protecting datasets with racf


Postby mosu » Sun Nov 14, 2010 2:46 pm

hi,

I have a few issues grasping some of the concepts behind protecting data sets.
For example, if for a group, say 'shop', I want all the data to be protected, I would say ADDSD SHOP.** UACC(NONE)
But then I want a group of users to be able to access/modify a part of the dataset. So I would do PERMIT SHOP.TEAMS.DEV.** ID(DEV) ACCESS(UPDATE)
Now what I don't understand:
a) to be able to issue the second command I also need to do ADDSD SHOP.TEAMS.DEV.** UACC(NONE). Why is this, since I already assigned UACC(NONE) to SHOP?
b) is there an easy way to see who is on the PERMIT access list?

thanks :)
mosu

Re: protecting datasets with racf

Postby steve-myers » Sun Nov 14, 2010 8:12 pm

Before you can insert an access list for a profile (using PERMIT) you have to create the profile using ADDSD. SHOP.** is a separate profile. It would cover the data sets covered by SHOP.TEAMS.DEV.** if the profile didn't exist, but since it does exist it's as though SHOP.** no longer exists.

You can list the profile with the LISTDSD command:

LISTDSD DATASET('SHOP.TEAMS.DEV.**') AUTHUSER GENERIC

Since the profile contains a wild card character you don't have to specify the GENERIC keyword, which you would have to specify if it were a complete data set name:

LISTDSD DATASET('SHOP.TEAMS.DEV.SOURCE') AUTHUSER

would not work because there is no profile for SHOP.TEAMS.DEV.SOURCE, but if you specified GENERIC in the command it would list the SHOP.TEAMS.DEV.** profile.

Hope this helps,
steve-myers
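To make the "most specific profile wins" point above concrete, here is an added Python model of how RACF picks the DATASET profile that covers a data set and then resolves access from that profile's access list and UACC. It is an illustration written for this page, not RACF code and not from the posts above. The profiles SHOP.**, SHOP.TEAMS.DEV.**, the group DEV and the data set SHOP.TEAMS.DEV.SOURCE are the thread's; the users ALICE and BOB, the group SALES, the data set SHOP.PRICES and the READ permit on SHOP.** are constructed to show the hiding effect. The ordering used to rank generic profiles is a simplified approximation of RACF's rules (literal character before %, before *, before **), which is enough for the cases discussed here.

```python
"""Toy model of RACF DATASET-class profile selection and access checking.

Added illustration only: it reproduces the behaviour discussed in the thread
(generic ** and * profiles, "most specific matching profile wins", PERMIT
access lists, UACC). SPECIAL/OPERATIONS, OWNER, ID(*), WARNING mode and
PROTECTALL are deliberately not modelled.
"""
import re

ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _rank(level):
    return ACCESS_LEVELS.index(level.upper())


def _qual_match(pattern, qual):
    # Inside one qualifier: '*' matches any run of characters, '%' exactly one.
    regex = re.escape(pattern).replace(r"\*", r"[^.]*").replace("%", r"[^.]")
    return re.fullmatch(regex, qual) is not None


def _match(pq, dq):
    # Profile qualifiers vs. data set qualifiers; '**' matches zero or more qualifiers.
    if not pq:
        return not dq
    if pq[0] == "**":
        return any(_match(pq[1:], dq[k:]) for k in range(len(dq) + 1))
    return bool(dq) and _qual_match(pq[0], dq[0]) and _match(pq[1:], dq[1:])


class DatasetProfile:
    def __init__(self, name, uacc="NONE"):
        self.name = name.upper()
        self.uacc = uacc.upper()
        self.acl = {}  # ID (user or group) -> access level, as built by PERMIT

    def permit(self, racf_id, access):
        self.acl[racf_id.upper()] = access.upper()

    def matches(self, dsname):
        return _match(self.name.split("."), dsname.upper().split("."))

    def specificity(self):
        # Lower sorts first: literal char (0) < % (1) < * (2) < ** (3), left to right.
        # Simplified approximation of RACF's generic-profile ordering (assumption).
        key = []
        for qual in self.name.split("."):
            if qual == "**":
                key.append(3)
            else:
                key.extend(2 if c == "*" else 1 if c == "%" else 0 for c in qual)
            key.append(0)  # the dot separator
        return key


class RacfDatabase:
    def __init__(self):
        self.profiles = []
        self.groups = {}  # user -> set of connected groups

    def addsd(self, name, uacc="NONE"):
        p = DatasetProfile(name, uacc)
        self.profiles.append(p)
        return p

    def connect(self, user, group):
        self.groups.setdefault(user.upper(), set()).add(group.upper())

    def covering_profile(self, dsname):
        # The most specific matching profile completely hides any broader one:
        # once SHOP.TEAMS.DEV.** exists, SHOP.** plays no part for its data sets.
        hits = [p for p in self.profiles if p.matches(dsname)]
        return min(hits, key=DatasetProfile.specificity) if hits else None

    def access(self, user, dsname):
        # Simplified RACF order: user's own access-list entry, then the highest
        # entry among the user's groups, then UACC.
        p = self.covering_profile(dsname)
        if p is None:
            return None  # no profile covers it in this toy
        user = user.upper()
        if user in p.acl:
            return p.acl[user]
        group_levels = [p.acl[g] for g in self.groups.get(user, ()) if g in p.acl]
        return max(group_levels, key=_rank) if group_levels else p.uacc

    def allowed(self, user, dsname, wanted):
        level = self.access(user, dsname)
        return level is not None and _rank(level) >= _rank(wanted)

    def authuser(self, name):
        # What LISTDSD DATASET('...') AUTHUSER reports: the profile's access list.
        for p in self.profiles:
            if p.name == name.upper():
                return dict(p.acl)
        raise KeyError(name)


def build_thread_example():
    db = RacfDatabase()
    shop = db.addsd("SHOP.**", uacc="NONE")
    dev = db.addsd("SHOP.TEAMS.DEV.**", uacc="NONE")
    dev.permit("DEV", "UPDATE")          # the PERMIT from the thread
    shop.permit("SALES", "READ")         # constructed: shows the broader profile being hidden
    db.connect("ALICE", "DEV")           # constructed users and group
    db.connect("BOB", "SALES")
    return db


if __name__ == "__main__":
    db = build_thread_example()
    for user, ds in [("ALICE", "SHOP.TEAMS.DEV.SOURCE"), ("BOB", "SHOP.TEAMS.DEV.SOURCE"),
                     ("BOB", "SHOP.PRICES")]:
        print(user, ds, db.covering_profile(ds).name, db.access(user, ds))
    print(db.authuser("SHOP.TEAMS.DEV.**"))
```

The instructive case is BOB: his group SALES has READ on SHOP.**, yet on SHOP.TEAMS.DEV.SOURCE he gets NONE, because only the access list of the covering profile SHOP.TEAMS.DEV.** is consulted. Anything that should still be reachable under the narrower profile has to be permitted on that profile explicitly.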

Re: protecting datasets with racf

Postby mosu » Mon Nov 15, 2010 4:01 am

Hi,

Thanks, that helped a lot!

One more issue:

I am trying to give a user (supposed to be an admin) the permission to change passwords, revoke and resume user ids. If I get this right, group-special attribute should do it (and for revoking the only way I know). However, this would give him other rights that he shouldn't have. So I was thinking about using IRR.PASSWORD.RESET for this user, however I get the error 'not authorized to use IRR.PASSWORD.RESET' (or something like that). I cannot find anywhere in the manual what attributes you need to have to be able to use this (I have group-special).

Thanks again!
mosu

Re: protecting datasets with racf

Postby steve-myers » Mon Nov 15, 2010 5:27 am

Well, I did find a manual. My first thought when I read its description is IRR.PASSWORD.RESET gives too much authority, but after some thought I realized that you probably have to be able to "resume" a user when you change their password since the user was probably revoked when they need help.

The problem isn't too much authority, it's the authority is too wide. IRR.PASSWORD.RESET appears to allow any user to reset any other user.

Your immediate problem is you can't authorize its use. I think your problem is group-special can't PERMIT it, but the problem may also be that the profile was never established. You might also check if alternates might be more useful, though I think system-special might be required for any of them. See this topic.
steve-myers

Re: protecting datasets with racf

Postby mosu » Mon Nov 15, 2010 6:11 am

Hi,

In the end (and largely due to time constraints) I decided to give that user group-special and I will limit his data set access with a Permit command. I think this should be fine.

Thanks!
mosu

Re: protecting datasets with racf

Postby steve-myers » Mon Nov 15, 2010 10:46 am

I agree that group-special is probably your better choice. That user can do password resets and resume only the users in the group.
steve-myers

Re: protecting datasets with racf

Postby kudsi_tabrez » Tue Jun 28, 2011 7:56 pm

Hi,

I believe the user should be granted access over the FACILITY class profile IRR.PASSWORD.RESET
kudsi_tabrez

Re: protecting datasets with racf

Postby steve-myers » Tue Jun 28, 2011 9:16 pm

FACILITY/IRR.PASSWORD.RESET is a useful tool for help desk people to reset passwords. That's its intended use! However, it has nothing to do with protecting datasets.
steve-myers

Re: protecting datasets with racf

Postby angrybeaver » Thu Mar 15, 2012 10:45 pm

You can control the scope of the IRR.PASSWORD.RESET facility profiles to certain groups so it's not system-wide.

If the link doesn't work, google the full URI; they have a cached copy...

ftp://ftp.software.ibm.com/eserver/zser ... larity.pdf
angrybeaver