IBM 1.13 zSecure Admin and Audit for RACF Getting Started
Below you will find brief information for zSecure Admin and Audit for RACF 1.13. This guide will help you get started using the zSecure Admin and Audit for RACF product suite. It covers the basic operations, managing users and profiles, using distributed and scoped administration functions, managing data with the setup functions, reporting, using the verify functions, auditing system integrity and security, querying SMF data, using resource-based reports on TCP/IP configuration, z/OS UNIX, CICS, IMS, and DB2, using CARLa commands, performing typical administration and audit tasks, and frequently asked questions.
Security zSecure Admin and Audit for RACF
Version 1.13
Getting Started
GI11-9162-00

Note: Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 107.

November 2011

This edition applies to version 1, release 13, modification 0 of IBM Security zSecure Admin for RACF (product number 5655-T01) and IBM Security zSecure Audit for RACF (product number 5655-T02) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 1989, 2011.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication . . . v
  Intended audience . . . v
  What this publication contains . . . v
  Related Documentation . . . v
  Release information . . . v
  Accessing terminology online . . . vi
  Accessing publications online . . . vi
  Ordering publications . . . vi
  Licensed publications . . . vi
  Accessibility . . . vii
  Tivoli technical training . . . vii
  Tivoli user groups . . . vii
  Support for problem solving . . . vii
  Conventions used in this publication . . . vii
  Typeface conventions . . . viii

Chapter 1. Overview . . . 1
  CARLa auditing and reporting language . . . 2
  Data sources . . . 3
  CKFREEZE data sets . . . 4
  Using remote data and command routing . . . 4

Chapter 2. Learning basic operations . . . 5
  Before you begin . . . 5
  Checking TSO logon parameters . . . 5
  Setting ISPF & 3270 format . . . 5
  Starting the products . . . 5
  Maintaining RACF profiles . . . 6
  Displaying user profiles . . . 7
  User selection panel details . . . 10
  Using filters . . . 12
  Selecting dates . . . 12
  Showing application segments . . . 12
  Displaying group profiles . . . 13
  Using universal groups . . . 14
  Connecting and removing users . . . 15
  Reviewing dataset profiles . . . 16
  Finding profiles in warning mode . . . 19
  Displaying discrete profiles . . . 19
  Displaying the access control list (ACL) . . . 20
  Access control list formats . . . 21
  Changing the access list display settings . . . 23
  Using the Access command . . . 24
  Managing access rights . . . 24
  Reporting digital certificates . . . 25
  Comparing users . . . 26

Chapter 3. Managing users and profiles . . . 29
  Generating and confirming RACF commands . . . 29
  Performing a mass update . . . 30
  Copying a user . . . 31
  Deleting a user with all references . . . 33
  Recreating a profile . . . 33
  Merging profiles . . . 33
  Displaying redundant profiles . . . 33
  Displaying data structure . . . 35
  Running SETROPTS reports and viewing class settings . . . 37

Chapter 4. Using distributed and scoped administration functions . . . 41
  Administering groups using RACF scope . . . 41
  Accessing the Quick Administration panel . . . 41
  Using CKG scope for group administration . . . 42
  Accessing the single panel Helpdesk . . . 43
  Using the Helpdesk . . . 44
  Tailoring the Helpdesk . . . 45

Chapter 5. Managing data with the Setup functions . . . 47
  Adding data . . . 47
  Adding new files . . . 47
  Refreshing and loading files . . . 50
  Selecting the input set . . . 50
  Using other Setup parameters . . . 51
  Setting up INSTDATA . . . 51
  Setting up View . . . 51
  Setting up Output . . . 52
  Setting up Confirm . . . 52
  Change values and verifying . . . 54
  Using line commands and the Overtype functions . . . 55

Chapter 6. Reporting . . . 57
  Using the Results panel . . . 58
  Archiving report output . . . 58
  Mailing report output . . . 59

Chapter 7. Using the Verify functions . . . 61

Chapter 8. Auditing system integrity and security . . . 67

Chapter 9. Querying SMF data . . . 71
  Defining input sets . . . 72
  SMF reports . . . 74
  Auditing types of users . . . 75
  Tracking configuration changes . . . 77
  Detecting library changes . . . 78

Chapter 10. Using resource-based reports on TCP/IP configuration, z/OS UNIX, CICS, IMS, and DB2 . . . 81
  IP Stack reports . . . 81
  UNIX filesystem reports (RE.U) . . . 83
  CICS region and resource reports . . . 86
  CICS region reports . . . 86
  CICS transaction reports . . . 87
  CICS program reports . . . 88
  IMS region and resource reports . . . 89
  IMS region reports . . . 89
  IMS transaction reports . . . 90
  IMS PSB reports . . . 91
  DB2 region reports . . . 92

Chapter 11. Using CARLa commands . . . 95

Chapter 12. Performing typical administration and audit tasks . . . 101
  Removing a user . . . 101
  Displaying which data sets a user can access . . . 101
  Auditing load libraries . . . 101
  Printing display panels . . . 101
  Finding profiles based on search criteria . . . 102
  Verifying a Protect All environment . . . 102
  Using the Command function . . . 102

Appendix A. Frequently asked questions . . . 103

Appendix B. Notices . . . 107
  Trademarks . . . 109

Index . . . 111

About this publication

IBM Security zSecure Admin and Audit for RACF® (Resource Access Control Facility) automates many of the recurring administrative tasks and audit reporting for RACF systems. These products rely on the zSecure Collect program to collect and analyze data from RACF and z/OS® systems, enabling you to easily monitor user access privileges, implement scoping to limit administrator privileges, and to audit user behavior. These products also enhance the administrative and reporting functions of RACF systems, facilitating security monitoring and decentralizing system administration.

This document is intended to help you learn the basics of using IBM Security zSecure Admin and Audit for RACF. After working through this document, you should have a working understanding of these products and the ability to explore other product features.

Intended audience

The target audience for this book includes security administrators and mainframe system programmers. Readers of this book should have working knowledge of RACF systems administration and be comfortable using Interactive System Productivity Facility (ISPF).

What this publication contains

The purpose of this document is to help you quickly become familiar with IBM Security zSecure Admin and Audit for RACF. This document is not a full reference manual and does not cover all features. The material focuses on the interactive features (using ISPF panels) and highlights the major functions of IBM Security zSecure Admin and Audit for RACF. Except for a few introductory pages, this document is intended as a hands-on guide while you work with IBM Security zSecure Admin and Audit for RACF.
The publication explains how to use IBM Security zSecure Admin and Audit for RACF to perform common administration tasks and how to audit and run reports on RACF systems.

Related Documentation

For more detailed information about the IBM Security zSecure Admin and Audit for RACF components, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual (document number LC14-7663-00). This publication is provided on the IBM Security zSecure: Documentation CD (LCD7-1387-09). You can download the documentation CD when you order and download IBM Security zSecure Admin and Audit for RACF from the ShopzSeries website or from the ESW download site. To obtain electronic or printed copies of these manuals, see the instructions in “Ordering publications” on page vi.

Release information

The zSecure Release Information topics include details on new features and enhancements, incompatibility warnings, and documentation update information for your zSecure product. You can review the most current version of the release information in the zSecure Information Center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.zsecure.doc_1.13/welcome.html

Accessing terminology online

The IBM® Terminology website consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessing publications online

The IBM Security zSecure: Documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. IBM posts publications for this and all other Tivoli® products, as they become available and whenever they are updated, to the Tivoli Documentation Central website at http://www.ibm.com/tivoli/documentation.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Select http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Licensed publications

Licensed publications are indicated by a publication number that starts with L (LC14-7663-00, for example). To obtain PDF or printed copies of licensed publications, send an email requesting the publication to: [email protected]

Include the following information:
- IBM customer number
- List of publication numbers that you want to order
- Preferred contact information

You will be contacted for further instructions for fulfilling your order. For details, see “Support for problem solving.”

Accessibility

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use software products successfully. For keyboard access in the Tivoli zSecure z/OS products, standard shortcut and accelerator keys are used by the product, where applicable, and are documented by the operating system. See the documentation provided by your operating system for more information.

Visit the IBM Accessibility Center at http://www.ibm.com/alphaworks/topics/accessibility/ for more information about IBM's commitment to accessibility.

Tivoli technical training

For Tivoli technical training information, see the IBM Tivoli Education website at http://www-01.ibm.com/software/tivoli/education/.

Tivoli user groups

Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:
- 23,000+ members
- 144+ groups

Access the link for the Tivoli Users Group at http://www.tivoli-ug.org.

Support for problem solving

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
  Navigate to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Support Assistant
  The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, navigate to http://www.ibm.com/software/support/isa.

Conventions used in this publication

This publication uses several conventions for special terms and actions and operating system-dependent commands and paths.

Typeface conventions

This publication uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multi-column lists, containers, choices, names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide: ... where myname represents....

Monospace
- Examples and code examples
- File names, directory names, and path names
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options

Chapter 1. Overview

IBM Security zSecure Admin for RACF and IBM Security zSecure Audit for RACF are two distinct but complementary products that you can use to administer and audit RACF systems. zSecure Admin provides RACF management and administration at the system, group, and individual levels along with RACF command generation. zSecure Audit provides RACF and z/OS monitoring, Systems Management Facility (SMF) reporting, z/OS integrity checking, change tracking, and library change detection. Both products provide displaying, reporting and verifying functionality for RACF profiles and show the z/OS tables that describe the Trusted Computing Base (TCB).
Figure 1 shows the functionality available in each product and shows the complementary functionality provided in both products. zSecure Admin and zSecure Audit for RACF are licensed individually, but can be used together.

Figure 1. zSecure Admin and zSecure Audit product functions

The primary processing programs are large modules that can be used in batch or interactive mode. Interactive mode is most common, although batch mode can be useful for automated, periodic checks and for producing daily reports. zSecure Admin and zSecure Audit provide an interactive user interface implemented in ISPF using the panel, skeleton and message libraries supplied with zSecure. ISPF is the main program running during an interactive session, calling the zSecure application program as needed. The interactive panels call the CKRCARLA load module as needed.

Figure 2 on page 2 illustrates the general data flow for zSecure Admin and zSecure Audit. The user works through ISPF panels, which generate commands that are sent to the CKRCARLA program. The program returns results that are displayed through ISPF panels.

Figure 2. Conceptual data flow

This general design, with separate interactive and noninteractive components, has several practical advantages:
- It separates interactive interfaces from the application program. This separation gives you more flexibility in designing and using the interfaces and programs, especially when customizing the ISPF interface.
- Any functions that can be run interactively can also be run in batch mode.
- zSecure Admin and zSecure Audit for RACF can create customized reports using the CARLa Auditing and Reporting Language (CARLa) and run these reports from the ISPF panels.
- The products can be used remotely, in cases where a TSO connection is not possible or practical, in NJE networks, for example.

CARLa auditing and reporting language

zSecure Audit for RACF is command-driven using the CARLa Auditing and Reporting Language (CARLa). The commands are explained in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual (LC14-7663-00). A typical user, using ISPF, does not need to be concerned with CARLa. The commands are generated automatically and sent to the application program. Except for the few comments in this section, this guide does not discuss the CARLa command language and concentrates on the use of zSecure Admin and Audit through ISPF.

The command language is generally used for the following reasons:
- To generate customized reports
- To use the product in batch mode

Because the standard reports are comprehensive, you might not ever need customized reports. Nevertheless, you can create customized reports. Batch use is attractive as part of a security monitoring function. For example, you can use a scheduled batch job to run monitoring checks and reports automatically. A comprehensive set of sample reports is available in a data set referred to as the CARLa library (low-level qualifier of SCKRCARL and often referred to with the default ddname CKRCARLA).

Data sources

zSecure Admin and zSecure Audit for RACF use several different types of data. Figure 3 provides an overview of the data sources and processing performed by the products.

Figure 3. Data input sources

zSecure Admin and zSecure Audit for RACF usually require RACF data. This data can come from the following sources:
- The primary live RACF database
- The backup live RACF database
- Unloaded RACF data
- A copy of a RACF database, or an active RACF database from another system

zSecure produces unloaded RACF data by reading the live RACF database and creating a copy in a proprietary format suitable for high-speed searches.

If you are using zSecure Audit for RACF functions, the program might require SMF data.
The SMF data can come from the live SMF data sets, SMF log streams, or from sequential SMF data sets produced with the IFASMFDP or IFASMFDL programs. These IBM programs unload SMF records from the live SMF data sets and SMF log streams respectively. Sequential SMF data sets can be on disk or tape, although many installations might not permit TSO users to mount tapes for interactive use. zSecure Audit cannot process pseudo-SMF files created by the RACF REPORT WRITER or the IRRADU00 SMF unload program.

CKFREEZE data sets

zSecure Audit for RACF uses DASD data provided by zSecure Collect. This program runs as a batch job and reads all online Volume Table Of Contents (VTOCs), VSAM Volume Data Sets (VVDSs), catalogs, and selected Partitioned Data Set (PDS) directories, and calculates digital signatures at the member and data set level when requested. It writes all this to a data set referred to as a CKFREEZE data set.

zSecure Admin and zSecure Audit for RACF also use z/OS control block data. zSecure Collect gathers this data at the same time that it gathers DASD data. It uses APF-authorized functions to retrieve data from other address spaces and from read-protected common storage. Additionally, batch collection permits analysis of a remote system where the data was collected.

You define input sets for zSecure Admin and zSecure Audit for RACF. For example, one set might consist only of the live RACF data. Another set might use live RACF data plus a CKFREEZE file. Another set might use unloaded RACF data, a CKFREEZE data set, and several SMF data sets. You can switch between input sets while in the ISPF environment.

Using remote data and command routing

Beginning with version 1.12, zSecure Admin and zSecure Audit support the use of remote data sets as input for creating reports and displays. Using this functionality, known as multi-system support, you can report on and manage multiple systems from a single session. This function is also integrated with zSecure Admin support for routing RACF commands using zSecure services or RACF Remote Sharing Facility (RRSF) services.

Using remote data for creating reports is useful for ad hoc reporting about profiles or settings. However, this access method is less suited for queries that require processing of the entire security database or the entire CKFREEZE data set, because it takes longer to access large amounts of remote data than to access the same data locally.

To use the multi-system support functionality, your environment must have an active zSecure Server, which runs in a separate server address space. This server performs the necessary functions for communicating with remote systems to route commands and access RACF databases, SMF input files, CKFREEZE data sets, and other defined data sets. For more detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual.

Chapter 2. Learning basic operations

Review the following procedures to learn how to start the zSecure Admin and Audit applications and to navigate, select, input, and manage RACF data. You can read about the following tasks:
- Viewing, managing, and maintaining RACF profiles for users, groups, and data sets
- Managing access rights
- Reporting on digital certificates
- Comparing users

Before you begin

Follow the procedures outlined in this section before you start using zSecure Admin and zSecure Audit for RACF.

Checking TSO logon parameters

Make sure that you are logged on to TSO with a large enough region size. zSecure Admin and zSecure Audit for RACF use virtual storage to reduce I/O and to improve the response time. The amount of virtual storage depends on the size of your installation and on the information you requested. A good region size value to start with is 32 MB.
Setting ISPF & 3270 format

zSecure Admin and zSecure Audit for RACF panels are designed to be used with 24-line and larger screens. To be most effective with 24-line screens, type PFSHOW OFF on the command line in any ISPF panel and press Enter to remove the program function key definition information that ISPF automatically places in the last one or two lines of the screen. Use the PFSHOW ON command to restore the PF key definitions.

Starting the products

After installing the products, you can start the zSecure Admin and Audit applications and perform typical tasks. To get started, perform the following steps:
1. Type 6 on the Option line, and then press Enter to open ISPF Command Shell.
2. Enter the command CKR and press Enter. This command starts the combined zSecure Admin and zSecure Audit for RACF products.

After you enter the command, the Main menu opens as shown in Figure 4 on page 6.

  Menu  Options  Info  Commands  Setup
 ───────────────────────────────────────────────────────────────────────────────
                     zSecure Admin+Audit for RACF - Main menu
 Option ===> __________________________________________________________________

 SE  Setup         Options and input data sets
 RA  RACF          RACF Administration
 AU  Audit         Audit security and system resources
 RE  Resource      Resource reports
 AM  Access        RACF Access Monitor
 EV  Events        Event reporting from SMF and other logs
 CO  Commands      Run commands from library
 IN  Information   Information and documentation
 LO  Local         Locally defined options
 X   Exit          Exit this panel

 Input complex: ACTIVE BKUP DB AND SMF

 Product/Release
 5655-T01 IBM Security zSecure Admin 1.13.0
 5655-T02 IBM Security zSecure Audit for RACF 1.13.0

Figure 4. zSecure Suite - Main menu

The first time you enter this panel, only the major selection options are shown. (If necessary, use option SE.R to reset the Start panel to the Main panel.) To select an option, type the two-character abbreviation on the command line. Then, press Enter.
Depending on the option selected, the menu either expands to show more detailed options or presents the submenu for the next selection. The following sections show you how to use some of the display functions to ensure that the product is working correctly. At this point, your live RACF database is being used for input. Normally, using zSecure with the live RACF database does not cause any noticeable effects on production operations.

Maintaining RACF profiles

You can maintain RACF profiles by displaying an overview of the profiles and then selecting one on which to perform an action. The profile selection panels have fields, also known as filters, to select or to exclude data. By default, everything is selected and nothing is excluded. To see an example, complete the following steps:
1. On the Main menu, type RA (RACF Administration) in the Option line, and press Enter to see the options for viewing and maintaining the RACF database.
2. Type G (Group) in the Option line, and press Enter without entering any parameters in the panel.
3. At the default prompt, press Enter again.

After completing this procedure, zSecure Admin and zSecure Audit for RACF show everything in the RACF database relevant to the function of the panel; group profile information in this example. You can reduce the amount of data shown in the panel by specifying one or two selection or exclusion parameters.

Tip: You can use the FORALL primary command on a record-level display to specify a command to be applied to all profiles on the current display. Without a parameter, the FORALL primary command displays a panel where a command can be entered. You can also enter the command directly on the FORALL command.

This example uses the live RACF database to demonstrate the speed and non-interference of zSecure Admin and Audit when using the live RACF database. “Adding data” on page 47 guides you through the creation of an unloaded RACF database. The unloaded database is used for the text and examples in the remainder of this guide.

This section introduces the facilities offered by zSecure Admin to maintain the RACF database. The examples show how easy it is to use the zSecure ISPF interface and to control the RACF or CKGRACF commands that the product generates in response to the commands issued from the interface. zSecure Admin helps you maintain profiles at the group and user level as well as at the single-entry level. You can quickly find out about the structure of groups and users, and modify structures based on your organizational structure. After you learn how to use the interface and manage commands, you will learn about general maintenance functions, devolved maintenance, and how the help desk can shift workload (by enabling password maintenance without having the special authority, for example).

Displaying user profiles

To open the User Selection panel to view and manage user profiles, complete the following steps:
1. If you are not in the Main menu, press PF3 to return to the Main menu.
2. Type RA (RACF Administration) in the Option line, and press Enter to see the options for viewing and maintaining the RACF database.
3. From the RA menu, select option U (User). Then press Enter to open the User Selection panel; see Figure 5 on page 8.

This panel provides some of the most frequently used selections. It consists of the following parts:
- Add new user or segment
- Additional selection criteria
- Output/run options

Depending on the additional selection criteria or output/run options you choose (by placing a / in front of one of those options), you might be taken to another panel to specify additional selection criteria. After making your selection, press PF3 to return to the User Selection panel, or press Enter if you want to execute the query.

  Menu  Options  Info  Commands  Setup
 -------------------------------------------------------------------------------
               zSecure Admin+Audit for RACF - RACF - User Selection
 Command ===> __________________________________________________  _ start panel
  _ Add new user or segment
 Show userids that fit all of the following criteria
 Userid . . . . . . ________                     (user profile key or filter)
 Name . . . . . . . ___________________________  (name/part of name, no filter)
 Installation data  ___________________________  (data scan, no filter except *)
 Owned by . . . . . ________                     (group or userid, or filter)
 Default group . .  ________                     (group or filter)
 Connect group . .  ________                     (group or filter)

 Additional selection criteria
  _ Other fields        _ Segment presence      _ Absence
  _ Attributes          _ Specify scope
 Output/run options
  _ Show segments       _ Print format          Background run
  _ All                   Customize title       Full page form
                          Send as e-mail        Sort differently
                          Narrow print

Figure 5. User Selection panel

4. In the Userid field, type your userid.

Tip: The additional print options are available only if the Print format field is activated. To activate this field, type / in the Print format selection field.

5. Press Enter. zSecure Admin and Audit for RACF searches the RACF database and opens the user profile overview panel as shown in Figure 6.

Figure 6. Overview display for selected user

The message in the upper right line of the panel provides performance information indicating the elapsed and CPU time used to execute the query. This overview display shows each selected user profile on a single line. If applicable, you can scroll up and down, left and right, to view additional information. Some of the field values can be edited: entries in the Name column, for example.
Depending on your ISPF option settings and terminal type, fields that can be edited (modified) are indicated by underscores or might be shown in a color that is different from the color for fields that cannot be edited (the User field, for example). If you type a new value over a modifiable field, zSecure Admin generates the appropriate native RACF command to change the profile to the new value.

Note: If desired, you can change the ISPF display colors in most panels using the following procedure:
a. Select Options from the menu bar.
b. From the Options menu, select 1. Settings.
c. Select Colors from the bar. Then select 2. CUA attributes.

After specifying the changes, press Enter to apply them. The changes become effective the next time you run a query.

Due to limited space, the labels in the profile display are abbreviated as shown in Table 1.

Table 1. Profile display label descriptions

Label   Description
RIRP    Flag fields that indicate if the profile is R Revoked, I Inactive, R Restricted, or P Protected
SOA     Shows the settings for the following attributes: S Special, O Operations, and A Auditor
gC      Shows g Group authorities present and C Class authority present
LCX     Indicates if the following conditions are true: RACLINK present (L), user has a certificate (C), password is expired (X)

These field descriptions are also available on the integrated help panels available in the ISPF interface. You can access panel-level help and field-level help on most panels. Panel help and field-sensitive help are available on all security database displays, at both the record level and detail level.
- For field help, position the cursor in the field of interest and press PF1.
- For panel help, position your cursor on the command line. Then press PF1.

Tip: Many of the zSecure data displays are wider than 80 characters. To scroll right or left, use the PF11 and PF10 keys.
To display more detailed information about a profile, complete the following steps:
1. Move the cursor to the beginning of the displayed profile line (in the line command field). Then, press Enter. To select an entry in the panel, you can use either of the following methods:
v Position the cursor on the line command field, and then press Enter.
v Enter the S command and then press Enter.
Additional line commands such as C (copy) and D (delete) are also available. These commands are covered later in this guide.
Tips:
a. If you are unsure about the available line commands on a certain profile, type a / and press Enter; this action opens a panel showing all applicable line commands.
b. You can use the FORALL primary command on a record-level display to specify a command to be applied to all profiles on the current display. Without a parameter, the FORALL primary command displays a panel where a command can be entered. You can also enter the command directly as a parameter of FORALL.
2. To return to the User Selection panel, press PF3. (Press it twice if you are in the detail overview.)
Now try something a little more interesting, such as entering SYS* in the Userid field to display all user profiles whose names start with SYS. You can inspect the details for these users by selecting any displayed user profile line. If you have appropriate authority for the RACF database, you can change many of these fields by editing the field value in the panel. When you specify a new value, zSecure performs checks to prevent accidental changes. For the purpose of the example, do not attempt to make any changes now.
Note: When specifying selection criteria in a field, you can use the generic characters asterisk (*) and percent sign (%).
User selection panel details
The User Selection panel is split into the following sections:
v Use the first section to add a new user or segment.
v Use the second section to specify the most commonly used RACF management selection criteria.
v Use the third section mostly to report on the RACF database using more advanced selection criteria. For example, you can report on all user profiles that have the SPECIAL and OPERATIONS attributes.
v Use the fourth section to customize the resulting output from your query.
To select fields for the advanced selection criteria (third section) and output customization (fourth section), place a / next to the desired field. Then, press Enter.
Note: Most of the fourth section of the panel can be modified only if the Print format field has been selected by placing a / in front of it and pressing Enter. Before you can use the Send as e-mail option in this section, you must specify SMTP configuration parameters in the Setup output definition panel, as described in "Setting up Output" on page 52. For now, continue without selecting the Print format option.
zSecure displays any user profile that matches the criteria you enter in the User Selection panels. If nothing is specified for a particular field, that field is ignored during the search. Several fields accept /. The / means that the option is selected, and profiles matching the specified parameter or parameters are displayed (or an additional selection panel is displayed). Most fields also accept the S command to activate the selection option. Blank means that the option is ignored for selecting profiles. For example, typing / in the Attributes field opens the User Attributes panel illustrated in Figure 7 on page 11.
Figure 7. User Attributes panel (title "zSecure Admin+Audit for RACF - RACF - User Attributes"). The panel is headed "All users: Specify groups of criteria that the userids must meet" and has the following groups, each with an OR selector:
v Systemwide and group authorizations: Special, Operations, Auditor, Class auth, Group-special, Group-oper, Group-audit
v Logon status: Revoked, Revoked group, When day/time, Inactive, Protected, Passw expired, Certificate, ID mapping, Pass phrase, Phrase expired
v User properties: Has RACLINK, Restricted, User audited, Mixed case pwd
v CKGRACF features: Queued cmds, Schedules, Userdata, MultiAuthority
v Connect authority: a two-character operator field followed by 1. Use, 2. Create, 3. Connect, 4. Join

To display all user profiles having system-wide Operations authority, type / in the Operations field of the Systemwide and group authorizations section. Then, press Enter. This operation shows all user profiles that have system-wide Operations authority.
In the Connect authority field, you can select a user based on the specified connect authority. Only users that have at least one group connection that satisfies the comparison operator applied to the connect authority are shown. You can use the comparison operators shown in Table 2.
Table 2. Comparison operators for Connect authority field
Operator  Description
<         Less than the access specified
<=        Less than or equal to (at most) the access specified
>         More than the access specified
>=        More than or equal to (at least) the access specified
=         Exact access
~= or <>  All but the specified access
Tips: zSecure Admin and zSecure Audit for RACF combine all the properties you specify with AND logic except when otherwise indicated. Besides using /, you can also use Y and N.
By specifying the AND operator and using Y and N values in the input fields within a group, you can find users that have the attributes selected with Y and have none of the attributes selected with N. The Revoked option in the Logon status section checks for currently revoked users. The Password interval field checks for users who are subject to password expiration. This field is available on the panel that displays when you specify / in the Other fields field on the RA.U panel. After selecting this field, press Enter to open the User Attributes panel to specify the attributes for selecting data. Try searching for users with a non-expiring password and SPECIAL authority, or for users with non-expiring passwords and Operations authority. If you find any such users, other than possibly IBMUSER, you might investigate why they are defined this way.
As another example, you can type a / in the Specify scope field to examine the profiles within the scope of another userid or group. When you select this option, a panel opens for specifying the userid or group ID.
Using filters
In many panels, the input fields accept filters for selecting or excluding data. These are strings that can contain any of the following wildcard characters:
%   Match one nonblank character.
*   Match any number of characters within a single string but not a dot, such as a single data set name qualifier or a user name.
**  Match any number of qualifiers at the end of a profile name.
:   Search for the specified characters anywhere within a name; not used for class names or data set qualifiers.
zSecure Admin and zSecure Audit for RACF use Enhanced Generic Naming (EGN) notation, whether your RACF is in EGN mode or not.
Selecting dates
Several selection fields are meant for dates. You can use a variety of values and operators. However, all year values must be specified in four digits. Table 3 shows examples of date selection values and operators.
Table 3.
Date selection values and operator examples
Operation     Meaning
= 04jul2004   July 4, 2004
< 04jul2004   Any day before July 4, 2004
= never       A date was never set
= today       Activity happened today
= today-3     Three days before today
< today-30    More than thirty days ago
> 01jan2005   Any day after January 1, 2005
A date with the value DUMPDATE is the date your RACF database was unloaded. If you are using the live RACF database, specifying the value DUMPDATE is the same as using the value TODAY.
Note: When entering dates in selection fields, you must specify an operator in the small, two-character input field and the date value in the larger field.
Showing application segments
To show application segments, enter the action command SE in front of a user profile. A panel opens with a list of application segments defined for this user.
Tip: Instead of using the SE action command, you can type a / in front of Show segments in the Output/run options section of the selection panel. This action opens a User Segments panel so that you can specify which segments you want to see.
If you select Segment presence together with the Show segments field in the Additional selection criteria section, a panel opens with a list of segments. You can select a segment and specify additional selection criteria based on segment information. For example, you can select users based on output settings in the TSO segment.
Displaying group profiles
This section describes the procedure to display group profiles and query group profiles. To display group profiles, complete the following steps:
1. Return to the Main menu by pressing End or Return.
2. From the RA menu, select option G (Group). Then, press Enter to open the Group Selection panel. This panel, shown in Figure 8, provides some of the most frequently used selections applicable to group profiles.
Like the User Selection panel, this panel has the following sections:
v Add New Group or Segment
v The common selection criteria
v Additional selection criteria
v Output/run options
Depending on the additional selection criteria or output and run options you select with the / character, you might be taken to another panel to specify additional selection criteria. After making your selection, press PF3 to return to the Group Selection panel.

Figure 8. Group Selection panel (title "zSecure Admin+Audit for RACF - RACF - Group Selection"). The panel contains a "start panel" field, an "Add new group or segment" field, and "Show groups that fit all of the following criteria": Group id (group profile key or filter), Owner (group or userid, or filter), Subgroup of (group or filter), With subgroup (group or filter), Installation data (data scan, no filter except *). Additional selection criteria: Profile fields, Connect fields, Segment presence, Absence, Specify scope. Output/run options: Show segments, Print format, Background run, Print connects, All, Expand universal, Customize title, Send as e-mail, Full detail form, Sort differently, Print names, Print subgroups, Narrow print.

3. In the Group id field, type your default group or a group name string; for example, type ABC* for all group profiles starting with the string ABC.
4. Press Enter to search the RACF database and display the group profile information in the Group Overview panel. The display, shown in Figure 9, looks very similar to the User selection overview except that it shows different columns and Group profiles instead of User profiles.
Figure 9.
Group Overview panel
Using universal groups
All RACF profiles have a maximum size. The connect information for all connected users is stored in a normal Group profile. This implies that there is a maximum number of users that can be connected to a Group profile. The maximum number is approximately 6000 users. For very large RACF databases, this number might not be sufficient. This is the reason for the universal group. When the UNIVERSAL attribute is assigned to a Group profile, users with a default connection (connect to the group with USE authority and no connect attributes) are no longer stored in the Group profile. Only users that have a connect attribute like group-SPECIAL or group-OPERATIONS, or a connect authority exceeding USE, are stored in the Group profile. The advantage of the universal group is that an unlimited number of users can be connected to this universal Group without its reaching the maximum size of a Group profile. So in large RACF databases, it is no longer required to split a very large Group by making a copy of the Group and connecting additional users to this new Group. The disadvantage of the universal Group is that, when displaying the Group profile, you cannot determine which users are connected to the Group without searching all User profiles to find the users that are actually connected to this universal Group. In zSecure Admin and zSecure Audit you can automate this search using the Expand universal feature.
Note: Using this feature implies a full database read, and can cause the response time to be much longer.
There are two fields related to the UNIVERSAL attribute of Group profiles: Universal Group and Expand universal. If you enter a / before Profile fields, a panel similar to the one shown in Figure 10 on page 15 opens.
Figure 10. Group profile field selection panel (title "zSecure Admin+Audit for RACF - RACF - Group Selection", headed "All profiles: Show groups that also fit all of the following criteria"):
v Selection by date: Creation date, with a two-character operator field and a date field (date: yyyy-mm-dd/ddMMMyyyy/DUMPDATE/DUMPDATE-nnn/TODAY/TODAY-nn/NEVER)
v Miscellaneous fields: Complex (complex name or filter); # connected users and # subgroups, each with an operator field (< <= > >= = <> ¬=) and a value
v Enter "/" to specify selection criteria: Universal group, Queued commands, Userdata

To use the universal groups feature, perform one of the following actions:
v On the panel shown in Figure 10, type a / in the Universal group field. This selection searches the RACF database for universal groups only.
v Type a / in the Expand universal field in the Group Selection panel shown in Figure 8 on page 13. This selection causes all connected users, instead of just users with a non-default connect, to be displayed in the detail overview.
Tip: To see how the Expand universal option works, list a universal group twice: First list the group with the option enabled, and then list the group with the option disabled. Notice the differences in the lists of connected users.
Connecting and removing users
There are several ways to connect Users to a Group:
v Issue the CO line command (connect) in the Group or User profile overview panel.
v Use a C (copy) or D (delete) line command in the Group or User profile detail panel preceding a line containing connect details of a User or Group.
v Edit (overtype) the current values in the lines containing the connect information. This action generates a new connect command for the new value entered, and it generates a remove command for the overwritten value.
If you do not want to execute the Remove command, delete it from the command confirmation panel before pressing Enter. When the line command CO is used on a user or group profile, a Connect panel opens as illustrated in Figure 11 on page 16. (For Group profiles, you can add connections for up to 10 users in one operation.)

Figure 11. Add / copy connect panel (title "zSecure Suite - RACF - Add connect"). Create new connect: Userid (CRMCKF1 in the example) and Group (group or filter). Optional connect attributes: Authority (USE, CREATE, JOIN or CONNECT), Default UACC (N/R/U/C/A), Connect owner, Future revoke date (MM/DD/YY), Future resume date (MM/DD/YY), and the Revoke, Special, Operations and Auditor flags. Enter a group for a single connect. Leave the field blank or enter a filter (e.g. SYS*) to get a selection list.

Use the panel shown in Figure 11 to connect the User to another Group. In this panel, you cannot change the Userid field. When the CO command is issued for a Group profile, it is the Group field that cannot be modified instead. Optionally, you can specify connect attributes in the lower half of the panel. When using line command C instead of CO on a User or Group profile detail panel, you can connect the same User to another Group or connect another User to the same Group. It is even possible to modify both the Userid and the Group fields in the connect panel at the same time, connecting another User to another Group.
Reviewing dataset profiles
This section describes how to view dataset profiles, enable warning mode, and view and manage the access control list. To display dataset profiles, complete the following steps:
1.
To return to the Main menu, press Exit (PF3) in the Group Selection panel.
2. Select Option D to open the Data set Selection panel. You are still in the RACF subselection. This panel, shown in Figure 12 on page 17, is normally used to inquire about dataset profiles.

Figure 12. Data set Selection panel (title "zSecure Admin+Audit for RACF - RACF - Data set Selection"). The panel contains a "start panel" field, an "Add new DATASET profile or segment" field, and "Show dataset profiles that fit all of the following criteria": Dataset profile, with a matching option 1 EGN mask, 2 Exact, 3 Match, 4 Any match (1 is the initial value); Owned by (group or userid, or filter); High level qual (qualifier or filter); Installation data (substring or *). Additional selection criteria: Profile fields, Access list, Segment presence, Absence, Specify scope. Output/run options: Show segments, Print format, Background run, Print ACL, All, Customize title, Full detail form, Resolve to users, Enable full ACL, Send as e-mail, Sort differently, Incl operations, Narrow print, Print names.

This panel is used in much the same way as the user profile panel. Specify criteria in as many or as few fields as you like. If nothing is entered in a field, then that field is not used as a selection or rejection criterion during the database search. If you press Enter without specifying any information, all existing dataset profiles are displayed, which usually results in too much data. Dataset profile is the most important field on the Data set Selection panel. If you know the name of the profile you are looking for, you can specify it here with the Exact option.
You can also specify an EGN mask that covers the profile, match the name of a data set to the profile that covers it (Match), or look for all matching profiles (Any match). For example:
1. Type SYS1.** and empty all other fields, leaving 1 for EGN mask. Remember that in EGN, the name pattern SYS1.* (with one asterisk) matches any name with a single qualifier following SYS1. If you specify SYS1.** (with two asterisks), this value matches any name with any number of qualifiers behind SYS1. For example, you can look for any profile that begins with SYS by using a filter like SYS*.**.
2. Press Enter. A panel opens showing all the dataset profiles starting with SYS1. This panel is like the panel shown in Figure 13 on page 18.

Figure 13. Dataset profile overview for the mask SYS1.** (header: "zSecure Admin+Audit for RACF DATASET Overview, 1 s elapsed, 0.2 s CPU; like SYS1.**, 8 Apr 2005 00:25"). The S/F column shows the audit levels for successful and failed accesses (U_R means successful UPDATE and failed READ attempts are logged); W flags warning mode.
Profile key          Type     UACC    Owner    S/F  W
SYS1.ACDS            GENERIC  NONE    SYSPROG  U_R
SYS1.BRODCAST        GENERIC  UPDATE  SYSPROG  __R
SYS1.CMDLIB          GENERIC  READ    SYSPROG  U_R
SYS1.COMMDS          GENERIC  NONE    SYSPROG  U_R
SYS1.C#M.LINKLIB     GENERIC  NONE    SYSPROG  U_R
SYS1.CSSLIB          GENERIC  NONE    SYSPROG  U_R
SYS1.DFQLLIB         GENERIC  NONE    SYSPROG  U_R
SYS1.DGTLLIB         GENERIC  NONE    SYSPROG  U_R
SYS1.DUMP*.**        GENERIC  NONE    SYSPROG  R_R
SYS1.HASPACE         GENERIC  NONE    SYSPROG  R_R
SYS1.IBM.PARMLIB     GENERIC  NONE    SYSPROG  U_R
SYS1.IBM.PROCLIB     GENERIC  NONE    SYSPROG  U_R
SYS1.ICEDGTL         GENERIC  NONE    SYSPROG  U_R
SYS1.ICEISPL         GENERIC  NONE    SYSPROG  U_R
SYS1.ISAMLPA         GENERIC  NONE    SYSPROG  U_R
SYS1.ISP*            GENERIC  NONE    SYSPROG  __R
SYS1.JESCKPT*.**     GENERIC  NONE    SYSPROG  R_R
SYS1.LINKLIB         GENERIC  NONE    SYSPROG  U_R
SYS1.LOCAL.LINKLIB   GENERIC  READ    SYSPROG  U_R
SYS1.LOCAL.VTAMLIB   GENERIC  READ    SYSPROG  U_R
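The filter wildcards from "Using filters" and the EGN mask, Match and Any match options described above follow mechanical rules that are worth seeing in code. The following is an added example written for this guide, not zSecure or IBM code: it implements the wildcard semantics the text describes (%, *, ** and a leading :), applies them both as a selection filter and as generic data set profile matching, and ranks the covering profiles most-specific-first. The ranking is an assumed simplification of RACF's rule (at the first position where two covering profiles differ, a literal character outranks %, which outranks *, which outranks **); the profile list is constructed sample data taken from the figures in this section.

```python
"""Filter and generic-profile matching as described for the zSecure selection panels.

Added example, not zSecure or IBM code. Assumptions: the specificity ranking
below is a simplified model of RACF's most-specific-first rule, and ".**" also
covers zero further qualifiers (which is why SYS1.DUMP*.** covers SYS1.DUMP00).
"""
import re

# Profile keys shown in Figure 13 and Figure 15 (constructed sample data, not a live RACF database).
PROFILES = [
    "SYS1.ACDS",
    "SYS1.BRODCAST",
    "SYS1.DUMP*.**",
    "SYS1.ISP*",
    "SYS1.LINKLIB",
    "SYS1.LOCAL.LINKLIB",
    "SYS1.*.**",
]

_RANK = {"**": 0, "*": 1, "%": 2}   # lower = less specific; literals rank 3 (assumed ranking)


def _tokens(pattern):
    """Split a filter or profile key into literal characters and wildcard tokens."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append("**")
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return out


def filter_to_regex(pattern):
    """Translate a selection filter into a compiled regular expression.

    %   one nonblank character (never a dot)
    *   any characters inside a single qualifier (never a dot)
    **  any number of qualifiers at the end; ".**" also matches zero qualifiers
    :   (leading) substring search anywhere in the value
    """
    if pattern.startswith(":"):
        return re.compile(re.escape(pattern[1:]), re.IGNORECASE)
    parts = []
    for tok in _tokens(pattern):
        if tok == "**":
            if parts and parts[-1] == r"\.":
                parts.pop()                       # fold the preceding dot into the group
                parts.append(r"(?:\.[^.]+)*")
            else:
                parts.append(r".*")
        elif tok == "*":
            parts.append(r"[^.]*")
        elif tok == "%":
            parts.append(r"[^. ]")
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_filter(pattern, value):
    """True when the panel filter 'pattern' selects 'value' (a profile key or other field)."""
    return filter_to_regex(pattern).search(value) is not None


def profiles_like(mask, profiles):
    """EGN mask option: profile keys covered by the mask, e.g. 'like SYS1.**' in Figure 13."""
    return [p for p in profiles if matches_filter(mask, p)]


def _specificity(profile):
    """Rank tuple for most-specific-first ordering (assumed simplification of RACF's rule)."""
    return tuple(_RANK.get(tok, 3) for tok in _tokens(profile))


def any_match(dsn, profiles):
    """Any match option: every profile covering the data set name, best match first."""
    hits = [p for p in profiles if matches_filter(p, dsn)]
    return sorted(hits, key=_specificity, reverse=True)


def best_match(dsn, profiles):
    """Match option: the profile RACF would actually use for the data set, or None."""
    hits = any_match(dsn, profiles)
    return hits[0] if hits else None


if __name__ == "__main__":
    print(profiles_like("SYS1.**", PROFILES))
    print(any_match("SYS1.DUMP00", PROFILES))     # SYS1.DUMP*.** ranks above SYS1.*.**
    print(best_match("SYS1.DUMP00", PROFILES))
```

The second entry returned by any_match is the fallback profile that would silently take over if the first were deleted; that is the reason the Any match display lists the less specific profiles under the best match.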
Other selection criteria are available:
v Best match result
1. To exit the data set overview and return to the Data set Selection panel, press PF3.
2. In the Dataset profile field, type SYS1.DUMP00 and select 3 for Match.
3. Press Enter. A panel similar to the one shown in Figure 14 opens showing the profile best matching SYS1.DUMP00.

Figure 14. Best match result (header: "DATASET Overview, 1 s elapsed, 0.4 s CPU; exact match SYS1.DUMP00, 8 Apr 2005 00:25"):
Profile key      Type     UACC  Owner    S/F  W
SYS1.DUMP*.**    GENERIC  NONE  SYSPROG  R_R

v Any match result
1. To exit the data set overview and return to the Data set Selection Panel, press PF3.
2. In the Dataset profile field, leave the SYS1.DUMP00 value, and select 4 for Any match.
3. Press Enter. A panel similar to the one shown in Figure 15 on page 19 opens showing all profiles matching SYS1.DUMP00. The best-fitting profile is shown in the top line. In addition, less specific profiles are shown that would match the resource if the top profile were deleted.

Figure 15. Any match result (header: "RACF DATASET Overview, 1 s elapsed, 0.5 s CPU; any match SYS1.DUMP00, 8 Apr 2005 00:25"):
Profile key      Type     UACC  Owner    S/F  W
SYS1.DUMP*.**    GENERIC  NONE  SYSPROG  R_R
SYS1.*.**        GENERIC  NONE  SYSPROG  U_R

v In addition to the mask and matching selection options, other selection criteria are available. These can be very useful when you are searching for a specific type of dataset profile. For example:
1. Press PF3 to return to the Data set Selection panel.
2. Type / in the Profile fields in the Additional selection criteria area.
This action opens another panel so that you can specify additional selection criteria.
Finding profiles in warning mode
Warning mode means that all accesses are permitted, but a warning message is issued when the access would otherwise have resulted in a violation. Warning mode is usually a temporary measure, because it permits any action on data sets covered by the profile; a profile left in warning mode protects nothing and should be reviewed. To list all the profiles that are in warning mode, complete the following steps:
1. Make sure that there is a / next to the Warning mode field and remove the selection (/) next to the No warning field.
2. Press Enter. The display lists all profiles that are in warning mode. Your search can be more specific, such as HLQ=PAYROLL and Warn mode.
3. Press PF3 to return to the Data set Selection panel. Then try entering PROD.** (or something meaningful for your installation) in the Dataset profile field and 2 (READ) in the UACC or ID(*) field. (This is found in the same panel where earlier you selected the warning mode.) Remember to reapply the / next to the No warning field in the inclusion criteria section.
4. Press Enter. This action produces a list of production data sets that any user can read.
5. Press PF11. This action shows additional fields such as the ERASE (E) field. If a profile has the RACF ERASE ON SCRATCH (EOS) attribute, then any dataset protected by the profile is physically erased when it is deleted, to ensure data confidentiality.
6. Use the S line command or move the cursor to the beginning of any displayed data line to obtain the details for that particular profile.
Note: Remember that many lines in the displays can be expanded. Enter an S in the first field of the line or position the cursor in the first field and press Enter.
Displaying discrete profiles
To display discrete profiles, complete the following steps:
1. Return to the Data set Selection panel.
2. Erase the Dataset profile field.
3.
Type a / before Profile fields in the Additional selection criteria section. Then press Enter.
4. Make sure that nothing is filled in for the UACC at least field.
5. Check that there is a / in the Discrete selection field in the Data set Selection panel.
6. Remove the / from the Generic selection field, and leave all other selection criteria as they are.
7. Press Enter. This action produces a list of all existing discrete dataset profiles.
Tip: Remember that zSecure Admin and Audit for RACF combine multiple selection properties with AND logic.
Displaying the access control list (ACL)
The next steps open a list of dataset profiles from which you select a specific profile to obtain detailed information, like the access control list (ACL), as well as information related to each entry in the ACL and some of its characteristics. Select a dataset profile that you know has multiple, complex usage permissions in your RACF database. You can use wildcard characters to specify the selection criteria. The following examples select dataset profiles with a name pattern matching SYS1.** as an example, but use one that is appropriate for your installation. In the Data set Selection panel, complete the following steps:
1. Type the profile name in the Dataset profile field.
2. Type a / next to the Enable full ACL field in the Output/run options section.
3. Press Enter to open the list of all matching profiles.
4. Select the most complex dataset profile from the list, based on your knowledge.
5. Type an S line command for that line. Then press Enter.
Figure 16. Normal ACL (detail display "zSecure Admin+Audit for RACF DATASET Overview, Line 1 of 33; any matching SYS1.PROCLIB, 6 Oct 2009 03:31"). Identification: Profile name SYS1.PROCLIB, Type GENERIC, Volume serial list (empty), Effective first qualifier SYS1 (MOST SUPERIOR GRO), Owner SYSPROG (SYSTEM PROGRAMMIN), Installation data (empty). Access list (columns User, Access, ACL id, When, RI, Name, DfltGrp):
-group-  ALTER  SYSPROG
-group-  READ   SYS1
Safeguards: Erase on scratch No; Audit access success/failures U R; Global audit success/failures (none); User to notify of violation (none); Days protection provided (none). Other permissions: Allow all accesses WARNING No; Universal access authority READ; Resource level 0.

In Figure 16, you can see that in this case the ACL contains only group entries.
Access control list formats
In RACF, you can easily have multiple, inconsistent access permissions for a resource. For example, you can have read permission through a group to data set XXX and you can also belong to another group that has update permission to XXX. RACF grants the user the highest access level available in such multiple permissions. In our example, the user would have update authority. Additionally, a specific user permit takes precedence. RACF resolves multiple access permissions to determine the operative permission. zSecure Admin and Audit can display resolved permissions, or it can display exploded permissions, showing all permissions that exist. The resolved permission is the only one that counts when granting access to a resource, but an exploded list is vital when trying to determine why a user has a certain level of access to a resource.
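The difference between an exploded list and a resolved one, and the extra rows that OPERATIONS authority contributes to the ACL EXPLODE and ACL EFFECTIVE displays described in this section, is easiest to see when the resolution is written out. The following is an added example written for this guide, not zSecure or IBM code. The profile, users and connects are constructed sample data modelled on the SYS1.PROCLIB figures; the resolution rules are assumptions about RACF that the text only states in part: access levels are ordered NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER, an explicit entry for the userid takes precedence over group entries, the highest applicable group entry wins otherwise, UACC applies when no entry does, and OPERATIONS grants ALTER (shown as ALTER-O) only when neither the user nor one of its groups is on the access list. Restricted users, conditional access and the global access table are not modelled.

```python
"""Deriving the ACL EXPLODE, ACL RESOLVE and ACL EFFECTIVE views from RACF data.

Added example, not zSecure or IBM code. The access-resolution rules and the
sample profile/users below are assumptions and constructed data, see the lead-in.
"""
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # access list: user or group id -> access
    warning: bool = False                     # WARNING mode: violations become warnings


@dataclass
class User:
    userid: str
    groups: tuple = ()          # connect groups
    operations: bool = False    # system-wide OPERATIONS attribute


def explode(profile, users):
    """ACL EXPLODE: one row per access path, (userid, access, acl id, reason)."""
    rows = []
    for u in users:
        if u.userid in profile.acl:
            rows.append((u.userid, profile.acl[u.userid], u.userid, "user"))
        for g in u.groups:
            if g in profile.acl:
                rows.append((u.userid, profile.acl[g], g, "group"))
        if u.operations:
            rows.append((u.userid, "ALTER-O", "-", "oper"))
    return rows


def resolve(profile, user):
    """ACL RESOLVE: the single access a user gets from the access list or UACC.
    OPERATIONS authority is deliberately not considered here."""
    if user.userid in profile.acl:
        return profile.acl[user.userid]                # specific user permit wins, even NONE
    via_groups = [profile.acl[g] for g in user.groups if g in profile.acl]
    if via_groups:
        return max(via_groups, key=RANK.__getitem__)   # RACF grants the highest level
    return profile.uacc


def effective(profile, user):
    """ACL EFFECTIVE: like resolve, plus ALTER-O for OPERATIONS users that no
    access list entry (user or group) restricts (assumed RACF rule)."""
    on_acl = user.userid in profile.acl or any(g in profile.acl for g in user.groups)
    if user.operations and not on_acl:
        return "ALTER-O"
    return resolve(profile, user)


def check_access(profile, user, requested):
    """Decide a request: normal check, or warning mode as described in the text."""
    have = effective(profile, user).split("-")[0]
    if RANK[have] >= RANK[requested]:
        return True, "permitted"
    if profile.warning:
        return True, "WARNING mode: access permitted, warning message issued"
    return False, "violation"


# Constructed sample data modelled on Figure 16 and Figure 17 (not a live RACF database).
PROCLIB = Profile("SYS1.PROCLIB", uacc="READ", acl={"SYSPROG": "ALTER", "SYS1": "READ"})
USERS = [
    User("C#MBERT", groups=("SYSPROG", "SYS1")),
    User("CRMBFT1", groups=("SYSPROG", "SYS1"), operations=True),
    User("DEPT2", groups=("SYS1",)),
    User("OPER1", groups=("QA",), operations=True),   # constructed: OPERATIONS, not on the ACL
]

if __name__ == "__main__":
    for row in explode(PROCLIB, USERS):
        print(row)
    for u in USERS:
        print(u.userid, resolve(PROCLIB, u), effective(PROCLIB, u))
```

Running it reproduces the two C#MBERT rows of the exploded list (ALTER via SYSPROG and READ via SYS1) collapsing to a single ALTER in the resolved view, and shows why OPER1 appears only in the EFFECTIVE view: the resolved view stops at UACC, the effective view adds the ALTER-O row.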
By default, zSecure Admin and Audit displays the access control list exactly as RACF would display it, but ordered by groupid or userid and including the userid, programmer name, and installation data. To show a list of all users connected to these permitted groups and any user who has permission for other reasons, type ACL EXPLODE or ACL X in the command line. This command opens an exploded list (which might be more than one line per user) showing those users with access to this profile. The detailed display indicates which access control list entries provide what level of access for the users. All users with access to the data set are displayed, along with their connect group; see Figure 17. Even access through system-wide and group-OPERATIONS is indicated.

Figure 17. Exploded ACL (detail display "zSecure Admin+Audit for RACF DATASET Overview, Line 1 of 63; any matching SYS1.PROCLIB, 6 Oct 2009 03:31"; identification as in Figure 16). Access list (columns User, Access, ACL id, When, RI, Name, DfltGrp):
C#MBERT  ALTER    SYSPROG          BERT JOHNSON           SYSPROG
C#MBERT  READ     SYS1             BERT JOHNSON           SYSPROG
CRMBFT1  ALTER-O  -        oper    FRANK TRATORRIA SPEC.  SYSPROG
CRMBFT1  ALTER    SYSPROG          FRANK TRATORRIA SPEC.  SYSPROG
DEPT2    READ     SYS1             USR =QA OW=DEPT        USR =QA CN
DFHSM    READ     SYS1

In Figure 17, the line:
CRMBFT1  ALTER-O  -  oper  -  FRANK TRATORRIA SPEC.  SYSPROG
shows an example where access is granted because the user has OPERATIONS authority. The following line shows that the user DEPT2 is connected to group SYS1 and has READ access on the dataset profile:
DEPT2  READ  SYS1  USR =QA OW=DEPT  USR =QA CN
A user can have multiple access rights to the same dataset profile through different paths. A line is shown for each of a user's access rights and group connections.
For example, as Figure 17 on page 21 shows, user C#MBERT is displayed in two different lines because this user is connected to group SYS1 and has READ access, and this user is also connected to group SYSPROG and has ALTER access.
Tip: Avoid using the EXPLODE option for routine work. The SORT option is best for general use.
To show only the highest level that a user has, complete the following steps:
1. Type ACL RESOLVE (R) in the command line. A list is displayed showing only one entry for each user, indicating exactly what access each user has. Be aware, however, that access by means of the system-wide and group-OPERATIONS attribute is not included in the resolved overview display.
2. Type ACL EFFECTIVE (F) in the command line. A list is displayed showing only one entry for each user, indicating exactly what access each user has. The list, however, also includes users who have access because they possess the OPERATIONS attribute.
3. Type ACL SORT ACCESS in the command line. A list is displayed showing the access control list by descending access level and, for each access level, by userid. See Figure 18.

Figure 18. Effective ACL (detail display "zSecure Admin+Audit for RACF DATASET Overview, Line 1 of 44; like SYS1.**, 8 Apr 2005 12:17"). Identification: DEMO; Profile name SYS1.PROCLIB; Type GENERIC; Volume serial list (empty); Effective first qualifier SYS1 (MOST SUPERIOR GRO); Owner SYSPROG (SYSTEM PROGRAMMIN); Installation data (empty). Access list (columns User, Access, ACL id, When, RI, Name, InstData):
C#MBERT  ALTER  SYSPROG  BERT JOHNSON
C#MBMR1  ALTER  SYSPROG  M RONTEL              AAAAAAAAAA
R##SLIN  ALTER  SYSPROG  BERT JOHNSON SPEC.
SYSPSTC  ALTER  SYSPROG  STC USER SYSPROG
CNRUNL   READ   SYS1     JUST A USER TO BE US
DEPT     READ   SYS1     USR =QA OW=SYS1       USR =QA CN
DEPT1    READ   SYS1     USR =QA OW=DEPT       USR =QA CN
DEPT2    READ   SYS1     USR =QA OW=DEPT       USR =QA CN
DFHSM    READ   SYS1
Effective ACL The ACL EFFECTIVE command shows you the effective access that individual users have, including access through system and group operations. If you also want to include ownership rights through owner, qualifier, or group-SPECIAL, you can toggle this on and off by using the commands ACL SCOPE and ACL NOSCOPE. If you want to see access rights and ownership rights separately but still resolved, you can specify ACL TRUST instead of ACL EFFECTIVE. Tip: To print a display, go to the command line and type PRT. This command prints the current display, including the full report width, which can be wider than the screen of the typical user, and the higher-level information leading to this panel. The printed output is placed in your ISPF LIST data set. When you exit ISPF, remember to print this data set. If you want to print the ISPF LIST data set without leaving ISPF, enter LIST in the command line and select your printing options in the resulting panel. 22 Version 1.13: Getting Started Changing the access list display settings This brief discussion of resolve and explode is an important feature for you to remember. You can change the layout of the access control list in these ways: v Use Option 5 from the Setup panel to access the Setup View panel. v Type SET in the Command area of an access control list display. v Type an ACL RESOLVE, ACL EXPLODE, or ACL EFFECTIVE command in the Command area of an access control list display. The first two methods remember the new mode for future use. The last method changes only the current display. To change the access list display settings from the Setup View panel, complete the following steps: 1. Type SETUP VIEW in the command line to open the Setup View panel shown in Figure 19. 
    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                       zSecure Admin+Audit for RACF - Setup - View
    Command ===>
    Access list format . . . .  2   1. No  2. Sort  3. Explode  4. Resolve  5. Effective
    ACL/Connect sort . . . . .  2   1. Id  2. User  3. Access
    Show OS specific options . . _ z/OS   _ z/VM
    _  Add user/group info to view (selecting this uses some additional storage - normally on)
    _  Add summary to RA displays for multiple RACF sources (normally on)
    _  Add connect date and owner to RA.U connect group section
    Select view  3   1. View only profiles you are allowed to change (administrator view)
                     2. View only profiles you are allowed to change or list
                     3. View all profiles (normal view)

Figure 19. Setup View panel

2. In the Access list format field, specify option 5.
3. Press PF3 to ACCEPT the new value. The value takes effect the next time you run a query. From now on, you see one line per user, showing that user's effective access level. The resolve or explode setting stays in effect until you change it.

The Setup View panel is one of the Setup panels. You can also reach it through the Setup menus, described next.

To change the access list display settings from the Setup panel, complete the following steps:

1. Return to the Main menu using PF3.
2. Select option SE (Setup).
3. Select option 5 (View).
   Tip: Instead of typing these commands, you can type =SE.5 in the command line to go directly to the Setup View panel.
4. To change the access list format back to SORT, type 2 in the Access list format field. The Sort format is the most appropriate format for general use.
5. Press PF3 to exit the panel.

Using the Access command

Note: The Access command is available only in the zSecure Admin product.
You can use the Access function (RA.1) to see which data sets or resources a specific user or group can access, and through which RACF profile. Given a user ID, a resource class, and a data set name, general resource name, or RACF profile name, the Access function answers the question of which profile covers the resource and what the resulting access is for that user.

    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                           zSecure Admin - RACF - Access Check
    Command ===>
    Id . . . . . . . .  IBMUSER_               Specify profile for Access Check
    Class  . . . . . .  DATASET_               (DATASET or class)
    Profile  . . . . .  SYS1.LOADLIB________   (EGN mask)

Figure 20. Access check entry panel

To use the Access function, complete the following steps:

1. In the Id field, type the user ID or group ID.
2. In the Class field, specify the resource class (DATASET or a general resource class name); in the Profile field, specify the data set name, resource name, or profile name.
3. Press Enter. The Access check detail panel shown in Figure 21 opens, showing the access level that RACF grants to this ID and where that access comes from.

    Menu  Utilities  Compilers  Help
    ------------------------------------------------------------------------------
    BROWSE    IBMUSER.CKRACF1.SDEMO.CKXOUT              Line 00000000 Col 001 080
    Command ===>                                                  Scroll ===> CSR
    ********************************* Top of Data **********************************
    CKGRACF ACCESS IBMUSER DATASET SYS1.LOADLIB
    CKG582I 00 IBMUSER has ALTER access to DATASET SYS1.LOADLIB profile DATASET SYS1.**
    ******************************** Bottom of Data ********************************

Figure 21. Access check detail panel
Managing access rights

There are several ways to administer the access control list of a data set profile:

v Issue the PE (permit) line command in the Data set profile Overview panel.
v Use a C (copy), D (delete), I (insert), R (repeat), or S (modify) line command in the data set profile detail panel.
v Type over the current value in the access control list. When you change a value, a Permit command is generated to add the new value and a Permit Delete command to remove the value that you overwrote. If you do not want the Permit Delete command to run, remove it from the command confirmation panel before you press Enter. Press Enter again in the next panel (zSecure Admin - Confirm command) to process your Permit command. For this evaluation, do not execute the RACF commands at this time.

Reporting digital certificates

Many companies use digital certificates to authenticate their authorized users. You can report on the digital certificates that are currently stored in your RACF database. To do so, complete the following steps:

1. Press PF3 until you are on the Main menu.
2. Select option DIGTCERT (RA.5) from the RA panel to open the DIGTCERT panel shown in Figure 22.

    Menu  Options  Info  Commands  Setup  Startpanel
    ------------------------------------------------------------------------------
                           zSecure Suite - RACF - DIGTCERT
    Command ===>
    Show certificates that fit all of the following criteria
    Owner  . . . . . . . .  _ Personal ________   _ Site   _ Certauth
    Start validity . . . .  __ ____________  (operator: > >= < <= = >< ¬=)
    End validity . . . . .  __ ____________  (date: yyyy-mm-dd/ddMMMyyyy/TODAY/TODAY-nn/NEVER)
    Trust  . . . . . . . .  _  1. TRUST  2. NOTRUST  3. HIGHTRUST  4. Ignore
    Output/run options
    _ Print format     _ Background run     _ Customize title    _ Full page form
    _ Send as e-mail   _ Sort differently   _ Narrow print

Figure 22.
To report all digital certificates stored in the RACF database, leave all fields blank and press Enter. This function is a quick way to find certificates that have expired or are about to expire. To find the certificates that are due to expire soon, complete the following steps:

1. Specify < TODAY+30 in the End validity field. This criterion selects only the certificates that have already expired or that expire within the next 30 days.
2. Using the Trust field, restrict the output to the certificates that are currently trusted (option 1), not trusted (option 2), or highly trusted (option 3).
3. Using the Owner field, select the certificates of one or more user IDs (PERSONAL), all certificate-authority certificates (CERTAUTH), or all site certificates (SITE). For PERSONAL certificates, you can use a filter to select several user IDs at once: the percent sign (%) matches exactly one character and the asterisk (*) matches zero or more characters.

You cannot generate RACDCERT commands from this panel.

Comparing users

Users often ask a question such as, "Why doesn't this function work for me when it works for my neighbor? I thought we were supposed to have the same access to that product?" You can use zSecure Admin and zSecure Audit for RACF to quickly compare the access and connect status of up to four users. To compare users, complete the following steps:

1. Press PF3 until you are on the Main menu.
2. From the Main menu, select option REPORTS (RA.3) from the RA panel. Select option G (Compare users) from the resulting panel to open the Compare users panel shown in Figure 23.
    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                  zSecure Admin+Audit for RACF - Reports - Compare users
    Command ===>
    Enter up to 4 userids to compare access and/or connects
    Userid . . . .  ________  ________  ________  ________
    Select report(s)
    /  Compare access through user-specific permits
       _  Include group permits
    /  Compare connects

Figure 23. Compare users panel

On this panel, you specify up to four users and the comparisons that you want. Up to two reports are generated: one for permits and one for group connects. The Permit report has three layers:

1. The classes in which permits are present, with the highest access of each user to any profile in that class.
2. The profiles in the selected class, again with the highest access of each user.
3. All permits for the selected users on a specific profile. This detailed display also repeats the information from the higher layers for this one entry, as shown in Figure 24.

    Compare PERMITs for users                                        Line 1 of 2
    Command ===>                                                   Scroll===> CSR
                                                               10 Oct 2006 00:07
    Class     Profiles  C#MBDV1  C#MBDV2
    DATASET         32  ALTER    ALTER
    Profile key                    C#MBDV1  C#MBDV2
    C#MA.D.HLLDV1.PADS.**          READ     ALTER
       Scope of  Access  Via      When
    __ C#MBDV1   READ    CR#BDV1  PROGRAM CKRCARLA
    __ C#MBDV2   ALTER   CR#BDV2
    ******************************* Bottom of Data ********************************

Figure 24. Compare permits detail panel

The connect report shows a matrix of all groups to which at least one of the users is connected, as shown in Figure 25:

    Compare CONNECTs for users                                       Line 1 of 6
    Command ===>                                                   Scroll===> CSR
                                                               10 Oct 2006 00:07
       Group     C#MBDV1  C#MBDV2
    __ C#MARACF  No       Yes
    __ C#MB      Yes      Yes
    __ C#MBREAD  Yes      Yes
    __ C#MBZDEV  Yes      Yes
    __ C#MCKG    No       Yes
    __ C#MGRACF  Yes      Yes
    ******************************* Bottom of Data ********************************

Figure 25. Compare connects matrix

Chapter 3. Managing users and profiles

Note: This chapter is applicable only to the zSecure Admin product.

Using zSecure Admin, you can change RACF data in the following ways:

v Type over the existing value in a field on a profile display.
v Use line commands in a profile display, such as C (Copy), D (Delete), R (Recreate), L (List), and SE (Segments).
v Use the Mass Update panels.
v Submit foreground or background RACF commands that are generated automatically by the various Report and Verify functions.
v Use the distributed functions described in Chapter 4, "Using distributed and scoped administration functions."

The first three methods (typing over a value, line commands, and Mass Update) are controlled by the Confirm panel in Setup; see "Generating and confirming RACF commands." The Confirm panel enables or disables the Overtype function and determines what verification is required before a RACF command that changes the database is run. You can set this confirmation control as you prefer, but until you are familiar with routine product usage, use the ALL or PASSWORDS setting.

Generating and confirming RACF commands

To generate and confirm RACF commands, complete the following steps:

1. Select option SE (Setup).
2. Select option 4 (Confirm) to open the Confirm panel, which shows the current settings, as in Figure 26.

    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                     zSecure Admin+Audit for RACF - Setup - Confirm
    Command ===>
    Action on command . .  2   1. Queue    2. Execute   3. Not allowed
                           _  Execute display commands (for option 1 only)
    Confirmation  . . . .  4   1. None     2. Deletes   3. Passwords   4. All
    Command Routing . . .  3   1. Ask      2. Normal    3. Local only
    Command generation   Enter "/" to select option(s)
    /  Overtype fields in panels
    /  Change generated commands
    /  Specify start/end date
    /  Generate SETROPTS REFRESH commands
    /  Issue prompt before generating SETROPTS REFRESH commands
    Commands to generate
    /  RACF commands
    /  CKGRACF commands
    /  CKGRACF ASK for later execution
    /  CKGRACF REQUEST for later execution
    _  CKGRACF WITHDRAW queued commands
    _  CKGRACF RDELETE queued commands

Figure 26. Confirm panel

3. Set the Action on command field to 2 (Execute).
4. Set the Confirmation field to 4 (All).
5. Set the Command Routing field to 3 (Local only).
6. Set Overtype fields in panels to /. This option is used in the following examples. Leave all other settings as they are, especially in the Commands to generate section.
   Tip: You can also switch modifiable fields on and off by entering the MODIFY command (or just M) in the command line of any profile display.
7. Press PF3 to accept the changed parameters.
8. Press PF3 again to return to the Main menu.

Tip: You can always reach the Confirm panel by typing SETUP CONFIRM or =SE.4 in the command line of any panel.

If you want to manage the RACF database from zSecure Admin under your own user ID, you must hold the appropriate RACF authority. This is usually the SPECIAL attribute, although group-SPECIAL may suffice if you are selective about the changes you attempt.
An alternative is to use the CKGRACF program, which has its own security scheme, instead of SPECIAL authority; see "Using CKG scope for group administration" in Chapter 4.

Performing a mass update

To perform a mass update, complete the following steps:

1. Select option RA (RACF Administration).
2. Select option 4 (MASS UPDATE) to open the Mass update panel shown in Figure 27.

With options 0 to 5 of the Mass Update panel, you manage profiles at the entity level, such as a user or a group. For example, when you delete a user, you delete not only the user profile but also all profiles that belong to the original user ID. The user's PERMITs and CONNECTs are removed as well, as is the ALIAS in the master catalog. All of this information is handled in one operation.

    Menu  Options  Info  Commands  Setup  StartPanel
    ------------------------------------------------------------------------------
                    zSecure Admin+Audit for RACF - RACF - Mass update
    Option ===>
    0  Copy user       Copy existing user(s) to new user(s)
    1  Copy group      Copy existing group(s) to new group(s)
    2  Copy dataset    Copy dataset profile(s) to another high level qualifier
    3  Copy resource   Copy general resource profile(s) to another class
    4  Delete user     Delete user(s)
    5  Delete group    Delete group(s)
    6  Recreate user   Recreate user(s)
    7  Recreate grp    Recreate group(s)
    8  Recreate ds     Recreate data set profile(s)
    9  Recreate res    Recreate general resource profile(s)
    C  Copy CICS       Copy CICS prefixed profile(s) or member(s)
    Product/release: IBM Security zSecure Admin and Audit for RACF 1.9.0

Figure 27. Mass update

The Mass Update panels provide many functions that are difficult to perform with regular RACF commands. Some especially important points are highlighted below.

Copying a user

You can clone an existing user with the Copy user option (option 0). Besides the user profile, this option also copies the permits and connects of the model user.
zSecure Admin also provides the option to create a user ALIAS in the master catalog. To copy a user, complete the following steps:

1. Select option 0 (Copy user) from the Mass Update panel to open the User Multiple copy panel shown in Figure 28.

    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                 zSecure Admin+Audit for RACF - RACF - User Multiple copy
    Command ===>
    Create new user(s) like existing user(s):          _ Specify password phrases
    Model     New user  Password  Name                  Owner     Dfltgrp   Data
    IBMUSER_  NEWUSER1  PSWD1___  PERSON_1____________  C#MB____  ________  _____________
    =_______  NEWUSER2  PSWD2___  PERSON_2____________  =_______  ________  _____________
    ________  ________  ________  ____________________  ________  ________  _____________
    ...                                          (eight more lines)
    Enter = to copy value from preceding line, leave blank to copy from model.
    Press ENTER to specify optional parameters.

Figure 28. User multiple copy panel

You can clone up to 10 users at a time, but for this evaluation, complete only the first line.

2. If you want to specify password phrases, type / in the Specify password phrases selection field. After you press Enter, a follow-up panel is displayed in which you enter the password phrases for the new user IDs.
You cannot use the protected option if you specify password phrases.
3. Specify the model user (type your own user ID), the new user ID, the name, and a password.
   Tip: Type * in the Password column to make the new user protected (a protected user ID has no password and cannot be used to log on).
4. Press Enter.
5. Press Enter in the next panel. This panel offers the following options for the new user:
   v Omit or add group connections.
   v Copy user data.
   v Revoke the new user or users.
   v Create one or more catalog aliases.
   v Copy one or more data set and general resource profiles.
   v Copy one or more members of RACF variables (RACFVARS) for the new user.
   Every command needed to create the new user from the model profile is generated. After a few moments, an ISPF/PDF edit panel is displayed with the complete set of RACF commands. Use PF8 and PF7 to scroll forward and backward, and make changes if required.
6. Press PF3 to leave the editor.
7. Press PF3 to skip the Result panel. The Result panel is described in Chapter 6, "Reporting."
8. Press PF3 until you are back on the Mass Update panel.

If the commands had been executed, the new user would have been defined exactly like the model user, including its permits and connects. You can also keep the generated commands in a data set for delayed execution.

Deleting a user with all references

You can completely remove a user with option RA.4.4 (Delete user), a tedious operation when done with regular RACF commands. Completely removing a user removes the user ID from all access control lists and from all owner and notify fields, in addition to removing the profile. If you have allocated a CKFREEZE file and select the required options, this operation also deletes the catalog alias and the user's existing data sets. See Figure 43.

Recreating a profile

You can recreate profiles with options RA.4.6 through RA.4.9, based on data in an unloaded RACF data set or in a backup copy of the RACF database itself.
This action can be used to repair profiles that were damaged by errors or deleted by mistake.

Merging profiles

There are several other interesting features for merging or comparing RACF databases. Merging is done by making an unloaded copy of one RACF database and using it to change and add profiles in another RACF database. All RACF commands to be used for the merge are listed for confirmation or editing. This command list is the result of comparing the relevant profiles in the RACF database and in the unloaded data set. A complete merge is more complex than described here and is fully documented in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual.

Displaying redundant profiles

It is good practice to regularly take a close look at the data set profiles defined in your RACF database. To determine which data set profiles are, or might be, obsolete, use the RA.3.3 function. This function opens the Reports Redundant panel shown in Figure 29.

    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                  zSecure Admin+Audit for RACF - RACF - Reports REDUNDANT
    Command ===>
    Show profiles that fit all of the following criteria:
    Profile pattern . .  _____________________________________________  (EGN mask)
    High level qual . .  SYSA____  (qualifier or EGN mask; reduces time)
    Complex . . . . . .  ________  (complex name or filter)
    Enter "/" to select option(s)
    _ Show data sets covered by each profile
    _ Including data sets on scratch tapes
    _ Output in print format
    _ Start each user or group on a new page
    _ Remove redundant profiles

Figure 29. Reports Redundant panel

In the panel shown in Figure 29, you specify which data set profiles or high-level qualifier (HLQ) you want to include in the report. If these fields are left blank, all data set profiles are processed.
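The test that the redundancy report applies to each profile can be stated in a few lines of code. The following Python model is added here as an illustration and is not the product's own code or algorithm: it picks, for every data set a profile protects, the profile that would protect that data set once the first one is deleted, and compares the two profiles' UACC, access list, audit and erase-on-scratch settings. The generic-name matching and the specificity ordering are simplified versions of the RACF enhanced-generic-naming rules, the reason texts (Uacc, Extra id, Access, Audit, Erase) are the model's own and not the product's, and the profile settings and data set names are constructed; only the profile names follow Figure 30 later in this section.

```python
"""Model of the Report Redundant comparison: a data set profile is redundant
when the profile that takes over its data sets after deletion has the same
UACC, access list, audit and erase-on-scratch settings.

Added illustration, not product code. Generic matching is simplified: '**' is
zero or more qualifiers, a lone '*' is one qualifier, and inside a qualifier
'*' is any run of characters while '%' is exactly one character."""
import re
from dataclasses import dataclass


@dataclass
class DsProfile:
    uacc: str
    acl: dict          # ACL id -> access level
    audit: str         # e.g. "FAILURES(READ)"
    erase: bool        # erase-on-scratch


def generic_regex(profile_name):
    """Translate a generic DATASET profile name into an anchored regex."""
    pieces = []
    for i, qual in enumerate(profile_name.split(".")):
        sep = "" if i == 0 else r"\."
        if qual == "**":
            pieces.append(r"[^.]+(?:\.[^.]+)*" if i == 0 else r"(?:\.[^.]+)*")
        elif qual == "*":
            pieces.append(sep + r"[^.]+")
        else:
            body = "".join("[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c)
                           for c in qual)
            pieces.append(sep + body)
    return re.compile("^" + "".join(pieces) + "$")


def specificity(profile_name):
    """Sort key: lower is more specific. A literal beats %, which beats *, which beats **."""
    scores, i = [], 0
    while i < len(profile_name):
        if profile_name.startswith("**", i):
            scores.append(3)
            i += 2
        else:
            scores.append({"%": 1, "*": 2}.get(profile_name[i], 0))
            i += 1
    return tuple(scores)


def best_match(dsname, names):
    """The profile RACF would use for dsname: the most specific matching one, or None."""
    matches = [n for n in names if generic_regex(n).match(dsname)]
    return min(matches, key=specificity) if matches else None


def first_difference(prof, cand):
    """First significant difference between a profile and its candidate, or None."""
    if prof.uacc != cand.uacc:
        return "Uacc"
    if set(prof.acl) != set(cand.acl):
        return "Extra id"
    if any(prof.acl[i] != cand.acl[i] for i in prof.acl):
        return "Access"
    if prof.audit != cand.audit:
        return "Audit"
    if prof.erase != cand.erase:
        return "Erase"
    return None


def analyze(profiles, datasets):
    """name -> (candidate, verdict); verdict is 'redundant', a reason, or 'no candidate'."""
    names = list(profiles)
    report = {}
    for name in names:
        covered = [d for d in datasets if best_match(d, names) == name]
        others = [n for n in names if n != name]
        takers = {best_match(d, others) for d in covered}
        if not covered or len(takers) != 1 or None in takers:
            # Nothing would take over, or several profiles would: never redundant.
            report[name] = (None, "no candidate")
            continue
        cand = takers.pop()
        report[name] = (cand, first_difference(profiles[name], profiles[cand]) or "redundant")
    return report


# Constructed sample: names follow Figure 30, settings and data set names are made up.
BASE_ACL = {"CCWADM": "ALTER", "CCWDEV": "READ"}
PROFILES = {
    "SYSA.D.CCW*.**":           DsProfile("NONE", BASE_ACL, "FAILURES(READ)", False),
    "SYSA.D.CCW300.**":         DsProfile("NONE", {**BASE_ACL, "CCW3": "UPDATE"}, "FAILURES(READ)", False),
    "SYSA.D.CCW300.*.BASELIST": DsProfile("NONE", {**BASE_ACL, "CCW3": "UPDATE"}, "FAILURES(READ)", False),
    "SYSA.D.CCWSCH.**":         DsProfile("NONE", BASE_ACL, "FAILURES(READ)", True),
}
DATASETS = ["SYSA.D.CCW300.V1.BASELIST", "SYSA.D.CCW300.V1.LOAD",
            "SYSA.D.CCW301.V1.LOAD", "SYSA.D.CCWSCH.DATA", "SYSA.D.CCW310.X"]

if __name__ == "__main__":
    for name, (cand, verdict) in analyze(PROFILES, DATASETS).items():
        print("%-28s %-14s candidate=%s" % (name, verdict, cand))
```

In the sample, SYSA.D.CCW300.*.BASELIST is reported redundant because SYSA.D.CCW300.** would protect the same data set with identical settings, while SYSA.D.CCWSCH.** differs from its candidate only in erase-on-scratch. That second case is the one to be careful with before generating delete commands: a difference in a single attribute may be an intended hardening, or a mistake made when the profile was defined.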
You can also specify whether to include in the report the names of all data sets covered by each data set profile.

The Report Redundant function compares the security definitions of a data set profile (UACC, access control list, audit settings, and erase-on-scratch setting) with those of the next less specific generic data set profile. When the security settings do not differ significantly, the profile is reported as -redundant-. This means that if the more specific profile is deleted, protection of its data sets is taken over by the less specific generic profile (marked -candidate-) without any change in the effective security definitions for those data sets.

    Redundancy analysis of dataset profiles                        Line 61 of 445
    Command ===>                                                  Scroll===> CSR
                                                               8 Apr 2005 15:57
    Complex  Timestamp         Profiles  Non-redundant
    DEMO     8 Apr 2005 15:57       445            364
    Qual   Profiles  Non-redundant
    SYSA        445            364
       Type     Volume  Profile name                   First reason
    __ GENERIC          SYSA.D.CCW*.**                 - candidate -
    __ GENERIC          SYSA.D.CCW*.**                 Extra group
    __ GENERIC          SYSA.D.CCWSCH.**               User privileged
    __ GENERIC          SYSA.D.CCW300.*.BASELIST       - redundant -
    __ GENERIC          SYSA.D.CCW300.**               - candidate -
    __ GENERIC          SYSA.D.CCW300.**               Access
    __ GENERIC          SYSA.D.CCW301.**               Access
    __ GENERIC          SYSA.D.CCW302.**               Extra group
    __ GENERIC          SYSA.D.CCW303.**               Access
    __ GENERIC          SYSA.D.CCW305*.**              Access
    __ GENERIC          SYSA.D.CCW310.**               Access
    __ GENERIC          SYSA.D.CCW311.**               Access
    __ GENERIC          SYSA.D.CCW312.**               Extra group

Figure 30. Report redundant details panel

In Figure 30, the following line shows a profile that takes over protection of the data sets when the profile marked -redundant- is deleted:

    __ GENERIC  SYSA.D.CCW*.**  - candidate -

The following line shows a profile that can be deleted because its security settings are the same as those of the candidate profile that takes over protection:
    __ GENERIC  SYSA.D.CCW300.*.BASELIST  - redundant -

The output of the redundancy report is an overview of all data set profiles with an indicator in the column headed First reason. This column can contain the following values:

-redundant-
   With the current security definitions, this profile is not required and can be removed. Protection of the data sets covered by the redundant profile is taken over by a less specific data set profile (marked -candidate-) that is displayed somewhere above the -redundant- profile in the same report.

-candidate-
   This profile takes over the protection of data sets that are currently protected by a more specific generic data set profile when that profile is deleted.

reason
   A short text describing why this profile differs significantly from the next less specific generic data set profile and therefore is not considered redundant. Sample reason values are Extra group, User privileged, and Access. When several differences exist, only the first reason is reported.

The redundancy report helps you find data set profiles that have become obsolete over time. Optionally, you can generate RACF commands to delete the profiles reported as -redundant-. Be aware, however, that you might not want to delete every profile marked -redundant-. The profile may look redundant only because a mistake was made when it was defined: for example, you or another RACF administrator forgot to activate erase-on-scratch or to change the audit setting as intended, so the difference that was meant to exist was never applied.

Tip: The redundancy analysis can also point out mistakes that were made when data set profiles were defined.

Displaying data structure

Another very useful report when managing your RACF database is the Group tree report.
In native RACF, the only way to display the structure of the RACF database is the Group tree report of the DSMON utility. For each requested group, this report lists all of its subgroups, all of the subgroups' subgroups, and so on. It also lists the owner of each group in the report if the owner is not the superior group. Only users with the AUDITOR attribute can run DSMON; the Group tree report of zSecure Admin, by contrast, does not require the AUDITOR attribute. zSecure Admin provides a standard function for the Group tree report, which visualizes the group tree structure much as a file browser displays the contents of a hard disk or network drive. To run the Group tree report, complete the following steps:

1. Select option RA (RACF Administration).
2. Select option 3.8 (Group tree) to open the Reports Group tree panel shown in Figure 31.

    Menu  Options  Info  Commands  Setup
    ------------------------------------------------------------------------------
                  zSecure Admin+Audit for RACF - RACF - Reports Group tree
    Command ===>                                                    _ start panel
    Show structured group tree display:
    Group id . . . .  ________  (group profile key or filter)
    Start at . . . .  ________  (group or filter, show only groups below)
    Scope of . . . .  ________  (group special, show only groups in scope)
    Exclude  . . . .  ________  (group or filter)
    Complex  . . . .  ________  (complex name or filter)
    Enter "/" to include data in output
    /  Installation data
    /  Users/Subgroups
    Enter "/" to select option
    _  Output in print format
    'Start at' is only allowed with an unload as data source, not a live database

Figure 31. Group tree selection panel

To display only a particular branch of the RACF group tree, enter a group name (or filter) in the Start at field. This option is available only when you run against an unloaded data source, not against a live RACF database.
If all fields are left blank, the entire group tree for your RACF database is displayed. Optionally, you can indicate that you want to include the Installation data in the group tree report by entering a / in front of Installation data. The Installation data is generally used to store the group description. Furthermore, to include detailed information regarding subgroups and connected users in a detail level panel, type a / in front of the Users/Subgroups field. 3. Press Enter to open the Group tree report panel, which shows all groups in your current RACF database. See Figure 32. zSecure Admin+Audit for RACF GROUP TREE DISPLAY 1 s elapsed, 0.5 s CPU Command ===> _________________________________________________ Scroll===> CSR_ 8 Apr 2005 16:57 Complex Groups DEMO 267 Group structure Lvl Subgrp Connct SupGroup Owner X __ SYS1 1 19 11 ........ IBMUSER_ X __ BOOKS 2 0 0 SYS1____ SYS1____ __ C# 2 7 1 SYS1____ SYS1____ __ C#ADMIN 3 0 10 CR______ CR______ __ C#M 3 9 2 CR______ CR______ __ C#MBCCW 4 0 5 C#M_____ C#M_____ __ C#MCKG 4 0 33 C#M_____ C#M_____ __ C#MPC2E 4 0 9 C#M_____ C#M_____ __ C#MPC4R 4 0 0 C#M_____ C#M_____ __ C#MQ 4 23 0 C#M_____ C#M_____ __ C#MQA 5 8 241 C#MQ____ C#MQ____ __ C#MBQAHW 6 2 1 C#MQA___ C#MBWTK_ X __ C#MBQAHU 7 0 0 C#MBQAHW C#MBQAHW __ C#MBQAH2 7 0 1 C#MBQAHW C#MBWTK_ X __ C#MBQALU 6 0 1 C#MQA___ C#MQA___ __ C#MBQAMC 6 0 12 C#MQA___ C#MQA___ __ C#MQA#HI 6 0 0 C#MQA___ C#MQA___ __ C#MQAT#1 6 0 0 C#MQA___ R##SLIN_ X Figure 32. Group tree report panel 36 Version 1.13: Getting Started In the Group tree report panel shown in Figure 32 on page 36, the X in the X column indicates a scope break for group special users because owner is not equal to the superior group. 4. If you requested Installation data, press PF11 to review the information. 5. Press PF8 a few times to look at more parts of the group tree structure. 6. 
If detailed information was included in the report and you want to view it, enter the S line command in front of a group to open the Group tree report detail panel shown in Figure 33. zSecure Admin+Audit for RACF RACF GROUP TREE DISPLAY Line 1 of 11 Command ===> _________________________________________________ Scroll===> CSR_ 8 Apr 2005 16:58 Group structure Lvl Subgrp Connct SupGroup Owner X C#MCDEMO 4 1 5 C#MC C#MC User Auth R SOA AG Uacc Name InstData _ C#MCCW1 USE _ ___ __ NONE /CCW + VIEW WORKSHOP HANDS-ON USER _ C#MCCW2 USE _ ___ __ NONE /CCW + VIEW WORKSHOP HANDS-ON USER _ C#MCCW3 USE _ ___ __ NONE /CCW + VIEW WORKSHOP HANDS-ON USER _ C#MCCW4 USE _ ___ __ NONE /CCW + VIEW WORKSHOP HANDS-ON USER _ C#MCCW5 USE _ ___ __ NONE /CCW + VIEW WORKSHOP HANDS-ON USER SubGroup _ C#MCDEM2 Figure 33. Group tree report detail panel Running SETROPTS reports and viewing class settings To take a close look at or administer the current system-wide RACF options or the Class Descriptor Table (CDT), using zSecure Admin, you can use either the RA.S or AU.S functions. This section provides information about the RA.S function. Details on the AU.S version of the SETROPTS and RACFCLAS reports are discussed in Chapter 8, “Auditing system integrity and security,” on page 67.For more detailed information, see Figure 55 on page 68 and Figure 57 on page 69. To run SETROPTS reports and view class settings, complete the following steps: 1. Select option RA (RACF Administration). 2. Select option S (Settings) to open the SETROPTS and class settings panel shown in Figure 34. zSecure Admin+Audit for RACF Display Selection 1 s elapsed, 0.6 s CPU Command ===>_________________________________________________ Scroll===> CSR_ Name Summary Records Title _ SETROPTS 1 1 RACF SETROPTS system settings _ RACFCLAS 208 208 RACF class settings _ RRSFNODE 0 0 RACF remote sharing facility nodes ******************************* Bottom of Data ******************************** Figure 34. 
SETROPTS and class settings panel

As Figure 34 shows, the SETROPTS and RACFCLAS reports are generated automatically.
3. In the SETROPTS selection field, type the S command to open the SETROPTS report shown in Figure 35 on page 38.

RACF SETROPTS system settings                                      Line 1 of 68
Command ===> _________________________________________________ Scroll===> CSR_
                                                              15 Apr 2005 11:19
Complex DEMO   System DEMO

General RACF properties
  Access Control active             Yes
  Force storage below 16M           No
  Check all connects GRPLIST        Yes
  Check genericowner for create     Yes
  NOADDCREATOR is active            Yes
  Dynamic CDT active                No
  RACF local node                   DEMO
  RRSF propagate RACF commands      No
  RRSF propagate applications       No
  RRSF propagate passwords          No
  RRSF honour RACLINK PWSYNC        Yes
  Application ID mapping stage      0
  Level of KERB processing          0
  Primary Language                  ENU
  Secondary Language                ENU

Data set protection options
  Prevent duplicate datasets        No
  Protectall                        Yes/fail
  Automatic Dataset Protect         No
  Enhanced Generic Naming           Yes
  Prefix one-level dsns             ONEQUAL
  Prevent uncataloged dsns          Yes/fail
  GDG modelling                     No
  USER modelling                    No
  GROUP modelling                   No
Figure 35. RACF settings SETROPTS report

You can use this report to investigate the RACF system-wide settings; use PF7 and PF8 to scroll the report up and down.
Note: This report is available only in zSecure Admin.
You can also administer most of the SETROPTS options from this panel by typing over the current value with the value you want. zSecure Admin then generates the appropriate SETROPTS command to apply the change; like every other generated command, it is subject to the Confirm settings described in Chapter 5. Press PF3 to return to the SETROPTS and Class Settings panel.
To view the class settings report, complete the following steps:
a. Enter the S command in the RACFCLAS report selection field to open the RACF class settings panel shown in Figure 36.

RACF class settings                                               Line 1 of 197
Command ===> _________________________________________________ Scroll===> CSR_
                                                              15 Apr 2005 11:19
  Class     Active  Description
_ ACCTNUM   Active  TSO account numbers
_ ACICSPCT  Active  CICS program control table
_ AIMS      Active  IMS application group names (AGN)
_ ALCSAUTH          Supports the Airline Control System/MVS (ALCS/MVS) product
_ APPCLU    Active  Verify ID of partner logical units during VTAM session estab
_ APPCPORT  Active  Controls which user IDs can access the system from a given L
_ APPCSERV  Active  Controls whether a program being run by user can act as a se
_ APPCSI            Controls access to APPC side information files
_ APPCTP            Controls the use of APPC transaction programs
_ APPL      Active  Controls access to applications
_ BCICSPCT  Active  Resource group class for ACICSPCT class
_ CACHECLS          Profiles for saving and restoring cache contents
_ CBIND             Controls the client's ability to bind to the server
_ CCICSCMD  Active  Used to verify that user is permitted to use CICS syst prog
_ CIMS              IMS command resource group
_ CONSOLE   Active  Controls access to MCS consoles
_ CPSMOBJ           Used by CICSPlex SysMgr for operational controls
Figure 36. RACF settings RACFCLAS report

b. To view the full detail settings of a resource class, enter the S line command in its Class selection field.
c. Optionally, enter the R line command to refresh the resource class, or type over the existing value in the Active column. Type Y, A, or Active to activate a resource class that is currently inactive; type N or blanks to deactivate a resource class that is currently active. Deactivating a class takes effect system-wide as soon as the generated SETROPTS command runs, so treat this overtype with the same care as the command itself.
Note: This functionality is available only in zSecure Admin.

Chapter 4. Using distributed and scoped administration functions
This section describes the distributed administration functions, which are only a selected subset of the administrative functions available.
This section also provides information about the group auditor view.

Administering groups using RACF scope
Note: This function is available only in zSecure Admin.
To limit functionality to a group administrator's natural RACF scope, the program must be run in restricted mode. You can achieve this by using any of the following methods:
Method 1
  Create an XFACILIT profile CKR.READALL with UACC(NONE) and give READ permits only to the central administrators. This method is the easiest and is the most suitable for an evaluation. Note that anyone who obtains READ on CKR.READALL leaves restricted mode, so the access list of this profile is itself worth auditing.
Method 2
  Access the RACF database through Program Access to Data Sets (PADS). This can be overridden by a READ permit on the XFACILIT profile CKR.READALL. This method is the safest, but it can be difficult to set up.
Method 3
  Use a SIMULATE RESTRICT command in SETUP PREAMBLE. This method works only to test your own scope.
Method 4
  Issue the command SETUP VIEW and select 1 or 2 under Select view:
  1. View only the profiles you are authorized to change (administrator view).
  2. View only the profiles you are authorized to change or list.
  This method provides an additional scope restriction. However, this restriction is not called restricted mode but administrator view. Like method 3, this method works only to test your own scope. It prevents you from displaying profiles to which you have only READ access, and it ignores system-wide privileges, so it is even more restrictive than the natural RACF scope.
Because methods 3 and 4 are set by users in their own Setup, they let you test a scope; only methods 1 and 2 enforce one.

Accessing the Quick Administration panel
Note: This function is available only in zSecure Admin.
You can access the Quick Admin function using one of the following two methods:
Method 1
  v Select option X (Exit) from the Main menu.
  v Type CKR,STARTTRX(MENU(RA.Q)) in the command line under ISPF Option 6 to start the Quick Admin application. See Figure 37.
Method 2
  Select RA.Q from the Main menu to open the Quick Admin panel shown in Figure 37.
You can use the Quick Admin panel to access the most frequently used functions required by a central or decentralized user administrator, hiding the details. The Quick Admin panel relies on the system-SPECIAL or group-SPECIAL attribute of the administrator, so it grants no authority the administrator does not already hold. The options in the panel can be hidden by CKR.OPTION.RA.Q... profiles, but otherwise the menu works as shown.

Menu  Options  Info  Commands  Setup  StartPanel
-------------------------------------------------------------------------------
                        zSecure Admin – RACF - Quick admin
Command ===> _________________________________________________________________
1  Password        Set new password for user
2  Resume          Make sure user can work
3  Display         List user definition
4  Modify          Change user definition
5  Connect         Add group to a user
6  Add user        Create new userid from scratch
7  Add user copy   Create new userid like existing model
8  Phrase          Set new password phrase for user

Userid . . . . .  ________  (type userid and press enter)
New password . .            (type new password, option 1 only)
Verify password             (type new password again, option 1 only)
Group . . . . . . ________  (type connect group, option 5 only)
Figure 37. Quick Admin

Using CKG scope for group administration
Note: This function is available only in zSecure Admin.
zSecure Admin provides the CKGRACF program as the base for distributed RACF control, that is, Helpdesk and Group Admin. The CKGRACF program is designed to provide the following functionality:
v Access to commonly used Helpdesk functions, such as password reset, through menus.
v Access to commonly used Group Admin functions, such as permits and connects, through menus.
v Access to Helpdesk and admin functions without granting group-SPECIAL authority.
v Granular controls over user authorization to use CKGRACF functions.
CKGRACF differs from the main CKRCARLA program in that it performs most of its tasks through APF-authorized interfaces, whereas the main program generates normal RACF commands whenever possible. Because those generated commands run under the user's own RACF authority, the user of the main CKRCARLA program must have sufficient administrative RACF authority to execute them. The commands are generated when you overtype a parameter or use line commands to change profiles. The main zSecure Admin ISPF panels sometimes call the CKGRACF program to make RACF changes when no standard RACF command can be generated to make the required change; updating user data fields is the best example of this.
The CKGRACF user does not require any special RACF authority such as the SPECIAL or group-SPECIAL attribute. The CKGRACF program, using APF interfaces, adopts whatever authority it needs for a task. Therefore, you must control who can use the CKGRACF program by putting each CKGRACF user or group of users in the access control lists of several XFACILIT class profiles. By creating these profiles and PERMITing selected users, you control who can perform specific functions through CKGRACF. An entry on these access lists is in effect a grant of RACF administrative power, so review and audit it as you would the SPECIAL attribute.
This section addresses two categories of CKGRACF users:
v Help desk users issuing commands such as password reset and resume.
v Decentralized administrators issuing permits or connects.
The Helpdesk functions are performed from a separate panel, while the group administrator's functions are available through the normal zSecure Admin panels. You can tailor the menus by adding RACF profiles in the XFACILIT class. Each profile represents a function, and access is granted using the usual access rules. By default all options are shown, but after you have implemented a tailored menu, only the granted functions are shown to the zSecure Admin user. For your evaluation, give yourself full authority for all CKGRACF functions and then explore the functions.
Setting up the XFACILIT class controls for a realistic group of distributed administrators should be a one-time job, but it can be tedious. It involves the following steps:
1. Defining exactly which RACF groups are associated with which administrators.
2. Defining which CKGRACF functions are to be given to which administrators.
3. Creating the necessary RDEFINE and PERMIT commands to create this environment.
Because of the time required to define the class controls, complete your initial product evaluation without attempting to establish granular controls. To give yourself full CKGRACF authority, you or someone with RACF SPECIAL authority must issue the following RACF command:
permit ckg.** class(xfacilit) acc(update) id(yourid)
This permit is as powerful as it sounds: UPDATE on CKG.** lets the userid perform every CKGRACF function, so remove it again when the evaluation is over.

Accessing the single panel Helpdesk
Note: This function is available only in zSecure Admin.
You can access the Helpdesk function using one of the following methods:
Method 1
  v Select option X (Exit) from the Main menu.
  v Type CKR,STARTTRX(MENU(RA.H)) in the command line under ISPF Option 6 to start the Helpdesk functions. See Figure 38.
Method 2
  Select RA.H from the Main menu to open the Helpdesk panel shown in Figure 38.
Use this panel to perform the most frequently used functions required by a central or decentralized Helpdesk employee. To see how the Helpdesk function works, complete the following steps:
1. Type a userid in the Userid field.
2. Press Enter to open the Helpdesk panel displaying the selected information about the userid, as shown in Figure 38.

Menu  Options  Info  Commands  Setup  StartPanel
-------------------------------------------------------------------------------
                         zSecure Admin – RACF - Helpdesk
Option ===> ________________________________________________________________
1  List          List RACF profile information
2  Password      Set a new password
3  Default       Set the password to the user's default value
4  Previous      Set the password to the previous value
5  Resume        Resume a userid after too many password attempts
6  Disable       Temporarily disable logon for a userid
7  Enable        Allow user to logon after a Disable
8  Set default   Define a default password for a userid

Userid . . . . . .  ________  (type userid and press enter)
New password . . .            (type new password)
Verify password  .            (type new password again)
Reason . . . . . .  _________________________________________________________
Workflow option . . 1   1. Request  2. Withdraw  3. Approve  4. Deny
Figure 38. Single panel Helpdesk

3. To see the user details, select 1 in the Helpdesk panel.
Now that you have checked the status of the userid, you can make changes, such as setting a new password (option 2). In the initial configuration, you see the CKGRACF command before it is executed. To suppress this confirmation prompt for individual administrators, type setup confirm in the command line, or use the Set default option (option 8) to suppress the prompt for all administrators.

Using the Helpdesk
Note: This function is available only in zSecure Admin.
Perhaps the most important CKGRACF functions for the Helpdesk are related to passwords, and to revoke or resume. The following table lists the available functions and describes how they work.
Table 4. Helpdesk password-related functions
Set a new password (option 2)
  Set a new password and enter it twice. zSecure Admin and zSecure Audit for RACF do not use RACF commands to update the user profile; CKGRACF authority is used instead. The user is also resumed.
Enable a default password (option 3)
  The password is set to the default password for the user. A central administrator must previously have set the personal default password for the user. The Helpdesk administrator does not see the password. The user is also resumed.
Enable the previous password (option 4)
  The previous password is enabled again. In this case, the administrator does not see the password.
The previous password is automatically marked as expired; the user can use it only once more, for the next logon. The user is also resumed.
Set default (option 8)
  Define a default password for a userid.

The concept of a default password (option 3) is new to RACF. The intention is that a simple (and perhaps low-quality) password is defined for each user, with each user selecting a word or number that can be remembered indefinitely. Only the central RACF administrator sees this word when it is established using CKGRACF; other administrators do not see it when it is invoked. If the normal password for a user becomes unavailable for some reason, any Helpdesk administrator can enable the default password for that user. The user is expected to create a new normal password as soon as possible. This approach is better than using system-wide reset passwords such as SYS1, SECRET or PSWPSW: a shared reset password is known to every operator who has ever used it and is the first guess against any freshly reset userid, whereas a per-user default is known only to that user and the central administrator.

Tailoring the Helpdesk
You can tailor the Helpdesk panel for the installation in either of the following ways:
v Through XFACILIT profiles starting with CKR.OPTION.RA.H, you can selectively enable and disable options in the Helpdesk.
v Using SETUP NLS, you can modify the text and options in the panel.
Of the two, only the XFACILIT profiles enforce who may use a function; SETUP NLS changes what the panel shows. Some functions, such as setting the default password or a new password, or setting authority levels, are user management functions and should be available to a limited number of people. You can define CKR.OPTION profiles in the XFACILIT class to restrict the use of management functions. Thus, the installation can specify which options are shown in the Helpdesk panel for each user and selectively delegate responsibilities in the organization. If the access control list of the corresponding profile grants a user access, the user is allowed to perform the function. Otherwise the line command is not shown in the action list and its use is prohibited.
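The XFACILIT controls described in this chapter (CKR.READALL for restricted mode under "Administering groups using RACF scope", CKG.** for full CKGRACF authority, and the CKR.OPTION.RA.H profiles for tailoring the Helpdesk) are ordinary RACF general-resource profiles, so they can be defined in one batch TSO step. The job below is an added example, not from this guide or from IBM. The group names RACFADM (central administrators) and HELPDSK (help desk staff), the userid EVALUSR, the generic profile CKR.OPTION.RA.H.** and the READ access level for menu options are assumptions; the per-option profile names under CKR.OPTION.RA.H are not given on this page and must be taken from the product reference documentation. The job also assumes that XFACILIT is active and RACLISTed, that generic profile checking is on for the class, and that the submitter has RACF SPECIAL.

```jcl
//CKRXFAC  JOB (ACCT),'ZSECURE XFACILIT',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example, not part of the zSecure guide. Defines the three
//* XFACILIT controls used by zSecure Admin restricted mode, CKGRACF
//* and the tailored Helpdesk, then refreshes the RACLISTed class.
//* Placeholders (assumptions): RACFADM, HELPDSK, EVALUSR and the
//* generic CKR.OPTION.RA.H.** profile.
//*--------------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 RDEFINE  XFACILIT CKR.READALL UACC(NONE) -
   DATA('ZSECURE: READ HERE SWITCHES OFF RESTRICTED MODE')
 PERMIT   CKR.READALL CLASS(XFACILIT) ID(RACFADM) ACCESS(READ)
 RDEFINE  XFACILIT CKG.** UACC(NONE) AUDIT(ALL(UPDATE)) -
   DATA('ZSECURE: CKGRACF FUNCTIONS - UPDATE IS FULL AUTHORITY')
 PERMIT   CKG.** CLASS(XFACILIT) ID(EVALUSR) ACCESS(UPDATE)
 RDEFINE  XFACILIT CKR.OPTION.RA.H.** UACC(NONE) -
   DATA('ZSECURE: HELPDESK MENU OPTIONS (PLACEHOLDER GENERIC)')
 PERMIT   CKR.OPTION.RA.H.** CLASS(XFACILIT) ID(HELPDSK) ACCESS(READ)
 SETROPTS RACLIST(XFACILIT) REFRESH
 RLIST    XFACILIT CKR.READALL AUTHUSER
 RLIST    XFACILIT CKG.**      AUTHUSER
/*
```

AUDIT(ALL(UPDATE)) on CKG.** asks RACF to log every successful UPDATE-level check against the profile to SMF, which gives you a trail of CKGRACF use; whether a particular CKGRACF action drives such a check is something to verify on your own system. The two RLIST commands at the end print the resulting access lists so you can confirm that CKR.READALL is held only by central administrators, since any userid with READ on it is no longer in restricted mode. A SETROPTS RACLIST REFRESH is needed whenever XFACILIT is RACLISTed, which is the usual configuration; without it the new profiles are not seen until the next refresh.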
Figure 39 on page 46 shows an example of a tailored Helpdesk panel that does not contain options 2, 6 and 8, because the user lacks the required access in the applicable CKR.OPTION.RA.H profiles.

Menu  Options  Info  Commands  Setup  Startpanel
-------------------------------------------------------------------------------
                         zSecure Admin – RACF - Helpdesk
Option ===> __________________________________________________________________
1  List          List RACF profile information
3  Default       Set the password to the user's default value
4  Previous      Set the password to the previous value
5  Resume        Resume a userid after too many password attempts
7  Enable        Allow user to logon after a Disable

Userid . . . . . .  ________  (type userid and press Enter)
Reason . . . . . .  _________________________________________________________
Workflow option . . 1   1. Request  2. Withdraw  3. Approve  4. Deny
Figure 39. Tailored Helpdesk panel

Chapter 5. Managing data with the Setup functions
The Setup functions control which data is used by zSecure Admin and zSecure Audit for RACF, and enable you to switch data sources while using them. Other Setup functions set global switches and parameters. You have already seen some of these with the Resolve and Explode options.

Adding data
So far, you have used only your live RACF data to display various profiles. This section teaches you how to create and use the following additional data sources:
v An unloaded RACF database.
v A CKFREEZE data set that contains extracted information from all your DASD and from various internal z/OS tables.
To begin this process, complete the following steps:
1. Return to the Main menu, using PF3 as necessary.
2. Select option SE (Setup) to open the Setup panel shown in Figure 40.
3. If you are on a 24-line display, press PF8 and PF7 to scroll up and down in the panel.
Tip: Before continuing, you can select Options 0 through 5 (one at a time) in the Setup panel to obtain a general overview of the various setup options.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                       zSecure Admin+Audit for RACF - Setup
Command ===> _________________________________________________________________
0  Run             Specify run options
1  Input files     Select and maintain sets of input data sets
2  New files       Allocate new data sets for UNLOAD and CKFREEZE
3  Preamble        Carla commands run before every query
4  Confirm         Specify command generation options
5  View            Specify view options
6  Instdata        Customize installation data appearance
7  Output          Specify output options
8  Command files   Select and maintain command library
U  User defined    User defined input sources
C  Change Track    Maintain Change Tracking parameters
N  NLS             National language support
T  Trace           Set trace flags and CARLa listing for diagnostic purposes
D  Default         Set system defaults
R  Reset           Reset to system defaults
I  Installation    Specify installation defined names
Figure 40. Setup

Adding new files
To input new files, complete the following steps:
1. From the initial Setup panel, shown in Figure 40, select Option 2 (New files) to open the New files panel shown in Figure 41 on page 48.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                   zSecure Admin+Audit for RACF - Setup - New files
Command ===> _________________________________________________________________
Create new unload file from the RACF database, and/or CKFREEZE file
Data set with unload from RACF database, use UNLOAD as last qualifier
Unload . . . . . . ______________________________________________
I/O configuration file, use CKFREEZE as last qualifier
Ckfreeze . . . . . ______________________________________________
Description for this set of input files
Description . . .  __________________________________________________________
Enter data set names and description and press ENTER
Figure 41. New files panel

2. Type a data set name in the Unload line. An input set can contain multiple coherent files. When entering the data set names, use quotation marks if necessary, that is, if the data set names should not have your userid as the high-level qualifier. It does not matter whether these data sets exist yet; however, if they do exist, they must be cataloged.
3. Type a data set name in the CKFREEZE line, using quotation marks if necessary.
4. Type a short, unique description of the files in the Description line, for example, UNLOAD and CKFREEZE data sets created on 8 Apr 2005.
Tip: It is good practice to use the Description field to indicate what kind of data sets are part of this set. Later, this saves you from having to open the set in browse or edit mode to see which data sets it includes.
5. Press Enter. If one or both of the data set names you specified do not exist, the allocation entry panel shown in Figure 42 on page 49 opens to allocate and catalog the new data sets.

Menu  Options  Info  Commands
-------------------------------------------------------------------------------
                          zSecure Suite - Setup - New files
Command ===> __________________________________________________________________
CKFREEZE file not found. Change dataset name, or specify allocation parameters
Dataset name . . . MYNAME.CKFREEZE________________________________
Allocation parameters to create new dataset:
Volume serial . .   ______    (Blank for authorized default volume)
Generic unit . .    ________  (Generic group name)
Space units . . .   _____     (KB, TRKS, or CYLS)
Primary quantity    ________  (In above units, press HELP for suggestion)
Secondary quantity  ________  (In above units)
Record format . .   VBS__     (VB or VBS)
Block size . . .    27998__
Logical Record Len  X______   (X or maximum record length)
Press ENTER to allocate dataset, press END to stop processing
Figure 42. Typical allocation panel

6. Type the appropriate allocation parameters, but do not change the DCB attributes.
7. Press Enter. You see the allocation panel a second time if both named data sets are new.
Running these panels allocates and catalogs your new data sets using dynamic allocation. The first time you create an unloaded RACF copy and a CKFREEZE data set, you must specify ample disk space. For RACF unloads, allow as much space as is used by your live RACF database. For CKFREEZE files, allow at least 2 MB for each online volume, plus space for catalog and HSM information. Do not alter the DCB parameters. Until you are familiar with the disk space required, specify a large secondary allocation quantity (such as 100 MB). Keep in mind that the unload is a copy of your security database and the CKFREEZE describes your entire I/O configuration; protect both data sets with DATASET profiles at least as restrictive as those on the live RACF database.
Tip: After creating your first unloaded RACF copy and CKFREEZE data sets, use ISPF to examine them to determine how much disk space was actually used. This information makes estimating future usage easier.
After the files have been allocated, the panel shown in Figure 43 opens.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
zSecure Audit for RACF - Setup - Input fi                       Row 2 from 3
Command ===> ________________________________________________ Scroll ===> CSR_
Enter REFRESH on command line and press ENTER to generate UNLOAD job
Description . . . . Unload_and_CKFREEZE_data_sets_created_8_Apr_2005____________
Complex . . . . . . ________   Version . . . . ____
RRSF node . . . . . ________   Local node for RRSF
Enter data set names and types. Enter dsname with .* to get a list
Valid line commands: E I R D
Type END or press PF3 when complete. Type SAVE to save set, CANCEL to quit.
Type REFRESH to submit unload job.
  Data set name or DNSPREF=, or Unix file name              Type      NJE node
_ 'HLQ.CKR.SDEMO.UNLOAD'                                    UNLOAD    ________
_ 'HLQ.CKR.SDEMO.CKFREEZE'                                  CKFREEZE  ________
******************************* Bottom of data ********************************
Figure 43. Input file panel to define data set definition

Refreshing and loading files
The data sets listed constitute one input set. An input set can contain multiple CKFREEZE data sets, multiple SMF files, and multiple HTTP log files. However, an input set can contain only one RACF unload, or one or more RACF data sets (from one split database).
To refresh and load files, complete the following steps:
1. In the Input file panel (Figure 43 on page 49), type REFRESH in the command line. Then press Enter to open the Job submission panel.
2. In the Job submission panel, type a valid job card in the Job statement information section.
3. Use the Edit JCL option (2) to open the normal ISPF editor to customize the JOB statement and make any other necessary changes to the job. For example, you might need a JOBLIB or STEPLIB statement to access zSecure Admin and zSecure Audit for RACF. If you copied zSecure Collect for z/OS (CKFCOLL) to an authorized library in the LNKLST, you do not need a JOBLIB or STEPLIB statement for it. Assign a job class with a large or unlimited region size.
4. Submit the job. Wait until the job runs. If there is a long queue of jobs waiting to run, you can exit from zSecure Admin and zSecure Audit for RACF while the job completes. The job itself takes only a few minutes to run, unless you have a very large configuration. You can add NOTIFY=yourid to the job card. If the job fails, the problem is usually that there is not enough storage; a region size of 64 MB is usually sufficient to run zSecure Collect for z/OS.
After the job is completed, continue with the next procedure.
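The allocation that the panel in Figure 42 performs through dynamic allocation can also be done in batch, which is useful when the CKFREEZE collection is to run from a scheduler rather than from a TSO session. The job below is an added example, not from this guide or from IBM. It uses the DCB attributes the panel shows (RECFM=VBS, BLKSIZE=27998, LRECL=X) and the data set name from Figure 43; the unit name SYSDA and the sizing, which assumes about 50 online volumes at the 2 MB per volume given above, are assumptions. The UNLOAD data set is deliberately not allocated here, because this page does not show the DCB attributes the panel supplies for it.

```jcl
//CKRALLOC JOB (ACCT),'ALLOC CKFREEZE',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example, not part of the zSecure guide. Allocates and
//* catalogs a CKFREEZE data set with the DCB attributes that the
//* Setup - New files allocation panel (Figure 42) prescribes.
//* Assumptions: HLQ.CKR.SDEMO as qualifiers, UNIT=SYSDA, about 50
//* online volumes. Sizing from the text: at least 2 MB per online
//* volume plus catalog/HSM data, so 50 x 2 MB = 100 MB. With two
//* 27998-byte blocks per 3390 track (15 tracks per cylinder) a
//* cylinder holds about 0.84 MB, so 120 cylinders primary and, as
//* the text advises, a large secondary (another ~100 MB).
//*--------------------------------------------------------------------
//ALLOC    EXEC PGM=IEFBR14
//CKFREEZE DD  DSN=HLQ.CKR.SDEMO.CKFREEZE,
//             DISP=(NEW,CATLG,DELETE),
//             UNIT=SYSDA,
//             SPACE=(CYL,(120,120)),
//             DCB=(DSORG=PS,RECFM=VBS,LRECL=X,BLKSIZE=27998)
```

LRECL=X is the JCL spelling of the panel's "X" logical record length and tells the access method that spanned records may exceed 32760 bytes, which is why the record format must stay VBS. After the job runs, add the data set to an input set through Setup option 1 or 2 as described above, and give it a DATASET profile that limits READ to the people entitled to see the whole I/O configuration.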
Selecting the input set
To select the input set, complete the following steps:
1. To open the Input file panel, type SE.1 (Option 1 on the Setup panel) in the Command line. The Input file panel should show the input set you just created, with the description you entered for the input files. An example is shown in Figure 44.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
zSecure Admin+Audit for RACF - Setup - I                        Row 1 from 4
Command ===> ________________________________________________ Scroll ===> CSR_
(Un)select (U/S) set of input files or work with a set (B, E, R, I, D or F)
  Description                                             Complex
_ UNLOAD and CKFREEZE data sets created 8 Apr 2005                  selected
_ Active backup RACF data base                            DEMO      selected
_ Active primary RACF data base                           DEMO
_ Active backup RACF data base and live SMF data sets     DEMO      selected
******************************* Bottom of data ********************************
Figure 44. Input file selection

In Figure 44, the input file sets marked as selected are the ones zSecure Admin and zSecure Audit for RACF are now using as input data. The other input sets (Active primary RACF data base, Active backup RACF data base, Active backup RACF data base and live SMF data sets) are always present. You can switch to any input set defined in this display. For example, you can switch between the unloaded files you just created and the live RACF databases by going to this panel and selecting the appropriate input set. To select an input set, type S in the entry field for that input set. You can change input selections many times during a session, although this is not typical usage.
2. Type U to remove the selection from Active backup RACF data base and live SMF data sets, which is currently selected.

Using other Setup parameters
The Setup panel sets a number of allocation and formatting characteristics for zSecure Admin and zSecure Audit for RACF.
Inspect these settings and make any necessary changes; the default settings are appropriate for most users. The most used Setup options are the Confirm and View options.

Setting up INSTDATA
Use the INSTDATA parameter to define the layout of the installation data field so that it can be displayed in business-oriented terms in the standard panels.

Setting up View
Information about the View options is available in “Changing the access list display settings” on page 23. The following sections describe the remaining settings of the View options and the Confirm options.
The ACL/Connect sort selection defines the sort order of the access control list and of the connects. It performs the following types of sorts:
v By ID (user or group in the access control list) if you select option 1.
v By Userid (after exploding) if you select option 2.
v By descending access level (Alter to None) or connect authority (Join to Use) if you select option 3.
These sort options make scanning the ACL and connects easy and help you find what you are looking for quickly; option 3 in particular puts the most privileged entries at the top, which is the order a reviewer usually wants.
You can use the Show OS specific options selection to switch between z/OS and z/VM specific options, or tag both to see all options.
When you select the Add summary to RA displays for multiple complexes option, an extra summary section is added to the display panels for options RA.U, RA.G, RA.D, and RA.R. The summary information shows profile differences when multiple complexes are selected. This setting is not saved in your ISPF profile. This option is enabled by default.
Use the Add connect date and owner to RA.U connect group section option to add the connect date and connect owner to the RA.U connect group section.
The Add user/group info to view parameter specifies whether to display information about users and groups (including connect groups) on ACLs. Although this setting provides more complete information, it causes zSecure Admin and zSecure Audit for RACF to use much more virtual storage, which requires a larger TSO region.
In the selection field for a parameter, type a / to set a switch on, or blank to set the switch off.

Setting up Output
The Output panel (Option 7 on the Setup panel) contains the SMTP options. You must specify these options if you want to e-mail reports through the Send as e-mail panel options or the M (E-mail report) action command in the Results panel. Ask your system programmer for the correct settings.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                        zSecure Admin+Audit for RACF - Setup
Command ===> _________________________________________________________________
Report options for following runs
Pagelength . . . . _____
Linelength . . . . _____
_ Convert all printed output to uppercase

Print options                            SMTP options
Destination . . .  _________________     SMTP node . . . . ________
Sysout class . .   _                     SMTP sysout . . . _
Writer id . . . .  ________              SMTP writer . . . ________
Copies . . . . .   ___
Character set . .  ____
FCB . . . . . . .  ____
Forms . . . . . .  ____
Output descriptor  ________
Forms overlay . .  __
Figure 45. Setup output definition panel

In the Setup Output panel shown in Figure 45, the SMTP node field specifies the job entry subsystem (JES) destination to which e-mails are routed for final processing. If the SMTP server is running on your local system, this field can be left blank or you can specify local. The SMTP sysout field specifies the JES output class to be used for the SMTP output processing of e-mails. The SMTP writer field specifies the external writer name that SMTP uses to select an e-mail SYSOUT data set; the external writer name is equal to the SMTP address space name, usually SMTP. Defining these SMTP options is required when using e-mail as the output destination. Reports sent this way contain the same security data as the panels, so confirm with your system programmer where that SMTP path delivers them.

Setting up Confirm
The Confirm panel (Option 4 of the Setup panel) is important.
Note: See "Generating and confirming RACF commands" on page 29 for additional information about the Confirm panel.

The first two parameters apply to zSecure Admin and refer to line commands (such as D for delete or C for copy or clone) and to field Overtype when displaying various profiles. These line commands generate RACF commands. You can control the steps and execution of commands by selecting your desired values in the Confirm panel. Type a / before a profile, and then press Enter to see the available commands.

Table 5 shows the Action on command option settings and descriptions.

Table 5. Action on command option settings and descriptions

1. Queue
   RACF change commands (automatically generated when you use a line command) are written to the CKRCMD file.
2. Execute
   The automatically generated RACF commands are immediately executed, after confirmation, in RACF.
3. Not allowed
   No update line commands (like C and D) are permitted in the profile detail panel. Any line commands that are issued are denied.

Execute display commands (for option 1 only)

This option is valid only if you specify option 1 (Queue) for the Action on command field. If you specify this option, list commands like LISTUSER, PING, TRACERTE, and RLIST are executed even though Action on command is set to Queue. This option applies only to the commands generated by the program as list commands. If you change or add commands yourself, it does not apply. For example, FORALL treats all sorts of commands as ordinary commands even if you typed in LISTUSER.

The confirmation setting indicates the disposition of the RACF commands generated by zSecure Admin. Table 6 shows the confirmation option settings and descriptions.

Table 6. Confirmation settings and descriptions

1. None
   No RACF change commands must be confirmed. None disables the verification prompt; use it only when you understand how to use zSecure Admin.
2. Deletes
   Only Delete commands must be confirmed.
3. Passwords
   Commands containing a readable RACF password are not confirmed. All other commands must be confirmed.
4. All
   The user must confirm all change commands.

Tip: Regardless of the preceding settings, you cannot use the facilities described here to alter the RACF database without having the required authority, such as group-SPECIAL, to change the RACF profiles.

The Command routing option determines how generated commands are processed. Table 7 describes the available command routing options.

Table 7. Command routing settings and descriptions

1. Ask
   Ask is the maximum prompting level. For all commands or command files, the user is prompted for command routing information. This setting applies to commands generated for the local system, as well as to commands generated from data sources that are known to be from other systems.
2. Normal
   Normal is the default prompting level for command routing. Both internally generated commands and bulk commands that are always queued are run without prompting for command routing options. Confirmation prompting and command queuing are done based on the settings for the user. If the RACF data source applies to the local system, commands are routed to the local system. The user can specify any of the remote options RRSFNODE, ZSECNODE or JESNODE for a local data source; these remote indicators are ignored for a local data source. If the commands are not for the local system, they are routed to one of the following systems, in order of preference:
   a. The ZSECNODE or the ZSECSYS as specified on the RACF data source used for this profile.
   b. The RRSFNODE node associated with the RACF data source used for this profile. The command uses the AT keyword, specifying either the associated userid if the terminal user has an association with a userid on the target RRSFNODE, or the current userid.
   c. The NJE node specified for the RACF data source.
   If a specific routing mechanism is selected and fails, there is no automatic fallback to another routing mechanism.
3. Local only
   Independent of the input source, this option routes the command to the local system. If the local system is part of an RRSF autocommand environment, RRSF processing might route this command to other RRSF nodes.

The Overtype fields in panels option in the Command generation section of the panel enables you to modify many fields while displaying profiles, if you are running zSecure Admin. Based on the modifications, zSecure Admin and zSecure Audit for RACF automatically generate the RACF commands necessary to make the desired changes. These change commands are also subject to the action on command and confirmation settings described above. The ability to modify fields is one of the most important usability features, because it provides a very easy way to make minor changes to existing RACF profiles.

All zSecure Admin and zSecure Audit for RACF setup parameters are saved in your personal ISPF profile data set. Therefore, each user can have different setup parameters. If you access zSecure Admin and zSecure Audit for RACF using multiple userids, you might have different setup parameters for each userid.

Changing values and verifying

This example uses the RA.U function that you are already familiar with to illustrate the ability to change values using the Overtype function and the verify options. To demonstrate these options, complete the following steps:

1. Go to the Main menu. (Press PF3 as necessary.)
2. From the Main menu, select option RA (RACF Administration).
3. Select option U (User).
4. Type a value for Userid, or type a value for Default group (SYS1, for example) to obtain a display with multiple profiles. You can type over a value in any underlined field. For example, to change the password interval for one of the profiles, type a new value in the PwInt column.
   Tip: If no fields are underlined, type SET in the command line and press Enter. Verify that the Overtype fields in panels option is selected (/ in front of the option). If this does not work, complete the following steps:
   a. Type SETUP in the Command field to go to the Setup panel.
   b. In the Setup panel, select Options from the bar. Press Enter, and then select 1. Settings.
   c. Select Colors from the bar, and then select 2. CUA attributes.
   d. For all entry field rows, change the Highlight column to the value USCORE.
   e. Reissue the query. If you still do not see underlines, you probably have, or emulate, a terminal type without extended data stream support.
5. Press Enter. zSecure Admin generates the appropriate RACF command to change the password interval of the involved user and asks you to verify the command before execution. Remember to scroll left and right using the standard ISPF function keys, and to issue an S (Select) line command for more details.
6. Press PF3 to reject (not execute) the RACF command, or press Enter to submit the RACF command. If you elected to submit the command, zSecure Admin for RACF submits the command as though you had entered it on the TSO command line. You must have appropriate authority (for example, SPECIAL or ownership) before RACF accepts the command. If you do not have appropriate authority, you receive a RACF violation error message.

You can type over the value in the installation data field in a profile, changing only the characters you want to change. Alternatively, you can issue the MI (manage userid information) line command to edit the whole field. You can also work with user-defined subfields within the installation data.
Using line commands and the Overtype functions

When displaying a profile, you can issue line commands by typing a letter in the first character position of the displayed profile line and pressing Enter. The most common functions are as follows:

C for copy
D for delete
L for list
S for select

When you issue a line command, zSecure Admin and zSecure Audit for RACF generate the appropriate RACF commands to perform the requested function. A common technique is to use the Copy line command to reproduce a profile, and then type over the values in the fields that you want to be different in the new profile. The L line command executes a RACF list command in the primary RACF database for the profile you issue the L for. You can also use this command in a detail display.

Note: The L line command always reports from the primary RACF database.

To view a list of the line commands available in a profile overview display, type the / line command. For the RA.U function, you must scroll down (PF8) to see all of the application line commands.

Chapter 6. Reporting

All reports, and several other functions, generate the Results panel. From the IBM Security zSecure Admin and Audit for RACF Main menu, complete the following steps:

1. Select option RA (RACF Administration).
2. Select option 3 (Reports). On the next panel, you can select one of the predefined reports.
3. Select option 4 (Permit/Scope).

On the Report panel, create a report that shows you the scope of the specified user:

1. Type a userid. (For this exercise, it does not matter whose userid you enter.)
2. Specify 3 (type of authorization is Scope - Access or administrative authority by any means).
3. Type a / in front of Output in print format in the Specify output options section of the screen and press Enter.
4. Press Enter in the next panel.
On this panel, you can exclude some of the ways in which the entered Group or User can have access to certain resources. During this evaluation, however, do not exclude any of the options, so that you can explore all the methods by which a Group or User can have access to a resource. zSecure Admin and Audit for RACF searches the input RACF data. The report results are displayed on an overview panel that lists the classes and scope of access for the specified userid. To view detailed information about any class, type a / in the input entry field and press Enter. The panel shown in Figure 46 is displayed, with more detailed information about the selected class.

Figure 46. SCOPE report (BROWSE - IBMUSER.C2R10FE.REPORT, 0.8 s CPU, RC=0). The report is titled USER AUTHORIZATION FOR ID IBMUSER (IBM DEFAULT USER) and has the columns Class, Type, Profile name, Volume, Access and Via. The example lists 18 profiles: generic ** profiles in ACCTNUM and APPCTP, SDSF in CONSOLE, the GLOBAL DATASET entry &RACUID*.**, and generic DATASET profiles for ANF, AOP, API, ASM, ASMA and ASMT (ANF.*.**, ANF.SANFLOAD, AOP.*.**, API.*.**, ASM.*.**, ASM.SASMMOD1, ASM.SASMMOD2, ASM.SASMSAM1, ASMA.*.**, ASMA.V1R2M0.SASMMOD1, ASMA.V1R3M0.SASMMOD1, ASMA.V1R3M0.SASMSAM1, ASMT.*.**, ASMT.V1R2M0.SASMMOD2), with access ALTER or READ.

After examining the report, press PF3 to produce the Results panel. See Figure 47.
Tip: If you want to produce a scope report that shows only the access a user has through his or her userid and group connects, select option 2 - Direct permit or Connect (Id or Connect Group on access list).

Using the Results panel

This panel is presented after many queries or functions; familiarize yourself with its operation. You can use the panel to review results in several different ways and save useful material from the functions. Useful material can include RACF commands generated by zSecure Admin and zSecure Audit for RACF while processing the last functions. Reports overwrite the same files every time. That is, the files SYSPRINT, REPORT, CKRCMD, and so on, are rewritten every time the primary modules are called, so save any important results (using the W line command provided by the Results panel) before invoking another query or function.

Figure 47. Results panel (zSecure Admin+Audit for RACF - Results)

The following selections are supported:
  B  Browse file                  S  Default action (for each file)
  E  Edit file                    R  Run commands
  P  Print file                   J  Submit Job to execute commands
  V  View file                    M  E-mail report
  W  Write file into seq. or partitioned data set

Enter a selection in front of a highlighted line below:
  _ SYSPRINT  messages
  _ REPORT    printable reports
  _ CKRTSPRT  output from the last TSO command(s)
  _ CKRCMD    queued TSO commands
  _ CKR2PASS  queued commands for IBM Security zSecure Admin
  _ COMMANDS  zSecure Admin input commands from last query
  _ SPFLIST   printable output from PRT primary command
  _ OPTIONS   set print options

The names of some of the files listed on the display are highlighted to indicate that the last operation generated data in these files.
When applicable, you can browse, edit, save, run, or submit any of these files by using one of the commands described in the top part of the Results panel, as appropriate.

Tip: You can use the RESULTS primary command in the command line of most panels to obtain the current Results panel. To print DISPLAY results, use the PRT command.

Archiving report output

When you enter a W in front of the REPORT keyword in the Results panel, a panel opens where you can specify the data set name of an archive data set. The archive data set can be a sequential or a partitioned data set. For a sequential data set, you can write over the content by selecting disposition Overwrite, or append to the end of the current content by selecting disposition Append. For a partitioned data set, you can specify a member name and the dispositions Overwrite or Append, or choose the disposition Generate and leave the member name blank. Generate assigns a unique member name to each report, so you do not need to choose a member name.

Figure 48. Archive output to a data set (zSecure Admin+Audit for RACF - Results of last query). The panel reads "Write the zSecure Admin+Audit for RACF report file to the following dataset:" and has the fields Data set name, Member, Disposition (Append, Overwrite, or Generate) and, under "Processing option after Write completed", Go into Edit (Yes/No, default N).

If you specify a data set name that does not exist, zSecure Admin and zSecure Audit for RACF prompts you for allocation parameters:

1. Type the correct parameters and press Enter to create a new data set.
2. Press PF3 to exit from the Results panel.

The Results panel exists after any search.
However, it is automatically displayed only if files other than SYSPRINT contain output.

Tip: The next function you run overwrites these result data sets. If you want to save any of the data sets, do it before executing the next search.

Mailing report output

When you enter an M in front of the REPORT keyword in the Results panel, the e-mail panel shown in Figure 49 opens so that you can specify to whom you want the report mailed.

Figure 49. Email specification panel (zSecure Admin+Audit for RACF - E-mail). Under "Specify e-mail data" the panel has the fields From (prefilled with &jobname at &system <mbox@domain>), Mail to, CC, BCC, Reply to, Output format (1. Normal (MIME/HTML) or 2. Plain text (formatting may be lost)), Font size, Subject, and several lines of Additional data (e.g. signature).

The Mail option is valid only if you have specified SMTP configuration options in the Setup Output definition panel (SE.7), as described in "Setting up Output" on page 52.

Chapter 7. Using the Verify functions

The Verify functions help you to analyze RACF and z/OS integrity and security data. For example, many of the functions compare RACF data with what actually exists on your disks (as seen by zSecure Collect for z/OS). In addition, most functions automatically generate RACF commands to correct problems found during the analysis phase. These commands are not automatically executed. They are merely presented for your review or use.

The first time you use Verify functions, you might receive more output than you expect, especially if you have a large installation that has been somewhat relaxed in DASD and RACF cleanup policies. There is a default limit of 50 messages per disk volume, but optionally you can override this limit through a lower-level panel. The product messages generated are concise and exact, but might take a little study to absorb. Also, do not assume that your installation must correct all the anomalies reported by the various Verify functions. Your installation, for example, might not agree with the security policies implicit in some reports. Use the information as appropriate, but do not accept it blindly.

After a Verify function completes, the results are presented using the Results panel. Generally, if RACF commands were generated, these commands are displayed first. Sometimes, the SYSPRINT output is presented directly after the completion of the Verify function. The SYSPRINT file contains additional information about the problems found during the analysis done by a Verify function, such as concise descriptions of the anomalies and problems found.
When you enter the command find 'v e r i f y' (a space between the characters is required, as are the delimiting single quotation marks) in the command line, you go directly to the M E S S A G E S   V E R I F Y section of the SYSPRINT file.

To use the Verify function, complete the steps that follow:

1. Select option AU (Audit) from the Main menu.
2. Select option V (Verify) to open the Verify selection panel shown in Figure 50 on page 62.

Figure 50. Verify selection panel (zSecure Admin+Audit for RACF - Audit - Verify)

Enter "/" to select one or more options
  _ Permit         Find undefined users and groups and their profiles
  _ User permit    Find and remove redundant permits to userids
  _ Connect        Compare USER, GROUP and CONNECT profiles
  _ PADS           Programs on conditional access list have PROGRAM profile
  _ Group tree     Loops in grouptree
  _ Password       Userids with trivial passwords (not from an unloaded db)
  _ Protect all    All datasets are protected by a (discr or gen) profile
  _ On volume      Datasets defined by discrete profiles actually exist
  _ Not empty      Generic profile has matching disk or tape datasets
  _ All not empty  As above, even 'outer' generic profiles
  _ Indicated      Discrete profile exists for RACF-indicated datasets
  _ Program        Datasets as members in PROGRAM profile exist on disk
  _ Pgm exists     PROGRAM profiles cover actual load modules
  _ Started task   Check that procedures can indeed be started, etc.
  _ TSO all RACF   All TSO users should have RACF password and TSO segment
  _ Sensitive      Sensitive datasets not protected properly

You can select one or more of the Verify functions for execution, although it would be unusual to select more than three at a time.
Before trying any of the Verify functions, review the function descriptions in Table 8 and Table 9 on page 63.

Table 8. Verify functions

Permit
    Reports on any IDs (Users or Groups) used in RACF access control lists, or ownership fields, that are not currently defined as valid IDs. If these invalid IDs are defined again (made valid again), perhaps with a new user, this new user instantly inherits all the authorities of the former owner of that user ID. This can be a severe exposure. A more severe exposure is that anyone with group-SPECIAL or JOIN authority can create a group with the same name as the ID in the access control list, and in this way obtain the authority of the ID.
User Permit
    Reports on any resource profile that contains a userid in the access control list while that user is also connected to one or more groups that are in the same access control list. The access levels of the userid and of the group or groups are compared. If the access for that specific userid is equal to the highest access of any connected group, the userid entry is redundant and is eligible for removal.
Connect
    Verifies that connect information in user and group profiles is consistent.
PADS
    PADS administration is often complicated, and several Verify functions address it. This function verifies that every program appearing on a RACF conditional access control list has a corresponding Program profile.
Group tree
    Detects loops in your group definitions. These loops usually happen where RACF administration is not well centralized, or where administrators change frequently. RACF prevents loops from occurring by checking whether an ALU or ALG command would cause a loop.
Password
    Checks every user password in the RACF database against several trivial values. The Password function cannot be performed on an Unload file, because the passwords are not unloaded.

The Verify functions described in Table 9 require a CKFREEZE data set.
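The Permit and User permit checks of Table 8 reduce to two passes over the access lists, shown here as an added Python example that is not zSecure code: it runs the same two comparisons over a small in-memory RACF model with constructed users, groups and profiles (all names are invented for the example).

```python
"""Permit and User permit checks over a constructed in-memory RACF model.

Added example, not zSecure code: it reimplements the two Verify checks
described in Table 8 on sample data constructed below. A real run would
read the RACF database or an unload; here users, groups, profiles and
access lists are plain Python data.
"""
from dataclasses import dataclass, field

# RACF access levels from weakest to strongest. NONE is still an entry on
# the list, so it takes part in the comparison like any other level.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3,
               "CONTROL": 4, "ALTER": 5}


@dataclass
class Profile:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # id (user or group) -> access


@dataclass
class RacfDb:
    users: dict        # userid -> set of groups the user is connected to
    groups: set        # defined group names
    profiles: list     # resource profiles


def verify_permit(db):
    """Permit: IDs on an access list or in an OWNER field that are not
    defined as a user or group. Returns (profile, id, where) tuples."""
    defined = set(db.users) | db.groups
    findings = []
    for prof in db.profiles:
        for ident in sorted(prof.acl):
            if ident not in defined:
                findings.append((prof.name, ident, "access list"))
        if prof.owner not in defined:
            findings.append((prof.name, prof.owner, "owner"))
    return findings


def verify_user_permit(db):
    """User permit: a userid entry whose access equals the highest access of
    any of the user's connect groups that is also on the same list is
    redundant. Returns (profile, userid, access, group) tuples."""
    findings = []
    for prof in db.profiles:
        for ident, access in prof.acl.items():
            groups = db.users.get(ident)
            if groups is None:
                continue            # a group entry or an undefined ID
            via = {g: prof.acl[g] for g in groups if g in prof.acl}
            if not via:
                continue            # none of the user's groups is on the list
            best = max(via, key=lambda g: ACCESS_RANK[via[g]])
            if ACCESS_RANK[access] == ACCESS_RANK[via[best]]:
                findings.append((prof.name, ident, access, best))
    return findings


def cleanup_commands(redundant):
    """Build the PERMIT ... DELETE commands that would remove redundant userid
    entries (DATASET class assumed). Like the product's CKRCMD output, the
    commands are only proposed for review; nothing here executes them."""
    return [f"PERMIT '{name}' ID({uid}) DELETE" for name, uid, _, _ in redundant]


def sample_db():
    """Constructed sample data; every name here is invented for the example."""
    return RacfDb(
        users={"IBMUSER": {"SYS1"}, "JOE": {"SYS1", "DEVGRP"}, "ANN": {"DEVGRP"}},
        groups={"SYS1", "DEVGRP", "OPS"},
        profiles=[
            # JOE's ALTER duplicates what he already has through SYS1;
            # OLDUSR was deleted but is still on the list.
            Profile("SYS1.PARMLIB", "SYS1",
                    {"SYS1": "ALTER", "JOE": "ALTER", "OLDUSR": "READ"}),
            # ANN's ALTER exceeds DEVGRP's UPDATE, so it is not redundant;
            # the owning group GONEGRP no longer exists.
            Profile("DEV.*.**", "GONEGRP",
                    {"DEVGRP": "UPDATE", "ANN": "ALTER", "OPS": "READ"}),
            # None of JOE's groups is on this list, so there is nothing to compare.
            Profile("PROD.DATA", "OPS", {"JOE": "READ"}),
        ],
    )


if __name__ == "__main__":
    db = sample_db()
    for finding in verify_permit(db):
        print("PERMIT:", finding)
    redundant = verify_user_permit(db)
    for finding in redundant:
        print("USER PERMIT:", finding)
    for cmd in cleanup_commands(redundant):
        print(cmd)
```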
Table 9. Verify functions requiring a CKFREEZE data set

Protect all
    Lists all disk data sets that are not protected by a generic or discrete RACF profile. If your installation is using a RACF PROTECT ALL environment, try this function. If you are not in a PROTECT ALL environment, be prepared for a large amount of output.
On Volume
    Verifies that each discrete RACF profile has a corresponding data set on DASD. Often old discrete profiles remain in RACF long after the data set has been deleted.
Not empty
    Identifies obsolete generic profiles. This function verifies that generic dataset profiles that protect subsets of more general generic profiles do, in fact, have existing data sets being protected by the generic profile. (Take care when using this function, because profiles meant to protect future or periodic allocations might be empty (no data sets exist under the profile) at the time the Verify check is made.)
All not empty
    This function is a more general case of the Not empty check. It verifies that all generic profiles are being used to protect real data sets. It can be used to find unneeded generic profiles. RACF and z/OS have no mechanism for automatically removing generic profiles, and large numbers of obsolete profiles can accumulate over time.
Indicated
    Verifies that all RACF-indicated data sets (with the RACF indicator bit set in the DSCB or catalog) have a corresponding discrete profile.
Program
    Verifies that each data set listed as a member in a Program profile does exist.
Pgm exists
    Verifies that each Program profile covers at least one load module in a data set, as specified by the profile. If modules are moved from one library to another, there is no automatic update of RACF Program profiles and the modules are no longer protected. The Program and Pgm exists functions help you to maintain a clean PADS environment.
Started task
    Checks the consistency of the started procedure table (ICHRIN03) with various RACF user, group, and STARTED class profile definitions and with procedure members defined for JES2 and MSTR.

TSO all RACF and Sensitive are available only in zSecure Audit.

TSO all RACF
    Checks the users defined in the SYS1.UADS data set against the user definitions in RACF and reports any UADS IDs that can log on bypassing the control of RACF.
Sensitive
    Checks the protection of z/OS sensitive data sets against a baseline policy. If the protection is insufficient, it generates a RACF command to fix the situation: either by adding a correct profile or by fixing or improving the offending profile.

Some of the Verify functions are more important than others. The Permit and Protect All functions might be the most important, especially if you are not in a PROTECT ALL environment.

To use the Verify function for the first time, complete these steps:

1. Type / in the INDICATED line.
2. Proceed through the next panel by pressing Enter. The CKRCMD command file shown in Figure 51 on page 64 automatically opens.

Figure 51. Verify the indicated CKRCMD file (EDIT IBMUSER.C2R10FE.CKRCMD)

Press PF3, Enter R at the cursor location, press ENTER to run these commands
  /* CKRCMD file CKR1CMD complex YESTERDY NJE JES2TEST generated
  /* Commands generated by VERIFY INDICATED */
  addsd 'IBMUSER.DISCRETE.DSN1' vol(TSTUS1) unit(3390) noset from(
  deldsd 'IBMUSER.DISCRETE.DSN1' vol(TSTUS1)
  addsd 'IBMUSER.DISCRETE.DSN2' vol(TSTUS1) unit(3390) noset from(
  deldsd 'IBMUSER.DISCRETE.DSN2' vol(TSTUS1)

In this example, the installation contains two data sets that are RACF indicated while the corresponding discrete dataset profile is missing from the RACF database. If necessary, use the ISPF functions PF7, PF8, PF10, and PF11 to scroll the panel so that you can view all the data. As you can see, the generated commands can be run to fix the inconsistencies found by the Verify Indicated function.

3. Press PF3 to open the Results panel.
4. Select the SYSPRINT file if you want to view the details of the Verify function. The additional information is provided in the section headed by MESSAGES VERIFY INDICATED shown in Figure 52.
5. Type the find 'v e r i f y' command on the command line to jump to the messages section of the SYSPRINT file instead of scrolling down several panels. Alternatively, you can scroll to the bottom of the file and, if applicable, scroll back up one or two pages. Figure 52 shows an example of the MESSAGES VERIFY INDICATED section.

Figure 52. Verify the indicated CKRCMD file (EDIT IBMUSER.C2R10FE.CKRCMD)

Note: The SYSPRINT file contains additional information about the VERIFY messages.

6. To return to the Verify Selection panel, press PF3 twice.
7. Type a / in the Permit line.
8. Remove the / from the Indicated line. Step through the next panels until zSecure Admin and zSecure Audit for RACF executes the function. Unless you maintain a very clean database, zSecure Admin and zSecure Audit for RACF probably finds invalid userids in the database. If there are many of these userids, you can print the report and study it offline. Invalid userids can present complex problems that are not suitable for on-the-fly repairs.

Tip: When RACF commands are generated by one of the Verify functions, the solution suggested by zSecure Admin and zSecure Audit for RACF might not be appropriate or might require adjustment to your environment. Always look at the commands closely. If necessary, look in the SYSPRINT file for additional information before executing them.

Chapter 8. Auditing system integrity and security

A range of z/OS integrity and security checks is available under the AU.S option in the primary menu. For example, you can view the current SETROPTS settings using this function. To use the AU.S function, complete the following steps:

1. Select option AU (Audit) from the Main menu.
2. Select option S (Status) to open the Audit Status panel. You can use this panel to select one to five report categories. First, explore the RACF control (RACF-oriented tables) category.
Figure 53. Audit Status (zSecure Admin+Audit for RACF - Audit - Status)

Enter / to select report categories
  _ MVS tables     MVS oriented tables (reads first part of CKFREEZE)
  _ MVS extended   MVS oriented tables (reads whole CKFREEZE)
  / RACF control   RACF oriented tables
  _ RACF user      User oriented RACF tables and reports
  _ RACF resource  Resource oriented RACF tables and reports
Select options for reports:
  / Select specific reports from selected categories
  _ Include audit concern overview in overall prio order
  _ Only show reports that may contain audit concerns
  __ Minimum audit priority for audit concerns (1-99)
  _ Print format
  _ Concise (short) report
  _ Background run
Audit policy   / zSecure   _ C1   _ C2   _ B1

3. Select the category RACF control and type a / before Select specific reports from selected categories. Press Enter.
   Note: The Audit policy can be set. The C1, C2, and B1 policies are security standards described by the U.S. Department of Defense in a document known as the Orange Book. The default policy is a standard that represents a practical and achievable security level applicable to most companies. The policy defines what is classified as an exposure.
4. Select the report SETROPTS to generate a report of the current RACF system options of this installation, and the report RACFCLAS to report on the class descriptor table and the number of profiles.
5. Press Enter to generate the requested reports. The panel shown in Figure 54 on page 68 opens so that you can select and view the reports.

Figure 54. Audit report overview (zSecure Admin+Audit for RACF Display, 1 s elapsed, 0.6 s CPU)

  Name      Summary  Records  Title
  SETROPTS  1        1        RACF system, ICHSECOP, and general SETROPTS settings
  SETROPAU  1        3        SETROPTS settings - audit concerns
  RACFCLAS  1        168      RACF CDT, SETROPTS class info and number of profiles

6. Select the SETROPTS report. Then press Enter to open the SETROPTS setting panel shown in Figure 55.

Figure 55. Audit status SETROPTS report (RACF system, ICHSECOP, and general SETROPTS settings, Line 1 of 58, 8 Apr 2005 08:46; Complex DEMO, System DEMO, Collect timestamp 8 Apr 2005 00:50)

General RACF properties
  Access Control active            Yes
  Force storage below 16M          No
  Check all connects GRPLIST       Yes
  Check genericowner for create    Yes
  NOADDCREATOR is active           Yes
  Dynamic CDT active               No
  RACF local node                  DEMO
  RRSF propagate RACF commands     No
  RRSF propagate applications      No
  RRSF propagate passwords         No
  RRSF honour RACLINK PWSYNC       Yes
  Application ID mapping stage     0
  Level of KERB processing
  Primary Language                 ENU
  Secondary Language               ENU
  RACF software release level      HRF7703 HRF7703
  RACF DB template level           HRF7703
Data set protection options
  Prevent duplicate datasets       No
  Protectall                       Yes/fail
  Automatic Dataset Protect        No
  Enhanced Generic Naming          Yes
  Prefix one-level dsns            ONEQUAL
  Prevent uncataloged dsns         No
  GDG modelling                    No
  USER modelling                   No
  GROUP modelling                  No

The current SETROPTS (SET RACF options) are listed in this report. You can use PF8 to scroll down to see the other SETROPTS parameters that are currently active, such as system-wide audit settings and password rules.

7. Press PF3 to return to the report overview.
8. Select SETROPAU to open the report shown in Figure 56.
This report lists the audit concerns related to the current SETROPTS settings. Audit concerns indicate possible security exposures in the current installation.

SETROPTS settings - audit concerns                                  Line 1 of 3
Command ===> _________________________________________________  Scroll===> CSR_
8 Apr 2005 08:46
Pri  Complex  System  Count
 11  DEMO     DEMO        3
   Pri  Parameter         Value  Audit concern
__  11  RVARYSTATUSPWSET  No     Password to deactivate RACF still at I
__  10  RVARYSWITCHPWSET  No     Password to switch RACF database still

Figure 56. SETROPTS audit concerns overview

zSecure Audit for RACF ranks the severity of the problems found. The rank is shown in the field labeled Pri and is a number from 0 to 255. Be aware, however, that understanding the reason for those rankings requires some knowledge of z/OS internals and some judgment of the context of the total system. Table 10 provides a rough categorization of the audit concern priorities.

Table 10. Audit concern priority categories

Priority  Type          Explanation and action required
40-255    Exposure      A very serious potential security exposure and a concern for an auditor. Requires immediate action.
20-39     Concern       A serious security threat. Requires action, but less urgently.
11-19     Housekeeping  A minor problem, or an authority that must be audited, reviewed, and approved or denied. RACF housekeeping can remove many of these concerns.
1-10      Watch         Read it, and resolve it as time permits.
0         OK            No audit concern.

By default, the audit concerns are sorted by descending priority. The details of an audit concern can be displayed by entering an S or / in front of the concern you want to view.

To view the audit concerns per RACF class, complete the following steps:

1. Press PF3 again to return to the report overview.

2. Select the report RACFCLAS and press Enter to open the Audit Status RACFCLAS report shown in Figure 57. This report displays the contents of the RACF Class Descriptor Table. It contains a record for every class defined to RACF.
RACF CDT, SETROPTS class info and number of profiles               Line 1 of 168
Command ===> _________________________________________________  Scroll===> CSR_
8 Apr 2005 08:45
Complex  System  Classes  Active  Nonempty  Profiles  Audit concerns  Priority
DEMO     DEMO        168      59        58      2383              43        22
   Pr  Class     Pos  Grouping  Members  Protect   Glbl  Generic   Profiles  RC  Oper  RF
__ 22  DEVICES   115                     Inactive                             4        Ye
__ 20  TEMPDSN   106                     Inactive                             8        Ye
__  7  DASDVOL     0  GDASDVOL           Inactive                         3   4  OPER  Ye
__  7  VMPOSIX    63                     Inactive        Discrete       16   4        Ye
__  6  SERVER    546                     Inactive        Discrete        1   8        Ye
__  6  TERMINAL    2  GTERMINL           Inactive                        11   4        Ye
__  6  VMCMD      14                     Inactive                         1   4  OPER  Ye
__  6  VMMDISK    18                     Inactive                         9   4  OPER  Ye
__  5  AIMS        4                     Inactive                         1   4        Ye
__  5  APPCTP     89                     Inactive                         2   8        Ye
__  5  GIMS        4  TIMS               Inactive                         9   4        Ye
__  5  JESINPUT  108                     Inactive                         2   8        Ye
__  5  PERFGRP   125                     Inactive                         1   4        Ye
__  5  ROLE      551                     Inactive        Discrete       16   8        Ye
__  5  SECDATA     9  SCDMBR             Inactive                         2   4        Ye
__  5  SECLABEL  117                     Inactive                         6   8        Ye
__  5  SYSMVIEW  542                     Inactive                         8   4        Ye
__  5  TIMS        4  GIMS               Inactive                        35   4        Ye

Figure 57. Audit status RACFCLAS report

In this report, the classes are sorted by descending audit concern priority. However, you can sort this overview by any column that you want. Entering the command sort pos reorders the overview by POSIT number, while the command sort class sorts the classes alphabetically by class name.

Tip: Remember that the available help panels provide background information and explanations.

Chapter 9. Querying SMF data

Note: The SMF Query function is available only in the zSecure Audit product.

The SMF displays can work with the live SMF data sets, SMF log streams, or with sequential SMF data that has been produced by the IBM IFASMFDP or IFASMFDL programs. While you are getting familiar with zSecure Audit for RACF and experimenting with it, work with sequential SMF data rather than the live SMF files.
Using static, sequential data provides more consistent results when you retry something with slightly different parameters.

Consider which SMF data you use with zSecure Audit. The amount of SMF data collected by z/OS varies greatly among installations. In some cases, you can place a week of data in a reasonable DASD allocation (30 MB, for example), while in other cases that allocation might hold only an hour of SMF data. For simple experimentation with zSecure Audit for RACF, a set of SMF data in the 10-30 MB range is reasonable. If you must apply filtering to reduce the size of the data set, make sure that the record types shown in Table 11 are not filtered out.

Table 11. SMF record types that should not be filtered out of the SMF data

Record type  Description
14           INPUT or RDBACK Data Set Activity
15           OUTPUT, UPDATE, INOUT or OUTIN Data Set Activity
17           Scratch Data Set Status
18           Rename Data Set Status
30           Common Address Space Work
60           VSAM Volume Data Set Updated
61           ICF Define Activity
62           VSAM Component or Cluster Opened
63           VSAM Catalog Entry Defined
64           VSAM Component or Cluster Status
65           ICF Delete Activity
66           ICF Alter Activity
67           VSAM Catalog Entry Delete
68           VSAM Catalog Entry Renamed
69           VSAM Data Space Defined, Extended or Deleted
80           RACF Processing
81           RACF Initialization
83           RACF Processing Record for Auditing Data Sets
90           System Status
92           UNIX Hierarchical File System
102          DB2 Performance and Audit
109          Firewall
118          TCP/IP Telnet and FTP
119          TCP, UDP and IP
120          WebSphere Application Server

You can also run the zSecure Audit for RACF SMF analysis on a full SMF file with all record types present. zSecure Audit for RACF supports approximately 100 different SMF record types.

Defining input sets

When you opt to process SMF data, the data sets must be defined to zSecure Audit for RACF.
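Before defining a filtered SMF data set as input, it is worth confirming that the filter left the record types of Table 11 in place. The following is an added example, not IBM or zSecure code: it decodes the standard SMF record header of a dumped SMF data set and reports which Table 11 types are absent. It assumes the IFASMFDP output was transferred in binary with its record descriptor words intact, and it constructs a handful of records in memory rather than reading a real data set.

```python
"""Check that a dumped SMF data set still holds the record types zSecure Audit
needs (Table 11). Added example, not IBM/zSecure code. Assumes the IFASMFDP
output was transferred in binary with its record descriptor words (RDW) kept,
so every record starts with a 2-byte length; records are constructed in memory."""
import struct
from collections import Counter
from datetime import date, time

# Record types from Table 11 that must survive any filtering of the SMF data.
REQUIRED_TYPES = {14, 15, 17, 18, 30, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69,
                  80, 81, 83, 90, 92, 102, 109, 118, 119, 120}


def parse_smf_header(rec):
    """Decode the 18-byte header common to all SMF record types."""
    length, _seg, _flags, rtype = struct.unpack(">HHBB", rec[:6])
    hundredths = struct.unpack(">I", rec[6:10])[0]        # time since midnight
    packed = rec[10:14].hex()                              # date as packed 0cyydddF
    century, yy, ddd = int(packed[1]), int(packed[2:4]), int(packed[4:7])
    jan1 = date(1900 + 100 * century + yy, 1, 1)
    secs, hs = divmod(hundredths, 100)
    hh, rem = divmod(secs, 3600)
    mm, ss = divmod(rem, 60)
    return {"length": length, "type": rtype,
            "date": date.fromordinal(jan1.toordinal() + ddd - 1),
            "time": time(hh, mm, ss, hs * 10000),
            "sid": rec[14:18].decode("cp037").strip()}    # system id is EBCDIC


def iter_records(data):
    """Walk the dump record by record, using each RDW length as the boundary."""
    pos = 0
    while pos + 4 <= len(data):
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 18 or pos + length > len(data):
            raise ValueError(f"bad record length {length} at offset {pos}")
        yield data[pos:pos + length]
        pos += length


def type_counts(data):
    """Number of records per SMF record type."""
    return Counter(parse_smf_header(r)["type"] for r in iter_records(data))


def missing_required_types(data):
    """Table 11 record types that do not occur in the data at all."""
    return sorted(REQUIRED_TYPES - set(type_counts(data)))


def make_record(rtype, when, hhmm, sid="DEMO", body=b""):
    """Build a constructed SMF record with a valid header (for this example only)."""
    hundredths = (hhmm[0] * 3600 + hhmm[1] * 60) * 100
    packed = bytes.fromhex(f"0{(when.year - 1900) // 100}{when.year % 100:02d}"
                           f"{when.timetuple().tm_yday:03d}f")
    header = (struct.pack(">HHBB", 18 + len(body), 0, 0x5E, rtype)  # 0x5E: arbitrary flags
              + struct.pack(">I", hundredths) + packed + sid.ljust(4).encode("cp037"))
    return header + body


# Constructed sample resembling a heavily filtered dump: only types 80, 30, 14 and 92.
SAMPLE_DUMP = b"".join([
    make_record(80, date(2005, 4, 8), (8, 46)),
    make_record(80, date(2005, 4, 8), (8, 47)),
    make_record(30, date(2005, 4, 8), (8, 47)),
    make_record(14, date(2005, 4, 8), (8, 48), body=b"\x00" * 8),
    make_record(92, date(2005, 4, 8), (8, 50)),
])

if __name__ == "__main__":
    for rtype, n in sorted(type_counts(SAMPLE_DUMP).items()):
        print(f"type {rtype:3d}: {n} record(s)")
    print("Table 11 types absent:", missing_required_types(SAMPLE_DUMP))
```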
You can use live or log stream SMF data, or obtain a reasonable amount of recent SMF data and copy it to a sequential data set. In both cases, you must change your input file settings.

To use a data set with SMF data, complete the following steps:

1. Select option SE (Setup) from the Main menu and press Enter.

2. Select 1 (Input Files) and press Enter to open the Setup Input panel. For information about this panel, see “Selecting the input set” on page 50.

3. Move the cursor to the input field (left-most position) on a line.

4. Type the letter I and press Enter to insert a new input set. The Setup Input panel opens, but without data.

5. Type a title such as Filtered SMF data set in the Description field below the Command line.

6. Move the cursor to the first Data set or Unix file name field. Type the name of the data set that contains SMF data. Then press Enter. If the data set name ends with .SMF, the file type (SMF) is filled in automatically. If it does not end with .SMF, a panel such as Figure 58 on page 73 opens so that you can assign a type to the file you are defining.
Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                  zSecure Admin+Audit for RACF - Setup            Row 1 to 13 of 13
Command ===> ________________________________________________  Scroll ===> CSR_

Select the type of data set or file
  Type        Description
_ ACCESS      RACF ACCESS monitor data set
_ ACT.BACK    The backup RACF database of your active system
_ ACT.PRIM    The primary RACF database of your active system
_ ACT.SMF     The live SMF data set(s)
_ ACT.SYSTEM  Live settings
_ CKFREEZE    A CKFREEZE data set
_ CKRCMD      A file for generated RACF commands
_ COPY.RACF   A copy of a single data set RACF database
_ COPY.SEC    A non-first component of a multiple data set RACF database
_ COPY.TEMP   The first component of a multiple data set RACF database
_ SMF         VSAM or dumped SMF
_ SMF.LOGSTR  SMF logstream
_ UNLOAD      An unloaded RACF database
_ WEBACCESS   IBM HTTP Server access log
_ WEBERROR    IBM HTTP Server error log

Figure 58. Assign file type

7. Select option SMF and press Enter to create a line that references the live SMF data.

8. Press PF3. You return to the Input file panel with the new input set selected.

Tip: You can select multiple input sets at the same time. Consider defining a set for each file or pair of files. For example, define a live SMF set and a set with the most recent unload of the RACF database and CKFREEZE data set, and select both sets as input. Your input file settings will then look similar to those in Figure 59.
Menu  Options  Info  Commands  StartPanel
-------------------------------------------------------------------------------
               zSecure Admin+Audit for RACF - Setup - Input file      Row 1 from 5
Command ===> ________________________________________________  Scroll ===> CSR_
(Un)select (U/S) set of input files or work with a set (B, E, R, I, D or F)
  Description                                            Complex
_ Filtered SMF data set                                           selected
_ Input set created 8 Apr 2005                                    selected
_ Active primary RACF data base                          DEMO
_ Active backup RACF data base                           DEMO
_ Active backup RACF data base and live SMF data sets    DEMO
******************************* Bottom of data ********************************

Figure 59. Input file settings

To use live SMF data, you do not need to specify a data set. Type / in the Type field, and then press Enter. The panel in Figure 58 opens so that you can select option ACT.SMF. This is the most basic form of SMF input. In a more complex situation, you can combine live SMF with the most recent n generations of archived SMF data, if you use Generation Data Groups (GDGs), by listing multiple lines within the input set.

SMF reports

To create reports, complete the following steps:

1. Select option EV (Events) in the Main menu and then press Enter.

2. Select option 2 (RACF Events) and then press Enter.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                   zSecure Audit for RACF - Events - RACF events
Option ===> _________________________________________________________________

Enter "/" to select report(s)
_ All events   Overview of all following RACF events (except IPL)
_ Logging      RACF logging of all events except RACINIT
_ Not normal   RACF access not due to normal profile access
_ Warnings     RACF access due to profiles in warning modes
_ Violations   RACF access violations
_ Commands     RACF command auditing
_ CKGRACF      zSecure Admin CKGRACF commands
_ IPL RACF     RACF initialization

Figure 60. SMF RACF events display

3. Select All events in the RACF events panel, and then press Enter. The SMF selection panel shown in Figure 61 is common to a number of SMF reports.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                       zSecure Admin+Audit for RACF             "DOWN " is not active
Command ===> __________________________________________________________________

Select SMF records that fit all of the following criteria
Use EGN masks for selection criteria
Userid . . . . . .  IBMUSER
Jobname . . . . . . __________________________________________________________
Terminal . . . . .  __________________________________________________________
Dataset name . . .  __________________________________________________________
Profile class . . . __________________________________________________________
Profile key . . . . __________________________________________________________
Level . . . . . . . __ __ (installation defined resource level)

                Time          Date                       Weekday
From : Until    ____ : ____   __________ : __________    ____ : ____

Show all  _ Success  _ Warning  _ Violation
Intended access at least 6   1. Execute  2. Read  3. Update  4. Control  5. Alter  6. All access

Figure 61. SMF selection criteria

Only SMF records that match your specified selection criteria are processed. Any fields in this panel that you do not use are not considered in the selection process. For this panel:

- The Userid, Jobname, Terminal, Profile class, Profile key, and Data set name fields each accept one or more search strings separated by blanks. Wild cards (%, *, and **) can be used. A single asterisk in the Userid field, with no other parameters, selects all SMF records that can be attributed to a RACF user.

- You can use the Level field to select by data set or resource level. Use the first field to specify the operator that determines how the level present in the profile is compared.
  Use < or <= to select levels below (or equal to) the specified level, > or >= for higher levels, = for the exact level, and ¬= or <> for all but the specified level. The second field specifies a numeric value for the data set or resource level. This level is not set or updated by IBM utilities, but can be used by the installation.

- Your userid is not automatically prefixed to data set names.

- Times are specified in 24-hour HHMM format.

- Dates are specified as YYYY-MM-DD, DDMMMYYYY or YYYY/DDD; for example, 2005-03-01, 01MAR2005, or 2005/301. A range of dates is separated by a colon; for example, 10APR2005:14APR2005.

- Weekdays are spelled in English using the first three letters; for example, Mon for Monday.

- In the Intended access at least field, you can select only those access events that required at least the authority you specify.

After the selection panel, an exclusion panel opens, similar to Figure 61 on page 74. Be aware that the selection and exclusion panels look very similar. If an SMF record passes the selection process, it can still be rejected by the exclusion parameters. You do not need to specify any exclusion parameters. As an example, select all accesses to data sets with the name SYS*.** with access level at least UPDATE, but exclude access to data set SYS1.BRODCAST.

After the selection and exclusion panels, there are panels to control the report generated. These panels can be used to limit the number of input records (especially if your SMF file is huge), to limit the number of output records, and to format the output for displaying or printing.

For this example, do not select any CKFREEZE data set to use with SMF reports. Make sure that there is no / before Use CKFREEZE data in the SMF process options panel. For RACF-only purposes this option is not needed, and it can increase the TSO region size required. You do need this option to format UNIX file system records (type 92).
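The selection-then-exclusion logic and the field conventions described above (EGN masks, the three date formats and date ranges, the Intended access at least minimum) can be tried on constructed events with the following added example; it is not product code. The event layout, the mask semantics (% one character, * within one qualifier, ** zero or more qualifiers) and the access ranking EXECUTE < READ < UPDATE < CONTROL < ALTER are assumptions, not taken from the manual. It runs the manual's own example: data sets SYS*.** at access level at least UPDATE, excluding SYS1.BRODCAST.

```python
"""Selection-then-exclusion filtering of SMF access events, modelled on the
zSecure Audit selection and exclusion panels. Added example, not product code.
Assumptions (not from the manual): the event layout; EGN mask semantics
(% = one character, * = within one qualifier, ** = zero or more qualifiers);
the access ranking EXECUTE < READ < UPDATE < CONTROL < ALTER."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ACCESS_RANK = {"EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


def egn_to_regex(mask):
    """Translate an EGN mask such as SYS*.** into an anchored regular expression."""
    parts = []
    for tok in re.findall(r"\.\*\*$|\*\*|\*|%|[^*%]+", mask):
        parts.append({".**": r"(\..*)?",   # trailing .** also matches no further qualifier
                      "**": ".*",          # any number of qualifiers
                      "*": r"[^.]*",       # any characters within one qualifier
                      "%": r"[^.]"}.get(tok, re.escape(tok)))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_date(text):
    """Accept the panel's formats: YYYY-MM-DD, DDMMMYYYY or YYYY/DDD."""
    for fmt in ("%Y-%m-%d", "%d%b%Y", "%Y/%j"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text}")


def parse_date_range(text):
    """'10APR2005:14APR2005' -> (from, until); a single date is a one-day range."""
    lo, _, hi = text.partition(":")
    return parse_date(lo), parse_date(hi or lo)


@dataclass
class AccessEvent:
    when: datetime
    userid: str
    dataset: str
    access: str          # EXECUTE, READ, UPDATE, CONTROL or ALTER
    outcome: str         # Success, Warning or Violation


@dataclass
class Criteria:
    """One selection (or exclusion) panel; a field left None is not considered."""
    dataset: Optional[str] = None
    userid: Optional[str] = None
    dates: Optional[str] = None
    min_access: Optional[str] = None

    def matches(self, ev):
        if self.dataset and not egn_to_regex(self.dataset).match(ev.dataset):
            return False
        if self.userid and not egn_to_regex(self.userid).match(ev.userid):
            return False
        if self.dates:
            lo, hi = parse_date_range(self.dates)
            if not lo <= ev.when.date() <= hi:
                return False
        if self.min_access and ACCESS_RANK[ev.access] < ACCESS_RANK[self.min_access]:
            return False
        return True


def run_query(events, select, exclude=None):
    """A record must match every used selection field; if it then also matches
    every used exclusion field it is rejected. An all-blank exclusion panel excludes nothing."""
    kept = [e for e in events if select.matches(e)]
    if exclude is not None and any(vars(exclude).values()):
        kept = [e for e in kept if not exclude.matches(e)]
    return kept


# Constructed events standing in for type 80 data set access records.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2005, 4, 12, 9, 17), "IBMUSER", "SYS1.PARMLIB", "UPDATE", "Success"),
    AccessEvent(datetime(2005, 4, 12, 9, 18), "IBMUSER", "SYS1.BRODCAST", "UPDATE", "Success"),
    AccessEvent(datetime(2005, 4, 13, 10, 0), "USER01", "SYS1.LINKLIB", "READ", "Success"),
    AccessEvent(datetime(2005, 4, 13, 11, 5), "USER02", "SYS2.PROCLIB", "ALTER", "Violation"),
    AccessEvent(datetime(2005, 4, 20, 8, 0), "USER02", "SYS1.PARMLIB", "UPDATE", "Success"),
    AccessEvent(datetime(2005, 4, 13, 12, 0), "USER03", "PAYROLL.MASTER", "UPDATE", "Success"),
]


def example_query():
    """The manual's example: SYS*.** at least UPDATE, 10-14 Apr 2005, minus SYS1.BRODCAST."""
    select = Criteria(dataset="SYS*.**", min_access="UPDATE", dates="10APR2005:14APR2005")
    exclude = Criteria(dataset="SYS1.BRODCAST")
    return run_query(SAMPLE_EVENTS, select, exclude)


if __name__ == "__main__":
    for ev in example_query():
        print(ev.when, ev.userid, ev.dataset, ev.access, ev.outcome)
```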
The SMF search produces an overview report with one line for each SMF record selected, plus a statistical summary. You can enter an S line command for a detailed display of any of the records.

zSecure Audit for RACF processing of SMF records is fairly straightforward. Its power lies in good use of the selection and exclusion panels and in high-speed processing. Nevertheless, effective use of SMF processing requires planning on your part, so that you have reasonable amounts of recent SMF data available that is easily accessible online or through HSM facilities.

zSecure Audit for RACF supplements any SMF event record with information from the RACF data source if such information is missing from the record. In this way, z/OS event records like types 14 and 15 can be attributed to a RACF userid, even if the Jobname in the SMF record does not match the RACF userid.

Auditing types of users

To audit a user event trail, you must first have selected an input data set that contains SMF data. Then complete the following steps:

1. Return to the Main menu.

2. Select option EV.U (Events, User events) to open the User Selection panel shown in Figure 62. This panel is the starting point for finding the audit trail of one or more specific users, or for finding events caused by certain types of users.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                zSecure Admin+Audit for RACF - Events - User Selection
Command ===> __________________________________________________  _ start panel

Show records that fit all of the following criteria:
Userid . . . . . .  ________ (userid or EGN mask)
Owned by . . . . .  ________ (group or userid, or EGN mask)
System . . . . . .  ____ (system name or EGN mask)
Name . . . . . . .  ___________________________ (name/part of name, no filter)
Installation data   ___________________________ (scan of data, no filter)
Jobname . . . . .   ________ (job name or EGN mask)
Terminal . . . . .  ________ (Terminal id or EGN mask)

Advanced selection criteria
/ User actions         _ User attributes      _ Date and time
_ Data set selection   _ Resource selection   _ HFS selection
_ DB2 selection        _ Omegamon selection   _ CICS selection
_ Specify scope

Output/run options
_ Include detail   _ Output in print format   _ Run in background
_ Summarize        _ Customize title          _ Sort differently
_ Send as e-mail

Figure 62. EV.U User Selection panel

3. In the Advanced selection criteria section, select User actions, and press Enter. You now see a selection panel with the types of actions recognized.

4. Type a / in front of RACF/CKGRACF commands issued and another / in front of Successful. Then press Enter to open the RACF command overview panel shown in Figure 63. This panel shows you the successful RACF commands issued in your system. You can scroll right using PF1.

Event log record detail information                        1 s elapsed, 0.7 s CPU
Command ===> _________________________________________________  Scroll===> CSR_
4Apr05 09:17 to 4Apr05 09:21
   Date       Time      Description
__ 04Apr2005  09:17:16  RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPT
__ 04Apr2005  09:17:32  RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPT
__ 04Apr2005  09:17:46  RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPT
__ 04Apr2005  09:17:53  RACF SETROPTS success for IBMUSER
__ 04Apr2005  09:21:22  RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPT
__ 04Apr2005  09:21:30  RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPT
__ 04Apr2005  09:21:49  RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPT
__ 04Apr2005  09:21:55  RACF SETROPTS success for IBMUSER
******************************* BOTTOM OF DATA ********************************

Figure 63. RACF command event log records overview

5. To see more detail than just a one-line summary per record, select the option Include detail in the Output/run options section of the User Selection panel (Figure 62) and rerun the query.
In the RACF Event log overview panel, select a record to open the RACF command detail panel shown in Figure 64 on page 77. Now you can see the details; for example, the full command and the fields identifying the user.

Event log record detail information                                Line 1 of 43
Command ===> _________________________________________________  Scroll===> CSR_
4Apr05 09:17 to 4Apr05 09:21
Description   RACF PERMIT success for IBMUSER: PERMIT FACILITY $C2R.OPTION.HD.8
Record identification
_ Jobname + id:  IBMUSER     SMF date/time:  Wed 4 Apr 2005 09:17:46.59
_ SMF system:    DEMO        record type:    80     record no: CKR1SM01 3013
Event identification
RACF event description      Permit command (Success:No violations detected)
RACF event qualifier        0 Success
RACF descriptor for event   Class
RACF reason for logging     Special
SAF authority used          Special
Audit/message logstring
RACF command   PERMIT '$C2R.OPTION.HD.8' ACCESS(READ) CLASS(FACILITY) ID(IBMUSER)

Figure 64. RACF command event log record detail panel

Tracking configuration changes

Note: This function is available only in zSecure Audit for RACF.

The Change Tracking function is a powerful way of ensuring that changes in sensitive RACF and SYSTEM definitions are tracked. You can list the differences between the verified base and the current configuration. There are different kinds of sensitive RACF definitions; some examples are system-wide SPECIAL users, OPERATIONS users, and profiles that protect sensitive data sets. SYSTEM-related sensitive definitions are, for instance, APF-defined data sets such as those in the APF list (APFLIST). You can also mark other RACF or SYSTEM definitions as sensitive in addition to those already marked as sensitive. Other system settings that can be monitored include changes to the list of APF-authorized libraries and changes to the RACF Class Descriptor Table. You can track changes to most items about which zSecure Audit for RACF shows information. Tracked changes must be accepted, rejected, or deferred.
You accept a change to update the verified base, or you reject a change because it was an incorrect modification. If you reject a change, be sure to also undo the modification in your configuration; otherwise, during the next Change Tracking step, the same modification is reported again.

Detecting library changes

Note: This function is available only in zSecure Audit for RACF.

Using the Library Change Detection function in a realistic manner requires a certain amount of planning and time. After reviewing the short description that follows, you can decide whether you want to use this function during your evaluation. The function is described in detail in the Library Audit section of the IBM Security zSecure Admin and Audit for RACF: User Reference Manual.

The Library Change Detection function provides a library update report that is used to find and display changes to members of partitioned data sets, whether those members are load modules or source text. It contains logic to track libraries on shared DASD, in a sysplex environment, and in an SMS-managed environment.

The basic function is built around zSecure Collect data for every member in every library being monitored. All system libraries are usually included, though you can also exclude them, and you can specify other libraries to be monitored. zSecure Collect for z/OS examines each member of these libraries and computes a digital signature for the data in the member. This digital signature is recorded in the CKFREEZE data set produced by zSecure Collect for z/OS.

Library change detection can be a powerful tool, especially for internal auditors. By comparing data from month to month or year to year, the auditor can identify every program, either source code or load module, that changed during that period. This is not limited to system libraries: application libraries can be monitored just as well.
The default CKFREEZE data sets, such as the one you created when building your current input sets, do not contain the data necessary for library management. You must submit another zSecure Collect for z/OS job to gather library member data. If you want to try this, use the Freeze option (option 0) in the Audit - Libraries panel shown in Figure 65 on page 79. This option asks you for parameters and allows you to submit the necessary job. (The best option for you to select is probably System Libraries, but you can specify any libraries you want.) You can elect to reuse your existing CKFREEZE data set. The new CKFREEZE data set will have all the default data (from your z/OS tables, but not from VTOC, VVDS, catalogs, and so on), plus the new library member data. This zSecure Collect for z/OS job takes a few minutes to run because it must open and read every member of the selected libraries.

Menu  Options  Info  Commands  Setup  StartPanel
-------------------------------------------------------------------------------
                     zSecure Audit for RACF - Audit - Libraries
Option ===> ____________________________________________________

0  Freeze        Calculate new digital signatures
1  Lib all       Overview of all libraries
2  Lib changes   Overview of all libraries with changes
3  Status        Show member status
4  Changes       Identify members with changes
5  Scan          Show members flagged by SCAN function
6  Duplicates    Identify identical members
7  Application   Members summarized by application
8  Prefix        Members summarized by member prefix (component code)
9  PTF - ZAP     Members touched by PTF or ZAP

Figure 65. Primary library update analysis panel

To perform library change detection, you must have multiple generations of CKFREEZE data sets, and define at least two of them in your input set. With some planning, GDGs are ideal for this purpose. zSecure Audit for RACF compares the signatures in the various CKFREEZE data sets and produces reports.
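How comparing per-member signatures from an OLD and a NEW CKFREEZE yields a change report can be seen in the following added example; it is not zSecure code. It assumes each snapshot is an in-memory mapping of library to member contents, uses SHA-256 as the per-member signature, and also lists duplicate member names and duplicate contents, which the Duplicates option (6) in Figure 65 covers.

```python
"""Library change detection by comparing per-member digital signatures from an
OLD and a NEW snapshot, in the spirit of the CKFREEZE-based Library Audit
reports. Added example, not zSecure code. Assumes a snapshot is an in-memory
mapping {library: {member: content bytes}} and uses SHA-256 as the signature."""
import hashlib
from collections import defaultdict


def sign_snapshot(snapshot):
    """{library: {member: bytes}} -> {library: {member: hex signature}}."""
    return {lib: {mem: hashlib.sha256(data).hexdigest() for mem, data in members.items()}
            for lib, members in snapshot.items()}


def library_changes(old, new):
    """Per library, the members added, deleted, or whose signature changed
    between the OLD and NEW signed snapshots (the Changes report, option 4)."""
    report = {}
    for lib in sorted(set(old) | set(new)):
        o, n = old.get(lib, {}), new.get(lib, {})
        changed = sorted(m for m in o.keys() & n.keys() if o[m] != n[m])
        added, deleted = sorted(n.keys() - o.keys()), sorted(o.keys() - n.keys())
        if changed or added or deleted:
            report[lib] = {"changed": changed, "added": added, "deleted": deleted}
    return report


def duplicate_members(signed):
    """Members sharing a name across libraries, and members with identical
    contents regardless of name (the Duplicates report, option 6)."""
    by_name, by_sig = defaultdict(list), defaultdict(list)
    for lib, members in signed.items():
        for mem, sig in members.items():
            by_name[mem].append(lib)
            by_sig[sig].append(f"{lib}({mem})")
    name_dups = {m: sorted(libs) for m, libs in by_name.items() if len(libs) > 1}
    content_dups = sorted(sorted(v) for v in by_sig.values() if len(v) > 1)
    return name_dups, content_dups


# Constructed snapshots, standing in for the CKFREEZEs of 4 Apr and 8 Apr 2005.
OLD_SNAPSHOT = {
    "SYS1.LINKLIB": {"IEFBR14": b"load-a", "IKJEFT01": b"load-b1", "APPLMOD1": b"load-c"},
    "SYS1.LPALIB":  {"IEFBR14": b"load-a", "APPLMOD1": b"load-c"},
    "PROD.LOADLIB": {"PAYROLL": b"load-d"},
}
NEW_SNAPSHOT = {
    "SYS1.LINKLIB": {"IEFBR14": b"load-a", "IKJEFT01": b"load-b2", "APPLMOD1": b"load-c",
                     "NEWMOD": b"load-e"},
    "SYS1.LPALIB":  {"IEFBR14": b"load-a"},
    "PROD.LOADLIB": {"PAYROLL": b"load-d"},
}


def example_report():
    """Change report OLD -> NEW, plus the duplicates present in NEW."""
    old, new = sign_snapshot(OLD_SNAPSHOT), sign_snapshot(NEW_SNAPSHOT)
    return library_changes(old, new), duplicate_members(new)


if __name__ == "__main__":
    changes, (name_dups, content_dups) = example_report()
    for lib, detail in changes.items():
        print(lib, detail)
    print("same name in several libraries:", name_dups)
    print("identical contents:", content_dups)
```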
Not all functions of library update analysis require two CKFREEZE data sets. Options 1, 3, 5, 6, 7, 8, and 9 can be used with one or more CKFREEZE data sets.

Other options are available as part of library monitoring. For example, zSecure Collect for z/OS can examine library members for specific text or hexadecimal strings anywhere in the member, or for usage of specific SuperVisor Calls (SVCs). This is a good way to answer the frequently asked question of which program is using an SVC. These options are described in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. During data collection for CKFREEZE, the hex searches can also be used to locate typical authorization code fragments.

The option to identify duplicate members can be useful. It can detect, in all the libraries scanned when the CKFREEZE data set was built, library members with duplicate member names, or with duplicate contents regardless of the member name. There is no reasonable way to do either of these with standard z/OS utilities, yet detection of duplicate members is critical for effective software maintenance and for audit control.

To use the Library Change Detection functions, your input file setup might look similar to this example:

Menu  Options  Info  Commands
-------------------------------------------------------------------------------
                  zSecure Audit for RACF - Setup - Input File          Row 1 from 5
Command ===> ________________________________________________  Scroll ===> CSR_
(Un)select (U/S) set of input files or work with a set (B, E, R, I, D or F)
  Description                                            Complex
_ CKFREEZE dd 4 Apr 2005                                          selected
_ CKFREEZE dd 8 Apr 2005                                          selected
_ Active primary RACF data base                          DEMO
_ Active backup RACF data base                           DEMO
_ Active backup RACF data base and live SMF data sets    DEMO
******************************* Bottom of data ********************************

Figure 66. Input set definition

This is a rather primitive input structure, but it can be used for evaluation.
The SMF data set is not required for the library functions discussed here. You would collect the OLD data first, using the Freeze option to generate and submit the necessary job, and then collect the NEW data a few days later. For long-term use, you would probably use generation data groups, such as 'HLQ.CKFREEZE(0)' and 'HLQ.CKFREEZE(-1)'.

An input set can contain any reasonable number of SMF and CKFREEZE data sets, and one RACF database. The RACF database can be the active RACF database, unloaded RACF data, a copy of a RACF database, or an active RACF database from another system. It can consist of any number of data sets.

Chapter 10. Using resource-based reports on TCP/IP configuration, z/OS UNIX, CICS, IMS, and DB2

The Resource reports option (RE), available from the Main menu, provides access to display and reporting options for the following RACF resources:

- TCP/IP configuration and statistics
- UNIX file system information and audit reports
- CICS region, transaction, and program data
- IMS region, transaction, and program data
- DB2 region data

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                              zSecure Suite - Main menu
Option ===> __________________________________________________________________

SE  Setup        Options and input data sets
RA  RACF         RACF Administration
AU  Audit        Audit security and system resources
RE  Resource     Resource reports
I   IP Stack     TCP/IP stack reports
U   Unix         Unix filesystem reports
C   CICS         CICS region and resource reports
M   IMS          IMS control region and resource reports
D   DB2          DB2 region report
AM  Access       RACF Access Monitor
EV  Events       Event reporting from SMF and other logs
CO  Commands     Run commands from library
IN  Information  Information and documentation
LO  Local        Locally defined options
X   Exit         Exit this panel

Input complex:    DAILY
Product/release:  5655-T01 IBM Security zSecure Admin 1.13.0
                  5655-T02 IBM Security zSecure Audit for RACF 1.13.0

Figure 67. zSecure Audit for RACF Main menu

For more information, see the following topics:

- “IP Stack reports”
- “UNIX filesystem reports (RE.U)” on page 83
- “CICS region and resource reports” on page 86
- “IMS region and resource reports” on page 89
- “DB2 region reports” on page 92

IP Stack reports

Use the RE.I option to select and display TCP/IP configuration and statistics data. This data is obtained from a CKFREEZE data set created by running zSecure Collect APF-authorized with the TCPIP=YES parameter. You can also report on SMF events related to IP configuration data using the EV.I menu option.

When you select RE.I from the Main menu, the panel shown in Figure 68 is displayed.

Menu  Options  Info  Commands  Setup
-------------------------------------------------------------------------------
                    zSecure Suite - Resource - IP stack Selection
Command ===> __________________________________________________  _ start panel

Show TCP/IP stack configuration data that fit all of the following criteria:
Stack name . . . . . . ________ (name or filter)
System . . . . . . . . ________ (system or filter)
Sysplex . . . . . . .  ________ (sysplex or filter)

Output/run options
_ Ports       _ Rules      _ VIPA             _ Output in print format
_ Interfaces  _ Routes     _ Netaccess        _ Run in background
_ AUTOLOG     _ Resolver   _ Customize title  _ Send as e-mail

Figure 68. IP stack Selection panel

From the IP stack Selection panel, you can limit the TCP/IP stack configuration data by entering selection criteria into one or more fields. When you specify selection criteria, only records that match all criteria are included in the output. Filters can be used in some of the selection fields. For a description of the selection fields, and to determine whether a field supports filters, use the field-sensitive help function (PF1). You can also specify Output and run options on the Selection panel.
You can use the run options (Ports, Rules, VIPA, Interfaces, Routes, Netaccess, AUTOLOG, and Resolver) to specify additional selection criteria for specific types of IP configuration data. Use the output run options to specify report and print options. When you select any of these options, the corresponding panels are displayed when you press Enter on the IP stack Selection panel. If you do not select any Output or run options, the data is processed as soon as you press Enter on the IP Stack Selection panel. An overview panel is immediately displayed with a summary of the IP configuration records that match the selection criteria you specified. See the IBM Security zSecure Admin and Audit for RACF: User Reference Manual for more detailed information about these reports.

UNIX filesystem reports (RE.U)

When you select option RE.U, the Resource - Unix panel shown in Figure 69 opens.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                          zSecure Suite - Resource - Unix
  Option ===> __________________________________________________________________
  F  Filesystem  Unix filesystem selection
  R  Reports     Unix audit reports

  Figure 69. Resource Unix Menu

Filesystem - Unix filesystem reports

Use this option to select and display UNIX file system records. A full CKFREEZE data set read is required, and the CKFREEZE data set must have been made with the UNIX=Y parameter. If the zSecure Collect run was APF-authorized, additional information is displayed.

When you select option F, the Resource - Unix Selection panel shown in Figure 70 opens.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                      zSecure Suite - Resource - Unix Selection
  Command ===> __________________________________________________   _ start panel
  Show Unix files that fit all of the following criteria:
  File . .  ________________________________________________________________
  Complex . ________   (complex or EGN mask)

  Advanced selection criteria
  _ File attributes   _ File system   _ File ACL
  Output/run options
  _ Output in print format   _ Customize title   _ Send as e-mail   _ Run in background

  Figure 70. Resource Unix selection panel

If the selection panel is left blank, all UNIX files are selected. You can limit the UNIX files selected by completing one or more fields to be used as selection criteria. Only records that match all criteria are selected. Filters can be used in some of the selection fields.

You can select one of the Advanced selection criteria to specify filters to select and display UNIX files. When you select a criterion, a panel opens where you can specify the attributes in which you are interested.

Use the Output/Run options to customize settings to run the report and generate output. The settings you specify are saved in your ISPF profile and become the default settings for all UNIX panels that provide the option. For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

After processing the CKFREEZE file using the specified selection criteria, the UNIX summary panel opens to display the results as shown in Figure 71.

  IBM Security zSecure UNIX summary                               Line 1 of 26
  Command ===> _________________________________________   Scroll===> CSR_
  All Unix files                                              28 Aug 2008 00:07
  Complex   System   Count
  EEND      EEND     70562

     Count  FS mount point
  __    24  /
  __     2  /home
  __     2  /home/crmbhg1
  __   205  /u
  __     5  /u/automount
  __  1713  /u/automount/c2eaudit
  __  3105  /u/automount/c2rnew
  __   446  /u/automount/smpe
  __   730  /u/automount/smpe/smpnts/STP82890/SMPPTFIN
  __  1434  /u/automount/C2RSRV#P
  __   283  /u/automount/C2RSRV#P/PZ00350
  __     1  /u/automount2
  __     1  /u/zosmapper
  __    11  /EEND

  Figure 71. UNIX summary display

Selecting any of the mount points listed in the UNIX summary panel (Figure 71) displays the list of UNIX files for that mount point as shown in Figure 72.

  IBM Security zSecure UNIX summary                              Line 1 of 446
  Command ===> _________________________________________   Scroll===> CSR_
  All Unix files                                              28 Aug 2008 00:07
  Complex   System   Count
  EEND      EEND     70562
  Count  FS mount point
    446  /u/automount/smpe
     T FileMode     + apsl  AuF  Owner    Group   Relative pathname (within FS)
  __ d rwx------            fff  CRMBHJ1  ZSECUR  .
  __ d rwx------            fff  CRMBHJ1  LDAP    smpnts
  __ l                      fff  CRMBHJ1  LDAP    smpnts/zos19jpn
  __ d rwx------            fff  CRMBHJ1  LDAP    smpnts/STP82890
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/GIMPAF.XML
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/GIMPAF.XSL
  __ d rwx------            fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPHOLD
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPHOLD/S0004.ESMCP
  __ d rwx------            fff  CRMBHJ1  ZSECUR  smpnts/STP82890/SMPPTFIN
  __ d rwx------            fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF/CPPCACHE.IB
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF/CPPCACHE.IB
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF/CPPCACHE.IB
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF/CPPCACHE.IB
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF/CPPCACHE.IB
  __ - rw--------s-         fff  CRMBHJ1  LDAP    smpnts/STP82890/SMPRELF/CPPCACHE.IB

  Figure 72. UNIX summary panel - UNIX file list for selected mount point

You can perform the following actions from this panel:
v To browse the regular files, type B in the selection field for a file or directory entry.
v To call the UNIX System Services ISPF Shell for a file or directory, type I in the selection field for that file or directory.
v To start the z/OS UNIX Directory List Utility for a directory, type U in the selection field for the directory.
When you browse a file from the UNIX file list display panel (Figure 72), the UNIX file detail display panel shown in Figure 73 on page 85 opens. To browse the contents of a file in this panel, type B in front of the Absolute pathname field.

  IBM Security zSecure UNIX summary                               Line 1 of 57
  Command ===> _________________________________________   Scroll===> CSR_
  All Unix files                                              28 Aug 2008 00:07

  System view of file
  _ Complex name                   EEND
  _ Sysplex name                   NLDLPPLX
  _ System name                    EEND
  _ Absolute pathname              /u/automount/smpe/smpnts/STP82890/GIMPAF.XML
    FS mounted with SECURITY       Yes
    FS mounted with SETUID         No
    FS mounted READ/WRITE          Yes
    File access attributes         go=,u=rw
    Security label
    Extended file attributes       +s -apl
    Effective audit flags          =f
    Owner name                     CRMBHJ1 CRMQA097 HZSUSER LDAPSRV OMVS
                                   RCCSL01 SKRBKDC STRCONS STRTASK TCPSRV
    Group name                     LDAP SMPE
    Home Directory for Users
    Device                         1648
    Relative audit priority
    Audit concern

  Physical file attributes
    Complex that owns file system  EEND
    System that owns file system   EEND
    File system data set name      CRMBOMVS.U.SMPE.HFS
    Volume serial for file system  SMPNTS
    File system DASD serial + id   IBM-68-000000065892-0062
    Relative pathname within FS    smpnts/STP82890/GIMPAF.XML
    File type
    Physical access attributes     o=,u=rw,g=r
    Physical extended attributes   +s -apl
    User-requested audit flags     =f
    Auditor-specified audit flags  =
    User id                        0
    Group id                       3
    Inode number                   98
    File audit id                  01E2D4D7D5E3E2000F05000000620000
    Number of hard links           1
    Link target

  User      TOrwx  ACL id    UID/GID
  CRMBHJ1   urw-   CRMBHJ1         0
  CRMQA097  urw-   CRMQA097        0
  HZSUSER   urw-   HZSUSER         0
  LDAPSRV   urw-   LDAPSRV         0
  OMVS      urw-   OMVS            0
  RCCSL01   urw-   RCCSL01         0
  SKRBKDC   urw-   SKRBKDC         0
  STRCONS   urw-   STRCONS         0
  STRTASK   urw-   STRTASK         0
  TCPSRV    urw-   TCPSRV          0
  -group-   gr--   LDAP            3
  -group-   gr--   SMPE            3
  -other-   o---   - any -       n/a
  (Name column, in the order extracted: JOHN FRANK TEST QUOTED FORMAT InstData OMVS HOME TO TEST $QU
   Z/OS HEALTH CHECKER LDAP SERVER USER JOHN SMEDLINE SPEC. KERBEROS STARTEDTASK NETW AUTH KERBEROS STC
   VOOR TSO CONSOLE DIV STARTED TASK USR TCPIP STARTED TASK)
  ******************************* Bottom of Data ********************************

  Figure 73. UNIX detail display

For more detailed information about these reports, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

Reports - running the predefined UNIX audit reports

Use the Reports option to generate any of the predefined UNIX audit reports available in zSecure. When you select this option, a panel opens with a list of reports for selection. See Figure 74. For details about a specific report, position the cursor on the report selection field, and then press F1 to view the online help.

  zSecure Suite Display Selection                        3 s elapsed, 0.8 s CPU
  Command ===>__________________________________________________   Scroll===> PAGE
    Name      Summary  Records  Title
  _ MOUNT           0        0  Effective UNIX mount points
  _ UNIXAPF         0        0  UNIX files with APF authorization
  _ UNIXCTL         0        0  UNIX files that are program controlled (daemons etc)
  _ UNIXSUID        0        0  UNIX files with SETUID authorization
  _ UNIXSGID        0        0  UNIX files with SETGID authorization
  _ GLBWUNIX        0        0  UNIX files vulnerable to trojan horse & back door at
  _ UIDNOUSR        0        0  UIDs not defined in the complex
  _ GIDNOGRP        0        0  GIDs not defined in the complex
  _ SHRDUIDS        1      196  OMVS UIDs shared between RACF users
  _ OMVSNUID        1       21  RACF users with OMVS segment but no UID
  _ SHRDGIDS        1       42  OMVS GIDs shared between RACF groups
  _ OMVSNGID        1        2  RACF groups with OMVS segment but no GID
  ******************************* Bottom of Data ********************************

  Figure 74. Unix Reports listing

CICS region and resource reports

Use the RE.C option on the Main menu to select and display CICS region, transaction, and program data. The report data is obtained from a CKFREEZE data set that is created by running zSecure Collect APF-authorized.
When you select RE.C, the CICS Resource panel shown in Figure 75 is displayed. The T and P options are features provided by the zSecure Audit products.

  Menu  Options  Info  Commands  Setup  Startpanel
  ------------------------------------------------------------------------------
                          zSecure Suite - Resource - CICS
  Option ===> __________________________________________________________________
  R  Regions       CICS region reports
  T  Transactions  CICS transactions selection and reports
  P  Programs      CICS programs selection and reports

  Figure 75. CICS Resource panel

CICS region reports

In the CICS Resource panel in Figure 75, select the R menu option to display the CICS Regions selection panel in Figure 76 on page 87. Use this panel to enter selection criteria in one or more fields to limit the CICS region configuration data. When you specify selection criteria, the output includes only those records that match all the selection criteria. Filters can be used in some of the selection fields. To find out if a field supports filters, use the field-sensitive help function (PF1).

You can also select output and run options in the CICS Regions selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of the CICS region records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                          zSecure Suite - CICS - Regions
  Command ===> __________________________________________________________________
  Show CICS regions that fit all of the following criteria:
  Jobname . . . . . . . . ________   (jobname or filter)
  VTAM applid . . . . . . ________   (applid or filter)
  SYSIDNT . . . . . . . . ________   (identifier or filter)
  Complex . . . . . . . . ________   (complex or filter)
  System  . . . . . . . . ____       (system or filter)

  Advanced selection criteria
  _ Region security settings   _ Region attributes   _ Classes
  Output/run options
  _ Print format     _ Customize title   _ Send as e-mail
  _ Background run   _ Full page form

  Figure 76. CICS Regions selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

CICS transaction reports

In the CICS Resource panel in Figure 75 on page 86, select the T menu option to display the CICS Transactions selection panel in Figure 77 on page 88. Use this panel to enter selection criteria in one or more fields to limit the CICS transaction data. When you specify selection criteria, only those records that match all criteria are included in the output. Filters can be used in some of the selection fields. To find out if a field supports filters, use the field-sensitive help function (PF1). To create a simulate report, use the report type option Simulate access for specified resource.

You can also select output and run options in the CICS Transactions selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of the CICS transaction records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                        zSecure Suite - CICS - Transactions
  Command ===> __________________________________________________________________
  Show CICS transactions that fit all of the following criteria:
  Transaction . . . . . . ____       (transaction or filter)
  Program . . . . . . . . ________   (program name or filter)
  Jobname . . . . . . . . ________   (jobname or filter)
  VTAM applid . . . . . . ________   (applid or filter)
  SYSIDNT . . . . . . . . ____       (identifier or filter)
  Complex . . . . . . . . ________   (complex or filter)
  System  . . . . . . . . ____       (system or filter)
  Type of report  . . . . 1          1. Show resource definitions
                                     2. Simulate access for specified resource
  Advanced transaction selection criteria
  _ Security settings   _ Attributes
  Output/run options    1  0. No summary
  _ Print format           1. Summarize by region        _ Customize title   _ Full page form
  _ Background run         2. Summarize by transaction   _ Send as e-mail

  Figure 77. CICS Transactions selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

CICS program reports

In the CICS Resource panel in Figure 75 on page 86, select the P menu option to display the CICS Programs selection panel in Figure 78 on page 89. Use this panel to enter selection criteria in one or more fields to limit CICS program data. When you specify selection criteria, only those records that match all criteria are included in the output. Filters can be used in some of the selection fields. To find out if a field supports filters, use the field-sensitive help function (F1). To create a simulate report, use the report type option Simulate access for specified resource.

You can also select output and run options in the CICS Programs selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of the CICS program records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                          zSecure Suite - CICS - Programs
  Command ===> __________________________________________________________________
  Show CICS programs that fit all of the following criteria:
  Program . . . . . . . . ________   (program name or filter)
  Program type  . . . . . 4          1. Program  2. Mapset  3. Partitionset  4. All
  Jobname . . . . . . . . ________   (jobname or filter)
  VTAM applid . . . . . . ________   (applid or filter)
  SYSIDNT . . . . . . . . ____       (identifier or filter)
  Complex . . . . . . . . ________   (complex or filter)
  System  . . . . . . . . ____       (system or filter)
  Type of report  . . . . 1          1. Show resource definitions
                                     2. Simulate access for specified resource
  Advanced transaction selection criteria
  _ Security settings   _ Attributes
  Output/run options    _  0. No summary
  _ Print format           1. Summarize by region    _ Customize title   _ Send as e-mail
  _ Background run         2. Summarize by program   _ Full page form

  Figure 78. CICS Programs selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

IMS region and resource reports

Use the RE.M option on the Main menu to select and display IMS region, transaction, and program data. The report data is obtained from a CKFREEZE data set created by running zSecure Collect APF-authorized.

When you select RE.M, the IMS Resource panel shown in Figure 79 is displayed. The T and P options are features provided by the zSecure Audit products.

  Menu  Options  Info  Commands  Setup  Startpanel
  ------------------------------------------------------------------------------
                          zSecure Suite - Resource - IMS
  Option ===> __________________________________________________________________
  R  Regions       IMS control region reports
  T  Transactions  IMS transactions reports
  P  PSBs          IMS program specification blocks

  Figure 79. IMS Resource panel

IMS region reports

In the IMS Resource panel in Figure 79, select the R menu option to display the IMS Regions selection panel in Figure 80 on page 90. Use this panel to enter selection criteria in one or more fields to limit the IMS region configuration data. When you specify selection criteria, the output includes only those records that match all the selection criteria. Filters can be used in some of the selection fields.
To find out if a field supports filters, use the field-sensitive help function (F1).

You can also select output and run options in the IMS Regions selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of the IMS region records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                          zSecure Suite - IMS - Regions
  Command ===> __________________________________________________________________
  Show IMS control regions that fit all of the following criteria:
  Jobname . . . . . . . . ________   (jobname or filter)
  VTAM applid . . . . . . ________   (applid or filter)
  IMSID . . . . . . . . . ________   (identifier or filter)
  Complex . . . . . . . . ________   (complex or filter)
  System  . . . . . . . . ____       (system or filter)

  Advanced selection criteria
  _ Region security settings
  Output/run options
  _ Print format     _ Customize title   _ Send as e-mail
  _ Background run   _ Full page form

  Figure 80. IMS Regions selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

IMS transaction reports

In the IMS Resource panel in Figure 79 on page 89, select the T menu option to display the IMS Transaction selection panel shown in Figure 81 on page 91. Use this panel to enter selection criteria in one or more fields to limit IMS transaction data. When you specify selection criteria, only those records that match all criteria are included in the output. Filters can be used in some of the selection fields. To find out if a field supports filters, use the field-sensitive help function (F1). To create a simulate report, use the report type option Simulate access for specified resource.
You can also select output and run options on the IMS transaction selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of IMS transaction records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                        zSecure Suite - IMS - Transactions
  Command ===> __________________________________________________________________
  Show IMS transactions that fit all of the following criteria:
  Transaction . . . . . . ________   (transaction or filter)
  Transaction class . . . ____       (class number or filter)
  Program specif. block   ________   (PSB or filter)
  Jobname . . . . . . . . ________   (jobname or filter)
  VTAM applid . . . . . . ________   (applid or filter)
  IMSID . . . . . . . . . ____       (identifier or filter)
  Complex . . . . . . . . ________   (complex or filter)
  System  . . . . . . . . ____       (system or filter)
  Type of report  . . . . 1          1. Show resource definitions
                                     2. Simulate access for specified resource
  Advanced transaction selection criteria
  _ Security settings
  Output/run options    0  0. No summary
  _ Print format           1. Summarize by region        _ Customize title   _ Send as e-mail
  _ Background run         2. Summarize by transaction   / Full page form

  Figure 81. IMS Transactions selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

IMS PSB reports

In the IMS Resource panel in Figure 79 on page 89, select the P menu option to display the IMS PSBs selection panel in Figure 82 on page 92. Use this panel to enter selection criteria in one or more fields to limit IMS program specification block data. When you specify selection criteria, only those records that match all criteria are included in the output. Filters can be used in some of the selection fields.
To find out if a field supports filters, use the field-sensitive help function (F1). To create a simulate report, use the report type option Simulate access for specified resource.

You can also select output and run options on the IMS PSBs selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of IMS PSB records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                            zSecure Suite - IMS - PSBs
  Command ===> __________________________________________________________________
  Show IMS PSBs that fit all of the following criteria:
  Program specif. block   ________   (PSB or filter)
  Jobname . . . . . . . . ________   (jobname or filter)
  VTAM applid . . . . . . ________   (applid or filter)
  IMSID . . . . . . . . . ____       (identifier or filter)
  Complex . . . . . . . . ________   (complex or filter)
  System  . . . . . . . . ____       (system or filter)
  Type of report  . . . . 1          1. Show resource definitions
                                     2. Simulate access for specified resource
  Advanced PSB selection criteria
  _ Security settings
  Output/run options    0  0. No summary
  _ Print format           1. Summarize by region        _ Customize title   _ Send as e-mail
  _ Background run         2. Summarize by transaction   / Full page form

  Figure 82. IMS PSB selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

DB2 region reports

Use the RE.D option on the Main menu to select and display DB2 region data. When you select RE.D, the DB2 regions selection panel shown in Figure 83 on page 93 is displayed. Use this panel to enter selection criteria in one or more fields to limit the DB2 region configuration data.
When you specify selection criteria, the output includes only those records that match all the selection criteria. Filters can be used in some of the selection fields. To find out if a field supports filters, use the field-sensitive help function (PF1).

You can also select output and run options in the DB2 regions selection panel, or select no options and report data is processed as soon as you press Enter. The overview panel that is displayed shows a summary of the DB2 region records that match your selection criteria.

  Menu  Options  Info  Commands  Setup
  ------------------------------------------------------------------------------
                              zSecure Suite - DB2
  Command ===> __________________________________________________________________
  Show DB2 regions that fit all of the following criteria:
  Jobname . . . . . . . . ________           (jobname or filter)
  Local LU name . . . . . ________           (luname or filter)
  Local site name . . . . ________________   (name or filter)
  DB2ID . . . . . . . . . ____               (identifier or filter)
  Group attachment name   ____               (name or filter)
  Complex . . . . . . . . ________           (complex or filter)
  System  . . . . . . . . ____               (system or filter)

  Advanced selection criteria
  _ Region security settings
  Output/run options
  _ Print format     _ Customize title   _ Send as e-mail
  _ Background run   _ Full page form

  Figure 83. DB2 Region selection panel

For detailed information, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual and the online help.

Chapter 11. Using CARLa commands

zSecure Admin and Audit for RACF ISPF panels generate commands that are sent to the products for execution. These commands are in the CARLa Auditing and Reporting Language (CARLa), a useful tool for systems programmers.
This process is transparent to interactive users, but becomes important if you want to use product functions in batch mode. In general, the same CARLa commands can be used in either interactive mode or in batch mode. For example, you can use one of the primary options, the CO.C option, to specify CARLa commands directly.

Tip: Instead of typing =CO.C, you can also type the primary command CARLA at the command prompt on a panel to specify CARLa commands.

Many CARLa samples are provided with the products. When you have time, browse them at random and run the code samples that are interesting to you. You can also look at the index member CKA$INDX, which contains a list of all members in the CARLa library with a brief explanation. You can also browse the SCKRCARL library, which contains interactive ISPF and batch reports that you can use or tailor for your own needs. For more detailed information about CARLa and the SCKRCARL library, see the IBM Security zSecure Admin and Audit for RACF: User Reference Manual.

Tip: To browse the SCKRCARL library, you can use the following steps:
1. Issue the TSO ISRDDN command from within the product under ISPF.
2. Type F SCKRCARL to look for the active SCKRCARL library.
3. Use the B(rowse) function to open the SCKRCARL library. The CKA$INDX member at the top lists the available members and their functions.

In addition to the manuals, IBM offers CARLa programming and customer enablement courses for frequent users of zSecure Admin and zSecure Audit for RACF. There is also a zSecure Customer Forum on developerWorks® at http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1255. For links to this forum and other resources, see the Community and Support tab in the zSecure Information Center at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.zsecure.doc_1.13/welcome.html.
You can use CARLa to define and format custom reports, using any fields known to RACF and SMF, with headings and line formats specified by you. Typical use involves identifying a pre-built display or report that is almost what you need, capturing and saving the CARLa used to generate the Display/Report from the Results panel, and modifying it to produce exactly what you need.

zSecure Admin and Audit for RACF provides a whole library of sample CARLa material, the CKRCARLA library. You can add new members to this library, or create your own library. Do not alter the existing members of the library, because the interactive functions of the products use these members.

To run one of the members of the CKRCARLA library, complete the following steps:
1. Select option CO (Command) from the Main menu. Then press Enter to open the Commands panel shown in Figure 84 on page 96. This panel is used to perform library commands.

  Menu  Options  Info  Commands  Setup  Startpanel
  ------------------------------------------------------------------------------
                     zSecure Admin+Audit for RACF - Commands
  Option ===> __________________________________________________________________
  1  Libraries  Select and maintain command library
  2  Members    Work with members from current command library
  3  Edit       Edit member from current command library
  4  Run        Run member from current command library
  5  Submit     Run member from current command library in background
  C  Command    Type in any CARLa command

  Member name . . . . ________   (If 3, 4 or 5 selected)
  Two pass query  . . N          (Y/N, option 4 only)
  Current library . . DD:CKRCARLA
  Input complex . . .            Input set created 8 Apr 2005
  Current mask type . EGN

  Figure 84. Commands (CO) used to run library commands

2. Select option 2 (Members) and then press Enter to select a member, or find the name of the member you want to execute in one of the user reference manuals. For this example, use member CKRLMTX3.
3. If you are using the Members function, find the member name (CKRLMTX3 or the member name you chose from the reference manual) in the Member list, or type the member name in the Member name field in the Commands panel.
4. From the members list, issue the E line command in front of the member you want to use (for example, CKRLMTX3). From the Commands panel, type option 3 (Edit) and press Enter. A panel opens showing the selected CARLa member as shown in Figure 85 on page 97.

  EDIT       CKR.SCKRCARL(CKRLMTX3) - 01.00                    Columns 00001 00080
  Command ===>                                                  Scroll ===> CSR
  ****** ********************************* Top of Data **********************************
  =NOTE= Enter GO or RUN to execute commands, SUB or SUBMIT to generate batch job
  000001 /**************************************************BeginModule********
  000002 * LICENSED MATERIALS - PROPERTY OF IBM
  000003 * 5655-T01
  000004 * Copyright IBM Corp. 1989, 2007
  000005 * All Rights Reserved
  000006 * US Government Users Restricted Rights - Use, duplication or
  000007 * disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
  000008 * File-stamp: <050621 MR 12:44:08 CKRLMTX3.SCKRCARL>
  000009 * FMID: HCKR1C0 RMID: HCKR1C0 IBM Security zSecure Base 1.12.0
  000010 * Purpose:
  000011 *   List ACL matrix
  000012 * Notes:
  000013 *   Imbed this member after a selection newlist RACFSEL, e.g.:
  000014 *
  000015 *   n name=racfsel outlim=0
  000016 *   select c=dataset s=base qual=SYS1
  000017 *   sortlist qual
  000018 *   i m=ckrlmtx3
  000019 *
  000020 * History:
  000021 *   011015 1.2.0 SDG ERZ120: Created
  000022 *   050621 1.7.0 MR EZ0506016: Added execute & RACFSEL
  000023 ****************************************************EndModule********/
  000024
  000025 n type=racf title='Data set access matrix'
  000026 def alter(aclid,8,'Alter')
  000027     subselect acl(access=alter and missing(whenprof))
  000028 def control(aclid,8,'Control')
  000029     subselect acl(access=control and missing(whenprof))
  000030 def update(aclid,8,'Update')
  000031     subselect acl(access=update and missing(whenprof))
  000032 def read(aclid,8,'Read')
  000033     subselect acl(access=read and missing(whenprof))
  000034 def exec(aclid,8,'Execute')
  000035     subselect acl(access=execute and missing(whenprof))
  000036 def condacc(aclaccess,1,'C')
  000037     subselect acl(exists(whenprof))
  000038 def hdr_o('o',1,hdr$blank) true where((key='^'))   /* always FALSE */
  000039 def cond(aclid,'nditional')
  000040     subselect acl(exists(whenprof))
  000041
  000042 select c=dataset s=base likelist=racfsel
  000043 sortlist key(35) uacc alter control update read exec condacc,
  000044          | hdr_o | cond
  ****** ******************************** Bottom of Data ********************************

  Figure 85. Member CKRLMTX3 of the CKRCARLA library

Update the data sets that contain the software only during installation and when applying maintenance. If you need customized members, store them in a data set of your own and use the configuration parameters WPREFIX or UPREFIX to use these data sets.

The CARLa program selected shows a matrix of the access granted on one or more profiles. It needs some customization for you to select the profiles you want to be reported on. To avoid changing the original member, this procedure shows you how to work with a temporary copy. To customize the CARLa program, complete the following steps:
1. Issue the CANCEL command to be sure that you leave the edit session without making any accidental changes to the member.
2. Enter option 4 (Run). Because the needed customization has not yet been done, using this option results in a syntax error about an incorrect LIKELIST.
3. Press PF3 to open the Results panel. Then, enter an E before the Command line and press Enter. You are now editing a temporary copy of the CARLa program.
4. Customize the program. The customization required is documented in the Notes section of the header. This program was created to be included from other programs. To include the program, write a selection newlist (lines 15 to 17), and include the program directly behind it (line 18). You can achieve the same result by adding the selection newlist to the start of the CARLa program:
5. Copy lines 15 to 17 directly after line 23. (Remove the * to uncomment them.)
6. Change the class (c=dataset) and HLQ (qual=sys1) specifications to match the profiles that you want to see.
7. Type Go or Run in the Command line to execute this program. A report similar to the one shown in Figure 86 opens.

  BROWSE - IBMUSER.C2R10FE.REPORT ------------------------ LINE 0000   0.5 s CPU, RC=0
  COMMAND ===>                                                        SCROLL ===> CSR
  ********************************* Top of Data **********************************
                          P R O F I L E   L I S T I N G                4 Apr 2005 00:50
  Access matrix
  Profile key           UACC   Alter   Control   Update   Read
  SYS1.*.**
  SYS1.*.MAN*.**
  SYS1.BRODCAST
  SYS1.CMDLIB
  SYS1.C#M.LINKLIB
  SYS1.CSSLIB
  (UACC values READ and NONE and the access-list IDs SYS1, SYSPROG, P390, STRTASK, *, C#MBWTK,
   C#MBWT3, C#MA, C#MBRACF, C#MARACF and C#MBDSCT appear in the report columns but cannot be
   assigned to rows from the extracted text)

  Figure 86. CARLA access matrix
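The outcome of steps 5 and 6, written out as one complete CARLa program. This is an added illustration assembled from the CKRLMTX3 member shown in Figure 85, not a member of the product's sample library: the selection newlist from the member's Notes section is placed in front of the matrix definition, and the high-level qualifier PAYROLL is a constructed placeholder for whatever profiles you want reported.

```carla
/* Added example, not a product sample member: CKRLMTX3 after the      */
/* customization in steps 5 and 6. The selection newlist that the     */
/* member's Notes section asks for is placed in front of the matrix   */
/* definition, so the member no longer has to be imbedded with        */
/* "i m=ckrlmtx3". The class (c=dataset) and qualifier (qual=PAYROLL) */
/* are constructed placeholders: set them to the profiles you want.   */

/* Selection newlist: decides which DATASET profiles enter the matrix. */
/* outlim=0 suppresses its own output; it exists only to feed LIKELIST. */
n name=racfsel outlim=0
select c=dataset s=base qual=PAYROLL
sortlist qual

/* Report newlist: one column per access level. Each DEF takes the     */
/* access-list IDs (aclid) at that level; missing(whenprof) keeps      */
/* conditional entries out of the plain columns.                       */
n type=racf title='Data set access matrix'
def alter(aclid,8,'Alter')
    subselect acl(access=alter and missing(whenprof))
def control(aclid,8,'Control')
    subselect acl(access=control and missing(whenprof))
def update(aclid,8,'Update')
    subselect acl(access=update and missing(whenprof))
def read(aclid,8,'Read')
    subselect acl(access=read and missing(whenprof))
def exec(aclid,8,'Execute')
    subselect acl(access=execute and missing(whenprof))
/* Conditional access entries (whenprof present) get their own column. */
def condacc(aclaccess,1,'C')
    subselect acl(exists(whenprof))
def hdr_o('o',1,hdr$blank) true where((key='^'))   /* always FALSE */
def cond(aclid,'nditional')
    subselect acl(exists(whenprof))

/* Only profiles that the selection newlist picked are reported.       */
select c=dataset s=base likelist=racfsel
sortlist key(35) uacc alter control update read exec condacc,
         | hdr_o | cond
```

Run it with GO or RUN from the edit session, as in step 7. Because the conditional entries are tested separately, an ID that has access only through a conditional access list entry shows up under the Conditional column and not under Alter, Control, Update, Read or Execute, which keeps the matrix honest about who can reach the profile unconditionally.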
CARLA access matrix Instead of running one of the existing samples, you can program your own CARLa program. In the following example, run a small CARLa program to see what CARLa programming can mean to you. To create a sample CARLa program, complete the following steps: 1. Select option CO (Command) from the Main menu to open the Commands panel shown in Figure 84 on page 96 so that you can run library commands. 2. Select option C (Command) to open the PDF editor. 3. In the editor workspace, type the following CARLa statements, changing c#mb to some RACF group in your system that owns userids. newlist type=racf file=ckrcmd nopage select class=user owner=c#mb segment=base list ’alu’ key(8) ’owner(newowner)’ Figure 87. CARLa example program 98 Version 1.13: Getting Started This small CARLa program generates RACF commands to change the owner. All user profiles currently owned by c#mb are selected and the owner field will be changed into newowner. The output (RACF commands) is written in the CKRCMD file and can be processed by the RUN command. See “Using the Results panel” on page 58. The output is similar to the output shown in Figure 88: /* CKRCMD file CKR1CMD complex DEMO NJE JES2DEMO generated 27 alu C#MBHEN owner(newowner) alu C#MBERT owner(newowner) alu C#MBJVO owner(newowner) Figure 88. CARLa example program output To save this CARLa program for later use, you can copy it into your own private data set. To copy the program, type the command C9999 over the line number field of the first CARLa line. Then, enter CREATE in the command area. You now use the normal ISPF Edit function to create (or replace) members in a PDS. Whenever you want to rerun your saved CARLa program, complete the following steps: 1. Type CO from the Main menu and press Enter. 2. Type 1 (Libraries) from the Commands panel and press Enter. 3. Type I (insert) line command in any detail line and press Enter to insert a line. 4. 
Type the name of your private library and press Enter. Enclose a fully qualified data set name in single quotation marks; otherwise TSO prefixes it with your userid.
5. Select the library with the S line command and press Enter.
6. Press PF3 to return to the Commands panel. The name of your library is displayed in the Current library field.
7. Type the member name of the CARLa program in the Member name field.
8. Select option 4 (Run).

Chapter 12. Performing typical administration and audit tasks

The following sections describe how to perform typical administration and audit tasks in Security zSecure Admin and Audit for RACF.

Removing a user

If you want to remove the RACF access credentials for a user and do not know the userid, you can use the RA.U option to enter a name search pattern, locate the userid, and determine which data sets the user can access. Then, you can select the user profile for removal. To remove a user, complete the following steps:

1. Enter RA.U in the Command line to open the RACF User panel.
2. In the Programmer Name field, type the user name or a name pattern. All user profiles whose Programmer Name field contains a match are displayed.
3. Press Enter to display the results.
4. To remove the user from RACF, type D in front of the user profile and press Enter. If the user's data sets are to be deleted as well, a full CKFREEZE data set is needed; see the frequently asked questions in Appendix A.

Displaying which data sets a user can access

To list all data sets that a particular user can access, use the RACF Report Permit/Scope function (option RA.3.4).

Auditing load libraries

The Audit Library functions (option AU.L in zSecure Audit for RACF) can easily detect situations that are difficult to detect with standard z/OS or RACF tools. These situations, in both load libraries and source libraries, include:

- Whether the load libraries are clean, especially the system and APF-authorized libraries (an unexpected member in an APF-authorized library is an integrity exposure).
- Whether a module is present multiple times, under different names and perhaps under different owner profiles.
- Whether the same module is present in more than one library.

Note: The last situation causes serious problems if one copy is obsolete but is unknowingly called by some jobs because of the library search order: the copy found first wins, so a stale or tampered duplicate that sits earlier in the search order silently replaces the intended one.

Printing display panels

While you are examining the output of a Display function, you might want to print the data. Use the PRT command; output goes to the ISPF LIST data set. For more complex reports, use the RESULTS command to review all the files produced by the last function. You can also print from that panel.

© Copyright IBM Corp. 1989, 2011

Finding profiles based on search criteria

The Match function can be exceptionally useful. It finds all profiles that cover a specified data set or sets, or general resources. You can find this function in the following panels:

- Dataset profiles, option RA.D Data set
- General Resource profiles, option RA.R Resource
- RACF Report match, option RA.3.7

For RA.D and RA.R:

- 3 Match treats the profile field as a resource name and selects the best profile that could match the resource name. (See the BESTMATCH parameter in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual.)
- 4 Any match treats the profile field as a resource name and selects all profiles that could match the resource name. (See the MATCH parameter in the IBM Security zSecure Admin and Audit for RACF: User Reference Manual.)

RA.3.7 works like Any match: the profile that RACF uses is shown in the first line. The other profiles are the ones RACF would use if the first profile were deleted. Poor planning or administration can result in several profiles with different access lists and UACC values covering the same data set, so deleting one profile can silently change who has access through the next one in line.

Verifying a Protect All environment

You might be thinking about going to a Protect All environment. Most z/OS installations do so, although there can be much work involved. Try the Verify function of Protect All. If you use SMS or HSM or ABR, you might exclude the volume MIGRAT (the pseudo-volume under which migrated data sets are cataloged) on the submenu of the Protect All function.
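The Match and Any match functions above select the best profile, or all profiles, that could cover a resource. To make the selection order concrete, here is an added example (Python written for this page, not code from the zSecure manual or product) that models how RACF picks the most specific data set profile; it handles any EGN profile name, not only the sample ones. It assumes that enhanced generic naming (EGN) is active, that the class is DATASET, and the ordering rule RACF documents for generic profiles (at the first position where two profiles differ, a nongeneric character is more specific than %, which is more specific than *, which is more specific than **); the profile names are constructed sample data taken from the Figure 86 report.

```python
"""Added example for this page (not code from the zSecure manual or product):
a simplified model of how RACF chooses the data set profile that protects a
resource, to illustrate Match (BESTMATCH) versus Any match (MATCH).

Assumptions: enhanced generic naming (EGN) is active and the class is DATASET,
so '%' matches one character, '*' inside a qualifier matches zero or more
characters of that qualifier, '*' as a whole qualifier matches exactly one
qualifier, and '**' matches zero or more qualifiers. Names are expected in
upper case, as RACF stores them. Profile names below are constructed sample
data taken from the Figure 86 report.
"""
import re

SAMPLE_PROFILES = [
    "SYS1.*.**",
    "SYS1.*.MAN*.**",
    "SYS1.BRODCAST",
    "SYS1.CMDLIB",
    "SYS1.C#M.LINKLIB",
]

# Rank used where two profiles differ: a nongeneric character (0) is more
# specific than '%', which beats '*', which beats '**'.
_RANK = {"%": 1, "*": 2, "**": 3}


def profile_to_regex(profile: str) -> "re.Pattern[str]":
    """Translate an EGN data set profile name into an anchored regex."""
    parts = []
    for i, qual in enumerate(profile.split(".")):
        if qual == "**":
            # zero or more further qualifiers (at least one if '**' is first)
            parts.append(r"(?:\.[^.]+)*" if i else r"[^.]+(?:\.[^.]+)*")
            continue
        if qual == "*":
            body = r"[^.]+"  # exactly one qualifier
        else:
            body = "".join(
                "[^.]" if ch == "%" else "[^.]*" if ch == "*" else re.escape(ch)
                for ch in qual
            )
        parts.append((r"\." if i else "") + body)
    return re.compile("^" + "".join(parts) + "$")


def _tokens(profile: str) -> list:
    """Split a profile into comparison units: '**' is one unit, else one char."""
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append("**")
            i += 2
        else:
            out.append(profile[i])
            i += 1
    return out


def specificity_key(profile: str) -> list:
    """Sort key: per-position ranks compared left to right, so the first
    differing position decides, and a shorter (discrete) name wins a tie."""
    return [_RANK.get(t, 0) for t in _tokens(profile)]


def any_match(resource: str, profiles=SAMPLE_PROFILES) -> list:
    """Any match (MATCH): every profile that could cover the resource, most
    specific first. The first entry is the one RACF uses; the rest are what
    would take over, in order, if the profiles before them were deleted."""
    hits = [p for p in profiles if profile_to_regex(p).match(resource)]
    return sorted(hits, key=specificity_key)


def best_match(resource: str, profiles=SAMPLE_PROFILES):
    """Match (BESTMATCH): the single profile RACF would use, or None."""
    hits = any_match(resource, profiles)
    return hits[0] if hits else None


if __name__ == "__main__":
    for ds in ("SYS1.BRODCAST", "SYS1.X.MAN1", "SYS1.PARMLIB", "SYS2.LINKLIB"):
        print(f"{ds:14} uses {best_match(ds)!s:16} candidates {any_match(ds)}")
```

Running it lists, for each sample data set name, the profile RACF would use and, in order, the profiles that would take over if it were deleted, which is what the RA.3.7 display shows. The script does not model non-EGN naming, RACF variables, or general resource classes, so use it to reason about a display, not in place of one.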
This action can greatly reduce the number of unwanted messages. Especially in a RACF environment without PROTECT ALL, this Verify function can be very helpful: it outlines the work to be done in going to Protect All and provides an inventory of all data sets that do not have RACF protection.

Using the Command function

Try the Command function (option CO on the primary panel). See Chapter 11, "Using CARLa commands," on page 95 for information.

Appendix A. Frequently asked questions

This section provides a list of frequently asked questions along with detailed answers.

Table 12. Frequently Asked Questions

Q: Why is the Main panel empty?
A: You need READ access to the CKR.** profile in the XFACILIT class. Profiles under the CKR prefix in that class can allow or prohibit the use of individual functions, so the menu shows only what the caller is permitted to use.

Q: I am still not sure which functions are for zSecure Admin and which are for zSecure Audit for RACF. How can I separate them?
A: Check the IBM Security zSecure Admin and Audit for RACF: User Reference Manual. For every function, the manual shows a check box that indicates which product supports it. You can also add, for example, LIMIT FOCUS=AUDITRACF to the preamble (SETUP PREAMBLE, option SE.3) to limit the usable functions to those in zSecure Audit only.

Q: How can I generate the DEFINE ALIAS as part of the COPY USER action?
A: The catalog information comes from the CKFREEZE data set, so you must include a CKFREEZE data set in the set of input files that you use. To create a CKFREEZE data set, use the option SETUP NEWFILES from the panels to generate the JCL. Save this JCL and run it early every morning using OPC/A or a similar scheduler. The CKFREEZE data set can be very large, so use SYSIN parameters to reduce its size. First, try creating a large CKFREEZE, running the collect job APF-authorized and specifying no parameters. If running zSecure Admin with this CKFREEZE is too slow, add parameters: VTOC=NO,CAT=MCAT,BCD=NO,MCD=NO,TMC=NO,RMM=NO,UNIX=NO. You still need the bigger CKFREEZE if you want to delete users, including their data sets.
You can also enter the line command MT (manage TSO) in front of a user profile in the RA.U option. You can then define the alias and the ISPF profile data set for an existing user. With this alternative, however, you must know the name of the catalog to which you want to add the user's alias.

Q: Can I collect information from unloaded RACF and CKFREEZE files on different systems and send this information to one system for display and analysis?
A: Yes, if all systems are licensed. This is a typical way to use Security zSecure Admin and Audit for RACF.

Q: The output from my L line command does not match the information that is reported by zSecure Admin and zSecure Audit for RACF. What is wrong?
A: Check the input RACF data source. You are probably reporting from a RACF unload, whereas the L line command always shows the information from the active RACF database.

Q: How do I handle a shared JES2 spool environment, with one RACF database and several z/OS images?
A: Run the RACF unload once, from any of the systems (they share the one database), unless you want to work with live RACF data. Then run multiple zSecure Collect jobs, one on each system. You can use the SHARED=NO parameter with the second and subsequent zSecure Collect for z/OS jobs to reduce the size of the resulting CKFREEZE data sets. You can do this only if your UCBs are properly defined with SHARED options that exactly reflect the sharing environment; otherwise, zSecure Collect for z/OS processes everything. Create an INPUT SET that has these multiple CKFREEZE data sets defined.

Q: When should I use my live RACF database with zSecure Admin and zSecure Audit for RACF, when should I use unloaded data, and when should I use an old database copy?
A: Use the live RACF database for simple ad hoc inquiries and day-to-day routine RACF administration. Use an unloaded copy of the RACF database when (a) you intend to do extensive analysis work, and (b) you have no immediate intention of changing RACF data. When you are planning to use the Recreate function, be sure to run from an old database copy, because an unloaded database does not contain passwords. Protect such a copy as strictly as the live database, because unlike an unload it does contain the password data. If you are working with RACF data from another system, this is unloaded data unless the RACF database for the other system resides on shared DASD and is accessed directly as a normal data set. As an oversimplified statement, an administrator typically works with the live RACF database, while an auditor typically works with an unloaded copy.

Q: I have produced a report that contains double lines for all reported profiles. What can cause this problem?
A: There are two possibilities. If you created the overview using the panels, the double lines might be caused by selecting two RACF data sources in the SETUP application. When you are using CARLa, the same problem can be caused by forgetting to specify the keyword SEGMENT=BASE in the SELECT statement: without it, a profile is listed once for each of its segments.

Q: I used the SETUP INPUT options to define my input sets. The next time I used zSecure Admin and zSecure Audit for RACF, my setup values were not saved. Why?
A: You might have used a different TSO userid the second time. The setup information is saved in your ISPF profile, and each TSO userid has its own ISPF profile data set. Also, there is a SETUP option to use the input files you last used. Look at SETUP RUN to determine the setting of this option.

Q: Security zSecure Admin and Audit for RACF inspects many z/OS controls for various reports. When do the products obtain these controls from z/OS storage, and when should you use a CKFREEZE data set?
A: For full checking, Security zSecure Admin and Audit for RACF uses z/OS control blocks that are copied into the CKFREEZE data set. While this is more complex than simply using in-storage z/OS data, it produces much more consistent results. The results are meaningful for the time at which the CKFREEZE data was collected. For this reason, you might sometimes want to collect CKFREEZE data when your system is fully loaded and most active. This also means that you can perform studies on remote z/OS systems, using a CKFREEZE file and RACF unloaded data created on the remote system.

Q: I prefer to use an unloaded RACF database for my analysis work. When I find something that needs to be corrected, I normally use the RACF commands generated by zSecure Admin and zSecure Audit for RACF, which I sometimes edit, to correct the problem. However, my unloaded RACF database represents historical data. How do I know if the same problem still exists in the live RACF database?
A: Before submitting any significant change to RACF, switch to the live RACF database by using a different input set in the Setup panels, and repeat the display that detected the problem. If the problem still exists, then execute the RACF changes.

Q: Some panels, such as the AUDIT STATUS panel, differentiate between full CKFREEZE data sets and some other type of CKFREEZE data sets. What is this?
A: Using the instructions in this evaluation guide, when you defined new input files and ran the Refresh job, you created a full CKFREEZE data set. In very large or widely distributed installations, a CKFREEZE data set can be large, and you might want to save multiple CKFREEZE data sets for audit and comparison purposes. There are options in zSecure Collect for z/OS to gather only part of the potential CKFREEZE data. Multiple CKFREEZE data sets are useful, for example, if you use the freeze functions to detect changes in various libraries, or if your auditors want system snapshots at certain defined times.
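The FAQ answer above about commands generated from an unloaded, historical RACF database, together with the Chapter 11 example that writes ALTUSER commands to CKRCMD, calls for a check before anything is submitted. The following Python is an added example (written for this page, not zSecure code): it parses a CKRCMD file, accepts only the alu userid owner(...) form that the Chapter 11 program emits and rejects anything else, and triages each command against the owners that a fresh display from the live database reports. The CKRCMD text and the live-owner table are constructed sample data modelled on Figure 88; in practice the table would come from a current RA.U display or a CARLa listing run against the live database, and the expected old owner is the group the CARLa SELECT matched on.

```python
"""Added example for this page (not code from the zSecure manual or product):
a pre-submission check for RACF commands that CARLa wrote to CKRCMD from an
unloaded (historical) RACF database, in the spirit of the FAQ answer above.

The CKRCMD text and the live-owner table are constructed sample data modelled
on Figure 88. The only command form accepted is the one the Chapter 11 example
produces; any other line is rejected so an edited file with an unexpected verb
does not slip through to RUN.
"""
import re

SAMPLE_CKRCMD = """\
/* CKRCMD file CKR1CMD complex DEMO NJE JES2DEMO generated 27
alu C#MBHEN owner(newowner)
alu C#MBERT owner(newowner)
alu C#MBJVO owner(newowner)
"""

# Constructed: current owner of each user as a fresh display from the LIVE
# database would show it (the unload the commands came from is stale).
SAMPLE_LIVE_OWNERS = {
    "C#MBHEN": "C#MB",      # still owned by the old group: command still applies
    "C#MBERT": "C#MX",      # owner changed since the unload: needs a human look
    "C#MBJVO": "NEWOWNER",  # already moved: command is redundant
}

# ALTUSER userid OWNER(new-owner); RACF names are case-insensitive, so both
# captured names are upper-cased before comparison.
_ALU_RE = re.compile(r"^(?:alu|altuser)\s+(\S+)\s+owner\(([^)]+)\)\s*$", re.IGNORECASE)


def parse_ckrcmd(text: str) -> list:
    """Return (userid, new_owner) pairs for the ALTUSER owner commands in a
    CKRCMD file. Lines starting with /* are the generator's comment header.
    Any other command form raises ValueError with the offending line."""
    cmds = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("/*"):
            continue
        m = _ALU_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not an expected ALTUSER owner command: {line!r}")
        cmds.append((m.group(1).upper(), m.group(2).upper()))
    return cmds


def triage(cmds: list, live_owners: dict, expected_old_owner: str) -> dict:
    """Classify each generated command against the live owners:
       apply   - live owner is still the one the CARLa SELECT matched on
       done    - live owner already equals the new owner
       review  - live owner is something else (changed since the unload)
       missing - userid no longer exists in the live display"""
    result = {"apply": [], "done": [], "review": [], "missing": []}
    old = expected_old_owner.upper()
    for userid, new_owner in cmds:
        live = live_owners.get(userid)
        if live is None:
            result["missing"].append(userid)
        elif live == new_owner:
            result["done"].append(userid)
        elif live == old:
            result["apply"].append(f"alu {userid} owner({new_owner})")
        else:
            result["review"].append((userid, live))
    return result


if __name__ == "__main__":
    buckets = triage(parse_ckrcmd(SAMPLE_CKRCMD), SAMPLE_LIVE_OWNERS, "c#mb")
    for name, items in buckets.items():
        print(f"{name:8}: {items}")
```

Only the commands in the apply bucket are worth running; done entries are noise, and review entries mean the unload no longer reflects the live database, which is the moment to re-run the display against the live data as the FAQ recommends rather than to submit the stale command.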
Q: I want to clone a user using the RACF/MASS UPDATE/COPY USER function, but the target, which is a new user, is already defined. How is this handled?
A: Assuming that you want to keep some of the permissions of the existing target user, use the Copy function, and type a / before "Generate RACF commands when the target user exists". This action leaves the existing permissions of the target, provided they do not conflict with authorities of the source user. If a conflict occurs, the final authority rests with the source or the target user, depending on the exact commands (add versus alter). The target user might have some of its existing authority levels reduced because the source user had these lower levels, so review the generated commands before running them.

Q: I get message CKR0536 when I attempt to copy to an existing userid.
A: If your intent is to have the set of commands as a basis to start editing, you can suppress the message by putting a / before "Generate RACF commands when the target user exists". The standard way to merge user attributes is to use MERGE.

Q: I need to perform daily security administration. What RACF data source should I use?
A: For daily security administration, use an up-to-date RACF database. This can be the active primary RACF database or the active backup RACF database. Changes to the active primary database are immediately replicated to the active backup RACF database. Because the active backup database is not used to perform access verification processing, it is a good practice to use it as the input data source: running reports against it does not degrade RACF access verification for the other users of the system. Make sure that the backup is actually active and being updated (RVARY LIST shows the status of each RACF data set); an inactive or deactivated backup is not current.

Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.
Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, Acrobat, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
