RACF Tips - RSH Consulting
Improved RACF Googling

How often does your Google search on a RACF topic return page after page of irrelevant links? Would you like to tell Google to search only those sites where you expect to find answers to your RACF questions? You can, simply by appending:

site:ibm.com OR site:rshconsulting.com

check was introduced via APAR OA33013 and has since been incorporated into z/OS 1.13. The resource is STGADMIN.IGG.DEFINE.RECAT. READ access allows DEFINE RECATALOG for a dataset without having access to the dataset. The original implementation of this check actually granted too much authority and required a corrective fix. See APAR OA38273 for details.

Thank you Joel Tilton of Publix for this tip.
RACF Health Checker Issues

The RACF_SENSITIVE_RESOURCES check flags a dataset with a high-severity exception 'V' for not being found on its designated volume when, in fact, it actually does exist but is under exclusive control of some other address space. No fix is yet available. See APAR OA41458.

RSH discovered that OPERCMDS resources MVS.SET.PROG and MVS.SETPROG are flagged with a high-severity exception 'E' if they are protected by a profile with UACC of READ. These resources, however, require a minimum of UPDATE permission to use them. IBM has been notified and will eventually fix this error.

and allow the program to execute privileged Supervisor Calls (SVCs) that it could use to elevate its authority and circumvent security.

NOPASS originally meant Bypass Password Protection and harks back to when datasets were protected by MVS passwords. It also bypasses RACF. Programs with NOPASS will not be subject to authorization checks when accessing datasets.

DSMON's Program Properties Table Report lists all PPT entries and indicates if they have been assigned KEY(0-7) or NOPASS. Require clear and convincing justification as to why either of these privileges has been assigned to any installation-defined entry. One to watch for is the CICS program DFHSIP which is often needlessly and inappropriately assigned NOPASS. Review the code of any PPT program that was written in-house to confirm it does not compromise security.
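
One way to automate the DSMON Program Properties Table review described above, as an added example that is not from the newsletter or from IBM: it parses a report and lists every NOPASS or KEY(0-7) assignment that has no recorded justification. The report text, its three-column YES/NO layout, the program names other than DFHSIP, and the JUSTIFIED table are constructed assumptions.

```python
import re

# Constructed sample report. The three-column YES/NO layout is an assumption;
# adjust ROW to match the DSMON output at your installation.
SAMPLE_REPORT = """\
PROGRAM PROPERTIES TABLE REPORT
PROGRAM   BYPASS PASSWORD   SYSTEM
NAME      PROTECTION        KEY
VENDPGM1  YES               YES
DFHSIP    YES               NO
PAYROLL1  NO                YES
BATCHUTL  NO                NO
"""

# Hypothetical record of privileges with a documented, approved justification.
JUSTIFIED = {"VENDPGM1": {"NOPASS", "KEY(0-7)"}}

ROW = re.compile(r"^\s*([A-Z0-9$#@]{1,8})\s+(YES|NO)\s+(YES|NO)\s*$")

def parse_ppt(report):
    """Return {program: set of privileges} for each data row in the report."""
    entries = {}
    for line in report.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, column headings, blank lines
        name, nopass, syskey = m.groups()
        privs = set()
        if nopass == "YES":
            privs.add("NOPASS")
        if syskey == "YES":
            privs.add("KEY(0-7)")
        entries[name] = privs
    return entries

def unjustified(entries, justified):
    """List (program, privilege) pairs that have no recorded justification."""
    findings = []
    for name in sorted(entries):
        for priv in sorted(entries[name] - justified.get(name, set())):
            findings.append((name, priv))
    return findings

if __name__ == "__main__":
    for name, priv in unjustified(parse_ppt(SAMPLE_REPORT), JUSTIFIED):
        print(f"{name}: {priv} assigned without recorded justification")
```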
RACF FMID Reference

Ever come across a reference to RACF by its 4-digit Function Modification Identifier (FMID) code and wondered what release of RACF it meant? The RACF FMIDs are listed in the chapter on SMF records in the RACF Macros and Interfaces manual. See the description for the type-80 record field SMF80VRM. Here are three RACF FMIDs.

7760 z/OS Security Server (RACF) V1 R11
7770 z/OS Security Server (RACF) V1 R12
7780 z/OS Security Server (RACF) V1 R13

RSH News

Many thanks to all who have responded to our queries seeking to confirm you are receiving the newsletter and helping us update the mailing list.

Upcoming RSH RACF Training:

RACF - Audit & Compliance Roadmap
April 23-25, 2013 - Boston, MA

RACF - Intro and Basic Administration
May 21-23, 2013 - Boston, MA

RACF and z/OS Unix
July 23-25, 2013 - WebEx