RACF Administration

This course introduces delegates to the concepts, terminology, commands, and procedures involved in administering an RACF secured system. All major aspects of RACF administration are covered, special attention is given to those facilities which will benefit the audit process.

Lecture content is supported by frequent online labs, using either your own system or accessing our online z/OS system.

This course will benefit RACF administrators, RACF auditors, help desk personnel, and anyone else who requires a knowledge of RACF administration principles and practices. It is of particular benefit to those new to RACF administration or RACF auditing.

Delegates should be fully familiar with the z/OS environment (e.g., by attending our z/OS for Beginners course) and have an understanding of TSO/E ISPF/PDF (e.g., by attending our z/OS TSO/ISPF Workshop).

No previous RACF experience is required.

Upon successful completion of this course, delegates will be able to:

• Identify the need for security in business information systems.
• Understand how RACF meets business information systems security needs.
• Design a group structure to meet their installations requirements.
• Describe the various ways in which RACF commands can be issued.
• Use the group related commands to administer the group structure.
• Describe the effect of the various group profile related parameters.
• Use the user related commands to administer user profiles.
• Use the various group authorities effectively.
• Explain the management and use of the various non-RACF segments in user profiles.
• Describe the effect of the various user profiles related parameters.
• Connect users to groups and manage the assigned group authorities.
• Describe the advantages and disadvantages of both discrete and generic data set profiles.
• Use the data set related commands to manage both discrete and generic profiles.
• Specify the appropriate auditing parameters for data set profiles. - Provide users with the appropriate access to protected data sets.
• Use the general resource commands to manage general resources.
• Describe how CICS transactions, load modules, secured sign-on, and the started task table can be protected and controlled.
• Describe how digital certificates, field level access checking, and RACF variables can be protected and controlled.
• Use the search command to locate specified profiles in the database.
• Use and explain the operation of the RVARY and SETROPTS management commands.
• Explain how RACF Remote Sharing operates and how it's use can be controlled.
• Identify how the operation of RACF changes when running in a parallel sysplex.
• Explain how to control RACF operation in a parallel sysplex.
• Describe how to use the RACF Report Writer product to format and print audit records.
• Identify how to process RACF audit records within a DB2 database.
• Use and interpret the output of the Data Security Monitor.
• Use the database unload utility, cross reference utility, remove userid utility, database verification utility, database split/merge/extend utility, and the database block update utility.

Introduction
Positioning RACF with SAF and Operating System.
Security past and present.
Security threats and the role of RACF.
RACF Structure: Profiles and Classes.
Review of available documentation.

Where to Start with Security
Policy statement production.
Identifying Resources and ownership.
Identifying the Users.
Relating Resources and Users.
Converting the policy to a Plan.

The Group Structure
Identifying Business Groups.
Relating Business Groups to RACF Groups.
Associating Users with Groups.
Group/Sub-group Hierarchy.
Privilege Status –Special vs. Group Special.
Group Ownership and Connection.

The RACF Commands
Entering RACF Commands.
RACF Commands and the Manuals.
Entering RACF Commands in Batch.
Online Help.

Defining and Deleting RACF Groups
Group Profile Commands.
Adding a Group (ADDGROUP).
Deleting a Group (DELGROUP).
Modifying an existing Group (ALTGROUP).
Obtaining Group information (LISTGRP).
Specifying the Superior Group.
Data set Profile Modelling.
RACF Remote Sharing Parameters.
Additional ADDGROUP Parameters.
Additional Group Segments.
Required authority levels for Group Commands.

Defining Users
User Profile Commands.
Adding a User profile (ADDUSER).
Deleting a User profile (DELUSER).
Modifying a existing user Profile (ALTUSER).
Obtaining user information (LISTUSER).
Specifying the Default Group.
Group and Class Authority.
Group Access Authority.
RACF Remote Sharing Parameters.
Data set Profile Modelling.
RACF Authorities and Attributes.
Security Levels and Security Categories.
Security Labels.
Defining the CICS Segments.
Defining the DCE Segments.
Defining the DFP Segment.
Defining the LANGUAGE Segment.
Defining the OMVS Segment and why.
Defining the NETVIEW Segments).
Defining the OPERPARM Segments.
Defining the TSO Segments and why.
Defining the WORKATTR Segments.
Parameters only applicable to ALTUSER.
Required authority levels for User Commands.
Basic PASSWORD.
Changing Other Users Passwords.
Full Syntax of PASSWORD.
Required authority levels Password Command.

Connecting Users to Groups
Connect and Remove Commands.
CONNECT a user to a Group.
REMOVE a user from a Group.
Relevance to deleting a Group.
Required authority levels for Connect/Remove.

