Policy profiles for STDATA segment management

Because of the sensitive nature of certain fields in the STDATA segment, your organization might need to maintain control over the STDATA profiles beyond the controls already provided by RACF®.

As stated previously, RACF command authorization allows verification only on the field name itself, not on its value. Using Field Level Access Checking, it is possible to restrict setting the PRIVILEGED flag to certain users, provided the terminal user does not have the System-SPECIAL attribute: profiles in the FIELD class are not checked for System-SPECIAL users. Additionally, some installations want to restrict the assignment of certain values for the USER and GROUP in the STDATA segment.

zSecure Command Verifier provides more controls for the STDATA segment. These controls are in addition to the RACF requirements, such as System-SPECIAL or UPDATE access to the applicable profiles in the FIELD class. For instance, the zSecure Command Verifier policy profiles can be used to prevent the accidental assignment of the PRIVILEGED attribute by RACF administrators with System-SPECIAL.
Class | Field | Profile |
---|---|---|
STARTED | PRIVILEGED | C4R.STARTED.STDATA.ATTR.PRIVILEGED.started-profile |
STARTED | TRUSTED | C4R.STARTED.STDATA.ATTR.TRUSTED.started-profile |
STARTED | TRACE | C4R.STARTED.STDATA.ATTR.TRACE.started-profile |
STARTED | USER (mandatory value) | C4R.STARTED.STDATA.=USER.started-profile |
STARTED | USER (default value) | C4R.STARTED.STDATA./USER.started-profile |
STARTED | userid | C4R.STARTED.STDATA.USER.userid.started-profile |
STARTED | NOUSER | C4R.STARTED.STDATA.USER.=NONE.started-profile |
STARTED | GROUP (mandatory value) | C4R.STARTED.STDATA.=GROUP.started-profile |
STARTED | GROUP (default value) | C4R.STARTED.STDATA./GROUP.started-profile |
STARTED | group | C4R.STARTED.STDATA.GROUP.group.started-profile |
STARTED | NOGROUP | C4R.STARTED.STDATA.GROUP.=NONE.started-profile |
- C4R.STARTED.STDATA.ATTR.PRIVILEGED.started-profile
- C4R.STARTED.STDATA.ATTR.TRUSTED.started-profile
- C4R.STARTED.STDATA.ATTR.TRACE.started-profile

These profiles specify the authorization to set one of the attributes in the STDATA segment. The Privileged attribute causes most authorization checking to be bypassed: no installation exits are called, and no SMF records are written. It must be strictly controlled. The Trusted attribute is similar to the Privileged attribute, but SMF records can be written. The Trace attribute specifies that a record must be written to the console when the STARTED profile is used to assign an ID to a started task.

- No profile found: Control not implemented. Only RACF authorization is used to control assignment of STDATA attributes.
- NONE: The terminal user is not authorized to assign the attribute to this STARTED profile. The command is rejected.
- READ: Same as NONE.
- UPDATE: The attribute setting is accepted. RACF authorization requirements can still cause failure of the command.
- CONTROL: Same as UPDATE.
- C4R.STARTED.STDATA.=USER.started-profile
- C4R.STARTED.STDATA.=GROUP.started-profile

These two Mandatory Value policy profiles can be used to assign a mandatory value for these STDATA fields. The mandatory value must be specified in the APPLDATA field of the policy profile. zSecure Command Verifier does not recognize any special values for the APPLDATA. This means that the value "=MEMBER" can be used for the USER: it is not substituted by zSecure Command Verifier, but is used by RACF when the STARTED profile is used.

These Mandatory Value policy profiles are only used when you add an STDATA segment, either through the RDEFINE or the RALTER command. When you change existing STDATA segments, the Mandatory Value policy profiles are not used. The USER or GROUP value that is obtained from this Mandatory Value profile is not subject to further user- or group-related policy profiles. The qualifiers =USER and =GROUP in the policy profile cannot be covered by generic characters. They must be present in the exact form shown.

- No profile found: The policy is not implemented. As a result, no mandatory value is enforced.
- NONE: No action. No mandatory value is enforced.
- READ: The APPLDATA field is extracted and used for the command.
- UPDATE: Same as READ.
- CONTROL: The policy profile is not active for the terminal user. No mandatory value is supplied. The USER or GROUP value specified by the terminal user is used in the command.

Note: The access levels for this profile are not hierarchical. In general, zSecure Command Verifier policies do not apply to users that have CONTROL access or higher. Conversely, access NONE indicates that the facility described by the policy is not available to the terminal user. For the Mandatory Value policy profiles, this leads to the odd situation that access NONE has the same net result as access CONTROL.

Currently, the following values for the APPLDATA are recognized:

- BLANK: This setting indicates that no explicit ID must be inserted.
- id: Any other value is considered to be the userid or group that must be inserted in the STDATA segment. No verification is done to ensure that this value is a valid user ID or GROUP.
- C4R.STARTED.STDATA./USER.started-profile
- C4R.STARTED.STDATA./GROUP.started-profile

These two Default Value profiles can be used to assign a default value for these STDATA fields. The default value must be specified in the APPLDATA field of the policy profile. zSecure Command Verifier does not recognize any special values for the APPLDATA. This means that the value "=MEMBER" can be used for the USER: it is not substituted by zSecure Command Verifier, but is used by RACF when the STARTED profile is used.

These Default Value profiles are only used when you add an STDATA segment without a value for the USER or the GROUP, either through the RDEFINE or the RALTER command. When you change existing STDATA segments, the Default Value policy profiles are not used. The USER or GROUP value that is obtained from this Default Value profile is not subject to further user- or group-related policy profiles. The qualifiers /USER and /GROUP in the policy profile cannot be covered by generic characters. They must be present in the exact form shown.

- No profile found: The policy is not implemented. No default value is provided.
- NONE: No action. No default value is provided.
- READ: The APPLDATA field is extracted and used for the command.
- UPDATE: Same as READ.
- CONTROL: The policy profile is not active for the terminal user. No default value is provided.

Note: The access levels for this profile are not hierarchical. In general, zSecure Command Verifier policies do not apply to users that have CONTROL access or higher. Conversely, access NONE indicates that the facility described by the policy is not available to the terminal user. For the Default Value profiles, this leads to the odd situation that access NONE has the same net result as access CONTROL.

Currently, the following values for the APPLDATA are recognized:

- BLANK: This setting indicates that no explicit ID must be inserted.
- id: Any other value is considered to be the userid or group that must be inserted in the STDATA segment. No verification is done to ensure that this value is a valid user ID or GROUP.
- C4R.STARTED.STDATA.USER.userid.started-profile
- C4R.STARTED.STDATA.USER.=NONE.started-profile

This policy profile specifies valid values for the userid for the started-profile. The special value =NONE is used when the terminal user specified the NOUSER keyword for the STDATA segment. This special value can be covered by a generic pattern, which allows the removal of the user assignment to be controlled by the same policy profile as the assignment of a user value. The following access levels are used.

- No profile found: The policy is not implemented. The user-specified value is accepted.
- NONE: The specified USER is not allowed. The command is rejected.
- READ: Same as NONE.
- UPDATE: The specified value for the USER is accepted.
- CONTROL: Same as UPDATE.
- C4R.STARTED.STDATA.GROUP.group.started-profile
- C4R.STARTED.STDATA.GROUP.=NONE.started-profile

This policy profile specifies valid values for the group for the started-profile. The special value =NONE is used when the terminal user specified the NOGROUP keyword for the STDATA segment. This special value can be covered by a generic pattern, which allows the removal of the group assignment to be controlled by the same policy profile as the assignment of a group value. The following access levels are used.

- No profile found: The policy is not implemented. The user-specified value is accepted.
- NONE: The specified GROUP is not allowed. The command is rejected.
- READ: Same as NONE.
- UPDATE: The specified value for the GROUP is accepted.
- CONTROL: Same as UPDATE.
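The decision flow that the preceding sections describe for the USER and GROUP fields (Mandatory Value, Default Value and value-check profiles, including the non-hierarchical access levels), as an added Python model that is not zSecure Command Verifier or RACF code. It assumes exact profile-name matching rather than RACF generic matching, uses constructed STARTED profile names, userids and APPLDATA values, and represents NOUSER/NOGROUP by the =NONE qualifier as the page describes.

```python
"""Model of the STDATA USER/GROUP policy decision described on this page.
Added illustration, not zSecure Command Verifier or RACF code. Assumptions: policy
profiles are a dict keyed by exact profile name (RACF generic matching is not
modelled) and `access` is the terminal user's access to each policy profile."""

USES_APPLDATA = ("READ", "UPDATE")     # non-hierarchical: NONE and CONTROL do not
ACCEPTS_VALUE = ("UPDATE", "CONTROL")


def effective_value(started, field, specified, policies, access, adding_segment=True):
    """Return ("accept", value) or ("reject", reason) for one STDATA field.
    field is "USER" or "GROUP"; specified is the value from the command, "=NONE"
    for NOUSER/NOGROUP, or None if omitted; adding_segment is True when the
    RDEFINE/RALTER command adds the STDATA segment rather than changing it."""
    def supplied(prefix):
        # Mandatory (=USER) and Default (/USER) profiles: only READ and UPDATE
        # supply the APPLDATA; no profile, NONE and CONTROL leave the value alone.
        name = f"C4R.STARTED.STDATA.{prefix}{field}.{started}"
        if name not in policies or access.get(name, "NONE") not in USES_APPLDATA:
            return False, None
        return True, (None if policies[name] == "BLANK" else policies[name])

    if adding_segment:
        applies, value = supplied("=")        # mandatory value wins over the command
        if applies:
            return "accept", value            # not subject to further value checks
        if specified is None:
            applies, value = supplied("/")    # default only when the field was omitted
            if applies:
                return "accept", value
    if specified is None:
        return "accept", None                 # nothing specified, nothing supplied
    # Value-check profile, e.g. C4R.STARTED.STDATA.USER.userid.started-profile
    name = f"C4R.STARTED.STDATA.{field}.{specified}.{started}"
    if name not in policies or access.get(name, "NONE") in ACCEPTS_VALUE:
        return "accept", specified
    return "reject", f"{field} {specified} not allowed for {started}"


# Constructed sample policy profiles and one terminal user's access to them.
POLICIES = {
    "C4R.STARTED.STDATA.=USER.PAYROLL": "PAYSTC",      # mandatory USER for PAYROLL
    "C4R.STARTED.STDATA./USER.BATCHJOB": "BATCHSTC",   # default USER for BATCHJOB
    "C4R.STARTED.STDATA.USER.SYSADM.BATCHJOB": None,   # value check on USER(SYSADM)
    "C4R.STARTED.STDATA.USER.=NONE.BATCHJOB": None,    # value check on NOUSER
}
ACCESS = {
    "C4R.STARTED.STDATA.=USER.PAYROLL": "READ",
    "C4R.STARTED.STDATA./USER.BATCHJOB": "UPDATE",
    "C4R.STARTED.STDATA.USER.SYSADM.BATCHJOB": "NONE",
    "C4R.STARTED.STDATA.USER.=NONE.BATCHJOB": "UPDATE",
}
```

Changing the access on the =USER profile from READ to CONTROL (or NONE) in ACCESS shows the note's point: the typed USER value then passes through unchanged in both cases.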