racf database with vanguard cleanup · security & compliance conference 2016 ernie englehart senior...

SECURITY & COMPLIANCE CONFERENCE 2016

Ernie Englehart

Senior QA Analyst

VSS15

“Spring Cleaning” your RACF Database with

Vanguard Cleanup

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license

to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

©2016 Vanguard Integrity Professionals, Inc. 2

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University


The following are trademarks or registered trademarks of the International Business Machines Corporation: Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Trademarks


CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF


Vanguard Cleanup



Vanguard Cleanup


Why use Vanguard Cleanup™?

Performance Smaller RACF® DB, faster authorization checking

Fewer Audit Findings Clean Access Lists Fewer profiles to review

RACF Administration Productivity Smaller RACF database eases, shortens maintenance

tasks, reduces errors

Security Unused profiles are removed, eliminating security

exposures


Vanguard Cleanup


AGENDA

Technical Overview

Maintenance Tasks and Status

Reports and Command Generation

Summary and Questions

TECHNICAL OVERVIEW


Vanguard Cleanup


What is Vanguard Cleanup

Vanguard Cleanup provides reports and generates commands to clean up and restore “unreferenced”:

User Profiles

Group Profiles

Data Set Profiles

General Resource Profiles

Standard Access List Permissions

Conditional Access List Permissions


Vanguard Cleanup


To use Vanguard Cleanup, you must have authorization to FACILITY class profiles:

IRR.RADMIN.** - to access Manage Exclusions

and Manage User Correlation Features

VCL$.REPORTS – to create Vanguard Cleanup

reports

VCL$.VCLCMND – to generate RACF

commands

VRA$.VRAEXTR – to create VRA extract files


Vanguard Cleanup Process Flow



Vanguard Cleanup Components


The Capture Component: Exits

Standard RACF Post-Processing Exits are used to capture authorization requests

ICHRCX02 (AUTH) ICHRFX02 (FASTAUTH) ICHRFX04 (FASTAUTH) ICHRIX02 (VERIFY(x))

Dynamically installed when the Vanguard Cleanup Started Task initializes and remain active until the next IPL.

Deactivated when the Vanguard Cleanup Started task terminates.

Existing exits are front-ended and remain active in the system.


Vanguard Cleanup Components


The Started Task:

Gathers data in real time, which is buffered into a common data space and passed to a Vanguard Cleanup History Master File by an asynchronous collection process.

Moves the data collected in the Vanguard Cleanup data space to the Vanguard Cleanup History Master File. This automated process is called the Offload Process.

Updates the Vanguard Offline History Master File if Vanguard Offline is activated.

Filters data through use of VCLFILTR member in VANOPTS.


Vanguard Cleanup Started Task Operator

Commands



Vanguard Cleanup Started Task Current Status

Report



Vanguard Cleanup Started Task Current Totals

Report



Vanguard Cleanup Components VCLFILTR

member of VANOPTS



Vanguard Cleanup Components VCLFILTR

member of VANOPTS (cont.)



Vanguard Cleanup Components History Master

File


The Vanguard Cleanup History Master File:

Contains all normalized profile authorization requests.

Normalization allows Vanguard Cleanup to reduce the amount of duplicated data.

For example, if Vanguard Cleanup identified 20 authorization requests for a profile by a particular User ID and access intent level, it reduces that amount down to 1 record for the most recent access.


Vanguard Cleanup Report Component


The Report Component: Interfaces with a Vanguard Administrator Extract

File to generate usage reports.

