The following is a snapshot of a page from Software Europe’s website c. August 2000, for historical interest only.
See Software Europe, IBM (formerly Consul), and EKC for details of their current products.

RACF Administration Solutions




RACF administration solutions on this page:

| Consul/RACF | Consul/RACF Administrator for Windows |
| Consul CICS/RACF Toolkit | Consul/CVO |
| ETF/R | E-HelpDesk |

| WWW Links |


Consul/RACF

Later called Consul/zAdmin RACF, Consul zAdmin RACF, and now Tivoli zSecure Admin.

No matter how powerful your mainframe security system is, its ultimate strength lies in the people who manage it, making it essential to furnish them with a means to perform their work as efficiently as possible.

By providing your staff with the key to efficient system management, Consul/RACF gives them exactly what they need, enhancing the efficiency and functionality of RACF - unleashing its true potential - by simplifying administration tasks and by increasing the granularity of security authorisations.


Achieving Your Full Potential

IBM's Resource Access Control Facility (RACF) is the standard security system for IBM (compatible) mainframes using OS/390. When used properly, RACF protects the mainframes from unauthorised entry and misuse.

Consul/RACF helps you to achieve the full potential of your mainframe security system, by automating many of the recurring administration tasks and by enhancing the native RACF authorisation and delegation capabilities.


Harnessing Your Power

RACF provides sound security for OS/390, but it is not very easy to manage.

With RACF commands, you can request information about individual definitions in RACF without seeing the full impact of those definitions, or you can unload all RACF profiles to an external database such as DB2 for analysis and reporting. Many of today's IT staff have limited RACF management experience, so controlling the power inherent in RACF is not an easy task.

Using Consul/RACF, sites can optimise the talents of their system security officers and harness the power of RACF. Consul/RACF finds problems in RACF, such as missing or inconsistent definitions, and fixes or prevents mistakes before they become a threat to security.


Local Security Administration

Consul/RACF allows more granular distribution of administrative authority than native RACF.

In particular, the system security officers can delegate the authority to reset user passwords, resume users, and grant specific access, without assigning full administrative (i.e. group-SPECIAL) privileges to the local administrators.

This capability allows frequently requested user-support tasks to be managed by staff closest to the user, and frees up the central security administrators for mission-critical tasks.

It also improves security by removing the need for cumbersome 'user verification' procedures for password resets: local administrators can see that the users are who they claim to be!


Customised Control

Consul/RACF gives central security administrators tools to help them perform more efficiently.

Consul/RACF can help automate recurring tasks, such as generating daily or monthly reports, which provide a comprehensive analysis of the security definition and settings within the RACF environment.

The complex task of adding or removing a user is simplified to a one-step action, with Consul/RACF doing the hard work of keeping all entries updated and in sync.


 Consul/RACF USER overview ---------------------------------------- Line 1 of 3 
 Command ===>                                                   Scroll===> CSR  
 like SELU%%%                                    3 Feb 2000 00:05               
    Profile  Complex  Name                 DfltGrp  Owner    RIP SOA AG g Grp X 
    SELUANT  PICO     ANT ALLAN            SELU     SELU                    5   
    SELUDAV  PICO     DAVE POTTER          SELU     SELU     RI             5 X 
 /  SELUNIC  PICO     NICK WEIR            SELU     SELU      I             5 X 
 ******************************* BOTTOM OF DATA ********************************

      RIP: User is respectively revoked,
                                due to be revoked through inactivity, or 
                                protected (i.e., cannot be used to logon). 
      SOA: User is respectively system Special, Operations, or Auditor. 
      AG:  User has ADSP.
      g:   User is at least one of group Special, Operations or Auditor.
      Grp: Number of groups the user is connected to. 
      X:   This column contains an X if the user's password has expired. 

 Consul/RACF USER overview -----------------------------------------------------
 C .------------------------------------------------.           Scroll===> CSR  
 l |                       Select one of 18 actions |  2000 00:05               
   |                                                | ner    RIP SOA AG g Grp X 
   |     A  Authorization (permits and scope)       | MC                    5   
   |     AC Show access for userid on profile       | MC     RI             5 X 
 / |     C  Copy userid                             | MC      I             5 X 
 * |     D  (Prepare actions for) delete userid     | **************************
   |     E  Display event logging                   |                           
   |     L  RACF listuser all command               |                           
   |     M  Move user from group (to another)       |                           
   |     MI Manage userid-information               |                           
   |     ML Manage logon-information                |                           
   |     MR Manage CNGRACF authority requirements   |                           
   |     MS Manage CNGRACF revoke/resume schedules  |                           
   |     MT Manage TSO-information                  |                           
   |     MU Manage installation-defined USRDATA     |                           
   |     P  Change password and resume              |                           
   |     R  Recreate userid                         |                           
   |     S  Show additional information             |                           
   |     SE Show application segments               |                           
   |                                                |                           
   '------------------------------------------------'                           
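The USER overview panel above is the kind of output a reviewer ends up scanning by eye for revoked, dormant and over-privileged userids. The following is an added example, not code from the page or from Consul's product: a parser for that panel layout (columns are located from the header words, which is an assumption about the real panel that holds for the page's sample) together with the checks a reviewer would run over the parsed rows. The sample input is the page's own mock-up, embedded as constructed test data.

```python
"""
Parser for the Consul/RACF USER overview panel shown above, with the checks a
security reviewer would run over it: who is revoked or about to be, who holds
system-wide SPECIAL/OPERATIONS/AUDITOR, whose password has expired.  Added
example, not Consul's code.  Columns are located from the header words, an
assumption about the real panel that holds for the page's sample.
"""
import re
from dataclasses import dataclass

# The page's mock-up panel, copied as constructed sample input ('/' in column 2
# is a pending line command, not data).
SAMPLE_PANEL = """\
 Consul/RACF USER overview ---------------------------------------- Line 1 of 3
 Command ===>                                                   Scroll===> CSR
 like SELU%%%                                    3 Feb 2000 00:05
    Profile  Complex  Name                 DfltGrp  Owner    RIP SOA AG g Grp X
    SELUANT  PICO     ANT ALLAN            SELU     SELU                    5
    SELUDAV  PICO     DAVE POTTER          SELU     SELU     RI             5 X
 /  SELUNIC  PICO     NICK WEIR            SELU     SELU      I             5 X
 ******************************* BOTTOM OF DATA ********************************
"""

HEADER_WORDS = ["Profile", "Complex", "Name", "DfltGrp", "Owner",
                "RIP", "SOA", "AG", "g", "Grp", "X"]
USERID_RE = re.compile(r"[A-Z0-9@#$]{1,8}")


@dataclass
class UserRow:
    userid: str
    racf_complex: str
    name: str
    dfltgrp: str
    owner: str
    revoked: bool        # R: revoked
    inactive: bool       # I: due to be revoked through inactivity
    protected: bool      # P: cannot be used to log on
    special: bool        # system SPECIAL
    operations: bool     # system OPERATIONS
    auditor: bool        # system AUDITOR
    adsp: bool           # A in the AG column
    group_attr: bool     # g: group SPECIAL/OPERATIONS/AUDITOR somewhere
    groups: int          # number of group connections
    pw_expired: bool     # X: password has expired


def column_slices(header):
    """(start, end) of each column, taken from where each header word sits."""
    starts, pos = [], 0
    for word in HEADER_WORDS:
        pos = header.index(word, pos)
        starts.append(pos)
        pos += len(word)
    ends = starts[1:] + [starts[-1] + len(HEADER_WORDS[-1])]
    return dict(zip(HEADER_WORDS, zip(starts, ends)))


def parse_overview(text):
    """Turn the panel text into UserRow records, skipping non-data lines."""
    rows, cols = [], None
    for raw in text.splitlines():
        line = raw.ljust(80)
        if cols is None:
            if line.lstrip().startswith("Profile"):
                cols = column_slices(line)
            continue                      # title/command lines above the header
        f = {k: line[a:b] for k, (a, b) in cols.items()}
        userid = f["Profile"].strip()
        if not USERID_RE.fullmatch(userid):
            continue                      # BOTTOM OF DATA and similar
        rows.append(UserRow(
            userid=userid, racf_complex=f["Complex"].strip(), name=f["Name"].strip(),
            dfltgrp=f["DfltGrp"].strip(), owner=f["Owner"].strip(),
            revoked=f["RIP"][0] == "R", inactive=f["RIP"][1] == "I",
            protected=f["RIP"][2] == "P",
            special=f["SOA"][0] == "S", operations=f["SOA"][1] == "O",
            auditor=f["SOA"][2] == "A",
            adsp=f["AG"][0] == "A", group_attr=f["g"].strip() != "",
            groups=int(f["Grp"]) if f["Grp"].strip() else 0,
            pw_expired=f["X"].strip() == "X"))
    return rows


def review(rows):
    """Findings a reviewer would raise from the panel, as (userid, reason)."""
    findings = []
    for r in rows:
        if r.special or r.operations or r.auditor:
            findings.append((r.userid, "holds system-wide SPECIAL/OPERATIONS/AUDITOR"))
        if r.revoked:
            findings.append((r.userid, "revoked: confirm still needed, else delete"))
        elif r.inactive and not r.protected:
            findings.append((r.userid, "dormant: inactivity revoke pending, can still log on"))
    return findings


if __name__ == "__main__":
    for userid, why in review(parse_overview(SAMPLE_PANEL)):
        print(f"{userid:<8} {why}")
```

On the page's sample this flags SELUDAV (revoked) and SELUNIC (due for inactivity revoke but still able to log on); nobody in the sample holds a system-wide attribute. The header-driven column discovery is what keeps the parser honest when a panel adds or widens a column: hard-coded offsets would silently misread the RIP/SOA flags, which are exactly the fields a reviewer cares about.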

Added Security

Another benefit of Consul/RACF is that it allows administrators to queue PERMIT and CONNECT commands for execution at a set date and/or with a time limit. After the limit has expired, the change is automatically undone.

For highly sensitive resources, you can even opt for a policy whereby two administrators have to agree to a command before it is executed, thus implementing a workflow control system for security management.
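The two controls just described, time-limited grants that are undone automatically and a two-administrator agreement for sensitive resources, are worth seeing as a state machine, because the subtle points are in the undo and in who counts as an approver. The following is an added example, not Consul's code: the request fields, the rule for what is 'highly sensitive' (here, anything under SYS1.* or a connect to SYSPROG) and the undo logic are assumptions made for illustration. The commands are returned as strings; a real deployment would hand them to RACF and log them to SMF.

```python
"""
Model of the queued, time-limited PERMIT/CONNECT and the two-administrator
agreement described above.  Added example, not Consul's code: the request
fields, the rule for what counts as 'highly sensitive' and the undo logic are
assumptions made for illustration.  Commands are returned as strings; a real
deployment would hand them to RACF (and log them to SMF).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumption: anything under SYS1.* or a connect to SYSPROG needs two approvers.
SENSITIVE_PREFIXES = ("SYS1.", "SYSPROG")


@dataclass
class AccessRequest:
    kind: str                      # "PERMIT" or "CONNECT"
    target: str                    # dataset profile or group name
    userid: str                    # userid being granted access
    requester: str                 # administrator who queued the request
    start: datetime
    duration: timedelta
    access: str = "READ"           # PERMIT only
    racf_class: str = "DATASET"    # PERMIT only
    prior_access: Optional[str] = None   # access held before the grant; None = no entry
    approvers: set = field(default_factory=set)
    state: str = "pending"         # pending -> active -> expired


def grant_command(req):
    if req.kind == "PERMIT":
        return (f"PERMIT '{req.target}' CLASS({req.racf_class}) "
                f"ID({req.userid}) ACCESS({req.access})")
    return f"CONNECT {req.userid} GROUP({req.target})"


def undo_command(req):
    """Compensating command.  A naive undo (PERMIT ... DELETE) would also wipe
    any access the userid held before the grant, so restore prior_access when
    there was one.  CONNECT undo assumes the userid was not already connected."""
    if req.kind == "PERMIT":
        if req.prior_access is None:
            return f"PERMIT '{req.target}' CLASS({req.racf_class}) ID({req.userid}) DELETE"
        return (f"PERMIT '{req.target}' CLASS({req.racf_class}) "
                f"ID({req.userid}) ACCESS({req.prior_access})")
    return f"REMOVE {req.userid} GROUP({req.target})"


def required_approvals(req):
    return 2 if req.target.startswith(SENSITIVE_PREFIXES) else 1


def step(queue, now):
    """Return the commands due at `now` and advance each request's state."""
    cmds = []
    for req in queue:
        end = req.start + req.duration
        if req.state == "pending":
            if now >= end:
                req.state = "expired"            # window lapsed unapproved: never grant
            elif now >= req.start:
                independent = req.approvers - {req.requester}   # no self-approval
                if len(independent) >= required_approvals(req):
                    cmds.append(grant_command(req))
                    req.state = "active"
        elif req.state == "active" and now >= end:
            cmds.append(undo_command(req))
            req.state = "expired"
    return cmds


T0 = datetime(2000, 2, 3, 0, 5)   # timestamp shown on the page's sample panel


def build_sample_queue():
    """Constructed requests: one routine grant, one that needs two approvers."""
    return [
        AccessRequest("PERMIT", "SELU.PAYROLL.DATA", "SELUDAV", requester="HELPDESK1",
                      start=T0, duration=timedelta(hours=2), access="UPDATE",
                      prior_access="READ", approvers={"SECADM1"}),
        AccessRequest("CONNECT", "SYSPROG", "SELUNIC", requester="HELPDESK1",
                      start=T0, duration=timedelta(hours=8), approvers={"SECADM1"}),
    ]


def demo():
    queue = build_sample_queue()
    trace = [step(queue, T0)]                                   # routine grant runs
    trace.append(step(queue, T0 + timedelta(hours=2)))          # and is undone
    queue[1].approvers.add("SECADM2")                           # second administrator agrees
    trace.append(step(queue, T0 + timedelta(hours=2, minutes=1)))
    return trace


if __name__ == "__main__":
    for cmds in demo():
        print(cmds)
```

Two details matter in practice. The undo restores the access the userid held before the grant rather than deleting the entry outright, otherwise a temporary UPDATE would silently strip a standing READ. And the requester's own approval never counts towards the two required for a sensitive target, which is what makes the second signature an independent one.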


Time Savings

By automating and delegating IT administration tasks, Consul/RACF allows your IT staff to accomplish more in less time.

Consul/RACF has automatic analysis and command generation functions for tasks that are complicated and time-intensive, and performs critical security tasks quickly and accurately.


Flexibility

In today's ever-changing business world flexibility is essential, especially where database management is concerned.

Consul/RACF allows you to copy or move users, groups, applications or whole databases between systems, as well as rename IDs within the same database.

When merging profiles from different databases, Consul/RACF performs extensive consistency checks and reports potential conflicts before generating commands.

For more information, see CONSUL's Web page [now IBM's].




Consul/RACF+Audit

Later called Consul/zSecure RACF and Consul zSecure RACF; now part of Tivoli zSecure Suite.

Consul/RACF can be seamlessly combined with Consul/Audit for RACF to provide a powerful suite of tools for administering, monitoring and evaluating mainframe security. Key advantages of the combined product include:


Consul/RACF Administrator for Windows

Later called Consul/zVisual RACF, Consul zVisual RACF, and now Tivoli zSecure Visual.

Consul/RACF Administrator for Windows makes it easy for your helpdesk staff and local security administrators to perform everyday RACF management tasks from Windows workstations.


Efficiency

Consul/RACF Administrator for Windows creates a user-friendly interface into the decentralised support function provided through Consul/RACF.

Without prior knowledge of RACF, helpdesk staff and local security administrators can perform permitted functions such as password resets from an MS Windows 95, 98 or NT workstation. This solution eliminates the need for these users to access separate TSO/ISPF screens to perform these everyday RACF management tasks.


Visual Simplicity

Consul/RACF Administrator for Windows works by providing your staff with an intuitive, easy-to-use, point-and-click, drag-and-drop GUI.

It accesses live RACF databases via secure (ElGamal) TCP/IP connectivity to give up-to-date information about your users and displays important information such as when their passwords were changed or reset. By accessing this data directly from Windows, completing these frequent tasks becomes easier and more efficient than ever before.

Consul/RACF Administrator for Windows requires only a minimum amount of training, which translates into lower overhead and high staff acceptance.


System Prerequisites

For more information, see CONSUL's Web page [now IBM's].


Consul CICS/RACF Toolkit

Later called Consul/zToolkit, Consul zToolkit, and now Tivoli zSecure CICS Toolkit.

When you need to administer RACF security from a CICS terminal, choose Consul CICS/RACF Toolkit. From a CICS terminal, the local security administrator maintains user profiles using fill-in-the-blanks menus. Standard IBM RACF commands can be issued without requiring (system) SPECIAL or TSO access. With the flexibility of the Toolkit, you can distribute security authority through the CICS network as needed: only the commands a local administrator is authorised to use are displayed.

The API for Toolkit allows each installation to customise the screens, simulate field-level security in CICS applications, and invoke RACF commands from existing CICS application programs.

For more information, see CONSUL's Web page [now IBM's].


Consul/CVO (Command Verification Option)

Later called Consul/zLock RACF, Consul InSight zLock, and now Tivoli zSecure Command Verifier.


Ensuring compliance with your corporate standards

Consul/CVO from CONSUL Risk Management enables you to take more control over RACF commands. CVO intercepts any RACF command and performs additional validation before the command is processed by RACF.


Overview

Many companies find that RACF allows an administrator to issue commands that do not comply with their corporate policy. Administrators with the SPECIAL attribute can change (almost) any field in RACF profiles, just as the owner of a profile can. RACF provides insufficient control over the changes these users can make to (their) profiles, and over their use of commands that may be contrary to your security policy. RACF commands often provide too many ways to change a profile, allowing users to undermine your security policy, either intentionally or accidentally.


What CVO does

CVO provides extra controls on RACF commands to address this problem. CVO is executed every time a user issues RACF commands, and calls an installation specific exit to perform any additional checking before passing the command to RACF. CVO will intercept RACF commands from ISPF applications (IBM RACF panels, Consul/RACF, or any other ISPF panel), from the TSO command line, in batch jobs, and from the operator console.


Why you need CVO

Have you ever been concerned about...

Do you ever receive audit points regarding compliance with your standards?

These are just a few examples of areas where many companies have found the controls available within RACF just aren't adequate for their needs. With CVO you can use RACF profiles to apply an additional layer of checking to control who can use various keywords.


Multiple RACF systems

CVO runs on each MVS system, so if you administer multiple RACF systems, either via RRSF or manually, you can be assured of total compliance. If your requirements/policies are different on different systems, the different RACF profiles can reflect this via the access lists.


How the CVO exits work

CVO has 3 exit points for USER, GROUP or RESOURCE commands. CVO is supplied with many sample exits that provide specialized additional security checks for RACF commands. You can use these or even write your own custom exit. A popular exit is the one that uses RACF profiles to check keyword usage. As an example you may require that anyone who attempts ALU uuuuuuu NAME('ssssssss, fffffffff') must have READ access to USER.BASE.NAME. The exit can allow, deny, or change the command, or even issue a different command either before or after the original command (or both).

Full auditing capabilities exist to log both the before and after image of the command to SMF.
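The keyword-to-profile check described above (ALU ... NAME(...) requires READ on USER.BASE.NAME) is easiest to understand as code. The following is an added example, not Consul's exit: a small model of a command-verification exit that parses a RACF USER command, maps each keyword to a USER.BASE.<KEYWORD> profile (the naming taken from the page's example), looks up the issuer's access on the most specific matching profile, and then allows, denies, or rewrites the command, keeping the before and after images the audit record needs. The access table, the simplified generic-profile matching and the PASSWORD-to-EXPIRED rewrite rule are assumptions made for illustration; the real exit runs inside z/OS and is not written in Python.

```python
"""
Model of a command-verification exit of the kind CVO is described as calling:
intercept a RACF USER command, map each keyword to a profile such as
USER.BASE.NAME, check that the issuer has READ on it, and allow, deny or
rewrite the command, keeping before/after images for the audit record.
Added example, not Consul's exit code.  The USER.BASE.<KEYWORD> naming comes
from the page's example; the access table, the simplified generic matching and
the PASSWORD -> EXPIRED rewrite rule are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# One command token: NAME, OWNER(SELU), or NAME('POTTER, DAVE').
_TOKEN = re.compile(r"([A-Z0-9@#$]+)(?:\(((?:'[^']*'|[^()'])*)\))?", re.IGNORECASE)

USER_COMMANDS = {"ALU": "ALTUSER", "ALTUSER": "ALTUSER",
                 "AU": "ADDUSER", "ADDUSER": "ADDUSER"}
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed access lists: profile -> {userid: access}.  The helpdesk may reset
# and resume; only SECADM may use any other USER keyword.
SAMPLE_ACL = {
    "USER.BASE.PASSWORD": {"HELPDESK1": "READ"},
    "USER.BASE.RESUME":   {"HELPDESK1": "READ"},
    "USER.BASE.**":       {"SECADM": "READ"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    before: str     # command as issued
    after: str      # command handed to RACF ('' when denied)


def parse_command(text):
    """Return (COMMAND, USERID, [(KEYWORD, operand-or-None), ...])."""
    parts = [(m.group(1).upper(), m.group(2)) for m in _TOKEN.finditer(text)]
    if len(parts) < 2:
        raise ValueError("expected: <command> <userid> [keyword ...]")
    return parts[0][0], parts[1][0], parts[2:]


def _matches(profile, resource):
    """Simplified generic matching: '*' is one qualifier, '**' zero or more."""
    p, r = profile.split("."), resource.split(".")

    def rec(i, j):
        if i == len(p):
            return j == len(r)
        if p[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(r) + 1))
        return j < len(r) and p[i] in ("*", r[j]) and rec(i + 1, j + 1)

    return rec(0, 0)


def access_level(acl, issuer, resource):
    """Access from the most specific matching profile only, as RACF does."""
    best = None
    for profile, users in acl.items():
        if _matches(profile, resource):
            specificity = sum(q not in ("*", "**") for q in profile.split("."))
            if best is None or specificity > best[0]:
                best = (specificity, users.get(issuer, "NONE"))
    return best[1] if best else "NONE"


def verify(acl, issuer, text):
    """The exit: returns a Decision for one command issued by `issuer`."""
    cmd, userid, keywords = parse_command(text)
    if cmd not in USER_COMMANDS:
        return Decision(True, "not a USER command; passed through", text, text)
    for kw, _ in keywords:
        resource = f"USER.BASE.{kw}"
        if LEVELS.index(access_level(acl, issuer, resource)) < LEVELS.index("READ"):
            return Decision(False, f"{issuer} lacks READ on {resource}", text, "")
    names = [kw for kw, _ in keywords]
    # Rewrite rule: a password set by an administrator is a one-time value,
    # so force EXPIRED unless the issuer said otherwise explicitly.
    if "PASSWORD" in names and not {"EXPIRED", "NOEXPIRED"} & set(names):
        keywords.append(("EXPIRED", None))
    after = " ".join([USER_COMMANDS[cmd], userid]
                     + [kw if op is None else f"{kw}({op})" for kw, op in keywords])
    return Decision(True, "all keywords permitted", text, after)


if __name__ == "__main__":
    for issuer, cmd in [("HELPDESK1", "ALU SELUDAV PASSWORD(Tmp4now) RESUME"),
                        ("HELPDESK1", "ALU SELUDAV SPECIAL"),
                        ("SECADM", "ALU SELUDAV NAME('POTTER, DAVE')")]:
        d = verify(SAMPLE_ACL, issuer, cmd)
        print(f"{'ALLOW' if d.allowed else 'DENY '} {issuer}: {d.before} -> {d.after or d.reason}")
```

With the sample access lists, the helpdesk userid can reset and resume (and the exit appends EXPIRED so the reset password must be changed at next logon), but its attempt to grant SPECIAL is refused because nothing gives it READ on USER.BASE.SPECIAL, while SECADM's NAME change is allowed through the USER.BASE.** profile. Note the check is per keyword, not per command: this is what stops a permitted ALU from being used to smuggle in an attribute the issuer was never granted.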

For more information, see CONSUL's Web page [now IBM's].


ETF/R


Firecall Facility

The ETF/R Firecall facility allows controlled use of special "high access" capabilities during an emergency, giving Information Security greater control when immediate access is required.


Dynamic Update Facility

With ETF/R you can perform dynamic class, router table, and exit updates without a system IPL. That means keeping RACF up and running 24 hours a day, 7 days a week, without interrupting your security system, giving you peace of mind that the integrity of your security environment is maintained.

For more information, see EKC's Web page


E-HelpDesk

E-HelpDesk is used when a user forgets his current password. E-HelpDesk is a VTAM application that will verify any of the last 1-32 passwords currently being stored in RACF, as well as any other installation-definable piece of information from the user record such as SSN, birth date, mother's maiden name, etc. If all pieces of information entered by the user are correct, E-HelpDesk will prompt the user to enter a new password. That password is also synchronised across all nodes.

All sign-on and password change activity is logged to SMF using standard RACF facilities. There is no need for further logging.

For more information, see EKC's Web page


WWW Links

IBM's RACF Home Page [now Resource Access Control Facility (RACF)]

IBM's S/390 and OS/390 Security pages [now IBM: Security on IBM System z mainframes]



Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding is dual-licensed under both ―
GFDL
The GNU Free Documentation License
  Creative Commons License
A Creative Commons Attribution-Noncommercial-Share Alike 3.0 License
URL
http://homepage.mac.com/antallan/racfadmi.html
History
Last updated Friday 8 August 2008
