z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Migrating from BASIC to ENHANCED program security mode

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

With ENHANCED-WARNING mode, RACF® ensures that programs accessing data sets through PADS, accessing SERVAUTH resources by programs, or running execute-controlled programs meet the added restrictions of ENHANCED mode. However, if they do not meet the added restrictions, RACF still allows the access if it would have worked in BASIC mode. This allows you to test your setup to make sure it is suitable for ENHANCED mode while continuing to operate like BASIC mode while you adjust your profiles.

Guideline: Use ENHANCED-WARNING program security mode as part of your implementation of ENHANCED program security mode.

When you start this migration, you will have some profiles defined in the PROGRAM class but probably none of them specify APPLDATA('MAIN') or APPLDATA('BASIC') as those specifications do not mean anything in BASIC program security mode. You probably do not have the IRR.PGMSECURITY profile defined in the FACILITY class, or else you have it defined but specified APPLDATA('BASIC').

To begin your migration:
  1. Begin figuring out which programs you must define as MAIN or BASIC. You can do this by examining your DATASET and SERVAUTH profiles to see which ones have conditional access lists that specify WHEN(PROGRAM(program-name)). To simplify this task, consider using database unload (IRRDBU00) and looking for the type 0402 and 0507 records. (Refer to z/OS Security Server RACF Macros and Interfaces for the description of these records).
  2. From the type 0402 records for DATASET profiles, select the ones that have DSACC_CATYPE=PROGRAM and find the program name in DSACC_CANAME. These programs are candidates for the MAIN or BASIC attribute.
  3. From the type 0507 records for SERVAUTH profiles, select the ones that have GRCACC_CATYPE=PROGRAM and find the program name in GRCACC_CANAME. These programs are candidates for the MAIN or BASIC attribute.
  4. For each program (for example, program Y) that you find, determine if users execute program Y, or if they execute some other program (for example, program X) that in turn executes Y. In the first case, you probably only have Y in the conditional access list, and you would define Y as a MAIN or BASIC program. In the second case, both X and Y are in the conditional access list, so you should define X as a MAIN or BASIC program.
  5. For each of those programs, determine whether the program needs to be run in batch, TSO, or both. If the program only needs to be run in batch, you can define the program as MAIN. If program needs to be run in TSO or in both batch and TSO, you must consider how the users run the programs in TSO. If the users use the TSO/E TSOEXEC command to run the programs, or run them from another program that uses IKJEFTSR to invoke them, you can define the programs as MAIN. If this is not the case, you must define the program as BASIC or find a way for the users to invoke them through TSOEXEC or IKJEFTSR. If these are not possible, you might need to consider the more difficult option of redesigning the programs to work with IKJEFTSR.
  6. After you gather your list of programs that you will define with the MAIN or BASIC attribute, use the RLIST command to determine whether you have the programs defined with specific profiles (such as PROGRAM XYZ) or if you have them defined with nonspecific profiles (such as PROGRAM XY* or PROGRAM **). If the programs have specific profiles, the profiles can be modified using the RALTER command to specify APPLDATA('MAIN') or APPLDATA('BASIC'). However, if you have protected the programs with nonspecific profiles, you must use the RDEFINE command to define a new specific profile for each of the programs you need to define as MAIN or BASIC.
Once these steps are complete you should:
  1. Make a similar examination of IRRDBU00 output, looking at the records that indicate execute-controlled libraries:
    • Type 0400 records with a DSBD_UACC value of EXECUTE
    • Type 0402 records with a DSCACC_ACCESS value of EXECUTE
    • Type 0404 records with a DSACC_ACCESS value of EXECUTE
    Examine the programs in those libraries to see which you need to define as MAIN or BASIC, using similar criteria as used for PADS.
  2. Look at the records that indicate execute-controlled programs,
    • Type 0500 records with GRBD_CLASS_NAME of PROGRAM that have GRBD_UACC of EXECUTE
    • Type 0505 records with GRACC_CLASS_NAME of PROGRAM that have GRACC_ACCESS of EXECUTE
    Examine the programs in those libraries to see which you need to define as MAIN or BASIC.
When this is complete, you can switch to ENHANCED-WARNING mode to find out if you have any other changes that must be made. To switch to ENHANCED-WARNING mode:
  1. Use the RDEFINE command to define IRR.PGMSECURITY profile in the FACILITY class, and specify an APPLDATA value other than ENHANCED or BASIC. For example: 
    RDEFINE FACILITY IRR.PGMSECURITY APPLDATA('ENHWARN')
  2. Issue the SETROPTS REFRESH command to change modes. 
    SETROPTS WHEN(PROGRAM) REFRESH

To ease migration from BASIC to ENHANCED program security mode, the mode switch does not affect systems running any release earlier than z/OS® V1R4. It also does not affect jobs, started tasks, or TSO sessions that are already running. For this reason, you should IPL the system at least once while in ENHANCED-WARNING mode to ensure that you test any jobs, started tasks, and TSO users that started before you migrated from BASIC to ENHANCED program security mode.

While running in ENHANCED-WARNING mode, you might receive messages ICH427I or ICH430I to indicate the need for further necessary changes. After receiving the messages, making the relevant changes, and allowing a sufficient test period of running in ENHANCED-WARNING mode without getting further messages, you can switch to ENHANCED program security mode. To do this:

  1. Modify the APPLDATA value for the IRR.PGMSECURITY profile by issuing: 
    RALTER FACILITY IRR.PGMSECURITY APPLDATA('ENHANCED')
  2. Change modes by issuing: 
    SETROPTS WHEN(PROGRAM) REFRESH

Again, the mode switch does not affect systems running a release earlier than z/OS V1R4. It also does not affect any jobs, started tasks, or TSO sessions that are already running. So, again, you must IPL the system to fully implement the change. You should not have any problems as a result of this IPL, because you have already IPLed once in ENHANCED-WARNING mode and subsequently fixed any problems that caused RACF messages.

Guideline: If you have several systems, consider having a SPECIAL user logged on to TSO on one of them while you IPL to fix any unexpected problem that might arise.

Parent topic: Program security modes

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014