Overview
Prerequisites:
Attendees should have a clear conceptual understanding of z/OS and a basic understanding of RACF, which can be gained by attending the RSM course Understanding RACF. A working knowledge of TSO/ISPF and JCL is also required.
Course Description:
This course introduces the concepts, terminology, commands, and procedures involved in administering and auditing RACF. All major aspects of day-to-day RACF administration and auditing are covered.
This course is suitable for RACF Administrators and Auditors, Systems Programmers and any other technicians requiring a knowledge of RACF administration principles and practices.
On successful completion of this course, attendees will
be able to:
- Explain the need for security in business information
systems
- Describe how RACF meets business information systems security
needs
- Design a group structure to meet their installation's
requirements
- Explain & use RACF commands
- Describe the effect of the various group profile related
parameters
- Explain the management and use of the various non-RACF segments
in user profiles
- Connect users to groups and manage the assigned group
authorities
- Use the dataset related commands to manage both discrete and
generic profiles
- Manage general resources
- Use and explain the operation of the SETROPTS management
commands
- Use and interpret the output of the Data Security
Monitor
- Use the database unload utility, cross reference utility,
remove id utility, database verification utility,
database split/merge/extend utility, and the database block
update utility.
This course includes the following modules:
Introduction
- What is RACF?; Why do we need Security?; Security in the Old
Days; Security These Days; What security do we need?; Where are the
dangers?; How can RACF help?; RACF Profiles; How RACF operates; The
RACF Database; Resource Classes.
The RACF Manuals
- The Manual Library; RACF Security Administrators Guide; RACF
Command Language Reference; BookManager.
Planning for security
- The Security Policy; Resource Ownership; How to protect
Resources?; Grouping Resources and Users; Document the Plan.
Group structure
- What are Groups?; Why have Groups?; Users and Groups; The
Initial Group Structure; The Group Hierarchy; System Special and
Group Special; Group Profile Ownership; Group Connections.
The RACF commands
- Entering RACF Commands; RACF Commands and the Manuals; Entering
RACF Commands in Batch; Online Help.
Defining RACF Groups
- Group Profile Commands; Basic ADDGROUP; Specifying the Superior
Group & Owner; Dataset Profile Modeling; RACF Remote Sharing
Parameters; Other ADDGROUP Parameters; Non-RACF Segments - DFP,
OMVS and OVM; Non-RACF Segments TME; Full ADDGROUP Syntax; Full
ALTGROUP Syntax; Full LISTGRP Syntax; LISTGRP Output; Full DELGROUP
Syntax; Group Command Authority.
Defining Users
- User Profile Commands; Basic ADDUSER; Specifying the Default
Group; Group Authority; Class Authority; Group Access Authority;
RACF Remote Sharing Parameters; Dataset Profile Modeling; RACF
Authorities; RACF Attributes; Security Levels and Security
Categories; Security Level Checking; Security Category Checking;
Security Labels; Other ADDUSER Parameters; Non-RACF Segments
(CICS); Non-RACF Segments (DCE); Non-RACF Segments (DFP, LANGUAGE);
Non-RACF Segments (KERB, LNOTES, NDS); Non-RACF Segments (NETVIEW);
Non-RACF Segments (USS, zVM); Non-RACF Segments (OPERPARM);
Non-RACF Segments (TSO); Non-RACF Segments (WORKATTR); Full ADDUSER
Syntax; Basic ALTUSER; ALTUSER Only Parameters; Full ALTUSER
Syntax; Full LISTUSER Syntax; LISTUSER Output; Full DELUSER Syntax;
User Command Authority; Basic PASSWORD; Changing Other Users
Passwords; Full Syntax of PASSWORD; Password Command
Authority.
Connecting Users to Groups
- Connect and Remove Commands; Basic CONNECT; Full CONNECT
Syntax; Basic REMOVE; Full REMOVE Syntax; Connect/Remove Command
Authority.
Dataset profiles
- Dataset Profile Commands; Basic ADDSD; Discrete Dataset
Profiles; Discrete Profile Parameters; Generic Dataset Profiles;
Generic Wildcard Characters - %; Generic Wildcard Characters - *;
Generic Wildcard Characters - **; Specifying Dataset Attributes;
Access Levels; Auditing Access Attempts; Profile Copying; RACF
Remote Sharing Parameters; Security Level & Category Checking;
Other Profile Attributes; Non-RACF Segments DFP; Non-RACF Segments
TME; Full ADDSD Syntax; Basic ALTDSD; ALTDSD Only Parameters; Full
ALTDSD Syntax; Basic LISTDSD; Listing Many Dataset Profiles;
Listing Generic or Discrete Profiles; Specifying What To List; Full
LISTDSD Syntax; LISTDSD Output; Full DELDSD Syntax; Dataset Command
Authority; Basic PERMIT; Conditional Access Lists; Permitting Many
Users Access; Removing Users and Groups; Deleting Access Lists;
Full PERMIT Syntax; PERMIT Command Authority.
General Resource profiles
- General Resource Profile Commands; Basic RDEFINE; Common
RDEFINE Parameters; Adding Additional Profile Information; Non-RACF
Segment TME; When the Class is DLFCLASS; When the Class is APPCLU;
When the Class is REALM; When the Class is PTKTDATA; When the Class
is ROLE; When the Class is STARTED; When the Class is SYSMVIEW;
When the Class is TAPEVOL; When the Class is TERMINAL; Full RDEFINE
Syntax; Resource Grouping Classes; Protecting CICS Transactions;
Protecting Load Modules; Protecting SDSF; Basic RALTER; RALTER Only
Parameters; Full RALTER Syntax; Basic RLIST; Common RLIST
Parameters; Listing Non-RACF Segments; Special RLIST Features; Full
RLIST Syntax; RLIST Output; Full RDELETE Syntax; Remember PERMIT?;
General Resource Command Authority.
Special RACF features
- SEARCH command and control parameters.
The SETROPTS command
- Basic SETROPTS; Dataset Related Parameters; General Parameters;
In-Storage Profile Parameters; B1 Security Parameters; JES
Parameters; Userid & Password Parameters; Auditor Parameters;
SETROPTS LIST Examples; SETROPTS Command Authority.
Auditing RACF
- RACF Auditing; RACF Report Writer; Basic RACFRW Commands; Full
RACFRW Syntax; Full SELECT Syntax; Basic EVENT Command; Full EVENT
Syntax; Full LIST Syntax; RACFRW Output Example; Full SUMMARY
Syntax; RACF SMF Data Unload Utility; SMF Unload Utility JCL; Using
the Unloaded RACF SMF Data; Processing the RACF SMF Data with DB2;
Standard DB2 Tables; Data Security Monitor; System & Group Tree
Reports; Pgm Properties & Auth Caller Table Reports; Class
Descriptor Table & RACF Exits Report; Global Access Table
Report; Started Procedures Table Report; Selected User Attribute
Reports; Selected Data Sets Report.
RACF utility programs
- Database Unload Utility; Database Cross Reference Utility;
Database Cross Reference Utility Output; RACF Remove ID Utility;
Database Verification Utility; Database Verification Utility
Output; Database Split/Merge/Extend Utility; Database Block-Update
Utility Command.