racf ppt.pptx

Resource Access Control Facility

Post on 25-Sep-2015

What is RACF?
- An IBM product
- An optional component of the Security Server of z/OS
- Controls what you can do on the system
- Provides the tools to control access to the system resources
- Full industry support

What does RACF do?
- System Authorization Facility
- Profiles: information records in the RACF database

RACF profiles
- User profiles
- Group profiles
- Dataset profiles
- Generic resource profiles

User profiles
- RACF basic panel
- Information about a user ID in the RACF database
- Contains a base segment (user ID, password, owner, default group) and optional segments (TSO, OMVS, CICS, DFP and so on), depending on the type of user being defined

User attributes
- System-wide or group-wide
- SPECIAL: ultimate authority
- OPERATIONS: full access to all the DASD and TAPE datasets
- AUDITOR: responsible for auditing purposes

User attributes (contd.)
- REVOKE: prevents the user from entering the system
- CLAUTH: can define profiles in that class
- PROTECTED: used for started tasks
- WHEN: tells when the user has access
- NONE: no special privileges

User id related commands
- ADDUSER - define a new USERID profile. Example: AU USR001 DFLTGRP(BCPSUPT) OWNER(BCP) PASSWORD(XVCFR11)
- ALTUSER - modify a USERID profile. Example: ALU USR001 REVOKE
- LISTUSER - list a USERID profile. Example: LU USR001
- DELUSER - delete the profile. Example: DU USR001
- CONNECT - connect a user id to a group. Example: CO USR001 GROUP(OSADMIN)
- REMOVE - remove a user id from a group. Example: RE USR001 GROUP(OSADMIN)

Group profiles
- A group is a collection of users
- Contains a group id, an owner, at least one superior group and any number of sub groups
- Approximately 5900 users can be connected to a group
- Created to ease the administration work
- Provides decentralized control

Group authorities
- USE: least authority
- CREATE: allows creating group datasets and controlling who can access them
- CONNECT: allows the user to connect user ids to the specified group and to assign USE, CREATE or CONNECT authority
- JOIN: define new users or groups and assign group authorities

Group id related commands

- ADDGROUP - define a new group profile. Example: AG OSADMIN SUPGROUP(SYS1) OWNER(SYSCTL)
- ALTGROUP - modify a group profile. Example: ALG OSADMIN OWNER(SYS1)
- LISTGROUP - list a group profile. Example: LG OSADMIN
- DELGROUP - delete a group profile. Example: DG OSADMIN
- CONNECT - connect a user id to a group. Example: CO USR001 GROUP(OSADMIN)
- REMOVE - remove a user id from a group. Example: RE USR001 GROUP(OSADMIN)

Dataset profiles
- Generic profiles - protect more than one dataset with similar security requirements
- Discrete profiles - protect only one dataset that has unique security requirements; deleted when the dataset itself is deleted
- Fully qualified generic profiles - not deleted when the dataset is deleted; otherwise similar to discrete profiles

Universal Access Authority (UACC)
- NONE
- READ
- UPDATE
- CONTROL
- ALTER
- EXECUTE

Dataset related commands

- ADDSD - define a new dataset profile. Example: AD 'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
- ALTDSD - modify a dataset profile. Example: ALD 'SYS1.*' UACC(READ)
- LISTDSD - list a dataset profile. Example: LD DA('SYS1.*') ALL
- DELDSD - delete a dataset profile. Example: DD 'SYS1.*.%LIB'
- PERMIT - add, modify or delete user/group access in a dataset profile. Example: PE 'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER)
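The user, group and dataset commands above only make sense together with the check RACF performs when a user opens a dataset: find the most specific profile, then decide from the access list, the user's attributes and the UACC. The following is an added example written for this page, not IBM code and not part of the original slides. It models an in-memory RACF database whose methods mirror AU, ALU, CO, RE, AD, ALD and PE, replays the slide's sample commands on constructed data, and shows three points an administrator should know: an explicit access-list entry for a user wins over everything (including an entry of NONE against an OPERATIONS user), SPECIAL administers RACF but grants no dataset access, and a generic profile such as SYS1.*.MSTRCTLG is chosen over the broader SYS1.** when both match. The generic-matching rules and the most-specific-profile ranking are simplified (assumed for the example; the real rules under enhanced generic naming have more cases), and SETROPTS PROTECTALL is not modeled.

```python
import re
from dataclasses import dataclass, field

# Access levels in increasing order; EXECUTE sits below READ (program load only).
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(access):
    return LEVELS.index(access)


@dataclass
class DatasetProfile:
    name: str
    owner: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # ID (user or group) -> access level

    @property
    def generic(self):
        return any(c in self.name for c in "*%")


def matches(profile_name, dsn):
    """Simplified generic matching (assumption for this example): % = exactly one
    character, * = zero or more characters within one qualifier, and ** as a whole
    qualifier = zero or more qualifiers."""
    regex = ""
    for q in profile_name.split("."):
        if q == "**":
            regex += r"(?:[^.]+\.)*"
        else:
            regex += "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                             for c in q) + r"\."
    return re.fullmatch(regex, dsn + ".") is not None


class RacfDb:
    """In-memory stand-in for the RACF database; method names mirror the TSO commands."""

    def __init__(self, grplist=True):
        self.users = {}          # userid -> {"dfltgrp", "attrs", "groups"}
        self.profiles = {}       # profile name -> DatasetProfile
        self.grplist = grplist   # SETROPTS GRPLIST: check every connect group, not only the current one

    def adduser(self, userid, dfltgrp, attrs=()):                     # AU
        self.users[userid] = {"dfltgrp": dfltgrp, "attrs": set(attrs), "groups": {dfltgrp}}

    def altuser(self, userid, add=(), drop=()):                        # ALU
        self.users[userid]["attrs"] = (self.users[userid]["attrs"] | set(add)) - set(drop)

    def connect(self, userid, group):                                   # CO
        self.users[userid]["groups"].add(group)

    def remove(self, userid, group):                                    # RE
        self.users[userid]["groups"].discard(group)

    def addsd(self, name, owner, uacc="NONE"):                          # AD
        self.profiles[name] = DatasetProfile(name, owner, uacc)

    def altdsd(self, name, uacc):                                       # ALD
        self.profiles[name].uacc = uacc

    def permit(self, name, id_, access=None, delete=False):             # PE ... / PE ... DELETE
        if delete:
            self.profiles[name].acl.pop(id_, None)
        else:
            self.profiles[name].acl[id_] = access

    def find_profile(self, dsn):
        """Discrete profile first; otherwise the matching generic profile with the most
        literal characters (an approximation of the most-specific-profile rule)."""
        p = self.profiles.get(dsn)
        if p is not None and not p.generic:
            return p
        candidates = [p for p in self.profiles.values() if p.generic and matches(p.name, dsn)]
        return max(candidates, key=lambda p: sum(c not in "*%" for c in p.name), default=None)

    def check(self, userid, dsn, requested):
        """Return (decision, reason). Order modeled here: REVOKE, user ACL entry,
        group ACL entries, OPERATIONS, ID(*) entry, UACC."""
        u = self.users.get(userid)
        if u is None or "REVOKE" in u["attrs"]:
            return "DENY", "user is not defined or is REVOKEd"
        p = self.find_profile(dsn)
        if p is None:
            return "ALLOW", "no profile covers the data set (PROTECTALL not modeled)"
        if userid in p.acl:                       # an explicit entry for the user always wins
            granted, src = p.acl[userid], f"ACL entry ID({userid})"
        else:
            groups = u["groups"] if self.grplist else {u["dfltgrp"]}
            hits = [p.acl[g] for g in groups if g in p.acl]
            if hits:
                granted, src = max(hits, key=level), "highest group ACL entry"
            elif "OPERATIONS" in u["attrs"]:
                return "ALLOW", f"OPERATIONS attribute, no ACL entry on {p.name} restricts it"
            elif "*" in p.acl:
                granted, src = p.acl["*"], "ID(*) entry"
            else:
                granted, src = p.uacc, "UACC"
        decision = "ALLOW" if level(granted) >= level(requested) else "DENY"
        return decision, f"{src} on {p.name} gives {granted}"


def demo():
    """Replays the slide's example commands on constructed data and returns the decisions."""
    db = RacfDb()
    db.adduser("USR001", "BCPSUPT")                    # AU USR001 DFLTGRP(BCPSUPT) OWNER(BCP) ...
    db.adduser("OPER01", "SYS1", attrs={"OPERATIONS"})  # constructed operations user
    db.adduser("ADMIN1", "SYS1", attrs={"SPECIAL"})     # SPECIAL administers RACF, grants no data access
    db.connect("USR001", "OSADMIN")                     # CO USR001 GROUP(OSADMIN)
    db.addsd("SYS1.**", "SYS1", uacc="READ")            # broad generic, constructed
    db.addsd("SYS1.*.MSTRCTLG", "SYS1", uacc="NONE")    # AD 'SYS1.*.MSTRCTLG' UACC(NONE) OWNER(SYS1)
    db.addsd("SYS1.LPALIB", "SYS1", uacc="READ")        # discrete profile, constructed
    db.permit("SYS1.LPALIB", "BCPSUPT", "ALTER")        # PE 'SYS1.LPALIB' ID(BCPSUPT) ACCESS(ALTER)
    db.permit("SYS1.**", "OPER01", "NONE")              # explicit NONE restricts even OPERATIONS
    return {
        "usr001_lpalib_alter": db.check("USR001", "SYS1.LPALIB", "ALTER")[0],
        "usr001_parmlib_read": db.check("USR001", "SYS1.PARMLIB", "READ")[0],
        "usr001_mcat_read": db.check("USR001", "SYS1.PROD.MSTRCTLG", "READ")[0],
        "oper01_mcat_alter": db.check("OPER01", "SYS1.PROD.MSTRCTLG", "ALTER")[0],
        "oper01_parmlib_read": db.check("OPER01", "SYS1.PARMLIB", "READ")[0],
        "admin1_mcat_read": db.check("ADMIN1", "SYS1.PROD.MSTRCTLG", "READ")[0],
    }
```

Running `demo()` shows USR001 reaching ALTER on SYS1.LPALIB only through the BCPSUPT group entry, being denied READ on the master catalog because the narrower SYS1.*.MSTRCTLG profile (UACC NONE) is selected instead of SYS1.**, and OPER01 being denied on SYS1.PARMLIB despite OPERATIONS because of the explicit NONE entry. The same decision order applies to general resource classes, only the generic-matching rules differ per class.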

Generic resource profiles
- All resources other than datasets are general resources
- Classes are defined in the class descriptor table (CDT)
- The CDT contains both IBM-defined and installation-defined classes (DSNR, CICSTRN, MQCONN, MQADMIN, TSOPROC, ...)
- A profile contains the class name, resource name, owner, access list and which attempts (success or failure) have to be logged

Generic resource related commands
- RDEFINE - create a resource profile. Example: RDEF FACILITY WIDGETS.ACCESS OWNER(PRODCTL)
- RALTER - modify a resource profile. Example: RALT FACILITY WIDGETS.ACCESS UACC(READ)
- RLIST - list a resource profile. Example: RL FACILITY WIDGETS.ACCESS ALL
- RDELETE - delete a resource profile. Example: RDEL FACILITY WIDGETS.ACCESS
- PERMIT - add, modify or delete user/group access in a profile. Example: PE WIDGETS.ACCESS CLASS(FACILITY) ID(USR001)

RACF system options
- SETROPTS: a command used to set system-wide RACF options related to resource protection dynamically
- Displays the options currently in effect
- Controls password related options
- Refreshes in-storage profile lists and global access checking tables
- Manages class related options, auditing options and other security related options

Summary of RACF commands

RACF database
- All the RACF related information is stored here
- A primary and a secondary database (used as a backup) are in use: SYS1.RACF.PRIM and SYS1.RACF.BACK
- Disaster recovery: RVARY command

- IKJEFT01 - to work with the profiles
- IRRADU00 - SMF data unload utility
- IRRDBU00 - RACF database unload utility
- IRRRID00 - removes references to user IDs and group names in connections that are no longer in the database
- IRRUT400 - database merge, split and extend utility program
- IRRUT200 - synchronizes the primary and backup RACF data sets
- IRRMIN00 - database initialization utility