racf groups - cloud object storage | store & retrieve data ... · racf groups ©2016 vanguard...

SECURITY & COMPLIANCE CONFERENCE 2016

RACF Groups

John Hilman

Vanguard Professional Services

BAS2

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license

to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

©2016 Vanguard Integrity Professionals, Inc. 2

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University


The following are trademarks or registered trademarks of the International Business Machines Corporation: Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Trademarks


CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF


Session Topics

• RACF® Group Tree Structure

• Group Profile Naming Conventions

• RACF Commands for Group Administration

• Using Vanguard Administrator™ for Group

Administration

• Group Related User Attributes

• Group Authorities

• RACF Group Scoping



Group Structure


OWNER=EASTREG

NYC

OWNER

GROUP NAME

OWNER=SECADM

INTERNTL

OWNER=INTERNTL

INTERHQ

OWNER=INTERHQ

REGIONS

OWNER=SALES

EASTREG

OWNER=IBMUSER

SYS1

OWNER=SYS1

SECADM

OWNER=SECADM

LVPAYCLK

OWNER=SALES

WESTREG

OWNER=DOMESTIC

MANUFACT

OWNER=MANUFACT

PROD

OWNER=PROD

MAINT

OWNER=DOMESTIC

SALES

OWNER=SECADM

DOMESTIC

OWNER=DOMESTIC

OVERHEAD

SUPERIOR GROUP


RACF Groups


LVPAYCLK

RUSS

PATTY

MARK

Grouping of users makes administration of users

easier and more manageable

KAREN

COMBINES LIKE

ELEMENTS


Group Profile Naming Conventions

A RACF GROUP NAME MUST BE • One to eight characters in length

• Any combination of alphabetic, numeric, #, $, or @,

EXCEPT it may NOT start with a numeric

• Unique from other group names or user IDs

SYS1, SECADM, #STCGRP are all valid Group

names

1STGRP, IBMUSER are not valid Group

names

LOCAL NAMING STANDARDS SHOULD BE

CREATED TO AVOID ATTEMPTED USE OF THE

SAME GROUP NAME



Group Profile Segments

BASE (or RACF) SEGMENT

• Required segment

• Contains basic group information

• Group Name

• Owner

• Superior Group

• Installation Data

• Connected Users

• Subgroups

• Important keywords to explicitly specify:

OWNER

SUPGROUP



Group Profile Segments

OPTIONAL SEGMENTS

• DFP SEGMENT – Contains default Data Class, Storage Class, and Management

Class values for the Automatic Class Selection routines in

DFSMS

– Referred to by RESOWNER field in dataset profiles

• OMVS SEGMENT – Specifies the z/OS® UNIX® System Services Group Identifier

(GID)

• CSDATA SEGMENT – Specifies information to add a custom field for this group



Commands For Group Administration

ADDGROUP (AG) ADD A GROUP PROFILE

ALTGROUP (ALG) MODIFY A GROUP PROFILE

LISTGRP (LG) LIST A GROUP PROFILE

CONNECT (CO) CONNECT A USER TO A RACF

GROUP

REMOVE (RE) REMOVE A USER FROM A RACF

GROUP

DELGROUP (DG) DELETE A GROUP PROFILE



ADDGROUP Command Syntax

ADDGROUP (AG) group-name or (group-names . . .)

[ OWNER(user-id or group-name) ]

[ SUPGROUP(group-name) ]

[ DATA('installation data') ]

[ CSDATA(custom-field-name (custom-field-value)) ]

[ DFP(class-names) ]

[ OMVS(GID(group-identifier)) ]

[ UNIVERSAL ]


ADDGROUP (MVS™, CICS®) OWNER(TECHSUPP) SUPGROUP(TECHSUPP)

AG MVSGRP OW(MVS) SUP(MVS) DATA(‘FUNCTIONAL GROUP FOR SYS PROGS’)

ADDGROUP


Syntax Rules and Defaults

• If OWNER is group name,

– must be its superior group

• If no owner specified,

– you are the owner

• If SUPGROUP omitted,

– your current connect group becomes superior group


OWNER determines

administration

SUPGROUP determines

structure


UNIX Group Identifiers


Each UNIX group must have a

group identification number (GID).

