TRANSCRIPT
SECURITY & COMPLIANCE CONFERENCE 2016
RACF Groups
John Hilman
Vanguard Professional Services
BAS2
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• RACF® Group Tree Structure
• Group Profile Naming Conventions
• RACF Commands for Group Administration
• Using Vanguard Administrator™ for Group Administration
• Group Related User Attributes
• Group Authorities
• RACF Group Scoping
Group Structure
[Slide diagram: a group tree in which each box shows a GROUP NAME and its OWNER; the legend reads OWNER, GROUP NAME, SUPERIOR GROUP. The tree lines show the superior-group relationship, and in this example every group's owner is also its superior group.]
SYS1 (OWNER=IBMUSER)
  SECADM (OWNER=SYS1)
    INTERNTL (OWNER=SECADM)
      INTERHQ (OWNER=INTERNTL)
        REGIONS (OWNER=INTERHQ)
    DOMESTIC (OWNER=SECADM)
      SALES (OWNER=DOMESTIC)
        EASTREG (OWNER=SALES)
          NYC (OWNER=EASTREG)
        WESTREG (OWNER=SALES)
      MANUFACT (OWNER=DOMESTIC)
        PROD (OWNER=MANUFACT)
          MAINT (OWNER=PROD)
      OVERHEAD (OWNER=DOMESTIC)
    LVPAYCLK (OWNER=SECADM)
RACF Groups
[Slide diagram: group LVPAYCLK with the connected users RUSS, PATTY, MARK and KAREN.]
A group combines like elements. Grouping users makes administration of users easier and more manageable.
Group Profile Naming Conventions
A RACF group name must be:
• One to eight characters in length
• Any combination of alphabetic, numeric, #, $ or @ characters, EXCEPT that it may NOT start with a numeric
• Unique among both group names and user IDs (groups and users share one namespace)
SYS1, SECADM and #STCGRP are all valid group names.
1STGRP (starts with a numeric) and IBMUSER (already defined as a user ID) are not valid group names.
Local naming standards should be created so that two administrators do not attempt to use the same group name for different purposes.
Group Profile Segments
BASE (or RACF) SEGMENT
• Required segment
• Contains the basic group information:
  – Group Name
  – Owner
  – Superior Group
  – Installation Data
  – Connected Users
  – Subgroups
• Keywords that should always be specified explicitly rather than left to their defaults: OWNER and SUPGROUP
Group Profile Segments
OPTIONAL SEGMENTS
• DFP SEGMENT
  – Contains the default Data Class, Storage Class, and Management Class values for the Automatic Class Selection routines in DFSMS
  – Referred to by the RESOWNER field in data set profiles
• OMVS SEGMENT
  – Specifies the z/OS® UNIX® System Services Group Identifier (GID)
• CSDATA SEGMENT
  – Holds the custom-field values defined by the installation for this group
Commands For Group Administration
ADDGROUP (AG)  - add a group profile
ALTGROUP (ALG) - modify a group profile
LISTGRP (LG)   - list a group profile
CONNECT (CO)   - connect a user to a RACF group
REMOVE (RE)    - remove a user from a RACF group
DELGROUP (DG)  - delete a group profile
ADDGROUP Command Syntax
ADDGROUP (AG) group-name or (group-names . . .)
[ OWNER(user-id or group-name) ]
[ SUPGROUP(group-name) ]
[ DATA('installation data') ]
[ CSDATA(custom-field-name(custom-field-value)) ]
[ DFP(class-names) ]
[ OMVS(GID(group-identifier)) ]
[ UNIVERSAL ]
ADDGROUP examples:
ADDGROUP (MVS CICS) OWNER(TECHSUPP) SUPGROUP(TECHSUPP)
AG MVSGRP OW(MVS) SUP(MVS) DATA('FUNCTIONAL GROUP FOR SYS PROGS')
Syntax Rules and Defaults
• If OWNER is a group name, it must be the group named in SUPGROUP (the new group's superior group)
• If OWNER is omitted, the user ID issuing the command becomes the owner
• If SUPGROUP is omitted, the current connect group of the user issuing the command becomes the superior group
OWNER determines administration (who may change the group, and which groups' scope it falls within); SUPGROUP determines structure (where the group sits in the group tree).
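The naming rules and ADDGROUP defaults above, as an added example (not code from the slides, from Vanguard, or from RACF itself): a checker that rejects names RACF would reject, applies the OWNER and SUPGROUP defaults, enforces that a group owner must be the superior group, and emits the command with the defaults made explicit so that nothing is left to chance. The sets of existing groups and users and the issuer's current connect group are constructed for the example.

```python
"""Checker for the ADDGROUP naming rules and OWNER/SUPGROUP defaults.

Added example; not from the slides or from RACF. The sample groups, users
and the issuer's current connect group are constructed for illustration.
"""
import re

# A group name is 1-8 characters from A-Z, 0-9, #, $, @ and may not start
# with a digit (it may start with a national character such as #).
GROUP_NAME_RE = re.compile(r"^[A-Z#$@][A-Z0-9#$@]{0,7}$")


def validate_group_name(name, groups, users):
    """Return the list of naming-rule violations; an empty list means OK."""
    name = name.upper()
    problems = []
    if not GROUP_NAME_RE.match(name):
        problems.append(f"{name}: must be 1-8 characters of A-Z 0-9 # $ @ and not start with a digit")
    if name in groups:
        problems.append(f"{name}: already defined as a group")
    if name in users:
        problems.append(f"{name}: already defined as a user ID (groups and users share one namespace)")
    return problems


def build_addgroup(name, issuer, connect_group, groups, users,
                   owner=None, supgroup=None, data=None):
    """Apply the ADDGROUP defaults and checks.

    Returns {"command": str or None, "errors": [...], "warnings": [...]}.
    Defaults as stated on the slides:
      OWNER omitted    -> the issuing user ID owns the new group
      SUPGROUP omitted -> the issuer's current connect group is the superior group
    Rule: if OWNER is a group, it must be the superior group.
    """
    result = {"command": None, "errors": validate_group_name(name, groups, users), "warnings": []}
    name = name.upper()
    if owner is None:
        owner = issuer
        result["warnings"].append(
            f"OWNER defaulted to issuer {owner.upper()}: the group becomes user-owned, "
            "which ends any group's scope at this point")
    if supgroup is None:
        supgroup = connect_group
        result["warnings"].append(f"SUPGROUP defaulted to current connect group {supgroup.upper()}")
    owner, supgroup = owner.upper(), supgroup.upper()
    if supgroup not in groups:
        result["errors"].append(f"SUPGROUP {supgroup} is not a defined group")
    if owner in groups and owner != supgroup:
        result["errors"].append(f"OWNER {owner} is a group but is not the superior group {supgroup}")
    elif owner not in groups and owner not in users:
        result["errors"].append(f"OWNER {owner} is neither a defined user nor a defined group")
    if result["errors"]:
        return result
    cmd = f"ADDGROUP {name} OWNER({owner}) SUPGROUP({supgroup})"
    if data:
        cmd += f" DATA('{data}')"
    result["command"] = cmd
    return result


# Constructed sample database for the example.
SAMPLE_GROUPS = {"SYS1", "TECHSUPP", "MVS"}
SAMPLE_USERS = {"IBMUSER", "U25JED"}

if __name__ == "__main__":
    r = build_addgroup("mvsgrp", "U25JED", "TECHSUPP", SAMPLE_GROUPS, SAMPLE_USERS,
                       owner="MVS", supgroup="MVS", data="FUNCTIONAL GROUP FOR SYS PROGS")
    print(r["command"])
    r = build_addgroup("testgrp", "U25JED", "TECHSUPP", SAMPLE_GROUPS, SAMPLE_USERS)
    print(r["command"], r["warnings"])
```

The second call in the usage shows why the slides say to specify OWNER and SUPGROUP explicitly: with both omitted the command still succeeds, but the new group is owned by whoever happened to issue it and hangs off whatever group they were logged on with.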
UNIX Group Identifiers
Each UNIX group must have a group identification number (GID).
The GID is how the UNIX system internally identifies each group; a RACF group becomes a z/OS UNIX group only when its OMVS segment carries a GID.
AG OMVSGRP OW(MVS) SUP(MVS) OMVS(GID(200))
Caveat: RACF does not by itself stop two groups from being assigned the same GID. Uniqueness of UIDs and GIDs is enforced only when the SHARED.IDS profile in the UNIXPRIV class is defined.
Universal Groups
A UNIVERSAL group can have an unlimited number of users connected to it. Users connected with group authority USE and no other connect attributes are not recorded in the group profile's member list, so the profile does not grow with each connection as an ordinary group profile does. The price is visibility: LISTGRP does not show those members, so membership of a universal group can only be established from the user side (LISTUSER, or a database unload).
AG UNIGRP OW(MVS) SUP(MVS) UNIVERSAL
Adding A Group – RACF Panels
Specify the Group Name
Specify Owner and Superior Group
Specify the GID
Profile Added
Adding a GROUP with Vanguard Administrator
Select Group – Option 2
Enter the Group Name
Enter Owner and Superior Group
Enter E for Installation Data
Enter Installation Data
Press End (F3)
Enter GO to Generate Commands
VRAEXEC to Execute Now
Auditing Groups
AT THE GROUP PROFILE LEVEL
• No auditing options exist on the group profile itself
AT THE SYSTEMWIDE LEVEL
• SETROPTS AUDIT(GROUP) logs all additions, changes to, and deletions of group profiles:
SETR AUDIT(GROUP)
ALTGROUP Command Syntax
ALTGROUP (ALG) group-name or (group-names . . .)
[ OWNER(user-id or group-name) ]
[ SUPGROUP(group-name) ]
[ DATA('installation data') ]
[ CSDATA(custom-field-name(custom-field-value)) ]
[ DFP(class-names) ]
[ OMVS(GID(group-identifier)) ]
[ NOOMVS ]
ALTGROUP example:
ALG UNIXGRP OMVS(GID(2015))
LISTGRP Command Syntax
LISTGRP (LG) group-name or (group-names . . .) or *
[ CSDATA ]
[ DFP ]
[ OMVS ]
LISTGRP examples:
LISTGRP TSADMIN
LG UNIXGRP OMVS
LG (TECHSUPP MVS CICS)
Group Profile Contents
Display a Group Profile – RACF Panels
Select Optional Segment Information
Group Profile Display
Display a GROUP with Administrator
Select Group Profiles – Option 2
Select Masking Criteria for Group Report
Three Ways to List a Group
Using the LR Command
Output of the LR Command
Using the LV Command
Output of the LV Command
Output of the LV Command – 2
Output of the LV Command – 3
Using the VRC Command
Listing or Changing a Group
Connecting Users to Groups
CONNECT (CO) user-id or (user-ids . . .)
[ GROUP(group-id) ]
[ OWNER(user-id or group-id) ]
[ AUTHORITY(USE | CREATE | CONNECT | JOIN) ]
[ SPECIAL | NOSPECIAL ]
[ OPERATIONS | NOOPERATIONS ]
[ AUDITOR | NOAUDITOR ]
[ RESUME [ (date) ] | NORESUME ]
[ REVOKE [ (date) ] | NOREVOKE ]
SPECIAL, OPERATIONS and AUDITOR on a CONNECT give the group-level form of the attribute (group-SPECIAL, group-OPERATIONS, group-AUDITOR), effective only within the scope of that group. REVOKE and RESUME on a CONNECT act on this one connection, not on the user ID as a whole.
CONNECT examples:
CONNECT U25RTH GROUP(CICSGRP) OWNER(CICSGRP)
CO (U25JED U17JED) GROUP(TECHSUPP)
CO U25JPM GROUP(MVSGRP) REVOKE(mm/dd/yy)
Connect Attributes / Group Authorities
[Slide diagram: user PATTY connected to group LVPAYCLK.]
Connect attributes (set per connection): SPECIAL, OPERATIONS, AUDITOR, REVOKE
Group authorities (one level per connection): JOIN, CONNECT, CREATE, USE
Connect Attributes
Group-related user attributes apply to the users, groups, and resources within the scope of the group:
• GROUP-SPECIAL gives the user the authority to issue all RACF commands within the scope of the group
• GROUP-AUDITOR gives the user the authority to audit resources and users within the scope of the group
• GROUP-OPERATIONS gives the user the authority to access RACF-protected resources within the scope of the group
CO PATTY GROUP(LVPAYCLK) SPECIAL AUDITOR OPERATIONS
Group Authorities
Each level is inclusive of the lower-level authorities:
USE     - use the group and the access it has been granted (the base level)
CREATE  - USE, plus add data set profiles for the group and allocate new group data sets
CONNECT - CREATE, plus CONNECT users to the group and REMOVE users from the group
JOIN    - CONNECT, plus add sub-groups and, if the user also has CLAUTH(USER), add new user IDs
Removing Users From Groups
REMOVE (RE) user-id or (user-ids . . .)
[ GROUP(group-id) ]
[ OWNER(user-id or group-id) ]
OWNER names the user or group that becomes the new owner of any group data set profiles the removed user owned. A user cannot be removed from the group that is the user's default group; change the default group first (ALTUSER user-id DFLTGRP(other-group)).
REMOVE examples:
REMOVE U25RTH GROUP(CICSGRP)
RE (U25JED U17JED) GROUP(TECHSUPP)
RE U25JPM GROUP(MVSGRP) OWNER(MVSGRP)
Group Connections – RACF Panels
Specify User and Connect Owner
Specify Group Attributes
Administrator – Connect Manager
Add a Group Connection
Enter the Group ID and Connect Owner
Remove a Group Connection
Enter R next to the group to remove – press enter
DELGROUP Command Syntax
DELGROUP (DG) group-name or (group-names . . .)
RACF restrictions (the command fails while any of these remain):
• No subgroups
• No connected users
• No group data set profiles
RACF considerations (not enforced by the command, but left behind as residual references if ignored):
• Access lists that name the group
• Profiles the group owns
DELGROUP example:
DG MVSRS
Steps to Deleting Groups
1. Remove all users from the group
2. Identify all data sets associated with the group and take appropriate action
3. Change any subgroups of the group to another superior group
4. If the group is the owner of profiles, change ownership to another group
5. Remove the group name from any resource access lists
The RACF remove ID utility (IRRRID00) can list, and generate the commands to clean up, references to a group that would otherwise remain after it is deleted.
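The five steps above, as an added example (not code from the slides, from Vanguard, or from RACF): a pre-flight planner that takes a small picture of the RACF database, emits in step order the commands that clear the DELGROUP restrictions and tidy ownership and access lists, and lists what still needs a human decision before DELGROUP can succeed. ALTUSER, ALTDSD, RALTER, PERMIT and DELDSD are standard RACF commands these slides do not cover; the sample database (groups, users, data set and general resource profiles) is constructed for the example.

```python
"""Pre-flight planner for deleting a RACF group.

Added example; not from the slides or from RACF. The sample database is
constructed; ALTUSER, ALTDSD, RALTER, PERMIT and DELDSD are standard RACF
commands used here for the clean-up steps the slides describe.
"""


def hlq(profile_name):
    """High-level qualifier of a data set profile name."""
    return profile_name.split(".")[0]


def plan_delgroup(db, group, new_owner):
    """Return (commands, manual_actions) for deleting `group`, moving its
    subgroups and the profiles it owns to `new_owner` (an existing group)."""
    cmds, manual = [], []

    # Step 1: remove every connected user. RACF will not remove a user from the
    # user's default group, so switch DFLTGRP to another connect group first.
    for user, info in sorted(db["users"].items()):
        if group not in info["connects"]:
            continue
        if info["dfltgrp"] == group:
            others = [g for g in info["connects"] if g != group]
            if not others:
                manual.append(f"{user}: {group} is the only connect group and the default group; "
                              "CONNECT the user to another group and change DFLTGRP first")
                continue
            cmds.append(f"ALTUSER {user} DFLTGRP({others[0]})")
        cmds.append(f"REMOVE {user} GROUP({group})")

    # Step 2: group data set profiles (HLQ = group name) block DELGROUP and cannot
    # be re-owned away from the group; someone must decide what happens to the data.
    for ds in sorted(db["datasets"]):
        if hlq(ds) == group:
            manual.append(f"group data set profile {ds}: move or delete the data, then DELDSD '{ds}'")

    # Step 3: subgroups get a new superior group (and a new owner if this group owned them)
    for sub, info in sorted(db["groups"].items()):
        if info["supgroup"] == group:
            cmd = f"ALTGROUP {sub} SUPGROUP({new_owner})"
            if info["owner"] == group:
                cmd += f" OWNER({new_owner})"
            cmds.append(cmd)

    # Step 4: profiles owned by the group
    for user, info in sorted(db["users"].items()):
        if info["owner"] == group:
            cmds.append(f"ALTUSER {user} OWNER({new_owner})")
    for ds, info in sorted(db["datasets"].items()):
        if info["owner"] == group and hlq(ds) != group:
            cmds.append(f"ALTDSD '{ds}' OWNER({new_owner})")
    for (cls, prof), info in sorted(db["resources"].items()):
        if info["owner"] == group:
            cmds.append(f"RALTER {cls} {prof} OWNER({new_owner})")

    # Step 5: access list entries naming the group (DELGROUP does not remove them)
    for ds, info in sorted(db["datasets"].items()):
        if group in info["acl"] and hlq(ds) != group:
            cmds.append(f"PERMIT '{ds}' CLASS(DATASET) ID({group}) DELETE")
    for (cls, prof), info in sorted(db["resources"].items()):
        if group in info["acl"]:
            cmds.append(f"PERMIT {prof} CLASS({cls}) ID({group}) DELETE")

    cmds.append(f"DELGROUP {group}")
    return cmds, manual


# Constructed sample database: group MVSRS under TECHSUPP, with one subgroup.
SAMPLE_DB = {
    "groups": {
        "TECHSUPP": {"owner": "SYS1", "supgroup": "SYS1"},
        "MVSRS":    {"owner": "TECHSUPP", "supgroup": "TECHSUPP"},
        "MVSRSX":   {"owner": "MVSRS", "supgroup": "MVSRS"},
    },
    "users": {
        "U25JED": {"owner": "TECHSUPP", "dfltgrp": "TECHSUPP", "connects": ["TECHSUPP", "MVSRS"]},
        "U17JED": {"owner": "MVSRS", "dfltgrp": "MVSRS", "connects": ["MVSRS", "MVSRSX"]},
        "U25JPM": {"owner": "MVSRS", "dfltgrp": "MVSRS", "connects": ["MVSRS"]},
    },
    "datasets": {
        "MVSRS.SOURCE.LIB": {"owner": "MVSRS", "acl": {"TECHSUPP": "READ"}},
        "SYS1.PARMLIB":     {"owner": "SYS1", "acl": {"MVSRS": "READ", "TECHSUPP": "UPDATE"}},
        "TECHSUPP.TOOLS":   {"owner": "MVSRS", "acl": {}},
    },
    "resources": {
        ("FACILITY", "BPX.SUPERUSER"): {"owner": "SYS1", "acl": {"MVSRS": "READ"}},
        ("FACILITY", "IRR.LISTUSER"):  {"owner": "MVSRS", "acl": {}},
    },
}

if __name__ == "__main__":
    commands, todo = plan_delgroup(SAMPLE_DB, "MVSRS", "TECHSUPP")
    print("\n".join(commands))
    print("\nManual actions before DELGROUP can succeed:")
    print("\n".join(todo))
```

Run against the sample, the plan stops short of removing U25JPM (MVSRS is the user's only group and default group) and flags the MVSRS.SOURCE.LIB profile, which is exactly the kind of residue that makes a naive DG MVSRS fail.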
Administrator - Deleting a Group
Administrator - Deleting a Group
Delete Group Command
Generated Commands
Centralized Administration
[Slide diagram: security administrator Jim (SPECIAL) in group SECADM; subgroups LVCSTSRV and LVPAYCLK; users Russ, Mark and Patty in LVPAYCLK, and Mary, Tom and Sue in LVCSTSRV. Every group and user profile shows Owner=Jim.]
Delegate Profile Ownership
[Slide diagram: the same tree, with ownership of SECADM's subgroups LVCSTSRV and LVPAYCLK and of their users (Russ, Mark, Patty, Mary, Tom, Sue) delegated to administrator Bob, so every one of those profiles shows Owner=Bob. Jim keeps SPECIAL.]
Using Group-Special
[Slide diagram: an administrative group RACFADM under SECADM owns LVCSTSRV and LVPAYCLK and their users (Owner=RACFADM on every one of those profiles). Bob holds group-SPECIAL in RACFADM; Jim keeps system SPECIAL.]
Delegating Group-Special
[Slide diagram: RACFADM (Bob, group-SPECIAL) still owns LVPAYCLK and LVCSTSRV. One level further down, Patty is given group-SPECIAL in LVPAYCLK (users Mark and Russ) and Tom is given group-SPECIAL in LVCSTSRV (users Mary and Sue). Jim keeps system SPECIAL.]
Scope of the Group Rules
The "scope of the group" is determined by the group ownership structure.
Group ownership can only occur between a superior group and its subgroups: a group that owns another group must be that group's superior group. The ownership chain therefore always follows the group tree, but a branch of the tree drops out of the scope wherever a group is owned by a user ID instead of by its superior group.
Scope of the Group Rules
The scope continues as long as "groups own groups".
The scope ends when a group is owned by a user ID.
[Slide diagram, group (OWNER):]
SYS1
  SECADM (OWNER=SYS1)
    RACFADM (OWNER=SECADM)
      LVPAYCLK (OWNER=RACFADM)
      LVCSTSRV (OWNER=RACFADM)
INTERNTL (OWNER=PDUKE, a user ID: the chain of group ownership is broken here, so no group's scope reaches INTERNTL or the groups it owns)
  INTERHQ (OWNER=INTERNTL)
    REGIONS (OWNER=INTERHQ)
BILL is shown holding group-SPECIAL.
Within the Scope of the Group
Users and resources are within the scope of a group when they are:
• Owned by the group directly
• Owned by subgroups that are owned by the group
• Owned by subgroups that are owned by subgroups owned by the group, and so on
Within the Scope of the Group
Resources are also within the scope of a group when they are:
• Owned by users who are themselves within the scope (users owned by a group anywhere in that ownership hierarchy)
• Data sets whose high-level qualifier is a group name within the scope of the group
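The scope rules on the last three slides, as an added example (not code from the slides, from Vanguard, or from RACF): a calculator that walks the ownership structure drawn on the "Scope of the Group Rules" slide and reports which groups, users and data set profiles a user with group-SPECIAL over a given group can administer, and which subgroups have "lost" the scope. The slides show only the group owners; the superior groups (INTERNTL is assumed to sit under SECADM), the user profiles and their owners (each user assumed owned by the group it is drawn in, BILL by RACFADM) and the data set profiles are constructed for the example.

```python
"""Scope-of-the-group calculator.

Added example; not from the slides or from RACF. Group owners follow the
slide; SUPGROUP values, users and data set profiles are constructed.
"""

# group -> (OWNER, SUPGROUP). INTERNTL's SUPGROUP is assumed to be SECADM so
# the example contains a subgroup that lies outside its superior group's scope.
GROUPS = {
    "SYS1":     ("IBMUSER", None),
    "SECADM":   ("SYS1", "SYS1"),
    "RACFADM":  ("SECADM", "SECADM"),
    "LVPAYCLK": ("RACFADM", "RACFADM"),
    "LVCSTSRV": ("RACFADM", "RACFADM"),
    "INTERNTL": ("PDUKE", "SECADM"),      # owned by a user ID: scope stops here
    "INTERHQ":  ("INTERNTL", "INTERNTL"),
    "REGIONS":  ("INTERHQ", "INTERHQ"),
}
# user -> OWNER (assumed: each user is owned by the group it is drawn in)
USERS = {
    "IBMUSER": "SYS1", "PDUKE": "SECADM", "BILL": "RACFADM",
    "RUSS": "LVPAYCLK", "MARK": "LVPAYCLK", "PATTY": "LVPAYCLK",
    "MARY": "LVCSTSRV", "SUE": "LVCSTSRV", "TOM": "LVCSTSRV",
}
# data set profile -> OWNER (constructed)
DATASETS = {
    "LVPAYCLK.PAYROLL.DATA": "RUSS",     # group data set: HLQ is an in-scope group
    "RUSS.PRIVATE.DATA":     "RUSS",     # owned by an in-scope user
    "INTERHQ.REPORTS":       "INTERHQ",  # outside SECADM's scope
    "SYS1.PARMLIB":          "SYS1",     # above SECADM in the tree
}


def groups_in_scope(group, groups=GROUPS):
    """The group plus every group reached by following group-owns-group edges
    downward. A group owned by a user ID is never reached, so its whole subtree
    is outside the scope even though SUPGROUP still places it in the tree."""
    scope = {group}
    frontier = [group]
    while frontier:
        current = frontier.pop()
        for candidate, (owner, _supgroup) in groups.items():
            if owner == current and candidate not in scope:
                scope.add(candidate)
                frontier.append(candidate)
    return scope


def users_in_scope(group, groups=GROUPS, users=USERS):
    """Users owned by any group within the scope."""
    gscope = groups_in_scope(group, groups)
    return {user for user, owner in users.items() if owner in gscope}


def datasets_in_scope(group, groups=GROUPS, users=USERS, datasets=DATASETS):
    """Data set profiles owned by an in-scope group or user, or whose
    high-level qualifier is an in-scope group name."""
    gscope = groups_in_scope(group, groups)
    uscope = users_in_scope(group, groups, users)
    return {ds for ds, owner in datasets.items()
            if owner in gscope or owner in uscope or ds.split(".")[0] in gscope}


def lost_scope(group, groups=GROUPS):
    """Subgroups (by SUPGROUP) under an in-scope group that group-SPECIAL over
    `group` cannot reach: the 'where did I lose that scope?' cases."""
    gscope = groups_in_scope(group, groups)
    return {g for g, (_owner, sup) in groups.items() if sup in gscope and g not in gscope}


if __name__ == "__main__":
    for g in ("RACFADM", "SECADM", "INTERNTL"):
        print(g, sorted(groups_in_scope(g)), sorted(users_in_scope(g)))
        print("   data sets:", sorted(datasets_in_scope(g)))
        print("   lost scope:", sorted(lost_scope(g)))
```

Note that scope is computed over OWNER edges only: a group that is a subgroup of SECADM but owned by a user (INTERNTL) and everything beneath it never appear in SECADM's scope, which is the situation the slide's cartoon asks about.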
Group Commands Summary
ADDGROUP (AG)
ALTGROUP (ALG)
LISTGRP (LG)
DELGROUP (DG)
CONNECT (CO)
REMOVE (RE)