Beruflich Dokumente
Kultur Dokumente
Robert S. Hansel
RACF Specialist - RSH Consulting, Inc.
R.Hansel@rshconsulting.com - 617-969-9050 - www.rshconsulting.com
RSH CONSULTING
ADMINISTRATION
Administrative Capabilities
System and Group Attributes
Profile Ownership
Group Connect Authorities
Class Authorization
FACILITY Class IRR Profiles
FIELD Class Profiles
Access Enabled Authority
Miscellaneous Authorities
Implementation Suggestions
RSH CONSULTING
ADMINISTRATIVE CAPABILITIES
SETROPTS
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER
LISTGRP
LISTDSD
RLIST
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD
RDEFINE
IRRUT100
GLOBAL
REFRESH
ALTUSER
ALTGROUP
ALTDSD
RALTER
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
Highlights:
- Green - yes
- Yellow - yes but with footnote caveats listed beneath each chart
RSH CONSULTING
SPECIAL
OPERATIONS
RSH CONSULTING
NAME=JOHN SMITH
DEFAULT-GROUP=USRGRPA
OWNER=SECGRP1
PASSDATE=00.351
CREATED=01.067
PASS-INTERVAL= 30
ATTRIBUTES=OPERATIONS
GROUP / CONNECT-Attribute
CO userid GROUP(groupid) attribute
GROUP=DASDMGT
CONNECTS=
AUTH=USE
00
CONNECT-OWNER=RJONES2
UACC=NONE
CONNECT-DATE=92.181
LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=SPECIAL
RSH CONSULTING
SCOPE-OF-GROUPS
Determines scope of authority for:
y Group-AUDITOR
y Group-SPECIAL
y Group-OPERATIONS
SCOPE-OF-GROUPS
Included:
Excluded:
y User and Group Profiles owned by
Users within the Scope-of-Groups
RSH CONSULTING
SCOPE-OF-GROUPS
#GRP0
#GRP1
#GRP2
#GRP3
#GRP4
#GRP5
#GRP6
@dataset
$USERA
#GRP7
#GRP8
$USERB
$USERC
@dataset
$USERD
@genres
#GRP9
$USERE
@genres
@dataset
@genres
@dataset
#GRP2
RSH CONSULTING
@dataset
$USERA
AUDITOR - System
SETROPTS
LIST
USER
LISTUSER
GROUP
DATASET
GENRES
OTHER
LISTGRP
LISTDSD
RLIST
DSMON
ADDGROUP
ADDSD
RDEFINE
IRRUT100
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
GLOBAL
REFRESH
ALTUSER(2)
ALTGROUP
ALTDSD(3)
RALTER(3)
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
SAUDIT
OPERAUDIT
CMDVIOL
AUDIT
LOGOPTIONS SECLEVELAUDIT SECLABELAUDIT APPLAUDIT
AUDITOR - Group
SETROPTS
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER(1)
LISTGRP(1)
LISTDSD(1)
RLIST(1)
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD
RDEFINE
IRRUT100
GLOBAL
REFRESH
ALTUSER(2)
ALTGROUP
ALTDSD(3)
RALTER(3)
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
RSH CONSULTING
10
SPECIAL - System
SETROPTS
LIST(1)
USER
LISTUSER
GROUP
DATASET
GENRES
OTHER
LISTGRP
LISTDSD
RLIST
DSMON
ADDGROUP
ADDSD
RDEFINE
IRRUT100
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
GLOBAL
REFRESH
ALTUSER(2)
ALTGROUP
ALTDSD(3)
RALTER(3)
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
RSH CONSULTING
11
SPECIAL - Group
SETROPTS
USER
GROUP
DATASET
LIST(1)
LISTUSER(2)
LISTGRP(2)
LISTDSD(2,3)
Set Options
ADDUSER(2,4,
ADDGROUP(2 ADDSD(12)
GENRES
OTHER
RLIST(2,3)
DSMON
RDEFINE(9,12)
IRRUT100
RALTER(3,10)
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
5,6)
GLOBAL
REFRESH
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RACLIST
REFRESH
PASSWORD
CONNECT(6)
PERMIT(12)
PERMIT(12)
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
7,11)
12
OPERATIONS - System
SETROPTS
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER
LISTGRP
LISTDSD(1)
RLIST(1)
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD(2)
RDEFINE
IRRUT100
GLOBAL
REFRESH
ALTUSER
ALTGROUP
ALTDSD
RALTER
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS(3,4)
GENRES
ACCESS(3,5)
TEMPDSN
ACCESS
13
OPERATIONS - Group
SETROPTS
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER
LISTGRP
LISTDSD(1)
RLIST(1)
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD(2)
RDEFINE
IRRUT100
GLOBAL
REFRESH
ALTUSER
ALTGROUP
ALTDSD
RALTER
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS(3,4)
