RACF Administration & Auditing

Objectives
On successful completion of this course, attendees will be able to:

• explain the need for security in business information systems
• describe how RACF meets business information systems security needs
• design a group structure to meet their installation's requirements
• explain & use RACF commands
• describe the effect of the various group profile related parameters
• explain the management and use of the various non-RACF segments in user profiles
• connect users to groups and manage the assigned group authorities
• use the data set related commands to manage both discrete and generic profiles
• manage general resources
• use and explain the operation of the setropts management commands
• use and interpret the output of the Data Security Monitor
• use the database unload utility, cross reference utility, remove id utility, database verification utility, database split/merge/extend utility, and the database block update utility.

Who Should Attend
RACF Administrators and Auditors, Systems Programmers and any other technicians requiring a knowledge of RACF administration principles and practices.
Prerequisites
Attendees should have a clear understanding of z/OS at a conceptual level and also have a basic understanding of RACF that can be gained by attending the RSM course 'RACF Overview'. A working knowledge of TSO/ISPF and JCL is also required.
Duration
4 days

Course Code
MRFA
Contents
Introduction
What is RACF?; Why do we need security?; Security in the old days; Security these days; What security do we need?; Where are the dangers?; How can RACF help?; RACF Profiles; How RACF operates; The RACF database; Resource Classes.


The RACF Manuals
The Manual Library; RACF Security Administrators Guide; RACF Command Language Reference; BookManager.


Planning for Security
The Security Policy; Resource ownership; How to protect resources?; Grouping resources and users; Document the plan.


Group Structure
What are Groups?; Why have Groups?; Users and Groups; The initial group structure; The Group Hierarchy; System Special and Group Special; Group Profile ownership; Group connections.


The RACF Commands
Entering RACF commands; RACF commands and the manuals; Entering RACF commands in batch; Online Help.


Defining RACF Groups
Group Profile Commands; Basic ADDGROUP; Specifying the Superior Group & Owner; Data set Profile Modeling; RACF Remote Sharing Parameters; Other ADDGROUP Parameters; Non-RACF Segments - DFP, OMVS and OVM; Non-RACF Segments - TME; Full ADDGROUP Syntax; Full ALTGROUP Syntax; Full LISTGRP Syntax; LISTGRP Output; Full DELGROUP Syntax; Group Command Authority.


Defining Users
User Profile Commands; Basic ADDUSER; Specifying the Default Group; Group Authority; Class Authority; Group Access Authority; RACF Remote Sharing Parameters; Dataset Profile Modeling; RACF Authorities; RACF Attributes; Security Levels and Security Categories; Security Level Checking; Security Category Checking; Security Labels; Other ADDUSER Parameters; Non-RACF Segments (CICS); Non-RACF Segments (DCE); Non-RACF Segments (DFP, LANGUAGE); Non-RACF Segments (KERB, LNOTES, NDS); Non-RACF Segments (NETVIEW); Non-RACF Segments (USS, zVM); Non-RACF Segments (OPERPARM); Non-RACF Segments (TSO); Non-RACF Segments (WORKATTR); Full ADDUSER Syntax; Basic ALTUSER; ALTUSER Only Parameters; Full ALTUSER Syntax; Full LISTUSER Syntax; LISTUSER Output; Full DELUSER Syntax; User Command Authority; Basic PASSWORD; Changing Other Users Passwords; Full Syntax of PASSWORD; Password Command Authority.


Connecting Users to Groups
Connect and Remove Commands; Basic CONNECT; Full CONNECT Syntax; Basic REMOVE; Full REMOVE Syntax; Connect/Remove Command Authority.


Data Set Profiles
Data set profile commands; Basic ADDSD; Discrete data set profiles; Discrete profile parameters; Generic data set profiles; Generic wildcard characters - %; Generic wildcard characters - *; Generic wildcard characters - **; Specifying data set attributes; Access levels; Auditing access attempts; Profile copying; RACF remote sharing parameters; Security level & category checking; Other profile attributes; Non-RACF segments - DFP; Non-RACF segments - TME; Full ADDSD syntax; Basic ALTDSD; ALTDSD only parameters; Full ALTDSD syntax; Basic LISTDSD; Listing many data set profiles; Listing generic or discrete profiles; Specifying what to list; Full LISTDSD syntax; LISTDSD output; Full DELDSD syntax; Data set command authority; Basic PERMIT; Conditional access lists; Permitting many users access; Removing users and groups; Deleting access lists; Full PERMIT syntax; PERMIT command authority.


General Resource Profiles
General resource profile commands; Basic RDEFINE; Common RDEFINE parameters; Adding additional profile information; Non-RACF segment - TME; When the class is DLFCLASS; When the class is APPCLU; When the class is REALM; When the class is PTKTDATA; When the class is ROLE; When the class is STARTED; When the class is SYSMVIEW; When the class is TAPEVOL; When the class is TERMINAL; Full RDEFINE syntax; Resource grouping classes; Protecting CICS transactions; Protecting load modules; Protecting SDSF; Basic RALTER; RALTER Only Parameters; Full RALTER syntax; Basic RLIST; Common RLIST parameters; Listing non-RACF segments; Special RLIST features; Full RLIST syntax; RLIST output; Full RDELETE syntax; Remember PERMIT?; General resource command authority.


Special RACF Features
SEARCH command and control parameters.


The SETROPTS Command
Basic SETROPTS; Data set related parameters; General parameters; In-storage profile parameters; B1 security parameters; JES parameters; Userid & password parameters; Auditor parameters; SETROPTS LIST examples; SETROPTS command authority.


Auditing RACF
RACF auditing; RACF Report Writer; Basic RACFRW commands; Full RACFRW syntax; Full SELECT syntax; Basic EVENT command; Full EVENT syntax; Full LIST syntax; RACFRW output example; Full SUMMARY syntax; RACF SMF data unload utility; SMF unload utility JCL; Using the unloaded RACF SMF data; Processing the RACF SMF data with DB2; Standard DB2 tables; Data Security Monitor; System & group tree reports; Pgm properties & Auth caller table reports; Class descriptor table & RACF exits report; GlobalaAccess table report; Started procedures table report; Selected user attribute reports; Selected data sets report.


RACF Utility Programs
Database unload utility; Database cross reference utility; Database cross reference utility output; RACF remove ID utility; Database verification utility; Database verification utility output; Database Split/Merge/Extend utility; Database Block-Update utility command.