Besides the RACF Administrator, Who else needs the Special



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

Besides the RACF Administrator, Who else needs the Special

Postby danielgp89 » Sat Mar 16, 2019 2:13 am

Hello Everyone!

I'm learning RACF, and I'm exploring the zSecure tool, but making a report of who has the Special attribute in the System, I figured out that more than one user that is not the system RACF administrator has the attribute.

For example, I don't know if tasks of the system needs to have the Special attribute like Tivoli or Control-M or groups that are part of the CICS subsystem or a group with default access to TSO.

Best Regards!
danielgp89
 
Posts: 18
Joined: Fri Feb 15, 2019 5:41 am
Has thanked: 8 times
Been thanked: 0 time

Re: Besides the RACF Administrator, Who else needs the Speci

Postby Robert Sample » Sat Mar 16, 2019 3:20 am

The SPECIAL attribute allows a user to enter RACF commands (including adding users, giving users permission to access resources, and work with certificates). I wouldn't think Tivoli or Control-M or CICS groups or default ANYTHING should have SPECIAL. SPECIAL grants a lot of access and most sites don't want more than one (or a few in the security group) person or people having that kind of authority.

These users thanked the author Robert Sample for the post:
danielgp89 (Wed Mar 20, 2019 12:00 am)
Robert Sample
Global moderator
 
Posts: 3719
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Re: Besides the RACF Administrator, Who else needs the Speci

Postby steve-myers » Sat Mar 16, 2019 5:56 am

Mr. Sample is basically correct. One thing an auditor should be doing is to find out who has RACF SPECIAL and flag anyone who is not a RACF admin. The real RACF admins should remove the attribute from people that don't need it.

Actually, in some ways I regard OPERATIONS as more dangerous as they can access essentially any data set. Obviously the storage management group requires OPERATIONS, as does the userid assigned to tasks like HSM or whatever your site uses for automated storage management.

These users thanked the author steve-myers for the post:
danielgp89 (Wed Mar 20, 2019 12:00 am)
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: Besides the RACF Administrator, Who else needs the Speci

Postby expat » Mon Mar 18, 2019 12:49 pm

When I was doing a security admin role many years ago, there were two "Emergency" users with the special attribute.
These were fully audited, and the person wishing access to either id had to physically report to the site security office and sign for the envelope containing the id & password, showing their id badge too, just to keep it all legal.
Access was restricted to the sysprogs and the operations area, with all permitted names being held on a list for the site security people to check too.
For in hours requests, us security bods were there, eager and willing to please our customers

These users thanked the author expat for the post:
danielgp89 (Wed Mar 20, 2019 12:00 am)
expat
 
Posts: 459
Joined: Sat Jun 09, 2007 3:21 pm
Has thanked: 0 time
Been thanked: 8 times


Return to Mainframe Security

 


  • Related topics
    Replies
    Views
    Last post