IBM Security zSecure, Version 2.2.0

Introduction

Resources and users in the MVS Operating System can be described in RACF using profiles. Almost any resource, whether it is a data set, a CICS® transaction, or something else, can be described using a resource profile. Historically, RACF® separates data sets from other types of resources, called General Resources. This separation is also reflected in the RACF command syntax, where two distinct sets of commands are used: one for data sets and one for general resources.

A user profile describes a user. For efficiency purposes, users are collected into RACF groups. These groups can be used for the following purposes:
  • To access resources
  • To authorize the modification of profiles

Access to the resources is controlled through the resource profiles. These resource profiles can be discrete or generic.

People mostly use generic profiles. The resource profiles contain a universal access, or UACC, and two forms of Access List, or ACL. The UACC controls the access that everybody has, provided the user is not specified in the ACL. The Standard ACL is a list of users and groups and their respective access. The Conditional ACL is a list of users and some condition, such as program, terminal, or console, which is combined with their corresponding access rights.

Authorization to modify profiles is based on ownership of the profile. The owner of a profile must be an existing RACF user or group. If you specify a user as the owner, then only that particular user is authorized to maintain the profile. If you specify a group as the owner, then all people with administrative authorization in the group (that is, group-SPECIAL) can maintain the profile.

Like users and resources, groups are described in RACF by profiles. These group profiles, in turn, also have an owner. The owner of a group profile can authorize people to modify the definition of the group. However, when group-SPECIAL is used as the authorization method, the user with group-SPECIAL also has authorization over many of the subgroups of the group. You can find more information about this percolation of group-SPECIAL authority in the RACF Security Administrator's Guide. See the information about user attributes at the group level in the chapter about defining groups and users.

Authorization to define, modify, and delete RACF profiles is based on the RACF profile itself. Sometimes, other authorizations such as system-SPECIAL can be used as well; but these authorizations are not standard authorizations available to regular users. However, RACF hardly ever controls the attribute or the new value you store into the profile in any way. For instance, if you are the owner of a group, you can connect any user in the system to your group. RACF does not verify which users you are connecting or removing. Another example is changing the owner and ACL of a profile. If you are the owner, you can specify any other user or group to be the new owner. In effect, you can give away any profile you own to anyone.

These examples are typical of the types of actions that an installation might want to prevent from occurring. Often, you want to control not only which profiles and attributes are changed, but also what they are being changed to. For example, you might want to specify that an authorized user can change the Owner value to Mary but not to Joe. With zSecure™ Command Verifier you can do just that: control the new value of any field, option, or attribute of any profile.
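The following model is an added illustration, not IBM code and not Command Verifier policy syntax. It contrasts the ownership-only check described above with an additional check on the new value. The names `Profile`, `may_maintain`, `change_owner`, and the `value_policy` mapping are hypothetical, the sample data is constructed, and percolation of group-SPECIAL to subgroups is not modelled.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    owner: str  # an existing RACF user ID or group name


def may_maintain(actor, profile, group_special):
    """Ownership check as described in the text: the owning user, or any
    user with group-SPECIAL in the owning group, may maintain the profile."""
    if profile.owner == actor:
        return True
    return actor in group_special.get(profile.owner, set())


def change_owner(actor, profile, new_owner, group_special, value_policy=None):
    """Return (allowed, reason) and apply the change when allowed.

    value_policy is a hypothetical mapping: actor -> set of OWNER values that
    actor may assign. None models RACF alone, which does not inspect the
    new value once the actor is authorized for the profile.
    """
    if not may_maintain(actor, profile, group_special):
        return (False, "not authorized to maintain profile")
    if value_policy is not None:
        if new_owner not in value_policy.get(actor, set()):
            return (False, "new OWNER value not permitted")
    profile.owner = new_owner
    return (True, "owner changed")


if __name__ == "__main__":
    # Constructed sample data: ALICE holds group-SPECIAL in group PAYROLL.
    special = {"PAYROLL": {"ALICE"}}
    policy = {"ALICE": {"MARY"}}  # ALICE may set OWNER to MARY only

    # Ownership check alone: ALICE can give the profile to anyone.
    p1 = Profile("PAYROLL.**", "PAYROLL")
    print(change_owner("ALICE", p1, "JOE", special), p1.owner)

    # With a value policy: JOE is refused, MARY is accepted.
    p2 = Profile("PAYROLL.**", "PAYROLL")
    print(change_owner("ALICE", p2, "JOE", special, policy), p2.owner)
    print(change_owner("ALICE", p2, "MARY", special, policy), p2.owner)
```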


