Secure the "z"

Matching: racf

Is there a way to remotely administer my RACF data?

JonCottrell Tags: racf ldap ‎ 1 Comment ‎ 4,607 Views

This may be a question that you have pondered in the past. Wouldn't it be nice if there was a way to remotely manage your RACF (Remote Access Control Facility) data on z/OS while on your Linux or Windows machine? The great thing is that it is possible to do this today by configuring an IBM Tivoli Directory Server for z/OS.

The IBM Tivoli Directory Server for z/OS is an LDAP (Lightweight Directory Access Protocol) server which can communicate with a client that supports LDAP protocol. LDAP is an industry standard protocol that has been around for a number of years and is defined in IETF (Internet Engineering Task Force) RFCs (Request for Comments). RFCs are industry standard documents that define many of the Internet standards that are in use today.

An LDAP server or directory provides an easy way to maintain directory information in a central location for storage, update, retrieval, and exchange. A directory is very similar to a database however the information is much more descriptive. Attributes describe the entries that reside within an LDAP server or directory. The information in a directory is organized in a tree-like manner where the root entry branches into subordinate entries (or different trunks).

The IBM Tivoli Directory Server for z/OS supports different data repository types or what are referred to as backends. The SDBM backend in the IBM Tivoli Directory Server for z/OS provides access to the RACF data that resides on your system. If your LDAP server is listening on an IP address and/or port that is externally available, you can remotely login to the system with your RACF password or credentials via an LDAP client. This allows you to remotely administer RACF data such as users, groups, and general resource profiles (however not DATASET profiles) that reside in your RACF database. If you have the RACF authority to do so, you could add new users, groups, or general resource profiles. You may also be able to reset a user's password or permit users or groups to your general resource profiles.

To take advantage of this support, you need to have access to an LDAP client on your Windows or Linux machine. You can install a version of the IBM Tivoli Directory Server that runs on either Linux, zLinux, or Windows that will also provide an LDAP client. Most LDAP clients provide simple utilities that allow you to quickly add, delete and modify entries. If you need more robust support, most LDAP clients provide C/C++ APIs (Application Programming Interfaces) which enable you to code your own LDAP client applications.

For more information about IBM Tivoli Directory Server for z/OS and the SDBM backend, see the IBM Tivoli Directory Server for z/OS Administration and Use manual.

Modified on by JonCottrell

IRRXUTIL: RACF profile data retrieval, the easy way.

MikeOnghena Tags: racf irrxutil ‎ 4,692 Views

IRRXUTIL

Have you every tried to retrieve profile information from the RACF database for use in a Rexx program? If so, you have most likely issued a RACF list (listuser, rlist, etc.) command, and then parse the output to find what was needed. While not quite up there with classic problems in the field of computer science, it does end up being surprisingly time consuming and quite fiddly. RACF command output seems to have intentionally designed to be as difficult to parse as possible.

Starting in z/OSv1R11, it is much easier to get this information into your favorite Rexx programs using the IRRXUTIL utility. IRRXUTIL is a program which reads RACF profile information, and stores it into Rexx stem variables for easy reference and use. No more parsing of RACF list command output, unless you're in to that sort of thing.

Saying it is easy to retrieve the profile information doesn't mean that just anyone can do it. You still need to have permission to the data being retrieved. If you are not allowed to list the data with a RACF command, you won't be able to get it with IRRXUTIL either. You also need permission to use the r_admin callable service which is used by IRRXUTIL on your behalf. RACF documentation cover all of these exciting details.

Using IRRXUTIL you can retrieve profile information about users, groups, general resources, and general RACF settings administered by the setropts command. There is no IRRXUTIL support for dataset profiles. IRRXUTIL can extract the specified profile via the Extract function or the profile following the specified profile with the Extractn function.

Example:

Here is a very simple example. It displays the unix UID of a user and the GID of the user's default group. All it does is call IRRXUTIL to extract the user, retrieve the default group using information from the user profile, then prints the user UID and group GID.

/* REXX */

arg user

myrc=IRRXUTIL("EXTRACT","USER",user,"USR","R_") /* extract user */
groupId=USR.R_BASE.R_DFLTGRP.1 /* get default group from user profile */

myrc=IRRXUTIL("EXTRACT","GROUP",groupId,"GRP","R_") /* extract default group */

Say "User: "user /* Output user id */

say "OMVS uid="USR.R_OMVS.R_UID.1 /* Output user OMVS uid */

Say "Default group:"groupId /* Output group name */

say "OMVS gid="GRP.R_OMVS.R_GID.1 /* Output group GID */

For brevity, this example is missing vital return code checking, it is meant to be an example of the simplicity of the interface.

Using the Rexx variables:

The user profile was extracted into Rexx stem variable USR, as specified on the call to IRRXUTIL. The profile data is retrieved using RACF segment and field names. To get the OMVS(UID(xx)) (segment=OMVS, field=UID) field, simply reference it by its newly defined variable name USR.R_OMVS.R_UID.1 (the R_ prefix is discussed later). All fields are represented as potential list fields. A non-list field is treated like a list field with one element so we simply reference the '.1' element of the list. Following standard Rexx conventions, the '.0' element of each field indicates how many items are in the list.

IRRXUTIL returns a string containing a space separated list of return codes. If the first code in the list is 0, the request succeeded, go get your data. Otherwise look up the return codes in the aforementioned exciting documentation. Some common ones are '12 12 8 8 24' means you lack access to the r_admin function and '12 12 4 4 4' means profile not found.

Notes:

Note that IRRXUTIL does not have any facility to make changes to profiles, but you can easily create and issue your favorite RACF commands directly from REXX.

Although IRRXUTIL gives you the ability to iterate through all profiles of a given type via the Extractn function, doing so frequently may increase RACF database activity to the point where it may impact other parts of the system which are using RACF. Be nice to your database!

Referring the the above example, note that the segment and field name portion of the Rexx stem variable name are prefixed with 'R_'. The 'R_' corresponds to the 'R_' specified in the call to IRRXUTIL. You can change this prefix to anything you want, bit it should be something that you would never use as part of one of your Rexx variable names. Omitting the prefix is not a good idea because you risk variable name collisions.

Mike Onghena

SecureTheZ

The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions

Feed for Blog Entries

Blogs

Secure the "z"

▼ Tags

▼ Similar Blogs

Security on d...

Application I...

MQdev Blog - ...

Notes from Ra...

Inside System...

▼ Similar Ideation Blogs

主机知刊

▼ Archive

▼ Blog Authors

Secure the "z"

Is there a way to remotely administer my RACF data?

IRRXUTIL: RACF profile data retrieval, the easy way.