GID - how the UNIX system

internally identifies each group.

AG OMVSGRP OW(MVS) SUP(MVS) OMVS(GID(200))


Universal Groups


UNIVERSAL

Group

AG UNIGRP OW(MVS) SUP(MVS) UNIVERSAL


Adding A Group – RACF Panels



Specify the Group Name



Specify Owner and Superior Group



Specify the GID



Profile Added



Adding a GROUP with Vanguard Administrator



Select Group – Option 2



Enter the Group Name



Enter Owner and Superior Group


Enter E for Installation Data

Enter Owner and Superior Group


Enter Installation Data


Press End (F3)


Enter GO to Generate Commands



VRAEXEC to Execute Now



Auditing Groups

AT THE GROUP PROFILE LEVEL

• No auditing available

AT THE SYSTEMWIDE LEVEL

• All additions, changes to, or deletions of group profiles

SETR AUDIT(GROUP)



ALTGROUP Command Syntax


ALTGROUP (ALG) group-name or (group-names . . .)

[ OWNER(user-id or group-name) ]

[ SUPGROUP(group-name) ]

[ DATA('installation data') ]

[CSDATA(custom-field-name

(custom-field-value)) ]

[ DFP(class-names) ]

[ OMVS(GID(group-identifier)) ]

[ NOOMVS ]

ALG UNIXGRP OMVS(GID(2015))

ALTGROUP


LISTGRP Command Syntax

LISTGRP (LG) group-name or (group-names …)

or

*

[ CSDATA ]

[ DFP ]

[ OMVS ]


LISTGRP TSADMIN

LG UNIXGRP OMVS

LG (TECHSUPP MVS CICS)

LISTGRP


Group Profile Contents



Display a Group Profile – RACF Panels



Select Optional Segment Information



Group Profile Display



Display a GROUP with Administrator



Select Group Profiles – Option 2



Select Masking Criteria for Group Report



Three Ways to List a Group



Using the LR Command



Output of the LR Command



Using the LV Command



Output of the LV Command



Output of the LV Command – 2



Output of the LV Command – 3



Using the VRC Command



Listing or Changing a Group



Connecting Users to Groups

CONNECT (CO) user-id or (user-ids . . .)

[ GROUP(group-id) ]

[ OWNER(user-id or group-id ]

[ AUTHORITY( use, create, connect, join) ]

[ SPECIAL | NOSPECIAL ]

[ OPERATIONS | NOOPERATIONS ]

[ AUDITOR | NOAUDITOR ]

[ RESUME [ (date)] | NORESUME ]

[ REVOKE [ (date)] | NOREVOKE ]


CONNECT U25RTH GROUP(CICSGRP) OWNER(CICSGRP)

CO (U25JED, U17JED) GROUP(TECHSUPP)

CO U25JPM GROUP(MVSGRP) REVOKE(mm/dd/yy)

CONNECT


Connect Attributes / Group Authorities


PATTY

LVPAYCLK

Connect Attributes

SPECIAL

OPERATIONS

AUDITOR

REVOKE

Group Authorities

JOIN

CONNECT

CREATE

USE


Connect Attributes


GROUP RELATED USER ATTRIBUTES APPLY TO USERS, GROUPS, AND RESOURCES WITHIN THE SCOPE OF THE GROUP GROUP-SPECIAL Gives the user the authority to issue all RACF commands within the scope of a group GROUP-AUDITOR Gives the user the authority for auditing resources and users within the scope of a group GROUP-OPERATIONS Gives the user the authority to access RACF protected resources within the scope of a group

co patty group(lvpayclk) special auditor operations


Group Authorities


CREATE

CONNECT

JOIN

USE

Each level is inclusive of lower level authorities

Add DS Profile

Allocate New DS

CONNECT

Users to Group

REMOVE

Users from Group

Add Sub-Group

Add New User ID

If CLAUTH(USER)


Removing Users From Groups

REMOVE (RE) user-id or (user-ids . . .)

