Abstract for RACF Security Server Security Administrator's Guide

This document contains information on implementing a security policy using IBM® RACF® Security Server for z/VM®.

This document helps the RACF security administrator do the following:
  • Planning:
    • Decide how to use RACF to increase the security of the system.
    • Organize a security implementation team.
    • Plan whether to delegate administrative tasks (a decentralized approach) or to restrict administrative tasks to a few users (a centralized approach).
    • Plan which system resources to protect. For example:
      • System minidisks
      • Virtual switches and VLANs
      • System-owned Guest LANs
      • Sensitive privileged CP commands
      • Terminals
    • Plan which user resources should be protected by security administrators and which should be protected by the users themselves. For example, RACF can protect the following user resources:
      • User minidisks
      • Guest LANs
      • SFS files and directories
    • Plan which users and groups are to be known to RACF. For example, an installation can use RACF to require that all batch jobs be associated with a RACF-defined user ID.
  • Daily administration:
    • Give users access to the system (assigning user IDs and passwords).
    • Give users access to system resources or functions.
    • Assist users with access control problems (such as forgotten passwords or authorizations required to do their jobs).
  • Coordinating with administrators of other products, such as the tape librarian.

Intended Audience

This document is intended for security administrators, group administrators, and other administrators responsible for system data security and integrity on z/VM systems. In general, security administrators have the system-SPECIAL attribute, which allows them to issue any RACF command (except those that require the AUDITOR attribute). Group administrators have been granted specific authority (not usually granted to users) to perform security-related tasks for a RACF group or for that group's resources.

Note: This document should be read by RACF auditors, but is not the primary reference for them. RACF auditors should see z/VM: RACF Security Server Auditor's Guide.

Readers must be familiar with the RACF concepts and terminology described in z/VM: RACF Security Server General User's Guide. The readers of this document should also be familiar with z/VM systems.

For additional information about developing a security plan, see z/VM: RACF Security Server Auditor's Guide.

Most of this document describes how to protect specific kinds of z/VM resources. In general, you will first need to define users to RACF and set some RACF options. Then, depending on your security plan, you will select which classes of resources to protect, and create resource profiles for them.