The following questions provide technical orientation.
- What RACF® exit routines
are used, and what functions do they perform? The following list
identifies the exits. You can use the DSMON reports to answer this
particular question.
-
- Exit Routine
- Function
- ICHDEX01
- password authentication
- ICHDEX11
- password authentication
- ICHRIX01
- RACROUTE REQUEST=VERIFY preprocessing
- ICHRIX02
- RACROUTE REQUEST=VERIFY postprocessing
- ICHRCX01
- RACROUTE REQUEST=AUTH preprocessing
- ICHRCX02
- RACROUTE REQUEST=AUTH postprocessing
- ICHRDX01
- RACROUTE REQUEST=DEFINE preprocessing
- ICHRDX02
- RACROUTE REQUEST=DEFINE postprocessing
- ICHCCX00
- command preprocessing
- ICHCNX00
- command preprocessing
- ICHRFX01
- RACROUTE REQUEST=FASTAUTH preprocessing
- ICHRFX02
- RACROUTE REQUEST=FASTAUTH postprocessing
- ICHRFX03
- RACROUTE REQUEST=FASTAUTH preprocessing
- ICHRFX04
- RACROUTE REQUEST=FASTAUTH postprocessing
- ICHPWX01
- new password
- ICHPWX11
- new password phrase
- ICHRLX01
- RACROUTE REQUEST=LIST pre/postprocessing
- ICHRLX02
- RACROUTE REQUEST=LIST selection
- ICHRSMFE
- report writer
- IRRACX01
- ACEE compression and expansion
- IRRACX02
- ACEE compression and expansion
- IRREVX01
- command pre/postprocessing
- IRRVAF01
- custom field validation exit
- How are the exit routine functions and changes authorized and
controlled?
- Who is allowed to update exit routine code (both source and load
form)?
- What SETROPTS options are used? Are any important protection
or monitoring functions set off?
- Have basic RACF facilities
been enhanced, excluding exit routine code?
- How many primary RACF databases
are there? You can use the DSMON reports to answer this particular
question.
- Does each primary RACF database
have a backup on a different volume? You can use the DSMON reports
to answer this particular question.
- What other backup facilities exist for RACF databases?
- How is the RACF database
synchronized after a restore?
- Are all RACF databases
adequately protected, and who has access to them? You can use the
DSMON reports to answer this particular question.
- How does the installation control the switching and deactivating
of the RACF databases (RVARY
command, IPL/database name table)?
- Are any special checks required on the use of PERMIT?
- How are passwords and password phrases protected against disclosure
when batch jobs are submitted through internal readers?
- How are restores of entire volumes handled? How are synchronization
problems between volumes and the RACF databases
resolved?
- What are the RACF class
names as defined in the class descriptor table? What are the UACCs
associated with these names? Can OPERATIONS users access the resources
by default? You can use the DSMON reports to answer this particular
question.
- Is there a global access table, and what resources are specified
in the table? You can use the DSMON reports to answer this particular
question.
- What is in the started procedures table (ICHRIN03), and is the
authority of the associated user IDs appropriate? You can use the
DSMON reports to answer this particular question.