Defining generic profiles for resources

A zero trust strategy means that resources should be protected by only granting groups (roles) access to member list profiles. The member lists then contain the sets of resources that users in the group have a specific need to access. Whilst migrating to this strategy, there can be regions where security is based on a naming convention for the resources rather than on listing all of the resources.

For example, there might be just a few programs in the CICS® application program resource class that are particularly sensitive, and a much greater number that constitute no significant risk. In this case, you could protect the few by defining specific RACF® profiles for only those programs that are sensitive. You ensure that everyone can access the remaining, nonsensitive, programs by defining a completely generic resource profile, as follows:
RDEFINE  MCICSPPT  *  UACC(READ) ...

This profile applies to any authorization request for programs not covered by one of the specific profiles. RACF processing logic is such that the most specific profile for any given resource name is always used.

For an example of defining other types of profile, see How it works: Securing CICS with RACF.

Note that to determine whether a profile is generic, you need only check whether (G) appears after the name of the profile when it is listed with RLIST or SEARCH. For example:

SEARCH CLASS(TCICSTRN)
might give the following output:
C*
CED% (G)
** (G)
This output shows that both CED% and ** are generic profiles. The C* profile is not generic because it is not followed by (G). This could have occurred if the C* profile was created before generic profiles had been enabled with a SETROPTS command. The C* profile can be deleted and redefined as a proper generic profile as follows:
SETROPTS NOGENERIC(TCICSTRN)
SETROPTS NOGENCMD(TCICSTRN)
RDEL TCICSTRN C*
SETROPTS GENERIC(TCICSTRN)
RDEFINE TCICSTRN C* UACC(NONE)

Access to all or access to none?

If RACF can find neither a specific nor generic profile, it returns a no profile found condition.

CICS treats this return code exactly the same as the user not authorized return code, and returns the NOTAUTH condition to the CICS application program. If RACF cannot find the APPL class, it returns a READ access intent condition.

You can use the completely generic profile either to permit access to any resources not otherwise covered by more specific profiles, with UACC(READ) or UACC(UPDATE), or to prevent any such access, with UACC(NONE). For example,
RDEFINE  DCICSDCT  *  UACC(NONE)
prevents access to any transient data queue not covered by any of the other profiles defined to RACF, and results in RACF writing an SMF record.
On the other hand, you can define files as public by the following command:
RDEFINE  FCICSFCT  *  UACC(READ)
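The two behaviours described above, most-specific-profile selection (including why a profile without the (G) flag protects almost nothing) and the difference between a UACC(NONE) catch-all and no profile at all, can be seen in the following simplified model. This is an added example written for this page, not RACF code or anything supplied by IBM. It assumes single-qualifier resource names such as 4-character CICS transaction IDs (no periods, so * and ** both match any run of characters and differ only in specificity), ranks profiles character by character with literal more specific than %, then *, then **, and uses constructed TCICSTRN profiles and constructed group names (CICSADM, USERS) that mirror the SEARCH output shown earlier.

```python
"""Simplified model of RACF generic-profile matching for a CICS resource
class (constructed example, not RACF itself).

Assumptions (see the lead-in): names have a single qualifier, so '*' and
'**' both match zero or more characters; '%' matches exactly one character;
a profile without the (G) flag is discrete and matches only its exact name;
the most specific matching profile wins, compared position by position with
literal < % < * < ** in specificity rank.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RACF access levels in increasing order of authority
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    name: str
    generic: bool                    # True when RLIST/SEARCH shows (G)
    uacc: str = "NONE"               # universal access for users not in the access list
    permits: Dict[str, str] = field(default_factory=dict)  # group -> access level

    def tokens(self) -> List[str]:
        """Split the name into literal characters and generic characters."""
        if not self.generic:
            return list(self.name)
        return re.findall(r"\*\*|\*|%|[^*%]", self.name)

    def matches(self, resource: str) -> bool:
        if not self.generic:
            # A discrete profile named 'C*' protects only a resource literally named 'C*'.
            return self.name == resource
        parts = []
        for t in self.tokens():
            if t in ("*", "**"):
                parts.append(".*")
            elif t == "%":
                parts.append(".")
            else:
                parts.append(re.escape(t))
        return re.fullmatch("".join(parts), resource) is not None

    def specificity(self) -> Tuple:
        """Sort key: discrete before generic, then position-by-position rank."""
        rank = {"%": 1, "*": 2, "**": 3}
        return (1 if self.generic else 0, tuple(rank.get(t, 0) for t in self.tokens()))


def best_profile(profiles: List[Profile], resource: str) -> Optional[Profile]:
    """Return the most specific profile covering the resource, or None
    (RACF's 'no profile found' condition)."""
    candidates = [p for p in profiles if p.matches(resource)]
    if not candidates:
        return None
    return min(candidates, key=Profile.specificity)


def check_access(profiles: List[Profile], resource: str, groups: List[str],
                 needed: str = "READ") -> Tuple[str, Optional[str]]:
    """Model the authorization decision. Returns (outcome, profile name).

    outcome is 'AUTHORIZED', 'NOTAUTH' or 'NOPROFILE'; CICS maps both of the
    latter to the NOTAUTH condition for the application program."""
    prof = best_profile(profiles, resource)
    if prof is None:
        return ("NOPROFILE", None)
    # An explicit access-list entry for any of the user's groups overrides UACC.
    listed = [prof.permits[g] for g in groups if g in prof.permits]
    granted = max(listed, key=LEVELS.index) if listed else prof.uacc
    ok = LEVELS.index(granted) >= LEVELS.index(needed) and needed != "NONE"
    return ("AUTHORIZED" if ok else "NOTAUTH", prof.name)


# Constructed TCICSTRN profiles mirroring the SEARCH output in the text:
# 'C*' was defined before SETROPTS GENERIC, so it is discrete; CED% and ** are generic.
BEFORE_FIX = [
    Profile("C*", generic=False, uacc="NONE"),
    Profile("CED%", generic=True, uacc="NONE", permits={"CICSADM": "READ"}),
    Profile("**", generic=True, uacc="READ"),
]
# The same class after RDEL / SETROPTS GENERIC / RDEFINE TCICSTRN C* UACC(NONE).
AFTER_FIX = [Profile("C*", generic=True, uacc="NONE")] + BEFORE_FIX[1:]
# No completely generic ** profile at all: uncovered names give 'no profile found'.
NO_CATCHALL = AFTER_FIX[:2]

if __name__ == "__main__":
    for label, profs in (("before", BEFORE_FIX), ("after", AFTER_FIX), ("no **", NO_CATCHALL)):
        for tran, groups in (("CEDA", ["CICSADM"]), ("CEDA", ["USERS"]),
                             ("CECI", ["USERS"]), ("ABCD", ["USERS"])):
            print(f"{label:7} {tran} {groups[0]:8} -> {check_access(profs, tran, groups)}")
```

Running the block shows that before the fix the discrete C* profile covers nothing but a transaction literally named C*, so CECI falls through to ** and is permitted by its UACC(READ); after the fix C* is the most specific match for CECI and denies it, while CEDA is still resolved by the more specific CED%. With no ** profile, ABCD yields the no-profile-found condition, which CICS reports to the program as NOTAUTH just as it would for an explicit denial.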

If you are using generic profiles, ensure that generic profile checking has been activated for the CICS RACF resource classes (both the IBM®-supplied classes and any installation-defined classes added to the RACF class descriptor table) by issuing a SETROPTS GENERIC(classname) command for any one of the CICS classes having the same POSIT value. This ensures generic checking for all other CICS classes with the same POSIT value. If you change a generic profile, you must issue a SETROPTS GENERIC(classname) REFRESH command. For more information about POSIT values and defining generic classes, see the z/OS Security Server RACF System Programmer's Guide.