[ GROUP(group-id) ]

[ OWNER(user-id or group-id ]


REMOVE U25RTH GROUP(CICSGRP)

RE (U25JED, U17JED) GROUP(TECHSUPP)

RE U25JPM GROUP(MVSGRP) OWNER(MVSGRP)

REMOVE


Group Connections – RACF Panels



Specify User and Connect Owner



Specify Group Attributes



Administrator – Connect Manager



Add a Group Connection


Enter the Group ID and Connect Owner


Remove a Group Connection


Enter R next to the group to remove – press enter


DELGROUP Command Syntax

DELGROUP (DG) group-name

or (group-names....)


RACF Restrictions: No Subgroups,

No Connected Users,

No Group Data Set Profiles

RACF Considerations: Access Lists,

Profile Ownership

DG MVSRS


Steps to Deleting Groups

1. Remove all users from group

2. Identify all data sets associated with group and take appropriate action

3. Any subgroups of group must be changed to another group

4. If group is owner of profiles, change ownership to another group

5. Remove group name from any resource access lists



Administrator - Deleting a Group



Delete Group Command



Generated Commands



Centralized Administration


SECADM

Jim

SPECIAL

LVCSTSRV LVPAYCLK

Owner=Jim

Owner=Jim

Owner=Jim Owner=Jim

Owner=Jim

Owner=Jim

Russ Mark

Patty

Mary Tom

Sue


Delegate Profile Ownership


Bob

SECADM

LVCSTSRV LVPAYCLK

Owner=Bob

Owner=Bob

Owner=Bob Owner=Bob

Owner=Bob

Owner=Bob

Russ Mark

Patty

Mary Tom

Sue

Jim

SPECIAL


Using Group-Special


SECADM

LVCSTSRV LVPAYCLK

Owner=RACFADM

Russ Mark

Patty

Mary Tom

Sue

RACFADM Group

Special

Owner=RACFADM Owner=RACFADM Owner=RACFADM

Owner=RACFADM Owner=RACFADM

Bob

Jim

SPECIAL


Delegating Group-Special


SECADM

LVCSTSRV LVPAYCLK

Mark

Russ

Mary

Sue

RACFADM Group

Special

LVPAYCLK LVCSTSRV

LVCSTSRV LVPAYCLK

Bob

Jim

SPECIAL

RACFADM RACFADM

Group

Special

Patty

Tom

Group

Special


Scope of the Group Rules

THE "SCOPE OF THE GROUP "

IS DETERMINED BY THE

GROUP OWNERSHIP

STRUCTURE

GROUP OWNERSHIP CAN

ONLY OCCUR BETWEEN A

SUPERIOR GROUP AND ITS

SUBGROUPS



Scope of the Group Rules


THE SCOPE WILL CONTINUE

AS LONG AS "GROUPS OWN

GROUPS"

THE SCOPE ENDS WHEN

A GROUP IS OWNED BY A

USER ID

OWNER=PDUKE

INTERNTL

OWNER=INTERNTL

INTERHQ

OWNER=INTERHQ

REGIONS

OWNER=SYS1

SECADM

OWNER=SECADM

RACFADM

OWNER=RACFADM

LVPAYCLK

OWNER=RACFADM

LVCSTSRV

BILL

Group-Special


Within the Scope of the Group

USERS AND RESOURCES ARE WITHIN THE SCOPE OF A GROUP WHEN THEY ARE:

• OWNED BY A GROUP DIRECTLY

• OWNED BY SUBGROUPS THAT ARE OWNED BY A GROUP

• OWNED BY SUBGROUPS THAT ARE OWNED BY SUBGROUPS OWNED BY A GROUP AND SO ON ......


Where did I lose that

SCOPE?


Within the Scope of the Group

RESOURCES ARE WITHIN THE SCOPE OF A GROUP WHEN THEY ARE:

• OWNED BY USERS OWNED BY A GROUP ANYWHERE IN THE HIERARCHY

• DATASETS, WHOSE HIGH-LEVEL-QUALIFIER IS A GROUP NAME WITHIN THE SCOPE OF GROUPS


Where did I lose that

SCOPE?


Group Commands Summary


ADDGROUP (AG)

ALTGROUP (ALG)

LISTGRP (LG)

DELGROUP (DG)

CONNECT (CO)

REMOVE (RE)

racf groups - cloud object storage | store & retrieve data ... · racf groups ©2016 vanguard...

Documents