History Collection Detail Unreferenced Datasets Unreferenced Resources Unreferenced Groups Unreferenced Userids Unreferenced Access Permissions Unreferenced Connects History Collection Verify(x) Access

Can Generate: Cleanup Commands Restore Commands


Invoking Vanguard Cleanup



Vanguard Cleanup Available Options Members



Vanguard Cleanup Main Menu



Initialize Cleanup Options



Batch Job Defaults



Batch Job Parameter Defaults


MAINTENANCE TASKS

AND STATUS


Status and Counters



Vanguard Cleanup Status and Counters Panel



Maintenance Tasks



Manage Exclusions



Manage Exclusion Criteria – Users



Manage User Exclusion Criteria



Manage Exclusion Criteria – Groups



Manage Group Exclusion Criteria



Manage Exclusion Criteria – Dataset Profiles



Manage Dataset Exclusion Criteria



Manage Exclusion Criteria – Classes



Manage Class Exclusion Criteria



Manage Exclusion Criteria – General Resource

Profiles



Manage Profile Exclusion Criteria



Manage User Correlations



List User IDs By Correlation Sets



Excluded Classes


The following classes are excluded from Vanguard Cleanup reporting:

• CDT • CFIELD • DIGTCERT • DIGTCRIT • DIGTNMAP • All Grouping classes

• DIGTRING • GLOBAL • KERBLINK • KEYSMATR • PROGRAM

• PTKTDATA • REALM • STARTED • VMSEGMT


Excluded General Resource Profiles


Excluded Resource Profiles • FACILITY BPX.DEFAULT.USER. BPX.NEXT.USER, BPX.UNIQUE.USER, BPX.MAINCHECK, BPX.SAFFASTPATH, BPX.SMF • UNIXPRIV CHOWN.RESTRICTED,

FILE.GROUPOWNER.SETGID, RESTRICTED.FILESYS.ACCESS, SHARED.IDS

• (ALL) * and **

Excluded Resource Profiles by HLQ • OPERCMDS VCL$ • FACILITY All Vanguard (VRA$, VRC$, VSR$, …)

REPORTS AND COMMAND

GENERATION


Report & Command Generation



History Collection Detail



JCL Submit Processing Panel



History Collection Detail Report



History Collection Verify(x) Access



History Collection Verify(x) Access Report



Unreferenced Datasets



Unreferenced Datasets Report – Page 1



Unreferenced Datasets Report – Command

Datasets



Unreferenced Datasets Report – RACF Delete

Commands



Unreferenced Datasets Report – RACF Recovery

Commands



Unreferenced Datasets Report – Enhanced

Masking




Masking Fields




Masking Fields (cont.)



Unreferenced Resources



Unreferenced Resources Report



Unreferenced Resources Report – Enhanced

Masking



Unreferenced Groups



Unreferenced Groups Report



Unreferenced Groups Report – Enhanced Masking



Unreferenced Userids



Unreferenced Userids Report



Unreferenced Userids Report – Enhanced Masking



Unreferenced Userids Report – Enhanced Masking

(cont.)



Unreferenced Userids Report – Additional

Parameter


OWNER_NOTIFY

Specifies the ID to be used in OWNER and NOTIFY keywords if the obsolete user ID is the owner of any resources or is defined to be notified of anything. If not specified, the old user ID is used with question marks.

NOTE: RACF commands with question marks in user or group IDs will fail.


Unreferenced Access Permissions



Unreferenced Group Access Permissions Report



Unreferenced User Access Permissions Report



Obsolete IDs Access Report



Unreferenced Access Permissions Report –

Enhanced Masking



Unreferenced Access Permissions Report –

Redesigned (Q416)



Unreferenced Connects



Unreferenced Connects Report



Unreferenced Connects Report – Enhanced

Masking


SUMMARY AND

QUESTIONS


Vanguard Cleanup Summary


What’s the Value?

Performance Smaller RACF database, fewer profiles loaded into

main storage, faster authorization checking

Fewer Audit Findings Clean Access Lists Fewer profiles to review

RACF Administration Productivity Smaller RACF database eases, shortens

maintenance tasks, reduces errors

Security Unused profiles are removed, security exposures

are reduced


Conclusion


Questions?

VANGUARD SECURITY & COMPLIANCE 2016 ©2016 Vanguard Integrity Professionals, Inc. 87

SECURITY & COMPLIANCE CONFERENCE 2016

Thank you!

Ernie Englehart

[email protected]

(702) 794-0014

racf database with vanguard cleanup · security & compliance conference 2016 ernie englehart senior...

Documents