SECURITY & COMPLIANCE CONFERENCE 2016
Vanguard SecurityCenter
John Hilman
Vanguard Professional Services
VSS6
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• Vanguard SecurityCenter™ Overview
• What is Vanguard SecurityCenter
• Navigating Through Vanguard SecurityCenter
• Customizing Vanguard SecurityCenter
• Using Vanguard SecurityCenter to Administer RACF®
What is Vanguard SecurityCenter?
• Windows-GUI Based RACF Administration Tool
– Also Administers Native DB2® Security
• Client/Server Architecture
– Client is a Windows Application
– Server is a z/OS® Started Task and an MVS™ Data Space
• RACF Data is “Live” – no Extract File needed
– Current Data is maintained in the MVS Data Space
• SecurityCenter/Workstation Connects to SecurityCenter/RACF Via TCP/IP
Starting Vanguard SecurityCenter
• Click on SecurityCenter ICON on desktop
• Select from “All Programs/Vanguard/SecurityCenter”
Adding Host Systems
Adding a Host System
Selecting a Host System
Signing on to Vanguard SecurityCenter
Navigating Through Vanguard SecurityCenter
• Menu Bar
– File, View, Insert, Action, Options, Help
• Tool Bar
• Status Bar
• Smart Icons
– Tool Bar, Tree Structures, and Worksheets
• Context Sensitive Shortcut Menus
• Drag and Drop; Copy and Paste
Vanguard SecurityCenter Workspace
Tool Bar
Status Bar
Menu Bar
Using the Menu Bar
• File - Contains commands for printing the active window, formatting reports, opening the files, and more.
• Edit - Contains commands for searching, undoing actions, and manipulating field text, such as copying, pasting, deleting items, and more.
• View - Contains commands for displaying items, such as the SecurityCenter toolbar and tree structures. Includes options for opening the SecurityCenter administration windows, expanding and collapsing tree structures, and changing the order of the Group Tree.
• Insert - Contains commands for inserting, or adding, new RACF profiles for users, resources and groups.
• Action - Contains commands for sending the SecurityCenter generated commands (displayed in the Command Status window) to the host for processing.
• Options - Contains commands for dynamically setting RACF options related to resource protection and for changing system preferences, such as the location of the log file.
• Window - Contains commands for managing windows, such as opening a new window, tiling multiple windows, cascading windows, and more.
• Help - Contains commands for opening the help file, contacting technical support, viewing release notes, and obtaining information about SecurityCenter, such as copyright information, free disk space, and memory availability.
Customize Tool Bar
Select View, Toolbars, Customize
Select Appearance of Tool Bar
The Toolbar
• Group Tree
• Group and User Worksheet and Resource Explorer
• Group, User, Ghost, Resource Administration
• Create New Group, User, Resource
• Help Desk Administration, Send Commands to Host, Scratch Pad, Command Status
• Member Cross Reference, DB2 Administration
• Copy, Paste
• Undo, Redo
• Filter
Filter Toolbar
Becomes Active when Using:
• Group Worksheet
• User Worksheet
• Resource Explorer
• Connections
• Access List
• Effective Access List
• Subgroups
• Owned Groups
• Owned Users
Filter Characters:
+ Represents 0 to n characters.
% Represents a single character.
* Represents 0 to 8 characters within a qualifier.
| Finds items that meet either condition specified.
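The four filter characters read as a small pattern language. The Python below is an added example, not Vanguard code: it translates a filter into a regular expression and applies it to constructed names. It assumes qualifiers are separated by periods, that % does not match a period, that + may span qualifiers, that spaces around | are ignored, and that matching is case-insensitive.

```python
import re

# Constructed sample names (user IDs and data set profile names), not from the slides.
SAMPLE_NAMES = [
    "PAYROLL", "PAYADM", "PAY1",
    "SYS1.PARMLIB", "SYS1.PROCLIB", "SYS1.LINKLIB.BACKUP",
    "PROD.PAY.DATA",
]

def filter_to_regex(filter_text):
    """Compile a filter string into a regex using the slide's four characters."""
    alternatives = []
    for alt in filter_text.split("|"):        # | : either condition may match
        alt = alt.strip()                     # assumption: blanks around | are ignored
        if not alt:
            continue
        parts = []
        for ch in alt:
            if ch == "+":
                parts.append(".*")            # + : 0 to n characters (assumed to span qualifiers)
            elif ch == "%":
                parts.append("[^.]")          # % : one character (assumed not the period)
            elif ch == "*":
                parts.append("[^.]{0,8}")     # * : 0 to 8 characters inside one qualifier
            else:
                parts.append(re.escape(ch))   # everything else is literal, including "."
        alternatives.append("".join(parts))
    if not alternatives:
        raise ValueError("empty filter")
    return re.compile("(?:" + "|".join(alternatives) + ")", re.IGNORECASE)

def apply_filter(filter_text, names):
    """Return the names that the whole filter matches, in their original order."""
    rx = filter_to_regex(filter_text)
    return [n for n in names if rx.fullmatch(n)]

if __name__ == "__main__":
    for f in ("PAY+", "PAY%", "SYS1.*", "SYS1.+", "*.*", "PAY% | +.BACKUP"):
        print(f"{f!r:20} -> {apply_filter(f, SAMPLE_NAMES)}")
```

The difference between `SYS1.*` and `SYS1.+` is the one to watch when reviewing what a filter actually selected: `*` stops at the qualifier boundary, `+` does not.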
Working with Tree Structures
• Group Tree Explorer Window
– Opening Multiple Group Tree Windows
– Restructuring with Drag and Drop
• Group and User Worksheets
– Using the Filter Toolbar
• Resource Explorer Tree
– Class Families, Classes
• Access List and Owned Resources Tabs
Group Tree Explorer Window
Group Tree Explorer Window
Group Worksheet
User Worksheet
Adding a Field to the Worksheet
1. Right Mouse Click on the header bar
2. Select Add Field(s)
3. Select the field(s) you want to add
New Field Added
Resource Explorer Tree
Specify Filter
Select Resource
Working With Profiles
• Administering Group Profiles
• Adding Group Connections
• Administering User Profiles
• Cloning User IDs
• Help Desk Administration
• Administering Resource Profiles
Adding a Group Profile
1. Select New Group button
2. Fill In the blanks – Click OK
Group Installation Data
3. Fill In the Installation Data – Press Enter
Add a Group Connection
4. Click Connections Tab, enter the User ID you wish to connect to group
Send Commands to Host
5. Review commands in Command Status Tab
6. Click Send button
Adding a User Profile
1. Select New User button
2. Fill In the blanks – Click OK
TSO Segment Information
3. Select the TSO tab and fill in the information
Connect User to Groups
4. Select the Connections tab and enter the group name
Send to Host
5. Review Commands in Command Status Tab
6. Click Send button
Cloning a User Profile
1. Select New User button
2. Enter the User ID
3. Click Clone User
4. Enter the Clone ID
5. Fill In the User Name and Password
6. Select the segments to clone
Send to Host
7. Review Commands in Command Status Tab
8. Click Send button
Define Alias Command
Option to add Define Alias
Command Generation Tab
Side-by-Side Administration
Click the Tab and Pull Down
Side-by-Side Administration
Select groups to copy
Side-by-Side Administration
Drag and drop
Delete a User Profile - from Worksheets
1. Click the User
2. Press the Delete Key
Delete a User Profile - from User Admin
1. Click the User Administration button
2. Enter User ID to delete
3. Right mouse click above the tabs
4. Select Delete Item
Delete With Cleanup Wizard
Generated Commands to Delete User ID
Review Commands in Command Status Tab
Click Send button
Help Desk Administration
Click Help Desk button
Enter User ID
Help Desk Administration
Enter New Password and Verify, Uncheck the Revoked box, then press OK
Used to Establish a Future Revoke or Resume Date
What is a Hard Revoke?
• Purpose - Revoke a user in a way that the Help Desk cannot resume the user
• When a user is Hard Revoked, the user is revoked and a bit is set in the Userdata field of the user profile
• The Hard Revoke bit is looked at only by the Identity Manager function and Help Desk Administration
• Who can use Hard Revoke?
– System-SPECIAL
– User who is not System-SPECIAL must be authorized by FACILITY class profiles
Hard Revoke
Click Hard Revoke
Help Desk View
Help Desk View
Help Desk Administration Security
FACILITY Class profiles control:
• What User Profile fields may be viewed?
• What actions may be performed for which types of users?
Profile name format: $RIO.HDA.item.action.owner.userid
Diagram: Help Desk Administration (View User Info, Revoke, Resume, Reset Password) controlled by FACILITY Profiles
Resource Administration
1. Click the Resource Administration button
Data Set Administration
2. Select Class Family and Class
3. Enter Data Set Profile Name
Working with the Access List
4. Select the Access List Tab
5. Enter the Group or User ID
6. Select the Access level
Review the Commands – Send to Host
7. Review Commands in Command Status Tab
8. Click Send button
Optional Generic Refresh
RACF Preferences can automatically issue Generic Refresh
Finding the Best Fitting Profile
1. Select View, Data Set Protection Analysis | Profile That Protects a Data Set
2. Enter the Full Data Set Name in the Pop Up Window
Profile Found
3. Double Click the Profile to Display
Profile Displayed
4. Click Effective Access List Tab
Find Data Sets Protected by Profile
1. Right Mouse Click next to Profile Name
2. Select Data Sets Protected By
Data Set Names Displayed
Clone Dataset Profile
1. Right Mouse Click next to Profile Name
2. Select Clone
Clone Dataset Profile
1. Enter New Dataset Profile Name
2. Click OK
Add BUDDY to Access List
Upload Commands to File
Specify PDS and Member Name
Commands Uploaded
Thanks for Attending