Resource Access Control Facility

from Wikipedia, the free encyclopedia

Resource Access Control Facility (RACF) is IBM's implementation of the SAF (System Authorization Facility) security interface of the mainframe operating systems MVS (the core of z/OS) and, in an older version, z/VM. The current name is SecureWay Security Server - RACF. It was first introduced in 1976.

The main functions that it performs are:

  • Identification and verification of users by means of a user ID and password check (authentication)
  • Protection of resources through the administration of access rights (authorization)
  • Logging of access to protected resources (auditing).

The RACF administrator maintains the RACF database using RACF commands. In so-called profiles, it contains the user IDs, the protected resources and the groups.

Userids

Users of the system are natural persons, and also technical users, who log on to an online system such as TSO, CICS or IMS at a terminal with a RACF user ID, as well as server processes ("started tasks" in MVS parlance) to which the RACF administration has assigned a userid.

In addition to the name of the user, RACF saves statistical and other information in a user profile:

  • Change date of the password
  • Last use of the userid
  • Password (encrypted), password history
  • Group membership
  • User attributes such as REVOKED, which indicates that the userid is blocked, and special administrative permissions
  • Further properties that describe and define the use of MVS subsystems such as Unix System Services, CICS, TSO or the file system

Administrative permissions for userids

Administrative authorizations can also be set for a user in the user profile:

SPECIAL
Makes the user the RACF system administrator. Such a user can administer all RACF settings.
AUDITOR
Allows the user (e.g. an auditor) to control access monitoring (logging).
ROAUDIT
(READ ONLY AUDITOR) Allows the user to display the data as it would be seen by a SPECIAL or AUDITOR user, but without the rights to control access monitoring (logging). Available as of z/OS 2.2.0.
OPERATIONS
Allows the user full access to all file resources. This attribute is often given to employees in storage management. Accesses made using this attribute are optionally logged.

Monitoring (auditing) of userids

Critical or highly authorized users can optionally be audited. For this purpose, the UAUDIT attribute is set in RACF for the corresponding users. All actions of these users are then stored as so-called SMF records in the operating system log files. An evaluation can then be carried out with special applications.

Resources

Resources are traditionally files, tapes and terminals, but today the term is very abstract and covers everything that an installation considers worth protecting, e.g. console commands, names of online transactions, or permission to reset another user's password.

A resource is protected by a resource profile. A resource profile is identified by a class name (e.g. DATASET) and a name that describes the resource to be protected in full (discrete profile) or partially (generic profile). For example, the generic DATASET profile SYS1.** protects all files whose names start with SYS1. unless they are protected by a more specific profile.

A profile defines what is known as Universal Access, which applies to all users. In the access list, other authorizations can be defined for individual users or user groups.

RACF knows six levels of access rights, which are interpreted in an obvious way by the resource managers of z/OS (see below):

  • NONE: No access
  • EXECUTE: Execution right for a program, but the program cannot be copied and is even suppressed in the memory dump.
  • READ: Read access to files, contains EXECUTE
  • UPDATE: Write access to files, includes READ
  • CONTROL: Write access to files, includes UPDATE
  • ALTER: Unrestricted access to files: create, delete, rename the file, includes CONTROL

Originally, RACF was only intended to protect files. The expansion to other resources was only realized later. For this reason, the names of the access levels relate to file access.

RACF groups

There is a complex concept behind RACF groups:

  • On the one hand, they can be used to group user IDs together and then grant authorizations to the group instead of to each individual user. A user can belong to a maximum of 8191 groups and has the combined authorizations of all groups to which he belongs (if the RACF option 'LIST OF GROUPS ACCESS CHECKING IS ACTIVE' is set).
  • On the other hand, groups are organized hierarchically: the top group is called SYS1. This hierarchy is the basis for decentralizing RACF administration along organizational lines. If a user with administration rights is connected to a group, he also has administration rights for all subgroups of this group.

Resource manager

RACF, or more precisely SAF, works passively. The users of the system access a resource by means of a resource manager. The respective resource manager builds a resource name and then asks SAF whether access is permitted. SAF/RACF replies with yes, no or “don't know” (namely when the resource is not protected by a profile). The subsystem then allows the resource to be used (or not).
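The following Python sketch is an added illustration, not IBM code and not RACF's actual algorithm: it models the check described above, with profile lookup (discrete before generic), the access list, universal access, the six ordered levels and the three possible replies. The sample profiles, user and group names are constructed, only generic names ending in `.**` are handled, and the rule that a user's own access-list entry is used before group entries is an assumption of this model.

```python
# Simplified model of a SAF/RACF access check (added example, constructed data).
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # each includes the ones before

# Constructed profiles: (class, profile name) -> universal access and access list.
PROFILES = {
    ("DATASET", "SYS1.**"): {"uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    ("DATASET", "SYS1.PARMLIB"): {"uacc": "NONE", "acl": {"SYSPROG": "UPDATE"}},
    ("DATASET", "PAY.**"): {"uacc": "NONE",
                            "acl": {"PAYROLL": "UPDATE", "AUDIT": "READ", "TEMP1": "NONE"}},
}

def find_profile(cls, resource):
    """Discrete profile first, then the 'PREFIX.**' generic profile with the longest prefix."""
    if (cls, resource) in PROFILES:
        return PROFILES[(cls, resource)]
    best = None
    for (pcls, pname), profile in PROFILES.items():
        if pcls == cls and pname.endswith(".**"):
            prefix = pname[:-2]  # keep the trailing dot, e.g. "SYS1."
            if resource.startswith(prefix) and (best is None or len(prefix) > best[0]):
                best = (len(prefix), profile)
    return best[1] if best else None

def granted_level(profile, user, groups):
    """Assumed order: the user's own entry, else the highest group entry, else universal access."""
    acl = profile["acl"]
    if user in acl:
        return acl[user]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:  # models list-of-groups checking: best level over all connected groups
        return max(group_levels, key=LEVELS.index)
    return profile["uacc"]

def saf_check(user, groups, cls, resource, requested):
    """Return the three-valued reply a resource manager receives."""
    profile = find_profile(cls, resource)
    if profile is None:
        return "NOT PROTECTED"  # the "don't know" case: the resource manager decides
    level = granted_level(profile, user, groups)
    return "ALLOWED" if LEVELS.index(level) >= LEVELS.index(requested) else "DENIED"
```

The "NOT PROTECTED" reply is the case to watch in a review: whether an unprotected resource ends up usable depends on the resource manager, not on RACF.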

Examples of resource managers are the file system of the z/OS operating system with the resource file, or CICS with the resource (among many others) transaction code. It is also possible to run the database system DB2 in such a way that it does not store the database authorizations granted with SQL GRANT statements in its own catalog, but as RACF resources in RACF. As of version 8 of DB2 for z/OS, multilevel security (MLS) with row-level granularity can even be used to assign access rights to individual data records in a DB2 table via RACF.
