The Gazette by lonyoo


A Publication of Information Technology

Technology Information Page
GETTING STARTED

RACF
RESOURCE ACCESS CONTROL FACILITY
Committed to Quality Information

Resource Access Control Facility (RACF) is a software security product that protects information by controlling access to it. RACF also controls what you can do in the operating system and protects your resources. It provides this security by identifying and verifying users, authorizing users to access protected resources, and recording and reporting access attempts.

PASSWORD INFORMATION AND RULES
Password expiration is set at 90-day intervals. TSO will begin warning of an upcoming expiration 8 days in advance. However, you may change your password at any logon via the TSO/E LOGON screen NEW PASSWORD field. See example below. RACF will not allow you to reuse a password that has been used within approximately 2 and 1/2 years. Passwords must be 5 to 8 characters long and begin with an alphabetic character.

EXAMPLE:

TSO/E LOGON

    PF1/PF13 ==> Help    PF3/PF15 ==> Logoff    PA1 ==> Attention    PA2 ==> Reshow
    You may request specific HELP information by entering a '?' in any entry field.

    ENTER LOGON PARAMETERS BELOW:               RACF LOGON PARAMETERS:

    USERID1    ===> your userid
    PASSWORD   ===> your old password           NEW PASSWORD ===> new password
    PROCEDURE  ===> $TSOPROC                    GROUP IDENT  ===>
    ACCT NMBR  ===> your account number
    SIZE       ===> your region size
    PERFORM    ===>
    COMMAND    ===>

JOBCARD CHANGES
In order for jobs to run, the following line needs to be added to your jobcard:
    USER=RACFUSER,PASSWORD=RACFPASS

See the Job Control Language (JCL) TIP Sheet for additional information.

AUTOMATIC REVOCATION OF USERIDS
RACF is used to protect both TSO and CICS. In order to protect University data from unauthorized use and to comply with auditor's standards, RACF will automatically revoke any userid which has not been signed on within a period of 45 days. For administrative personnel who are not frequent users, we suggest placing a reminder on your calendar to sign on the first working day of the month or whichever day is convenient for you. Academic users that are unable to meet this deadline or other personnel who fail to remember to sign on within this time frame may have their userid resumed by contacting Colleen Cowin, at 325-0826.

HELP! LOGON REJECTED
At logon, should you receive the following screen:
LOGON REJECTED, RACF TEMPORARILY REVOKING USER ACCESS. CONTACT YOUR TSO ADMINISTRATOR

You have failed to sign on within the 45-day limit. To have your userid resumed, contact Colleen Cowin, at 325-0826.

GAINING ACCESS TO THE RACF PANELS
The RACF software product comes packaged with a set of panels to simplify any changes you need to make to your dataset's protection. To gain access to these panels, type the command "RACF" on any COMMAND ===> line within ISPF. This will take you to the RACF SERVICES OPTION MENU. See example below.

    RACF - SERVICES OPTION MENU
    OPTION ===>

    SELECT ONE OF THE FOLLOWING:

        1   DATA SET PROFILES
        2   GENERAL RESOURCE PROFILES
        3   GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
        4   USER PROFILES AND YOUR OWN PASSWORD
        5   SYSTEM OPTIONS
        6   REMOTE SHARING
        99  EXIT

DISPLAYING YOUR DATASET'S PROFILE
From the RACF SERVICES OPTION MENU, select option 1 for DATA SET PROFILES. See the example below. A generic dataset profile has been added for your userid (youruserid.*). This profile protects all datasets under your TSO userid. The access list may be maintained under this profile.

For more information, contact the Information Technology Helpdesk, 325-HELP.

Revision Date: 03/03/06

    RACF - DATA SET PROFILE SERVICES
    OPTION ===> d or 8

    SELECT ONE OF THE FOLLOWING:

        1       ADD      Add a profile
        2       CHANGE   Change a profile
        3       DELETE   Delete a profile
        4       ACCESS   Maintain access list
        5       AUDIT    Monitor access attempts (For auditors only)

        D or 8  DISPLAY  Display profile contents
        S or 9  SEARCH   Search RACF data set for profiles

Press enter to display the following panel:

    ENTER THE FOLLOWING INFORMATION:

    PROFILE NAME   ===> 'YOURUSERID.*'
    TYPE           ===> generic   MODEL, TAPE, GENERIC, or blank
    VOLUME SERIAL  ===>           If a discrete profile and the data set is not cataloged
    UNIT           ===>           If you are adding a profile and specified VOLUME SERIAL
    PASSWORD       ===>           Data set password, if the data is password protected
                   ===>           Re-enter password to verify

On the following panel, enter a 'Y' or 'YES' on the ACCESS LIST line and press enter. See example below.

    RACF - DISPLAY DATA SET PROFILE
    COMMAND ===>

    PROFILE NAME : 'YOURUSERID.*'

    TO SELECT INFORMATION TO BE DISPLAYED, ENTER YES:

    ACCESS LIST  ===> YES   Profile access list
    HISTORY      ===>       Profile history
    STATISTICS   ===>       Profile use statistics
    DFP          ===>       Profile DFP information
    DATA SETS    ===>       Protected data sets
    NO RACF      ===>       Limit the display to the selected information,

    TO LIMIT THE DISPLAY TO PROFILES FOR DATA SETS ON SPECIFIC VOLUMES,
    ENTER VOLUME SERIAL NUMBER(s):

    ===>    ===>    ===>    ===>    ===>
    ===>    ===>    ===>    ===>    ===>
    ===>    ===>    ===>    ===>    ===>

The items of most interest to you may be the UNIVERSAL ACCESS field and the ACCESS LIST. The UNIVERSAL ACCESS field specifies what type of access any user of our mainframe will have. The ACCESS LIST specifies which individual users or groups of users have access to your dataset and the type of access they are allowed. See ACCESS AUTHORITY LEVELS for information on types of authority. To exit, press your designated END key (usually PFK3). See the example below.

    ********************** TOP OF DATA **********************
    INFORMATION FOR DATASET YOURUSERID.* (G)

    LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
     00    userid         NONE           NO      NO

    AUDITING
    --------
    FAILURES (READ)

    NOTIFY
    --------
    NO USER TO BE NOTIFIED

    YOUR ACCESS  CREATION GROUP  DATASET TYPE
    -----------  --------------  ------------
       ALTER     Group name        NON-VSAM

    VOLUME ON WHICH DATASET RESIDES
    -------------------------------
    volume serial number

    NO INSTALLATION DATA

    SECURITY LEVEL
    --------------------------------------------
    NO SECURITY LEVEL

    CATEGORIES
    ----------
    NO CATEGORIES

    SECLABEL
    --------
    NO SECLABEL

    ID       ACCESS    ACCESS COUNT
    -------  --------  ------------
    USERID1  READ         00000
    USERID2  UPDATE       00000

(USERID1 and USERID2 are examples)

ACCESS AUTHORITY
UNIVERSAL ACCESS - Global Access to Your Dataset
Universal access (UACC) specifies what type of access any user of our mainframe may have.

ACCESS LISTS - Restricted Access to Your Dataset
Access lists name the users or groups of users that are permitted access to your dataset.


ACCESS AUTHORITY LEVEL definitions

NONE     Prevents any type of access.

READ     Allows users to access the dataset for reading only. (Note that users who can read the dataset can copy and print it, also.)

UPDATE   Allows users to read from, copy from or write to the data set. Update does not, however, authorize a user to delete, rename, move or scratch the dataset. Allows users to perform normal VSAM I/O (not improved control interval processing) to VSAM datasets.

CONTROL  For non-VSAM datasets, CONTROL is equivalent to UPDATE. For VSAM datasets, CONTROL is equivalent to the VSAM CONTROL password; that is, it allows users to perform improved control interval processing. This is control-interval access (access to individual VSAM data blocks), and the ability to retrieve, update, insert or delete records in the specified dataset.

ALTER    Allows users to read, update, delete, rename, move or scratch the dataset. This also allows users to read, alter and delete the RACF protection (PROFILE) for your dataset. (They may give others access to your data.)

         NOTE: ALTER does not allow users to change the owner of the PROFILE. However, if a user with ALTER access authority to a dataset PROFILE renames the dataset, changing the high-level qualifier to his or her own user ID, both the dataset and the profile are renamed, and the OWNER of the profile is changed to the new userid.
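
An added example, not part of the original tip sheet: a short Python check that reads a profile listing laid out like the display on this page and reports a UACC above NONE and any access-list entry holding ALTER. The sample listing, the userids in it and the choice of what to report are constructed for illustration.

```python
# Access authority levels as defined on this page, lowest to highest.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample, modelled on the profile display shown on this page.
SAMPLE = """\
INFORMATION FOR DATASET YOURUSERID.* (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    USERID0        READ           NO      NO

   ID     ACCESS   ACCESS COUNT
-------  -------  ------------
USERID1   READ       00000
USERID2   ALTER      00000
"""

def parse_profile(text):
    """Return (profile name, UACC, {id: access}) from a profile listing."""
    lines = text.splitlines()
    name = text.split("INFORMATION FOR DATASET", 1)[1].split()[0]
    uacc, acl = None, {}
    for i, line in enumerate(lines):
        if "UNIVERSAL ACCESS" in line:
            # The values are on the next line that is not a dash rule.
            row = next(l for l in lines[i + 1:] if l.strip(" -"))
            uacc = next(w for w in row.split() if w in LEVELS)
        elif line.split()[:2] == ["ID", "ACCESS"]:
            for row in lines[i + 1:]:
                cols = row.split()
                if not row.strip(" -"):
                    continue  # dash rule or blank line
                if len(cols) < 2 or cols[1] not in LEVELS:
                    break     # end of the access list
                acl[cols[0]] = cols[1]
    return name, uacc, acl

def audit(text):
    """Report settings an owner should review (assumed policy, see lead-in)."""
    name, uacc, acl = parse_profile(text)
    findings = []
    if LEVELS.index(uacc) > LEVELS.index("NONE"):
        findings.append(f"{name}: UACC {uacc} applies to every user")
    for ident, access in acl.items():
        if access == "ALTER":
            findings.append(f"{name}: {ident} holds ALTER on the profile")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
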

CHANGING THE UNIVERSAL ACCESS (UACC) OF YOUR DATASET
From the RACF SERVICES OPTION MENU, select option 1 for DATA SET SERVICES, press enter. Select option 2 for CHANGE a profile, press enter. Type in the PROFILE NAME, tab to TYPE and type GENERIC. Press enter. The generic profile name should be enclosed with single quotes. On the next panel, tab down to the UACC field and type in your Universal Access change. See example below.

    RACF - CHANGE DATA SET PROFILE
    COMMAND ===>

    PROFILE NAME: 'YOURUSERID.*'

    ENTER DATA SET PROFILE INFORMATION TO BE CHANGED:

    OWNER              ===>        Userid or group name
    LEVEL              ===>        0-99
    FAILED ACCESSES    ===>        FAIL or WARN
    UACC               ===> read   NONE, READ, UPDATE, CONTROL, or ALTER
    AUDIT SUCCESSES    ===>        READ, UPDATE, CONTROL, ALTER, OR NOAUDIT
    AUDIT FAILURES     ===>        READ, UPDATE, CONTROL, ALTER, OR NOAUDIT
    REMOVE NOTIFY      ===>        YES or Blank
    NOTIFY USER        ===>        Userid
    ERASE WHEN DELETED ===>        YES, NO or Blank
    RETPD              ===>        1-9999 days

    TO CHANGE OPTIONAL INFORMATION, ENTER YES:

CHANGING THE ACCESS LIST OF YOUR DATASET

From the RACF SERVICES OPTION MENU, select option 1 for DATA SET SERVICES, press enter. Type in option 4 for MAINTAIN access list, press enter. Type in the PROFILE NAME, tab to TYPE and type GENERIC, then press enter. The generic profile name should be enclosed with single quotes. On the next panel, select option 1 to add users or groups to your access list or option 2 to remove users or groups from your list. Option 3 will remove all users from your access list. (You will always have implicit access to your datasets.) See example below.

    RACF - MAINTAIN DATA SET ACCESS LIST
    OPTION ===>

    PROFILE NAME: 'YOURUSERID.*'

    SELECT ONE OF THE FOLLOWING:

        1  ADD     Add users or groups, and/or
                   Copy the access list from an existing profile.
        2  REMOVE  Remove specified users or groups from the access list.
        3  RESET   Remove all users and groups from the access list.

When selecting option 1, another panel will appear on the screen. Tab to SPECIFY and type YES, press enter.

ADDING USERS TO YOUR ACCESS LIST
Enter the ACCESS AUTHORITY you are granting the user and tab down to add the userids. See example below.

    RACF - MAINTAIN DATA SET ACCESS LIST - ADD
    COMMAND ===>

    PROFILE NAME: 'YOURUSERID.*'

    ENTER AUTHORITY TO BE GRANTED:

    ACCESS AUTHORITY ===> update   NONE, READ, UPDATE, CONTROL or ALTER

    ENTER USER/GROUP ID TO BE ADDED:

    ===> userid1   ===>   ===>   ===>   ===>   ===>
    ===>           ===>   ===>   ===>   ===>   ===>

REMOVING USERS FROM YOUR ACCESS LIST
Enter the userids you wish to delete from your access list. See example below.

    RACF - MAINTAIN DATA SET ACCESS LIST - REMOVE
    COMMAND ===>

    PROFILE NAME: 'YOURUSERID.*'

    ENTER USER/GROUP ID TO BE REMOVED:

    ===> userid1   ===>   ===>   ===>   ===>   ===>
    ===>           ===>   ===>   ===>   ===>   ===>
