characters in its name but is defined as generic (ADDSD ... GENERIC); matches like a discrete profile but is not deleted when the data set is deleted
- When several profiles match a data set name, RACF uses the most specific one: a discrete profile first, otherwise the generic profile whose name is the closest match
Universal Access Authority (UACC)
- The access granted to users who are not covered by an entry in the access list; the authorities, lowest to highest, each including the ones below it:
- NONE: no access
- EXECUTE: run programs from a load library without being able to read or copy them
- READ: read and copy the data set
- UPDATE: read and write the data set
- CONTROL: for VSAM, control-interval access; for non-VSAM data sets, equivalent to UPDATE
- ALTER: full control, including renaming and deleting the data set; on a discrete profile, ALTER also allows changing the profile itself
- A UACC above NONE on a sensitive data set is an open door to every user on the system; define such profiles with UACC(NONE) and grant access through PERMIT
Data set related commands
- ADDSD (AD): define a new data set profile. Example: AD 'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
- ALTDSD (ALD): modify a data set profile. Example: ALD 'SYS1.*' UACC(READ)
- LISTDSD (LD): list a data set profile. Example: LD DA('SYS1.*') ALL
- DELDSD (DD): delete a data set profile. Example: DD 'SYS1.*.%LIB'
- PERMIT (PE): add, modify or delete user/group access in a data set profile. Example: PE 'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER); an entry is removed with PE 'SYS1.LPALIB' ID(BCPSUPT) DELETE
- Generic data set profiles require SETROPTS GENERIC(DATASET) to be active, and changes to them take effect for in-storage copies only after SETROPTS GENERIC(DATASET) REFRESH
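The data set profile, UACC and PERMIT slides together define how RACF decides a data set access request. The Python below is an added example, not part of the deck and not RACF code: it models the documented rules for profile selection (a discrete profile first, otherwise the most specific matching generic, with enhanced generic naming assumed so that ** spans qualifiers and * is one qualifier) and for access resolution (an explicit user entry wins even when it is NONE, then the highest group entry with list-of-groups checking, then the OPERATIONS attribute, then an ID(*) entry, then UACC; a profile in WARNING mode lets an insufficient request through but would be logged). The profiles, users and data set names are constructed from the deck's command examples. Global access checking, conditional access lists, security labels and the RESTRICTED attribute are deliberately left out of the model.

```python
"""Simplified model of RACF data set authorization (added example, not RACF code)."""
import re
from dataclasses import dataclass, field

# Access authorities from the UACC slide, lowest to highest; each includes the lower ones.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass
class DatasetProfile:
    name: str                     # 'SYS1.LPALIB' (discrete) or 'SYS1.*.MSTRCTLG' (generic)
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # ID -> authority from PERMIT; "*" = ID(*)
    warning: bool = False         # WARNING mode: insufficient access is allowed but logged

    def is_generic(self):
        return any(c in self.name for c in "*%")


@dataclass
class User:
    userid: str
    groups: tuple                 # all connect groups (list-of-groups checking assumed active)
    operations: bool = False      # OPERATIONS attribute


def _qualifier_regex(q):
    # Within one qualifier: % matches exactly one character, * matches zero or more.
    return "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in q)


def _match(pq, dq):
    if not pq:
        return not dq
    head, rest = pq[0], pq[1:]
    if head == "**":              # enhanced generic naming: zero or more qualifiers
        return any(_match(rest, dq[i:]) for i in range(len(dq) + 1))
    return bool(dq) and re.fullmatch(_qualifier_regex(head), dq[0]) is not None \
        and _match(rest, dq[1:])


def profile_matches(pattern, dsname):
    return _match(pattern.split("."), dsname.split("."))


def _specificity(name):
    # RACF compares names character by character: a literal beats %, % beats *, * beats **.
    key = []
    for q in name.split("."):
        key.extend(0 if q == "**" else {"*": 1, "%": 2}.get(c, 3) for c in q)
        key.append(3)             # the '.' separator counts as a literal
    return tuple(key)


def select_profile(profiles, dsname):
    """Discrete profile if one exists, otherwise the most specific matching generic."""
    matches = [p for p in profiles if profile_matches(p.name, dsname)]
    discrete = [p for p in matches if not p.is_generic()]
    if discrete:
        return discrete[0]
    return max(matches, key=lambda p: _specificity(p.name), default=None)


def resolve_access(profile, user):
    """Authority RACF resolves for user on profile, and the rule that supplied it."""
    acl = profile.access_list
    if user.userid in acl:        # an explicit user entry wins, even if it is NONE
        return acl[user.userid], "user entry"
    group_hits = [acl[g] for g in user.groups if g in acl]
    if group_hits:                # highest authority among the user's groups in the list
        return max(group_hits, key=RANK.__getitem__), "group entry"
    if user.operations:           # OPERATIONS counts only when no user/group entry exists
        return "ALTER", "OPERATIONS"
    if "*" in acl:
        return acl["*"], "ID(*) entry"
    return profile.uacc, "UACC"


def check_access(profiles, dsname, user, requested):
    """Return (decision, profile name); decision is ALLOWED, DENIED, WARNING or NO PROFILE."""
    profile = select_profile(profiles, dsname)
    if profile is None:           # unprotected unless SETROPTS PROTECTALL(FAILURES) is active
        return "NO PROFILE", None
    granted, _rule = resolve_access(profile, user)
    if RANK[granted] >= RANK[requested]:
        return "ALLOWED", profile.name
    return ("WARNING" if profile.warning else "DENIED"), profile.name


# Constructed profiles and users following the deck's ADDSD/PERMIT examples.
PROFILES = [
    DatasetProfile("SYS1.**", uacc="READ"),
    DatasetProfile("SYS1.*.MSTRCTLG", access_list={"BCPSUPT": "UPDATE", "USR002": "NONE"}),
    DatasetProfile("SYS1.LPALIB", access_list={"BCPSUPT": "ALTER", "*": "READ"}),
    DatasetProfile("TEST.**", warning=True),
]
USR001 = User("USR001", ("BCPSUPT", "OSADMIN"))
USR002 = User("USR002", ("BCPSUPT",))
USR003 = User("USR003", ("TEST",))
OPER01 = User("OPER01", ("OPS",), operations=True)

if __name__ == "__main__":
    for who, ds, req in [(USR001, "SYS1.PROD.MSTRCTLG", "UPDATE"),
                         (USR002, "SYS1.PROD.MSTRCTLG", "READ"),
                         (USR003, "SYS1.PROD.MSTRCTLG", "READ")]:
        print(who.userid, ds, req, "->", check_access(PROFILES, ds, who, req))
```

Two points the model makes visible: USR002 is denied READ on SYS1.PROD.MSTRCTLG because its explicit ACCESS(NONE) entry overrides the UPDATE its group holds, and USR003 is denied READ on the same data set although SYS1.** carries UACC(READ), because only the single best-matching profile is consulted.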
General resource profiles
- All resources other than data sets are general resources (terminals, programs, DB2 objects, MQ queues, z/OS UNIX services and so on)
- General resources are grouped into classes defined in the class descriptor table (CDT); the CDT contains both IBM-supplied classes (DSNR, CICSTRN, MQCONN, MQADMIN, TSOPROC, FACILITY, ...) and installation-defined classes
- A profile contains the class name, the resource name (or a generic pattern), the owner, the UACC, the access list, and the audit options specifying which attempts (successes or failures) are to be logged
- RACF enforces a class's profiles only while the class is active (SETROPTS CLASSACT)
General resource related commands
- RDEFINE (RDEF): create a resource profile. Example: RDEF FACILITY WIDGETS.ACCESS OWNER(PRODCTL)
- RALTER (RALT): modify a resource profile. Example: RALT FACILITY WIDGETS.ACCESS UACC(READ)
- RLIST (RL): list a resource profile. Example: RL FACILITY WIDGETS.ACCESS ALL
- RDELETE (RDEL): delete a resource profile. Example: RDEL FACILITY WIDGETS.ACCESS
- PERMIT (PE): add, modify or delete user/group access in a profile. Example: PE WIDGETS.ACCESS CLASS(FACILITY) ID(USR001) ACCESS(READ); when ACCESS is omitted, READ is the default
- If the class is RACLISTed (its profiles are held in storage), changes take effect only after SETROPTS RACLIST(FACILITY) REFRESH
RACF system options
- SETROPTS sets system-wide RACF options dynamically; most operands require the SPECIAL attribute, and the audit-related ones require AUDITOR
- SETROPTS LIST displays the options currently in effect
- Controls password-related options (PASSWORD with INTERVAL, HISTORY, REVOKE, RULEn and others)
- Refreshes in-storage profile lists and the global access checking table (RACLIST, GENERIC and GLOBAL with REFRESH)
- Manages class-related options (CLASSACT, GENERIC, RACLIST), auditing options (AUDIT, LOGOPTIONS, SAUDIT, OPERAUDIT) and other security options (PROTECTALL, ERASE, ...)
Summary of RACF commands
RACF database
- All RACF profiles and options are stored in the RACF database
- A primary and a backup database are normally in use; the names are installation-chosen, for example SYS1.RACF.PRIM and SYS1.RACF.BACK
- The backup supports disaster recovery: RVARY SWITCH makes the backup the primary, and RVARY ACTIVE/INACTIVE activate or deactivate a data set (the operator must approve each RVARY with the RVARY password)
RACF utilities
- IKJEFT01: the TSO/E terminal monitor program, used to run RACF commands against the profiles from batch JCL (not itself a RACF utility)
- IRRADU00: SMF data unload utility; converts RACF SMF records into flat records for reporting
- IRRDBU00: RACF database unload utility
- IRRRID00: removes references to user IDs and group names that are no longer defined in the database, generating the cleanup commands from IRRDBU00 output
- IRRUT400: database merge, split, extend and copy utility
- IRRUT200: copies the RACF database (for example to refresh the backup) and verifies its integrity
- IRRMIN00: database initialization and template update utility