Data Set Profiles
Data set Profile Commands.
Discrete Data set Profiles.
Generic Data set Profiles.
Adding a data set profile (ADDSD).
Discrete Profile Parameters.
Generic Wildcard Characters - %.
Generic Wildcard Characters - *.
Generic Wildcard Characters - **.
Specifying Data set Attributes.
Access Levels.
Auditing Access Attempts.
Profile Copying.
RACF Remote Sharing Parameters.
Security Level & Category Checking.
Other Profile Attributes.
Deleting a data set profile (DELDSD).
Modifying an existing data set profile (ALTDSD).
Parameters only applicable to ALTDSD.
Obtaining data set profile information (LISTDSD).
Listing multiple data set Profiles.
Listing Generic or Discrete Profiles.
Required authority levels for data set Commands.
Allowing other users/groups access (PERMIT).
Conditional Access Lists.
Permitting Many Users access.
Denying Users and Groups access.
Deleting Access Lists.
Required authority levels for Permit Command.

General Resource Profiles
General Resource Profile Commands.
Defining additional resources (RDEFINE).
Common RDEFINE Parameters.
Providing extra Profile Information.
TME Segment.
Controlling DLF use - DLFCLASS.
Controlling APPX use - APPCLU.
Controlling PassTickets - PTKTDATA.
Interfacing with Tivoli Products - ROLE.
Controlling STCs - STARTED.
Controlling access to SystemView - SYSMVIEW.
Why not to use - TAPEVOL.
Controlling access by screen - TERMINAL.
The use of GTERMINL.
Using TCICSTRN/GCICSTRN to protect CICS Transactions.
Using WHEN(PROGRAM) to Protect Load Modules.
RACF rather than ISFPARMS to Protect SDSF.
Deleting a resource profile (RDELETE).
Modifying resource profiles (RALTER).
Parameters only applicable to RALTER.
Obtaining information about resources (RLIST).
Common RLIST Parameters.
Listing Non-RACF Segments.
Special RLIST Features.
General resources and the PERMIT command.
Required authority levels for General Resource Command.

Special RACF Features
The Started Task Table.
Using ICHRIN03.
Using the STARTED Class.
The Global Access Checking Table.
Using the Global Access Checking Table.
RACF Variables.
Using the RACFVARS Class.
Using RACF Variables.
Field Level Access Checking.
Using the FIELD Class.
FIELD Class Examples.
The FACILITY Class.
Digital Certificates.
Basic RACDCERT.
Full RACDCERT Syntax.
RACDCERT Command Authority.
SEARCH Command Basics.
SEARCH Control Parameters.
The FILTER & MASK Parameters.
FILTER & MASK Examples.
The Backup RACF Database.
The RACF Database Name Table.
The RVARY Command.

The SETROPTS Command
Why have SETROPTS?
Parameters associated with data set profiles.
Parameters for general operation.
Dynamic implementations (GENLIST & RACLIST).
US D-o-D requirements.
Parameters related to JES.
General Userid and Password options.
Parameters applicable to AUDITOR authority.
Required authority level for SETROPTS Command.

RACF Remote Sharing Facility
The RACF Remote Sharing Facility.
RACF Command Direction.
RACF Password Synchronisation.
Managed User Associations.
Controlling RACLINK Use.
Controlling Password Synchronisation.
Controlling the AT Keyword.
Automatic RACF Command Direction.
Controlling Automatic RACF Command Direction.
Combined RACF Command Direction.
Use of ONLYAT Keyword.
Automatic Password Synchronisation.
Controlling Automatic Password Synchronisation.
Password Synchronisation by Command.
Combined RACF Command Direction.
Defining RRSF Nodes.
The RACF Subsystem & Parameter Library.

RACF and Sysplex
Types of Sysplex.
Basic Sysplex.
Parallel Sysplex.RACF and Sysplex.
RACF Communication.
RACF Data Sharing.
RACF Data Sharing Problems.
The Four Sysplex Modes.
The RACF Database Name Table.
Coupling Facility Structures.
Defining Coupling Facility Structures.
In-Storage Profiles.
RACLISTed profiles via RACROUTE.
In-Storage Profiles and Sysplex.
Introducing RACGLIST.
RACGLIST and REFRESH.
Using RACGLIST.

Auditing RACF
Auditing data collection.
RACF Report Writer Overview.
RACFRW Command summaries.
Extracting RACF records from SMF.
IRRADU00.
IFASMFDP.
Using DB2 to process RACF SMF data.
IRRADUTB.
IRRUDULD.
IRRADUQR.
DSMON - Data Security Monitor.
Overview of report types.

RACF Utility Programs
IRRDBU00 - Unload Utility.
IRRUT100 - Cross Reference Utility.
IRRRID00 - The RACF Remove Userid Utility.
IRRUT200 - Verification Utility.
IRRUT400 - Split/Merge/Extend Utility.
BLKUPD - Block-Update Utility Command.