United States Environmental Protection Agency
Office of Administration and Resources Management
National Data Processing Division
Research Triangle Park, NC 27711
March 31, 1993
208B930i4
RACF Security Administrator Training Materials

-------
AGENDA
09:00 - 09:05   Introduction
09:05 - 09:15   Course Overview
09:15 - 09:25   Decentralization
09:25 - 09:50   Roles and Responsibilities
09:50 - 10:00   How to Decentralize
10:00 - 10:15   Morning Break
10:15 - 10:30   Basic RACF
10:30 - 11:00   RACF Group Profiles
11:00 - 11:30   RACF User-IDs
11:30 - 12:30   Lunch Break
12:30 - 13:30   Adding Dataset Profiles
13:30 - 13:45   (title illegible in scan)
13:45 - 14:00   Afternoon Break
14:00 - 14:15   RACF Resource Profiles
14:15 - 14:45   Profile Deletion Duties
14:45 - 15:00   Summary

-------
TRAINING FOR
RACF SECURITY ADMINISTRATORS


-------
Course Objectives
• Explain decentralization and its purpose.
• Explain the roles and responsibilities under decentralization.
• Explain the facility (RACF) by which this will be accomplished.
• Nuts and bolts:
  - How to log on and access the RACF Administrator's panels.
  - How to administer RACF from EPA's decentralized level (RSAs, ADPs).
  - User-ID information.
  - Group administration.
  - Group resource protection and administration.

-------
Decentralization

-------
Decentralization
Centralization definition:
One person or group administering security for the whole world. One group having total responsibility for all of the RACF environment. This includes complete ownership of your data.
Decentralization definition:
The delegation of your application to local (group) administrators for the purpose of controlling access and/or protection. This gives the application owner the ability to respond more quickly to the needs of your group.

-------
Centralized & Decentralized Working Together
Consistency
Centralized staff can apply security in a consistent manner.
Standards
Centralized staff can ensure that EPA security standards are being followed. Education and monitoring are needed to ensure that the decentralized staff is complying with standards.
Responsiveness
Decentralized administrators can respond more quickly to a user's need than the centralized level can.
Control
You now have the ability to issue RACF commands designed to manage your accounts better.

-------
What Decentralization Means to You
You, as the RSA, will now have the responsibility and ownership of maintaining proper security for your data!

-------
Roles and Responsibilities

-------
ADP Coordinators
• Identify the RSAs.
• Help identify all accounts and existing User-IDs belonging to the application.
• Work with the RSAs to initially decentralize the application in RACF.
• Account Maintenance:
  - Request creation of new accounts (groups).
  - Revoke/reactivate (resume) accounts.
  - Request deletion of accounts (groups).
  - Add new users to the IBM system.
  - Update User-ID information for existing User-IDs.
• Notify RSAs whenever any of the above is done.

-------
Account Managers
• Work with the RSAs to initially decentralize the application in RACF.
• Assist in the identification of the accounts and User-IDs belonging to the application.
• Notify the RSAs when you:
  - Add new users to the IBM system.
  - Update User-ID information for existing User-IDs.
  - Change the name of the person responsible for a User-ID.

-------
RACF Security Administrator (RSA)
• Perform the steps necessary to initially decentralize the application in RACF.
• Create and maintain the RACF profiles needed to protect the application data.
• Assume ownership of new accounts and User-IDs added by the ADP Coordinators and Account Managers.
• Connect User-IDs to accounts and new account groups.
• Create the Alias needed for User-IDs.
• Create RACF profiles for new User-IDs and/or accounts for the protection of data.
• Change the initial password for new users of the IBM system and notify the user of the temporary password.

-------
RSAs Roles (Cont.)
• Perform password resets for User-IDs owned by the application when needed.
• Add new non-accounts as needed.
• Change the ownership of accounts, non-account groups, and User-IDs as needed.
• Delete non-account groups.
• Remove User-IDs from accounts and non-account groups.
• Delete RACF profiles and maintain access lists pertaining to User-IDs and accounts to be deleted from the system.
• Delete or rename data sets and tapes assigned to User-IDs and accounts being deleted.

-------
RSAs Roles (Cont.)
•	Delete alias for deleted User-IDs.
•	Add/delete RSAs for the application.
•	Notify the ADP Coordinators, Account Managers, users, and
other RSAs affected by any of these actions.


-------
TSSMS Office
• Process requests received from the ADP Coordinators and the RSAs to initially decentralize applications in RACF.
• Notify ADPs and RSAs upon completion of the request, as well as of any problems encountered.
• Verify that nightly TSSMS processing successfully added new account IDs to RACF.
• Create the Alias for new accounts (groups).
• Create non-account groups as requested by the RSA.

-------
TSSMS Office (Cont.)
•	Process all changes to RACF decentralization information re-
ceived on ALL-IN-1 Email forms. Notify ADPs and RSAs upon
completion of the requests and inform them of problems encoun-
tered.
•	Update the TSSMS Registration System with information en-
tered into RACF by the RSAs.
•	Monitor all RACF activities of the RSAs and notify the appropri-
ate resource when problems are discovered.


-------


Customer Support
• Administer all calls requesting assistance with RACF decentralization or PROTECTALL.
• Determine if a user requesting a password reset or resumption of a User-ID belongs to a decentralized account. If so, refer the user to the appropriate RSA. If the user is not decentralized, reset the password or resume the User-ID.
• Provide one-on-one support and hands-on training to the applications during the RACF decentralization effort.
• Provide follow-up support as needed.
Customer Support telephone numbers: 1-919-541-7862 or 1-800-334-2405

-------

HOW TO BEGIN DECENTRALIZATION
1. Identify the ADP, Account Managers, and Primary RSAs.
2. Identify billable/logon accounts and associated users for ownership (obtained from the ADP or Account Manager).
3. Identify Group (Account) level data sets or any data set important to the application.
4. Determine data set protection and access.
5. Define non-accounts for ownership and access.
6. Establish notification procedures to users, ADPs, Account Managers, and all application RSAs for any additions, changes, or deletions.

-------
Each application should establish internal procedures, such as ALL-IN-1 or hardcopy notices, for keeping everyone within the application informed.
• The user needs to be notified of any entries that affect the User-IDs or access to protected data.
• ADPs and RSAs need to be notified of every entry into RACF.
• Account Managers, if they are not RSAs, need to be notified of every entry that affects the users/accounts.

-------
RACF Decentralization Structure
[Diagram: the hierarchy shown on this page runs from Systems (SYS1) down to TSSMS & Customer Support, then to the ADP Coordinators ADP1 (applications APPL11 and APPL12) and ADP2 (applications APPL21, APPL22 and APPL23). Each application is administered by its EPA RSAs and holds billable accounts (BA), non-accounts (NA) and customer User-IDs (Customer1 through Customer4).]
Legend:
APPL#      = Application
ADP#       = ADP Coordinator
EPA RSAs   = EPA RACF Security Administrators
BA         = Billable Accounts
NA         = Non-Accounts
Customer#  = Customer User-IDs owned by Application

-------
RACF Decentralization Notes
EPA/FM Security will have System-SPECIAL.
Systems will have Group-SPECIAL. Some, under RACF policy provisions, will have System-SPECIAL for resolution of RACF system problems.
TSSMS and the Customer Support RACF Specialists (i.e., not to exceed four and only those who have attended RSA training) will have Group-SPECIAL, join authority, and RACF acct/user admin commands. Customer Support RACF Specialists will have authorities for listing, but not changing, RACF entries after completion of the decentralization effort.
TSSMS will add new User-IDs, new billable groups, and non-account groups to RACF. TSSMS will also ALTER the billable and non-account groups in RACF.
EPA RSAs will have Group-SPECIAL, but will be limited to password resets and revokes, and to connecting, changing, and removing existing User-IDs on their billable accounts and those non-account groups under their control.
If an ADP has not been trained as an RSA, he will not have Group-SPECIAL.
If a customer is experiencing a RACF problem, he will be referred to his RSA and ADP. Informational calls on the RACF product (i.e., how do I protect a data set?) from a customer will be answered by Customer Support.
TSSMS will add all new and existing User-IDs to a holding pen account. When a new User-ID is added to the holding pen account, the owner of the User-ID is the Application that made the request. It is then the responsibility of the EPA RSA to connect the User-ID to the appropriate billable account(s).
Example: Customer1 calls and needs his password reset. After the Customer Call Center has determined that APPL11 has claimed ownership of Customer1, Customer1 will be given the names and numbers of the EPA RSAs in APPL11 and ADP1.

-------
APPENDIX D
TSSMS-RACF Decentralization Request and Email RACF Forms
Note: Two manuals that you will need to reference for the functions in this appendix are these:
1. Application RACF Security Administrator's Guide (listed in the tables as RSA Guide).
2. Customer's Guide to NCC's Registration System (listed in the tables as TSSMS Registration).
The following abbreviations are used in the tables:
ADP      = database entry
MGR      = database entry
RSA      = RACF entry
TSSMS    = both RACF and database
TSSMPENx = TSSMPEN and a number

-------
TSSMS-RACF DECENTRALIZATION REQUEST

Step  Function                                                          Completed by
1.0   Establish Application for RACF Decentralization.
1.1   Complete RACF_REQUEST_I (see App. D, RSA Guide).                  ADP, RSA
      (Note: NDPD Security approves RSAs.)
1.2   Complete RACF_REQUEST_II (see App. D, RSA Guide).                 ADP, MGR, RSA
1.3   RACF updated to include application hierarchy.                    TSSMS
1.4   Ownership updated in RACF for accounts and IDs.                   TSSMS
1.5   Notice of completion attached to Email and Mail.                  TSSMS
1.6   Notify customer of ownership claim.                               RSA
2.0   Add New Billable Account.
2.1   Request entered in TSSMS online database (TSSMS Registration).    ADP
2.2   Add to RACF in nightly processing.                                TSSMS
2.3   ALIAS added for system catalog.                                   TSSMS
2.4   RACF ownership is claimed with Email form II                      RSA
      (see App. D, RSA Guide).
2.5   Ownership entered in RACF.                                        TSSMS
2.6   Account manager will be added as user in nightly processing       TSSMS
      (both in database and RACF).
2.7   Add group-level profile in RACF.                                  RSA
2.8   Add users (see "add user" and "existing user").                   RSA

-------
TSSMS-RACF DECENTRALIZATION REQUEST (cont.)

Step  Function                                                          Completed by
3.0   Add New Non-Account Group.
3.1   Request completed with Email form II (see App. D, RSA Guide).     RSA
3.2   Request completed in TSSMS.                                       TSSMS
3.3   Connect existing users when needed.                               RSA
4.0   Add New User-ID.
4.1   Request entered in TSSMS online database (TSSMS Registration).    ADP or MGR
4.2   Add to RACF in nightly processing.                                TSSMS
4.3   Add to TSSMPENx in nightly processing.                            TSSMS
4.4   Ownership request for User-ID through Email form II               RSA
      (see App. D, RSA Guide).
4.5   Ownership entered into RACF.                                      TSSMS
4.6   Change password, connect to account, and notify user.             RSA
      (User must be connected to a billable account to log on.)
4.7   ALIAS added for system catalog (see App. D, RSA Guide).           RSA
5.0   Connect Existing User-ID to Existing Account Group (RSA Guide).
5.1   Connect the User-ID to the account in RACF.                       RSA
5.2   ALIAS added for system catalog for billable account/User-ID only. RSA
5.3   Added to the TSSMS online system from RACF with nightly           TSSMS
      processing.

-------
TSSMS-RACF DECENTRALIZATION REQUEST (cont.)

Step  Function                                                          Completed by
6.0   Delete Existing User-ID from One Account Group (RSA Guide).
6.1   List User-ID in RACF.                                             RSA
6.2   Change default group of User-ID if needed.                        RSA
6.3   Run IRRUT100 (gives list of RACF profiles).                       RSA
6.4   Run CLIST to receive a listing of tapes, datasets, etc.           RSA
      (see App. C).
6.5   Remove User-ID from access list.                                  RSA
6.6   Delete or rename datasets.                                        RSA
6.7   Remove User-ID from account.                                      RSA
6.8   Delete ALIAS to remove from system catalog.                       RSA
6.9   Nightly processing will update the TSSMS online database from     TSSMS
      RACF entries.
7.0   Revoke/Delete Billable Account Group.
7.1   Request entered in TSSMS online database (TSSMS Registration).    ADP
7.2   Revoked in RACF for 45 days (accounts and users).                 TSSMS
7.3   Run IRRUT100 (listing sent to the ADP Coordinator).               TSSMS
7.4   Data management and DPSS run CLIST to get datasets and tapes      TSSMS
      (listing sent to the ADP Coordinator).
7.5   Any datasets and profiles are cleaned up.                         ADP or MGR; RSA *

-------
TSSMS-RACF DECENTRALIZATION REQUEST (cont.)

Step  Function                                                          Completed by
7.6   Request entered in TSSMS online database to delete the account    ADP
      (TSSMS Registration).
7.7   After 45 days the account is deleted from RACF.                   TSSMS
7.8   ALIAS is removed for the account and User-ID.                     TSSMS
8.0   Delete a Non-Account Group.
8.1   Run IRRUT100 to clean up access lists and profiles.               RSA
8.2   All users removed from account (RSA Guide).                       RSA
8.3   Request is entered on Email form II (see App. D, RSA Guide).      RSA
8.4   Non-account group removed from system.                            TSSMS
9.0   Delete a User-ID Completely from RACF (RSA Guide).
9.1   List User-ID in RACF.                                             RSA
9.2   Change default group of User-ID to TSSMPENx.                      RSA
9.3   Run IRRUT100.                                                     RSA
9.4   Run CLIST to receive a listing of tapes, datasets, etc.           RSA
      (see App. C).
9.5   Remove user from access list.                                     RSA
9.6   Delete or rename datasets.                                        RSA
9.7   Remove User-ID from account. (The only account the User-ID will   RSA
      remain on is TSSMPENx.)

-------
TSSMS-RACF DECENTRALIZATION REQUEST (cont.)

Step  Function                                                          Completed by
9.8   Delete ALIAS to remove from system catalog (see App. C).          RSA
9.9   Nightly processing will update the TSSMS online database.         TSSMS
9.10  List User-ID in RACF.                                             TSSMS
9.11  Remove User-ID from TSSMPENx.                                     TSSMS
10.0  Password Resets, Resumes, at User-ID Level.
10.1  If customer calls CCC...
10.2  ...CCC determines owner of User-ID and provides RSA/ADP
      information to customer.
10.3  ...Customer will contact the RSA/ADP.
10.4  ...The RSA will reset/resume customer (RSA Guide).                RSA
11.0  Revoking Billable Account/Group (Revoking Account for a Period
      of Time Only; not to be Deleted).
11.1  Contact TSSMS and request that the account be revoked.            ADP
11.2  Account is revoked in the database.                               TSSMS
11.3  Account is revoked in RACF with installation data (revoke only    TSSMS
      per ADP).
11.4  Contact TSSMS to resume account.                                  ADP
11.5  Account is resumed in the TSSMS database.                         TSSMS
11.6  Account is resumed in RACF.                                       TSSMS

-------
TSSMS-RACF DECENTRALIZATION REQUEST (cont.)

Step  Function                                                          Completed by
12.0  Revoke/Resume User-ID at the Group/Account Level (RSA Guide).
12.1  List User-ID in RACF. (Note: Change default group if needed.)     RSA
12.2  Revoke User-ID at group level.                                    RSA
13.0  Revoke/Resume User-ID at the User-ID Level (RSA Guide).
13.1  List User-ID in RACF.                                             RSA
13.2  Revoke/resume User-ID.                                            RSA

-------
Email RACF Forms
Note: Information about accounts and User-IDs to be included on these forms may be obtained from the ADP Coordinator and/or the Account Manager.
To access the RACF forms on ALL-IN-1, do the following:
A. REQUEST (Enter REQUEST at the EM Menu and press RETURN.)
B. Choose one of the four forms below and type the name at the prompt:
   1. RACF_REQUEST_I (Enter the name of the form and press RETURN.)
      This form is used to establish an application within RACF.
   2. RACF_REQUEST_II (Enter the name of the form and press RETURN.)
      This form is used to establish ownership of User-IDs and accounts.
   3. RACF_REQUEST_III (Enter the name of the form and press RETURN.)
      This form is used to update a decentralized application.
   4. RACF_REQUEST_IV (Enter the name of the form and press RETURN.)
      This form is used to update RSA information on an application.

-------
EMAIL RACF FORMS
RACF_REQUEST_I
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 1
I. The system acronym of your application registered in EPA Information Systems Inventory (ISI). ______
II. The four Primary RACF Security Administrators (RSA) (no more than four per application will be tracked by TSSMS).
   User-ID    Name
   1.
   2.
   3.
   4.
At I, enter the ISI and press the TAB key.
At II, enter the User-ID and name of the RSA(s) and press the TAB key.
RACF REQUEST FORM 1 (cont.)
III. The ADP Coordinator associated with the billable accounts for your application and whether the ADP is to serve as an RSA. (Note: The RSA training is a requirement.)
PLEASE MARK Y=YES OR N=NO FOR RSA APPROVAL.
   User-ID    Name    RSA approval
   1.
This is one of two ALL-IN-1 Email forms required for a RACF decentralization request. APPROVAL FROM NDPD SECURITY IS REQUIRED FOR ALL RSA'S.
(NOTE: THE BILLABLE ACCOUNTS, NON-ACCOUNTS, AND USERS FOR YOUR APPLICATION WILL NEED TO BE COMPLETED ON ALL-IN-1 EMAIL FORM RACF_REQUEST_II TO COMPLETE THIS RACF REQUEST.)
If you have any questions, call Customer Support at 919-541-7862 or 1-800-344-2405.
Are you satisfied with the above information (Y/N)?
At III, enter the User-ID and other information. Use the TAB key to move around.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF_REQUEST_II
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 2
(NOTE: THE RSA'S AND ADP FOR YOUR APPLICATION, WHICH YOU COMPLETED ON ALL-IN-1 EMAIL RACF REQUEST I FORM, WILL BE SENT TO TSSMS WHEN APPROVED.)
I. The system acronym of your application registered in EPA's Information Systems Inventory (ISI). ______
(NOTE: SAME AS ENTRY ON ALL-IN-1 RACF_REQUEST_I FORM)
II. List all billable accounts that will be OWNED by your application; this includes all IBM accounts registered with TSSMS for your application.
NOTE: ALL BILLABLE ACCOUNTS ARE 4 CHARACTERS IN LENGTH.
At I, enter the ISI and press the TAB key.
At II, enter an account and press RETURN. If you have only one account, press TAB after you enter the account to move to section III. If you have more than one account, press RETURN between accounts to go to the next line. After you have all your accounts on the form, press TAB to move to section III.
RACF REQUEST FORM 2 (cont.)
III. List the non-account group (6-8 characters) that will be the OWNER of your application's User-IDs and a description (up to 50 characters) of what the non-account is for.
(NOTE: IF MORE THAN 1 ACCOUNT IS NEEDED PLEASE INCLUDE IN THIS LIST; HOWEVER, THE FIRST NON-ACCOUNT LISTED WILL BE THE OWNER OF ALL USER-IDS FOR YOUR APPLICATION.)
   Non-account    Description
At III, enter the account name and TAB to the Description field to enter the information there. Use the TAB key to move through this section.

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 2 (cont.)
IV. List all users (User-ID and lastname,firstname) that the application will be OWNER of.
   User-ID    Name
If you have any questions, call Customer Support at 919-541-7862 or 1-800-334-2405.
Are you satisfied with the above information (Y/N)?
At IV, enter the User-ID; then space over to the name field. (If you have more than one name, use the RETURN key to go to the next line. After all names have been entered, press TAB to move to the next question.)
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF_REQUEST_III
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 3
Complete this form to request one of the following updates. Your request will be sent to the TSSMS office for processing.
Select one of the following choices:
1 = Establishing a non-account
2 = Change non-account
3 = Delete non-account
4 = Change billable account
5 = Assign new User-ID OWNER
Choice:

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
Requester User-ID: ______  Name: ______  (check one) ADP: __  RSA: __
Establish a non-account group (6 to 8 characters); give a brief description (up to 50 characters) of what the non-account group is for and an OWNER for this account.
   Non-account    OWNER    Description
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with an X.
Enter the non-account and TAB to the Owner field.
Enter the owner information and TAB to the Description field.
Enter the Description information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
Requester User-ID: ______  Name: ______  (check one) ADP: __  RSA: __
Change non-account: ______  OWNER to: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with an X.
Enter the non-account group name and TAB to the Owner field.
Enter the owner information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
Requester User-ID: ______  Name: ______  (check one) ADP: __  RSA: __
Delete non-account: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with an X.
Enter the non-account name you want to delete and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
Requester User-ID: ______  Name: ______  (check one) ADP: __  RSA: __
Change billable account: ______  OWNER to: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with an X.
Enter the account name and TAB to the Owner field.
Enter the owner information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
Requester User-ID: ______  Name: ______  (check one) ADP: __  RSA: __
Assign new User-ID OWNER to: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with an X.
Enter the new owner's information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
EMAIL RACF FORMS (cont.)
RACF_REQUEST_IV
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 4
Application acronym: ______
Requester User-ID: ______  Name: ______  (check one) ADP: __  RSA: __
   User-ID    Name    Non-Account    RSA    ADD/DELETE
   1.
   2.
   3.
   4.
Are you satisfied with the above information (Y/N)?
Enter the Application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with an X.
Enter the User-ID and the name; then TAB to the Non-account field.
Enter the non-account; then enter a 'P' or 'N' in the RSA field ('P' for Primary and 'N' for Non-primary). Then enter 'A' for Add or 'D' for Delete in the Add/Delete field.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.

-------
Basic RACF

-------
What Is RACF?
RACF (Resource Access Control Facility) is an IBM program product that functions together with MVS to provide data security. This is accomplished by controlling access to computer resources and data.
Why Do We Use RACF?
To protect data from inadvertent or deliberate exposure to unauthorized access, modification, or destruction.
To manage facility and storage resources to maximize hardware resources (DASD, Silo, Tape) and performance.

-------
How Does RACF Protect Data Resources?
• Identifies a person/persons (i.e., users) who wish to access the system.
• Verifies the user's identity by password verification.
• Allows only authorized users to access protected resources.
• Authorizes user access to protected resources.
• Records and reports access attempts.
  - Successful.
  - Unsuccessful.

-------
How to Log On to the Operating System

-------
No matter what platform you come through, everyone will do the following to obtain access to the IBM host system...

-------

NETMAIN            Environmental Protection Agency            Date 01/17/91
                            Menu System                        Time 10:24:22
                                                               Terminal: H999999
                                                               Logmode: M2XXXXXX
Please enter selection or command and then press ENTER.
INFORMATION      News Alerts and User Memos
SYSTEM MENU      System Selection Menu
EMAIL            EPA Electronic Mail for 3270
APPLICATIONS     EPA Applications Menu
INTER-AGENCY     Inter-Agency Applications Menu
PUBLIC           Public Access Applications Menu
WARNING: The use of this computer is for official Government business only.
Unauthorized use of this computer is a criminal offense under Title 18
United States Code, Section 641, and may subject violators to a fine of
up to $10,000, or imprisonment of up to 10 years, or both.
Command ===> TSO
Optional Quick Logon - USERID ===> ABC
                       PASSWORD ===> xxxxxx
F1/F13=Help  F5/F17=Refresh  F12/F24=Cancel

At the COMMAND ===> line, type TSO.
TAB down to USERID ===> and type in your User-ID.
TAB to PASSWORD ===> and type in your password.
Press ENTER.
The system will process your logon request if all information is correct.

-------
RACF AUTHORITY AS AN RSA
• In order for an RSA to be able to administer to the needs of the application(s) for which he/she is responsible, the RSA will be granted GROUP SPECIAL.
• These authorities will be granted upon completion of training.

-------
Out to Lunch

-------
RACF Groups

-------
RACF PROFILE
What is a RACF profile?
Profiles are blocks within the RACF data base containing information needed by RACF to control access to resources and to identify users to protect resources.
The 4 basic profiles are...
• Group
• User
• Data sets on MVS
• General resource
  - TAPEVOL
  - SURROGAT
  - JESSPOOL

-------
RACF GROUP PROFILE
Field            Contents
NAME             Group name (xxxxxx): an account or a non-account
SUPERIOR GROUP   Group name
OWNER            Group owner
DATA             255-character string of information about this group
SUBGROUPS        Group names (xxxxxx)
USERS            User-IDs connected to this group

-------
UNDERSTANDING
GROUP HIERARCHY

-------
RACF TERMS
END-USER   Person needing access to data.
USER-ID    Means for identifying an end-user to the security system (RACF).
PASSWORD   Verifies the authenticity of a user to RACF.
GROUP      A specified unit of users who share similar security needs and are defined together for administrative convenience.

-------
EPA GROUP TYPES
ACCOUNT (logon/billable): 4-character account code (xxxx). Installation Data = A.
The only way a User-ID can log on to IBM.
The data set name must begin with the group (account) under which the data is created and processed. ALL application data should be in data sets at the group level.
EXAMPLE: The regional group name is AAAA. Therefore all data sets would look as follows:
AAAA.PROD.ICI
AAAA.LOADLIB

-------
NON-ACCOUNT: 6 to 8 character account code (xxxxxx). Installation data identifies it as a non-account.
Users cannot log on to the IBM system under these account codes.
Used for ownership and access authority.
NON-ACCOUNT OWNERSHIP:
xxxuser is the non-account that will own IDs for the application. No IDs will be connected to this group.
NON-ACCOUNT ACCESS:
Identifies the access that IDs connected to the Non-Account will have to data.

-------
TSSMS RESPONSIBILITY FOR GROUPS
• Adds all groups/subgroups to RACF.
  - ADPs request that Accounts (Groups) be added through the online registration system and that Non-Accounts (Groups) be added by TSSMS through an ALL-IN-1 request.
  - RSAs request new Accounts (Groups) through ADPs.
  - RSAs can request Non-Accounts (Groups) directly from TSSMS (through an ALL-IN-1 request).
• Deletes Groups upon receiving requests as specified above.

-------
RSA's RESPONSIBILITY FOR GROUPS
CONNECT (ADD)     User-IDs to an account (i.e., group) or non-account. (This will be covered more extensively when we discuss "User-IDs.")
REMOVE (DELETE)   User-IDs from an account or non-account. (This will be covered more extensively when we discuss "User-IDs.")
LISTGRP           Lists a group and all information about the group.

-------
LISTING A GROUP
RACF COMMAND: LISTGRP (group name)   (abbreviation: LG)
EXAMPLE: listgrp aaaa
Information for Group AAAA
Superior Group = SECADMIN   Owner = SECADMIN
Installation Data = Training group for EPA billable/logon
No model data set
TERMUACC
Subgroups = REDGRP1  REDGRP2
User(s)   Access =   Access Count =   UACC =
ABC       CREATE     00000            None
Connect Attributes = SPECIAL
Revoke Date = None
123       USE        00000            None
Connect Attributes = GRPACC
Revoke Date = None
Reference: RSA Guide pp. 45-46
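As an added example (not part of the training material or of EPA's tooling), the following Python parses LISTGRP output of the shape shown above and lists the connections an RSA would want to review: group-SPECIAL connect attributes, JOIN authority (which the material says is not used at EPA), and a connect UACC other than NONE. The sample text is transcribed from the AAAA example above; the field names and review rules are this example's own.

```python
"""Parse RACF LISTGRP output and flag group connections worth an RSA's review."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample LISTGRP output transcribed from the training example for group AAAA
# (constructed layout; values as shown in the example).
LISTGRP_SAMPLE = """\
Information for Group AAAA
Superior Group = SECADMIN   Owner = SECADMIN
Installation Data = Training group for EPA billable/logon
No model data set
TERMUACC
Subgroups = REDGRP1  REDGRP2
User(s)   Access =   Access Count =   UACC =
ABC       CREATE     00000            None
Connect Attributes = SPECIAL
Revoke Date = None
123       USE        00000            None
Connect Attributes = GRPACC
Revoke Date = None
"""

GROUP_AUTHORITIES = ("USE", "CREATE", "CONNECT", "JOIN")  # lowest to highest


@dataclass
class Connection:
    userid: str
    authority: str                 # group authority: USE, CREATE, CONNECT or JOIN
    access_count: str
    uacc: str
    attributes: List[str] = field(default_factory=list)  # e.g. SPECIAL, GRPACC
    revoke_date: Optional[str] = None


@dataclass
class Group:
    name: str
    superior: Optional[str] = None
    owner: Optional[str] = None
    installation_data: Optional[str] = None
    subgroups: List[str] = field(default_factory=list)
    connections: List[Connection] = field(default_factory=list)


# A connection line: userid, group authority, access count, universal access.
_CONN_RE = re.compile(r"^(\S+)\s+(USE|CREATE|CONNECT|JOIN)\s+(\d+)\s+(\S+)\s*$", re.I)


def parse_listgrp(text: str) -> Optional[Group]:
    """Parse one group's LISTGRP output (case-insensitive, whitespace-tolerant)."""
    group: Optional[Group] = None
    current: Optional[Connection] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"information for group (\S+)", line, re.I)
        if m:
            group = Group(name=m.group(1).upper())
            continue
        if group is None:
            continue
        m = re.match(r"superior group\s*=\s*(\S+)\s+owner\s*=\s*(\S+)", line, re.I)
        if m:
            group.superior, group.owner = m.group(1).upper(), m.group(2).upper()
            continue
        m = re.match(r"installation data\s*=\s*(.*)", line, re.I)
        if m:
            group.installation_data = m.group(1).strip()
            continue
        m = re.match(r"subgroups\s*=\s*(.*)", line, re.I)
        if m:
            group.subgroups = [s.upper() for s in m.group(1).split()]
            continue
        m = re.match(r"connect attributes\s*=\s*(.*)", line, re.I)
        if m and current is not None:
            current.attributes = [a.upper() for a in m.group(1).split() if a.upper() != "NONE"]
            continue
        m = re.match(r"revoke date\s*=\s*(\S+)", line, re.I)
        if m and current is not None:
            current.revoke_date = m.group(1).upper()
            continue
        m = _CONN_RE.match(line)
        if m:
            current = Connection(m.group(1).upper(), m.group(2).upper(), m.group(3), m.group(4).upper())
            group.connections.append(current)
    return group


def review_group(group: Group) -> List[str]:
    """Findings to check against the rules stated in the training material."""
    findings: List[str] = []
    for c in group.connections:
        if "SPECIAL" in c.attributes:
            findings.append(f"{c.userid}: group-SPECIAL on {group.name} "
                            "(reserved for trained RSAs and TSSMS)")
        if c.authority == "JOIN":
            findings.append(f"{c.userid}: JOIN authority on {group.name} (JOIN is not used at EPA)")
        if c.uacc != "NONE":
            findings.append(f"{c.userid}: connect UACC is {c.uacc}, expected NONE")
    return findings
```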

-------
SEARCH COMMAND PERTAINING TO GROUPS
RACF COMMANDS:
SEARCH CLASS(GROUP)
       FILTER(%%%xxxx)  [call Customer Support if you need to use this]
       MASK(groupname)
       CLIST (any executable RACF command)
EXAMPLE: Searching for Group Names
SEARCH CLASS(GROUP) MASK(P)
SEARCH CLASS(GROUP) MASK(P) CLIST('LISTGRP ' '')
Reference: RSA Guide pp. 67-70

-------
When using the CLIST parameter, RACF will automatically create the following data set:
uuuaaaa.EXEC.RACF.CLIST
Where: uuu is your User-ID and aaaa is your 4-character account code.
This data set can then be copied into a JCL member and submitted as a job that would create another data set listing the group information (see the LISTGRP example discussed previously).

-------
RACF USER-IDs

-------
	
RACF USER-ID PROFILE
RACF DATA BASE: USER PROFILE and GROUP PROFILE
Field             Example
USER-ID           ABC
OWNER             Group1
PASSWORD          ****
NAME              ABC USER (John Doe)
DEFAULT GROUP     AAAA
GROUP/AUTHORITY   AAAA/USE
DATA              255 characters of free-form text data to be associated with the User-ID.
Reference: RSA Guide pp. 24-28

-------
REQUESTING AND ADDING NEW USER-IDs
To add a new User-ID, the RSA will send a request to the ADP, who will assign a new ID by adding the user to an account in the NCC's registration system. (New User-IDs can also be established by the Account Manager.)
Once the User-ID has been input into the registration system, TSSMS will add the User-ID into the RACF data base.
ADPs or Account Managers will notify the RSA when the new ID is set up.
RSAs will claim ownership of the ID.
RSAs will do the following upon claiming ownership of the ID:

-------
RSA RESPONSIBILITY FOR NEW USER-ID
1. RSA will CONNECT the User-ID to the billable/logon group and assign group authority if necessary.
2. RSA will define a User-ID Data Set Profile to RACF in order to protect any user data sets.
3. RSA will define an ALIAS to the Master Catalog. This is a data management function.
4. RSA will set a temporary User-ID password.
5. RSA will notify the user of the new User-ID and temporary password.

-------
CONNECTING A USER-ID
•	When TSSMS sets up/adds the User-ID, the User-ID will be
connected to a holding pen account; the owner of the User-ID
is the Application that requested the User-ID.
•	The RSA will CONNECT the User-ID to the appropriate bill-
able account (group).
•	RACF COMMAND:
CONNECT uuuaaaa GROUP (group) AUTHORITY(USE)
Reference: RSA Guide pp. 41-44.
61

-------
GROUP AUTHORITIES
AUTHORITY LEVEL	POWER
USE	Enter the system under control of that group. Access data sets to which the group is authorized. Create RACF-protected user data sets. This is the default for most users.
CREATE	RACF-protect group data sets. Control access to them. Includes the privileges of USE group authority.
CONNECT	Connect users (who are already defined to RACF) to the group and assign USE, CREATE, or CONNECT group authority to users in the group. Includes the privileges of USE and CREATE group authorities.
JOIN	Define new users and groups to RACF. Assign any level of group authority to new users (including JOIN authority). To define new users, the user with JOIN authority must also have the CLAUTH user attribute for the USER class. When a user defines a new group, it becomes a subgroup of the group in which the user has JOIN authority. JOIN authority includes the privileges of USE, CREATE, and CONNECT authorities. (Not used at EPA)
62

-------
USER DATA SET PROFILE
RACF DATA BASE: USER-ID -> USER-ID DATA SET PROFILE; GROUP
NAME	OWNER	UACC	AUDIT	ACCESS LIST/AUTHORITY
UUUAAAA.*	USER-ID	NONE	ALL(FAILURES)	Groups that have access to the user's data
Command:
ADDSD 'uuuaaaa.*' OWNER(userid) UACC(NONE) GENERIC
* Owner of a user's data set will be the group if the data set is used for the application's production data.
63

-------
UNIVERSAL ACCESS AUTHORITY
All data set profiles will have a UACC assigned. UACC specifies
the authority anyone in the "Universe" has to the data protected
by the RACF profile. Access authorities are...
•	NONE	No access allowed. (Default)
•	EXECUTE	Allows execute access to a Program Library.
•	READ	Allows the data to be read. Rule to remember: if a user can read a data set, the user can also copy the data set.
•	UPDATE	Allows users to change/modify the data sets.
•	ALTER	Allows full authority to the data set, including read, write to, and delete.
Reference: RSA Guide pp. 19-20.
64

-------
DEFINING "ALIAS"
What is an ALIAS?
An ALIAS is an identifier/pointer that is put into the master catalog
telling the system that as data sets are created with this User-ID,
put all the data sets together in the same place.
[Figure: the MASTER CATALOG points to the DASD STRING (volumes) holding the DATA SETS FOR USER-ID uuuaaaa]
65

-------
DEFINING "ALIAS"
•	The ALIAS Command Processor will provide the application's
RSA with the means of adding or deleting ALIAS entries directly
to the master catalog by way of a transaction file.
•	RSA will issue the following command through ISPF
Option 6:
©ALIAS uuuaaaa,ADD
Where uuu is the User-ID and aaaa is the account.
Note: There is a delay in adding the ALIAS to the master catalog.
The RSA should periodically issue the following command
to see if the ALIAS is defined to the system:
LISTC ENT('uuuaaaa')
The system will show the entry when it is there.
Reference: RSA Guide, Appendix C, pp. 2-3.
66

-------
	
RSA's RESPONSIBILITY TO USER-ID
RSA will now have to modify the User-ID by setting a password.
This will be accomplished through RACF.
RACF Command:
ALTUSER userid
	AUTHORITY(group authority)
	DATA(installation data field)
	DFLTGRP(default group)
	PASSWORD(new password)	* This will be the primary function used when altering User-IDs.
	REVOKE
	RESUME
ALTUSER alters information contained in the RACF User-ID profile,
including the fields listed above.
Reference: RSA Guide, pp. 34-37.
67

-------
LISTING A USER-ID
RACF Command:
LISTUSER userid   (abbreviated LU)
USER=ABC NAME=DOE, JOHN OWNER=Group1 CREATED=83.315
DEFAULT GROUP=AAAA PASSDATE=93.078 PASS-INTERVAL= 90
ATTRIBUTES=GRPACC
REVOKE DATE=NONE	RESUME DATE=NONE
LAST ACCESS=93.110/13:11:21
CLASS AUTHORITY=TAPEVOL SURROGAT JESSPOOL
DATA=John Doe, Region 1, Phone 301 457-9999
NO-MODEL-NAME
LOGON ALLOWED (DAYS)	(TIME)
Any Days	Any time
(List of CONNECT groups)
Reference: RSA Guide, pp. 30-33.

-------
		
SEARCH COMMAND
PERTAINING TO USERS
RACF COMMAND:
SEARCH	CLASS (user)
Filter (%%%xxxx) [call Customer Support if
need to use]
MASK(uuu)
CLIST (any executable RACF command)
EXAMPLES: Searching for User-ID Names
SEARCH CLASS(USER) MASK(P)
SEARCH CLASS(USER) MASK(P) CLIST('LISTUSER ' ' ')
Reference: RSA Guide pp. 67-70
69

-------
Afternoon Break


-------
Data Set Profiles
70

-------
	
APPLICATION DATA SET PROFILES
RACF DATA BASE: USER-ID -> USER-ID DATA SET PROFILE; GROUP -> APPLICATION DATA SET PROFILE
NAME	OWNER	UACC	AUDIT	ACCESS LIST/ACCESS AUTHORITY
AAAA.*	ACCOUNT	NONE	ALL(FAILURES)	List of groups who need access to the application data. Access authority determined as needed.
Note: All application data will have at least one profile to protect its data (see above).
Reference: RSA Guide pp. 47-66.
71

-------
ADDING DATA SET PROFILES
RACF Command:
ADDSD profile-name
OWNER(group)
UACC(authority)
GENERIC
WARNING
EXAMPLE:
ADDSD 'aaaa.*' OWNER(aaaa) UACC(NONE) GENERIC WARNING
Notes:
•	Always add as "GENERIC".
•	Always turn "WARNING" on for a temporary period of time. This
allows you to build a proper access list to meet the application's
needs. As a matter of good security practice, it is not recommended
to leave it on for more than 30 days. With WARNING turned on, you
have no true protection.
72

-------
GRANTING ACCESS TO DATA SETS
After defining application or user data sets, users will need per-
mission to access the protected data. This is granted by having
group/users defined in the "data set profile access list."
RACF Command to give or deny access...
PERMIT Adds or deletes a group or User-ID in the data set
profile access list.
Examples:
PERMIT 'aaaa.*' GEN ID(group/userid) ACCESS(NONE | READ | UPDATE | ALTER)
PERMIT 'aaaa.*' GEN ID(group) DELETE
Note: Access Authority is exactly the same as Universal Access Authority.
Reference: RSA Guide pp. 59-62.
73

-------
EXAMPLES
Application Data Set Profiles
AAAA.*	Protects all data sets for the application if no other profile exists.
AAAA.TEST.*	Protects all data sets that match:
	AAAA.TEST.JCL
	AAAA.TEST.CLIST
	AAAA.TEST.CNTL.DAILY
AAAA.PROD.*	Protects all data sets that match:
	AAAA.PROD.JCL
	AAAA.PROD.CLIST
	AAAA.PROD.CNTL.WEEKLY
74

-------
DATA SET PROFILE EXERCISE
Match the data set with the RACF data set profile that best protects it.
Data Set	RACF Data Set Profile
ABCD.PROD.CNTL	DINABCD.*
DINABCD.TEST.JCL	ABCD.TEST.*
a urn in pimti	ABCD.PROD.*
ABCD.TEST.LOAD	ABCD.*
DINABCD.JCL.CLIST	DINABCD.TEST.*
ABCD.PROD.CLIST
75
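The exercise above, and the AAAA.* / AAAA.TEST.* examples before it, turn on how RACF picks the most specific generic data set profile for a data set name. The following Python is an added example, not part of the training material or of RACF itself: it implements that matching under the generic-naming rule the slides rely on (a trailing * qualifier covers one or more further qualifiers), and its closest-match ranking, the best_profile helper and the protectall_outcome helper are this example's own simplifications.

```python
"""Generic data set profile matching in the style of RACF (added example).

Not part of the EPA training material or of RACF itself.  It follows the
generic-naming rule the slides rely on (before enhanced generic naming): a
trailing '*' qualifier matches one or more further qualifiers, so AAAA.*
covers AAAA.X and AAAA.X.Y, and AAAA.TEST.* covers AAAA.TEST.CNTL.DAILY.
Within a qualifier, '*' matches any characters and '%' matches exactly one.
The "most specific profile wins" ranking is this example's simplification.
"""
import re
from typing import Iterable, Optional

WILDCARDS = "*%"


def _qualifier_pattern(qualifier: str) -> str:
    """Regex for one qualifier; wildcards never cross a '.' boundary."""
    parts = []
    for ch in qualifier:
        if ch == "%":
            parts.append("[^.]")
        elif ch == "*":
            parts.append("[^.]*")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def profile_matches(profile: str, dsname: str) -> bool:
    """True if the (generic or discrete) profile name covers dsname."""
    pq = profile.upper().split(".")
    dq = dsname.upper().split(".")
    if pq[-1] == "*":
        # Trailing '*' qualifier: at least one more qualifier must follow.
        pq = pq[:-1]
        if len(dq) <= len(pq):
            return False
        dq = dq[: len(pq)]
    if len(pq) != len(dq):
        return False
    return all(re.fullmatch(_qualifier_pattern(p), d) for p, d in zip(pq, dq))


def is_generic(profile: str) -> bool:
    return any(ch in profile for ch in WILDCARDS)


def _specificity(profile: str):
    """Ranking key: a discrete profile beats any generic one; among generics,
    more literal leading qualifiers win, then more literal characters.  This
    is a simplification of RACF's closest-match rule, enough to prefer
    AAAA.TEST.* over AAAA.* for AAAA.TEST.JCL."""
    literal_lead = 0
    for q in profile.upper().split("."):
        if any(ch in q for ch in WILDCARDS):
            break
        literal_lead += 1
    literal_chars = sum(1 for ch in profile if ch not in WILDCARDS + ".")
    return (0 if is_generic(profile) else 1, literal_lead, literal_chars)


def best_profile(dsname: str, profiles: Iterable[str]) -> Optional[str]:
    """The profile that would protect dsname, or None if it is unprotected."""
    candidates = [p for p in profiles if profile_matches(p, dsname)]
    if not candidates:
        return None
    return max(candidates, key=_specificity)


def protectall_outcome(dsname: str, profiles: Iterable[str], warn_mode: bool) -> str:
    """What PROTECTALL does with a request for dsname.  A protected data set is
    decided by its profile's access list; an unprotected one is let through
    with an ICH408I warning in WARN mode and rejected (the 913 hard failure
    on the slides) in FAIL mode."""
    if best_profile(dsname, profiles) is not None:
        return "CHECK-ACCESS-LIST"
    return "WARN-ICH408I" if warn_mode else "FAIL-913"


# Constructed input: the profiles and (legible) data sets from the exercise.
EXERCISE_PROFILES = ["DINABCD.*", "ABCD.TEST.*", "ABCD.PROD.*", "ABCD.*",
                     "DINABCD.TEST.*"]
EXERCISE_DATASETS = ["ABCD.PROD.CNTL", "DINABCD.TEST.JCL", "ABCD.TEST.LOAD",
                     "DINABCD.JCL.CLIST", "ABCD.PROD.CLIST"]


def solve_exercise() -> dict:
    """Map each exercise data set to the profile that best protects it."""
    return {ds: best_profile(ds, EXERCISE_PROFILES) for ds in EXERCISE_DATASETS}


if __name__ == "__main__":
    for ds, prof in solve_exercise().items():
        print(f"{ds:20} -> {prof}")
    print("XYZQ.PROD.DATA in WARN mode:",
          protectall_outcome("XYZQ.PROD.DATA", EXERCISE_PROFILES, warn_mode=True))
```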

-------
SEARCH COMMAND
PERTAINING TO DATA SETS
RACF COMMAND:
SEARCH
Filter (%%%xxxx) [call Customer Support if need to use]
MASK(userid or first 4 characters of application data set name)
CLIST (any executable RACF command)
EXAMPLES: Searching for Data Set Names
SEARCH MASK(P)
SEARCH MASK(P) CLIST('LISTDSD DA(' ')')
SEARCH NOMASK WARNING
Reference: RSA Guide pp. 67-70
76

-------
LIST A DATA SET PROFILE
RACF Command: LISTDSD DA('profile-name') GENERIC ALL
EXAMPLE: LD DA('AAAA.*') GENERIC ALL
Listed Information for AAAA.* (G)
LEVEL	OWNER	UNIVERSAL ACCESS	WARNING	ERASE
00	AAAA	NONE	YES	NO
AUDITING
FAILURES(READ)
NOTIFY
NO USER TO NOTIFY
YOUR ACCESS	CREATION GROUP	DATA SET TYPE
ALTER	AAAA	NON-VSAM
(ETC.)
ID	ACCESS
AAAAREAD	READ
AAAAUPD	UPDATE
AAAAALT	ALTER
Reference: RSA Guide pp. 64-66.

-------
PROTECTALL

-------
RACF PROTECTALL
Option is turned on at system level affecting the user community.
PROTECTALL activates PROTECTALL processing.
What does that mean to you and what effect does it have on you?
•	PROTECTALL tells RACF to reject any request to create or access
a data set that is not RACF protected. Another way of stating this
is to say that every data set (i.e., DASD, tape, Catalog, and GDG
base) must have a RACF data set profile defined to protect it or
all attempts to create or access the data set will fail.
•	Currently to aid you in accomplishing "decentralization,"
PROTECTALL has been turned on in WARNING mode.
79

-------
PROTECTALL Warning
With PROTECTALL in WARNING mode, the following occurs:
•	Users are able to access or create data sets that have no RACF
profile defined.
•	Umail messages are currently being generated and sent to the
owner of the data set with all the necessary information so that a
RACF data set profile can be built. It is recommended that upon
building a new RACF data set profile, this be added in WARN-
ING mode on a temporary basis. Thirty days is the recom-
mended period for WARNING to be turned on. Reports are
available through RACF to capture information concerning all
users accessing the data set. From this information, a proper ac-
cess list can be built.

80

-------
PROTECTALL Warning (Cont.)
Umail messages are being generated and sent to users who have
accessed data sets that have no RACF profile. As we have already
stated, another message has been sent to the "Owner" of the data.
Upon receiving the Umail message, the user should notify the
"owner" (would/could be the RSA if the owner is the account) so that the
user can be permitted access to the data via the access list.
Users and owners will also receive a message either in the JOB
Log or on the screen. This is an official RACF message:
ICH408I USER(user-id) GROUP(account/non-account) NAME(person's name)
ICH408I  (data set name) CL(DATASET) VOL(blank)
ICH408I  DEFINE - WARNING: RESOURCE NOT PROTECTED

81

-------
PROTECTALL Warning (Cont.)
• Had PROTECTALL not been in WARNING mode, instead of
ICH408I message, it would have been an ERROR 913-XX.
This would have been a hard-fail error message. User or
group would be denied access to all data protected by speci-
fied data set profile.

82

-------
Following are current messages that have
been officially published concerning
PROTECTALL

-------
*** TSO FOREGROUND HARDCOPY ****
SNAME=JUSD.NEWS (MEMO0845)
October 21, 1992
IMPLEMENTATION OF RACF PROTECTALL
Memo 845
On December 5, 1992, the NCC will begin a phased
implementation of RACF PROTECTALL. PROTECTALL will
require you to determine access requirements for your
datasets and to specify those access requirements in RACF
dataset profiles.
The implementation plan calls for an initial WARN mode
phase (effective December 5, 1992) followed by a final
FAIL mode phase on June 1, 1993. This plan provides for
a "grace" period during which you can plan for this
change to avoid any adverse effect on access to your
datasets.
Under PROTECTALL, the system will grant access to
datasets based on enforced RACF rules, as described
below.
Datasets Whose Name Begins with Your User-ID
•	You have full access to, and control over (create
and catalog, read, delete, update, rename),
datasets whose name begins with your User-ID. This
is true under WARN and FAIL modes, regardless of
whether or not you have created RACF dataset
profiles for your datasets. You have full RACF
authority to create and maintain RACF dataset
profiles for these datasets.
•	If you have created any RACF dataset profiles for
your datasets, access (read, update, delete,
rename) to them by others will continue to be
governed by the profiles you have created.
Index 2.1 Data Center Policy and Usage (DCPU)
- 1 -
• Access to your datasets which are not covered by a
RACF dataset profile will be as follows:
In WARN mode, other User-IDs may read, delete,
and update your datasets even though the User-ID
will get a RACF "913 INSUFFICIENT ACCESS"
message. The message will indicate the action
that was being attempted (read, update, alter -
delete, rename).
In FAIL mode, other User-IDs (including those
of NCC Customer Support) will get the RACF "913
INSUFFICIENT ACCESS" message and their access to
your datasets will be denied. The message will
indicate the action that was being attempted
(read, update, alter - delete, rename). You must
create a RACF dataset profile for the dataset(s)
in order to allow them to read, update, or
delete your datasets. For NCC Customer Support
to access your datasets, account JIDS must be
granted access in your RACF dataset profiles
prior to requesting assistance.
84

-------
*** TSO FOREGROUND HARDCOPY ****
SNAME=JUSD.NEWS	(ALERT2)
********************** NEWS ALERT ******************** 12/07/92
IMPLEMENTATION OF RACF PROTECTALL
On Saturday, December 5, 1992, the NCC began a phased
implementation of RACF PROTECTALL. PROTECTALL is a RACF feature that
automatically protects all customer data sets on both NCC IBM systems
with a default access of NONE. By default, you can only access your
own data and your group's data. For example, if your userid is III
and your account is AAAA, you are able to access data sets with a
first-level qualifier of "IIIAAAA" and "AAAA". All customer data
sets belonging to any other userid or group default to an access of
NONE unless a RACF profile is defined otherwise. PROTECTALL requires
you to determine access requirements for your data sets and to
specify those access requirements in RACF data set profiles. You are
able to add and/or change RACF profiles to allow data set access to
the appropriate userids and groups.
The implementation plan calls for an initial WARN mode phase
(effective December 5, 1992) followed by a final FAIL mode phase on
June 1, 1993. This plan provides for a "grace" period during which
you can plan for this change to avoid any adverse effect on access to
your data sets. During the WARN mode phase, if you access data sets
other than your own or your group's, you will receive warning
messages. You will need to work with the owner of the data sets
during this WARNing phase to establish the appropriate RACF profiles.
During the FAIL mode phase, if you access data sets other than your
own or your group's, RACF will REJECT your request by default. In
order to access or create the data, you now must contact the owner.
Under PROTECTALL, the system will grant access to data sets based
on enforced RACF rules. EPA customers may refer to customer memo
8845 for further information. From the initial NCC logon panel,
customers may select the information option #1 followed by selection
of option #2 for EPA Memos. Once the customer obtains a list of
available memos, individual or group memos may be selected for
browsing and/or printing. These memos are available online in data
set 'JUSD.NEWS(MEMO0845)' where 0845 is the memo number. In
addition to online viewing, NDPD customers may use the PRINTOFF
command under TSO to print a copy of any memo or news alert from the
JUSD.NEWS file.
For further information, contact Customer Technical Support
at (919) 541-7862 or toll free 1 (800) 334-2405.
2/07/92:06/01/93

-------
*** TSO FOREGROUND HARDCOPY ****
SNAME=JUSD.NEWS (ALERT15)
********************** NEWS ALERT ******************** 02/1
UMAIL FOR RACF PROTECTALL VIOLATIONS
RACF PROTECTALL has been implemented in WARN mode since
December 5, 1992. Since then, RACF warning messages have been
issued at your terminal or in your job log if an attempt to
access a data set has violated RACF PROTECTALL restrictions (see
News Alert 2 and EPA Memo 845 for information about PROTECTALL).
Beginning Tuesday, February 16, 1993, customers will also be
notified of RACF PROTECTALL warnings with a UMAIL message. Both
the owner of the data set and the person accessing the data set
will be notified.
Customers requiring data set access should work with the data
set owner to establish the appropriate RACF profiles as soon as
possible. When RACF PROTECTALL is implemented in FAIL mode,
scheduled for implementation on June 1, 1993, RACF will reject your
request for access to these same data sets unless RACF profiles
have been established. Customers are advised to address this issue
immediately to ensure minimal work disruption once PROTECTALL FAIL
mode is in effect.
For further information or assistance, contact Customer
Technical Support at (919) 541-7862 or toll free 1 (800)
334-2405.
2/12/93:06/01/93

-------
Mailbox item display
Command ===>
Message-ID: <"93-03-13-09:38:28.75*PTQ"@NCCIBM1.BITNET>
Date: Sat, 13 Mar 93 09:38 EST
To:	EXC@NCCIBM1.BITNET
From: PTQ@NCCIBM1.BITNET
Subject: TECHNICAL SUPPORT USERIDS IN RACF UMAILS
Customers who have received UMAIL messages concerning RACF Protectall warnings
may have noticed unfamiliar userids containing a number in the third position,
such as DM1, DM2, OP1, and CN1 in the accessing userid list. The NCC would
like to clarify that these userids are used in the management of the
National Computer Center resources and are not an attempt by an individual to
access your data sets. For example userid DM1 is used by the Data Management
department to back up your data sets. Please note that if you do not create a
profile, Data management will not be able to back up your data sets once RACF
Protectall is in FAIL mode.
The NCC appreciates your co-operation in responding to the need to build the
appropriate RACF profiles for your data as required by the implementation of
RACF Protectall in FAIL mode. PLEASE NOTE: Once you create a RACF profile for
your data sets you will no longer receive the warning UMAIL messages.
Please continue to direct all questions regarding the RACF UMAILS to Customer
Support at 919-541-7862 or 1-800-334-2405.
******************************* Bottom Of Data ********************************
Line 9 of 29
SCROLL ==> PAGE
87

-------
Mailbox item display
Command ===>
Date: Wed, 03 Mar 93 07:55 EST
To:	FLM@NCCIBM1.BITNET
From: PTQ@NCCIBM1.BITNET
Subject: PROTECTALL ERRORS (ACCT MANAGER)
This UMAIL lists datasets under your account that do not have a RACF profile.
After June 1 1993 none of the users/accounts listed below will be able to access
these datasets.
Please review the News Alert concerning RACF protectall implementation for
further information or call Customer Support at 919-541-7862 or 800-334-2405.
ACCESSING	ACCESSING	DATASET
USERID	GROUP	NAME
USER VMH	GROUP PLAB	SSBCNAD.NAME.ADD.IS
******************************* Bottom Of Data ********************************
Line 10 of 23
SCROLL ==> PAGE
88

-------
Command ===>
Mailbox item display
Line 7 of 48
SCROLL ==> PAGE
Text of forwarded message
Message-ID: <"93-03-13-09:25:13.34*PTQ"@NCCIBM1.BITNET>
Date: Sat, 13 Mar 93 09:25 EST
To:	EXC@NCCIBM1.BITNET
From: PTQ@NCCIBM1.BITNET
Subject: RACF PROTECTALL ERRORS
You are accessing datasets that do not have a RACF profile. After June 1 1993
you will not be able to access these datasets unless a profile is created by
the dataset owner.
Please review the News Alert concerning implementation of RACF protectall for
further information or call Customer Support at 919-541-7862 or 800-334-2405.
LIST OF DATASETS BEING ACCESSED BY EXC
ACWAIR1.PPREPT.G0458V00
BFRAIR4.PPREPT.G0189V00
CTORX93.PPREPT.G0248V00
CTORX93.PPREPT.G0255V00
DOZYNVA.PPREPT.G0034V00
DOZYNVA.PPREPT.G0041V00
FEVYNMA.PPREPT.G0173V00
89

-------
Command ===>
Mailbox item display
Line 7 of 22
SCROLL ==> PAGE
Text of forwarded message
Message-ID: <"93-03-13-09:22:15.39*PTQ"@NCCIBM1.BITNET>
Date: Sat, 13 Mar 93 09:22 EST
To:	EXC@NCCIBM1.BITNET
From: PTQ@NCCIBM1.BITNET
Subject: RACF PROTECTALL ERRORS
You have datasets that do not have a RACF profile. After June 1 1993 none of
the userids listed below will be able to access these datasets.
Please review the News Alert concerning RACF protectall implementation for
further information or call Customer Support at 919-541-7862 or 800-334-2405.
ACCESSING	ACCESSING	DATASET
USERID	GROUP	NAME
LCJ	SEIS	EXCAIRA.UPDATE.JAN93
******************************* Bottom Of Data ********************************
90
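The PROTECTALL warning period exists so that a proper access list can be built from the ICH408I warnings and the UMAIL "PROTECTALL ERRORS" reports shown above. The following Python is an added example, not part of the training material or of any NCC tooling: it reads constructed messages in the shape of those reports and drafts the ADDSD/PERMIT commands for the RSA to review; the owner rule for the high-level qualifier, the READ default and the flagging of service IDs are this example's assumptions.

```python
"""Draft an access list from PROTECTALL WARN-mode evidence (added example).

Not part of the EPA training material or of RACF.  It parses two constructed
inputs modelled on the slides and UMAIL messages above: ICH408I warning
messages and the UMAIL "PROTECTALL ERRORS" report rows (ACCESSING USERID,
GROUP, DATASET NAME).  Accessors are grouped by the data set's high-level
qualifier and turned into draft ADDSD/PERMIT commands for the RSA to review.
Assumptions: access is drafted as READ and raised by the owner where the
attempted action was update or alter; a seven-character qualifier is treated
as uuuaaaa (User-ID plus account) and owned by the User-ID, anything else as
an account owned by itself; userids with a digit in the third position
(DM1, OP1, CN1) are flagged as NCC service IDs rather than dropped, since
backups stop when they lose access in FAIL mode.
"""
import re
from collections import defaultdict

DSN = r"[A-Z0-9@#$]{1,8}(?:\.[A-Z0-9@#$]{1,8})+"
ICH408I_USER = re.compile(r"ICH408I\s+USER\s*\((\w+)\)\s+GROUP\s*\((\w+)\)")
ICH408I_DSN = re.compile(r"ICH408I\s+(" + DSN + r")\s+CL\s*\(\s*DATASET\s*\)")
UMAIL_ROW = re.compile(r"^(?:USER\s+)?(\w{1,8})\s+(?:GROUP\s+)?(\w{1,8})\s+(" + DSN + r")\s*$")
SERVICE_ID = re.compile(r"^[A-Z]{2}\d$")  # DM1, OP1, CN1 style NCC userids


def parse_warnings(lines):
    """Yield (userid, group, dsname) triples from mixed ICH408I/UMAIL text."""
    pending = None  # (userid, group) from an ICH408I header awaiting its data set line
    for raw in lines:
        line = raw.strip().upper()
        m = ICH408I_USER.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = ICH408I_DSN.search(line)
        if m and pending:
            yield pending[0], pending[1], m.group(1)
            pending = None
            continue
        m = UMAIL_ROW.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def owner_for(hlq):
    """uuuaaaa.* is owned by the User-ID uuu; AAAA.* by the account itself."""
    return hlq[:3] if len(hlq) == 7 else hlq


def draft_access_list(lines):
    """Group accessors by high-level qualifier: {hlq: {groups, service_ids, datasets}}."""
    by_hlq = defaultdict(lambda: {"groups": set(), "service_ids": set(), "datasets": set()})
    for userid, group, dsname in parse_warnings(lines):
        entry = by_hlq[dsname.split(".")[0]]
        entry["datasets"].add(dsname)
        if SERVICE_ID.match(userid):
            entry["service_ids"].add(userid)
        else:
            entry["groups"].add(group)  # permit the group, not the individual
    return dict(by_hlq)


def draft_commands(lines, default_access="READ"):
    """Return (commands, notes): RACF commands to review, and items to confirm."""
    commands, notes = [], []
    for hlq, entry in sorted(draft_access_list(lines).items()):
        profile = f"'{hlq}.*'"
        # New profiles go in with WARNING first, as the slides recommend.
        commands.append(f"ADDSD {profile} OWNER({owner_for(hlq)}) UACC(NONE) GENERIC WARNING")
        for group in sorted(entry["groups"]):
            commands.append(f"PERMIT {profile} GEN ID({group}) ACCESS({default_access})")
        for sid in sorted(entry["service_ids"]):
            commands.append(f"PERMIT {profile} GEN ID({sid}) ACCESS({default_access})")
            notes.append(f"{sid} on {profile} looks like an NCC service ID; "
                         "confirm its role with Customer Support before relying on it")
    return commands, notes


# Constructed sample input in the shape of the slides' ICH408I message and the
# UMAIL report rows; userids, groups and data set names are illustrative.
SAMPLE_LINES = """\
ICH408I USER(VMH) GROUP(PLAB) NAME(JANE DOE)
ICH408I  SSBCNAD.NAME.ADD.IS CL(DATASET) VOL(      )
ICH408I  DEFINE - WARNING: RESOURCE NOT PROTECTED
ACCESSING ACCESSING DATASET
USERID    GROUP     NAME
USER VMH GROUP PLAB  SSBCNAD.NAME.ADD.IS
LCJ       SEIS      EXCAIRA.UPDATE.JAN93
DM1       NCC1      EXCAIRA.UPDATE.JAN93
""".splitlines()

if __name__ == "__main__":
    cmds, todo = draft_commands(SAMPLE_LINES)
    print("\n".join(cmds))
    print("\n".join(todo))
```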

-------
RSA Class Authorization Attributes

91

-------
RESOURCE CLASSES
At EPA, every User-ID added to RACF is assigned three General
Resource Class authority attributes:
•	TAPEVOL
•	SURROGAT
•	JESSPOOL
92

-------
DEFINING RESOURCE PROTECTION
Resource classes are defined differently from data sets.
•	RDEFINE	Adds a resource profile.
•	RALTER	Alters a resource profile.
•	RDELETE	Deletes a resource profile.
•	PERMIT	Adds/deletes access to a resource profile.
Reference: RSA Guide p. 72.
93

-------
Protecting Data on Tapes
Through RACF

-------

TAPEVOL
What is TAPEVOL?
TAPEVOL is a resource class within RACF that is used to protect
data residing on tapes.
What does this mean to the application?
•	Only tape volumes can be protected.
•	Individual data sets residing on a tape cannot be pro-
tected at the data set level at EPA at this time.
• Protecting the tape volume will apply to all data sets on
the tape.
Reference: RSA Guide pp. 72-81.
95

-------
ADDING A TAPEVOL
RESOURCE PROFILE
RACF Command:
RDEF TAPEVOL 999999 OWNER(group) UACC(NONE)
AUDIT(FAILURES(READ))
Notes:
999999 is the profile name.
OWNER is the group that you want to own and control the
tape volume's protection.
UACC is defined and means exactly the same as it does in a
User-ID data set profile or an application data set profile.

96

-------
PERMITTING ACCESS TO TAPEVOL
RESOURCE PROFILE
RACF Command:
PERMIT 999999 CLASS(TAPEVOL) ID(group) ACCESS(NONE | READ | UPDATE | ALTER)
Note: The difference between this PERMIT and the PERMIT for
a data set profile is in the syntax. For a resource class pro-
file, the class name is given in CLASS( ).
999999 is the profile-name.
97

-------
LISTING TAPEVOL
-------
SURROGAT Resource Class
99

-------
SURROGAT
What is SURROGAT?
SURROGAT is a resource class within RACF that allows other
individuals to execute batch jobs for you under your User-ID.
Why would you want to do this?
•	Good security practices are to never share your User-ID and
password with another.
•	If you had to be away from work (i.e., vacation, sick leave,
etc.) and you are responsible for running production material
for your application, you could use the SURROGAT class
profile. You can delegate your authority for the jobs to run
without sharing your User-ID and password.
•	Production continues.
Reference: RSA Guide pp. 82-92.

-------
ADDING A SURROGAT
RESOURCE PROFILE
RACF Command:
RDEF SURROGAT userid.SUBMIT OWNER(group) UACC(NONE)
Where userid is your User-ID.
Notes: Profile-name is always userid.SUBMIT.
UACC is always NONE.
101

-------
PERMITTING ACCESS TO
SURROGAT PROFILE
RACF Command:
PERMIT userid.SUBMIT CLASS(SURROGAT) ID(userid)
ACCESS (READ)
Note: userid.SUBMIT is your User-ID.
ID(userid) is the User-ID of the person who will be sub-
mitting for you.
102

-------
	
REMOVING ACCESS
TO SURROGAT PROFILE
RACF Command:
PERMIT userid.SUBMIT CLASS(SURROGAT) ID(userid) DELETE
Note: • When you no longer need another user to submit
jobs for you, immediately remove them from your
SURROGAT profile.
• You do not have to delete the SURROGAT profile.
There could be other times when someone will need
to submit jobs for you.
103

-------
LISTING A SURROGAT PROFILE
RACF Command: RLIST SURROGAT userid.SUBMIT ALL
Class	Name
SURROGAT userid.SUBMIT
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
00	userid	NONE	ALTER	NO
INSTALLATION DATA
NONE
APPLICATION DATA
NONE
AUDITING
FAILURES(READ)
ID	ACCESS
userid	READ
Note: Restrict searches and lists of large groups to non-produc-
tion hours.
104

-------
Protecting Data in Your Computer Jobs
105

-------
JESSPOOL Resource Class

106

-------
JESSPOOL
What is JESSPOOL?
JESSPOOL is a resource class within RACF that allows for the
control of access to job data sets on the input/output (JES) spool.
Why would you want to do this?
•	Jobs waiting in the queues to be printed can be accessed
and viewed by anyone on the system.
•	If your job contains data that you want to protect.
Reference: RSA Guide pp. 93-94.
107

-------
DEFINING JESSPOOL
RESOURCE PROFILE
RACF Command:
RDEF JESSPOOL profile-name UACC(NONE)
Profile-name is a six-part name with the following format:
localnodid.userid.jobname.jobid.dsnumber.name
localnodid	&RACLNDE. The system will place the appropriate local node ID in this variable for you.
userid	Your User-ID.
jobname	The name of the job whose output you want to protect.
jobid	The jobid assigned by the system (JES) at the time your job is submitted.
dsnumber	Assigned by the system (JES) at the time of execution.
name	The name associated with the DSN parameter in your JCL.
Reference: RSA Guide pp. 93-94.
108

-------
DEFINING JESSPOOL
RESOURCE PROFILE
RACF Command:
RDEF JESSPOOL &RACLNDE.USERID.*
Notes:
•	This is all that will be necessary for you to define.
•	This resource profile will protect all your jobs on the
spool.

109

-------
PERMITTING ACCESS TO
JESSPOOL PROFILE
RACF Command:
PERMIT &RACLNDE.userid.* CLASS(JESSPOOL) ID(userid or group)
ACCESS(READ)
Notes:
As with TAPEVOL and SURROGAT resource class profiles, the
access permitted need only be READ.
110

-------
LISTING JESSPOOL PROFILE
RACF Command:
RLIST JESSPOOL &RACLNDE.userid.* ALL
Class	Name	UNIVERSAL ACCESS YOUR ACCESS WARNING
JESSPOOL	&RACLNDE.USERID.*	NONE	ALTER	NO
INSTALLATION DATA
NONE
APPLICATION DATA
NONE
AUDITING
FAILURES(READ)
ID	ACCESS
uuu	READ
AAAA	READ

111

-------
Deletion for:
Data Sets
Data Set & Resource Profiles
User-IDs
Groups
112

-------


RSA's RESPONSIBILITY
FOR DELETION
1.	Deletes or renames all data associated with a User-ID or group being deleted. This is inclusive of all data residing either on DASD or tape. Tapes owned by a user must be reassigned or released before the ID is removed from the account.
2.	Deletes RACF profiles including user data set profiles, TAPEVOL profiles, SURROGAT profiles, and JESSPOOL profiles.
3.	Removes User-ID or group from all profiles that they are permitted access to.
4.	Removes User-IDs from accounts and non-account groups.
5.	Deletes the ALIAS for User-IDs removed from the account.
6.	Notifies the ADP Coordinators, Account Managers, users, and RSAs affected by any of these actions.
7.	Requests, through ALL-IN-1, the deletion of the non-account.

113

-------

"N
DELETION OF DATA
RSAs will need a listing of online data sets and tapes associated with a User-ID/
account combination in order to delete all data for a User-ID. The RSAs can execute
the following CLISTs to obtain this information.
•	From ISPF Option 6...
	EX 'JMAS.UACCT.CLIST(userlist)'	[For User-IDs]
	EX 'JMAS.UACCT.CLIST(ACCTLIST)'	[For groups]
•	The CLIST userlist will prompt you for the User-ID, User-ID account to be
removed, and your bin number.
•	The CLIST ACCTLIST will prompt you for the account to be removed and
your bin number.
•	Both CLISTs will submit a job under your User-ID for viewing online by way
of ISPF option E.S.
From the information obtained from the CLIST, the RSA can use the following com-
mands to delete or rename data.

114

-------
DELETION COMMANDS
Deletion of data is a Data Management function through ISPF 3.4.

DATA SET LIST UTILITY
OPTION ===>
	blank - Display data set list	P  - Print data set
	V     - Display VTOC information only	PV - Print VTOC information only
Enter one or both of the parameters below:
	DSNAME LEVEL ===>
	VOLUME       ===>
INITIAL DISPLAY VIEW	===> VOLUME	(VOLUME, SPACE, ATTRIB, TOTAL)
CONFIRM DELETE REQUEST	===> YES	(YES or NO)
The following line commands will be available when the list is displayed:
	B - Browse data set	C - Catalog data set	F - Free unused space
	E - Edit data set	U - Uncatalog data set	= - Repeat last command
	D - Delete data set	P - Print data set	TSO cmd, CLIST or REXX exec
	R - Rename data set	X - Print index listing
	I - Data set information	M - Display member list
	S - Information (short)	Z - Compress data set

Where DSNAME LEVEL ===> uuuaaaa [For User-ID] or AAAA [For group].
This will then take you to the next screen.
115

-------
DELETION COMMANDS (Cont.)

DSLIST - DATA SETS BEGINNING WITH	ROW 1 of 22
COMMAND ===>	SCROLL ===> PAGE
COMMAND	NAME	MESSAGE	VOLUME
D	uuuaaaa.AFP.PROFIES		OVH012
D	uuuaaaa.APPENDIX.UCSGT12		OVH012
D	uuuaaaa.AS400.CPF		OVH014
D	uuuaaaa.JONES.CKLST1		OVH014
D	uuuaaaa.CLIST		OVH005
D	uuuaaaa.CNTL		OVH017
To do the actual deletion, all you have to do is type a 'D' under the command field
on each line.
116

-------
	
DELETION OF PROFILES
•	Search and create a data set of all User-ID data set profiles. As soon as the
search command has completed, execute the CLIST. This will delete all the
profiles found.
SEARCH MASK(uuuaaaa) CLIST('DELDSD ' ' GEN')
EX EXEC.RACF.CLIST
•	Search and create a data set of all account data set profiles. As soon as the
search command has completed, execute the CLIST. This will delete all the
profiles found.
SEARCH MASK(AAAA) CLIST('DELDSD ' ' GEN')
EX EXEC.RACF.CLIST
•	For TAPEVOL, SURROGAT, and JESSPOOL, do the search and execute. General
resource profiles are deleted with RDELETE rather than DELDSD.
SEARCH MASK(TAPE9) CLASS(TAPEVOL) CLIST('RDELETE TAPEVOL ' ' ')
EX EXEC.RACF.CLIST
SEARCH MASK(userid.SUBMIT) CLASS(SURROGAT) CLIST('RDELETE SURROGAT ' ' ')
EX EXEC.RACF.CLIST
SEARCH MASK(&RACLNDE.userid) CLASS(JESSPOOL) CLIST('RDELETE JESSPOOL ' ' ')
EX EXEC.RACF.CLIST
117

-------
	
REMOVE USER OR GROUPS
FROM ACCESS
In order to find where a User-ID is connected to groups or where
a User-ID and/or group is permitted access to data, RACF pro-
vides a utility that can be run as a job to obtain this information.
RACF UTILITY = IRRUT100 (Cross Reference Utility)
Code the following into JCL:
//XREF     JOB
//STEP     EXEC PGM=IRRUT100
//SYSUT1   DD   UNIT=SYSDA,SPACE=(TRK,(5,1))
//SYSPRINT DD   SYSOUT=A
//SYSIN    DD   *
USERID
GROUP
/END
Note: Do not run this job during normal production hours.
118

-------
REMOVE USER-ID
FROM CONNECTED GROUPS
Command:
LISTUSER userid
From this listing, you will be able to determine to which groups
the User-ID is connected.
Command:
REMOVE userid GROUP(groupname)

119

-------
REMOVE USER OR GROUP
FROM PROFILE ACCESS
Command:
PERMIT 'profile-name' GEN ID(group or userid) DELETE
120

-------
	
DELETE ALIAS
After all resources are removed and the User-ID has been re-
moved from the account group, the RSA needs to delete the
ALIAS from the master catalog.
From ISPF Option 6, type:
©ALIAS uuuaaaa,DELETE [For users]
121

-------
		
NOTIFICATION TO TSSMS
RSA notifies ADP that the account revoked on the online regis-
tration has been cleaned up. At that time the ADP can mark the
account for deletion in the TSSMS registration system.
122

-------
If at any stage, RSAs have any prob-
lems, they should contact Customer
Support.
1-919-541-7862
1-800-334-2405

123

-------
GLOSSARY
EPA TERMS
RACF TERMS
RACF COMMANDS

-------
EPA TERMS
ADP COORDINATOR - Automatic Data Processing
Coordinator
ACCOUNT MANAGER - Manager of the application or
account.
RSA - RACF Security Administrator for the application.
TSSMS - Time Sharing Services Management System.
ACCOUNT - billable/logon 4 character code (xxxx)
installation data = a
Only way a userid can logon to IBM.
NON-ACCOUNT - 6 to 8 character code (xxxxxx)
installation data identifies it as a non-account
User cannot logon to the IBM using a non-account
Used for ownership and access authority
NON-ACCOUNT OWNERSHIP - xxxuser is the non-account
that will own IDs for the application. No Ids will
be connected to this group.
NON-ACCOUNT ACCESS - identifies the access the Ids
connected to the Non-account will have to resources.

-------
RACF TERMS
ACCESS - the ability to obtain the use of a protected
resource.
ACCESS AUTHORITY - an authority that relates to a request
for a type of access to protected resources. Authorities are
NONE, READ, EXECUTE, UPDATE, & ALTER
ACCESS LIST - a list within a resource profile that displays a
userid or group with their defined access authority.
ALIAS - an identifier/pointer in the Master Catalog telling the
system where user data is located and where it will reside.
ATTRIBUTE - the extraordinary privileges, restrictions, and
processing environments assigned to a user. User attributes
are: SPECIAL, AUDITOR, and OPERATIONS.
AUTHORITY - the right to access resources.
CENTRALIZED - one person/group administrating security
for the whole EPA environment. One person/group having
total control for the entire RACF environment. Inclusive of
complete ownership of your data.
DATA SECURITY - the protection of data from unauthorized
disclosure, modification, and/or destruction, whether
accidental or intentional.
DATA SET PROFILE - a profile that provides RACF
protection of one or more data sets.

-------
DECENTRALIZED - the delegation to local (group)
administrators for the purpose of controlling access and/or
protection of their data.
DEFAULT GROUP - the group specified in a user profile
that is the default current connect group.
GENERAL RESOURCE - any system resource, other than an
MVS data set, defined in the Class Description Table (CDT).
In MVS, general resources include TAPEVOL,
SURROGAT, and JESSPOOL.
GENERAL RESOURCE PROFILE - a profile that provides
RACF protection for one or more general resources. The
information in the profile may include profile name, owner,
UACC, and access list.
GENERIC PROFILE - a resource profile, including MVS
data set profiles, that can provide RACF protection for one or
more resources. Resources protected by a generic profile
have similar names and identical security requirements.
Protects one or more data sets.
GROUP - a collection of RACF defined users who share
similar security needs and are defined together for
administrative convenience.
GROUP AUTHORITY - an authority that describes which
functions a user can perform in a group. Authorities the users
will be given are USE and CREATE.
GROUP DATA SET - a RACF protected data set in which

-------
the high-level qualifier of the data set name is a RACF
group name.
GROUP PROFILE - a profile that defines a group. The
information in the profile includes the group name, owner,
and users of the group.
GROUP-RELATED USER ATTRIBUTE - a user attribute
assigned at the group level that allows the user to control the
resource, group, and user profiles associated with the group
and its subgroups. Group attributes are GROUP-SPECIAL,
GROUP-AUDITOR, and GROUP-OPERATIONS.
MVS - Multiple Virtual Storage.
OWNER - the user or group who creates a profile or is
named the owner of a profile. The owner can modify, list, or
delete the profile.
PASSWORD - in computer security, a string of characters
known to the computer system and an end user. Must be
specified to gain full or limited access to the system and to the
data stored in the system. In RACF, the password is used to
verify the identity of the user.
PROFILE - block of data that describes the significant
characteristics of a user, a group of users, or a computer
resource (i.e., data set, TAPEVOL, SURROGAT,
JESSPOOL).
PROTECTED RESOURCE - a resource that is defined to
RACF for the purpose of controlling access to the resource.

-------
RACF - Resource Access Control Facility
RACF DATA BASE - a collection of interrelated or
independent data items stored together without unnecessary
redundancy.
RESOURCE GROUP PROFILE - a general resource profile
in a resource group class.
RESOURCE PROFILE - a profile that provides RACF
protection for one or more resources. USER and GROUP
profiles are NOT resource profiles.
STANDARD ACCESS LIST - a list within a profile of all
authorized users and their access authorities, (NONE, READ,
UPDATE, & ALTER).
UACC - Universal ACCess authority - the default access
authority to which all users or groups have to a resource.
USER - a person who requires access to data on a computer
system.
USER DATA SET - a data set defined to RACF in which the
high level qualifier of the data set name is the user ID and the
account combined.
USER IDENTIFICATION and VERIFICATION - the act of
identifying and verifying a RACF defined user to the system
during logon and batch job processing. RACF identifies the
user by the user ID and verifies the user by the password.

-------
USER PROFILE - a description of a RACF defined user that
includes the user ID, user name, default group, password,
owner, user attributes, and other pertinent information.
USER ID - a string of characters that uniquely identifies a
user to the system. A means for identifying an end-user to
the security system (RACF).

-------
RACF COMMANDS
ADDSD - defines a new data set profile to RACF
ADDUSER - defines a new user to RACF and establishes the
user's relationship to an existing RACF defined group.
ALTUSER - alters information in a user profile.
CONNECT - connects a user to a group.
DELDSD - deletes a data set profile.
LISTDSD - lists a data set profile.
LISTGRP - lists a group profile.
LISTUSER - lists a user profile.
PASSWORD - allows a user to change their password; resets
a password.
PERMIT - adds or deletes userids/groups from a resource
access list.
RALTER - alters a general resource profile.
RDEFINE - defines a general resource profile.
RDELETE - deletes a general resource profile.

-------
REMOVE - removes a user from a group.
RLIST - lists a general resource profile.
SEARCH - searches and displays a list of RACF profiles,
users, or groups.
MISCELLANEOUS COMMANDS
LISTC - list catalog entry within the Master catalog. Used to
determine if an alias exists.

-------


-------
United States	Office of Administration	462/001C
Environmental Protection	and Resources Management	November 2,1992
Agency	National Data Processing Division
Research Triangle Park, NC 27711
EPA Application RACF
Security Administrator's
Guide

-------
APPLICATION RACF
SECURITY ADMINISTRATOR'S GUIDE
September 1991
Revised
April 20, 1992
Revised
November 2, 1992
Contract No. 68-01-7437
U.S. ENVIRONMENTAL PROTECTION AGENCY
NATIONAL DATA PROCESSING DIVISION
RESEARCH TRIANGLE PARK, NORTH CAROLINA

-------
Table of Contents
1.0	INTRODUCTION 	1
2.0	INFORMATION SECURITY MANAGEMENT CONCEPTS	2
3.0	INFORMATION SECURITY STANDARDS	3
3.1	Application vs. Personal Datasets	3
3.2	Dataset Naming Standards 	3
3.3	Data Protection and Access Standards 	3
3.4	RACF Privileges 	5
4.0	RACF AND ITS FUNCTIONS 	6
5.0	RACF ADMINISTRATIVE DOMAINS	8
5.1	Domain Based on Resource Ownership by a User-ID	10
5.2	Domain Based on the RACF Group-SPECIAL Privilege	11
5.3	Creating a Sub-Domain 	12
6.0	USING RACF GROUPS FOR ACCESS TO RACF-PROTECTED DATASETS 15
7.0	TSSMS AND CUSTOMER SUPPORT 	16
7.1	TSSMS	16
7.2	Customer Support	16
8.0	APPLICATION RACF SECURITY ADMINISTRATOR (RSA)
RESPONSIBILITIES	17
9.0	USING RACF COMMANDS 	19
iii

-------
10.0	USER-ID ADMINISTRATION 	24
10.1	RACF User-ID Segments and Fields	24
10.1.1	TSO Segment 	24
10.1.2	General RACF Segment Fields	24
10.1.3	Fields Related to User-ID RACF Capabilities	25
10.1.4	Fields Related to User-ID Control	27
10.2	Listing a User-ID	28
10.3	Changing a User-ID 	34
10.4	Revoking a User-ID 	38
10.5	RACF Considerations When Deleting a User-ID	40
10.6	Data Considerations When Deleting a User-ID	41
10.7	Connecting a User-ID to a RACF Group
or Changing a User-ID's Connect Attributes	41
10.8	Removing a User-ID from a RACF Group 	43
11.0	RACF GROUPS 	45
11.1	Group Types	45
11.2	Listing a Group	45
12.0	PROTECTION OF APPLICATION DATASETS AND OTHER RESOURCES . 47
12.1	Identification and Standards	47
12.2	Determining Access to Protected Application Datasets 	48
12.3	Protecting a Dataset Through RACF	49
12.4	Protecting Tapes Through RACF 	72
13.0 DEFINING A SURROGATE USER-ID	82
14.0 PROTECTING DATA IN YOUR COMPUTER JOBS	93
15.0	APPLICATION RACF AUDITOR	95
15.1	Types of Audits	95
iv

-------
15.2	Application Certification Audit	96
15.2.1	Application Policies and Procedures	96
15.2.2	Application Worksheets	96
15.2.3	Application Dataset Protection and Access	96
15.2.4	User-IDs with CREATE and GRPACC Authorities 	96
15.3	Operational Audits	96
15.3.1	RACF Report Writer	97
15.3.2	RACF Audit Report Examples	99
Appendix A, Worksheets	A-1
Appendix B, Work Example 	B-1
Appendix C, RACF Decentralization 	C-1
Appendix D	D-1
TSSMS-RACF Decentralization Request	D-2
Email RACF Forms	D-8
List of Figures
Figure 1. Steps in Implementing an Information Security
Management Plan 	2
Figure 2. RACF Functionality	8
Figure 3. RACF Access Checking	9
Figure 4. Domain Based on Resource Ownership by a User-ID	10
Figure 5. Domain Based on RACF Group-SPECIAL Privilege 	11
Figure 6. HELPDESK Domain 	12
Figure 7. Dataset Administration Domain	13
Figure 8. Sample Application Domain 	14
v

-------
Application RACF
Security Administrator's Guide
1.0 INTRODUCTION
The Application RACF Security Administrator's Guide presents the RACF administrative
structure and procedural guidance required for Environmental Protection Agency (EPA) Program
Offices to perform RACF administration for their applications on IBM mainframes utilizing IBM
Resource Access Control Facility (RACF) security software. The guide has been prepared by
EPA's National Data Processing Division (NDPD).
In March 1991 the EPA Office of the Inspector General (OIG) concluded an audit of the
Agency's use of RACF. The OIG recommended (1) that the Agency place more RACF control
over application security in the hands of the applications and (2) that procedural guidance in
using RACF be provided to the applications. EPA's Office of Information Resources
Management (OIRM) responded with a plan to grant the EPA Program Offices RACF
administrative authorities. The Application RACF Security Administrator's Guide presents the
technical implementation of that plan.
EPA is responsible for establishing Agency information security policy. Consequently, OIRM
must meet provisions of the Computer Security Act of 1987 (Public Law 100-235) and other
Federal laws and regulations pertinent to Agency information management. The NDPD, under
OARM, Research Triangle Park (RTP), N.C., is responsible for technical implementation of
information security policy on Agency data processing platforms.
In 1987 OIRM published the EPA Information Resources Management Policy Manual. Chapter
8 of this manual specifically addressed information security. In December 1989 OIRM
published the EPA Information Security Manual, an Agency procedural guide for use in
determining and implementing application security requirements. The Application RACF
Security Administrator's Guide supplements that procedural guidance.
1

-------
2.0 INFORMATION SECURITY MANAGEMENT CONCEPTS
A basic understanding of information security management concepts must exist to implement an
application's RACF security management strategy. While a detailed discussion of how to
implement an information security management plan is beyond the scope of this guide, the basic
steps are presented in Figure 1.
Figure 1. Steps in Implementing an Information Security Management Plan
2

-------
With regard to statutory requirements, various ones exist to protect Agency data. Each Program
Office therefore should familiarize itself with statutes and directives pertinent to its applications
and incorporate them into the application's overall security management plan. Among the
statutory requirements are the following:
•	Computer Security Act of 1987.
•	OMB Circulars A-76, A-123, and A-130.
•	Paperwork Reduction Act of 1980.
•	Paperwork Reduction Reauthorization Act of 1986.
•	Federal Managers' Financial Integrity Act of 1982.
•	Toxic Substances Control Act (TSCA) of 1976.
•	Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA).
With regard to Agency requirements, OIRM published the EPA Information Resources
Management Policy Manual in 1987. Chapter 8 of this manual specifically addressed
information security. In December 1989, OIRM published the EPA Information Security
Manual, an Agency procedural guide to help determine and implement application security
requirements. Requirements from these documents should also be incorporated into each
application's overall information security management plan.
With regard to specific application requirements, these are defined by each application and are
usually based on operational, functional, or political considerations. For example, in a budget
system it may not be desirable for one program to have access to another program's budget.
3

-------
3.0 INFORMATION SECURITY STANDARDS
3.1 APPLICATION VS. PERSONAL DATASETS
All data, source code, load modules, JCL, etc., used to maintain or execute the application
should be contained in datasets whose high-level prefix begins with the application's billable
group (account), not in user libraries (datasets whose high-level qualifier is the User-ID and
account).
3.2 DATASET NAMING STANDARDS
A sound dataset naming standard must be adopted for application datasets. The naming standard
must reflect the purpose (for example, development, test, or production) and use (for example,
JCL, source, or data) of the dataset. These dataset naming standards facilitate the creation of
RACF dataset profiles (protection profiles) to protect the dataset(s) and to manage application
data storage requirements.
3.3 DATA PROTECTION AND ACCESS STANDARDS
All data and tape files on the NCC system must be protected through an applicable RACF
protection profile. A universal access level of NONE must be used for sensitive data (e.g.,
Privacy Act, contractual data, or financial data), Confidential Business Information (TSCA,
FIFRA, etc.), and sensitive Agency correspondence as noted by EPA senior management. A
universal access of no higher than READ must be used for all other Agency data. All
exceptions to this standard must be documented in the application's risk analysis report that
provides the basis of this exception.
The capability of creating a RACF dataset profile (RACF CREATE authority) to protect a
dataset must be restricted to personnel designated by EPA management (e.g., ADP Coordinator
or Account Manager) as responsible for application security. The RACF Security Administrator
(RSA) is recognized as an individual appointed by ADP management for this purpose.
Indiscriminate access to data is not allowed. READ access to sensitive data, and access other
than READ to nonsensitive data, must be granted based on an evaluation of an accesser's need
to know or on job function or responsibility. The capability of an application customer to delete
and create application datasets (RACF ALTER access) must be restricted based on customer
need or job function or responsibility. This access capability must not be granted indiscriminate-
ly. Access to datasets based on connection to a billable account must not be granted. RACF
groups established expressly for access by individuals with the same access requirements will
be used instead of billable accounts.
4

-------
3.4 RACF PRIVILEGES
NDPD management will review and approve the assignment of all RACF privileges. RACF
documentation will provide the bases for evaluating each case by an individual need (through
a job function review checklist established by NDPD). Operational exceptions, caused by
exceptions in IBM guidance or special operational needs, will be documented in the checklist.
RACF System SPECIAL privileges will be granted to the minimum number of individuals
required to ensure responsible administration of RACF. The RACF Systems AUDITOR
privilege will be restricted to the minimum number of individuals required to ensure that the
RACF and systems security environment is properly monitored and audited. The RACF
Systems OPERATIONS authority will be restricted to the minimum number of personnel
required to ensure that data management functions at the data center are properly maintained and
executed.
Granting RACF Group-SPECIAL authority will be based on an application group request or
NDPD operational group request that an individual be designated as a RACF Security
Administrator, receive RSA training, and be approved by EPA management (e.g., ADP
Coordinator or Account Manager).
To maintain proper separation of duties and responsibilities, no individual will have two or more
RACF system-wide attributes (System SPECIAL, OPERATIONS, and AUDITOR).
5

-------
4.0 RACF AND ITS FUNCTIONS
RACF is an IBM software product that interfaces with IBM's MVS operating system to provide
for the following:
•	User identification and verification. A user is identified to the system through a RACF-
defined User-ID. The user is authenticated through the password supplied with the
User-ID at logon.
•	Resource definition. RACF resource definitions (profiles) contained within the RACF
database name the resource to be protected (e.g., dataset name) and the level of access
granted all system users to the resource. A specific list of User-IDs and/or groups and
their access levels can be defined within the profile. For the purposes of this manual,
the following are considered to be resources:
-	Dataset.
-	Tape (an individual volume serial number, e.g., 102345).
-	Computer job printout awaiting print (available through SDSF, SYSD, or the TSO
STATUS command).
-	User-ID (obtained through the Time Sharing Services Management System
(TSSMS).
-	Group (account), obtained through TSSMS. A group is a named list of User-IDs,
datasets, or other resources.
•	Resource authorization, which is accomplished through interaction of the operating
system routines accessing the resource with RACF. RACF is configured on Agency
IBM mainframes in "always call" mode. RACF is always called by operating system
routines to determine if access should be granted to the resource based on the resource
profile. For example, data management routines call RACF to determine if a requestor
should have access to a dataset. RACF returns a code to the data management routines
which indicates the results of the profile check. The resource is protected by virtue of
the data management routine's honoring of the return code to either grant or deny
access to the dataset. RACF rules provide for a sequence of access authorization
checking prior to granting access.
•	Logging and reporting of RACF use and resource access. Resources and system
accesses can be logged by RACF in System Management Facility (SMF) data for
security audit reporting. Many of the RACF logging features are globally implemented
by the NCC Computer Security Staff through RACF commands. Other logging features
are specified in the resource profile by its creator. The RACF report writer can be
6

-------
used by RACF auditors to generate reports detailing resource accesses and attempts at
access.
RACF functionality is presented in Figure 2, and RACF access checking is presented in Figure
3. The following steps are involved.
1.	Customer supplies User-ID and password, which is verified and authenticated by
RACF.
2.	Customer requests access to a resource (e.g., dataset).
3.	MVS operating system calls RACF to determine access.
4.	RACF checks profile in database to determine dataset access specifications.
5.	RACF returns code to MVS indicating access is accepted or denied.
6.	MVS allows or denies access to the resource.
7.	The access or denial of access is logged to system SMF, from which audit reports are
generated by the RACF report writer.
7

-------
5.0 RACF ADMINISTRATIVE DOMAINS
RACF provides for administrative authority based on domains. Each domain is established
through a hierarchical arrangement of RACF resources (e.g., User-IDs, groups, datasets) based
on ownership within the RACF database.
Through a careful analysis of an application's administrative requirements, RACF domains can
be established so that appropriate RACF administrative authorities can be assigned and
controlled.
Figure 2. RACF Functionality
8

-------
Figure 3. RACF Access Checking
9

-------
5.1 DOMAIN BASED ON RESOURCE OWNERSHIP BY A USER-ID
Figure 4 shows the lowest and most limited domain: administrative authority and control based
on ownership of a RACF resource profile by an individual User-ID.
Each RACF User-ID is allowed full administrative control of all resources whose RACF re-
source profile is owned by the User-ID or for which the RACF resource profile name begins
with the User-ID (e.g., a RACF resource profile covering a user dataset). If the User-ID has
been granted the CREATE privilege under a RACF group, the User-ID can create its own
RACF dataset resource profiles for datasets whose names begin with the group.
If the User-ID owns the RACF resource profile of another User-ID, then administrative control
(e.g., password resets) is gained over the owned User-ID.
In Figure 4, User-ID AAA owns and has full administrative control over the RACF dataset
profile and User-ID BBB. User-ID CCC has no RACF administrative control over the dataset
profile or User-ID BBB. In this domain, control is limited to the owner of the resource (User-
ID AAA).
Figure 4. Domain Based on Resource Ownership by a User-ID (diagram: User-IDs AAA, BBB and CCC and a RACF dataset profile; AAA owns BBB and the profile)
10

-------
5.2 DOMAIN BASED ON THE RACF GROUP-SPECIAL PRIVILEGE
In Figure 5, an administrative group, ADMIN, has been established within the RACF database.
Group ADMIN owns the RACF dataset profiles and owns User-ID BBB. User-ID's AAA and
CCC are connected to group ADMIN with RACF Group-SPECIAL privileges.
In this domain, User-IDs AAA and CCC have RACF administrative authority over the RACF
generic dataset profiles and over User-ID BBB. This is due to their RACF Group-SPECIAL
privilege under the group owning the dataset profiles and the User-ID. This arrangement
provides for administration by multiple administrators (both User-IDs AAA and CCC) and
provides an administrative backup capability. If User-ID AAA is not available to perform a
password reset for User-ID BBB or to grant access to a dataset covered by the dataset profile,
then User-ID CCC can be contacted to perform the reset or to grant the access.
Figure 5. Domain Based on RACF Group-SPECIAL Privilege (diagram: group ADMIN owning User-ID BBB and the RACF dataset profiles)
11

-------
5.3 CREATING A SUB-DOMAIN
A sub-domain is shown in Figure 6. In the figure, RACF group HELPDESK has been
established. HELPDESK is owned by ADMIN. User-ID BBB has been connected to
HELPDESK with the RACF Group-SPECIAL privilege. Ownership of the application's User-
IDs DDD and EEE has been assigned to group HELPDESK. This enables User-ID BBB to reset
the application's User-IDs, but not those of AAA and CCC.
In this domain, User-IDs AAA and CCC have full administrative control over User-IDs BBB,
DDD, and EEE. User-ID BBB has administrative control only over User-IDs DDD and EEE.
In Figure 7, the domain is divided further. RACF group DATAOWN has been established to
own the application's datasets. User-ID FFF has been connected to group DATAOWN with the
RACF Group-SPECIAL privilege. User-ID FFF now has full RACF administrative control over
the application datasets' RACF profiles.
Figure 8 shows the Sample Application Domain.
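Sections 5.1 to 5.3 describe two rules that together fix the scope of an administrator's authority: the owner of a profile controls it, and a User-ID with Group-SPECIAL in a group controls every profile owned by that group or by a group beneath it in the ownership tree. The model below is an added example, not part of the guide; it encodes the domains of Figures 5 to 7 as data and answers "who can administer this profile?". The ownership of ADMIN, AAA, CCC and FFF by the top group SYS1, the extra User-ID GGG owned directly by AAA (the Figure 4 case), and the two dataset profile names are assumptions, since the figures do not state them. OPERATIONS, CREATE and the system-wide SPECIAL attribute are not modelled.

```python
"""Scope of RACF administrative authority for the domains in Figures 4 to 7.

Added example, not part of the guide. Two rules are modelled: direct
ownership of a profile, and Group-SPECIAL in a group, which reaches every
profile owned by that group or by any group owned (directly or indirectly)
by it. For DATASET profiles the guide's third case is included too: a
User-ID controls profiles whose first qualifier is the User-ID itself.
"""

# profile name -> owner (a group name or a User-ID). Names are those of
# Figures 5 to 7; SYS1 as owner of the top-level entries, user GGG and the
# two dataset profile names are assumptions.
MODEL = {
    "groups": {"ADMIN": "SYS1", "HELPDESK": "ADMIN", "DATAOWN": "ADMIN"},
    "users": {"AAA": "SYS1", "CCC": "SYS1", "FFF": "SYS1",
              "BBB": "ADMIN", "DDD": "HELPDESK", "EEE": "HELPDESK",
              "GGG": "AAA"},                       # Figure 4: owned by a user
    "datasets": {"ACCOUNT.PROD.DATA.*": "DATAOWN",  # Figure 7
                 "AAA.PERSONAL.*": "AAA"},          # a user dataset profile
    # User-ID -> groups in which it is connected with Group-SPECIAL
    "group_special": {"AAA": {"ADMIN"}, "CCC": {"ADMIN"},
                      "BBB": {"HELPDESK"}, "FFF": {"DATAOWN"}},
}


def group_scope(groups, top):
    """`top` plus every group owned, directly or indirectly, by it."""
    scope = {top}
    grew = True
    while grew:  # follow ownership downwards until nothing new is found
        grew = False
        for group, owner in groups.items():
            if owner in scope and group not in scope:
                scope.add(group)
                grew = True
    return scope


def administers(model, admin, kind, name):
    """Can User-ID `admin` administer profile `name` of type `kind`?"""
    owner = model[kind][name]
    if owner == admin:                               # Section 5.1: ownership
        return True
    if kind == "datasets" and name.split(".")[0] == admin:
        return True                                  # Section 5.1: own HLQ
    for group in model["group_special"].get(admin, ()):
        if owner in group_scope(model["groups"], group):   # Sections 5.2, 5.3
            return True
    return False


def who_administers(model, kind, name):
    """Sorted list of User-IDs with administrative control over a profile."""
    return sorted(u for u in model["users"]
                  if administers(model, u, kind, name))


if __name__ == "__main__":
    for kind, name in [("users", "DDD"), ("users", "BBB"), ("users", "GGG"),
                       ("datasets", "ACCOUNT.PROD.DATA.*")]:
        print(f"{kind[:-1]} {name}: {who_administers(MODEL, kind, name)}")
```

Running it reproduces the guide's statements: DDD is controlled by AAA, CCC (through ADMIN, which owns HELPDESK) and BBB (through HELPDESK), BBB is controlled by AAA and CCC only, and the application datasets by AAA, CCC and FFF. Check a model like this before assigning Group-SPECIAL: an administrator placed one level too high in the tree inherits every sub-domain below it.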
Figure 6. HELPDESK Domain (diagram: group ADMIN, with AAA and CCC holding GROUP-SPECIAL, owning User-ID BBB and the RACF dataset profiles; group HELPDESK, with BBB holding GROUP-SPECIAL, owning User-IDs DDD and EEE)
12

-------
Figure 7. Dataset Administration Domain (diagram: group ADMIN; remaining labels not recoverable)
13

-------
Figure 8. Sample Application Domain (diagram labels: "Functionality based on job role"; "Access granted based on functionality")
14

-------
6.0 USING RACF GROUPS FOR ACCESS TO RACF-PROTECTED DATASETS
RACF groups are designed for collections of User-IDs with the same access requirements.
When groups are established for the purpose of granting access in RACF dataset profiles, the
administration of dataset access is simplified. This is due to the fact that it is simpler to list a
group and to determine which User-IDs are connected to the group than it is to list all of the
application's RACF dataset profiles to determine who has access. This effort is additionally
helped, and provides for self-documentation of access, when the established groups are named
to indicate the access granted. The following symbolic RACF dataset profile and access list
demonstrates this concept:
ACCOUNT.PROD.DATA.*
AAA	UPDATE
BBB	UPDATE
CCC	READ
DDD	ALTER
In order to determine who has access to the datasets covered by the profile, a listing of the
profile must be obtained and examined. This is simple for one profile, but it becomes
administratively complex when a multitude of profiles are involved.
Establishing one RACF group for read access (DATAREAD), one for update access
(DATAUPD), and one for alter access (DATAALT) and granting them access to the dataset
profile results in the following access list:
ACCOUNT.PROD.DATA.*
DATAREAD READ
DATAUPD UPDATE
DATAALT ALTER
To grant access to the datasets covered by the profile, User-IDs AAA and BBB are connected
to group DATAUPD. User-ID CCC is connected to group DATAREAD, and User-ID DDD
is connected to group DATAALT.
A listing of the User-IDs connected to the access groups reveals who has access to the datasets.
Since the groups are named to indicate access level (e.g., DATAREAD), the accesss level is
self-documenting.
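Section 4 describes RACF returning an access decision from the profile, and the two listings above are meant to give every User-ID the same access. The code below is an added example, not part of the guide, that models the access-list part of that decision so the two listings can be compared mechanically. The rules modelled are: an explicit User-ID entry in the access list is used as it stands, even when it is lower than what the user's groups would give; a group entry is used only when there is no User-ID entry, taking the highest access among the user's connect groups when list-of-groups checking is active (which the scheme in this section relies on) and only the current connect group otherwise; UACC applies when nothing in the list matches. OPERATIONS, the ID(*) entry and conditional access are not modelled. User-ID EEE, connected to none of the groups, is an assumption.

```python
"""Effective access to a RACF-protected dataset from its access list.

Added example, not part of the guide. It models the access-list step of the
checking sequence in Section 4 and uses it to compare the two access lists
shown in Section 6.
"""

# RACF access hierarchy, lowest to highest.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def rank(access):
    return ACCESS_ORDER.index(access)


def effective_access(profile, userid, connect_groups,
                     list_of_groups=True, current_group=None):
    """Access the user gets from the profile's access list and UACC."""
    acl = profile["acl"]
    if userid in acl:
        return acl[userid]          # explicit User-ID entry wins, even NONE
    if list_of_groups:
        candidates = connect_groups
    else:                           # only the current connect group counts
        candidates = [current_group] if current_group else []
    found = [acl[g] for g in candidates if g in acl]
    if found:
        return max(found, key=rank)  # highest access among matching groups
    return profile["uacc"]


def permitted(profile, userid, connect_groups, requested, **opts):
    """Would a request for `requested` access be granted?"""
    got = effective_access(profile, userid, connect_groups, **opts)
    return rank(got) >= rank(requested)


def access_report(profile, connects, **opts):
    """User-ID -> effective access: the table an RSA wants for an audit."""
    return {u: effective_access(profile, u, g, **opts)
            for u, g in connects.items()}


# Section 6, first listing: access granted to User-IDs directly.
BY_USER = {"name": "ACCOUNT.PROD.DATA.*", "uacc": "NONE",
           "acl": {"AAA": "UPDATE", "BBB": "UPDATE",
                   "CCC": "READ", "DDD": "ALTER"}}

# Section 6, second listing: access granted to named groups ...
BY_GROUP = {"name": "ACCOUNT.PROD.DATA.*", "uacc": "NONE",
            "acl": {"DATAREAD": "READ", "DATAUPD": "UPDATE",
                    "DATAALT": "ALTER"}}

# ... with User-IDs connected as the section describes (EEE is an assumed
# User-ID connected to none of the access groups).
CONNECTS = {"AAA": ["DATAUPD"], "BBB": ["DATAUPD"], "CCC": ["DATAREAD"],
            "DDD": ["DATAALT"], "EEE": []}


if __name__ == "__main__":
    print("by user-ID:", access_report(BY_USER, CONNECTS))
    print("by group:  ", access_report(BY_GROUP, CONNECTS))
    # Excluding one member of DATAUPD without touching the group:
    # PERMIT 'ACCOUNT.PROD.DATA.*' GEN ID(BBB) ACCESS(NONE)
    excluded = {**BY_GROUP, "acl": {**BY_GROUP["acl"], "BBB": "NONE"}}
    print("BBB after explicit NONE:",
          effective_access(excluded, "BBB", CONNECTS["BBB"]))
```

Two points the comparison brings out. First, the group-based list gives exactly the same answers as the User-ID list, so nothing is lost by the rewrite. Second, because an explicit User-ID entry overrides group entries, a PERMIT with ACCESS(NONE) for one User-ID is the way to carve a single person out of a group without disconnecting them, and conversely a stale explicit entry left on a profile quietly overrides whatever the access groups say, which is why the deletion procedure removes User-IDs from access lists as well as from groups.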
15

-------
7.0 TSSMS AND CUSTOMER SUPPORT
7.1 TSSMS
NDPD's Time Sharing Services Management System (TSSMS) administers all account/User-ID
registration procedures and systems for Agency IBM mainframes using RACF.
TSSMS employs an online system to allow ADP Coordinators and account managers to request
account/User-ID transactions. These transactions will be entered in the IBM RACF database
through a batch job in nightly processing. Until decentralization is completed Agencywide,
TSSMS will maintain twice the entries to the IBM RACF database.
Each application's RACF security structure must be defined to RACF through transactions
requested through TSSMS. These transactions are requested through either the TSSMS online
system or self-documenting ALL-IN-1 Email forms (see Appendix D). Additionally, for each
application, TSSMS will establish initial RACF high-level structures which are required to
provide a uniform hierarchical structure for the decentralization of RACF (see Appendix C).
Any questions concerning the information presented in Appendixes A and D should be referred
to NCC Customer Support (919-541-7862 or 1-800-334-0741).
ADP Coordinators, account managers, and RSA's must work closely together to complete all
requests. Data entered in RACF will take precedence over the information in the TSSMS online
database, with the following exceptions: establishing a new billable account group, deleting a
billable account group, and adding a new User-ID. All other RACF entries will be used to
update the TSSMS online database. For details on how to complete requests and for learning
who is responsible, see Appendix D.
7.2 CUSTOMER SUPPORT
Customer Support will be available to assist the application's RSA with any RACF decentraliza-
tion questions or concerns. Requests for assistance will be directed to a Customer Support
specialist who will help the RSA determine the RACF structure appropriate for the application.
After the application has been decentralized, Customer Support will be available to provide
continuing support.
Customer Support can be reached by calling 919-541-7862 or 1-800-334-2405, or by using the
NCC Online Problem Reporter via the NCC IBM mainframe. The NCC Online Problem
Reporter is located in ISPF Option E.U., Customer Utilities. Customer Support telephone calls
receive immediate attention, whereas the Problem Reporter is checked twice daily.
16

-------
8.0 APPLICATION RACF SECURITY ADMINISTRATOR (RSA) RESPONSIBILITIES
Application RACF Security Administrators have the following responsibilities:
•	Determination of the application's security requirements.
•	Determination of the RACF structure required to implement the application's security
requirements.
•	Coordination with the application's ADP Coordinator and/or account manager to ensure
that account/User-ID transactions required by the application's RACF security
requirements are requested through TSSMS on an initial and ongoing basis.
•	Alteration of application User-ID profiles within RACF to conform to application
security requirements.
•	Resets of passwords for the User-IDs of requesting application customers.
•	RACF protection of application datasets, tapes, and other data processing resources.
•	Determining access requirements for those resources and granting access as required.
RACF requires that a valid User-ID and an associated password be supplied at system logon.
No access can be gained to the system without them. Proper administration of them is the first
line of defense against unauthorized system access and any damage to system data and other
resources resulting from that access. The RSA is responsible for properly administering User-
IDs under his/her RACF control.
Administration of a User-ID includes ensuring that the owner of the User-ID understands, and
complies with, NCC IBM Mainframe Security Policy (NDPD Operations Policy Number 210.08)
User-ID provisions:
•	You may not allow any other individual to use your User-ID and password to access
the system (this is called "sharing" a User-ID).
•	You may own (be registered for the use of) only one User-ID unless you have received
an exemption to this policy provision from NDPD.
•	When you use your User-ID and password for the first time, you must change the
password that was given to you and must verify your new password to RACF.
Afterwards, you must change your password every 90 days. If you forget your
password and contact NCC Customer Support to obtain another one, you must change
it when you first use it.
17

-------
•	When you change your password, it must be six to eight characters long and
must contain at least one alphabetic and at least one numeric character.
•	When changing your password, you may not use any of the previous ten passwords that
you have used.
•	If you supply an incorrect password more than four times without an intervening
successful access, your access to the system will be denied. You then must contact
NCC Customer Support to regain your access.
•	If you do not log on to the system for 99 days, your User-ID will be disabled in RACF
and you will be denied access to the system on your next access attempt. You must
then contact NCC Customer Support to obtain a reset of your User-ID.
•	If you do not use the system for a year, your User-ID will be purged from RACF.
•	When contacting NCC Customer Support for assistance, you must be able to identify
yourself based on information TSSMS has about you (name, telephone number,
account, and User-ID). You must be able to be reached at the telephone number
TSSMS has for you. This precaution is necessary to protect you from someone
pretending to be you and obtaining your User-ID and password. It also ensures that
processing services are given only to legitimate, registered users.
User-IDs are assigned and tracked through TSSMS. To update the RACF WORKATTR
information, the TSSMS online system must be maintained by ADP Coordinators or account
managers with the correct information for each User-ID. RACF WORKATTR information will
be updated in RACF during nightly processing to include the updates entered that day in the
online system. (See Section 7.0 for a description of the functions that you, your ADP
Coordinator, or your account manager must complete in order for TSSMS to register your
application in the RACF hierarchy.)
18

-------
9.0 USING RACF COMMANDS
Specific RACF commands exist through which RACF functions are obtained. The RACF user
must have access to the commands. Access to the commands is granted based on specific RACF
administrative responsibilities. In this guide, only the command options available at the NCC
are presented. RACF commands may be issued in the following ways:
•	Interactively through the ISPF RACF panels.
•	Interactively by signing on to the system under TSO and typing the command with its
required keywords and information.
•	In a batch job, by including them in the SYSTSIN of a step that executes TSO in batch:
//RACFCMD  EXEC PGM=IKJEFT01,DYNAMNBR=256
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
Command 1
Command 2
Command N
/*
In the command examples in this guide, all words in capital letters are required and must be
typed as specified. Each command creates or operates on a RACF description of the resource.
This description is called a RACF profile. Resources are:
•	User-IDs
•	Groups (accounts)
•	System-defined resources
•	Datasets
•	Tapes
•	Data contained in computer job listings
RACF can be used to protect datasets, tapes, and data contained in job listings. Only RACF
administrators can perform RACF functions on User-IDs, accounts, and system-defined
resources.
Each command requires basic information:
•	The name of the resource (dataset name, tape volume, jobname).

-------
•	The owner (OWNER) of the RACF resource profile. The owner controls the RACF
profile and acts as the RACF administrator for the profile. This should be a group to
which the administrator is connected with the RACF Group-SPECIAL attribute.
•	The access (UACC) to be granted to all users on the system.
The following information should also be specified:
•	An access list consisting of users or groups (with their respective access levels) who
may access the resource at a level other than that of the UACC.
•	Any audit criteria to be recorded for access attempts against the resource.
Access levels which can be used for the UACC or which can be granted to specific users and/or
groups in the access list are these:
•	NONE	No access.
•	READ	Read access (also gives the capability of copying).
•	UPDATE	Read and write access.
•	CONTROL	Read and write access plus control-interval processing for VSAM datasets;
for non-VSAM datasets, CONTROL is equivalent to UPDATE.
•	ALTER	Read and write access; the capability to delete and rename the
protected resource; for a discrete profile, access list control for the
profile.
•	EXECUTE	Execute-only access to a private load (program) library. This access
is more restrictive than READ. READ allows the program executor
to copy the program, but EXECUTE does not.
Each level includes the ones below it: a user granted UPDATE can also READ, and ALTER
includes every other level. Because the UACC applies to every User-ID on the system, it
should be NONE unless the data is genuinely meant to be public; grant higher access through
the access list instead.
Auditing criteria you may request in conjunction with ALTER, CONTROL, UPDATE,
EXECUTE, and READ are these:
•	ALL	All access attempts.
•	FAILURES	Only unauthorized attempts.
•	SUCCESS	Only authorized accesses.
•	NONE	No auditing.
You may use the NOTIFY(user-ID) option of the RACF commands to have RACF send a message
to the named User-ID's terminal whenever an access attempt against the resource is denied;
if that User-ID is not logged on, the message is held until its next logon. NCC Customer
Support can assist you in obtaining hard copy audit reports for sensitive data.

-------
If you choose to use the RACF ISPF panels, they can be accessed by selecting the options
specified on the following ISPF screens:
ISPF/PDF PRIMARY OPTION MENU
OPTION ===> E
                                                                User-ID  - UUU
 0  ISPF PARMS    - Specify terminal and user parameters        Prefix   - UUUAAAA
 1  BROWSE        - Display source data or output listings      Terminal - 3278
 2  EDIT          - Create or change source data                PF Keys  - 24
 3  UTILITIES     - Perform utility functions                   Time     - 09:05
 4  FOREGROUND    - Invoke language processors under TSO        Date     - 91/04/0
 5  BATCH         - Submit job for language processing          Julian   - 91.095
 6  COMMAND       - Enter TSO Command, CLIST, or REXX exec      Proc     - SEPATST
 7  DIALOG TEST   - Perform dialog testing                      Applid   - ISR
 8  LM UTILITIES  - Perform library administrator utility functions
 9  IBM PRODUCTS  - Additional IBM program development products
10  SCLM          - Software Configuration and Library Manager
 C  CHANGES       - Display summary of changes for this release
 T  TUTORIAL      - Display information about ISPF/PDF
 X  EXIT          - Terminate ISPF using log and list defaults
 E  EPA           - EPA/NCC Application Option Menu
 G  Group         - Group Application Option Menu
 U  User          - User Defined Application Option Menu
Enter END command to terminate ISPF.


EPA / NCC OPTION MENU
OPTION ===> R
 A     ASM2       - Disk Storage Management System
 B     NCC BDT    - NCC Bulk Data Transfer Dialog
 BD    IBM BDT    - Bulk Data Transfer Dialog
 C     COBAID     - VS COBOL II Conversion Aid
 FA    FILEAID    - Data Management Utility
 FL    FLSF       - Font Library Service Facility
 FO    FOCUS      - Invoke Focus
 ISMF  ISMF       - IBM ISMF dialog
 J     JSTS       - Job Status Tracking System
 JX    JES/328X   - Remote Printer Services
 L     LIBRARIAN  - Perform Librarian Services
 M     UCLA MAIL  - UCLA Mail BITNET Interface
 PDS   PDS/E      - PDS/E Utility Program
 PLS   PLSORT     - Phase Linear Sort Panels Product
 R     RACF       - Resource Access Control Facility
 S     SDSF       - Spool Display and Search Facility
 SDF   SDF II     - Screen Definition Facility
 TH    TSOHELP    - TSO Help Tutorial
 TMS   UCC1/ISPF  - UCC1/ISPF Subsystem (TMS)
 U     Utilities  - NCC Supplied Utilities
You can obtain more complete documentation on RACF by ordering the Resource Access
Control Facility (RACF) General User's Guide and/or the Resource Access Control Facility
(RACF) Command Language Reference from IBM Corporation.

-------
On the system you can obtain help with a RACF command in the following ways:
•	Taking the online RACF tutorial.
•	Typing the HELP command on the command option line of each RACF ISPF panel.
•	Typing the HELP command followed by the RACF command under TSO.
The RACF online tutorial can be accessed through the following sequence of RACF ISPF
panels:
RACF - SERVICES OPTION MENU
OPTION ===> 98
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10	VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT
TUTORIAL	RACF Tutorial
Option ===>
To view the following topics in sequence, press ENTER.
For a specific topic, enter the number of your selection.
1	About this Tutorial
2	RACF Concepts
3	Using RACF on MVS
4	Using RACF on VM
ENTER = Proceed	PF15 = End tutorial
The RACF HELP command can be entered interactively under TSO to display information
regarding a specific RACF command. The syntax of the HELP command is:
HELP command-name
For example, to obtain help on the RACF LISTUSER (LU) command under TSO, type either
format of the HELP command below:
HELP LU
HELP LU SYNTAX

-------
Complete information about the command is displayed as a result of the first command. Only
the syntax of the command is displayed as a result of the second command.
If you do not specify a valid RACF command following the HELP command, you will get a
display pertinent to TSO commands, and not RACF commands.

-------
10.0 USER-ID ADMINISTRATION
10.1 RACF USER-ID SEGMENTS AND FIELDS
Each RACF User-ID profile (definition) has several segments within RACF. Only one, the
RACF segment, is available to RSAs. These segments are described in the following
subsections. The fields described in these subsections are those currently used in the Agency
RACF implementation. The RACF segment fields are grouped below into general fields, fields
that grant RACF capabilities to the User-ID, and fields that control the User-ID's access to
the system.
10.1.1 TSO Segment
A TSO segment must be defined for User-IDs requiring TSO access to the system. If a User-ID
is to be used solely to access the system through CICS, a TSO segment should not be defined.
Values for the following fields must be supplied in the TSO segment:
•	ACCTNUM (the User-ID's RACF group).
•	PROC (the logon procedure to be used by the User-ID at system logon). This is
generally SEPATSO.
10.1.2 General RACF Segment Fields
The following are general RACF segment fields:
USER-ID	A User-ID is obtained from TSSMS and consists of three alphabetic
characters. Various combinations of letters and numbers are used for
special-case User-IDs (those associated with system-started task
procedures, for example).

-------
NAME	This field is up to 20 alphanumeric characters and contains the name
of the employee assigned the User-ID. The characters must be
enclosed in single quotes if the character string contains any blanks.
PASSWORD	This field contains the password assigned to the User-ID. The
password is set to expire and must be changed by the User-ID at
system logon. The password is six to eight alphanumeric characters
and should contain at least one number and one letter.
DFLTGRP
DFLTGRP (default group) is generally the first RACF group to
which the User-ID is added in RACF. Any of the groups to which
the User-ID is connected can be specified as a value. A User-ID
cannot be removed from its DFLTGRP unless another group to which
the User-ID is connected is designated as the new DFLTGRP.
DATA
This field provides for 255 characters of free-form text data to be
associated with the User-ID. An example would be the insertion of
a comment to indicate that a revoked User-ID was revoked because
the employee was on vacation.
GROUP
This field is the group to which the User-ID is connected and for
which changes are to be made in the ALTUSER command.
10.1.3 Fields Related to User-ID RACF Capabilities
The following fields are related to User-ID RACF capabilities:
AUTHORITY Authority is the User-ID's RACF access to group-level resources.
The allowed values are:
USE	The User-ID may use group-level RACF-pro-
tected resources. This is the default value if
none is supplied in the command.
CREATE	The User-ID may create RACF profiles to
protect the group-level resources. This authority
allows the User-ID to control the protection
of group-level resources and to control access
to those resources. It should not be given
indiscriminately and should be strictly controlled
by Program Office RACF Administrators: grant it only
to personnel responsible for RACF dataset protection
administrative requirements.
CONNECT This authority allows the User-ID to connect
existing RACF User-IDs to a RACF group.
JOIN	This authority allows the User-ID to add new
User-IDs or subgroups to the group, and to
assign group authorities to the new User-IDs.
CLAUTH	The value(s) supplied for CLAUTH determine the RACF
resource classes for which a User-ID can define RACF profiles
(which resources the User-ID can protect). You must have
CLAUTH authority for a class in order to grant the authority to
a User-ID. NOCLAUTH is the default value if a CLAUTH
authority is not specified in a command. For the purpose of
Agency RACF implementation, the following values are allowed:
TAPEVOL Allows the User-ID to create RACF profiles for
tape volumes.
OUTPUT Allows the RSA to create RACF profiles for com-
puter job output for User-IDs under his/her RACF
control.
USER Allows the User-ID to perform administrative
functions for User-IDs.
GRPACC	GRPACC specifies that the group will be allowed update access
to any group level datasets defined by the User-ID. Inadvertent
access to a dataset may be granted through this field to User-IDs
sharing the group but without a requirement for updating the
group's datasets. NOGRPACC is the default value if GRPACC
is not specified.
UACC	UACC is the default universal access placed in any RACF
profiles created by the User-ID if no UACC is specified in the
command creating the profile. The default value if none is
supplied is NONE. Inadvertent access may be granted to all
system User-IDs to the group's datasets if an inappropriate value
is used. If, for example, UPDATE is specified, all system users
will be able to update datasets protected by the User-ID if no
other value is supplied in the resource protection command.

-------
10.1.4 Fields Related to User-ID Control
The following fields are related to User-ID control:
OWNER	The OWNER is the administrator of the RACF User-ID profile. The
owner should be the RACF group to which the administrator of the
User-ID is connected. Your User-ID will be used if no value is
specified.
WHEN	The subfields associated with the WHEN field can be used to control
when the User-ID has access to the system. Generally, User-IDs
should be restricted to normal working hours to avoid "hacking" or
unauthorized application access during unsupervised times. Personnel
with a requirement for troubleshooting and application maintenance
should probably have no restrictions. Each subfield can be used
without the other. There are no default restrictions.
DAYS WEEKDAYS specifies access only Monday through
Friday. A specific day or list of days specifies
access only on that or those days (e.g., Monday,
Friday specifies access only on Monday and Fri-
day).
TIME	Eastern time applies. The start and stop times
associated with this subfield determine the interval
of time during which a User-ID may access the
system. The values are supplied in the format
start-time:stop-time, where times are in 24-hour
notation (hours = 00 to 24 and minutes = 00 through 59).
For example, to restrict a User-ID's access to the
application to 8:00 a.m. through 5:00 p.m., the
following values would be supplied:
TIME(0800:1700)
RESUME	This field specifies that the User-ID's access to the system is to be
restored (resumed). If used with a date, the User-ID's access is
restored effective that date (e.g., RESUME(08/15/91) would restore
a revoked User-ID's access to the system on August 15, 1991).

-------
REVOKE	This field specifies that the User-ID's access to the system is to be
denied. If specified with a date, the User-ID's access is denied
effective that date. For example, REVOKE(07/15/91) specifies that
the User-ID's access to the system will be denied effective July 15,
1991.
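As an added example (not part of this guide and not RACF code), the following Python code evaluates a WHEN restriction the way an RSA would reason about it before setting one: it parses the DAYS and TIME operands in the syntax above and decides whether a logon at a given moment would be permitted. The day names, WEEKDAYS and ANYDAY, and the HHMM:HHMM form are taken from the text. Treating the start time as inclusive and the stop time as exclusive, treating a start later than the stop as an interval that crosses midnight, and reading the logon time as local (Eastern) wall-clock time are assumptions of this model.

```python
import re
from datetime import datetime

# Added example: model of a RACF WHEN(DAYS(...) TIME(...)) restriction.
DAY_NAMES = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY",
             "FRIDAY", "SATURDAY", "SUNDAY"]
DAY_SETS = {"ANYDAY": set(DAY_NAMES), "WEEKDAYS": set(DAY_NAMES[:5])}


def _minutes(hhmm):
    """'0800' -> 480. Hours run 00 to 24, so 2400 (1440) closes the day."""
    hhmm = hhmm.strip()
    if not re.fullmatch(r"\d{4}", hhmm):
        raise ValueError(f"bad time {hhmm!r}, expected HHMM")
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or mins > 59 or (hours == 24 and mins != 0):
        raise ValueError(f"time {hhmm} out of range")
    return hours * 60 + mins


def parse_when(spec):
    """Parse the operands written inside WHEN(...), for example
    'DAYS(WEEKDAYS) TIME(0800:1700)'. Either part may be omitted.
    Returns {"days": set of day names, "time": (start, stop) in minutes or None}."""
    days = set(DAY_NAMES)                       # no DAYS(): no day restriction
    m = re.search(r"DAYS\(([^)]*)\)", spec, re.I)
    if m:
        days = set()
        for tok in m.group(1).upper().split():
            if tok in DAY_SETS:
                days |= DAY_SETS[tok]
            elif tok in DAY_NAMES:
                days.add(tok)
            else:
                raise ValueError(f"unknown DAYS value {tok}")
    window = None                               # no TIME() or ANYTIME: no time restriction
    m = re.search(r"TIME\(([^)]*)\)", spec, re.I)
    if m and m.group(1).strip().upper() != "ANYTIME":
        start, stop = m.group(1).split(":")
        window = (_minutes(start), _minutes(stop))
    return {"days": days, "time": window}


def logon_allowed(when, at):
    """True if a logon at `at` (a datetime or an ISO 'YYYY-MM-DDTHH:MM' string)
    satisfies the parsed restriction. Start is inclusive, stop exclusive; a start
    later than the stop is treated as an interval crossing midnight (assumption)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    if DAY_NAMES[at.weekday()] not in when["days"]:
        return False
    if when["time"] is None:
        return True
    start, stop = when["time"]
    now = at.hour * 60 + at.minute
    if start <= stop:
        return start <= now < stop
    return now >= start or now < stop
```

The check is worth running against the boundaries before issuing the ALTUSER: in this model TIME(0800:1700) admits a logon at 08:00 but not at 17:00, and a part-time restriction such as DAYS(MONDAY FRIDAY) without a TIME operand still allows a logon at 23:30 on those days.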
10.2 LISTING A USER-ID
For you to list a User-ID, it must be owned by a group to which you are connected with the
RACF Group-SPECIAL privilege. You must also have RACF read access to the TSO fields in
order to list the TSO information for the User-ID.
You may list the contents of a User-ID's RACF profile by issuing the LISTUSER (LU)
command under TSO (add the TSO keyword to include the TSO segment):
LU User-ID
LU User-ID TSO
or by supplying the information indicated on the following RACF ISPF panels (a sample display
output follows the panels).
RACF - SERVICES OPTION MENU
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10	VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

-------
RACF - USER PROFILE SERVICES
OPTION ===> 8
SELECT ONE OF THE FOLLOWING:
1	ADD	Add a user profile
2	CHANGE	Change a user profile
3	DELETE	Delete a user profile
4	PASSWORD	Change your own password or interval
5	AUDIT	Monitor user activity (Auditors only)
8	DISPLAY	Display profile contents
9	SEARCH	Search the RACF database for profiles
ENTER THE FOLLOWING INFORMATION:
USER ===> UUU	User-ID
RACF - DISPLAY FOR USER PROFILE
COMMAND ===>
To select the following options, enter any character.
_	Include TSO information
_	Include DFP information
_	Include OPERPARM information
_	Include CICS information
_	Include NATIONAL LANGUAGE information
_	Exclude basic RACF information

-------
BROWSE - RACF COMMAND OUTPUT                              LINE 00000000 COL 001 080
COMMAND ===>                                                       SCROLL ===> PAGE
******************************** TOP OF DATA ********************************
USER=UUU NAME=Brown.John OWNER=SECTY1 CREATED=83.315
 DEFAULT-GROUP=AAAA PASSDATE=91.078 PASS-INTERVAL= 90
 ATTRIBUTES=GRPACC
 REVOKE DATE=NONE RESUME DATE=NONE
 LAST-ACCESS=91.093/13:11:21
 CLASS AUTHORIZATIONS=TAPEVOL
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED (DAYS)	(TIME)
 ANYDAY	ANYTIME
 GROUP=AAAA	AUTH=CREATE	CONNECT-OWNER=T31	CONNECT-DATE=86.044
  CONNECTS= 2,739	UACC=READ	LAST-CONNECT=90.101/14:12:59
  CONNECT ATTRIBUTES=GRPACC
  REVOKE DATE=NONE	RESUME DATE=NONE
 GROUP=AAAA	AUTH=CREATE	CONNECT-OWNER=T31	CONNECT-DATE=86.119
  CONNECTS=27,893	UACC=NONE	LAST-CONNECT=91.088/13:57:48
  CONNECT ATTRIBUTES=GRPACC
  REVOKE DATE=NONE	RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
TSO INFORMATION
 ACCTNUM= AAAAUIDDD,B999
 DEST=
 PROC= SEPATST
 SIZE= 00005000
 MAXSIZE= 00000000
 UNIT= SYSDA
 USERDATA= 0000
NO DFP INFORMATION
NO CICS INFORMATION
NO LANGUAGE INFORMATION
NO OPERPARM INFORMATION
******************************* BOTTOM OF DATA *******************************

-------
The displayed fields are these:
USER	The User-ID.
NAME	The user's name.
OWNER	The RACF owner of the User-ID. This is the User-ID or account that has been
granted RACF administrative control over the User-ID. Administrative control is
used, for example, to reset the password if the user forgets it.
CREATED	The Julian date the User-ID was put in RACF.
DEFAULT-GROUP	If the User-ID is allowed to use multiple RACF groups, RACF uses this group as
the default group unless it is changed at logon or in the profile.
PASSDATE	The date on which the User-ID last changed the password.
PASS-INTERVAL	The interval (days) at which the User-ID is required to change the password.
ATTRIBUTES	RACF privileges allowed the User-ID, regardless of the group used to access the
system:
NONE	No privileges.
SPECIAL	Full RACF administrative privileges.
AUDITOR	Full RACF auditing privileges.
OPERATIONS	Full authorization to all RACF-protected resources that meet
certain conditions, generally for data management purposes
(backups, restores, etc.).
GRPACC	Allows other users of the group to access group-level datasets
created by this User-ID. RACF grants them update access.
CLAUTH	TAPEVOL (tapes) and OUTPUT (job output) are assigned to
all User-IDs.
ADSP	Not used at the NCC.
REVOKE	The User-ID may not use the system.

-------
REVOKE DATE	The date on which RACF is to deny access to the system. This could be used,
for example, to "turn off" the User-ID while the user is on vacation.
RESUME DATE	The date on which RACF is to grant access to the system. This could be
used, for example, to "turn on" the User-ID when the user returns from
vacation.
LAST-ACCESS	The Julian date and time the system was last accessed.
CLASS AUTHORIZATIONS	The RACF classes for which the User-ID is allowed to create RACF profiles.
TAPEVOL allows the creation of RACF profiles to protect data on tape
volumes.
INSTALLATION-DATA	RACF allows informational comments to be associated with the User-ID. If
comments have been associated with the User-ID, this field would read
INSTALLATION DATA, followed by the comments.
NO-MODEL-NAME	Not used at the NCC.
LOGON ALLOWED	The information following this display indicates any day or time restrictions
placed on the User-ID's access. There are no restrictions unless the RACF
administrator of the User-ID places restrictions on it (e.g., to allow a part-time
employee access only during the days and times he or she is scheduled to
work).
GROUP	Any additional RACF group the User-ID is allowed to use when logging on
to the system.
AUTH	The authority the User-ID has over RACF-protected group-level datasets for
the group:
USE	The User-ID may use the group's protected datasets.
CREATE	The User-ID may RACF-protect the group's datasets and may
control who can access them.
CONNECT	The User-ID may connect (add) RACF-defined User-IDs to
the group. This is reserved for RACF administrators.
JOIN	The User-ID may define new users or groups to RACF. This
is reserved for RACF administrators, who must also have
CLAUTH=USER authority.
CONNECT-OWNER	The RACF administrator who owns this group.
CONNECT-DATE	The Julian date the User-ID was connected to this account.

-------
CONNECTS	The number of times the system was accessed using this group.
UACC	The default access allowed to datasets protected by this User-ID unless
a different value was specified in the RACF profile created to protect the
data.
LAST-CONNECT	The Julian date and time the system was last accessed with this group.
CONNECT ATTRIBUTES	The RACF privileges the User-ID has under this group. See ATTRIBUTES
for the User-ID level previously defined.
REVOKE DATE, RESUME DATE	Same as defined previously, but applicable for the User-ID's use of
this group only.
SECURITY-LEVEL, CATEGORY-AUTHORIZATION,
SECURITY-LABEL	Not currently used at the NCC.
TSO INFORMATION	Standard default information used by the system during TSO access. If
no information is put here by the RACF administrator, the User-ID
cannot use TSO.
DFP INFORMATION	DFP information is for use by NCC Data Management only.
CICS INFORMATION	Not currently used at the NCC.
LANGUAGE INFORMATION	Not currently used at the NCC.
OPERPARM INFORMATION	Not currently used at the NCC.
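The fields above are what an RSA reads when applying the NCC rules from Section 8.0: a User-ID idle for 99 days is revoked, one idle for a year is purged, and the password must be changed every PASS-INTERVAL days. The following Python script is an added example, not NCC or IBM code. It parses a constructed LISTUSER display in the layout shown above and reports what those rules call for as of a chosen date; as a small generalization it also flags User-IDs holding SPECIAL, OPERATIONS or AUDITOR, which deserve review regardless of activity. The field names and the yy.ddd Julian date form come from the display above. The display text itself, the rule thresholds as constants, and the handling of LAST-ACCESS=UNKNOWN (a User-ID that has never logged on is measured from its CREATED date) are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed LISTUSER display in the layout shown above (illustrative values,
# not taken from any real system).
SAMPLE_LU = """\
USER=UUU NAME=Brown.John OWNER=SECTY1 CREATED=83.315
 DEFAULT-GROUP=AAAA PASSDATE=91.078 PASS-INTERVAL= 90
 ATTRIBUTES=GRPACC
 REVOKE DATE=NONE RESUME DATE=NONE
 LAST-ACCESS=91.093/13:11:21
 CLASS AUTHORIZATIONS=TAPEVOL
 NO-INSTALLATION-DATA
 LOGON ALLOWED (DAYS) (TIME)
 ANYDAY ANYTIME
 GROUP=AAAA AUTH=CREATE CONNECT-OWNER=T31 CONNECT-DATE=86.044
  CONNECTS= 2,739 UACC=READ LAST-CONNECT=90.101/14:12:59
  CONNECT ATTRIBUTES=GRPACC
"""

# NCC rules from Section 8.0 of this guide, assumed here to apply to every User-ID.
INACTIVE_REVOKE_DAYS = 99
INACTIVE_PURGE_DAYS = 365
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}


def parse_julian(value):
    """RACF 'yy.ddd' or 'yy.ddd/hh:mm:ss' -> datetime. %y maps 69-99 to 19xx,
    which matches the two-digit years used throughout this guide."""
    value = value.strip()
    fmt = "%y.%j/%H:%M:%S" if "/" in value else "%y.%j"
    return datetime.strptime(value, fmt)


def parse_listuser(text):
    """Pull the fields documented above out of one LISTUSER display."""
    def field(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    last = field(r"LAST-ACCESS=(\S+)")
    return {
        "user": field(r"USER=(\S+)"),
        "name": field(r"NAME=(\S+)"),
        # (?<!-) stops CONNECT-OWNER= and DEFAULT-GROUP= from matching here
        "owner": field(r"(?<!-)OWNER=(\S+)"),
        "default_group": field(r"DEFAULT-GROUP=(\S+)"),
        "created": parse_julian(field(r"CREATED=(\S+)")),
        "passdate": parse_julian(field(r"PASSDATE=(\S+)")),
        "pass_interval": int(field(r"PASS-INTERVAL=\s*(\d+)")),
        # user-level line only; CONNECT ATTRIBUTES= is per group
        "attributes": re.split(r"[\s,]+", field(r"(?<!CONNECT )ATTRIBUTES=(.*)").strip()),
        "revoke_date": field(r"REVOKE DATE=(\S+)"),      # first match is user level
        # UNKNOWN means the User-ID has never logged on (assumed display value)
        "last_access": None if last == "UNKNOWN" else parse_julian(last),
        "clauth": (field(r"CLASS AUTHORIZATIONS=(\S+)") or "").split(","),
        # one (group, authority) pair per connect entry
        "connects": re.findall(r"(?<!-)GROUP=(\S+)\s+AUTH=(\S+)", text),
    }


def evaluate(profile, as_of):
    """Apply the inactivity and password-interval rules as of datetime `as_of`."""
    since = profile["last_access"] or profile["created"]   # never used: age from creation
    idle_days = (as_of - since).days
    if idle_days >= INACTIVE_PURGE_DAYS:
        action = "PURGE"
    elif idle_days >= INACTIVE_REVOKE_DAYS:
        action = "REVOKE"
    else:
        action = None
    expires = profile["passdate"] + timedelta(days=profile["pass_interval"])
    return {
        "user": profile["user"],
        "idle_days": idle_days,
        "action": action,
        "password_expired": as_of > expires,
        "privileged": bool(PRIVILEGED & set(profile["attributes"])),
    }
```

The LAST-ACCESS of 91.093 in the sample is 3 April 1991, so by mid-July the User-ID is past the 99-day mark and its 90-day password interval has also lapsed; the same profile checked on 1 May 1991 needs no action.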

-------
10.3 CHANGING A USER-ID
You may use the RACF ALTUSER (ALU) command to change any of the RACF information
associated with the User-ID:
ALU User-ID
AUTHORITY(group authority)
CLAUTH(class authority) | NOCLAUTH
DATA(installation data) | NODATA
DFLTGRP(default group)
GROUP(group name)
NAME(user's name)
OWNER(owner)
PASSWORD(password)
RESUME(date)
REVOKE(date)
UACC(uacc)
WHEN(DAYS(days) TIME(time))
GRPACC | NOGRPACC
TSO(ACCTNUM(group) PROC(SEPATSO)) | NOTSO
Alternately, the following sequence of RACF ISPF panels can be used:

-------

RACF - SERVICES OPTION MENU
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10	VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - USER PROFILE SERVICES
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	ADD	Add a user profile
2	CHANGE	Change a user profile
3	DELETE	Delete a user profile
4	PASSWORD	Change your own password or interval
5	AUDIT	Monitor user activity (Auditors only)
8	DISPLAY	Display profile contents
9	SEARCH	Search the RACF database for profiles
ENTER THE FOLLOWING INFORMATION:
USER ===> UUU	User-ID

RACF - CHANGE USER UUU
COMMAND ===>
ENTER THE DESIRED CHANGES:
OWNER ===>	User-ID or group name
USER NAME ===>
DEFAULT GROUP ===>	Group name
PASSWORD ===>	User's initial password
PASSWORD INTERVAL ===>	1 - 254 days, NO, or blank
REVOKE ===>	YES, mm/dd/yy (date) or blank
RESUME ===>	YES, mm/dd/yy (date) or blank
Press ENTER to continue.

-------

RACF - CHANGE USER UUU
COMMAND ===>
TO ASSIGN A USER ATTRIBUTE, ENTER YES
TO CANCEL A USER ATTRIBUTE, ENTER NO
GROUP ACCESS ===>	SPECIAL ===>
ADSP ===>	OPERATIONS ===>
OIDCARD ===>	AUDITOR ===>
NO-PASSWORD ===>
CHANGE OR DELETE THE MODEL PROFILE USED FOR USER DATA SETS (OPTIONAL):
NEW MODEL ===>
DELETE ===>	YES if no model is to be used
TO ADD OR CHANGE OPTIONAL INFORMATION, ENTER YES ===> YES

RACF - CHANGE USER UUU
COMMAND ===>
To add or change the following information, enter any character.
Y	CLASS AUTHORITY
Y	INSTALLATION DATA
_	SECURITY LEVEL OR CATEGORIES
_	SECURITY LABEL
Y	LOGON RESTRICTIONS
_	NATIONAL LANGUAGES
_	DFP PARAMETERS
Y	TSO PARAMETERS
_	OPERPARM PARAMETERS
_	CICS PARAMETERS

RACF - CHANGE USER UUU	CLASS AUTHORITY
COMMAND ===>
ENTER THE DESIRED ACTION ===>	ADD or DELETE
ENTER THE CLASSES FOR WHICH AUTHORITY IS TO BE ADDED OR DELETED:
===>	===>	===>	===>
===>	===>	===>	===>
===>	===>	===>	===>

-------

RACF - CHANGE USER UUU	INSTALLATION DATA
COMMAND ===>
CHANGE OR DELETE THE INSTALLATION DATA:
DATA ===>
	<= End of data
DELETE ===>	YES if the profile is not to contain installation data.

RACF - CHANGE USER UUU	WHEN THE USER MAY ACCESS THE SYSTEM
COMMAND ===>
TO CHANGE DAYS, ENTER YES OR NO
MONDAY ===>
TUESDAY ===>
WEDNESDAY ===>
THURSDAY ===>
FRIDAY ===>
SATURDAY ===>
SUNDAY ===>
ENTER OPTIONAL TIME RESTRICTION:
ANYTIME ===>	YES or Blank
... or ...
START TIME ===>	HH:MMam/pm
END TIME ===>	HH:MMam/pm

RACF - CHANGE USER UUU	TSO-RELATED INFORMATION
COMMAND ===>
To DELETE the TSO segment, enter YES ===>
	OR
Enter the desired changes:
JOB CLASS ===>
MESSAGE CLASS ===>
HOLD CLASS ===>
SYSOUT CLASS ===>
ACCOUNT NUMBER ===> AAAA
LOGON PROCEDURE NAME ===> SEPATSO
REGION SIZE ===>
UNIT ===>
DESTINATION ID ===>
MAXIMUM REGION SIZE ===>
USER DATA ===>
LOGON SECURITY LABEL ===>

-------
10.4 REVOKING A USER-ID
The ALTUSER (ALU) command is also used to revoke a User-ID:
ALU UUU REVOKE
Revoking only prevents the User-ID from logging on. Its profile, group connections, and access
list entries remain in place, so the User-ID can be restored later with RESUME; the cleanup
described in Section 10.5 is still required before the User-ID is deleted.
Alternately, the following sequence of RACF ISPF panels can be used:
RACF - SERVICES OPTION MENU
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10	VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - USER PROFILE SERVICES
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	ADD	Add a user profile
2	CHANGE	Change a user profile
3	DELETE	Delete a user profile
4	PASSWORD	Change your own password or interval
5	AUDIT	Monitor user activity (Auditors only)
8	DISPLAY	Display profile contents
9	SEARCH	Search the RACF database for profiles
ENTER THE FOLLOWING INFORMATION:
USER ===> UUU	User-ID

RACF - CHANGE USER UUU
COMMAND ===>
ENTER THE DESIRED CHANGES:
OWNER ===>	User-ID or group name
USER NAME ===>
DEFAULT GROUP ===>	Group name
PASSWORD ===>	User's initial password
PASSWORD INTERVAL ===>	1 - 254 days, NO, or blank
REVOKE ===> YES	YES, mm/dd/yy (date) or blank
RESUME ===>	YES, mm/dd/yy (date) or blank
Press ENTER to continue.

RACF - CHANGE USER UUU
COMMAND ===>
TO ASSIGN A USER ATTRIBUTE, ENTER YES
TO CANCEL A USER ATTRIBUTE, ENTER NO
GROUP ACCESS ===>	SPECIAL ===>
ADSP ===>	OPERATIONS ===>
OIDCARD ===>	AUDITOR ===>
NO-PASSWORD ===>
CHANGE OR DELETE THE MODEL PROFILE USED FOR USER DATA SETS (OPTIONAL):
NEW MODEL ===>
DELETE ===>	YES if no model is to be used
TO ADD OR CHANGE OPTIONAL INFORMATION, ENTER YES ===> YES

-------
10.5 RACF CONSIDERATIONS WHEN DELETING A USER-ID
A User-ID cannot be deleted from RACF if the User-ID owns any RACF dataset profiles.
RACF will display a message to this effect if a delete of a User-ID owning RACF dataset
profiles is attempted. Additionally, since a User-ID may be reassigned to another individual,
the new individual will obtain all RACF accesses previously granted to the User-ID if that
access is not removed prior to deletion of the User-ID.
A RACF utility, IRRUT100, should be executed before deletion of a User-ID. The utility
will display all occurrences of the User-ID in RACF. This display should be used to remove
the User-ID from all access lists in which it occurs. It should also be used to determine the
ownership of any RACF resources by the User-ID so that a new owner can be assigned.
The utility should be executed overnight in a batch job. The JCL (less your job card) to
accomplish this follows:
//RACFXREF EXEC PGM=IRRUT100
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD UNIT=SYSDA,SPACE=(TRK,(40,10))
//SYSIN    DD *
UUU
/*
A sample output from the utility follows:
OCCURRENCES OF UUU
IN STANDARD ACCESS LIST OF GENERAL RESOURCE PROFILE UUU.* (G)
OWNER OF OUTPUT UUU.*
IN NOTIFY FIELD OF GENERAL RESOURCE PROFILE OUTPUT UUU.* (G)
OWNER OF TAPEVOL 123456
IN STANDARD ACCESS LIST OF DATASET PROFILE UUU.AAAA.* (G)
OWNER OF DATASET PROFILE UUU.AAAA.* (G)
In the preceding sample output, User-ID UUU is the owner of the resource profile for job
output UUU.* and is both in the access list of the profile and on the notify parameter of the
profile. The User-ID is also owner of dataset profile UUU.AAAA.* and is in the standard
access list of the profile. Prior to deletion from RACF, User-ID UUU must be removed
from the standard access lists appearing in the utility's output. A new owner of all owned
resource profiles must be assigned, or the resource profile must be deleted from RACF.
Because a reassigned User-ID inherits whatever is left behind, treat the IRRUT100 listing as a
checklist and run the utility again after the cleanup to confirm that no occurrences remain
before issuing the delete.
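The utility output above is effectively a checklist. As an added example (not NCC code and not part of this guide), the following Python script turns a constructed IRRUT100 listing in that layout into the RACF commands that must be issued before DELUSER will succeed, and wraps them in the TSO-in-batch step from Section 9.0. PERMIT with DELETE, ALTDSD, RALTER, NONOTIFY and DELUSER are standard RACF commands. The exact wording of IRRUT100 output on a given system may differ from this guide's sample, so the parser treats any line it does not recognise, including the first access-list line above which shows no resource class, as an item for manual review rather than guessing at it. Because NOTIFY names a User-ID and the new owner here is a group, the notify field is cleared rather than redirected; that is a choice of this example.

```python
import re

# Constructed IRRUT100 listing in the layout shown above (illustrative names only).
SAMPLE_XREF = """\
OCCURRENCES OF UUU
IN STANDARD ACCESS LIST OF GENERAL RESOURCE PROFILE UUU.* (G)
OWNER OF OUTPUT UUU.*
IN NOTIFY FIELD OF GENERAL RESOURCE PROFILE OUTPUT UUU.* (G)
OWNER OF TAPEVOL 123456
IN STANDARD ACCESS LIST OF DATASET PROFILE UUU.AAAA.* (G)
OWNER OF DATASET PROFILE UUU.AAAA.* (G)
"""


def _strip_generic(line):
    """Return (text, is_generic) with the trailing ' (G)' marker removed."""
    if line.endswith(" (G)"):
        return line[:-4], True
    return line, False


def cleanup_plan(xref_text, new_owner):
    """Turn an IRRUT100 listing into the RACF commands that must run before
    DELUSER, plus a list of lines that need a person to look at them.
    Order: access-list removals, NOTIFY clean-up, ownership transfers, DELUSER."""
    user = None
    permits, notifies, owners, manual = [], [], [], []
    for raw in xref_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        text, generic = _strip_generic(line)
        gen = " GENERIC" if generic else ""

        m = re.match(r"OCCURRENCES OF (\S+)$", text)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"IN STANDARD ACCESS LIST OF DATASET PROFILE (\S+)$", text)
        if m:
            permits.append(f"PERMIT '{m.group(1)}'{gen} ID({user}) DELETE")
            continue
        m = re.match(r"IN NOTIFY FIELD OF DATASET PROFILE (\S+)$", text)
        if m:
            notifies.append(f"ALTDSD '{m.group(1)}'{gen} NONOTIFY")
            continue
        m = re.match(r"IN (STANDARD ACCESS LIST|NOTIFY FIELD) OF GENERAL RESOURCE PROFILE (.+)$", text)
        if m:
            parts = m.group(2).split()
            if len(parts) != 2:       # class name missing, as in the sample's first line
                manual.append(f"{line}: class not shown, resolve by hand")
                continue
            cls, name = parts
            if m.group(1) == "NOTIFY FIELD":
                notifies.append(f"RALTER {cls} {name} NONOTIFY")
            else:
                permits.append(f"PERMIT {name} CLASS({cls}) ID({user}) DELETE")
            continue
        m = re.match(r"OWNER OF DATASET PROFILE (\S+)$", text)
        if m:
            owners.append(f"ALTDSD '{m.group(1)}'{gen} OWNER({new_owner})")
            continue
        m = re.match(r"OWNER OF (\S+) (\S+)$", text)   # general resource: class, name
        if m:
            owners.append(f"RALTER {m.group(1)} {m.group(2)} OWNER({new_owner})")
            continue
        manual.append(f"{line}: unrecognised line, resolve by hand")

    if user is None:
        raise ValueError("no 'OCCURRENCES OF' header found")
    return permits + notifies + owners + [f"DELUSER {user}"], manual


def as_batch_job(commands):
    """Wrap the commands in the TSO-in-batch step shown in Section 9.0 (no job card)."""
    return "\n".join(["//RACFCMD  EXEC PGM=IKJEFT01,DYNAMNBR=256",
                      "//SYSTSPRT DD SYSOUT=*",
                      "//SYSTSIN  DD *",
                      *commands,
                      "/*"])
```

Run the generated job, resolve the manual items, and re-run IRRUT100 before trusting the DELUSER at the end of the list; if the User-ID still owns anything, DELUSER fails with the message described above.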

-------
10.6 DATA CONSIDERATIONS WHEN DELETING A USER-ID
NCC Operations policy requires that a disposition be made of all data resources (datasets and
tapes) belonging to a deleted User-ID. The disposition (delete or rename) must be made
within 45 days of the notice supplied to the User-ID's account manager or ADP Coordinator.
If production data is contained in datasets or tapes belonging to a deleted User-ID, the
application is at risk of losing that data when the User-ID is deleted. If a rename of the
resources is not accomplished by the application within the 45-day notice period, the datasets
and tapes are removed from the system by NCC Data Management to make the data space
and tapes available to other customers who are active on the system.
10.7 CONNECTING A USER-ID TO A RACF GROUP OR CHANGING A USER-ID'S CONNECT ATTRIBUTES
The User-ID is always connected to an initial group when added to RACF. In order to use
any other RACF group for either billing or data access purposes, the User-ID must be
specifically connected (attached) to the group. This is done through the CONNECT (CO)
command, which has the following syntax:
CO User-ID GROUP(group) AUTHORITY(group authority)
OWNER(owner) UACC(universal access) GRPACC | NOGRPACC
•	The RESUME parameter can be specified to resume a User-ID's access to the
system through the group.
•	The REVOKE parameter can be used to disable the User-ID's access to the system
through the group. The REVOKE parameter is used to deny the User-ID use of the
group until a disposition can be made of any group level resource profiles owned by
the User-ID. The User-ID cannot be purged (deleted) from the group until a
disposition is made of all group resource profiles owned by the User-ID.
•	A date can be specified with the RESUME and REVOKE parameters to indicate a
specific date on which access through the group is to start or stop.
The CONNECT command is also used to change a User-ID's connect attributes for a group
to which the User-ID is already connected.
The following sequence of ISPF RACF panels can be used to connect a User-ID to a group,
to resume the User-ID's access to the group, or to revoke a User-ID's access to the group.

-------
RACF - SERVICES OPTION MENU
OPTION ===> 3
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10	VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GROUP PROFILE SERVICES
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1	ADD	Add a group profile
2	CHANGE	Change a group profile
3	DELETE	Delete a group profile
4	CONNECT	Add or change a user connection
5	REMOVE	Remove users from the group
8	DISPLAY	Display profile contents
9	SEARCH	Search the RACF database for profiles
ENTER THE FOLLOWING INFORMATION:
GROUP NAME ===>

RACF - ADD OR CHANGE CONNECTION TO AAAA
COMMAND ===>
IDENTIFY THE USER:
USER ===> uuu	User-ID
ENTER THE CONNECTION INFORMATION TO BE ADDED OR CHANGED:
OWNER ===> aaaa	User-ID or group name
DEFAULT UACC ===> none	NONE, READ, UPDATE, CONTROL, or ALTER
GROUP AUTHORITY ===> use	USE, CREATE, CONNECT, or JOIN
Press ENTER to continue.

RACF - ADD OR CHANGE CONNECTION TO AAAA
COMMAND ===>
TO ALLOW USER ATTRIBUTES, ENTER YES
TO DENY USER ATTRIBUTES, ENTER NO
GROUP ACCESS ===> no	Allow the group to access new group data sets
ADSP ===> no	Create discrete profiles for new permanent data sets
REVOKE ===>	YES, mm/dd/yy (date), or blank
RESUME ===>	YES, mm/dd/yy (date), or blank
SPECIAL ===>	Grant Group-SPECIAL attribute
OPERATIONS ===>	Grant Group-OPERATIONS attribute
AUDITOR ===>	Grant Group-AUDITOR attribute
10.8 REMOVING A USER-ID FROM A RACF GROUP
The REMOVE (RE) command is used to remove a User-ID from a RACF group:
RE User-ID GROUP(group) OWNER(account)
The OWNER parameter specifies an account to be assigned ownership of all group-level RACF
profiles owned by the User-ID being removed from the group. As noted under DFLTGRP in
Section 10.1.2, a User-ID cannot be removed from its default group; designate another group
as the DFLTGRP with ALTUSER first if necessary.
The following ISPF RACF panel sequence can be used in place of the command:
RACF - SERVICES OPTION MENU
OPTION ===> 3
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10	VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GROUP PROFILE SERVICES
OPTION ===> 5
SELECT ONE OF THE FOLLOWING:
1	ADD	Add a group profile
2	CHANGE	Change a group profile
3	DELETE	Delete a group profile
4	CONNECT	Add or change a user connection
5	REMOVE	Remove users from the group
8	DISPLAY	Display profile contents
9	SEARCH	Search the RACF database for profiles
ENTER THE FOLLOWING INFORMATION:
GROUP NAME ===> AAAA

RACF - REMOVE A USER FROM AAAA
COMMAND ===>
ENTER THE FOLLOWING:
USER ===> UUU	User-ID
NEW OWNER ===> AAAA	User-ID or group name

-------
11.0 RACF GROUPS
11.1	GROUP TYPES
Two types of RACF groups exist: account and nonaccount. Account groups are used for
system logon. Computer charges and resource utilizations are accrued for accounting and
budgetary purposes against account groups. Nonaccount groups are used for RACF
administrative and resource access purposes. When entering a RACF group into RACF, you
must first decide if the group is to be used for billable or administrative purposes.
A RACF feature called "list of groups checking" is in effect. When a resource's access list
contains a group, RACF checks each group to which a User-ID requesting the resource is
connected (attached) in determining whether or not access should be granted to the resource.
The User-ID does not, therefore, have to be logged on the system with a particular group in
order to have resource access based on that group. Billable groups (accounts) can be placed in
access lists. This should be avoided, however, to prevent confusion between account and
nonaccount groups.
The RACF command for adding a group to RACF is reserved for the TSSMS Office.
11.2	LISTING A GROUP
The LISTGRP (LG) command is used to display information about a RACF group:
LG group
Alternately, the following sequence of ISPF RACF panels is used to display information about
a RACF group (a sample output follows the panels):
RACF - GROUP PROFILE SERVICES
OPTION ===> 8
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a group profile
2   CHANGE    Change a group profile
3   DELETE    Delete a group profile
4   CONNECT   Add or change a user connection
5   REMOVE    Remove users from the group
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles
ENTER THE FOLLOWING INFORMATION:
GROUP NAME ===> AAAA

-------

RACF - DISPLAY FOR GROUP PROFILE
COMMAND ===>

ENTER OPTIONAL INFORMATION:

DFP  ===>       YES to include DFP-RELATED information. The default is NO.
RACF ===> YES   NO to exclude basic RACF information. The default is YES.

INFORMATION FOR GROUP AAAA
SUPERIOR GROUP=BBBB   OWNER=HELPER
NO INSTALLATION DATA
NO MODEL DATASET
TERMUACC
NO SUBGROUPS
USER(S)=   ACCESS=   ACCESS COUNT=   UNIVERSAL ACCESS=
  UUU      CREATE    000000          READ
    CONNECT ATTRIBUTES=GRPACC
    REVOKE DATE=NONE   RESUME DATE=NONE
  UUU      USE       000000          NONE
    CONNECT ATTRIBUTES=GRPACC
    REVOKE DATE=NONE   RESUME DATE=NONE
  UUU      USE       000000          READ
    CONNECT ATTRIBUTES=GRPACC
    REVOKE DATE=NONE   RESUME DATE=NONE

-------
12.0 PROTECTION OF APPLICATION DATASETS AND OTHER RESOURCES
12.1 IDENTIFICATION AND STANDARDS
For application datasets to be protected, they and their contents must be identified. This task
may not be simple if the application does not currently provide for standards such as the
following:
•	All application data must be in datasets at the group (account) level. That is, the dataset
name must begin with the group (account) under which the data is created and
processed.
•	A dataset naming standard must be in place to indicate the nature of the data (e.g.,
ACCOUNT.TEST.DATA, ACCOUNT.PROD.JCL).
•	The capability of an individual user to create a dataset must be carefully evaluated and
controlled.
•	RACF protection of user-level datasets must be carefully monitored to ensure that
application group-level dataset protection is not compromised.
•	The capability of an individual user to create RACF protection for group-level datasets
must be carefully evaluated and controlled.
Each application should put these standards in place for the following reasons:
•	RACF allows a user full control over datasets whose name begins with the user's
User-ID. If application data is in a user dataset, the user, not the application, has full
control over the data and its protection (or lack of protection).
•	Users are more transient than applications. A disposition (e.g., renaming) of user-level
datasets is required when the user leaves the employment of the application. This
creates an unnecessary administrative burden to both the application and the data center.
•	Application documentation is not always current. Sound dataset naming standards are
self-documenting.
•	RACF hierarchical protection capabilities allow for protection of multiple datasets with
one RACF profile. The datasets must have hierarchical naming standards. Datasets
ACCOUNT.PROD.DATA and ACCOUNT.PROD.JCL, for example, can be protected
by one RACF profile (ACCOUNT.PROD.*). If the second dataset were named
ACCOUNT.JCL.PROD, two profiles would be required. Utilizing RACF hierarchical
capabilities eases the application RACF administrative burden.

-------
•	Access to data can best be determined based on dataset contents. Data entry personnel,
for example, may not require access to datasets containing test programs.
•	A dataset's RACF protection can be compromised if the data is placed in another
dataset that does not have equivalent protection. If dataset ACCOUNT.PROD.DATA
has no universal read access, but the data is copied by a user into dataset
USER.PROD.DATA which has universal read access, the data is obviously no longer
protected.
•	A dataset's RACF protection can also be compromised through creation of a different
group-level RACF profile for the data. If dataset
ACCOUNT.PROD.DATA.SAMPLES is RACF-protected by ACCOUNT.PROD.* with
no universal read access, the protection can be breached through creation, by a user
with RACF dataset protection authority, of RACF profile
USER.ACCOUNT.PROD.DATA.SAMPLES with a universal access of read.
Standards that address the issues and problems provide for a more efficient, secure, and easily
managed application security function.
12.2 DETERMINING ACCESS TO PROTECTED APPLICATION DATASETS
There is no complex secret to determining access requirements for application datasets. A
simple rule should be used: Access to data should be predicated on the mission support
requirement of the personnel accessing the data. For example, if an employee's responsibility
is solely data entry, the employee does not need to be able (in RACF) to create and maintain
datasets containing application software programs. Nor should the employee require any
capability for creating or protecting any application dataset.
The access rule is usually broken because standards do not exist. For example, a data entry
person is allowed to create and protect datasets into which she/he is to enter data for the current
month. A more sound practice is for the application RACF security administrator, or personnel
so designated, to preallocate the datasets at the beginning of the processing cycle and to grant
the data entry personnel update access.
Reality often does not provide sufficient personnel for a true separation of duties. Applicable
regulations, however, require separation of duties. The OIG in its March 1991 audit of the
Agency's use of RACF cited the Agency for the number of personnel with inappropriate RACF
capabilities (e.g., capability of creating and protecting datasets). Attention to policy,
decentralized control, and standards will help correct the situation. Each application employee's
job responsibilities should be evaluated against RACF access levels prior to granting the RACF
access.

-------
12.3 PROTECTING A DATASET THROUGH RACF
You should answer the following questions before you use RACF to protect your datasets:
•	Are the datasets used for production work or personal use?
•	Can the datasets be identified, grouped, and named by function (e.g., JCL, load
modules, test, development, production)?
•	What access should any general system user have to the datasets (UACC)? In other
words, what should be the base level of protection?
•	What users or accounts need access to the dataset at a level different than the UACC?
•	What levels of access do they need?
•	What level of access auditing is required for the datasets?
•	Who should be the RACF administrator of the RACF dataset profiles?
The following guidelines are provided to assist in your evaluation of these questions:
•	You should use group-level datasets (datasets whose name begins with your RACF
group) for production and other application-related datasets. You should use dataset
names beginning with your User-ID only for those datasets unrelated to production or
application.
•	Naming datasets by function (e.g., JCL, Source, Load, Data) makes the purpose of the
dataset clear for the application and its users. It also helps in determining access
requirements. Data entry personnel, for example, do not generally require access to
application source code, but do require access to load modules and data. Dividing the
data (by dataset name) into production, test, and development categories should be done
for the same reasons.
•	Establishing a dataset naming convention will help protect many datasets with a limited
number of RACF profiles. For example, the following two datasets with identical
protection requirements require two profiles:
AAAA.TEST1.DATA
AAAA.DATA.TEST2
If the first dataset is renamed to AAAA.DATA.TEST1, then the single profile
AAAA.DATA.* can be created to protect both.

-------
•	To protect everything under your User-ID and group, you can create one RACF profile
of the format UUUAAAA.* (UUU represents your User-ID, and AAAA represents
your RACF group).
•	Additional profiles will have to be created only for those datasets with different
protection and access requirements.
•	A UACC of UPDATE or ALTER does not protect your data. Any system user can
delete or change your data.
•	A UACC of READ should be used if a large number of users need to read the data.
It will be almost impossible to maintain access lists allowing a large number of users
access unless they use a small number of RACF groups which can be put in the access
list.
•	You should require a UACC of NONE for sensitive data.
•	A UACC of EXECUTE is recommended for all load module (program) datasets to
prevent copying of your load modules. This ensures that only current versions of the
programs are being executed and that a user has not copied and is using an older
version. The program library must be a partitioned dataset, however, and the programs
cannot call or load another program during execution.
•	In determining access requirements, it may be helpful to consider personnel functions;
data entry personnel may require different levels of access than programmers.
•	If you do not know who is accessing your data or their access requirements, use
WARN MODE and NOTIFY as explained in the dataset protection commands.
•	You should ask your ADP Management to establish separate RACF groups to be used
by the application:
—	Personnel with the same access requirements or functionality (e.g., data entry
personnel, programmers) can be placed in their own RACF groups.
—	The RACF group, with its own access level, can be placed in access lists. Access
lists do not have to be updated when personnel changes occur. This makes
maintenance of access lists easier.
—	RACF administration of group-level datasets is limited to the one User-ID owning
the profile. A group cannot own a profile unless users connected to (allowed to
use) the group have RACF Group-SPECIAL privileges. The use of Group-
SPECIAL provides greater flexibility in administering the profiles. All members
of the group with the privilege can administer the profile. Annual leave or other
absence of one profile administrator does not leave the application without a profile
administrator. RACF Group-SPECIAL privileges can be obtained after appropriate
training in RACF administration. This can be obtained by contacting NCC
Customer Support.

-------
These RACF commands are used to protect your data:
•	ADDSD (AD)	Add dataset protection.
•	ALTDSD (ALD)	Alter dataset protection.
•	DELDSD (DD)	Delete dataset protection.
•	PERMIT (PE)	Permit access to a protected dataset.
•	LISTDSD (LD)	List dataset protection.
You may use these commands for:
•	Any dataset whose name begins with your User-ID.
•	Any dataset for which you are the owner of the RACF profile.
•	Any dataset for which the owner of the RACF profile is a group to which you are
connected with RACF Group-SPECIAL privileges.
•	Any datasets whose name begins with a RACF group to which you are connected.
•	Any RACF-protected dataset to which you have been granted the appropriate level of
RACF access by the owner of the dataset's RACF profile.
The asterisk (*) and percent sign (%) can be used in the RACF dataset profile names that you
create:
% used to specify a match of any single character in the dataset name:
AAAA.DATA%.TEST covers datasets AAAA.DATA1 .TEST,
AAAA.DATA2.TEST, etc.
* used at the end of a dataset profile to specify a match of zero or more characters
until the end of the profile, zero or more qualifiers until the end of the profile, or
both:
AAAA.DATA*	covers datasets AAAA.DATA1, AAAA.DATA2,
AAAA.DATA1.TEST, AAAA.DATA.NEW, etc.

-------
*	used at the end of a profile to specify a match of one or more qualifiers until the
end of the profile:
AAAA.DATA.*	covers datasets AAAA.DATA.TEST,
AAAA.DATA.NEW, etc.
*	used in the middle of a profile to specify a match of any qualifier:
AAAA.*.TEST	covers datasets AAAA.DATA1.TEST,
AAAA.DATA2.TEST, AAAA.SOURCE.TEST,
etc.
*	used at the end of a qualifier in the middle of a profile to specify a match of zero or
more characters until the end of the qualifier:
AAAA.DATA*.TEST	covers dataset names AAAA.DATA1.TEST,
AAAA.DATA99.TEST, etc.
Note that the % character would not include
AAAA.DATA99.TEST, as it specifies a single
character.
A generic character cannot be contained in the high-level (beginning) qualifier of a dataset
profile.
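The generic-character rules just listed, and the section 12.1 warning about data copied into a dataset with weaker protection, can be checked mechanically. The following Python is an added example written for this page, not code from the training materials or from RACF itself; the sample profiles, their UACCs, the rejection of generic positions the text does not describe, and the ranking used to pick the most specific profile are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Access authorities from least to most permissive. EXECUTE sits between
# NONE and READ: it lets a user run a load module but not copy it.
ACCESS_RANK = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def profile_to_regex(profile: str) -> "re.Pattern[str]":
    """Translate a RACF dataset profile name into a regular expression using
    the generic-character rules in the text. Assumption: '*' in a position
    the text does not describe is rejected rather than guessed at."""
    quals = profile.upper().split(".")
    if any(ch in "%*" for ch in quals[0]):
        raise ValueError("generic character not allowed in high-level qualifier")
    last = len(quals) - 1
    parts = []
    for i, qual in enumerate(quals):
        if qual == "*":
            # ".*" at the end: one or more qualifiers to the end of the name;
            # "*" as a whole middle qualifier: exactly one qualifier.
            parts.append(r"[^.]+(?:\.[^.]+)*" if i == last else r"[^.]+")
            continue
        piece = ""
        for j, ch in enumerate(qual):
            if ch == "%":
                piece += r"[^.]"          # any single character
            elif ch == "*" and j == len(qual) - 1:
                # "DATA*" ending the profile: zero or more characters and/or
                # qualifiers; in the middle: zero or more characters to the
                # end of this qualifier only.
                piece += r".*" if i == last else r"[^.]*"
            elif ch == "*":
                raise ValueError(f"'*' must end a qualifier: {profile}")
            else:
                piece += re.escape(ch)
        parts.append(piece)
    return re.compile(r"\A" + r"\.".join(parts) + r"\Z")


def matches(profile: str, dataset: str) -> bool:
    """True if the profile covers the dataset name."""
    return profile_to_regex(profile).match(dataset.upper()) is not None


def _specificity(profile: str):
    # Position-by-position key: a literal character outranks '%', which
    # outranks '*'. Comparing these tuples left to right is a simplified
    # model (assumption) of how RACF chooses the most specific profile.
    return tuple(0 if c == "*" else 1 if c == "%" else 2 for c in profile)


def covering_profile(dataset: str, profiles: Dict[str, str]) -> Optional[str]:
    """Most specific profile in `profiles` that protects `dataset`, or None."""
    hits = [p for p in profiles if matches(p, dataset)]
    return max(hits, key=_specificity) if hits else None


def effective_uacc(dataset: str, profiles: Dict[str, str]) -> str:
    """UACC a general user gets on the dataset; 'UNPROTECTED' if no profile."""
    hit = covering_profile(dataset, profiles)
    return profiles[hit] if hit else "UNPROTECTED"


def weaker_copies(source: str, copies: List[str],
                  profiles: Dict[str, str]) -> List[str]:
    """Copies whose UACC is more permissive than the source's: the section
    12.1 case where copying data out of ACCOUNT.PROD.DATA defeats its profile."""
    def rank(uacc: str) -> int:
        return len(ACCESS_RANK) if uacc == "UNPROTECTED" else ACCESS_RANK.index(uacc)
    base = rank(effective_uacc(source, profiles))
    return [c for c in copies if rank(effective_uacc(c, profiles)) > base]


# Constructed sample profiles (name -> UACC), not taken from any real system.
PROFILES = {
    "ACCOUNT.PROD.*": "NONE",
    "ACCOUNT.PROD.LOAD": "EXECUTE",
    "ACCOUNT.TEST.*": "READ",
    "USER.*": "READ",
}

if __name__ == "__main__":
    for name in ["AAAA.DATA1.TEST", "AAAA.DATA99.TEST"]:
        print(name, matches("AAAA.DATA%.TEST", name), matches("AAAA.DATA*.TEST", name))
    print(weaker_copies("ACCOUNT.PROD.DATA",
                        ["USER.PROD.DATA", "ACCOUNT.PROD.BACKUP", "ORPHAN.DATA"],
                        PROFILES))
```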
To create a RACF dataset profile to protect a dataset or a hierarchy of datasets, issue the
ADDSD (AD) command under TSO:
AD 'profile name' AUDIT(audit criteria(audit level))
ERASE GENERIC NOTIFY(User-ID) OWNER(owner) UACC(uacc)
WARNING
These items require special mention:
ERASE	Specifies that the system is to overwrite the DASD space occupied by
your dataset with binary 1's and 0's to totally erase your data when the
dataset is deleted. This prevents intentional or inadvertent recovery of
your data by another user gaining access to the identical DASD space.
This option should be used only for especially sensitive data.

-------
NOTIFY	Specifies a User-ID to be notified interactively of access attempts against
the dataset. Notification is especially useful for identifying users of the
data prior to fully protecting your data through RACF when used with the
WARNING option.
WARNING	Specifies that users attempting to gain access to the data will be notified
that they do not have sufficient access. Access will still be granted to the
user. This feature is useful to notify users that at some point in the future
their access will be denied, but that now a grace period exists.
GENERIC	Specifies that the dataset profile to be created is a generic profile. This
option is not required if the dataset profile contains generic characters, but
it is required for a fully qualified dataset name not containing generic
characters.
Use the following sequence of RACF ISPF panels to create a RACF dataset profile.

RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

RACF - DATASET PROFILE SERVICES
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

-------

RACF - DATASET PROFILE SERVICES - ADD
COMMAND ===>

ENTER THE FOLLOWING INFORMATION:
PROFILE NAME   ===> 'dataset name'
GENERIC        ===> YES   YES for a generic profile
TYPE           ===>       Blank, MODEL, or TAPE
VOLUME SERIAL  ===>       If a discrete profile and the dataset is not cataloged
UNIT           ===>       If you are adding a profile and specified VOLUME SERIAL
PASSWORD       ===>       Dataset password, if the data is password protected
USE A MODEL    ===>       YES or NO

RACF - ADD DATASET PROFILE
COMMAND ===>

PROFILE: 'dataset name'

ENTER OR CHANGE THE FOLLOWING INFORMATION:
OWNER            ===> UUU   User-ID or group name
LEVEL            ===> 0     0-99
FAILED ACCESSES  ===>       FAIL or WARN
UACC             ===>       NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
AUDIT SUCCESSES  ===>       READ, UPDATE, CONTROL, ALTER, or NOAUDIT
AUDIT FAILURES   ===>       READ, UPDATE, CONTROL, ALTER, or NOAUDIT
INDICATOR        ===>       SET, NOSET, or ONLY
NOTIFY           ===>       User-ID
ERASE ON DELETE  ===>       YES or blank
TO ADD OPTIONAL INFORMATION, ENTER YES ===> NO

-------
Use the ALTDSD (ALD) command under TSO to change a RACF dataset profile:
ALD 'profile name' AUDIT(audit criteria(audit level)) ERASE
GENERIC NOTIFY(User-ID) OWNER(User-ID) WARNING
NOERASE, NONOTIFY, and NOWARNING are used to cancel the ERASE,
NOTIFY, and WARNING options.
Use the following sequence of RACF ISPF panels to change a RACF dataset profile.

RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

RACF - DATASET PROFILE SERVICES
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

-------
RACF - DATASET PROFILE SERVICES - CHANGE
COMMAND ===>

ENTER THE FOLLOWING INFORMATION:
PROFILE NAME   ===> 'dataset name'
GENERIC        ===>       YES for a generic profile
TYPE           ===>       Blank, MODEL, or TAPE
VOLUME SERIAL  ===>       If a discrete profile and the dataset is not cataloged
UNIT           ===>       If you are adding a profile and specified VOLUME SERIAL
PASSWORD       ===>       Dataset password, if the data is password protected
USE A MODEL    ===>       YES or NO

RACF - CHANGE DATASET PROFILE
COMMAND ===>
PROFILE: 'dataset name'
ENTER THE DESIRED CHANGES:
OWNER             ===>   User-ID or group name
LEVEL             ===>   0-99
FAILED ACCESSES   ===>   FAIL or WARN
UACC              ===>   NONE, READ, UPDATE, CONTROL, ALTER OR EXECUTE
AUDIT SUCCESSES   ===>   READ, UPDATE, CONTROL, ALTER, or NOAUDIT
AUDIT FAILURES    ===>   READ, UPDATE, CONTROL, ALTER, or NOAUDIT
REMOVE NOTIFY     ===>   YES or blank
NOTIFY USER       ===>   User-ID
ERASE ON DELETE   ===>   YES, NO or blank
RETENTION PERIOD  ===>   (Tape only) 0-65533 (days) or 99999 (for never expires)
TO CHANGE OPTIONAL INFORMATION, ENTER YES

-------
To delete an existing RACF dataset profile, issue the DELDSD (DD) command under TSO:
DD 'profile name'
or use the following sequence of RACF ISPF panels.

RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

RACF - DATASET PROFILE SERVICES
OPTION ===> 3
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

-------
RACF - DATASET PROFILE SERVICES - DELETE
COMMAND ===>
ENTER THE FOLLOWING INFORMATION:
PROFILE NAME	===> 'dataset name'
GENERIC	===>	YES for a generic profile
TYPE	===>	Blank, MODEL, or TAPE
VOLUME SERIAL	===>	If a discrete profile and the
dataset is not cataloged
UNIT	===>	If you are adding a profile
and specified VOLUME SERIAL
PASSWORD	===>	Dataset password, if the data
is password protected
USE A MODEL	===>	YES or NO
RACF - DELETE DATASET PROFILE
COMMAND ===>
PROFILE: 'dataset name'
IF THE PROFILE IS DISCRETE, ENTER OR VERIFY THE INDICATOR:
INDICATOR	===> NOSET To turn the indicator off, enter SET
To leave indicator as is, enter NOSET
To confirm the delete request, press the ENTER key.
(The profile will be deleted.)
To cancel the delete request, enter the END command.

-------
To permit User-IDs and/or groups access to the dataset(s) protected by the RACF dataset
profile, issue the PERMIT (PE) command under TSO:
PE 'profile name' ID(User-ID,User-ID,group) ACCESS(access)
or use the following sequence of RACF ISPF panels.

RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

RACF - DATASET PROFILE SERVICES
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

-------
RACF - DATASET PROFILE SERVICES - ACCESS
COMMAND ===>

ENTER THE FOLLOWING INFORMATION:
PROFILE NAME   ===> 'dataset name'
GENERIC        ===> Y     YES for a generic profile
TYPE           ===>       Blank, MODEL, or TAPE
VOLUME SERIAL  ===>       If a discrete profile and the dataset is not cataloged
UNIT           ===>       If you are adding a profile and specified VOLUME SERIAL
PASSWORD       ===>       Dataset password, if the data is password protected
USE A MODEL    ===>       YES or NO

RACF - MAINTAIN DATASET ACCESS LIST
OPTION ===> 1

PROFILE: 'dataset name'

SELECT ONE OF THE FOLLOWING:
1   ADD      Add users or groups. Copy the access list from an existing profile.
2   REMOVE   Remove specific users and groups from the access list.
3   RESET    Remove all users and groups from the access list.

RACF - MAINTAIN DATASET ACCESS LIST - ADD
COMMAND ===>
PROFILE: 'dataset name'
ENTER YES FOR EITHER OR BOTH OF THE FOLLOWING:
COPY     ===> NO    YES to copy the access list from another profile.
SPECIFY  ===> YES   YES to specify the users and groups to be added to the access list.

-------
RACF - MAINTAIN DATASET ACCESS LIST - ADD
COMMAND ===>
PROFILE: 'dataset name'
ENTER THE ACCESS AUTHORITY TO BE GRANTED:
AUTHORITY	===>	NONE, READ, UPDATE,
CONTROL, ALTER or EXECUTE
ENTER THE USERS OR GROUPS FOR WHICH ENTRIES ARE TO BE ADDED:
===> User-ID ===> User-ID ===> group ===> group ===>
TO ADD THESE ENTRIES TO THE CONDITIONAL ACCESS LIST,
ENTER YES ===>
To remove User-IDs and/or groups from the access list of the RACF dataset profile, issue the
PERMIT command under TSO:
PE 'profile name' ID(User-ID,User-ID,group) DELETE
or use the following sequence of RACF ISPF panels.

RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

-------

RACF - DATASET PROFILE SERVICES
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

RACF - MAINTAIN DATASET ACCESS LIST
OPTION ===> 2

PROFILE: 'dataset name'

SELECT ONE OF THE FOLLOWING:
1   ADD      Add users or groups. Copy the access list from an existing profile.
2   REMOVE   Remove specific users and groups from the access list.
3   RESET    Remove all users and groups from the access list.

RACF - MAINTAIN DATASET ACCESS LIST - REMOVE
COMMAND ===>

PROFILE: 'dataset name'

ENTER THE USERS AND GROUPS FOR WHICH ENTRIES ARE TO BE REMOVED:
===> User-ID ===> User-ID ===> group ===> group ===>

TO REMOVE ENTRIES FROM THE CONDITIONAL ACCESS LIST, ENTER YES ===>
To remove all User-IDs and groups from the access list, issue the PERMIT command under
TSO:
PE 'profile name' RESET
or use the following sequence of RACF ISPF panels.

-------

RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

RACF - DATASET PROFILE SERVICES
OPTION ===> 4
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

RACF - MAINTAIN DATASET ACCESS LIST
OPTION ===> 3

PROFILE: 'dataset name'

SELECT ONE OF THE FOLLOWING:
1   ADD      Add users or groups. Copy the access list from an existing profile.
2   REMOVE   Remove specific users and groups from the access list.
3   RESET    Remove all users and groups from the access list.

RACF - RESET ACCESS LIST
COMMAND ===>
PROFILE: 'dataset name'
TO SELECT THE ACCESS LIST OR LISTS TO BE RESET, ENTER YES:
STANDARD     ===> YES   To reset the standard access list.
CONDITIONAL  ===> NO    To reset the conditional access list.

-------
To display the contents of your RACF dataset profile issue the LISTDSD (LD) command:
LD DA('profile name') all
or use the following sequence of RACF ISPF panels (a sample output follows the panels).
RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1   DATASET PROFILES
2   GENERAL RESOURCE PROFILES
3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4   USER PROFILES AND YOUR OWN PASSWORD
5   SYSTEM OPTIONS
8   VM MINIDISK PROFILES
9   VM FILE PROFILES
10  VM DIRECTORY PROFILES
98  TUTORIAL
99  EXIT

RACF - DATASET PROFILE SERVICES
OPTION ===> 8
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

-------
RACF - DATASET PROFILE SERVICES - DISPLAY
COMMAND ===>
ENTER THE FOLLOWING INFORMATION:
PROFILE NAME   ===> 'dataset name'
GENERIC        ===> YES   YES for a generic profile
TYPE           ===>       Blank, MODEL, or TAPE
VOLUME SERIAL  ===>       If a discrete profile and the dataset is not cataloged
UNIT           ===>       If you are adding a profile and specified VOLUME SERIAL
PASSWORD       ===>       Dataset password, if the data is password protected
USE A MODEL    ===>       YES or NO

RACF - DISPLAY DATASET PROFILE
COMMAND ===>
PROFILE: 'dataset name'
TO SELECT INFORMATION TO BE DISPLAYED, ENTER YES:
ACCESS LIST  ===>   Profile access list
HISTORY      ===>   Profile history
STATISTICS   ===>   Profile use statistics
DFP          ===>   Profile DFP information
DATASETS     ===>   Protected datasets
NO RACF      ===>   Limit the display to the selected information.
TO LIMIT THE DISPLAY TO PROFILES FOR DATASETS ON SPECIFIC VOLUMES,
ENTER ONE OR MORE VOLUME SERIAL NUMBERS:

-------
BROWSE - RACF COMMAND OUTPUT                    LINE 00000000 COL 001 080
COMMAND ===>                                    SCROLL ===> PAGE

INFORMATION FOR DATASET dataset name (G)

LEVEL  OWNER  UNIVERSAL ACCESS  WARNING  ERASE
00     UUU    NONE              NO       NO

AUDITING
FAILURES(READ)

NOTIFY
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
ALTER        AAAA            NON-VSAM

GLOBALAUDIT
NONE

NO INSTALLATION DATA

SECURITY LEVEL
NO SECURITY LEVEL

CATEGORIES
NO CATEGORIES

SECLABEL
NO SECLABEL

ID     ACCESS
UUU    READ
UUU    READ

ID     ACCESS  CLASS  ENTITY NAME
NO ENTRIES IN CONDITIONAL ACCESS LIST

******************************** BOTTOM OF DATA ********************************

-------
The SEARCH command is used to search the RACF database for a list of all RACF dataset
profiles which meet the specified search criteria. The search can be combined with the CLIST
generating capability of the command to perform any of the RACF dataset profile functions for
the profiles found by the search. Issue the SEARCH (SR) command under TSO:
SR
A listing of all of your RACF dataset profiles will be directed to your terminal.
To search for all of your RACF dataset profiles for which you have specified the WARN option,
issue:
SR WARNING
To search for specific profiles, you may use either the MASK or FILTER operand (but not both
together). The FILTER option allows you to build more complex search arguments. Issue the
command under TSO as follows:
SR MASK(search argument1, search argument2)
where each search argument consists of a string of alphanumeric characters used to define the range
of profiles to be included in the search. The two search arguments combined cannot exceed 44
characters. For example:
SR MASK(AAAA.*)	would return all dataset profiles beginning with the
string AAAA.
SR FILTER(AAAA.DATA%)	would return a list of all dataset profiles beginning
with AAAA and having a second qualifier of
DATA and ending with any character.
SR FILTER(AAAA.DATA.*)	would return a list of all dataset profiles beginning
with AAAA.DATA and having any other characters
in the third or remaining qualifiers.

-------
To use the CLIST function, issue the CLIST form of the command under TSO as follows:
SR CLIST('string1' 'string2')
where string1 is any valid RACF command and string2 is any valid operand for the command.
The dataset profile found by the search command is inserted between the two strings. For
example:
SR CLIST('LD DA(' ') ALL')	would build a CLIST containing commands of the
format LD DA('dataset name') ALL
A CLIST dataset with a name of the format UUUAAAA.EXEC.RACF.CLIST is built. The
commands can be modified using the ISPF editor prior to execution if desired. To execute the
CLIST, issue the following command under TSO:
EX EXEC.RACF.CLIST
The commands in the CLIST will be executed.
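The MASK search and the CLIST-building step can be modelled outside TSO to see exactly which profiles a mask selects and which records the SR CLIST form produces. This Python is an added example written for this page, not part of the original materials or of RACF; the profile table and its WARNING flags are constructed, and the TSOEXEC record layout follows the editor screen shown later in this section.

```python
from typing import Dict, List

MASK_LIMIT = 44  # the two MASK arguments combined may not exceed 44 characters


def search_mask(profiles: Dict[str, dict], arg1: str, arg2: str = "",
                warning_only: bool = False) -> List[str]:
    """Model of SR MASK(arg1,arg2) [WARNING]: profile names that begin with
    arg1 and contain arg2 somewhere after it, optionally limited to profiles
    that carry the WARNING option. An empty arg1 lists every profile, as a
    bare SR does."""
    if len(arg1) + len(arg2) > MASK_LIMIT:
        raise ValueError("MASK arguments combined exceed 44 characters")
    arg1, arg2 = arg1.upper(), arg2.upper()
    found = []
    for name, attrs in profiles.items():
        if not name.startswith(arg1):
            continue
        if arg2 and arg2 not in name[len(arg1):]:
            continue
        if warning_only and not attrs.get("warning", False):
            continue
        found.append(name)
    return sorted(found)


def build_clist(names: List[str], string1: str, string2: str) -> List[str]:
    """Model of SR CLIST('string1' 'string2'): each profile name found is
    inserted, quoted, between the two strings to form one TSOEXEC record."""
    return [f"TSOEXEC {string1}'{name}'{string2}" for name in names]


# Constructed sample of RACF dataset profiles and their WARNING setting.
PROFILES = {
    "AAAA.DATA.TEST": {"warning": True},
    "AAAA.DATA.NEW": {"warning": False},
    "AAAA.SOURCE.LIB": {"warning": False},
    "BBBB.DATA.TEST": {"warning": True},
}

if __name__ == "__main__":
    # Equivalent of SR MASK(AAAA.,DATA) CLIST('LD DA(' ') ALL')
    names = search_mask(PROFILES, "AAAA.", "DATA")
    for record in build_clist(names, "LD DA(", ") ALL"):
        print(record)
```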
Use the following sequence of RACF ISPF panels to perform the search and CLIST functions:
RACF - SERVICES OPTION MENU
OPTION ===> 1
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

-------

RACF - DATASET PROFILE SERVICES
OPTION ===> 9
SELECT ONE OF THE FOLLOWING:
1   ADD       Add a profile
2   CHANGE    Change a profile
3   DELETE    Delete a profile
4   ACCESS    Maintain the access lists
5   AUDIT     Monitor access attempts (for auditors only)
8   DISPLAY   Display profile contents
9   SEARCH    Search the RACF database for profiles

RACF - SEARCH FOR DATASET PROFILES
COMMAND ===>

ENTER MASK(S) OR FILTER (OPTIONAL):
MASK1   ===> string1   Selects profiles with names that begin with the specified
                       character string.
MASK2   ===> string2   Selects profiles with names that contain the specified
                       string somewhere after MASK1.
FILTER  ===>           Selects profiles with names that match the specified
                       character string.
Press ENTER to continue.

RACF - SEARCH FOR DATASET PROFILES
COMMAND ===>
ENTER THE DESIRED SEARCH CRITERIA (OPTIONAL):
AGE   ===>        0-99999 (days)
TYPE  ===> ALL    GENERIC, DISCRETE, VSAM, NONVSAM, MODEL, TAPE or ALL
USER  ===>        Enter a User-ID to select the profiles the user is authorized to see
TO SPECIFY ADDITIONAL SEARCH CRITERIA, ENTER YES ===> Y

-------
RACF - SEARCH FOR DATASET PROFILES
COMMAND ===>
ENTER ONE OF THE FOLLOWING SEARCH CRITERIA (OPTIONAL):
WARNING         ===>   YES or NO
LEVEL           ===>   0-99
SECURITY LEVEL  ===>   Enter a security-level name, or enter * to select
                       profiles with an undefined security-level.
CATEGORY        ===>   Enter a category name, or enter * to select
                       profiles with an undefined category.
SECURITY LABEL  ===>   Enter a security label name.

RACF - GENERATE TSO CLIST
COMMAND ===>

ENTER STRINGS TO DEFINE THE CLIST RECORD.
STRING1 ===> string1
STRING2 ===> string2

TO DISPLAY NAMES WHICH APPEAR IN THE GENERATED CLIST, ENTER YES ===> NO

RACF - SEARCH CLIST PROCESSING
OPTION ===> 1

SELECT ONE OF THE FOLLOWING:
1   EDIT      Edit the CLIST dataset UUUAAAA.EXEC.RACF.CLIST
2   EXECUTE   Run the TSO CLIST
To return to the RACF selection menu, enter the END command.

-------
Selecting option 1, EDIT, on the preceding screen will place you in the ISPF editor. A sample
ISPF editor screen is shown below:
EDIT ---- UUUAAAA.EXEC.RACF.CLIST ------------------------------ COLUMNS 009 080
COMMAND ===>                                                  SCROLL ===> PAGE
****** ***************************** TOP OF DATA ******************************
000010 TSOEXEC LD DA('dataset name') ALL
000020 TSOEXEC LD DA('dataset name') ALL
****** *************************** BOTTOM OF DATA *****************************
A trick to use if you have to add many RACF dataset profiles is to create one or more initial
dataset profiles to be used as models for the additional dataset profiles you will create later.
You can then specify these as models when adding additional dataset profiles.
In the example below, a generic dataset profile UUUAAAA.SOURCE.LIB is used as a model
for a new dataset profile. UUUAAAA.SOURCE.LIB has been previously created with an
OWNER of UUU and a UACC of READ. User-ID1 has been granted UPDATE access, and
User-ID2 has been granted ALTER access. The following command creates a generic RACF
dataset profile for UUUAAAA.JCL using UUUAAAA.SOURCE.LIB as a model:
AD 'UUUAAAA.JCL' FGENERIC FROM ('UUUAAAA.SOURCE.LIB') GENERIC
Since the model dataset profile does not contain any generic characters, FGENERIC is used to
tell RACF that the model profile is a generic dataset profile. The FROM option specifies the
dataset profile to be used as a model. Since the dataset profile to be created does not contain
any generic characters, the GENERIC option is used to tell RACF that the dataset profile is to
be a generic profile.
Dataset profile UUUAAAA.JCL will have an OWNER of UUU and a UACC of READ. User-ID1
will have UPDATE access, and User-ID2 will have ALTER access. User-ID UUU will
be added to the access list with ALTER access.

-------
12.4 PROTECTING TAPES THROUGH RACF
The following statements apply for protection of tape data:
•	Only tape volumes can be protected.
•	Individual datasets on a tape volume cannot currently be protected.
•	The level of protection you specify for the tape volume will apply to all datasets on the
tape.
—	Avoid placing data that needs protection and data that does not need protection on
the same tape volume.
—	Avoid placing data with different protection requirements on the same tape.
The RACF RDEFINE (RDEF) command can be typed interactively under TSO to protect a tape
volume:
RDEF TAPEVOL 999999 AUDIT(audit criteria(access level)) OWNER(owner)
UACC(uacc)
where
999999 represents the tape volume number (volser) that you supply,
audit criteria is the type of access attempts you want audited,
access level is the level of access attempts you want to audit.
owner is the User-ID you want to own and control the tape volume's protection (RACF
profile).
uacc is the access you want any user on the system to have to your data (READ, UPDATE,
ALTER, NONE).
You can also use the following sequence of RACF ISPF panels to protect your tape data:

-------
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 1

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

RACF - GENERAL RESOURCE SERVICES - ADD
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> TAPEVOL
PROFILE ===> 999999
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

-------
RACF - ADD GENERAL RESOURCE PROFILE
COMMAND ===>

CLASS:   TAPEVOL
PROFILE: 999999

ENTER OR CHANGE THE FOLLOWING INFORMATION:
OWNER            ===> User-ID   User-ID or group name
LEVEL            ===> 0         0-99
FAILED ACCESSES  ===>           FAIL or WARN
UACC             ===>           NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
AUDIT SUCCESSES  ===>           READ, UPDATE, CONTROL, ALTER or NOAUDIT
AUDIT FAILURES   ===>           READ, UPDATE, CONTROL, ALTER or NOAUDIT
NOTIFY           ===>           User-ID
TO ADD OPTIONAL INFORMATION, ENTER YES ===>
You may alter the RACF profile to change any of its information or to add additional
information. To do this, type the RALTER (RALT) command under TSO:
RALT TAPEVOL 999999 AUDIT(audit criteria (audit level)) OWNER(User-ID)
UACC(uacc)
The following sequence of RACF ISPF panels can be used to alter the profile for a tape.
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

-------

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 2

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

RACF - GENERAL RESOURCE SERVICES - CHANGE
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> TAPEVOL
PROFILE ===> 012300
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - CHANGE GENERAL RESOURCE PROFILE
COMMAND ===>
CLASS:   TAPEVOL
PROFILE: 012300
ENTER THE DESIRED CHANGES:
OWNER            ===>   User-ID or group name
LEVEL            ===>   0-99
FAILED ACCESSES  ===>   FAIL or WARN
UACC             ===>   NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
AUDIT SUCCESSES  ===>   READ, UPDATE, CONTROL, ALTER, or NOAUDIT
AUDIT FAILURES   ===>   READ, UPDATE, CONTROL, ALTER, or NOAUDIT
REMOVE NOTIFY    ===>   YES or Blank
NEW NOTIFY       ===>   New User-ID
TO CHANGE OPTIONAL INFORMATION, ENTER YES ===>

-------
In order to delete the RACF profile for a tape, type the RDELETE (RDEL) command under
TSO:
RDEL TAPEVOL 999999
If your tapes contain sensitive data, you should contact NCC Customer Support to obtain
information on degaussing services. Degaussing removes all data from your tape so that it
cannot be recovered by the next user of the tape.
The next sequence of RACF ISPF panels can be used to delete your tape's RACF profile.
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 3

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

-------
RACF - GENERAL RESOURCE SERVICES - DELETE
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> TAPEVOL
PROFILE ===> 999999
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - DELETE GENERAL RESOURCE PROFILE
COMMAND ===>

CLASS:   TAPEVOL
PROFILE: 999999
To confirm the delete request, press the ENTER key.
(The profile will be deleted.)
To cancel the delete request, enter the END command.
Any user on the system will be granted the access which you specified in the profile's UACC.
If you want a user or all users of a particular RACF group to have a different level of access,
you must grant them that access. To grant access to the tape through the RACF profile, use the
RACF PERMIT (PE) command:
PE 999999 CLASS(TAPEVOL) ACCESS(access level) ID(User-ID, User-ID, group)
A separate PERMIT command is required for each access level you want to grant. For
example, to grant READ access to Jack and UPDATE access to Jill and all users of group Hill,
type the following commands:
PE 999999 CLASS(TAPEVOL) ACCESS(READ) ID(Jack)
PE 999999 CLASS(TAPEVOL) ACCESS(UPDATE) ID(Jill,Hill)
The PERMIT command is also used to deny access. For example, if John is a user in group
Hill, you can deny him access (the other users of group Hill will not be affected):
PE 999999 CLASS(TAPEVOL) ACCESS(NONE) ID(John)

-------
The PERMIT command is also used to remove someone from the access list. If you want to
remove Jack from the access list, type the following command:
PERMIT 999999 CLASS(TAPEVOL) ID(Jack) DELETE
To remove all User-IDs and groups from the access list, type the following PERMIT command:
PERMIT 999999 CLASS(TAPEVOL) RESET
The following sequence of RACF ISPF panels is used to perform the preceding functions. Like
the interactive command, the panel sequence must be executed for each access level you want
to grant (only the add function is shown in the example).

RACF - SERVICES OPTION MENU
OPTION ===> 2

SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 4

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

-------
RACF - GENERAL RESOURCE SERVICES - ACCESS
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> TAPEVOL
PROFILE ===> 999999
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - MAINTAIN GENERAL RESOURCE ACCESS LIST
OPTION ===> 1

CLASS:   TAPEVOL
PROFILE: 999999
SELECT ONE OF THE FOLLOWING:
1 ADD      Add users or groups.
           Copy the access list from an existing profile.
2 REMOVE   Remove specified users and groups from the access list.
3 RESET    Remove all users and groups from the access list.

RACF - MAINTAIN GENERAL RESOURCE ACCESS LIST - ADD
COMMAND ===>

CLASS:   TAPEVOL
PROFILE: 999999

ENTER YES FOR EITHER OR BOTH OF THE FOLLOWING:
COPY    ===>        YES to copy the access list from another profile.
SPECIFY ===> YES    YES to specify the users and groups to be added to the access list.

-------
RACF - MAINTAIN GENERAL RESOURCE ACCESS LIST - ADD
COMMAND ===>

CLASS:   TAPEVOL
PROFILE: 999999
ENTER THE ACCESS AUTHORITY TO BE GRANTED:
AUTHORITY ===> READ    NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
ENTER THE USERS OR GROUPS FOR WHICH ENTRIES ARE TO BE ADDED:
===> JACK      ===>           ===>           ===>           ===>
===>           ===>           ===>           ===>           ===>
===>           ===>           ===>           ===>           ===>
===>           ===>           ===>           ===>           ===>
TO ADD THESE ENTRIES TO A CONDITIONAL ACCESS LIST, ENTER YES ===>
Use the RLIST (RL) command to display the tape's RACF profile and its access list:
RL TAPEVOL 999999 ALL
Use the following sequence of RACF ISPF panels to perform this function (a sample output is
provided).
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

-------

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 8

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

RACF - GENERAL RESOURCE SERVICES - DISPLAY
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> TAPEVOL
PROFILE ===> 999999
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

-------
13.0 DEFINING A SURROGATE USER-ID
You should not share your User-ID and password with another individual. However, under a
RACF 1.9 feature, you can allow other individuals to execute batch jobs under your User-ID
without them having to know your password. This allows execution of jobs for which you are
responsible when you are not available to execute the jobs (e.g., annual leave). This feature is
especially useful when an application has a particular User-ID which is used to execute and track
all production jobs.
You are accountable for anything done under your User-ID. This feature of RACF protects you
from liability in the following ways:
•	The person executing under your User-ID is known to the system.
•	The person executing under your User-ID does not have to know your password.
•	You do not have to hard-code your password in JCL where it may be discovered by
another individual.
In other words, you maintain control over your User-ID and password and their use. You
should be aware that anyone you allow to execute batch jobs under your User-ID receives all
access and privileges of your User-ID. The individual could, for example, submit a batch job
under your User-ID to delete all of your files.
You can use this feature of RACF by defining a RACF profile and coding appropriate
information in the jobcard of the batch job to be executed under your User-ID. You allow
individuals to execute batch jobs under your User-ID by granting them READ access in the
profile's access list.
For example, assume that JOE wants to submit a job under User-ID TOM. The jobcard would
contain TOM as the first three characters of the job name. An additional field "USER" would
be included on the jobcard. In this example, the field would be coded as USER=TOM.
To define the RACF surrogate User-ID profile, issue the RDEFINE command either in TSO
batch or under interactive TSO:
RDEFINE SURROGAT your user-id.SUBMIT UACC(NONE) OWNER(your user-id)
You can also use the following sequence of RACF ISPF panels to define a surrogate User-ID:

-------

RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 1

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

RACF - GENERAL RESOURCE SERVICES - ADD
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> SURROGAT
PROFILE ===> user-id.SUBMIT
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

-------
RACF - ADD GENERAL RESOURCE PROFILE
COMMAND ===>

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT

ENTER OR CHANGE THE FOLLOWING INFORMATION:
OWNER            ===> User-ID   User-ID or group name
LEVEL            ===> 0         0-99
FAILED ACCESSES  ===>           FAIL or WARN
UACC             ===>           NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
AUDIT SUCCESSES  ===>           READ, UPDATE, CONTROL, ALTER or NOAUDIT
AUDIT FAILURES   ===>           READ, UPDATE, CONTROL, ALTER or NOAUDIT
NOTIFY           ===>           User-ID
TO ADD OPTIONAL INFORMATION, ENTER YES ===>
You may alter the RACF profile to change any of its information or to add additional
information. To do this, type the RALTER (RALT) command under TSO:
RALT SURROGAT user-id.SUBMIT AUDIT(audit criteria (audit level)) OWNER(User-ID) UACC(uacc)
The following sequence of RACF ISPF panels can be used to alter the profile for a surrogate
User-ID:
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

-------

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 2

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

RACF - GENERAL RESOURCE SERVICES - CHANGE
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> SURROGAT
PROFILE ===> user-id.SUBMIT
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - CHANGE GENERAL RESOURCE PROFILE
COMMAND ===>

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT

ENTER THE DESIRED CHANGES:
OWNER            ===>   User-ID or group name
LEVEL            ===>   0-99
FAILED ACCESSES  ===>   FAIL or WARN
UACC             ===>   NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
AUDIT SUCCESSES  ===>   READ, UPDATE, CONTROL, ALTER, or NOAUDIT
AUDIT FAILURES   ===>   READ, UPDATE, CONTROL, ALTER, or NOAUDIT
REMOVE NOTIFY    ===>   YES or Blank
NEW NOTIFY       ===>   New User-ID
TO CHANGE OPTIONAL INFORMATION, ENTER YES ===>

-------
In order to delete the RACF profile for a surrogate User-ID, type the RDELETE (RDEL)
command under TSO:
RDEL SURROGAT user-id.SUBMIT
The next sequence of RACF ISPF panels can be used to delete your RACF surrogate User-ID.
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 3

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

-------
RACF - GENERAL RESOURCE SERVICES - DELETE
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> SURROGAT
PROFILE ===> user-id.SUBMIT
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - DELETE GENERAL RESOURCE PROFILE
COMMAND ===>

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT
To confirm the delete request, press the ENTER key.
(The profile will be deleted.)
To cancel the delete request, enter the END command.
Any user on the system will be granted the access which you specified in the profile's UACC.
If you want a user or all users of a particular RACF group to have a different level of access,
you must grant them that access. To grant access through the RACF profile, use the RACF
PERMIT (PE) command:
PE user-id.SUBMIT CLASS(SURROGAT) ACCESS(access level) ID(User-ID, User-ID, group)
A separate PERMIT command is required for each access level you want to grant. For
example, to grant READ access to Jack and UPDATE access to Jill and all users of group Hill,
type the following commands:
PE user-id.SUBMIT CLASS(SURROGAT) ACCESS(READ) ID(Jack)
PE user-id.SUBMIT CLASS(SURROGAT) ACCESS(UPDATE) ID(Jill,Hill)

-------
The PERMIT command is also used to deny access. For example, if John is a user on group
Hill, you can deny him access. (The other users of group Hill will not be affected.)
PE user-id.SUBMIT CLASS(SURROGAT) ACCESS(NONE) ID(John)
The PERMIT command is also used to remove someone from the access list. If you want to
remove Jack from the access list, type the following command:
PERMIT user-id.SUBMIT CLASS(SURROGAT) ID(Jack) DELETE
To remove all User-IDs and groups from the access list, type the following PERMIT command:
PERMIT user-id.SUBMIT CLASS(SURROGAT) RESET
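The following Python model is an added illustration and is not code from this manual or from IBM RACF. It shows how the PERMIT commands above (and the identical ones for tape volume 999999 in section 12.4) change a profile's access list, how a user's effective access is then resolved, and how the SURROGAT check of section 13.0 applies that result when a jobcard carries USER= naming another User-ID. The resolution rules in the docstring, the User-IDs TOM, JOE, JACK, JILL, JOHN and MARY, group HILL, and the sample jobcard are all assumptions constructed for the example.

```python
"""Simplified model of RACF access-list resolution and of the SURROGAT check
made when a batch job is submitted with USER= naming another User-ID.
Added example, not code from the EPA manual or from IBM RACF. These rules
are simplifying assumptions: an explicit User-ID entry on the access list
overrides group entries; otherwise the highest group entry applies; otherwise
UACC applies; a resource with no profile is inaccessible; levels are ordered
NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER."""
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def rank(level):
    return LEVELS.index(level.upper())

@dataclass
class Profile:
    cls: str              # RACF class, e.g. TAPEVOL or SURROGAT
    name: str             # profile name, e.g. 999999 or TOM.SUBMIT
    owner: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # User-ID or group -> level

class RacfModel:
    def __init__(self):
        self.profiles = {}   # (class, name) -> Profile
        self.groups = {}     # group -> set of member User-IDs

    def rdefine(self, cls, name, owner, uacc="NONE"):   # RDEFINE cls name ...
        self.profiles[(cls, name)] = Profile(cls, name, owner, uacc)

    def connect(self, user, group):                      # CONNECT user GROUP(g)
        self.groups.setdefault(group, set()).add(user)

    def permit(self, name, cls, ids=(), access=None, delete=False, reset=False):
        """PERMIT name CLASS(cls) ACCESS(level) ID(...), or ... DELETE / RESET."""
        acl = self.profiles[(cls, name)].acl
        if reset:
            acl.clear()
            return
        for ident in ids:
            if delete:
                acl.pop(ident, None)
            else:
                acl[ident] = access.upper()

    def effective_access(self, cls, name, user):
        prof = self.profiles.get((cls, name))
        if prof is None:
            return "NONE"                    # assumption: no profile, no access
        if user in prof.acl:                 # explicit User-ID entry wins outright
            return prof.acl[user]
        via_groups = [prof.acl[g] for g, members in self.groups.items()
                      if user in members and g in prof.acl]
        if via_groups:
            return max(via_groups, key=rank)  # best of the user's group entries
        return prof.uacc                     # nothing listed: UACC applies

    def is_allowed(self, cls, name, user, needed):
        return rank(self.effective_access(cls, name, user)) >= rank(needed)

def jobcard_user(jobcard):
    """Return (jobname, USER= value or None) from a JOB statement.
    Naive comma split; a quoted field containing a comma needs a real parser."""
    body = jobcard[2:]                       # drop the leading //
    user = None
    for param in body.split(","):
        if param.strip().upper().startswith("USER="):
            user = param.strip()[5:].upper()
    return body.split()[0], user

def submit(racf, submitter, jobcard):
    """User-ID the job will run under, or None if RACF would reject the job."""
    _, user = jobcard_user(jobcard)
    if user is None or user == submitter:
        return submitter
    # Surrogate submission: submitter needs READ to <user>.SUBMIT in SURROGAT.
    ok = racf.is_allowed("SURROGAT", f"{user}.SUBMIT", submitter, "READ")
    return user if ok else None

def demo():
    racf = RacfModel()
    for u in ("JACK", "JILL", "JOHN"):
        racf.connect(u, "HILL")
    # Tape 999999 as in the manual: READ to Jack, UPDATE to Jill and group
    # Hill, then John (a Hill member) denied by an individual NONE entry.
    racf.rdefine("TAPEVOL", "999999", owner="UUU", uacc="NONE")
    racf.permit("999999", "TAPEVOL", ["JACK"], access="READ")
    racf.permit("999999", "TAPEVOL", ["JILL", "HILL"], access="UPDATE")
    racf.permit("999999", "TAPEVOL", ["JOHN"], access="NONE")
    users = ("JACK", "JILL", "JOHN", "MARY")
    before = {u: racf.effective_access("TAPEVOL", "999999", u) for u in users}
    racf.permit("999999", "TAPEVOL", ["JACK"], delete=True)  # Jack now via Hill
    after = {u: racf.effective_access("TAPEVOL", "999999", u) for u in users}
    racf.rdefine("SURROGAT", "TOM.SUBMIT", owner="TOM", uacc="NONE")
    racf.permit("TOM.SUBMIT", "SURROGAT", ["JOE"], access="READ")
    card = "//TOMNIGHT JOB (AAAAUUUID,XXXX),'NIGHTLY RUN',USER=TOM"  # constructed
    runs_as = {who: submit(racf, who, card) for who in ("JOE", "JACK", "TOM")}
    return before, after, runs_as
```

Two points the model makes visible: an individual ACCESS(NONE) entry for John denies him even though his group Hill has UPDATE, which is why the manual says the other Hill members are unaffected; and removing Jack's own READ entry with DELETE does not remove his access but raises it to the group's UPDATE, so an access-list cleanup should be checked against group membership afterwards (RLIST ... ALL shows the resulting list).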
The following sequence of RACF ISPF panels is used to perform the preceding functions. Like
the interactive command, the panel sequence must be executed for each access level you want
to grant (only the add function is shown in the example).
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 4

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

-------
RACF - GENERAL RESOURCE SERVICES - ACCESS
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> SURROGAT
PROFILE ===> user-id.SUBMIT
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - MAINTAIN GENERAL RESOURCE ACCESS LIST
OPTION ===> 1

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT
SELECT ONE OF THE FOLLOWING:
1 ADD      Add users or groups.
           Copy the access list from an existing profile.
2 REMOVE   Remove specified users and groups from the access list.
3 RESET    Remove all users and groups from the access list.

RACF - MAINTAIN GENERAL RESOURCE ACCESS LIST - ADD
COMMAND ===>

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT
ENTER YES FOR EITHER OR BOTH OF THE FOLLOWING:
COPY    ===>        YES to copy the access list from another profile.
SPECIFY ===> YES    YES to specify the users and groups to be added to the access list.

-------
RACF - MAINTAIN GENERAL RESOURCE ACCESS LIST - ADD
COMMAND ===>

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT

ENTER THE ACCESS AUTHORITY TO BE GRANTED:
AUTHORITY ===> READ    NONE, READ, UPDATE, CONTROL, ALTER or EXECUTE
ENTER THE USERS OR GROUPS FOR WHICH ENTRIES ARE TO BE ADDED:
===> JACK      ===>           ===>           ===>
===>           ===>           ===>           ===>
===>           ===>           ===>           ===>
===>           ===>           ===>           ===>
===>           ===>           ===>           ===>
===>           ===>           ===>           ===>
===>           ===>           ===>           ===>
===>           ===>           ===>           ===>
TO ADD THESE ENTRIES TO A CONDITIONAL ACCESS LIST, ENTER YES ===>

Use the RLIST (RL) command to display the RACF profile and its access list:
RL SURROGAT user-id.SUBMIT ALL
Use the following sequence of RACF ISPF panels to perform this function (sample output is
provided).
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1	DATASET PROFILES
2	GENERAL RESOURCE PROFILES
3	GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4	USER PROFILES AND YOUR OWN PASSWORD
5	SYSTEM OPTIONS
8	VM MINIDISK PROFILES
9	VM FILE PROFILES
10 VM DIRECTORY PROFILES
98	TUTORIAL
99	EXIT

-------

RACF - GENERAL RESOURCE PROFILE SERVICES
OPTION ===> 8

SELECT ONE OF THE FOLLOWING:
1  ADD       Add a profile
2  CHANGE    Change a profile
3  DELETE    Delete a profile
4  ACCESS    Maintain access list
5  AUDIT     Monitor access attempts (Auditors only)
8  DISPLAY   Display profile contents
9  SEARCH    Search the RACF database for profiles

RACF - GENERAL RESOURCE SERVICES - DISPLAY
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> SURROGAT
PROFILE ===> user-id.SUBMIT
<==end of data
USE A MODEL	===>	YES or NO
Note: Embedded Blanks are not allowed in class or profile names.
(If working with a FILE or DIRECTORY name which contains blanks,
please return to the RACF - SERVICES OPTION MENU and select
either VM FILE PROFILES or VM DIRECTORY PROFILES option.)

RACF - DISPLAY GENERAL RESOURCE PROFILE
COMMAND ===>

CLASS:   SURROGAT
PROFILE: user-id.SUBMIT

For one or more of the following enter YES:
DISCRETE        ===> YES   Discrete profiles
GENERIC         ===>       Generic profiles
RESOURCE GROUP  ===>       Group profiles that have the resource as a member.
To select information to be displayed, enter YES:
ACCESS LIST     ===> YES   Profile access list
HISTORY         ===>       Profile history
STATISTICS      ===>       Profile use statistics
TVTOC           ===>       Tape Volume Table of Contents
SESSION         ===>       VTAM session segment
DLF DATA        ===>       Data lookaside facility
NO RACF         ===>       Limit the display to the selected information.

-------
BROWSE - RACF COMMAND OUTPUT ------------------------ LINE 00000000 COL 001 080
COMMAND ===>                                                  SCROLL ===> PAGE

CLASS      NAME
SURROGAT   user-id.SUBMIT

LEVEL  OWNER  UNIVERSAL ACCESS  YOUR ACCESS  WARNING
 00    UUU    READ              ALTER        NO

INSTALLATION DATA
NONE

APPLICATION DATA
NONE

AUDITING
FAILURES(READ)

GLOBALAUDIT
NONE

AUTOMATIC  SINGLE DATASET
NO         NO

NOTIFY
NO USER TO BE NOTIFIED

-------
14.0 PROTECTING DATA IN YOUR COMPUTER JOBS
Computer job output waiting in the queues to be printed can be accessed and viewed by a user.
If your computer jobs contain data that you want to protect, you can use RACF to protect it.
Additionally, you can use RACF to grant another user control over your output (e.g., print,
purge).
The RACF general resource panels and commands (the same panels used to create a surrogate
User-ID or to protect a tape volume) are used to protect your job output:
•	Use JESSPOOL as the RACF class (instead of SURROGAT or TAPEVOL).
•	The profile should be in the following format:
localnodeid.user-id.jobname.jobid.dsnumber.name
The local node ID is the computer node on which your job was executed. You should supply
&RACLNDE for this value. &RACLNDE is a RACF variable which is used by the system.
The system will place the appropriate local node ID in this variable for you.
The user-id you should supply should be your User-ID.
The jobname in the profile is the name of the job whose output you want to protect.
The jobid in the profile is the jobid assigned to your job by JES. It will not be known to you
prior to submission.
The dsnumber in the profile is a unique letter assigned by JES to the spool data set. This will
not generally be known to you prior to job execution.
The name in the profile is the name associated with the DSN parameter in your JCL and which
will be placed on the spool.
Since many of the variables in the profile will not be known to you prior to job submission, you
can use an asterisk (*) in place of those variables unknown to you. The simplest way in
which to protect your job output is to create a profile of the following format:
&RACLNDE.your user-id.*
To protect an individual job (e.g., xxxtest), create a profile of the following format:
&RACLNDE.your user-id.xxxtest.*

-------
The PERMIT command or the appropriate RACF panels are used to grant another individual
access to your computer job output. The following access levels are allowed:
READ	The individual can read your job output.
UPDATE	The individual can update the contents of your job output.
CONTROL	Same as UPDATE.
ALTER	The individual is allowed full control over your job output (purge, print,
	route, etc.).
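As an added illustration of the JESSPOOL profile format and access levels described in section 14.0 (this is not the manual's code and not IBM's matching algorithm), the following Python block resolves which generic profile covers a given spool data set name and what access a user then has to it. The local node name NCCNODE, User-IDs TOM, JOE and ANN, the job names, job IDs and spool data set names, and the simplified matching rules listed in the docstring are all constructed assumptions.

```python
"""Which JESSPOOL profile covers a spool data set, and what access it yields.
Added example, not the manual's code or IBM's matching algorithm. Simplifying
assumptions: &RACLNDE is replaced by the local node name; a '*' qualifier
matches exactly one qualifier; a trailing '*' matches all remaining qualifiers;
among matching profiles the one with the longest literal prefix (qualifiers
before the first '*') is chosen, standing in for RACF's most-specific rule;
CONTROL is treated as UPDATE for spool data, as the manual states; a spool
data set that no profile covers is treated as inaccessible."""

LOCAL_NODE = "NCCNODE"   # constructed placeholder for the value of &RACLNDE
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 2, "ALTER": 3}


def expand(profile):
    return profile.replace("&RACLNDE", LOCAL_NODE).upper()


def matches(profile, resource):
    """True if the (possibly generic) profile name covers the resource name."""
    pq, rq = expand(profile).split("."), resource.upper().split(".")
    for i, q in enumerate(pq):
        if i >= len(rq):
            return False
        if q == "*":
            if i == len(pq) - 1:
                return True            # trailing * covers everything after it
            continue                   # embedded * covers this one qualifier
        if q != rq[i]:
            return False
    return len(pq) == len(rq)          # no generic tail: lengths must agree


def literal_prefix(profile):
    n = 0
    for q in expand(profile).split("."):
        if q == "*":
            break
        n += 1
    return n


def covering_profile(profiles, resource):
    hits = [name for name in profiles if matches(name, resource)]
    return max(hits, key=literal_prefix) if hits else None


def spool_access(profiles, resource, user, needed):
    """profiles: {profile name: {"uacc": level, "acl": {User-ID: level}}}.
    Group entries are omitted here to keep the example short."""
    name = covering_profile(profiles, resource)
    if name is None:
        return False
    prof = profiles[name]
    level = prof["acl"].get(user, prof["uacc"])
    return ACCESS_RANK[level] >= ACCESS_RANK[needed]


def demo():
    # Constructed profiles for User-ID TOM: all of TOM's output readable by JOE,
    # but the TOMTEST job's output fully controllable (purge, route) by JOE.
    profiles = {
        "&RACLNDE.TOM.*": {"uacc": "NONE", "acl": {"JOE": "READ"}},
        "&RACLNDE.TOM.TOMTEST.*": {"uacc": "NONE", "acl": {"JOE": "ALTER"}},
    }
    # Constructed spool data set names: node.user.jobname.jobid.dsnumber.name
    nightly = f"{LOCAL_NODE}.TOM.TOMNIGHT.JOB01234.D0000102.SYSPRINT"
    test = f"{LOCAL_NODE}.TOM.TOMTEST.JOB01299.D0000103.SYSPRINT"
    return {
        "nightly_profile": covering_profile(profiles, nightly),
        "test_profile": covering_profile(profiles, test),
        "joe_reads_nightly": spool_access(profiles, nightly, "JOE", "READ"),
        "joe_purges_nightly": spool_access(profiles, nightly, "JOE", "ALTER"),
        "joe_purges_test": spool_access(profiles, test, "JOE", "ALTER"),
        "ann_reads_nightly": spool_access(profiles, nightly, "ANN", "READ"),
    }
```

The point worth checking in a real environment is the second one: when both the broad &RACLNDE.user-id.* profile and a job-specific profile exist, the job-specific one governs that job's output, so a grant made on the broad profile does not reach output already covered by the narrower one, and vice versa.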

-------
15.0 APPLICATION RACF AUDITOR
Each application is responsible for ensuring that all the RACF security concepts documented in
this manual and adopted by the application are in place and used. Consequently, each
application's ADP management must appoint a responsible individual to audit the application's
RACF security. This individual should be as independent as far as possible from those audited
in the application. For example, an EPA employee can audit contractors, but an EPA employee
could not reasonably audit the person responsible for the performance appraisal of the auditor.
The application auditor will be granted the RACF Group-AUDITOR privilege. This privilege
allows the individual to view all RACF resource profiles belonging to the application.
Access to audit data and to the RACF report writer will be granted to the application RACF
auditor so that audit reports can be generated and viewed for the purpose of auditing security
events (e.g., bad passwords, unsuccessful data access attempts, etc.) associated with the
application.
An application certification audit as described in this manual should be conducted at least every
3 years and should be completed as part of the application's certification to OIRM. The results
of application certification audits should be documented in a written report and should be
available in the event of application audits by EPA's Office of Inspector General. Operational
audits should be performed daily.
The following subsections describe a basic application certification audit methodology and the
use of the RACF report writer. Additional information is presented on the use of a utility
provided by IBM for obtaining information from the RACF dataset. It should be noted that
neither audit methodology encompasses an audit of the application's internal controls; the
methodologies are limited to RACF and general security auditing.
15.1 TYPES OF AUDITS
There are two basic types of audits: certification and operational. A certification audit should
be conducted at least every 3 years as part of an application risk assessment or as a part of
OIRM required application security certification. This type of audit takes a detailed look at
various aspects of application security. For the purpose of this manual, this type of audit
ensures that application policies and procedures exist.

-------
15.2 APPLICATION CERTIFICATION AUDIT
15.2.1 Application Policies and Procedures
The application auditor should ask the application RSA for a copy of all application policies and
procedures. These should be reviewed for completeness and conformity with the concepts
described in this manual.
15.2.2	Application Worksheets
The application auditor should ask the RSA for the completed worksheets for the application
from Appendix A of this document. The RSA should complete these worksheets if a prepared
copy is not available. The worksheet contents should be examined for conformity with the
concepts in this manual (for example, resource access based on need or job role/function) and
with application policies and procedures. Any problem areas should be addressed with the RSA.
The RSA should rectify any problem areas before the next stage of the audit.
15.2.3 Application Dataset Protection and Access
The application auditor should execute the necessary RACF commands to search for and display
the contents of all application RACF dataset profiles. The resulting listings should be compared
against the worksheets, and any discrepancies and/or problems resolved with the application
RSA. Close attention should be given to the audit criteria specified in the profiles to ensure that
adequate audit criteria are being specified.
15.2.4 User-IDs with CREATE and GRPACC Authorities
The application auditor should issue the appropriate RACF commands to list all application
User-IDs. The results of these listings should be compared with the worksheets obtained from
the RSA. Any discrepancies and/or problems should be resolved with the RSA.
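The comparison steps in 15.2.2 through 15.2.4 (profile listings against the RSA's worksheets, with a check of the audit criteria) can be mechanised once the listing is in a parseable form. The following script is an added example and is not part of the manual or of IBM's RACF; the profile text it reads is a constructed, simplified rendering modelled loosely on LISTDSD output (the INFORMATION FOR DATASET / UNIVERSAL ACCESS / AUDITING / PERMIT lines are assumptions, not an exact LISTDSD parser), the worksheet is a constructed dictionary standing in for the Appendix A worksheet, and "adequate audit criteria" is taken, as an assumption, to mean that at least failed accesses are logged.

```python
"""Certification-audit reconciliation of RACF dataset profiles against
application worksheets (manual sections 15.2.2 to 15.2.4).

Added example, not from the EPA manual or from IBM. The listing format,
the worksheet layout and the minimum audit criterion are all assumptions.
"""
import re

# RACF dataset access levels, least to most permissive.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

HEADER_RE = re.compile(r"^INFORMATION FOR DATASET (\S+)$")
PERMIT_RE = re.compile(r"^PERMIT (\S+) ([A-Z]+)$")


def parse_profiles(text):
    """Parse the constructed listing into
    {profile: {"uacc": str, "audit": str, "acl": {id: access}}}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"uacc": "NONE", "audit": "NONE", "acl": {}}
            profiles[m.group(1)] = current
            continue
        if current is None:
            raise ValueError(f"data before first profile header: {line!r}")
        m = PERMIT_RE.match(line)
        if m:
            current["acl"][m.group(1)] = m.group(2)
        elif line.startswith("UNIVERSAL ACCESS "):
            current["uacc"] = line.split()[-1]
        elif line.startswith("AUDITING "):
            current["audit"] = line.split(None, 1)[1]
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return profiles


def audits_failures(audit):
    """Assumed minimum criterion: failed accesses are logged
    (AUDIT(FAILURES(...)) or AUDIT(ALL(...)))."""
    return "FAILURES(" in audit or "ALL(" in audit


def reconcile(profiles, worksheet):
    """Return sorted (profile, finding) pairs for the auditor to raise with the RSA."""
    findings = []
    for name, want in worksheet.items():
        prof = profiles.get(name)
        if prof is None:
            findings.append((name, "no RACF profile found for worksheet entry"))
            continue
        want_uacc = want.get("uacc", "NONE")
        if ACCESS_RANK[prof["uacc"]] > ACCESS_RANK[want_uacc]:
            findings.append((name, f"UACC is {prof['uacc']}, worksheet allows {want_uacc}"))
        if not audits_failures(prof["audit"]):
            findings.append((name, f"inadequate audit criteria: AUDITING {prof['audit']}"))
        for ident, access in prof["acl"].items():
            expected = want["acl"].get(ident)
            if expected is None:
                findings.append((name, f"{ident} permitted {access} but is not on the worksheet"))
            elif ACCESS_RANK[access] > ACCESS_RANK[expected]:
                findings.append((name, f"{ident} has {access}, worksheet allows {expected}"))
        for ident in sorted(want["acl"].keys() - prof["acl"].keys()):
            findings.append((name, f"{ident} is on the worksheet but has no permit"))
    for name in sorted(profiles.keys() - worksheet.keys()):
        findings.append((name, "profile exists but is not on any worksheet"))
    return sorted(findings)


# Constructed sample listing (profile and user names are made up).
SAMPLE_LISTING = """
INFORMATION FOR DATASET PAYR.MASTER.**
UNIVERSAL ACCESS NONE
AUDITING FAILURES(READ)
PERMIT PAYRUSR READ
PERMIT PAYRUPD UPDATE
PERMIT PAYRADM ALTER
PERMIT TEMP01 ALTER

INFORMATION FOR DATASET PAYR.REPORTS.**
UNIVERSAL ACCESS READ
AUDITING NONE
PERMIT PAYRUSR UPDATE

INFORMATION FOR DATASET PAYR.OLD.**
UNIVERSAL ACCESS NONE
AUDITING FAILURES(READ)
PERMIT PAYRADM ALTER
"""

# Constructed worksheet: access each ID should have, based on job role.
WORKSHEET = {
    "PAYR.MASTER.**": {"uacc": "NONE", "acl": {"PAYRUSR": "READ", "PAYRUPD": "UPDATE", "PAYRADM": "ALTER"}},
    "PAYR.REPORTS.**": {"uacc": "NONE", "acl": {"PAYRUSR": "READ", "PAYRADM": "ALTER"}},
    "PAYR.AUDIT.**": {"uacc": "NONE", "acl": {"PAYRADM": "ALTER"}},
}

if __name__ == "__main__":
    for profile, finding in reconcile(parse_profiles(SAMPLE_LISTING), WORKSHEET):
        print(f"{profile}: {finding}")
```

Each finding maps to one of the manual's resolution paths: a permit that is not on the worksheet, a UACC or access level above what the worksheet allows, and a profile without failure auditing all go back to the RSA before the next stage of the audit; a worksheet entry with no profile means the data is unprotected and needs a profile before anything else.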
15.3 OPERATIONAL AUDITS
Operational audits are performed through the processing of System Facility Management (SMF)
data by IBM's RACF report writer. SMF data is generated by the system and is based on audit
criteria specified by (1) the NCC auditor and (2) the application in RACF resource profiles. The
application auditor must, therefore, ensure in the application certification audit that adequate
audit criteria are specified in all application resource profiles.

-------
15.3.1 RACF Report Writer
More detailed information than that presented in this manual regarding the use of the RACF
report writer can be obtained from the Resource Access Control Facility, RACF Auditor's Guide,
which is available from the IBM Corporation.
The RACF report writer is best executed in an overnight batch job because of the amount of
time required to process SMF data. The following JCL should be used to execute the RACF
report writer:
//UUURW JOB (AAAAUUUID,XXXX),'%%RACF REPORT WRITER',NOTIFY=UUU,
// PRTY=2,CLASS=I,MSGCLASS=P,TIME=2
/*JOBPARM LINES=9999,FORMS=8381
//*
//STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=75,COND=(0,NE,STEP0)
//RSMFIN DD DSN=JSSA.SMF.RACF.DATA,DISP=SHR
//SYSOUT DD SYSOUT=A
//SYSPRINT DD SYSOUT=A
//SYSTSPRT DD SYSOUT=A
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,(100,20),RLSE)
//SORTWK02 DD UNIT=SYSDA,SPACE=(CYL,(100,20),RLSE)
//SORTWK03 DD UNIT=SYSDA,SPACE=(CYL,(100,20),RLSE)
//SYSTSIN DD *
RACFRW SAVE('AAAA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS
END
RACFRW TITLE('RACF COMMAND USAGE BY SPECIAL USERS')
NOFORMAT DSNAME('AAAA.RACFRW.DAILY.OUTPUT')
LIST SORT(USER DATE TIME) ASCEND
SELECT PROCESS AUTHORITY(SPECIAL)
SUM COMMAND BY(USER)
END
RACFRW TITLE('RESOURCE AND COMMAND VIOLATIONS')
NOFORMAT DSNAME('AAAA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS VIOLATIONS
EVENT ALLCOMMAND
EVENT ALLSVC CLASS(DATASET) DSQUAL(ZZZZ)
SUM USER BY(RESOURCE)
SUM COMMAND BY(USER)
LIST SORT(USER DATE TIME) ASCEND
END
RACFRW TITLE('USER PASSWORD CHANGES')
NOFORMAT DSNAME('AAAA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS SUCCESSES
EVENT PASSWORD
SUM USER
LIST SORT(USER DATE TIME) ASCEND
END
RACFRW TITLE('USER LOGON PROBLEM REPORT') GENSUM
NOFORMAT DSNAME('AAAA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS VIOLATIONS
EVENT LOGON
SUM USER
LIST SORT(DATE TIME USER) ASCEND
END
/*
The auditor should change the following:
- All occurrences of UUU to his/her User-ID.
- All occurrences of AAAA to his/her account number.
- All occurrences of UUUID to his/her FIMAS ID.
- All occurrences of XXXX to his/her box number.
- All occurrences of ZZZZ to the data set high-level qualifier(s) for audit reports desired.
The JCL will produce the following reports:
• RACF Command Usage by SPECIAL Users (commands issued by application RSAs
who have the Group-SPECIAL privilege). The report should be viewed daily to
establish a pattern of use by the RSAs. Once this has been done, subsequent use of this
report would be to detect issuance of commands by RSAs which are inconsistent with
RSA responsibilities (e.g., connecting another User-ID to an account with the RACF
Group-SPECIAL privilege) or outside the normal pattern of behavior. Any detected
problems should be addressed with the responsible RSA, with follow-up as required for
unresolved problems with ADP management.
• Resource and Command Violations (unsuccessful attempts by application users to issue
RACF commands or to access application resources). This report should be presented
to the application RSA, who should rule out any problems resulting from an insufficient
level of access granted to the user. The application auditor should contact any user for
whom the RSA cannot make such a determination. The application auditor should pursue
any unresolved problems, or uncooperative users, with appropriate ADP management.

-------
• User Password Changes (password changes by application customers). This report will
indicate whether or not application users are recycling their passwords (changing them
10 times in a row) to circumvent password change requirements. The user should be
contacted. If he/she is uncooperative or continues to circumvent password change
requirements, his/her system access should be revoked by the RSA until appropriate
ADP management administrative action can be brought to bear.
• User Logon Problem Report (application users who are experiencing system logon
problems: bad accounts or bad passwords). This report should be provided to the RSA
responsible for password resets. The RSA should contact each user (if the user has not
already contacted the RSA) and offer assistance in resolving the problem. The RSA
should refer any problems encountered to the application auditor for research and
resolution (e.g., a user says that he has no problem and that someone must have been
trying to use the User-ID).
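The three daily checks described for these reports (commands issued under SPECIAL authority that hand out the SPECIAL privilege, users recycling passwords 10 times in a row, and logon failures by hour as in the report writer's general summary) can be run over the process records once they are exported. The script below is an added example, not part of the manual and not IBM code. Its input is a constructed one-line rendering of a process record (DATE TIME SYSID USER GROUP TERMINAL LVL EVENT QUAL AUTH=(x), with the command text after a "|" separator); that layout, the user IDs and terminals in the sample, and the choice of which event-1 qualifiers count as violations are all assumptions. The event and qualifier numbers follow the key printed with the sample reports later in this section (event 1 = logon, 13 = ALTUSER, 14 = CONNECT, 18 = PASSWORD, qualifier 0 = success), and the threshold of 10 is the manual's own figure.

```python
"""Operational-audit checks over RACF report writer process records
(manual section 15.3.1). Added example; not from the EPA manual or IBM.

Input line layout (CONSTRUCTED, an assumption of this example):
  DATE TIME SYSID USER GROUP TERMINAL LVL EVENT QUAL AUTH=(x) [| command text]
"""
from collections import Counter
from dataclasses import dataclass
import re

EVENT_LOGON, EVENT_ALTUSER, EVENT_CONNECT, EVENT_PASSWORD = 1, 13, 14, 18
# Event-1 qualifiers the key lists as successes (0, 8, 12, 13) or warnings
# (20, 21, 22, 24, 31); every other qualifier is treated as a violation (assumption).
LOGON_NON_VIOLATION = {0, 8, 12, 13, 20, 21, 22, 24, 31}

RECORD_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{3}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<sysid>\S+) (?P<user>\S+) "
    r"(?P<group>\S+) (?P<terminal>\S+) (?P<lvl>\d+) (?P<event>\d+) (?P<qual>\d+) "
    r"AUTH=\((?P<auth>[A-Z]+)\)(?: \| (?P<command>.+))?$"
)


@dataclass(frozen=True)
class ProcessRecord:
    date: str
    time: str
    sysid: str
    user: str
    group: str
    terminal: str
    event: int
    qual: int
    auth: str
    command: str


def parse_records(text):
    """Parse the constructed listing; reject any line that does not fit the layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsable process record: {line!r}")
        records.append(ProcessRecord(m["date"], m["time"], m["sysid"], m["user"], m["group"],
                                     m["terminal"], int(m["event"]), int(m["qual"]),
                                     m["auth"], m["command"] or ""))
    return records


def password_recyclers(records, threshold=10):
    """(user, date, count) for users with `threshold` or more successful PASSWORD
    commands on one day: the recycling pattern the User Password Changes report exposes."""
    counts = Counter((r.user, r.date) for r in records
                     if r.event == EVENT_PASSWORD and r.qual == 0)
    return sorted((u, d, n) for (u, d), n in counts.items() if n >= threshold)


def special_privilege_grants(records):
    """Commands issued under SPECIAL authority that hand out the SPECIAL attribute
    (CONNECT ... SPECIAL or ALTUSER ... SPECIAL); NOSPECIAL does not match."""
    grants = re.compile(r"\bSPECIAL\b")
    return [r for r in records
            if r.auth == "SPECIAL" and r.event in (EVENT_ALTUSER, EVENT_CONNECT)
            and grants.search(r.command)]


def logon_violations_by_hour(records):
    """24-bucket histogram like the JOB/LOGON VIOLATIONS BY HOUR line of the general summary."""
    hist = [0] * 24
    for r in records:
        if r.event == EVENT_LOGON and r.qual not in LOGON_NON_VIOLATION:
            hist[int(r.time[:2])] += 1
    return hist


# Constructed sample records (user IDs, terminals and times are made up).
SAMPLE = "\n".join(
    ["92.268 13:38:45 EPA2 RSA01 APPG T24BK056 0 13 0 AUTH=(SPECIAL) | ALTUSER USR02 PASSWORD(****) RESUME",
     "92.268 13:41:02 EPA2 RSA01 APPG T24BK056 0 14 0 AUTH=(SPECIAL) | CONNECT USR02 GROUP(APPG) SPECIAL",
     "92.268 13:42:10 EPA2 RSA01 APPG T24BK056 0 14 0 AUTH=(SPECIAL) | CONNECT USR03 GROUP(APPG) AUTHORITY(USE)",
     "92.268 13:43:30 EPA2 RSA01 APPG T24BK056 0 13 0 AUTH=(SPECIAL) | ALTUSER USR03 NOSPECIAL",
     "92.268 08:45:49 EPA2 USR05 APPG T06AA022 0 1 1 AUTH=(NONE)",
     "92.268 08:46:12 EPA2 USR05 APPG T06AA022 0 1 1 AUTH=(NONE)",
     "92.268 14:01:01 EPA2 USR06 APPG H0411230 0 1 0 AUTH=(NONE)",
     "92.268 23:59:59 EPA2 USR06 APPG H0411230 0 1 6 AUTH=(NONE)",
     "92.268 09:30:00 EPA2 USR08 APPG T0600512 0 18 0 AUTH=(NORMAL)"]
    # ten password changes in a row by one user on one day
    + [f"92.268 09:{i:02d}:00 EPA2 USR07 APPG T0600512 0 18 0 AUTH=(NORMAL)" for i in range(10)]
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("password recyclers:", password_recyclers(recs))
    print("SPECIAL grants:", [(r.user, r.command) for r in special_privilege_grants(recs)])
    print("logon violations by hour:", logon_violations_by_hour(recs))
```

The RSA check deliberately keys on the AUTH field recorded with the command rather than on the user ID, since the point of the report is what was done with SPECIAL authority, whoever held it on the day; a user who was later stripped of the attribute still shows up for the period in which they had it.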
15.3.2 RACF Audit Report Examples
On the following pages are examples of RACF Audit Reports.

-------
92.269 13:34:59                RACF REPORT                PAGE 1
RACF COMMAND USAGE BY SPECIAL USERS
COMMAND GROUP ENTERED -
RACFRW TITLE('RACF COMMAND USAGE BY SPECIAL USERS') NOFORMAT DSNAME('JSSA.RACFRW.DAILY.OUTPUT')
LIST SORT(USER DATE TIME) ASCEND
SELECT PROCESS AUTHORITY(SPECIAL)
SUM COMMAND BY(USER)
END
EVENT/QUALIFIER KEY
EVENT  QUALIFIER  MEANING
1                 JOB INITIATION / TSO LOGON/LOGOFF
       0          SUCCESSFUL INITIATION
       1          INVALID PASSWORD
       2          INVALID GROUP
       3          INVALID OIDCARD
       4          INVALID TERMINAL/CONSOLE
       5          INVALID APPLICATION
       6          REVOKED USERID ATTEMPTING ACCESS
       7          USERID AUTOMATICALLY REVOKED
       8          SUCCESSFUL TERMINATION
       9          UNDEFINED USERID
       10         INSUFFICIENT SECURITY LABEL AUTHORITY
       11         NOT AUTHORIZED TO SECURITY LABEL
       12         SUCCESSFUL RACINIT INITIATION
       13         SUCCESSFUL RACINIT DELETE
       14         SYSTEM NOW REQUIRES MORE AUTHORITY
       15         REMOTE JOB ENTRY - JOB NOT AUTHORIZED
       16         SURROGAT CLASS IS INACTIVE
       17         SUBMITTER IS NOT AUTHORIZED BY USER
       18         SUBMITTER IS NOT AUTHORIZED TO SECURITY LABEL
       19         USER IS NOT AUTHORIZED TO SUBMIT JOB
       20         WARNING-INSUFFICIENT SECURITY LABEL AUTHORITY
       21         WARNING-SECURITY LABEL MISSING FROM JOB, USER, OR PROFILE
       22         WARNING-NOT AUTHORIZED TO SECURITY LABEL
       23         SECURITY LABELS NOT COMPATIBLE
       24         WARNING-SECURITY LABELS NOT COMPATIBLE
       25         CURRENT PASSWORD HAS EXPIRED
       26         INVALID NEW PASSWORD
       27         VERIFICATION FAILED BY INSTALLATION
       28         GROUP ACCESS HAS BEEN REVOKED
       29         OIDCARD IS REQUIRED
       30         NETWORK JOB ENTRY - JOB NOT AUTHORIZED
       31         WARNING-UNKNOWN USER FROM TRUSTED NODE PROPAGATED
2                 RESOURCE ACCESS
       0          SUCCESSFUL ACCESS
       1          INSUFFICIENT AUTHORITY
       2          PROFILE NOT FOUND - RACFIND SPECIFIED ON MACRO
       3          ACCESS PERMITTED DUE TO WARNING
       4          FAILED DUE TO PROTECTALL
       5          WARNING ISSUED DUE TO PROTECTALL
       6          INSUFFICIENT CATEGORY/SECLEVEL
       7          INSUFFICIENT SECURITY LABEL AUTHORITY
       8          WARNING-SECURITY LABEL MISSING FROM JOB, USER, OR PROFILE

-------
92.269 13:34:59                RACF REPORT                PAGE 2
RACF COMMAND USAGE BY SPECIAL USERS
EVENT  QUALIFIER  MEANING
       9          WARNING-INSUFFICIENT SECURITY LABEL AUTHORITY
       10         WARNING-DATA SET NOT CATALOGED
       11         DATA SET NOT CATALOGED
       12         PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
       13         WARNING: INSUFFICIENT CATEGORY/SECLEVEL
3                 ADDVOL/CHGVOL
       0          SUCCESSFUL PROCESSING OF NEW VOLUME
       1          INSUFFICIENT AUTHORITY
       2          INSUFFICIENT SECURITY LABEL AUTHORITY
       3          LESS SPECIFIC PROFILE EXISTS WITH DIFFERENT SECLABEL
4                 RENAME RESOURCE
       0          SUCCESSFUL RENAME
       1          INVALID GROUP
       2          USER NOT IN GROUP
       3          INSUFFICIENT AUTHORITY
       4          RESOURCE NAME ALREADY DEFINED
       5          USER NOT DEFINED TO RACF
       6          RESOURCE NOT PROTECTED
       7          WARNING- RESOURCE NOT PROTECTED
       8          USER IN SECOND QUALIFIER IS NOT RACF DEFINED
       9          LESS SPECIFIC PROFILE EXISTS WITH DIFFERENT SECLABEL
       10         INSUFFICIENT SECURITY LABEL AUTHORITY
       11         RESOURCE NOT PROTECTED BY SECURITY LABEL
       12         NEW NAME NOT PROTECTED BY SECURITY LABEL
       13         NEW SECLABEL MUST DOMINATE OLD SECLABEL
       14         WARNING: INSUFFICIENT SECURITY LABEL AUTHORITY
       15         WARNING: RESOURCE NOT PROTECTED BY SECURITY LABEL
       16         WARNING: NEW NAME NOT PROTECTED BY SECURITY LABEL
       17         WARNING: NEW SECLABEL MUST DOMINATE OLD SECLABEL
5                 DELETE RESOURCE
       0          SUCCESSFUL SCRATCH
       1          RESOURCE NOT FOUND
       2          INVALID VOLUME
6                 DELETE ONE VOLUME OF A MULTIVOLUME RESOURCE
       0          SUCCESSFUL DELETION
7                 DEFINE RESOURCE
       0          SUCCESSFUL DEFINITION
       1          GROUP UNDEFINED
       2          USER NOT IN GROUP
       3          INSUFFICIENT AUTHORITY
       4          RESOURCE NAME ALREADY DEFINED
       5          USER NOT DEFINED TO RACF
       6          RESOURCE NOT PROTECTED
       7          WARNING- RESOURCE NOT PROTECTED
       8          WARNING-SECURITY LABEL MISSING FROM JOB, USER, OR PROFILE
       9          WARNING-INSUFFICIENT SECURITY LABEL AUTHORITY
       10         USER IN SECOND QUALIFIER IS NOT RACF DEFINED
       11         INSUFFICIENT SECURITY LABEL AUTHORITY
       12         LESS SPECIFIC PROFILE EXISTS WITH DIFFERENT SECURITY LABEL

-------
92.269 13:34:59                RACF REPORT                PAGE 3
RACF COMMAND USAGE BY SPECIAL USERS
EVENT  QUALIFIER  MEANING
8                 ADDSD COMMAND
9                 ADDGROUP COMMAND
10                ADDUSER COMMAND
11                ALTDSD COMMAND
12                ALTGROUP COMMAND
13                ALTUSER COMMAND
14                CONNECT COMMAND
15                DELDSD COMMAND
16                DELGROUP COMMAND
17                DELUSER COMMAND
18                PASSWORD COMMAND
19                PERMIT COMMAND
20                RALTER COMMAND
21                RDEFINE COMMAND
22                RDELETE COMMAND
23                REMOVE COMMAND
24                SETROPTS COMMAND
25                RVARY COMMAND
       0          NO VIOLATIONS DETECTED
       1          INSUFFICIENT AUTHORITY
       2          KEYWORD VIOLATIONS DETECTED
       3          SUCCESSFUL LISTING OF DATA SETS
       4          SYSTEM ERROR IN LISTING OF DATA SETS
26                APPCLU
       0          PARTNER VERIFICATION WAS SUCCESSFUL
       1          SESSION ESTABLISHED WITHOUT VERIFICATION
       2          LOCAL LU KEY WILL EXPIRE IN <= 5 DAYS
       3          PARTNER LU ACCESS HAS BEEN REVOKED
       4          PARTNER LU KEY DOES NOT MATCH THIS LU KEY
       5          SESSION TERMINATED FOR SECURITY REASON
       6          REQUIRED SESSION KEY NOT DEFINED
       7          POSSIBLE SECURITY ATTACK BY PARTNER LU
       8          SESSION KEY NOT DEFINED FOR PARTNER LU
       9          SESSION KEY NOT DEFINED FOR THIS LU
       10         SNA SECURITY RELATED PROTOCOL ERROR
       11         PROFILE CHANGE DURING VERIFICATION
       12         EXPIRED SESSION KEY
REPORT KEY
- AN '*' PREFIXED TO A USER OR GROUP NAME INDICATES THE NAME IS ACTUALLY A JOB OR STEP NAME, RESPECTIVELY
- THE PHRASE 'UNDEFINED USER' REFERS TO THOSE TSO LOGONS WHICH SPECIFIED USERIDS THAT WERE NOT DEFINED TO RACF,
  AND TO BATCH JOBS WHICH DID NOT SPECIFY THE 'USER=' OPERAND ON THEIR JOB STATEMENTS
- A PREFIXED TO A RESOURCE NAME INDICATES THAT A GENERIC PROFILE WAS ACCESSED
- A '(G)' APPENDED TO A RESOURCE NAME MEANS THAT THE RESOURCE NAME IS GENERIC
- A APPENDED TO A VMEVENT DESCRIPTION MEANS THAT THE EVENT CONTINUES ON THE NEXT LINE
- A '(T)' APPENDED TO A DATASET IN LIST OF DATASET NAMES AFFECTED BY A SECLABEL CHANGE MEANS THAT THE DATASET IS A TAPE DATASET.

-------
92.269 13:34:59        RACF REPORT - LISTING OF PROCESS RECORDS        PAGE 4
RACF COMMAND USAGE BY SPECIAL USERS
DATE   TIME     SYSID *JOB/USER NAME *STEP/GROUP --TERMINAL-- ID LVL EVENT QUAL
92.268 13:38:45 EPA2 EHI JIDS T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER UOG PASSWORD(****) RESUME
92.268 13:38:54 EPA2 EHI JIDS T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER UOG PASSWORD(****) RESUME
92.268 13:39:16 EPA2 EHI JIDS T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER UDG PASSWORD(****) RESUME
                              T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER LOL RESUME
                              T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER LOL RESUME
                              T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SP
ECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER LOL RESUME
                              T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER MCD RESUME
92.268 14:04:51 EPA2 EHI JIDS T24BK056 0 13 0
  JOBID=(EHI 92.268 12:37:11),USERDATA=(),OWNER=SECTY1
  AUTH=(SPECIAL),REASON=(CLASS,SPECIAL/OPERATIONS)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BK056
  ALTUSER MCD RESUME

-------
92.269 13:35:32                RACF REPORT                PAGE 1
NCC RESOURCE AND COMMAND VIOLATIONS
COMMAND GROUP ENTERED -
RACFRW TITLE('NCC RESOURCE AND COMMAND VIOLATIONS') NOFORMAT DSNAME('JSSA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS VIOLATIONS
EVENT ALLCOMMAND
EVENT ALLSVC CLASS(DATASET) DSQUAL(SYS1 SYS2 SYS3 SYS4 EPA)
SUM USER BY(RESOURCE)
SUM COMMAND BY(USER)
LIST SORT(USER DATE TIME) ASCEND
END
EVENT/QUALIFIER KEY - identical to the key printed with the preceding report (pages 1 to 3) and not repeated here.


-------
92.269 13:35:32        RACF REPORT - LISTING OF PROCESS RECORDS        PAGE 4
NCC RESOURCE AND COMMAND VIOLATIONS
DATE   TIME     SYSID *JOB/USER NAME *STEP/GROUP --TERMINAL-- ID LVL EVENT QUAL
92.268 14:01:01 EPA2 CVD JNC1 H0411230 0 2 1
  JOBID=(CVD 92.268 13:35:13),USERDATA=(),OWNER=CRE
  AUTH=(NORMAL),REASON=(ENTITY OR FAILSOFT PROCESSING)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=H0411230
  DATASET=SYS1.ADABAS.EPA2.LOAD,GENPROF=SYS1.ADABAS.EPA2.LOAD,VOLUME=PLIB02,LEVEL=00,INTENT=READ,ALLOWED=NONE
92.268 14:01:02 EPA2 CVD JNC1 H0411230 0 2 1
  JOBID=(CVD 92.268 13:35:13),USERDATA=(),OWNER=CRE
  AUTH=(NORMAL),REASON=(ENTITY OR FAILSOFT PROCESSING)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=H0411230
  DATASET=SYS1.ADABAS.LOAD,GENPROF=SYS1.ADABAS.LOAD,VOLUME=PLIB05,LEVEL=00,INTENT=READ,ALLOWED=NONE
92.268 14:01:04 EPA2 CVD JNC1 H0411230 0 2 1
  JOBID=(CVD 92.268 13:35:13),USERDATA=(),OWNER=CRE
  AUTH=(NORMAL),REASON=(ENTITY OR FAILSOFT PROCESSING)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=H0411230
  DATASET=SYS1.ADABAS.DEV.LOAD,GENPROF=SYS1.ADABAS.DEV.LOAD,VOLUME=PLIB01,LEVEL=00,INTENT=READ,ALLOWED=NONE
92.268 14:01:08 EPA2 CVD JNC1 H0411230 0 2 1
  JOBID=(CVD 92.268 13:35:13),USERDATA=(),OWNER=JMQ
  AUTH=(NORMAL),REASON=(ENTITY OR FAILSOFT PROCESSING)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=H0411230
  DATASET=SYS1.SASC.LINKLIB,GENPROF=SYS1.SASC.LINKLIB,VOLUME=PLIB05,LEVEL=00,INTENT=READ,ALLOWED=NONE
92.268 09:57:42 EPA2 IZF SEIS T0600512 0 8 1
  JOBID=(IZF 92.268 09:44:46),USERDATA=(),OWNER=EXC
  AUTH=(NORMAL),REASON=(VIOLATION)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T0600512
  ADDSD EXC.A026.RG02RLOG OWNER(EXC) UACC(READ) LEVEL(00) AUDIT(FAILURES(READ)) NOSET GENERIC NOTIFY(EXC)
92.268 11:07:02 EPA2 JHB ASMD T24BP008 0 2 1
  JOBID=(JHB 92.268 09:29:59),USERDATA=(),OWNER=CRE
  AUTH=(NORMAL),REASON=(ENTITY OR FAILSOFT PROCESSING)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BP008
  DATASET=SYS2.ADABAS.DEV.LOAD,GENPROF=SYS2.ADABAS.*.LOAD,VOLUME=ADALIB,LEVEL=00,INTENT=READ,ALLOWED=NONE
                              T24BA029 0 19 1
  JOBID=(OMT 92.268 07:33:20),USERDATA=(),OWNER=VDN
  AUTH=(NORMAL),REASON=(VIOLATION)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T24BA029
  PERMIT JPMF.OPMAN.* CLASS(DATASET) ID(OMT) ACCESS(ALTER) GENERIC
92.268 08:45:49 EPA2 TFX K2DB T06AA022 0 21 1
  JOBID=(TFX 92.268 08:45:41),USERDATA=(),OWNER=TFX
  AUTH=(NORMAL),REASON=(VIOLATION)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T06AA022
  RDEFINE OUTPUT TTX* OWNER(TTX) UACC(READ) LEVEL(00) NONOTIFY
92.268 15:02:41 EPA2 TFX K2DB T06AA022 0 21 1
  JOBID=(TFX 92.268 15:02:32),USERDATA=(),OWNER=TFX
  AUTH=(NORMAL),REASON=(VIOLATION)
  TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL),TERMINAL=T06AA022

-------
92.269 13:36:06                RACF REPORT                PAGE 1
USER PASSWORD CHANGES
COMMAND GROUP ENTERED -
RACFRW TITLE('USER PASSWORD CHANGES') NOFORMAT DSNAME('JSSA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS SUCCESSES
EVENT PASSWORD
SUM USER
LIST SORT(USER DATE TIME) ASCEND
END
EVENT/QUALIFIER KEY - identical to the key printed with the first report (pages 1 to 3) and not repeated here.


-------
92.269 13:36:06        RACF REPORT - LISTING OF PROCESS RECORDS        PAGE 4
USER PASSWORD CHANGES
DATE   TIME     SYSID *JOB/USER NAME *STEP/GROUP --TERMINAL-- ID LVL EVENT QUAL
  ...,TERMINAL=T05UF7E
  PASSWORD PASSWORD(****,****)

-------
92.269 13:36:06        RACF REPORT - SHORT USER SUMMARY        PAGE
USER PASSWORD CHANGES
                                  ---- JOB/LOGON ----   ------------- RESOURCE STATISTICS -------------
USER/    NAME                     SUCCESS  VIOLATION    SUCCESS  WARNING  VIOLATION  -------- INTENTS --------  TOTAL
*JOB                                                                                ALTER  CONTROL  UPDATE  READ
ACCUMULATED TOTALS -                 0        0            0        0        0        0      0        0      0      0
PERCENTAGE OF TOTAL ACCESSES -       0%       0%           0%       0%       0%       0%     0%
UNDEFINED USERS (JOBS) ONLY
ACCUMULATED TOTALS -                 0        0            0        0        0        0      0        0      0      0
PERCENTAGE OF TOTAL ACCESSES -       0%       0%           0%       0%       0%       0%     0%

-------
92.269 13:36:52                RACF REPORT                PAGE 1
USER LOGON PROBLEM REPORT
COMMAND GROUP ENTERED -
RACFRW TITLE('USER LOGON PROBLEM REPORT') GENSUM NOFORMAT DSNAME('JSSA.RACFRW.DAILY.OUTPUT')
SELECT PROCESS VIOLATIONS
EVENT LOGON
SUM USER
LIST SORT(DATE TIME USER) ASCEND
END
EVENT/QUALIFIER KEY - identical to the key printed with the first report (pages 1 to 3) and not repeated here.


-------
92.269 13:36:52        RACF REPORT - GENERAL SUMMARY        PAGE 4
USER LOGON PROBLEM REPORT
                                                READ     SELECTED   %SELECTED
STATUS RECORDS                                     0            0     0 %
PROCESS RECORDS                               77,836        1,254     2 %
  TOTAL PROCESS RECORDS FOR DEFINED USERS     77,479        1,253     2 % (OF ALL PROCESS RECORDS)
  TOTAL PROCESS RECORDS FOR UNDEFINED USERS      357            1     0 % (OF ALL PROCESS RECORDS)

--- JOB / LOGON STATISTICS ---
TOTAL JOB/LOGON/LOGOFF                               42,845
TOTAL JOB/LOGON SUCCESSES                            20,861    49 % OF TOTAL ATTEMPTS
TOTAL JOB/LOGON VIOLATIONS                            1,254     3 % OF TOTAL ATTEMPTS
TOTAL JOB/LOGON ATTEMPTS BY UNDEFINED USERS             179     0 % OF TOTAL ATTEMPTS
TOTAL JOB/LOGON SUCCESSES BY UNDEFINED USERS            178     0 % OF TOTAL ATTEMPTS
TOTAL JOB/LOGON VIOLATIONS BY UNDEFINED USERS             1     0 % OF TOTAL ATTEMPTS
TOTAL JOB/LOGON SUCCESSFUL TERMINATION               20,730

JOB/LOGON VIOLATIONS BY HOUR -
  0-1    1-2    2-3    3-4    4-5    5-6    6-7    7-8
    7      3      1      3      4      1      9     49
  8-9   9-10  10-11  11-12  12-13  13-14  14-15  15-16
   79    125    112    138    104    133    134    160
16-17  17-18  18-19  19-20  20-21  21-22  22-23  23-24
  108     34     23     10     12      3      1      1

--- RESOURCE STATISTICS ---
TOTAL RESOURCE ACCESSES (ALL EVENTS)                          34,797
TOTAL RESOURCE ACCESS SUCCESSES                               34,327    99 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS WARNINGS                                    19     0 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS VIOLATIONS                                 451     1 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESSES (ALL EVENTS) BY UNDEFINED USERS            0     0 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS SUCCESSES BY UNDEFINED USERS                 0     0 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS WARNINGS BY UNDEFINED USERS                  0     0 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS VIOLATIONS BY UNDEFINED USERS                0     0 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESSES USING GENERIC PROFILE                 12,621    36 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS SUCCESSES USING GENERIC PROFILE         12,174    35 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS WARNINGS USING GENERIC PROFILE              19     0 % OF TOTAL ACCESSES
TOTAL RESOURCE ACCESS VIOLATIONS USING GENERIC PROFILE           428     1 % OF TOTAL ACCESSES

RESOURCE ACCESS VIOLATIONS BY HOUR -
  0-1    1-2    2-3    3-4    4-5    5-6    6-7    7-8
    0      1      0      0      0      0      0      3
  8-9   9-10  10-11  11-12  12-13  13-14  14-15  15-16
    7     18     15     20     18     23     26     28
16-17  17-18  18-19  19-20  20-21  21-22  22-23  23-24
  281      2      9      0      0      0      0      0

-------
92.269 13:36:52              RACF REPORT - LISTING OF PROCESS RECORDS                  PAGE
                                  USER LOGON PROBLEM REPORT
                        *JOB/USER  *STEP/                        E
DATE    TIME      SYSID NAME       GROUP   --TERMINAL--     V  E  N  T
                                           ID        LVL
92.268  00:01:51  EPA2  AD2        JDM3
        JOBID=(JES2 92.267 08:43:03),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        SESSION=INTERNAL READER BATCH JOB,JESINPUT=INTRDR,EXENODE=NCCIBM1
        SUBMITTING USER=AD2,SUBMITTING NODE=NCCIBM1,SUBMITTING GROUP=JDM3
92.268  00:04:26  EPA2  FYF        IFMS
        M.MARY                                            0  12
        JOBID=(JES2 92.267 08:29:25),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        SESSION=INTERNAL READER BATCH JOB,JESINPUT=INTRDR,EXENODE=NCCIBM1
        SUBMITTING USER=FYF,SUBMITTING NODE=NCCIBM1,SUBMITTING GROUP=SX05
92.268  00:05:04  EPA2  HZZ        SMOM
        MM.HASNUZ                                         0  16
        JOBID=(BDT 92.267 08:44:27),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        TOKEN STATUS=(CREATED BY PRE 1.9 RACF CALL)
92.268  00:26:14  EPA2  RSJ        IFMS
        JOBID=(JES2 92.267 08:29:25),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        SESSION=INTERNAL READER BATCH JOB,JESINPUT=INTRDR,EXENODE=NCCIBM1
        SUBMITTING USER=RSJ,SUBMITTING NODE=NCCIBM1,SUBMITTING GROUP=FM29
92.268  00:30:47  EPA2  RSJ        IFMS
        JOBID=(JES2 92.267 08:29:25),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        SESSION=INTERNAL READER BATCH JOB,JESINPUT=INTRDR,EXENODE=NCCIBM1
        SUBMITTING USER=RSJ,SUBMITTING NODE=NCCIBM1,SUBMITTING GROUP=FM29
92.268  00:35:07  EPA2  RSJ        IFMS
        JOBID=(JES2 92.267 08:29:25),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        SESSION=INTERNAL READER BATCH JOB,JESINPUT=INTRDR,EXENODE=NCCIBM1
        SUBMITTING USER=RSJ,SUBMITTING NODE=NCCIBM1,SUBMITTING GROUP=FM29
92.268  00:54:58  EPA2  TJH        JSYT
        JOBID=(JES2 92.267 08:29:25),USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)
        SESSION=INTERNAL READER BATCH JOB,JESINPUT=INTRDR,EXENODE=NCCIBM1
        SUBMITTING USER=TJH,SUBMITTING NODE=NCCIBM1,SUBMITTING GROUP=JIPS
92.268  01:00:38  EPA2  FYF        IFMS
        M.MARY
        JOBID=,USERDATA=( )
        AUTH=(NONE),REASON=(RACINIT FAILURE)

-------
APPENDIX A
Application Worksheets
On the following pages are application worksheets. On the back of each worksheet is
information about its use.
A-1

-------
A-2

-------
APPLICATION DATASETS LIST
APPLICATION NAME: ______________________________

Dataset Name        Owner       UACC       READ       UPDATE       ALTER       NONE
____________        _____       ____       ____       ______       _____       ____

A-3

-------
APPLICATION DATASETS LIST
This form is used by the RSA to identify all application datasets, who the owner of the
RACF dataset profile is or should be, the UACC (world access) to be assigned to the
dataset, and what User-IDs or RACF access groups should have READ, UPDATE,
ALTER, or NONE access to the dataset.
The owner should be supplied here from the Application Administrative Groups form. The
entries in the READ, UPDATE, ALTER, and NONE columns should be obtained
from the Application RACF Access Groups form.
The information required for completion of the dataset name can be obtained from option
3.4 of ISPF (Data Set List Utility). Supply the group for which you want to find datasets on
the DSNAME LEVEL line. After obtaining the list of dataset names, enter "SAVE listid"
on the command line (where listid is any value you want) to save the results in a dataset for
later viewing or printing. The dataset will be named iiiaaaa.iii.listid.datasets (where iiiaaaa
is your User-ID and account).
A-4

-------
APPLICATION USER-ID LIST
APPLICATION NAME: ______________________________

User-ID        Name        Job/Role/Function        RACF Owner (Group)
_______        ____        _________________        __________________

A-5

-------
APPLICATION USER-ID LIST
This form is used to assist the RSA in determining application User-IDs for which the
application RSA will assume RACF control. The form is also used to record data which will
be used by the RSA to determine application data access requirements and to determine which
RACF administrative groups will own the User-IDs.
Each application's RSA(s) is/are required to assume RACF ownership of application User-IDs
in order for the RSA to reset passwords for these User-IDs and to configure the User-IDs in
RACF to meet application and OIG requirements. For example, the OIG has cited the Agency
for too much use of the RACF CREATE privilege, which is assigned to a User-ID and which
allows that User-ID to create RACF dataset profiles to protect (or expose) application data.
An individual RSA will not own a User-ID. Rather, an administrative group established by the
RSA will be the User-ID owner. The administrative group can be defined on this form and then
recorded on the Application RACF Administrative Groups form, or the group can be recorded
on that form first and then placed on this form.
Access to application data must be predicated on user need or job role or function. For
example, a data entry clerk should have no requirement to create a dataset—only to update an
existing one. Also, personnel responsible for developing and testing programs should not be
allowed to move these programs into production. Personnel responsible for the production
environment should perform that function. Once access is determined, application access groups
can be defined on the Application RACF Access Groups form, and User-IDs can be connected
to appropriate access groups based on access requirements.
A-6

-------
APPLICATION BILLABLE ACCOUNT LIST
APPLICATION NAME: ______________________________

Account        RACF Owner (Group)
_______        __________________

A-7

-------
APPLICATION BILLABLE ACCOUNT LIST
Each application's RSA(s) must assume RACF ownership of the billable accounts associated with
the application in order for the RSA to be able to connect a User-ID to a billable account.
Connection to a billable account is required for system logon. Since obligation of EPA funds
can only be done by EPA, control over billable accounts must be restricted to those RSAs who
are EPA employees.
An individual RSA cannot be the owner of a billable account. The RSA must establish a RACF
administrative group which will become the owner of the billable account. The name of this
administrative group can be defined on this form and then transferred to the Application RACF
Administrative Groups form, or the name can be first defined on that form and then placed on
this one.
A-8

-------
APPLICATION RACF ADMINISTRATIVE GROUPS
APPLICATION NAME: ______________________________

Group Name        RSA        Purpose
__________        ___        _______

A-9

-------
APPLICATION RACF ADMINISTRATIVE GROUPS
This form is used by the RSA to define RACF administrative groups to be used by the
application. Administrative groups will own (within RACF) application resources (e.g., other
groups, User-IDs, dataset profiles, etc.). RSAs connected to the administrative group will have
RACF authority and control over the resources owned by the group.
The RSA will use this list of RACF administrative groups to determine which RSAs will control
application resources. These administrative groups will be placed on the Application Billable
Account List and the Application User-ID List forms as required.
A-10

-------
APPLICATION RACF ACCESS GROUPS
APPLICATION NAME: ______________________________

Group Name        RSA        Purpose        User-IDs
__________        ___        _______        ________

A-11

-------
APPLICATION RACF ACCESS GROUPS
This form is used by the RSA to define RACF groups to which User-IDs will be connected in
order to gain access to application resources (e.g., datasets). Under RACF decentralization,
granting of access to a resource by User-ID is discouraged due to the burden placed on the RSA
in administering resource access lists.
The User-ID of the RSA to be connected to the group with the RACF Group-SPECIAL
privilege, and who will connect User-IDs to the group, must be defined on this form.
The purpose of the group should be documented. Careful planning and naming of the individual
groups will assist the RSA in tracking the purpose of the group (e.g., DATAUPD could indicate
a group used for data updates to application files).
The User-IDs to be granted access under the group should be listed on the form. This form
should be used in conjunction with the Application User-ID List form. The RSA responsible
for the group must connect the appropriate User-IDs to the group within RACF once the group
has been established by TSSMS.
A-12

-------
APPLICATION RACF DATASET PROFILES LIST
APPLICATION NAME: ______________________________

Profile Name        Owner       UACC       READ       UPDATE       ALTER       NONE
____________        _____       ____       ____       ______       _____       ____

A-13

-------
APPLICATION RACF DATASET PROFILES LIST
This form is used by the RSA to identify and examine existing application RACF dataset profiles
and their access lists. These profiles can be found through execution of the RACF commands
documented in this manual. The RACF dataset profiles found should be compared against the
list of application datasets on the Application Datasets List to ensure that all application datasets
are protected. You should use the DSNS option of the LISTDSD command to display all
datasets which are protected by the profile. The search for dataset profiles should be done by
generic and discrete categories. The objective should be to eliminate all discrete profiles and
to replace them with generic profiles.
A-14

-------
APPLICATION RACF USER-ID CREATE/GRPACC LIST
APPLICATION NAME: ______________________________

User-ID        Account        CREATE/NO CREATE        GRPACC/NO GRPACC
_______        _______        ________________        ________________

A-15

-------
APPLICATION USER-ID CREATE/GRPACC LIST
This form is used by the RSA to evaluate all application User-IDs for the purpose of determining
which User-IDs should be allowed to protect application datasets with RACF dataset profiles
(RACF CREATE authority). Those User-IDs allowed to retain CREATE authority should
additionally be evaluated as to whether or not GRPACC will be retained by the User-ID.
GRPACC indicates to RACF that the group should automatically be granted UPDATE access
to the dataset profile.
OIG audit reports have cited the Agency for indiscriminate use of CREATE and GRPACC
authorities.
A-16

-------
APPENDIX B
Work Example
Given: Application Payroll
Billable Groups (accounts): PAYS, TAAP, PAYT, PAYD
User-IDs:
    PAY - Main Production Control ID
    DE1 - Data entry clerk
    DE2 - Data entry clerk
    PGT - Programmer for Test environment
    PGD - Programmer for Development environment
    EPA - EPA manager
Assumptions:
    EPA application management will maintain high-level control.
    Production Control ID password will not be shared.
    Data entry clerks need no access other than UPDATE.
    Controls will be in place to ensure that the integrity of Test, Development, and
    Production environments is preserved. Programmers from Test can access
    Development; programmers from Test cannot access Production. Only EPA
    application management can access production files.
B-1

-------
APPLICATION USER-ID LIST
APPLICATION NAME: ______________________________

User-ID   Name       Job/Role/Function             RACF Owner (Group)
PAY       John Doe   Production Control ID         PAYUSER
DE1       Sally      Data entry clerk              PAYUSER
DE2       Jane       Data entry clerk              PAYUSER
PGT       Mike       Programmer for Test           PAYUSER
PGD       Al         Programmer for Development    PAYUSER
EPA       Jim        EPA application manager       PAYUSER
B-2

-------
APPLICATION BILLABLE ACCOUNT LIST
APPLICATION NAME: ______________________________

Account   RACF Owner (Group)
PAYS      PAYBILL
TAAP      PAYBILL
PAYT      PAYBILL
PAYD      PAYBILL
B-3

-------
APPLICATION RACF ADMINISTRATIVE GROUPS
APPLICATION NAME: ______________________________

Group Name   RSA   Purpose
PAYBILL      JIM   Holder of billable accounts
PAYUSER      JIM   Holder of application IDs
PAYADMIN     JIM   Overall administrative group
PAYDSN       JIM   Owner of application dataset profiles
B-4

-------
APPLICATION RACF ACCESS GROUPS
APPLICATION NAME: ______________________________

Group Name   RSA   Purpose                              User-IDs
PAYTALT      Jim   ALTER access to Test files           PGT, EPA
PAYTRD       Jim   READ access to Test files            PGD
PAYTUPD      Jim   UPDATE access to Test files
PAYDALT      Jim   ALTER access to Development files    PGD, EPA
PAYDRD       Jim   READ access to Development files
PAYDUPD      Jim   UPDATE access to Development files
PAYRD        Jim   READ access to Production files
PAYUPD       Jim   UPDATE access to Production files    DE1, DE2
PAYALT       Jim   ALTER access to Production files     EPA
B-5

-------
APPLICATION DATASETS LIST
APPLICATION NAME: ______________________________

Dataset Name   Owner    UACC   READ     UPDATE    ALTER     NONE
Test1          PAYDSN   NONE   PAYTRD   PAYTUPD   PAYTALT
Devel1         PAYDSN   NONE   PAYDRD   PAYDUPD   PAYDALT
Prod1          PAYDSN   NONE   PAYRD    PAYUPD    PAYALT
B-6

-------
APPLICATION RACF DATASET PROFILES LIST
APPLICATION NAME: ______________________________

Profile Name   Owner    UACC   READ     UPDATE    ALTER     NONE
Test%.*        PAYDSN   NONE   PAYTRD   PAYTUPD   PAYTALT
Devel%.*       PAYDSN   NONE   PAYDRD   PAYDUPD   PAYDALT
Prod%.*        PAYDSN   NONE   PAYRD    PAYUPD    PAYALT
B-7

-------
APPLICATION RACF USER-ID CREATE/GRPACC LIST
APPLICATION NAME: ______________________________

User-ID   Account        CREATE/NO CREATE   GRPACC/NO GRPACC
EPA       PAYS           CREATE             NOGRPACC
          PAYT           CREATE             NOGRPACC
          PAYD           CREATE             NOGRPACC
          TAAP           CREATE             NOGRPACC
DE1       All accounts   NO CREATE          NOGRPACC
DE2       All accounts   NO CREATE          NOGRPACC
PGT       All accounts   NO CREATE          NOGRPACC
PGD       All accounts   NO CREATE          NOGRPACC
B-8

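The Appendix B worksheets can be checked before anything is typed into RACF. The Python model below is an added example, not part of this manual and not RACF itself: it takes the three generic profiles from page B-7 (UACC NONE, access groups in the access list), the group connections from page B-5, and tests the assumptions stated on page B-1 against them. The dataset names (PROD1.PAYROLL and so on) are constructed, and the profile-matching rules are a simplified rendering of RACF's generic rules.

```python
import re

# RACF access levels, lowest to highest; a higher level includes the lower ones.
LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]

# Dataset profiles from the Application RACF Dataset Profiles List (page B-7):
# owner, UACC, and the access list (group -> access). Upper-cased as RACF stores them.
PROFILES = {
    "TEST%.*":  {"owner": "PAYDSN", "uacc": "NONE",
                 "acl": {"PAYTRD": "READ", "PAYTUPD": "UPDATE", "PAYTALT": "ALTER"}},
    "DEVEL%.*": {"owner": "PAYDSN", "uacc": "NONE",
                 "acl": {"PAYDRD": "READ", "PAYDUPD": "UPDATE", "PAYDALT": "ALTER"}},
    "PROD%.*":  {"owner": "PAYDSN", "uacc": "NONE",
                 "acl": {"PAYRD": "READ", "PAYUPD": "UPDATE", "PAYALT": "ALTER"}},
}

# Group connections from the Application RACF Access Groups List (page B-5).
CONNECTS = {
    "PAYTALT": {"PGT", "EPA"}, "PAYTRD": {"PGD"},  "PAYTUPD": set(),
    "PAYDALT": {"PGD", "EPA"}, "PAYDRD": set(),    "PAYDUPD": set(),
    "PAYALT":  {"EPA"},        "PAYRD":  set(),    "PAYUPD":  {"DE1", "DE2"},
}

def generic_to_regex(profile):
    """Turn a generic dataset profile into a regex (simplified RACF rules):
    %   one character inside a qualifier
    *   the rest of a qualifier, or exactly one qualifier when standing alone
        (the enhanced-generic-naming reading; under the older rules a trailing
        '*' also matches one or more qualifiers)
    **  zero or more qualifiers
    """
    out, i = "", 0
    while i < len(profile):
        if profile.startswith(".**", i):
            out += r"(?:\.[^.]+)*"; i += 3
        elif profile.startswith("**", i):
            out += r"[^.]+(?:\.[^.]+)*"; i += 2
        elif profile[i] == "*":
            out += r"[^.]*"; i += 1
        elif profile[i] == "%":
            out += r"[^.]"; i += 1
        else:
            out += re.escape(profile[i]); i += 1
    return re.compile("^" + out + "$")

def best_matching_profile(dsn):
    """RACF applies the most specific matching profile. Approximation used
    here: fewest wildcard characters wins, longer name breaks ties."""
    hits = [p for p in PROFILES if generic_to_regex(p).match(dsn.upper())]
    if not hits:
        return None
    return min(hits, key=lambda p: (p.count("*") + p.count("%"), -len(p)))

def access_for(user, dsn):
    """Highest access USER gets to DSN: UACC, raised by every access-list entry
    for a group the user is connected to. 'UNPROTECTED' means no profile
    covers the dataset at all, which the RSA must treat as a finding."""
    prof = best_matching_profile(dsn)
    if prof is None:
        return "UNPROTECTED"
    granted = PROFILES[prof]["uacc"]
    for group, level in PROFILES[prof]["acl"].items():
        if user in CONNECTS.get(group, set()) and LEVELS.index(level) > LEVELS.index(granted):
            granted = level
    return granted

def check_assumptions():
    """Assumptions from page B-1, checked against the filled-in worksheets.
    Dataset names are constructed for the example. Returns a list of findings;
    an empty list means the worksheets deliver what the assumptions promise."""
    prod, test, dev = "PROD1.PAYROLL", "TEST1.PAYROLL", "DEVEL1.PAYROLL"
    findings = []
    # Data entry clerks need no access other than UPDATE (to production).
    for clerk in ("DE1", "DE2"):
        if access_for(clerk, prod) != "UPDATE":
            findings.append(f"{clerk}: expected UPDATE on {prod}")
        for dsn in (test, dev):
            if access_for(clerk, dsn) != "NONE":
                findings.append(f"{clerk}: unexpected access to {dsn}")
    # Programmers from Test cannot access Production.
    if access_for("PGT", prod) != "NONE":
        findings.append(f"PGT: has {access_for('PGT', prod)} on {prod}")
    # Only EPA application management can alter production files.
    for user in ("PAY", "DE1", "DE2", "PGT", "PGD"):
        if access_for(user, prod) == "ALTER":
            findings.append(f"{user}: ALTER on {prod}")
    if access_for("EPA", prod) != "ALTER":
        findings.append(f"EPA: expected ALTER on {prod}")
    # Every dataset on the Application Datasets List (page B-6) must be covered.
    for dsn in (test, dev, prod):
        if best_matching_profile(dsn) is None:
            findings.append(f"{dsn}: not protected by any profile")
    return findings

if __name__ == "__main__":
    for line in check_assumptions() or ["all page B-1 assumptions hold"]:
        print(line)
```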
-------
APPENDIX C
RACF Decentralization Structure
[Organization chart. The chart shows: Systems (SYS1); TSSMS & Customer Support;
 ADP1 with its applications APPL11 and APPL12, each with EPA RSAs;
 ADP2 with its applications APPL21, APPL22 and APPL23, each with EPA RSAs;
 the billable accounts (BA), non-accounts (NA) and NA USERS Customer1, Customer2,
 Customer3 and Customer4.]
APPL#       = Application
ADP#        = ADP Coordinator
EPA RSAs    = EPA RACF Security Administrators
BA          = Billable Accounts
NA          = Non-Accounts
Customer#   = Customer User-IDs owned by Application
-------
RACF Decentralization Notes
EPA/FM Security will have System-SPECIAL.
Systems will have Group-SPECIAL. Some, under RACF policy provisions, will have
System-SPECIAL for resolution of RACF system problems.
TSSMS and the Customer Support RACF Specialists (i.e., not to exceed four and only
those who have attended RSA training) will have Group-SPECIAL, join authority, and
RACF acct/user admin commands. Customer Support RACF Specialists will have
authorities for listing, but not changing, RACF entries after completion of the
decentralization effort.
TSSMS will add new User-IDs, new billable, and non-account groups to RACF. TSSMS
will also ALTER the billable and non-account groups in RACF.
EPA RSAs will have Group-SPECIAL, but will be limited to password resets and
revokes, connecting, changing, and removing existing User-IDs on their billable accounts,
and those non-account groups under their control.
If an ADP has not been trained as an RSA, he will not have Group-SPECIAL.
If a customer is experiencing a RACF problem, he will be referred to his RSA and
ADP. Informational calls on the RACF product (i.e., how do I protect a data set?)
from a customer will be answered by Customer Support.
TSSMS will add all new and existing User-IDs to a holding pen account. When a new
User-ID is added to the holding pen account, the owner of the User-ID is the
Application that made the request. It is then the responsibility of the EPA RSA to
connect the User-ID to the appropriate billable account(s).
Example: Customer1 calls and needs his password reset.
After the Customer Call Center has determined that APPL11 has claimed
ownership of Customer1, Customer1 will be given the names and numbers of
the EPA RSAs in APPL11 and ADP1.
C-2

-------
When a User-ID is connected to or removed from a billable/logon account, an ALIAS must be
defined or deleted. The ALIAS Command Processor will provide the application's RSA with
the means of adding or deleting ALIAS entries indirectly in the master catalog via a transaction
file. The transaction file will contain the RSA's User-ID and the ALIAS to be defined or
deleted. RACF will be checked to make sure that the User-ID/account combination is correct,
that it is under the RSA's control, and that the account is a billable/logon account. Before an
ALIAS is added via the ALIAS Command Processor, the User-ID must be connected to the
account. The RSA must issue the following command via ISPF option 6 to add the ALIAS:
@ALIAS iiiaaaa,ADD
(iii=User-ID aaaa=account)
When a User-ID is removed from a billable/logon account, all resources associated with the
removed User-ID must be deleted, renamed, or changed.
To obtain a listing of online datasets and tapes associated with a User-ID/account combination,
the RSA can execute the following CLIST via ISPF option 6:
EX 'JMAS.UACCT.CLIST(USERLIST)'
The CLIST will prompt you for the User-ID and the account of the User-ID to be removed and
your bin number. The CLIST will submit a job under your User-ID for viewing online via ISPF
option E.S.
After all resources are removed and the User-ID has been removed from the account, the RSA
must issue the following command via ISPF option 6 to delete the ALIAS:
@ALIAS iiiaaaa,DELETE
(iii=User-ID aaaa=account)
There is a delay in adding the ALIAS to the catalog. The RSA can issue the following
command to see if the ALIAS is on the system:
LISTC ENT('iiiaaaa')
C-3
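The checks Appendix C says are made before an ALIAS transaction is accepted (the User-ID/account combination is valid, the account is under the RSA's control, the account is a billable/logon account, and the connect-before-ADD / remove-before-DELETE ordering) can be modelled in a few lines. The Python below is an added example, not the ALIAS Command Processor and not part of this manual; the RACF state it reads (which RSA administers which groups, which User-IDs are connected to which accounts) is constructed from the Appendix B payroll example.

```python
# Constructed from the Appendix B payroll example (pages B-3 and B-4).
BILLABLE_ACCOUNTS = {"PAYS", "TAAP", "PAYT", "PAYD"}
ACCOUNT_OWNER = {acct: "PAYBILL" for acct in BILLABLE_ACCOUNTS}

# Constructed: the administrative groups each RSA administers, and the current
# User-ID -> account connections as RACF would hold them.
RSA_GROUPS = {"EPA": {"PAYBILL", "PAYUSER", "PAYADMIN", "PAYDSN"}}
CONNECTED = {"DE1": {"PAYS"}, "DE2": {"PAYS"}, "PGT": {"PAYT"},
             "EPA": {"PAYS", "TAAP", "PAYT", "PAYD"}}


class AliasError(ValueError):
    """A transaction the processor would reject, with the reason."""


def split_alias(alias):
    """iiiaaaa -> (User-ID, account): a 3-character User-ID followed by a
    4-character account (Form 2: all billable accounts are 4 characters)."""
    if len(alias) != 7 or not alias.isalnum():
        raise AliasError(f"{alias!r}: expected 3-character User-ID + 4-character account")
    return alias[:3].upper(), alias[3:].upper()


def alias_transaction(rsa, alias, action):
    """Validate the request and return the command the RSA would issue via
    ISPF option 6, or raise AliasError explaining why it would be rejected."""
    if action not in ("ADD", "DELETE"):
        raise AliasError(f"{action!r}: action must be ADD or DELETE")
    userid, account = split_alias(alias)
    # Only billable/logon accounts get an ALIAS; non-account groups never do.
    if account not in BILLABLE_ACCOUNTS:
        raise AliasError(f"{account}: not a billable/logon account")
    # The account is under the RSA's control only if the administrative group
    # that owns it is one the RSA administers.
    if ACCOUNT_OWNER[account] not in RSA_GROUPS.get(rsa, set()):
        raise AliasError(f"{account}: owned by {ACCOUNT_OWNER[account]}, "
                         f"not under {rsa}'s control")
    connected = account in CONNECTED.get(userid, set())
    # Ordering from Appendix C: connect first, then ADD; remove from the
    # account first, then DELETE.
    if action == "ADD" and not connected:
        raise AliasError(f"{userid} is not connected to {account}; "
                         "connect it before adding the ALIAS")
    if action == "DELETE" and connected:
        raise AliasError(f"{userid} is still connected to {account}; "
                         "remove it before deleting the ALIAS")
    return f"@ALIAS {userid}{account},{action}"


def try_transaction(rsa, alias, action):
    """(accepted, command-or-reason) without raising."""
    try:
        return True, alias_transaction(rsa, alias, action)
    except AliasError as err:
        return False, str(err)


if __name__ == "__main__":
    for req in [("EPA", "DE1PAYS", "ADD"), ("EPA", "PGTPAYS", "ADD"),
                ("EPA", "PGDPAYD", "DELETE"), ("PGT", "DE1PAYS", "ADD"),
                ("EPA", "DE1PAYB", "ADD")]:
        print(req, "->", try_transaction(*req))
```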

-------
APPENDIX D
TSSMS-RACF Decentralization Request
and
Email RACF Forms
Note: Two manuals that you will need to reference for the functions
in this appendix are these:
1.	Application RACF Security Administrator's Guide (listed in
the tables as RSA Guide).
2.	Customer's Guide to NCC's Registration System (listed in the
tables as TSSMS Registration).
The following abbreviations are used in the tables:
ADP	= database entry
MGR	= database entry
RSA	= RACF entry
TSSMS = both RACF and database
TSSMPENx = TSSMPEN and a number
D-1

-------
TSSMS-RACF DECENTRALIZATION REQUEST

                                                                      Completed By
      Function                                                     ADP MGR   RSA   TSSMS
 1.0  Establish Application for RACF Decentralization.
 1.1  Complete RACF_REQUEST_I (see App. D, RSA Guide).                A        X
      (Note: NDPD Security approves RSAs.)
 1.2  Complete RACF_REQUEST_II (see App. D, RSA Guide).              A/M       X
 1.3  RACF updated to include application hierarchy.                                 X
 1.4  Ownership updated in RACF for accounts and IDs.                                X
 1.5  Notice of completion attached to Email and Mail.                               X
 1.6  Notify customer of ownership claim.                                      X
 2.0  Add New Billable Account.
 2.1  Request entered in TSSMS online database (TSSMS Registration).  A
 2.2  Add to RACF in nightly processing.                                             X
 2.3  ALIAS added for system catalog.                                                X
 2.4  RACF ownership is claimed with Email form II                             X
      (see App. D, RSA Guide).
 2.5  Ownership entered in RACF.                                                     X
 2.6  Account manager will be added as user in nightly processing                    X
      (both in database and RACF).
 2.7  Add group-level profile in RACF.                                         X
 2.8  Add users (see "add user" and "existing user").                          X
D-2

TSSMS-RACF DECENTRALIZATION REQUEST (cont.)
 3.0  Add New Non-Account Group.
 3.1  Request completed with Email form II (see App. D, RSA Guide).            X
 3.2  Request completed in TSSMS.
 3.3  Connect existing users when needed.                                      X
 4.0  Add New User-ID.
 4.1  Request entered in TSSMS online database (TSSMS Registration). A/M
 4.2  Add to RACF in nightly processing.                                             X
 4.3  Add to TSSMPENx nightly processing.                                            X
 4.4  Ownership request for User-ID through Email form II                      X
      (see App. D, RSA Guide).
 4.5  Ownership entered into RACF.                                                   X
 4.6  Change password and connect to account and notify user.                  X
      (User must be connected to a billable account to log on.)
 4.7  ALIAS added for system catalog (see App. D, RSA Guide).                  X
 5.0  Connect Existing User-ID to Existing Account Group (RSA Guide).
 5.1  Connect the User-ID to the account in RACF.                              X
 5.2  ALIAS added for system catalog for billable account/User-ID only.        X
 5.3  Added to the TSSMS online system from RACF with nightly processing.            X
D-3

TSSMS-RACF DECENTRALIZATION REQUEST (cont.)
 6.0  Delete Existing User-ID from One Account Group (RSA Guide).
 6.1  List User-ID in RACF.                                                    X
 6.2  Change default group of User-ID if needed.                               X
 6.3  Run IRRUT100 (gives list of RACF profiles).                              X
 6.4  Run CLIST to receive a listing of tapes, datasets, etc. (see App. C).    X
 6.5  Remove User-ID from access list.                                         X
 6.6  Delete or rename datasets.                                               X
 6.7  Remove User-ID from account.                                             X
 6.8  Delete ALIAS to remove from system catalog.                              X
 6.9  Nightly processing will update the TSSMS online database                       X
      from RACF entries.
 7.0  Revoke/Delete Billable Account Group.
 7.1  Request entered in TSSMS online database (TSSMS Registration).  A
 7.2  Revoked in RACF for 45 days (accounts and users).                              X
 7.3  Run IRRUT100 (listing sent to the ADP Coordinator).                            X
 7.4  Data management and DPSS run CLIST to get datasets and tapes                   X
      (listing sent to the ADP Coordinator).
 7.5  Any datasets and profiles are cleaned up.                      A/M       X
D-4

TSSMS-RACF DECENTRALIZATION REQUEST (cont.)
 7.6  Request entered in TSSMS online database to delete the account  A
      (TSSMS Registration).
 7.7  After 45 days the account is deleted from RACF.                                X
 7.8  ALIAS is removed for the account and User-ID.                                  X
 8.0  Delete a Non-Account Group.
 8.1  Run IRRUT100 to clean up access lists and profiles.                      X
 8.2  All users removed from account (RSA Guide).                              X
 8.3  Request is entered on Email form II (see App. D, RSA Guide).             X
 8.4  Non-account group removed from system.                                         X
 9.0  Delete a User-ID Completely from RACF (RSA Guide).
 9.1  List User-ID in RACF.                                                    X
 9.2  Change default of User-ID to TSSMPENx.                                   X
 9.3  Run IRRUT100.                                                            X
 9.4  Run CLIST to receive a listing of tapes, datasets, etc. (see App. C).    X
 9.5  Remove user from access list.                                            X
 9.6  Delete or rename datasets.                                               X
 9.7  Remove User-ID from account. (The only account the User-ID               X
      will remain on is TSSMPENx.)
D-5

TSSMS-RACF DECENTRALIZATION REQUEST (cont.)
 9.8  Delete ALIAS to remove from system catalog (see App. C).                 X
 9.9  Nightly processing will update the TSSMS online database.                      X
 9.10 List User-ID in RACF.                                                          X
 9.11 Remove User-ID from TSSMPENx.                                                  X
10.0  Password Resets, Resumes, at User-ID Level.
10.1  If customer calls CCC...
10.2  ...CCC determines owner of User-ID and provides RSA/ADP
      information to customer.
10.3  ...Customer will contact the RSA/ADP.
10.4  ...The RSA will reset/resume customer (RSA Guide).                       X
11.0  Revoking Billable Account/Group (Revoking Account for a Period
      of Time Only; not to be Deleted).
11.1  Contact TSSMS and request the account be revoked.               A
11.2  Account is revoked in the database.                                            X
11.3  Account is revoked in RACF with installation data                              X
      (revoke only per ADP).
11.4  Contact TSSMS to resume account.                                A
11.5  Account is resumed in the TSSMS database.                                      X
11.6  Account is resumed in RACF.                                                    X
D-6

TSSMS-RACF DECENTRALIZATION REQUEST (cont.)
12.0  Revoke/Resume User-ID at the Group/Account Level (RSA Guide).
12.1  List User-ID in RACF. (Note: Change default group if needed.)            X
12.2  Revoke User-ID at group level.                                           X
13.0  Revoke/Resume User-ID at the User-ID Level (RSA Guide).
13.1  List User-ID in RACF.                                                    X
13.2  Revoke/resume User-ID.                                                   X
D-7

-------
Email RACF Forms
Note: Information about accounts and User-IDs to be included on these forms may be
obtained from the ADP Coordinator and/or the Account Manager.
To access the RACF forms on ALL-IN-1, do the following:
A.	REQUEST  (Enter REQUEST at the EM Menu and press RETURN.)
B.	Choose one of the four forms below and type the name at the prompt:
1.	RACF_REQUEST_I  (Enter the name of the form and press RETURN.)
This form is used to establish an application within RACF.
2.	RACF_REQUEST_II  (Enter the name of the form and press RETURN.)
This form is used to establish ownership of User-IDs and accounts.
3.	RACF_REQUEST_III  (Enter the name of the form and press RETURN.)
This form is used to update a decentralized application.
4.	RACF_REQUEST_IV  (Enter the name of the form and press RETURN.)
This form is used to update RSA information on an application.
D-8

-------
EMAIL RACF FORMS
RACF_REQUEST_I
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 1
I. The system acronym of your application registered in EPA
Information Systems Inventory (ISI). ______
II. The four Primary RACF Security Administrators (RSA) (no more
than four per application will be tracked by TSSMS).
User-ID	Name
1.
2.
3.
4.
At I, enter the ISI and press the TAB key.
At II, enter the User-ID and name of RSA(s) and press the TAB key.
RACF REQUEST FORM 1 (cont.)
III. The ADP Coordinator associated with the billable accounts for
your application and whether the ADP is to serve as an RSA.
(Note: The RSA training is a requirement.)
PLEASE MARK Y=YES OR N=NO FOR RSA APPROVAL.
User-ID	Name	RSA approval
1.
This is one of two ALL-IN-1 Email forms required for
a RACF decentralization request. APPROVAL FROM NDPD SECURITY IS
REQUIRED FOR ALL RSA'S.
(NOTE: THE BILLABLE ACCOUNTS, NON-ACCOUNTS, AND USERS FOR YOUR
APPLICATION WILL NEED TO BE COMPLETED ON ALL-IN-1 EMAIL FORM
RACF_REQUEST_II TO COMPLETE THIS RACF REQUEST.)
If you have any questions, call Customer Support at 919-541-7862
or 1-800-344-2405.
Are you satisfied with the above information (Y/N)?
At III, enter the User-ID and other information. Use the TAB key to move around.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-9

-------
EMAIL RACF FORMS (cont.)
RACF_REQUEST_II
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 2
(NOTE: THE RSA'S AND ADP FOR YOUR APPLICATION, WHICH YOU COMPLETED
ON ALL-IN-1 EMAIL RACF REQUEST I FORM, WILL BE SENT TO TSSMS WHEN
APPROVED.)
I.	The system acronym of your application registered in EPA's
Information Systems Inventory (ISI). ______
(NOTE: SAME AS ENTRY ON ALL-IN-1 RACF_REQUEST_I FORM)
II.	List all billable accounts that will be OWNED by your
application; includes all IBM accounts registered with TSSMS for
your application.
NOTE: ALL BILLABLE ACCOUNTS ARE 4 CHARACTERS IN LENGTH.
At I, enter the ISI and press the TAB key.
At II, enter an account and press RETURN. If you have only one account, press TAB after you
enter the account to move to section III. If you have more than one account, press RETURN
between accounts to go to the next line. After you have all your accounts on the form, press
TAB to move to section III.
RACF REQUEST FORM 2 (cont.)
III. List the non-account group (6-8 characters) that will be the
OWNER of your application's User-IDs and a description (up to
50 characters) of what the non-account is for.
(NOTE: IF MORE THAN 1 ACCOUNT IS NEEDED PLEASE INCLUDE IN THIS
LIST; HOWEVER, THE FIRST NON-ACCOUNT LISTED WILL BE THE OWNER
OF ALL USER-IDS FOR YOUR APPLICATION.)
Non-account	Description
At III, enter the account name and TAB to the Description field to enter the information there.
Use the TAB key to move through this section.
D-10

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 2 (cont.)
IV. List all users (User-ID and lastname.firstname) that the
application will be OWNER of.
User-ID	Name
If you have any questions, call Customer Support at
919-541-7862 or 1-800-334-2405.
Are you satisfied with the above information (Y/N)?
At IV, enter the User-ID; then space over to the name field. (If you have more than one name,
use the RETURN key to go to the next line. After all names have been entered, press TAB to
move to the next question.)
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-11

-------
EMAIL RACF FORMS (cont.)
RACF_REQUEST_III
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 3
Complete this form to request one of the following updates. Your
request will be sent to the TSSMS office for processing.
Select one of the following choices:
1 = Establishing a non-account
2 = Change non-account
3 = Delete non-account
4 = Change billable account
5 = Assign new User-ID OWNER
Choice:
D-12

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
(check one)
Requester User-ID: ______  Name: ______  ADP: ___  RSA: ___
Establish a non-account group (6 to 8 characters); give a
brief description (up to 50 characters) of what the
non-account group is for and an OWNER for this account.
Non-account	OWNER	Description
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with
an X.
Enter the non-account and TAB to the Owner field.
Enter the owner information and TAB to the Description field.
Enter the Description information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-13

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
(check one)
Requester User-ID: ______  Name: ______  ADP: ___  RSA: ___
Change non-account: ______  OWNER to: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with
an X.
Enter the non-account group name and TAB to the Owner field.
Enter the owner information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-14

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
(check one)
Requester User-ID: ______  Name: ______  ADP: ___  RSA: ___
Delete non-account: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with
an X.
Enter the non-account name you want to delete and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-15

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
(check one)
Requester User-ID: ______  Name: ______  ADP: ___  RSA: ___
Change billable account: ______  OWNER to: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with
an X.
Enter the account name and TAB to the Owner field.
Enter the owner information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-16

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST FORM 3 (cont'd)
Application acronym: ______
(check one)
Requester User-ID: ______  Name: ______  ADP: ___  RSA: ___
Assign new User-ID OWNER to: ______
Are you satisfied with the above information (Y/N)?
Enter the application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with
an X.
Enter the new owner's information and press ENTER.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
D-17

-------
EMAIL RACF FORMS (cont.)
RACF REQUEST IV
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
RACF REQUEST FORM 4
Application acronym:
(check one)
Requester User-ID:        Name:        ADP:    RSA:
User-ID    Name    Non-Account    RSA    ADD/DELETE
1.
2.
3.
4.
Are you satisfied with the above information (Y/N)?
Enter the Application acronym and TAB to the Requester field.
Enter the requester's User-ID and name; then TAB to the ADP or RSA field and mark it with
an X.
Enter the User-ID and the name; then TAB to the Non-account field.
Enter the non-account; then enter a 'P' or 'N' in the RSA field—'P' for Primary and 'N' for
Non-primary. Then enter 'A' for Add or 'D' for Delete in the Add/Delete field.
Answer Y if everything is correct to send the message.
Answer N if something is incorrect; the system will return you to the top of the form.
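The Form 4 procedure above encodes several field rules (mark exactly one of ADP or RSA, a 'P' or 'N' RSA code, an 'A' or 'D' action code, at most four User-ID lines). As an added example that is not part of the original manual, the following Python checks a Form 4 request against those rules before it is sent; the class and function names and the sample request are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

MAX_ENTRIES = 4            # Form 4 has four User-ID lines
RSA_CODES = {"P", "N"}     # 'P' Primary, 'N' Non-primary
ACTION_CODES = {"A", "D"}  # 'A' Add, 'D' Delete


@dataclass
class Form4Entry:            # one User-ID line of the form (hypothetical name)
    user_id: str
    name: str
    non_account: str
    rsa: str                 # must be 'P' or 'N'
    action: str              # must be 'A' or 'D'


@dataclass
class Form4Request:          # the form header plus its lines (hypothetical name)
    application: str
    requester_id: str
    requester_name: str
    adp: bool                # 'check one': exactly one of adp / rsa is marked
    rsa: bool
    entries: List[Form4Entry] = field(default_factory=list)


def validate_form4(req: Form4Request) -> List[str]:
    """Return the problems found; an empty list means the form is ready to send."""
    problems = []
    if not req.application.strip():
        problems.append("application acronym is required")
    if not (req.requester_id.strip() and req.requester_name.strip()):
        problems.append("requester User-ID and name are required")
    if req.adp == req.rsa:
        problems.append("mark exactly one of ADP or RSA")
    if not req.entries:
        problems.append("at least one User-ID line is required")
    if len(req.entries) > MAX_ENTRIES:
        problems.append(f"form holds at most {MAX_ENTRIES} User-ID lines")
    for n, e in enumerate(req.entries, 1):
        if not (e.user_id.strip() and e.name.strip() and e.non_account.strip()):
            problems.append(f"line {n}: User-ID, name and non-account are required")
        if e.rsa.upper() not in RSA_CODES:
            problems.append(f"line {n}: RSA field must be P or N, got {e.rsa!r}")
        if e.action.upper() not in ACTION_CODES:
            problems.append(f"line {n}: Add/Delete field must be A or D, got {e.action!r}")
    return problems


# Constructed sample request (not real EPA data): one user added as primary RSA.
SAMPLE_REQUEST = Form4Request("APPL", "U12345", "Jane Doe", adp=False, rsa=True,
                              entries=[Form4Entry("U99999", "John Roe", "NONACCT", "P", "A")])
```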
D-18

-------
APPENDIX E
Certification Agreement
I have attended the RACF Security Administrator (RSA) certification course jointly
sponsored by OIRM and NDPD on ____________ (date).
I understand that upon successful completion of the certification course I will be
granted RACF administrative privileges. I understand that those privileges are to be used
for the sole purpose of establishing and maintaining the RACF-controlled security of the
system/application for which I have been designated RACF Security Administrator.
I have received a copy of the Application RACF Security Administrator's Guide. I
understand that the guide (and any future revisions to the guide) and the NDPD NCC IBM
Mainframe Security Policy (210.08) constitute the agreement between me and the EPA
concerning my use of RACF administrative privileges. Specifically, I agree that I will not
grant RACF administrative privileges to any non-RSA certified User-ID which I may
connect to any of the RACF groups under my administrative control.
I understand that if I violate my agreement with EPA I am subject to the removal of
my RACF administrative privileges and any administrative action deemed proper and
necessary by EPA ADP management.
Printed Name:
Signature:
E-1

-------