SECURITY & COMPLIANCE CONFERENCE 2016
RACF Users
Doug Behrends
Vanguard Professional Services
BAS3
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
©2016 Vanguard Integrity Professionals, Inc. 2
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• RACF ® User ID Purpose
• Types of Users
• User Attributes
• Relating Users to Groups
• Auditing Users
• User Profile Naming Conventions
• RACF Commands for User Administration
• Using Vanguard Administrator™ to Administer Users
The RACF User ID
RACF USER IDS PROVIDE:
• USER IDENTIFICATION
• USER AUTHENTICATION
• INDIVIDUAL ACCOUNTABILITY
USER IDS CAN BE ASSOCIATED WITH:
• A SIGNON (TSO, CICS®, ...)
• A BATCH JOB
• A STARTED TASK
• SURROGATE USER ID
• UNDEFINED USERS (INTERNAL)
(Diagram: a user ID is associated with a Logon/Signon/Login, Submitted Jobs, and Started Tasks)
Types of Users
GENERAL USERS
• Access z/OS® System
• Access z/OS Resources
• USE Authority in all connected groups
Types of Users
EXTRAORDINARY USERS
• SPECIAL User or Group Attribute
• AUDITOR User or Group Attribute
• OPERATIONS User or Group Attribute
• CREATE, CONNECT, or JOIN Authority in one or more groups
REVOKED USERS
• User Level
• Group Level
User Profile Naming Conventions
A RACF USER ID MUST BE
• One to eight characters in length
• Any combination of alphabetic, numeric, #, $, or @
• Unique from other user IDs or group names
TSO/E USER IDS
• Cannot exceed seven characters
• Cannot begin with a numeric
User Profile Segments
BASE (or RACF) SEGMENT
• Contains basic user information
• User ID
• User Name
• Owner
• Default Group
• User Attributes
• Password
• Etc.
• Required segment
• Important operands to explicitly specify
– OWNER
– DFLTGRP
User Profile Segments
OPTIONAL SEGMENTS
• TSO Segment
– Contains TSO user attributes
– Replaces TSO User Attribute Data Set (SYS1.UADS)
• CICS Segment
– Contains CICS terminal user information for use during CICS signon
– Replaces CICS Signon Table
• OMVS Segment
– Required for a user to login to z/OS UNIX® System Services
– Contains the user’s initial directory, program, and UID
• CSDATA Segment
– Specifies information to add a custom field for this user
Commands For User Administration
ADDUSER (AU) ADD A USER PROFILE
ALTUSER (ALU) MODIFY A USER PROFILE
LISTUSER (LU) LIST A USER PROFILE
DELUSER (DU) DELETE A USER PROFILE
Command Syntax – Base Segment
ADDUSER (AU) user-id or (user-ids . . .)
[ OWNER(user-id or group-id) ]
[ DFLTGRP(group-id) ]
[ NAME('user name') ]
[ DATA('installation data') ]
[ PASSWORD(password) |
NOPASSWORD ]
[ PHRASE ('password-phrase') ]
[ SPECIAL | NOSPECIAL ]
[ AUDITOR | NOAUDITOR ]
[ OPERATIONS | NOOPERATIONS ]
[ ROAUDIT | NOROAUDIT ]
[ CLAUTH(USER | classname) ]
[ RESTRICTED | NORESTRICTED ]
The SPECIAL Attribute
• Assigned by a user with “SPECIAL”
• Can be assigned at the group level by SPECIAL or Group-Special
• Issue all RACF commands within scope
• List all RACF profiles within scope
The SPECIAL Attribute
• When PROTECTALL is active, authorized to access data sets which are not protected by a RACF profile
• Operator prompt on invalid passwords (REVOKE) for system-wide SPECIAL
au u00vip ow(…) dflt(…) special
alu u00vip special
co u01jed group(g01div) special
The OPERATIONS Attribute
• Assigned by a user with “SPECIAL”
• Can be assigned at the group level by SPECIAL or Group-Special
• Access to most RACF protected data sets within scope
• Access to some general resources within scope
au u00vip ow(…) dflt(…) operations
alu u00vip operations
co u01jed group(g01div) oper
The AUDITOR Attribute
• Assigned by a user with “SPECIAL”
• Can be assigned at the group level by a user with SPECIAL or Group-Special
• Can change logging options using “GLOBALAUDIT”
The AUDITOR Attribute
• Can list system wide logging options
• Access to certain RACF utilities
• System wide AUDITOR required to set system wide logging options
au u00vip ow(…) dflt(…) auditor
alu u00vip auditor
co u01gad group(g01div) aud
ROAUDIT Attribute
• Assigned by a user with “SPECIAL”
• Can list all profiles and system wide logging options
• Access to certain RACF utilities
au u00vip ow(…) dflt(…) roaudit
alu u00vip roaudit
(New in z/OS 2.2)
PROTECTED User
au jes2 ow(…) dflt(…) nopassword
alu jes2 nopassword
• Password cannot be used to enter system
• Prevents unauthorized use of User ID
• Prevents user from being revoked by repeated wrong passwords or inactivity
• Useful for started task users, applications, daemons, surrogated users
RESTRICTED User
• Purpose
– Restrict access for users from the internet
• User has limited access to resources
– User ID or Group ID on access list
– OPERATIONS attribute
– Warning on resource profile
– No access via GAC, UACC, or ID(*) in access list
au dfltuser ow(…) dflt(…) restricted
alu dfltuser restricted
The REVOKE Attribute
When assigned at the user level:
• A user ID is prevented from accessing the system
alu u01bec revoke
When assigned at a group level:
• A user ID is suspended from receiving access and/or authority granted through the group
co u01ees group(g01div) revoke
Wadaya mean I'm REVOKED??
The REVOKE Attribute
User IDs can be revoked by:
1. Inactivity
2. Excessive invalid password attempts
3. Intentionally (ALU command)
4. By date
The CLAUTH Attribute
• Assigned by a user with the “SPECIAL” attribute or “CLAUTH” attribute
• Allows a user to define user profiles and/or general resources in a specific class
• Delegate authority on a class by class basis
au u22ajm ow(…) dflt(…) clauth(user tsoproc)
alu u22ajm clauth(user tsoproc)
Command Syntax – TSO Segment
ADDUSER (AU) user-id or (user-ids . . .)
TSO(ACCTNUM(account-number)
COMMAND(command-issued-at-logon)
DEST(destination-id)
HOLDCLASS(hold-class)
JOBCLASS(job-class)
MAXSIZE(maximum-region-size)
MSGCLASS(message-class)
PROC(logon-procedure-name)
SECLABEL(security-label)
SIZE(default-region-size)
SYSOUTCLASS(sysout-class)
UNIT(unit-name)
USERDATA(user-data))
Command Syntax – Other Segments
ADDUSER (AU) user-id or (user-ids . . .)
CICS(OPIDENT(operator-id)
     OPCLASS(operator-class1,operator-class2,....)
     OPPRTY(operator-priority)
     RSLKEY(rslkey … | 0 | 99)
     TIMEOUT(timeout-value)
     TSLKEY(tslkey … | 0 | 1 | 99)
     XRFSOFF(FORCE | NOFORCE))
CSDATA(custom-field-name(custom-field-value))
OMVS(UID(user-identifier) | AUTOUID
     HOME('initial-directory-name')
     PROGRAM('program-name')
     SHARED
     ASSIZEMAX(address-space-size)
     CPUTIMEMAX(cpu-time)
     FILEPROCMAX(files-per-process)
     MMAPAREAMAX(memory-map-size)
     PROCUSERMAX(processes-per-UID)
     THREADSMAX(threads-per-process))
ADDUSER Command Examples
ADDUSER U25AHM OWNER(TECHSUPP) DFLTGRP(TECHSUPP)
DATA('SYSTEMS PROGRAMMING GROUP LEADER')
NAME('ART A. CHOKE') CLAUTH(USER)
TSO(ACCTNUM(ABCDEF) PROC(ISPROC))
OMVS(UID(78678) HOME('/u/u25ahm') PROGRAM('/bin/sh'))
AU U78DJS NAME('DON J SMITH') PASSWORD(DNTFRGT)
DFLTGRP(PGMRDEPT) OWNER(PGMRDEPT)
DATA('NEW PROGRAMMER TRAINEE')
TSO(ACCTNUM(123456) PROC(TSPROC1))
CSDATA(PHONE(7027940014))
ADDUSER Command Example
Create a PROTECTED user for CICS default user:
ADDUSER CICSUSER NAME('CICS DEFAULT USER')
DFLTGRP(CICSDFLT) OWNER(CICSDFLT)
CICS(OPCLASS( ) OPIDENT( ) OPPRTY( ) TIMEOUT( ) XRFSOFF( ))
DATA('CICS DEFAULT USER - PROTECTED')
NOPASSWORD
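As an added example, not code from the Vanguard deck, a Python helper that applies the rules from the User Profile Naming Conventions slide (1-8 characters from A-Z, 0-9, #, $, @; unique; TSO/E IDs at most seven characters and not starting with a digit) and composes ADDUSER commands in the shape of the examples above, always with explicit OWNER and DFLTGRP and refusing a PASSWORD on a PROTECTED (NOPASSWORD) user. The function names and the `tso` dictionary shape are this example's own assumptions.

```python
import re

# A RACF user ID: one to eight characters from A-Z, 0-9, #, $ and @ (naming slide).
RACF_ID = re.compile(r"^[A-Z0-9#$@]{1,8}$")


def check_userid(userid, existing_ids=(), tso=False):
    """Return the naming-rule violations for a proposed user ID (empty list = OK).

    existing_ids: user IDs and group names already defined (uniqueness check).
    tso: also apply the TSO/E rules (max seven characters, no leading digit).
    """
    uid = userid.upper()
    problems = []
    if not RACF_ID.match(uid):
        problems.append("must be 1-8 characters from A-Z, 0-9, #, $, @")
    if uid in {x.upper() for x in existing_ids}:
        problems.append("must be unique among existing user IDs and group names")
    if tso:
        if len(uid) > 7:
            problems.append("TSO/E user IDs cannot exceed seven characters")
        if uid[:1].isdigit():
            problems.append("TSO/E user IDs cannot begin with a numeric")
    return problems


def racf_quote(text):
    """Quote a NAME/DATA value in TSO command syntax: an embedded apostrophe is doubled."""
    return "'" + text.replace("'", "''") + "'"


def build_adduser(userid, owner, dfltgrp, name, data=None, protected=False,
                  password=None, tso=None, existing_ids=()):
    """Compose an ADDUSER command with OWNER and DFLTGRP always explicit.

    protected=True emits NOPASSWORD (a PROTECTED user, as for started tasks or
    the CICS default user) and refuses a PASSWORD at the same time.
    tso: optional dict with 'acctnum' and 'proc' for the TSO segment (assumed shape).
    """
    problems = check_userid(userid, existing_ids, tso=tso is not None)
    if problems:
        raise ValueError(f"{userid}: " + "; ".join(problems))
    if protected and password:
        raise ValueError("a PROTECTED user (NOPASSWORD) cannot also be given a PASSWORD")
    parts = ["ADDUSER", userid.upper(), f"OWNER({owner.upper()})",
             f"DFLTGRP({dfltgrp.upper()})", f"NAME({racf_quote(name)})"]
    if data:
        parts.append(f"DATA({racf_quote(data)})")
    if protected:
        parts.append("NOPASSWORD")
    elif password:
        parts.append(f"PASSWORD({password})")
    if tso:
        parts.append(f"TSO(ACCTNUM({tso['acctnum']}) PROC({tso['proc']}))")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_adduser("cicsuser", "CICSDFLT", "CICSDFLT", "CICS DEFAULT USER",
                        data="CICS DEFAULT USER - PROTECTED", protected=True))
```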
Adding a User Profile – RACF Panels
RACF User Panel
Optional Information Panel
Installation Data
TSO Segment Data
Using Administrator to Add a User
Define a New User Profile
Enter the New User ID
Enter the User Profile Information
Enter ‘E’ to edit data field
Edit Installation Data
Press End (F3)
Press F8 to Scroll Down
Press F8 for next page
TSO Segment Information
Enter TSO information
VRAEXEC will Execute Now
Review Commands
Enter VRAEXEC to execute
Clone a User with Administrator
Clone a User
Enter the New User ID Information
Enter the information for the new User
Press ENTER
VRAEXEC to Execute Now
Review Commands
Enter VRAEXEC to execute
ALTUSER Command Syntax
The syntax is the same as ADDUSER, with the following additional operands:
ALTUSER (ALU) user-id or (user-ids . . .)
[ PASSWORD(password) |
NOPASSWORD ]
[ PHRASE('passphrase') | NOPHRASE ]
[ PWCLEAN | PWCONVERT ]
[ RESUME [(date)] | NORESUME ]
[ REVOKE [(date)] | NOREVOKE ]     (date in mm/dd/yy format)
[ EXPIRED | NOEXPIRED ]
[ UAUDIT | NOUAUDIT ]
ALU U25JPM REVOKE(mm/dd/yy) RESUME(mm/dd/yy)
ALU FTPSEC NOEXPIRED PASSWORD(H0WDD0D) RESUME
ALU U25AHM EXPIRED
NORESUME and NOREVOKE
USER=U25JPM  NAME=MILLER, JIM  OWNER=USERADM  CREATED=06.028
 DEFAULT GROUP=LVPAYCLK  PASSDATE=10.139  PASS-INTERVAL=30
 ATTRIBUTES=REVOKED
 REVOKE DATE=mm/dd/yy  RESUME DATE=mm/dd/yy
 LAST-ACCESS=10.142/06:22:29
 CLASS AUTHORIZATIONS=NONE
 INSTALLATION-DATA=MMN-JONES 123-45-6789
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 -------------------------------------------------------
 ANYDAY          ANYTIME
  GROUP=LVPAYCLK  AUTH=USE  CONNECT-OWNER=LVPAYCLK  CONNECTS= 9524
    UACC=NONE  LAST-CONNECT=10.142/06:22:29
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE  RESUME=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
ALU U25JPM RESUME
ALU U25JPM NOREVOKE NORESUME
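As an added example, not code from the deck, a Python parser for LISTUSER output in the layout shown above that turns one LU display into review findings: REVOKED, PASSWORD-EXPIRED (PASSDATE plus PASS-INTERVAL already past), NO-PASSWORD (PASSDATE=N/A) and INACTIVE (LAST-ACCESS older than a threshold or UNKNOWN). The sample output is constructed for this example, and the field set and the 90-day threshold are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the LISTUSER output layout shown on the slide; the values
# are made up for this example (yy.ddd dates are RACF's Julian form).
SAMPLE_LU = """USER=U25JPM  NAME=MILLER, JIM  OWNER=USERADM  CREATED=06.028
 DEFAULT GROUP=LVPAYCLK  PASSDATE=10.139  PASS-INTERVAL=30
 ATTRIBUTES=REVOKED
 REVOKE DATE=NONE  RESUME DATE=NONE
 LAST-ACCESS=10.142/06:22:29
 CLASS AUTHORIZATIONS=NONE
  GROUP=LVPAYCLK  AUTH=USE  CONNECT-OWNER=LVPAYCLK  CONNECTS= 9524
"""

# Base-segment fields this example extracts (assumed set, taken from the slide).
FIELDS = ("USER", "OWNER", "DEFAULT GROUP", "PASSDATE", "PASS-INTERVAL",
          "ATTRIBUTES", "REVOKE DATE", "RESUME DATE", "LAST-ACCESS")


def parse_listuser(text):
    """Pick the base-segment fields out of LU output. The first occurrence of each
    key wins, so user-level REVOKE/RESUME dates are taken, not the connect-level
    ones; the lookbehind keeps CONNECT-OWNER= from matching OWNER=."""
    rec = {}
    for field in FIELDS:
        m = re.search(r"(?<![\w-])" + re.escape(field) + r"=(\S+)", text)
        if m:
            rec[field] = m.group(1)
    return rec


def racf_date(value):
    """Convert a RACF yy.ddd date ('10.139', or '10.142/06:22:29') to a datetime.
    Returns None for N/A, NONE, UNKNOWN or anything else that is not a date."""
    try:
        return datetime.strptime(value.split("/")[0], "%y.%j")
    except ValueError:
        return None


def audit_user(rec, today, inactive_days=90):
    """Findings a reviewer would want for one parsed user record."""
    findings = []
    if "REVOKED" in rec.get("ATTRIBUTES", ""):
        findings.append("REVOKED")
    passdate = racf_date(rec.get("PASSDATE", "N/A"))
    interval = rec.get("PASS-INTERVAL", "N/A")
    if passdate is None:
        findings.append("NO-PASSWORD")  # e.g. a PROTECTED user: confirm it should be one
    elif interval.isdigit() and passdate + timedelta(days=int(interval)) < today:
        findings.append("PASSWORD-EXPIRED")
    last = racf_date(rec.get("LAST-ACCESS", "UNKNOWN"))
    if last is None or (today - last).days > inactive_days:
        findings.append("INACTIVE")  # never used, or idle longer than inactive_days
    return findings


if __name__ == "__main__":
    record = parse_listuser(SAMPLE_LU)
    print(record["USER"], audit_user(record, datetime(2010, 9, 1)))
```

Run over a batch of LU displays, the INACTIVE and PASSWORD-EXPIRED findings are the IDs that will be revoked next, and NO-PASSWORD lists every protected ID for confirmation against the started-task and daemon inventory.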
Auditing Users
AT THE USER PROFILE LEVEL
• All additions, changes to, and deletions of RACF profiles
by a User
• All accesses to RACF protected resources by a User
alu user01 uaudit
CAUTION: CAN GENERATE EXCESSIVE SMF RECORDS BY USERID
Auditing Users
AT THE SYSTEMWIDE LEVEL
• All additions, changes to, and deletions of RACF User profiles
• All RACF command violations
• Access to resources as a result of having the OPERATIONS or Group-OPERATIONS attribute
• Issuance of all RACF commands by the User with the SPECIAL or Group-SPECIAL attribute (except List commands and the SEARCH command)
setr audit(user) cmdviol operaudit saudit
LISTUSER Command Syntax
LISTUSER (LU) user-id or (user-ids...) or *
[ TSO ] [ CICS ] [ CSDATA ] [ OMVS ] [ WORKATTR ]
[ NORACF ]
LU
LU U25JPM
LU (U25AHM U25RTH U25SDY) TSO
LU U25AHM TSO NORACF
LU U78DJS CSDATA
User Profile – RACF Segment
User Profile – TSO Segment
Displaying a User – RACF Panels
Select User Segments to Display
User Profile – RACF Segment
User Profile – TSO Segment
Using Administrator to List a User
Select User Profile Reports
Specify the UserID in Masking Fields
Three Ways to List a UserID
Using the LR Command
The LR Display
TSO Segment Information
Using the LV Command
The LV Display
User Attributes
Connect Groups
TSO Segment Information
Using the VRC Command
Listing or Changing a User
Press F8 for More
Listing the TSO Segment Data
DELUSER Command Syntax
DELUSER (DU) user-id or (user-ids ....)
Automatically removes the user from group connections
RACF Restrictions:
• No User Dataset Profiles
• Cannot be the owner of any Group Dataset Profiles
RACF Considerations: Access Lists, Profile Ownership, TSO UADS
DU U25GWX
Deleting a User from Reports
Administrator - Deleting a User
Using the Delete User Command
Delete User Command
Generated Commands
User Commands Summary
ADDUSER (AU)
ALTUSER (ALU)
LISTUSER (LU)
DELUSER (DU)