TRANSCRIPT
SECURITY & COMPLIANCE CONFERENCE 2016
RACF and Data Set
Protection
John Hilman
Vanguard Professional Services
BAS5 & BAS6
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
©2016 Vanguard Integrity Professionals, Inc. 2
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• Types of MVS™ Data Sets
• Categories of RACF® Dataset Profiles
• Dataset Profile Naming Conventions
• Accessing Data Sets – Access Levels
– Access Lists
– Authorization Checking
• Auditing Data Sets
• RACF Commands for Data Set Protection
• Using Vanguard Administrator™ to Administer Datasets
What is a Data Set?
• To make a data set we:
  – group characters together to form a field
  – group fields together to collect information to form a record
  – place records together, which results in a file
• IBM designers coined the term "data set":
  – synonymous with file
  – stored on DASD (Direct Access Storage Device)
(Figure: a DASD volume labelled VOL123.)
A Single Record Contains Fields
Field:    customer name    bank account number    type of bank account    balance
Record:   Smith, Jane      026548791              Checking                $ 3,824
Multiple Records Make up a Data Set
customer name    bank account number    type of bank account    balance
Arnold, Ben      036589294              Checking Account        $ 12,139
Black, Sally     029639211              Checking Account        $  8,146
Mason, Bob       028538692              Checking Account        $  9,632
Smith, Jane      026548791              Checking Account        $  3,824
These four records together form one data set.
Data Set Name Characteristics
• Length
  – maximum 44 characters
• Made up of qualifiers
  – 1 to 8 characters per qualifier
  – qualifiers cannot start with a numeric or hyphen (-)
• High-level qualifier (HLQ) equal to a RACF-defined user ID or group ID
Example: VANGUARD.PRODUCT.MONTHLY.REPORT.FILE (qualifiers VANGUARD, PRODUCT, MONTHLY, REPORT and FILE; the period is the qualifier separator)
The Catalog Process
(Figure: the master catalog holds alias entries for the high-level qualifiers BILL, PAY, PROD, VANGUARD and XYZ, each relating the HLQ to a user catalog. The user catalog lists PAY.DATA.FILE, PAY.MASTER.LIST and PAY.SOURCE.DATA; the entry for PAY.MASTER.LIST points to volume VOL123, whose VTOC locates the data set.)
Defining the Alias
(Figure: the master catalog alias PAY relates to user catalog USERCAT.VSYSB00, which catalogs PAY.DATA.FILE, PAY.MASTER.LIST and PAY.SOURCE.DATA.)
DEFINE ALIAS (NAME('User_ID') RELATE('User_Cat'))
DEF ALIAS (NAME('PAY') RELATE('USERCAT.VSYSB00'))
Specifying the Volume
(Figure: the user catalog entry for PAY.MASTER.LIST names volume VOL123; the VTOC on VOL123 locates PAY.MASTER.LIST on the volume.)
Types of z/OS® Data Sets
• User data set, e.g. BILL.JCL.CNTL: the HLQ is the user ID BILL
• Group data set, e.g. PAY.MASTER.LIST: the HLQ is the group PAY
• Other, e.g. XYZ.DATA.FILE: the HLQ is neither a user ID nor a group; whether such a data set can be accessed when no profile covers it is governed by SETR PROTECTALL(FAILURES|WARNING)
RACF Data Set Profile Categories
1. Discrete profile: data set profile name plus VOLSER, e.g. PAY.MASTER.LIST on VOL123
2. Fully-qualified generic profile: PAY.MASTER.LIST
3. Generic profile (wildcards): PAY.%%%%%%.*
4. Enhanced generic profile (EGN): PAY.*.**
Data Set Profile Naming Conventions
STANDARD DATA SET PROFILE NAMES
• Two or more qualifiers
• Each qualifier must be separated by a period
• Each qualifier can be one to eight alphanumeric or national ($, #, @) characters and the hyphen (-)
• Each qualifier must start with an alphabetic or national character
Using RACF Generic Characters
RACF GENERIC CHARACTERS
• RACF generic characters (%, *, **) may be used to substitute for one or more characters within a qualifier, and for one or more whole qualifiers
• RACF generic characters cannot appear in the high-level qualifier
• Maximum of 44 characters, including periods and RACF generic characters
Generic Character %
% matches any single character in a data set name.
Profile            Protects
HLQ.D%FILE.DATA    HLQ.D1FILE.DATA
                   HLQ.D2FILE.DATA
Generic Character *
• At the end of a qualifier in the middle of a profile name, * matches zero or more characters to the end of that qualifier.
• As a whole qualifier in the middle of a profile name, * matches any one qualifier of the data set name.
Profile         Protects
HLQ.AB*.END     HLQ.AB.END
                HLQ.ABC.END
                HLQ.ABCD.END
HLQ.*.END       HLQ.DATA.END
                HLQ.ABC.END
                HLQ.XYZ.END
Generic Character * (without EGN)
• As the last character of a profile name, * matches zero or more characters to the end of the qualifier, zero or more qualifiers, or both.
• As the last qualifier of a profile name, * matches one or more qualifiers at the end of the data set name.
Profile          Protects
HLQ.DATA.FILE*   HLQ.DATA.FILE
                 HLQ.DATA.FILES
                 HLQ.DATA.FILE.STUFF
HLQ.DATA.*       HLQ.DATA.FILE
                 HLQ.DATA.STUFF
                 HLQ.DATA.FILE.STUFF
Enhanced Generic Naming
To EGN or not to EGN?
SETROPTS EGN
SETROPTS NOEGN
Generic Character * - For EGN
• As the last character of a profile name, * matches zero or more characters to the end of the qualifier only; it does not extend across a period.
• As the last qualifier of a profile name, * matches exactly one qualifier at the end of the data set name.
Profile          Protects
HLQ.DATA.FILE*   HLQ.DATA.FILE
                 HLQ.DATA.FILES
                 HLQ.DATA.FILESTUF
HLQ.DATA.*       HLQ.DATA.FILE
                 HLQ.DATA.STUFF
                 HLQ.DATA.FILESTUF
Generic Character **
As a middle or final qualifier of a profile name, ** matches zero or more qualifiers.
Profile          Protects
HLQ.DATA.**      HLQ.DATA
                 HLQ.DATA.FILE
                 HLQ.DATA.FILE.STUFF
HLQ.**.FILE      HLQ.FILE
                 HLQ.DATA.FILE
                 HLQ.DATA.STUFF.FILE
Rules For Generic Data Set Profiles
• The HLQ cannot contain a generic character.
• Each qualifier must contain at least 1 and not more than 8 characters.
• A double asterisk must stand alone as a qualifier: use ".**"; "HLQ.XYZ**" is not allowed.
• Only one occurrence of a double asterisk is allowed in a profile name.
Examples of EGN Data Set Profiles
Profile (G)       Protects
HLQ.MYLIB         HLQ.MYLIB
HLQ.%%S*.PROD     HLQ.TEST.PROD
                  HLQ.TESTDATA.PROD
                  HLQ.SYS.PROD
HLQ.*.JCLCNTL     HLQ.PROD.JCLCNTL
                  HLQ.TEST.JCLCNTL
HLQ.INV*          HLQ.INV
                  HLQ.INVOICE
HLQ.*             HLQ.SALES
                  HLQ.PROD
HLQ.*.**          HLQ.SYS
                  HLQ.SYS.DATA
                  HLQ.SYS.DATA.CNTL
HLQ.**            HLQ
                  HLQ.ANYTHING
Most Specific Generics
RACF uses the most specific (best fitting) generic profile when determining which profile protects a data set.
Exercise: which of these profiles protects each data set?
Profiles: HLQ.DATA.*, HLQ.D%TA.FILE, HLQ.D*.FILE, HLQ.*, HLQ.*.**, HLQ.**.FILE
Data sets: HLQ.DATA, HLQ.DATA.FILE, HLQ.DATA.FILE.STUFF, HLQ.DTA.FILE, HLQ.D1TA.FILE, HLQ.MASTER.FILE, HLQ.TSOIN.FILE, HLQ.TEMP
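As an added example (not part of the deck), the Python below models the EGN generic-character rules and the best-fit selection described on the preceding slides, and runs them over this slide's exercise. It assumes SETROPTS EGN is active, names are upper case, and that best fit follows the character-by-character rule IBM documents (a non-generic character beats %, % beats *, * beats **, and a name that ends first is more specific). It is a model of the rules, not RACF itself; the profile and data set names are the slide's own.

```python
import re
from typing import Iterable, Optional


def validate_profile(profile: str) -> None:
    """Raise ValueError for a name RACF would reject (the naming rules on the slides above)."""
    if len(profile) > 44:
        raise ValueError("profile name longer than 44 characters")
    quals = profile.split(".")
    if len(quals) < 2:
        raise ValueError("a data set profile needs two or more qualifiers")
    if any(c in "%*" for c in quals[0]):
        raise ValueError("the high-level qualifier cannot contain a generic character")
    if quals.count("**") > 1 or any("**" in q and q != "**" for q in quals):
        raise ValueError("** must stand alone as a qualifier and appear at most once")
    for q in quals:
        if not 1 <= len(q) <= 8:
            raise ValueError(f"qualifier {q!r} must be 1 to 8 characters")
        if not re.fullmatch(r"[A-Z0-9$#@%*-]+", q) or q[0] in "0123456789-":
            raise ValueError(f"qualifier {q!r} has an invalid character or a numeric/hyphen start")


def is_valid_profile(profile: str) -> bool:
    try:
        validate_profile(profile)
        return True
    except ValueError:
        return False


def profile_regex(profile: str) -> re.Pattern:
    """Translate an EGN generic profile into an anchored regular expression:
    %  matches exactly one character;  * inside a qualifier matches the rest of that qualifier;
    *  as a whole qualifier matches exactly one qualifier;
    ** as a whole qualifier matches zero or more qualifiers (its leading period included)."""
    validate_profile(profile)
    pieces = []
    for i, q in enumerate(profile.split(".")):
        sep = "" if i == 0 else r"\."
        if q == "**":
            pieces.append(r"(?:\.[^.]+)*")
        elif q == "*":
            pieces.append(sep + r"[^.]+")
        else:
            pieces.append(sep + "".join(
                "[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c) for c in q))
    return re.compile("^" + "".join(pieces) + "$")


def protects(profile: str, dsname: str) -> bool:
    return profile_regex(profile).match(dsname) is not None


def specificity(profile: str) -> tuple:
    """Sort key for RACF's best-fit rule: names are compared left to right and, at the first
    position that differs, a non-generic character beats %, % beats *, and * beats **.
    A name that ends first sorts ahead, so HLQ.* is more specific than HLQ.*.**."""
    rank = {"%": 1, "*": 2}
    return tuple((rank.get(c, 0), c) for c in profile)


def best_fit(dsname: str, profiles: Iterable[str]) -> Optional[str]:
    """Most specific profile covering dsname, or None if it is unprotected (PROTECTALL territory)."""
    matches = [p for p in profiles if protects(p, dsname)]
    return min(matches, key=specificity) if matches else None


# The profiles and data sets from the "Most Specific Generics" slide.
PROFILES = ["HLQ.DATA.*", "HLQ.D%TA.FILE", "HLQ.D*.FILE", "HLQ.*", "HLQ.*.**", "HLQ.**.FILE"]
DATASETS = ["HLQ.DATA", "HLQ.DATA.FILE", "HLQ.DATA.FILE.STUFF", "HLQ.DTA.FILE",
            "HLQ.D1TA.FILE", "HLQ.MASTER.FILE", "HLQ.TSOIN.FILE", "HLQ.TEMP"]


def solve(profiles=PROFILES, datasets=DATASETS) -> dict:
    return {d: best_fit(d, profiles) for d in datasets}


if __name__ == "__main__":
    for ds, prof in solve().items():
        print(f"{ds:22} protected by {prof}")
```

Under that rule HLQ.*.** is more specific than HLQ.**.FILE (at the first differing position a period beats an asterisk), so HLQ.MASTER.FILE and HLQ.TSOIN.FILE fall to HLQ.*.** and the HLQ.**.FILE profile is never the best fit while HLQ.*.** exists. Running the same function before and after adding a profile is also the quickest way to see which data sets a new, more specific profile takes away from an existing one.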
Data Set Access Levels
From least to most authority: NONE, EXECUTE, READ, UPDATE, CONTROL, ALTER. A higher level includes the authority of the levels below it.
Authorization Flowchart
Checks are made in this order for an access request; the checks marked ** do not apply to RESTRICTED user IDs.
1. TRUSTED / PRIVILEGED started task: allow
   (RACF database I/O line: everything below requires reading the RACF database)
2. ** GAC entry = or > requested access: allow
3. Profile found? If not, PROTECTALL mode decides: PROTECTALL(FAILURES) fails the request; NOPROTECTALL or PROTECTALL(WARNING) allows it
4. User accessing own resource (HLQ = user ID): allow
5. User ID in standard access list: yes with sufficient authority, allow; yes with insufficient authority, continue at step 10
6. Group(s) in standard access list
7. ** ID(*) in standard access list
8. ** UACC = or > requested access
9. OPERATIONS attribute
10. User ID in conditional access list
11. Group(s) in conditional access list
12. ** ID(*) in conditional access list
13. WARNING mode: allow; otherwise fail
Global Access Table
READY
RLIST GLOBAL DATASET ALL
CLASS      NAME
-----      ----
GLOBAL     DATASET

MEMBER CLASS NAME
-----------------
GMBR

RESOURCES IN GROUP
------------------
&RACUID.**/ALTER (G)
ICFMCAT.**/READ (G)
ICFNVSAM.**/UPDATE (G)
ICFUCAT.**/UPDATE (G)
ISP*.**/READ (G)
SYS1.COBLIB/READ
SYS1.HELP/READ
SYS1.MACLIB/READ
SYS1.PROCLIB/READ

Commands that build the table:
RDEF GLOBAL DATASET
RALT GLOBAL DATASET ADDMEM(&RACUID.**/ALTER)
RALT GLOBAL DATASET ADDMEM(ICFMCAT.**/READ)
RALT GLOBAL DATASET ADDMEM(ICFUCAT.**/UPDATE)
RALT GLOBAL DATASET ADDMEM(ISP*.**/READ)
RALT GLOBAL DATASET ADDMEM(SYS1.HELP/READ)
etc . . .
Data Set Profile Access Lists
STANDARD ACCESS LIST
• Grant Groups and/or Users some level of access
CONDITIONAL ACCESS LIST
• Grant Groups and/or Users some level of access based
on a predefined condition:
• WHEN using a certain PROGRAM
• WHEN user is logged onto a certain TERMINAL
• WHEN user is logged onto a certain CONSOLE
• WHEN job submitted from a certain JESINPUT
• WHEN user enters system from certain LU (APPCPORT)
• WHEN user enters system from certain IP address (SERVAUTH)
User ID In Access List
Standard access list checking: the standard access list may allow, disallow or restrict the level of access otherwise authorized to the user.
Data set profile name: VAN.DATA.*    UACC: NONE    WARNING: NO
Access list:
GROUP10   READ
GROUP05   UPDATE
JANICE    READ
*         READ
Connect groups in the example: JIMMY is in GROUP10, JANICE is in GROUP05, BILLY is in GROUP15.
User ID In Access List
If the user is on the standard access list:
A. If the access level is sufficient, access is allowed.
B. If the access level is less than the requested access, RACF goes on to check the conditional access list. The explicit entry prevents access from being granted through group access, ID(*), the UACC, or the OPERATIONS attribute.
List-of-Groups Checking
If the user is not on the standard access list:
• List-of-groups refers to matching a user's RACF connect groups to group names in an access list.
• List-of-groups checking is a global RACF option activated using SETROPTS (GRPLIST); without it only the user's current connect group is checked.
• Access is based on the highest authority of any group in the access list to which the user ID is connected.
Permit ID(*)
An asterisk (*) in the access list allows all RACF-defined users access to the data set at the access level specified.
AD 'VAN.DATA.*' OW(VAN) UACC(NONE)
PE 'VAN.DATA.*' ID(*) AC(READ)
Universal Access Authority
• Defines default access authority to a resource for
ALL users or groups not specifically permitted
access – even those users NOT defined to RACF
AD 'SYS1.HELP' GEN UACC(READ)
OPERATIONS Attribute
• Access to most RACF protected data sets
• Access to some general resources
• Allows the user to allocate new data sets
• Allows the user to delete data sets
• Assign to the minimum number of users
• Primary use is storage management
• Can be superseded during authorization checking
Conditional Access
EXAMPLE
• Normally, allow the PERSNL READ access to the
Payroll Data Sets
• However, when executing the PAYUPD program, allow
the PERSNL UPDATE access to the Payroll Data Sets
• Program Access to Data Sets (PADS)
PE 'PAYROLL.**' ID(PERSNL) ACCESS(READ)
PE 'PAYROLL.**' ID(PERSNL) AC(UPDATE) WHEN(PROGRAM(PAYUPD))
Data Set Profile Name   UACC   Access List    Conditional Access List
PAYROLL.**              NONE   PERSNL(READ)   PERSNL(UPDATE) WHEN(PROGRAM(PAYUPD))
Program Access To Data Sets
ALLOWS A RACF USER-ID OR RACF GROUP TO:
• ACCESS A SPECIFIC DATA SET,
• WITH A SPECIFIC ACCESS LEVEL,
• WHEN EXECUTING A "CONTROLLED PROGRAM"
(Figure: BOB, connected to group PERSNL, has READ to PAYROLL.MASTER through normal access and UPDATE only while executing the controlled program PAYUPD.)
WARNING Mode
• Allows a user who fails the authorization checking process to be given access anyway; the access is logged and a warning message is issued
• Used primarily as an implementation tool
• Use WARNING together with the NOTIFY option
• Could be misused and create a security exposure
Ownership Versus Access to Data Sets
• Profile ownership:
  – gives the user ID / group ID full administrative control over the profile, including its access list
  – does NOT by itself allow access to the data set
• Access to the data set requires one of:
  – the user ID is TRUSTED or PRIVILEGED
  – the global access table (GAT) allows access
  – the user ID equals the high-level qualifier
  – the user ID / group ID is in the access list (via PERMIT)
  – ID(*) allows access
  – the UACC allows access
  – the OPERATIONS attribute
  – WARNING mode
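An added example, not part of the deck: a Python model of the checking order on the Authorization Flowchart and the access-list rules from the slides above, run against the VAN.DATA.* and PAYROLL.** examples. It assumes list-of-groups checking is active, that the covering profile has already been found by best-fit lookup and is passed in, that a group entry with too little access bypasses ID(*), UACC and OPERATIONS just as a user entry does, and that the global access table contains only exact-name and HLQ.** entries. The SYS1.** profile, the OPER/STGADM/RSTR users and the GAT contents are constructed for the demonstration; the other names come from the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RACF access authorities from least to most powerful (EXECUTE sits between NONE and READ).
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def sufficient(granted: str, requested: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(requested)

@dataclass
class User:
    userid: str
    groups: frozenset = frozenset()   # connect groups; list-of-groups checking assumed active
    operations: bool = False
    restricted: bool = False
    trusted: bool = False             # TRUSTED or PRIVILEGED started task

@dataclass
class Profile:
    name: str                         # the covering profile, found by best-fit lookup beforehand
    uacc: str = "NONE"
    warning: bool = False
    std: Dict[str, str] = field(default_factory=dict)                     # ID -> access; "*" is ID(*)
    cond: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (WHEN class, value, ID, access)

def gac_entry(gat: Dict[str, str], user: User, dsname: str, requested: str) -> Optional[str]:
    """Global access table lookup; only exact names and 'HLQ.**' entries are modelled (assumption)."""
    for entry, access in gat.items():
        name = entry.replace("&RACUID", user.userid)
        hit = dsname == name if not name.endswith(".**") else dsname == name[:-3] or dsname.startswith(name[:-2])
        if hit and sufficient(access, requested):
            return entry
    return None

def check_access(user: User, dsname: str, requested: str, profile: Optional[Profile], gat: Optional[Dict[str, str]] = None,
                 when: Optional[Dict[str, str]] = None, protectall: bool = True) -> Tuple[str, str]:
    """Return (decision, reason), following the order on the Authorization Flowchart slide."""
    gat, when = gat or {}, when or {}
    if user.trusted:
        return "ALLOW", "TRUSTED/PRIVILEGED"
    if not user.restricted:                       # RESTRICTED IDs get no GAC, ID(*) or UACC
        hit = gac_entry(gat, user, dsname, requested)
        if hit:
            return "ALLOW", f"GAC {hit}"
    if profile is None:                           # no covering profile: PROTECTALL decides
        if protectall:
            return "FAIL", "no profile, PROTECTALL(FAILURES)"
        return "ALLOW", "no profile, NOPROTECTALL or PROTECTALL(WARNING)"
    if dsname.split(".")[0] == user.userid:
        return "ALLOW", "HLQ is the user's own ID"
    # Standard access list: a user entry is used as-is; otherwise the highest access of any connect group on the list.
    found, how = profile.std.get(user.userid), "user entry"
    if found is None:
        grp = [profile.std[g] for g in user.groups if g in profile.std]
        if grp:
            found, how = max(grp, key=LEVELS.index), "group entry"
    if found is not None:
        if sufficient(found, requested):
            return "ALLOW", f"{how} {found}"
        # On the list with too little access: ID(*), UACC and OPERATIONS are all bypassed.
    else:
        if not user.restricted:
            if "*" in profile.std and sufficient(profile.std["*"], requested):
                return "ALLOW", f"ID(*) {profile.std['*']}"
            if sufficient(profile.uacc, requested):
                return "ALLOW", f"UACC {profile.uacc}"
        if user.operations:
            return "ALLOW", "OPERATIONS attribute"
    # Conditional access list, e.g. WHEN(PROGRAM(PAYUPD)) for program access to data sets.
    for cls, value, who, access in profile.cond:
        applies = who == user.userid or who in user.groups or (who == "*" and not user.restricted)
        if when.get(cls) == value and applies and sufficient(access, requested):
            return "ALLOW", f"conditional WHEN({cls}({value})) {who} {access}"
    if profile.warning:
        return "ALLOW", "WARNING mode (would otherwise fail; logged)"
    return "FAIL", "insufficient authority"

# Constructed from the VAN.DATA.* and PAYROLL.** slides; SYS1.**, the GAT and the last three users are assumptions.
VAN_DATA = Profile("VAN.DATA.*", std={"GROUP10": "READ", "GROUP05": "UPDATE", "JANICE": "READ", "*": "READ"})
PAYROLL = Profile("PAYROLL.**", std={"PERSNL": "READ"}, cond=[("PROGRAM", "PAYUPD", "PERSNL", "UPDATE")])
SYS1 = Profile("SYS1.**")
GAT = {"&RACUID.**": "ALTER", "SYS1.HELP": "READ"}
JIMMY = User("JIMMY", frozenset({"GROUP10"}))
JANICE = User("JANICE", frozenset({"GROUP05"}))
BILLY = User("BILLY", frozenset({"GROUP15"}))
BOB = User("BOB", frozenset({"PERSNL"}))
OPER = User("OPER", frozenset({"PERSNL"}), operations=True)   # OPERATIONS, but also connected to PERSNL
STGADM = User("STGADM", operations=True)                       # OPERATIONS, not on any access list
RSTR = User("RSTR", restricted=True)

if __name__ == "__main__":
    for u, ds, lvl, prof, when in [
        (JANICE, "VAN.DATA.FILE", "UPDATE", VAN_DATA, None),   # explicit READ undercuts GROUP05's UPDATE
        (BOB, "PAYROLL.MASTER", "UPDATE", PAYROLL, {"PROGRAM": "PAYUPD"}),
        (OPER, "PAYROLL.MASTER", "UPDATE", PAYROLL, None),     # group READ entry overrides OPERATIONS
    ]:
        print(f"{u.userid:7}{lvl:7}{ds:16}", check_access(u, ds, lvl, prof, GAT, when))
```

The two results worth checking by hand are JANICE, whose explicit READ entry stops her GROUP05 UPDATE from being used, and OPER, whose OPERATIONS attribute is superseded because a group he is connected to is on the list with READ; both are the "restrict" case the access-list slides describe.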
Commands For Data Set Profiles
ADDSD (AD)     Add a data set profile
ALTDSD (ALD)   Modify a data set profile
PERMIT (PE)    Create, modify, or delete access list entries in a data set profile
LISTDSD (LD)   List a data set profile
DELDSD (DD)    Delete a data set profile
ADDSD Command Syntax
ADDSD (AD) 'profile_name' or ('profile_name-1' . . .)
  [ OWNER(user-id or group-name) ]
  [ UACC(access authority) ]
  [ DATA('data or comment') ]
  [ GENERIC ]
  [ LEVEL(nn) ]
  [ FROM('profile_name_2') ]
  [ AUDIT(access-attempt [(audit-access-level)]) ]
  [ WARNING | NOWARNING ]
Examples:
ADDSD 'SYS2.*.**' OWNER(SYS2) UACC(NONE)
AD 'BILL.*.**' OWNER(BILL) UACC(NONE)
AD 'VAN.PROD.FILE' OW(VAN) UA(NONE) GENERIC
ALTDSD Command Syntax
ALTDSD (ALD) 'profile_name' or ('profile_name-1' . . .)
  [ OWNER(user-id or group-name) ]
  [ UACC(access authority) ]
  [ DATA('data or comment') ]
  [ GENERIC ]
  [ LEVEL(nn) ]
  [ WARNING | NOWARNING ]
  [ AUDIT(access-attempt [(audit-access-level)]) ]
  [ GLOBALAUDIT(access-attempt [(audit-access-level)]) ]
Examples:
ALTDSD 'SYS2.*.**' AUDIT(FAILURES(READ) SUCCESS(UPDATE))
ALD 'SYS1.MIGLIB' GEN LEVEL(87)
PERMIT Command Syntax
PERMIT (PE) 'profile-name-1'
  [ GENERIC ]
  [ ID(name . . . | *) ]
  [ ACCESS(access-authority) ]
  [ FROM('profile-name-2') ]
  [ DELETE ]
  [ RESET [ (ALL | STANDARD | WHEN) ] ]
Example:
PERMIT 'SYS2.*.**' ID(CICSGRP) ACCESS(UPDATE)
PERMIT Command Examples
PE 'SYS2.*.**' ID(MVSGRP) ACCESS(ALTER)
PE 'SYS2.*.**' ID(CICSGRP) DELETE
PE 'VAN.PROD.**' RESET
PE 'VAN.PROD.**' ID(LVPAYCLK) AC(UPDATE)
PE 'VAN.PROD.**' ID(LVCSTSRV)            (no ACCESS operand: defaults to READ)
PE 'VAN.PROD.FILE' GEN ID(*) AC(READ)
Listing Data Set Profiles
How do I:
• Look at a particular data set profile
• Find the best fitting profile that protects a data set
• Find out which data sets a profile protects
LISTDSD (LD)
  DATASET('profile-name' . . .) | ID(name . . .) | PREFIX(char . . .)
  [ GENERIC | NOGENERIC ]
  [ AUTHUSER ]
  [ HISTORY ]
  [ STATISTICS ]
  [ ALL ]
  [ DSNS ]
  [ DFP ]
  [ NORACF ]
Listing a Particular Data Set Profile
LD DA('VAN.PROD.**') AU

INFORMATION FOR DATASET VAN.PROD.** (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO

AUDITING
--------
FAILURES(READ)

GLOBALAUDIT
-----------
SUCCESS(UPDATE)

NOTIFY
------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
NONE         VANGUARD        NON-VSAM
Listing the Access List
LD DA('VAN.PROD.**') AU   (output continued)

NO INSTALLATION DATA

SECURITY LEVEL
--------------
NO SECURITY LEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

ID        ACCESS
--------  -------
LVPAYCLK  UPDATE
LVCSTSRV  READ

ID        ACCESS   CLASS     ENTITY NAME
--------  -------  --------  ------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
Listing the Data Set HLQ
LD ID(VAN)

INFORMATION FOR DATASET VAN.PROCLIB
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
INFORMATION FOR DATASET VAN.PROD.DATA.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
INFORMATION FOR DATASET VAN.PROD.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
Listing the Prefix of a Data Set
LD PRE(VAN.PROD)

INFORMATION FOR DATASET VAN.PROD.DATA.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
INFORMATION FOR DATASET VAN.PROD.STUFF.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
INFORMATION FOR DATASET VAN.PROD.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
Undercutting Exercise - Commands
• Buddy requests UPDATE access to
VAN.PROD.FILE
• Management approves request
• What profile protects VAN.PROD.FILE?
• Give BUDDY UPDATE access to that profile?
– What are the ramifications?
• Do I need a new profile built?
– What are the ramifications if I build a new profile?
Finding the Best Fitting Profile
Is the data set protected by a discrete profile? If not, find the best-fitting generic profile.
LD DA('VAN.PROD.FILE')
LD DA('VAN.PROD.FILE') GENERIC

INFORMATION FOR DATASET VAN.PROD.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    VAN       NONE              NO       NO
 . . .
Finding Data Sets Protected by a Profile
What data sets are protected by the VAN.PROD.** profile?
LD DA('VAN.PROD.**') DSNS NORACF

INFORMATION FOR DATASET VAN.PROD.** (G)
CATALOGUED DATA SETS AFFECTED BY PROFILE CHANGE
-----------------------------------------------
VAN.PROD.FILE
VAN.PROD.MASTER.FILE
VAN.PROD.PAYROLL
VAN.PROD.RACF.BKUP
VAN.PROD.RACF.PRIM
Data Set Profile Modeling
AD 'VAN.PROD.FILE' GEN FROM('VAN.PROD.**')

Profile Name    Owner  UACC  Audit          Access List
VAN.PROD.**     VAN    NONE  FAILURES/READ  LVPAYCLK/UPDATE, LVCSTSRV/READ
VAN.PROD.FILE   VAN    NONE  FAILURES/READ  LVPAYCLK/UPDATE, LVCSTSRV/READ

The new fully-qualified generic profile takes the UACC, audit settings and access list of the model, so the existing permits are not lost. Of the data sets VAN.PROD.FILE, VAN.PROD.MASTER.FILE, VAN.PROD.PAYROLL, VAN.PROD.RACF.BKUP and VAN.PROD.RACF.PRIM, only VAN.PROD.FILE is now covered by the new profile; the others remain under VAN.PROD.**.
Update the Access List
PE 'VAN.PROD.FILE' GEN ID(BUDDY) AC(UPDATE)

Profile Name    Owner  UACC  Audit          Access List
VAN.PROD.**     VAN    NONE  FAILURES/READ  LVPAYCLK/UPDATE, LVCSTSRV/READ
VAN.PROD.FILE   VAN    NONE  FAILURES/READ  LVPAYCLK/UPDATE, LVCSTSRV/READ, BUDDY/UPDATE

BUDDY's UPDATE applies only to VAN.PROD.FILE; VAN.PROD.MASTER.FILE, VAN.PROD.PAYROLL, VAN.PROD.RACF.BKUP and VAN.PROD.RACF.PRIM are still protected by VAN.PROD.**, whose access list is unchanged.
Data Set Profiles – RACF Panels
(Screenshot walk-through: Add a Data Set Profile; Enter Profile Name; Specify the Owner; Select Access List; Enter 1 to Add to Access List; Enter YES to Specify; Enter ID and Access Level; Adding Another ID to the Access List; Enter Another ID and Access Level.)
Display a Data Set Profile - RACF Panels
(Screenshot walk-through: Enter the Profile Name; Request the Access List; Profile Displayed.)
Undercutting Exercise – RACF Panels
The same exercise as above (BUDDY's approved request for UPDATE to VAN.PROD.FILE), worked through the RACF panels.
(Screenshot walk-through: Finding the Best Fitting Profile; Profile Displayed; Finding Protected Data Sets; Protected Data Sets Displayed; Model a Data Set Profile – Panels; Enter the Model Profile; Change the New Data Set Profile; Select the Access List; Update the Access List.)
Administrator for Data Set Profiles
(Screenshot walk-through of Vanguard Administrator: Adding Data Set Profiles; Specify Profile Name; Enter Owner and UACC; Edit the Standard Access Permits; Specify the Access Level – Press F3; Enter Another ID in Access List; Specify the Access Level – Press F3; Results of Access Permits - Press F3; Enter GO to Generate Commands; Review the Commands.)
Undercutting Exercise - Administrator
The same exercise, worked through Vanguard Administrator.
(Screenshot walk-through: Find Best Fitting Profile; Select Data Sets; Enter Full Data Set Name; Display Covering Profile?; Covering Profile Found; What to do From Here?; Finding Protected Data Sets; Protected Data Sets Displayed; Fastpath to Clone a Data Set Profile; The Clone Data Set Command Panel; Replicate the Line; Update the Commands.)
DELDSD Command Syntax
DELDSD (DD) 'profile-name' or ('profile_name_1' . . .)
  [ GENERIC ]
Example:
DD 'VAN.PROD.FILE' GEN
NOTE: Deletes the data set profile, NOT the data set itself. Once the profile is gone, the data sets it covered fall back to the next best-fitting generic profile (here VAN.PROD.**) or, if there is none, to PROTECTALL processing.
Delete a Data Set Profile – RACF Panels
(Screenshot walk-through: Enter the Profile to be Deleted; Clear the Indicator Bit.)
Delete Data Set Profile - Administrator
(Screenshot walk-through: Using Reports to Delete a Profile; Data Set Profile Summary Report; Delete the Data Set Profile; Review the Commands.)
Implementing Changes
• For changes to take effect after defining new generic profiles or after changing generic profiles, one of the following is required:
  – the user of the data set issues a LISTDSD command for it, which refreshes the in-storage generic profile list for that address space:
    LD DA('VAN.PROD.FILE') GEN
  – the security administrator issues:
    SETR GENERIC(DATASET) REFRESH
  – the user of the data set logs off, then back on