RACF Admin Toolkit - RSH Consulting Group
Joint RUG Meeting: RUGONE+KOIRUG+GARUG+CHIRUG
May 2022
Robert S. Hansel is Lead RACF Specialist and founder of RSH Consulting, Inc. He
began working with RACF in 1986 and has been a RACF administrator, manager,
auditor, instructor, developer, and consultant. Mr. Hansel is especially skilled at
redesigning and refining large-scale implementations of RACF using role-based
access control concepts. He is a leading expert in securing z/OS Unix using RACF.
Mr. Hansel has created elaborate automated tools to assist clients with RACF
administration, database merging, identity management, and quality assurance.
• 617-969-8211
• [email protected]
• www.linkedin.com/in/roberthansel
• http://twitter.com/RSH_RACF
The intent of this presentation is to list all the resources and permissions RACF administrators should have and use to fulfill their responsibilities.
Topics covered:
• RACF
• Datasets
• Health Checker
• Unix
• Operator Commands
• SDSF
• Storage Administration
• Miscellaneous
RACF and z/OS are Trademarks of the International Business Machines Corporation
RACF
• System SPECIAL
Datasets
READ access
• Nucleus program library
• Configuration parameter (PARMLIB) libraries
• Link-Pack Area (LPA) program libraries
• Supervisor Call (SVC) program libraries
• Authorized Program Facility (APF) program libraries
• Link List (LNKLST) program libraries
• ISPF program and panel libraries
• Master and User Catalogs
• Started Task and Batch JCL Procedure (PROCLIB) libraries
• SMF datasets - live and archives
• Software product configuration libraries (e.g., CICS System Initialization Table)
• RACF table source code libraries
• Exit source code libraries
• Application Production JOBLIBs and PROCLIBs
Unix
Allow reading all files as an alternative to granting individual file access permissions
• UNIXPRIV SUPERUSER.FILESYS - READ access
• UNIXPRIV SUPERUSER.FILESYS.ACLOVERRIDE - READ access (permit only if the profile is already defined; when it exists, file ACLs take precedence over SUPERUSER.FILESYS unless the user also has READ access here)
• Only if no sensitive data is kept in the Unix file system (consider digital keys and certificates)
IRRHFSU - Hierarchical File System Unload (see the RSH presentation on IRRHFSU for details)
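As an added example (not code from the RSH presentation), the batch TSO job below puts the two UNIXPRIV permissions in place for an administrator group. The group name RACFADM and the job card values are assumptions; IKJEFT01 runs each RACF command in turn and reports its return code in SYSTSPRT, so a failed PERMIT on an undefined ACLOVERRIDE profile is visible without stopping the job. The ACLOVERRIDE profile is deliberately not defined here: defining it changes ACL evaluation for every user on the system, which is why the page says to permit it only if it already exists.

```jcl
//RACFUNIX JOB (ACCT),'RACF ADMIN UNIXPRIV',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the RSH presentation. Assumed names:
//*   RACFADM  - group holding the RACF administrators
//*   (ACCT), CLASS, MSGCLASS - site-specific job card values
//* IKJEFT01 runs the RACF commands in batch TSO; each command's
//* messages and return code appear in SYSTSPRT.
//*
//* SUPERUSER.FILESYS: READ = read any file, search any directory.
//* UPDATE would add write access to any file, CONTROL is unlimited,
//* so only READ is granted. AUDIT(ALL(READ)) logs every use of the
//* privilege to SMF, which is what you want for a read-anything grant.
//*
//* ACLOVERRIDE: RLIST shows whether it exists; the PERMIT only works
//* (and is only wanted) if it does. Do not RDEFINE it just for this.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE  UNIXPRIV SUPERUSER.FILESYS UACC(NONE) AUDIT(ALL(READ)) +
           DATA('RACF ADMIN READ ANY FILE - NO UPDATE OR CONTROL')
  PERMIT   SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(RACFADM) ACCESS(READ)
  RLIST    UNIXPRIV SUPERUSER.FILESYS.ACLOVERRIDE AUTHUSER
  PERMIT   SUPERUSER.FILESYS.ACLOVERRIDE CLASS(UNIXPRIV) +
           ID(RACFADM) ACCESS(READ)
  SETROPTS RACLIST(UNIXPRIV) REFRESH
  RLIST    UNIXPRIV SUPERUSER.FILESYS AUTHUSER
/*
```

The final RLIST with AUTHUSER is the check: it should show RACFADM at READ and no other ID at UPDATE or CONTROL. Because UNIXPRIV is RACLISTed, nothing takes effect until the SETROPTS REFRESH has run.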
RACF Administrator Toolkit Joint RUG Meeting
© 2022 RSH Consulting, Inc. All Rights Reserved. May 2022
Operator Commands
Consoles
• CONSOLE console-profiles - READ access
• TSOAUTH CONSOLE - READ access
• OPERCMDS MVS.MCSOPER.yourid[*] - READ access
• SDSF ISFOPER.SYSTEM - / command - READ access
• (Optional) OPERCMDS jes.VS - JES2 $VS command - CONTROL access
View all job processing results without JESSPOOL authority - READ access to:
• SDSF ISFOPER.DEST.jes - Destination operator
• SDSF ISFAUTH.DEST.*.DATASET.JESJCL
• SDSF ISFAUTH.DEST.*.DATASET.JESMSGLG
• SDSF ISFAUTH.DEST.*.DATASET.JESYSMSG
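As an added example (not code from the RSH presentation), the batch TSO job below defines and permits the SDSF and OPERCMDS profiles listed above for an administrator group. Assumed names: RACFADM is the administrator group, RACFADM1 is one administrator's userid (SDSF names the extended console after the userid, which is the "yourid" in MVS.MCSOPER.yourid), and JES2 is the subsystem name written as "jes" on the page. Generic profiles are assumed to be active for the SDSF class so that the `*` in the ISFAUTH.DEST profiles is generic.

```jcl
//RACFSDSF JOB (ACCT),'RACF ADMIN SDSF',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the RSH presentation. Assumed names:
//*   RACFADM  - group holding the RACF administrators
//*   RACFADM1 - one administrator userid, used as the console name
//*   JES2     - the JES subsystem name ("jes" on the page)
//* SETROPTS GENERIC(SDSF) is assumed active so '*' is generic.
//*
//* ISFOPER.SYSTEM + MVS.MCSOPER.userid: lets the SDSF "/" command
//* issue operator commands through an extended console.
//* ISFOPER.DEST.JES2 + ISFAUTH.DEST.*.DATASET.xxx: lets the admin
//* view JESJCL, JESMSGLG and JESYSMSG of every job without any
//* JESSPOOL profile, but not SYSOUT data (no JESSPOOL grant here).
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE  SDSF ISFOPER.SYSTEM UACC(NONE)
  PERMIT   ISFOPER.SYSTEM CLASS(SDSF) ID(RACFADM) ACCESS(READ)
  RDEFINE  OPERCMDS MVS.MCSOPER.RACFADM1 UACC(NONE)
  PERMIT   MVS.MCSOPER.RACFADM1 CLASS(OPERCMDS) ID(RACFADM1) +
           ACCESS(READ)
  RDEFINE  SDSF ISFOPER.DEST.JES2 UACC(NONE)
  PERMIT   ISFOPER.DEST.JES2 CLASS(SDSF) ID(RACFADM) ACCESS(READ)
  RDEFINE  SDSF ISFAUTH.DEST.*.DATASET.JESJCL UACC(NONE)
  RDEFINE  SDSF ISFAUTH.DEST.*.DATASET.JESMSGLG UACC(NONE)
  RDEFINE  SDSF ISFAUTH.DEST.*.DATASET.JESYSMSG UACC(NONE)
  PERMIT   ISFAUTH.DEST.*.DATASET.JESJCL CLASS(SDSF) ID(RACFADM) +
           ACCESS(READ)
  PERMIT   ISFAUTH.DEST.*.DATASET.JESMSGLG CLASS(SDSF) ID(RACFADM) +
           ACCESS(READ)
  PERMIT   ISFAUTH.DEST.*.DATASET.JESYSMSG CLASS(SDSF) ID(RACFADM) +
           ACCESS(READ)
  SETROPTS RACLIST(SDSF OPERCMDS) REFRESH
  RLIST    SDSF ISFAUTH.DEST.*.DATASET.JESJCL AUTHUSER
/*
```

The optional JES2 $VS grant (OPERCMDS jes.VS at CONTROL) is left out on purpose: $VS issues arbitrary MVS commands from a JES2 console and is a far broader privilege than viewing job output, so grant it separately and only when it is actually needed.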
TSO
• TSOAUTH PARMLIB - Use TSO PARMLIB command to list TSO configuration - READ access
• TSOAUTH ACCT - Use TSO ACCOUNT command to list and administer TSO user definitions in SYS1.UADS - READ access
  To allow viewing only, instead permit READ access to SYS1.UADS
• SYS1.BRODCAST - Administer TSO segments - UPDATE access
  Needed to execute the SYNC command, which synchronizes SYS1.BRODCAST with the TSO segments when the RACF database is shared by multiple systems but SYS1.BRODCAST is not shared
CICS
• {TCICSTRN} CEDC transaction - View CICS resource definitions - READ access
• DFHCSDUP utility - List CICS resource definitions
Requires READ access to CICS System Definition (CSD) files
• CICS Explorer - GUI - View System Initialization Table (SIT) parms
Sysplex - RMF
• FACILITY ERBSDS.MON2DATA - Display info on SDSF DA panel - READ access
Miscellaneous
SMF
• IFASMFDP program - Dump SMF datasets
  Requires READ access to the SMF dump datasets
• IFASMFDL program - Dump SMF logstreams
  Requires READ access to the SMF logstreams - LOGSTRM IFASMF.lsname
• RACF SMF unload - IRRADU00 and IRRADU86, run as the USER2 and USER3 exits of IFASMFDP or IFASMFDL
• RACFRW - TSO command - RACF Report Writer (obsolete - stabilized 1992)
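As an added example (not code from the RSH presentation), the job below shows both unload paths from the list above: IFASMFDP reading an SMF dump dataset and IFASMFDL reading an SMF logstream, each with IRRADU00 and IRRADU86 attached as the USER2 and USER3 exits so the RACF records come out in the flat unload format. The dataset names SYS1.SMF.D230101, RACFADM.ADU.DS and RACFADM.ADU.LS, the logstream name IFASMF.RACF and the job card values are assumptions; the administrator needs READ access to the dump dataset and to LOGSTRM IFASMF.RACF, as the page states.

```jcl
//RACFADU  JOB (ACCT),'UNLOAD RACF SMF',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not from the RSH presentation. Assumed names:
//*   SYS1.SMF.D230101  - an SMF dump dataset (READ access needed)
//*   IFASMF.RACF       - an SMF logstream (LOGSTRM READ needed)
//*   RACFADM.ADU.DS/LS - unload output datasets created here
//* IRRADU00/IRRADU86 run as the USER2/USER3 exits of the dump
//* programs. The unloaded records are written to ADUPRINT; OUTDD is
//* DUMMY because no copy of the raw SMF records is wanted. TYPE(30:83)
//* passes the range that holds the record types RACF unload handles
//* (30, 80, 81, 83); the exits ignore the rest.
//*
//* Step 1: unload from an SMF dump dataset with IFASMFDP
//DUMPDS   EXEC PGM=IFASMFDP
//SYSPRINT DD  SYSOUT=*
//SMFIN    DD  DISP=SHR,DSN=SYS1.SMF.D230101
//OUTDD    DD  DUMMY
//ADUPRINT DD  DISP=(NEW,CATLG,DELETE),DSN=RACFADM.ADU.DS,
//             UNIT=SYSDA,SPACE=(CYL,(50,50),RLSE),
//             DCB=(RECFM=VB,LRECL=12288,BLKSIZE=0)
//SYSIN    DD  *
  INDD(SMFIN,OPTIONS(DUMP))
  OUTDD(OUTDD,TYPE(30:83))
  ABEND(NORETRY)
  USER2(IRRADU00)
  USER3(IRRADU86)
/*
//* Step 2: unload from an SMF logstream with IFASMFDL (same exits)
//DUMPLS   EXEC PGM=IFASMFDL
//SYSPRINT DD  SYSOUT=*
//OUTDD    DD  DUMMY
//ADUPRINT DD  DISP=(NEW,CATLG,DELETE),DSN=RACFADM.ADU.LS,
//             UNIT=SYSDA,SPACE=(CYL,(50,50),RLSE),
//             DCB=(RECFM=VB,LRECL=12288,BLKSIZE=0)
//SYSIN    DD  *
  LSNAME(IFASMF.RACF,OPTIONS(DUMP))
  OUTDD(OUTDD,TYPE(30:83))
  USER2(IRRADU00)
  USER3(IRRADU86)
/*
```

The ADUPRINT output is the input for the usual follow-on processing (DB2 load, DFSORT or ICETOOL reports, or the RSH tools mentioned on the page); ADUPRINT must be a variable-length dataset with an LRECL large enough for the longest unload record, which is why the DCB above uses RECFM=VB with LRECL=12288. Because both steps create their output with DISP=(NEW,CATLG,DELETE), a failed step leaves no partial dataset behind.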