Title: MVS RACF Administration Part 1
Description: Mainframe system programming is one of the best areas of mainframe programming, and RACF is an important part of it. A series of modules help you understand the system programmer side of mainframes.
MVS ADMINISTRATION
Unit 1
...
What You Should Be Able to Do
After completing this unit, you should be able to:
• Explain the role RACF plays in data security
• List the four major functions of RACF
• Given a diagram of RACF's resource authorization checking process, explain how RACF allows or denies a user access to a resource
• Define the terms UACC, access list, user profile, and resource profile
• Describe the role of the security administrator and the auditor
Private & Confidential
Course materials may not be produced in whole or in part Without the prior written permission of
Debajyoti Nath
1
• Security is concerned with the safeguarding of various types of resources
...
• This course is concerned with data resources, which can also be termed
information assets
...
• Carelessness on the part of system users can inadvertently expose or destroy valuable information
...
• Note also that this definition says nothing about the form in which the information resources exist: printed, hand-written, typed, graphs, magnetic tape or disk, or other electronic media
...
Generally, there are four types of individuals who are involved with information assets
...
• OWNER - The manager or representative who is responsible for making and communicating judgments and decisions with regard to identification, classification, and protection of the company's information assets
...
• SUPPLIER OF SERVICE - Provider of information processing services to others in support of the company's business operations
...
• It is the job of management to set down an information asset protection policy
...
• Security is a management issue not a technological issue
...
• A Security Policy should be brief and to the point
...
• A good Security Policy should drive the security program
...
• Perhaps the most important thing that management can establish is the proper attitude of
everyone in the organization toward information asset protection
...
• Resource Access Control, which is provided by RACF
...
This course is concerned with RACF, which provides resource access control
...
• We have several general users of our system
...
• Without an access control mechanism, they can access any resources they wish
...
• Resources could be accessed accidentally or intentionally
...
The first of these is the identification and verification of
users
...
• The name of a user profile is the user ID
...
• The password entry is encrypted
...
If a user forgets or otherwise has problems with a password, the administrator cannot
tell the user the password
...
• Most users will not possess any user attributes
...
The AUDITOR attribute allows a user to look at all RACF profiles and specify any logging
...
• Security classification is optional and is an additional way to control a user's authority to
access sensitive resources
...
Users can be connected to several groups
...
• The RACF user profile is made up of a base segment, and can have several other segments,
such as a TSO, DFP, CICS, OPERPARM, WORKATTR, OMVS, NETVIEW, DCE, or
LANGUAGE segment
...
A user can be an active member of any number of
additional groups
...
One of these groups will have been defined as the user's "default" group
...
For now, we will consider only the functional group, which is named because all of the
members of the group perform the same job function, and therefore need access to the
same resources
...
The second of RACF's prime tasks is resource authorization checking.
• When a user attempts to access a specific resource, RACF is called to determine whether this user should be allowed to access the resource
...
...
• The user requests access to a resource that is protected by RACF
...
• RACF refers to the RACF database or in-storage RACF tables to make a decision to allow or deny access to the resource
...
...
• The owner of a profile has complete control over the profile
...
This is sometimes called the "default level of access"
...
• Security classification is optional
...
...
• The user's security classification is compared to the resource's security classification
...
...
The level of access the user requests is what we call the "access intent"
...
If an entry in the global
access table does not allow access, then RACF continues with its authorization
checking process
...
It may have to do I/O to the
RACF database or the profile may already be in memory
...
• If the user is listed in the access list of the resource profile, then access is
determined by the access level specified in the access list
...
RACF checks all the groups a user is connected to if a RACF option called "list-of-groups" is active
...
If the UACC is equal to or greater than the user's access intent,
then the user will be allowed access
...
A user who has the OPERATIONS attribute will be allowed access to all MVS data sets and VM resources
...
We will learn about this later in this course
...
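The authorization checking sequence described above (security classification, global access table, access list entries for the user and for groups, list-of-groups, UACC, and the OPERATIONS attribute), as an added example that is not part of the course notes. The user IDs, group names, profile contents and option settings are constructed sample data; the access-level ordering NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER is RACF's own.

```python
# Added example, not part of the course notes: a model of RACF's resource
# authorization checking as the notes describe it. All sample data is constructed.
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # low to high
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

@dataclass
class User:
    userid: str
    default_group: str                          # current connect group
    groups: list = field(default_factory=list)  # every group the user is connected to
    operations: bool = False                    # OPERATIONS attribute
    seclevel: int = 0                           # security classification (0 = none)

@dataclass
class ResourceProfile:
    name: str
    uacc: str = "NONE"                               # default level of access
    access_list: dict = field(default_factory=dict)  # user ID or group -> level
    seclevel: int = 0
    is_mvs_dataset: bool = True

def check_access(user, profile, intent, global_access_table=None, list_of_groups=False):
    """Return (allowed, reason) for the user's access intent against the profile."""
    want = RANK[intent]
    # 1. Security classification: user's classification must be at least the resource's.
    if profile.seclevel and user.seclevel < profile.seclevel:
        return False, "security classification too low"
    # 2. Global access table: an allowing entry grants access without reading the profile.
    gat = global_access_table or {}
    if profile.name in gat and RANK[gat[profile.name]] >= want:
        return True, "global access table"
    # 3. Access list, user ID entry: the listed level decides, even if it is NONE.
    if user.userid in profile.access_list:
        lvl = profile.access_list[user.userid]
        return RANK[lvl] >= want, f"access list (user, {lvl})"
    # 4. Group entries: current connect group only, or all groups if list-of-groups is on.
    groups = user.groups if list_of_groups else [user.default_group]
    found = [profile.access_list[g] for g in groups if g in profile.access_list]
    if found:
        best = max(found, key=RANK.get)  # highest level among the matching groups
        return RANK[best] >= want, f"access list (group, {best})"
    # 5. UACC: applies to anyone not named in the access list.
    if RANK[profile.uacc] >= want:
        return True, f"UACC {profile.uacc}"
    # 6. OPERATIONS attribute: access to all MVS data sets.
    if user.operations and profile.is_mvs_dataset:
        return True, "OPERATIONS attribute"
    return False, "no matching authority"
```

Note that an explicit NONE entry in the access list denies a user even when the UACC would have allowed the request, which is why a permissive UACC plus a targeted NONE entry is a common way to exclude one ID.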
• We will use this diagram together with the previous visual to explain how RACF
performs resource authorization checking
...
The third major function RACF performs is logging and reporting of attempts to
access resources
...
Auditing can be
specified by the security administrator or the auditor
...
• Additionally, a message is sent to the system console when a violation
occurs
...
• The SMF data can be processed to produce reports
...
• There are several users in a system who need to have extraordinary capabilities
...
• The RACF AUDITOR is responsible for auditing the security aspects of the system
...
• The AUDITOR cannot make changes to the profiles except to specify logging
...
...
• The user with the RACF SPECIAL attribute is able to administer security for the system
...
• The SPECIAL attribute does not give access to the resources
...
...
This capability is very different from
SPECIAL or AUDITOR
...
After profiles have been defined to control access
to the data on the system, the user(s) who need to dump DASD volumes will have
to be granted access
...
The OPERATIONS attribute gives the ability to access all MVS data sets
...
The OPERATIONS attribute is good from an operational point-of-view
...
...
These options will be covered during the course
...
- General Resources
...
- Authorization Checking
...
- Multi-Level Security
...
- log SPECIAL or OPERATIONS users, log changes to profiles, log resource access
- force all batch users to identify themselves to RACF
...
• The backup RACF database can be configured to be identical to the primary
RACF database
...
• Also shown here are the commands that we use to administer the profiles in the
RACF database
...
• In this course, you will learn how to use the commands and/or panels to administer RACF
...
This visual summarizes the major functions of RACF
...
This process is called user identification and verification or user authentication
...
Access events are logged to SMF, based upon the auditing specified in
the resource profile and the RACF options
...
• The AUDITOR is responsible for auditing the security system, and does this by
looking at the profiles, specifying logging, and running reports
...
• The profiles are stored in the RACF database
...