GENRES
ACCESS(3,5)
TEMPDSN
ACCESS
14
SYS1
$$dept
$$dept
$$dept
Group
AUDITOR
@deptusr
Group
SPECIAL
RSH CONSULTING
#deptrole
$deptres
dsn-hlq
$$deptmisc
CONNECT
15
PROFILE OWNERSHIP
Authority depends on type of profile owned
y User
y Group
y Dataset
y General Resource
16
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER(1)
LISTGRP
LISTDSD
RLIST
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD
RDEFINE
IRRUT100(2)
GLOBAL
REFRESH
ALTUSER(1)
ALTGROUP
ALTDSD
RALTER
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
RSH CONSULTING
17
USER
GROUP
LIST
LISTUSER
LISTGRP(1)
Set Options
ADDUSER(2,3)
GLOBAL
REFRESH
DATASET
LISTDSD
GENRES
OTHER
RLIST
DSMON
ADDGROUP(1 ADDSD
RDEFINE
IRRUT100
ALTUSER
ALTGROUP(1) ALTDSD
RALTER
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT(4)
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
18
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER
LISTGRP
LISTDSD(1)
RLIST
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD
RDEFINE
IRRUT100
GLOBAL
REFRESH
ALTUSER
ALTGROUP
ALTDSD(1)
RALTER
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
RSH CONSULTING
19
USER
GROUP
DATASET
GENRES
OTHER
LIST
LISTUSER
LISTGRP
LISTDSD
RLIST(1)
DSMON
Set Options
ADDUSER
ADDGROUP
ADDSD
RDEFINE
IRRUT100
GLOBAL
REFRESH
ALTUSER
ALTGROUP
ALTDSD
RALTER(1,2)
GENERIC
REFRESH
DELUSER
DELGROUP
DELDSD
RDELETE
RALTER
GLOBAL
ADDMEM
CATDSNS
ACCESS
RACLIST
REFRESH
PASSWORD
CONNECT
PERMIT
PERMIT
PROTECTALL ACCESS
REMOVE
DATASET
ACCESS
GENRES
ACCESS
TEMPDSN
ACCESS
RSH CONSULTING
20
GROUP AUTHORITIES
USE
CREATE
CONNECT
JOIN
RSH CONSULTING
21
CLASS AUTHORIZATION
Class Authorization - CLAUTH
y Allows creation of profiles and protection of undefined resources
without System-SPECIAL
y User profile attribute - ALU userid CLAUTH(class)
y Can be used for all classes except GROUP and DATASET
22
CLASS AUTHORIZATION
GENERICOWNER SETROPTS Option
y Owner of General Resource generic profile retains control over
profile protected resources
y Restricts ability of other users with CLAUTH to create undercutting
profiles (e.g., cannot create AB* undercutting A*)
y Only owner and users who also have Group-SPECIAL where profile
is within Scope-of-Groups can create undercutting profiles
y Does not apply to PROGRAM class
23
RSH CONSULTING
24
RSH CONSULTING
25
- examine
- change
RSH CONSULTING
26
27
RSH CONSULTING
28
GRPACC AUTHORITY
GRPACC - Group Access
y When a User creates a Group dataset profile, the Group itself is
automatically granted UPDATE access
User creates profile PAY.MAST.FILE
Group PAY is automatically added to access list with UPDATE access
y System-level Attribute
Applies to all Group dataset profiles created by the user
Supercedes Group-GRPACC
y GROUP-level Attribute
To enable its use, user must specifically log on to the Group where the
user's group connect has this authority
Applies to any Group in the user's administrative scope, even those
outside of the normal GRPACC Scope-of-Groups
RSH CONSULTING
29
MISCELLANEOUS AUTHORITY
Prevent automatic grant of ALTER access to creators USERID
during profile creation
y RACF SETROPTS option
y ADDCREATOR
y NOADDCREATOR
30
IMPLEMENTATION SUGGESTIONS
Ownership by Group only (except TSO users & their datasets)
Group Ownership follow Group Hierarchy
Avoid mixing Group Usage; Segregate Resource Owning
Groups from Access Granting Groups
Limit assignment of SPECIAL, OPERATIONS, and CLAUTH
Restrict OPERATIONS access with Exclusion Group
Limit use of Discrete Dataset Profiles
Limit use of Discrete General Resource Profiles with ALTER
access
Activate GENERICOWNER and NOADDCREATOR
Avoid ADSP, GRPACC, and Group UACC
Monitor all use of authorities - OPERAUDIT, SAUDIT, AUDIT(*)
RSH CONSULTING
31