racf users - amazon s3 · 2016-11-07 · ©2016 vanguard integrity professionals, inc. 10 ....

SECURITY & COMPLIANCE CONFERENCE 2016 RACF Users Doug Behrends Vanguard Professional Services BAS3

Post on 10-Jul-2020

SECURITY & COMPLIANCE CONFERENCE 2016

RACF Users

Doug Behrends

Vanguard Professional Services

BAS3

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University

Trademarks

The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Session Topics

• RACF® User ID Purpose

• Types of Users

• User Attributes

• Relating Users to Groups

• Auditing Users

• User Profile Naming Conventions

• RACF Commands for User Administration

• Using Vanguard Administrator™ to Administer Users

The RACF User ID

RACF USER IDS PROVIDE:

• USER IDENTIFICATION

• USER AUTHENTICATION

• INDIVIDUAL ACCOUNTABILITY

USER IDS CAN BE ASSOCIATED WITH:

• A SIGNON (TSO, CICS®, ...)

• A BATCH JOB

• A STARTED TASK

• SURROGATE USER ID

• UNDEFINED USERS (INTERNAL)

[Figure labels: Logon / Signon / Login; Submitted Jobs; Started Tasks]

Types of Users

GENERAL USERS

• Access z/OS® System

• Access z/OS Resources

• USE Authority in all connected groups

Types of Users

EXTRAORDINARY USERS

• SPECIAL User or Group Attribute

• AUDITOR User or Group Attribute

• OPERATIONS User or Group Attribute

• CREATE, CONNECT, or JOIN Authority in one or more groups

REVOKED USERS

• User Level

• Group Level

User Profile Naming Conventions

A RACF USER ID MUST BE

• One to eight characters in length

• Any combination of alphabetic, numeric, #, $, or @

• Unique from other user IDs or group names

TSO/E USER IDS

• Cannot exceed seven characters

• Cannot begin with a numeric

User Profile Segments

BASE (or RACF) SEGMENT

• Contains basic user information

• User ID

• User Name

• Owner

• Default Group

• User Attributes

• Password

• Etc.

• Required segment

• Important operands to explicitly specify

– OWNER

– DFLTGRP

User Profile Segments

OPTIONAL SEGMENTS

• TSO Segment

– Contains TSO user attributes

– Replaces TSO User Attribute Data Set (SYS1.UADS)

• CICS Segment

– Contains CICS terminal user information for use during CICS Signon

– Replaces CICS Signon Table

• OMVS Segment

– Required for a user to login to z/OS UNIX® System Services

– Contains the user’s initial directory, program, and UID

• CSDATA Segment

– Specifies information to add a custom field for this user

Commands For User Administration

ADDUSER (AU) ADD A USER PROFILE

ALTUSER (ALU) MODIFY A USER PROFILE

LISTUSER (LU) LIST A USER PROFILE

DELUSER (DU) DELETE A USER PROFILE

Command Syntax – Base Segment

ADDUSER (AU) user-id or (user-ids . . .)
    [ OWNER(user-id or group-id) ]
    [ DFLTGRP(group-id) ]
    [ NAME('user name') ]
    [ DATA('installation data') ]
    [ PASSWORD(password) | NOPASSWORD ]
    [ PHRASE('password-phrase') ]
    [ SPECIAL | NOSPECIAL ]
    [ AUDITOR | NOAUDITOR ]
    [ OPERATIONS | NOOPERATIONS ]
    [ ROAUDIT | NOROAUDIT ]
    [ CLAUTH(USER | classname) ]
    [ RESTRICTED | NORESTRICTED ]

The SPECIAL Attribute

• Assigned by a user with “SPECIAL”

• Can be assigned at the group level by SPECIAL or Group-Special

• Issue all RACF commands within scope

• List all RACF profiles within scope

The SPECIAL Attribute

• When PROTECTALL is active, authorized to access data sets which are not protected by a RACF profile

• Operator prompt on invalid passwords (REVOKE) for system-wide SPECIAL

au u00vip ow(…) dflt(…) special

alu u00vip special

co u01jed group(g01div) special

The OPERATIONS Attribute

• Assigned by a user with “SPECIAL”

• Can be assigned at the group level by SPECIAL or Group-Special

• Access to most RACF protected data sets within scope

• Access to some general resources within scope

au u00vip ow(…) dflt(…) operations

alu u00vip operations

co u01jed group(g01div) oper

The AUDITOR Attribute

• Assigned by a user with “SPECIAL”

• Can be assigned at the group level by user with SPECIAL or Group-Special

• Can change logging options using “GLOBALAUDIT”

The AUDITOR Attribute

• Can list system wide logging options

• Access to certain RACF utilities

• System wide AUDITOR required to set system wide logging options

au u00vip ow(…) dflt(…) auditor

alu u00vip auditor

co u01gad group(g01div) aud

ROAUDIT Attribute

• Assigned by a user with “SPECIAL”

• Can list all profiles and system wide logging options

• Access to certain RACF utilities

au u00vip ow(…) dflt(…) roaudit

alu u00vip roaudit

New in z/OS 2.2

PROTECTED User

au jes2 ow(…) dflt(…) nopassword

alu jes2 nopassword

• Password cannot be used to enter system

• Prevents unauthorized use of User ID

• Prevents user from being revoked by repeated wrong passwords or inactivity

• Useful for started task users, applications, daemons, surrogated users

RESTRICTED User

• Purpose

– Restrict access for users from internet

• User has limited access to resources

– User ID or Group ID on access list

– OPERATIONS attribute

– Warning on resource profile

– No access via GAC, UACC, or ID(*) in access list

au dfltuser ow(…) dflt(…) restricted

alu dfltuser restricted

The REVOKE Attribute

When assigned at the user level:

• A user ID is prevented from accessing the system

alu u01bec revoke

When assigned at a group level:

• A user ID is suspended from receiving access and/or authority granted through the group

co u01ees group(g01div) revoke

Wadaya mean I'm REVOKED??

The REVOKE Attribute

User IDs can be revoked by:

1. Inactivity

2. Excessive invalid password attempts

3. Intentionally (ALU command)

4. By date

The CLAUTH Attribute

• Assigned by a user with the “SPECIAL” attribute or “CLAUTH” attribute

• Allows a user to define user profiles and/or general resources in a specific class

• Delegate authority on a class by class basis

au u22ajm ow(…) dflt(…) clauth(user tsoproc)

alu u22ajm clauth(user tsoproc)

Command Syntax – TSO Segment

ADDUSER (AU) user-id or (user-ids . . .)
    TSO(ACCTNUM(account-number)
        COMMAND(command-issued-at-logon)
        DEST(destination-id)
        HOLDCLASS(hold-class)
        JOBCLASS(job-class)
        MAXSIZE(maximum-region-size)
        MSGCLASS(message-class)
        PROC(logon-procedure-name)
        SECLABEL(security-label)
        SIZE(default-region-size)
        SYSOUTCLASS(sysout-class)
        UNIT(unit-name)
        USERDATA(user-data))

Command Syntax – Other Segments

ADDUSER (AU) user-id or (user-ids . . .)
    CICS(OPIDENT(operator-id)
         OPCLASS(operator-class1,operator-class2,....)
         OPPRTY(operator-priority)
         RSLKEY(rslkey … | 0 | 99)
         TIMEOUT(timeout-value)
         TSLKEY(tslkey … | 0 | 1 | 99)
         XRFSOFF(FORCE | NOFORCE))
    CSDATA(custom-field-name(custom-field-value))
    OMVS(UID(user-identifier) | AUTOUID
         HOME('initial-directory-name')
         PROGRAM('program-name')
         SHARED
         ASSIZEMAX(address-space-size)
         CPUTIMEMAX(cpu-time)
         FILEPROCMAX(files-per-process)
         MMAPAREAMAX(memory-map-size)
         PROCUSERMAX(processes-per-UID)
         THREADSMAX(threads-per-process))

ADDUSER Command Examples

ADDUSER U25AHM OWNER(TECHSUPP) DFLTGRP(TECHSUPP)
    DATA('SYSTEMS PROGRAMMING GROUP LEADER')
    NAME('ART A. CHOKE') CLAUTH(USER)
    TSO(ACCTNUM(ABCDEF) PROC(ISPROC))
    OMVS(UID(78678) HOME('/u/u25ahm') PROGRAM('/bin/sh'))

AU U78DJS NAME('DON J SMITH') PASSWORD(DNTFRGT)
    DFLTGRP(PGMRDEPT) OWNER(PGMRDEPT)
    DATA('NEW PROGRAMMER TRAINEE')
    TSO(ACCTNUM(123456) PROC(TSPROC1))
    CSDATA(PHONE(7027940014))

ADDUSER Command Example

Create a PROTECTED user for CICS default user:

ADDUSER CICSUSER NAME('CICS DEFAULT USER')
    DFLTGRP(CICSDFLT) OWNER(CICSDFLT)
    CICS(OPCLASS( ) OPIDENT( ) OPPRTY( ) TIMEOUT( ) XRFSOFF( ))
    DATA('CICS DEFAULT USER - PROTECTED')
    NOPASSWORD
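
The naming rules and the advice to specify OWNER and DFLTGRP explicitly can be checked before an ADDUSER command is issued. The Python sketch below is an added example, not part of the original slides or of any IBM or Vanguard tool; the function names and the two constructed commands are assumptions, it handles one user ID per command, and it recognises only the abbreviations that appear on the slides (ow, dflt, oper, aud).

```python
import re

# Abbreviations exactly as they appear in the slides' examples; other
# abbreviations RACF accepts are not handled (assumption of this sketch).
ALIASES = {"OW": "OWNER", "DFLT": "DFLTGRP", "OPER": "OPERATIONS", "AUD": "AUDITOR"}
# Attributes the slides describe as granting administrative or audit capability.
PRIVILEGED = ("SPECIAL", "OPERATIONS", "AUDITOR", "ROAUDIT", "CLAUTH")
USERID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")

# First ADDUSER example from the slides, typed with plain quotes.
SLIDE_EXAMPLE = """ADDUSER U25AHM OWNER(TECHSUPP) DFLTGRP(TECHSUPP)
    DATA('SYSTEMS PROGRAMMING GROUP LEADER')
    NAME('ART A. CHOKE') CLAUTH(USER)
    TSO(ACCTNUM(ABCDEF) PROC(ISPROC))
    OMVS(UID(78678) HOME('/u/u25ahm') PROGRAM('/bin/sh'))"""
# Constructed commands (not from the slides) that break the rules.
NO_OWNER = "au u00vip special"
BAD_TSO_ID = "AU 1LONGUSR OW(G01DIV) DFLT(G01DIV) TSO(PROC(TSPROC1))"


def parse_operands(text):
    """Split 'KEY(value) FLAG ...' into {KEY: value or None}.

    Values may nest parentheses, e.g. TSO(ACCTNUM(..) PROC(..)), and quoted
    strings may contain parentheses, so both are tracked while scanning.
    """
    ops, i, n = {}, 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
            continue
        j = i
        while j < n and not text[j].isspace() and text[j] != "(":
            j += 1
        key = text[i:j].upper()
        key = ALIASES.get(key, key)
        k = j
        while k < n and text[k].isspace():  # tolerate "PHRASE ('...')"
            k += 1
        value = None
        if k < n and text[k] == "(":
            depth, quoted, m = 0, False, k
            while m < n:
                c = text[m]
                if c == "'":
                    quoted = not quoted
                elif not quoted and c == "(":
                    depth += 1
                elif not quoted and c == ")":
                    depth -= 1
                    if depth == 0:
                        break
                m += 1
            if depth != 0:
                raise ValueError("unbalanced parentheses after " + key)
            value = text[k + 1:m].strip()
            j = m + 1
        ops[key] = value
        i = j
    return ops


def lint_adduser(command):
    """Check one ADDUSER command (single user ID) against the slides' rules."""
    parts = command.split(None, 2)
    if len(parts) < 2 or parts[0].upper() not in ("ADDUSER", "AU"):
        raise ValueError("expected ADDUSER or AU followed by one user ID")
    userid = parts[1].upper()
    ops = parse_operands(parts[2] if len(parts) > 2 else "")
    findings = []
    if not USERID_RE.fullmatch(userid):
        findings.append("user ID is not 1-8 characters of A-Z, 0-9, #, $, @")
    if "TSO" in ops and (len(userid) > 7 or userid[0].isdigit()):
        findings.append("TSO/E user ID exceeds seven characters or begins with a numeric")
    # The slides single these two out; RACF otherwise takes them from the
    # issuer of the command.
    for operand in ("OWNER", "DFLTGRP"):
        if not ops.get(operand):
            findings.append(operand + " not explicitly specified")
    if "PASSWORD" in ops and "NOPASSWORD" in ops:
        findings.append("PASSWORD and NOPASSWORD are mutually exclusive")
    privileged = [a if ops[a] is None else "%s(%s)" % (a, ops[a])
                  for a in PRIVILEGED if a in ops]
    return {
        "userid": userid,
        "findings": findings,
        "privileged": privileged,
        # PROTECTED per the slide means NOPASSWORD; a phrase would still allow
        # logon, so it is excluded here (assumption beyond the slide).
        "protected": "NOPASSWORD" in ops and "PHRASE" not in ops,
    }


if __name__ == "__main__":
    for cmd in (SLIDE_EXAMPLE, NO_OWNER, BAD_TSO_ID):
        print(lint_adduser(cmd))
```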

Adding a User Profile – RACF Panels

RACF User Panel

RACF User Panel

RACF User Panel

Optional Information Panel

Installation Data

TSO Segment Data

Using Administrator to Add a User

Define a New User Profile

Enter the New User ID

Enter the User Profile Information

Enter ‘E’ to edit data field

Edit Installation Data

Press End (F3)

Press F8 to Scroll Down

Press F8 for next page

TSO Segment Information

Enter TSO information

VRAEXEC will Execute Now

Review Commands

Enter VRAEXEC to execute

Clone a User with Administrator

Clone a User

Enter the New User ID Information

Enter the information for the new User

Press ENTER

VRAEXEC to Execute Now

Review Commands

Enter VRAEXEC to execute

ALTUSER Command Syntax

Syntax same as ADDUSER with following additional operands:

ALTUSER (ALU) user-id or (user-ids . . .)
    [ PASSWORD(password) | NOPASSWORD ]
    [ PHRASE('passphrase') | NOPHRASE ]
    [ PWCLEAN | PWCONVERT ]
    [ RESUME [(date)] | NORESUME ]
    [ REVOKE [(date)] | NOREVOKE ]
    [ EXPIRED | NOEXPIRED ]
    [ UAUDIT | NOUAUDIT ]

(date) is in mm/dd/yy format

ALU U25JPM REVOKE(mm/dd/yy) RESUME(mm/dd/yy)

ALU FTPSEC NOEXPIRED PASSWORD(H0WDD0D) RESUME

ALU U25AHM EXPIRED

NORESUME and NOREVOKE

USER=U25JPM NAME=MILLER, JIM OWNER=USERADM CREATED=06.028
 DEFAULT GROUP=LVPAYCLK PASSDATE=10.139 PASS-INTERVAL=30
 ATTRIBUTES=REVOKED
 REVOKE DATE=mm/dd/yy RESUME DATE=mm/dd/yy
 LAST-ACCESS=10.142/06:22:29
 CLASS AUTHORIZATIONS=NONE
 INSTALLATION-DATA=MMN-JONES 123-45-6789
 NO-MODEL-NAME
 LOGON ALLOWED (DAYS) (TIME)
 -------------------------------------------------------
 ANYDAY ANYTIME
  GROUP=LVPAYCLK AUTH=USE CONNECT-OWNER=LVPAYCLK
    CONNECTS= 9524 UACC=NONE LAST-CONNECT=10.142/06:22:29
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
 NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED

ALU U25JPM RESUME

ALU U25JPM NOREVOKE NORESUME
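
The user categories from the earlier slides (general, extraordinary, revoked at user or group level) can be read off LISTUSER output such as the display above. The Python sketch below is an added example, not part of the original slides; the sample listing is constructed in the layout of that display, with made-up dates and an invented second user, and the function names are assumptions.

```python
import re

# Constructed LISTUSER output in the layout of the slide's display. The first
# profile repeats the slide's values with made-up dates in place of its
# mm/dd/yy placeholders; the second profile is invented for this example.
SAMPLE = """\
USER=U25JPM  NAME=MILLER, JIM  OWNER=USERADM  CREATED=06.028
 DEFAULT GROUP=LVPAYCLK  PASSDATE=10.139  PASS-INTERVAL=30
 ATTRIBUTES=REVOKED
 REVOKE DATE=05/01/10  RESUME DATE=06/01/10
  GROUP=LVPAYCLK  AUTH=USE  CONNECT-OWNER=LVPAYCLK
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE  RESUME=NONE
USER=U01JED  NAME=DOE, JANE  OWNER=G01DIV  CREATED=09.200
 DEFAULT GROUP=G01DIV  PASSDATE=10.120  PASS-INTERVAL=30
 ATTRIBUTES=NONE
 REVOKE DATE=NONE  RESUME DATE=NONE
  GROUP=G01DIV  AUTH=JOIN  CONNECT-OWNER=G01DIV
    CONNECT ATTRIBUTES=SPECIAL
    REVOKE DATE=NONE  RESUME=NONE
  GROUP=LVPAYCLK  AUTH=USE  CONNECT-OWNER=LVPAYCLK
    CONNECT ATTRIBUTES=REVOKED
    REVOKE DATE=NONE  RESUME=NONE
"""

# Per the "Types of Users" slides: these attributes, or CREATE / CONNECT / JOIN
# authority in any group, make a user "extraordinary".
PRIVILEGED = ("SPECIAL", "AUDITOR", "OPERATIONS")
ELEVATED_AUTH = ("CREATE", "CONNECT", "JOIN")


def _attrs(value):
    """Attribute words on an ATTRIBUTES= line, without the NONE filler."""
    return [a for a in value.split() if a != "NONE"]


def _date(line, pattern):
    """Date captured by pattern, or None when absent or shown as NONE."""
    m = re.search(pattern, line)
    return None if not m or m.group(1) == "NONE" else m.group(1)


def parse_listuser(text):
    """Parse one or more profiles, one field group per line as displayed."""
    profiles, user, scope = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"USER=(\S+)", line)
        if m:  # a new profile starts; later fields belong to the user level
            user = {"userid": m.group(1), "attributes": [], "connects": [],
                    "revoke_date": None, "resume_date": None}
            profiles.append(user)
            scope = user
            continue
        if user is None:
            continue
        m = re.match(r"GROUP=(\S+)\s+AUTH=(\S+)", line)
        if m:  # a connect entry starts; later fields belong to this group
            scope = {"group": m.group(1), "auth": m.group(2), "attributes": [],
                     "revoke_date": None, "resume_date": None}
            user["connects"].append(scope)
            continue
        m = re.match(r"(?:CONNECT )?ATTRIBUTES=(.*)", line)
        if m:
            scope["attributes"] += _attrs(m.group(1))
            continue
        if "REVOKE DATE=" in line:
            scope["revoke_date"] = _date(line, r"REVOKE DATE=(\S+)")
            # the slide shows both "RESUME DATE=" and "RESUME=" spellings
            scope["resume_date"] = _date(line, r"RESUME(?: DATE)?=(\S+)")
    return profiles


def classify(profile):
    """Label a profile with the slides' categories."""
    labels = []
    if "REVOKED" in profile["attributes"]:
        labels.append("REVOKED at user level")
    if profile["revoke_date"] or profile["resume_date"]:
        labels.append("REVOKE/RESUME date set at user level")
    for attr in PRIVILEGED:
        if attr in profile["attributes"]:
            labels.append("EXTRAORDINARY: " + attr)
    for c in profile["connects"]:
        if "REVOKED" in c["attributes"]:
            labels.append("REVOKED in group " + c["group"])
        for attr in PRIVILEGED:
            if attr in c["attributes"]:
                labels.append("EXTRAORDINARY: group-%s in %s" % (attr, c["group"]))
        if c["auth"] in ELEVATED_AUTH:
            labels.append("EXTRAORDINARY: %s authority in %s" % (c["auth"], c["group"]))
    if not any(label.startswith("EXTRAORDINARY") for label in labels):
        labels.append("GENERAL")
    return labels


if __name__ == "__main__":
    for p in parse_listuser(SAMPLE):
        print(p["userid"], classify(p))
```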

Auditing Users

AT THE USER PROFILE LEVEL

• All additions, changes to, and deletions of RACF profiles by a User

• All accesses to RACF protected resources by a User

alu user01 uaudit

SMF Data

CAUTION: CAN GENERATE EXCESSIVE SMF RECORDS BY USERID

Auditing Users

AT THE SYSTEMWIDE LEVEL

• All additions, changes to, and deletions of RACF User profiles

• All RACF command violations

• Access to resources as a result of having the OPERATIONS or Group-OPERATIONS attribute

• Issuance of all RACF commands by the User with the SPECIAL or Group-SPECIAL attribute (except List commands and the SEARCH command)

setr audit(user) cmdviol operaudit saudit

LISTUSER Command Syntax

LISTUSER (LU) user-id or (user-ids...) or *
    TSO
    CICS
    CSDATA
    OMVS
    WORKATTR
    :
    NORACF

LU

LU U25JPM

LU (U25AHM U25RTH U25SDY) TSO

LU U25AHM TSO NORACF

LU U78DJS CSDATA

User Profile – RACF Segment

User Profile – TSO Segment

Displaying a User – RACF Panels

Select User Segments to Display

User Profile – RACF Segment

User Profile – TSO Segment

Using Administrator to List a User

Select User Profile Reports

Specify the UserID in Masking Fields

Three Ways to List a UserID

Using the LR Command

The LR Display

TSO Segment Information

Using the LV Command

The LV Display

User Attributes

Connect Groups

TSO Segment Information

Using the VRC Command

Listing or Changing a User

Press F8 for More

Listing the TSO Segment Data

DELUSER Command Syntax

DELUSER (DU) user-id or (user-ids ....)

Automatically removes user from group connections

RACF Restrictions: No User Dataset Profiles; Can NOT be the owner of any Group Dataset Profiles

RACF Considerations: Access Lists, Profile Ownership, TSO UADS

DU U25GWX

Deleting a User from Reports

Administrator - Deleting a User

Using the Delete User Command

Delete User Command

Generated Commands

User Commands Summary

ADDUSER (AU)

ALTUSER (ALU)

LISTUSER (LU)

DELUSER (DU)