Policy profiles for STDATA segment management

Because of the sensitive nature of certain fields in the STDATA segment, your organization might need to maintain control over the STDATA profiles, beyond the controls already provided by RACF®.

As stated previously, RACF command authorization allows verification only on the field name itself, and not on its value. Using Field Level Access Checking, it is possible to restrict setting the PRIVILEGED flag to certain users, but only if the terminal user does not have the System-SPECIAL attribute: profiles in the FIELD class are not checked for System-SPECIAL users.

Additionally, some installations want to restrict the assignment of certain values for the USER and GROUP in the STDATA segment.

More controls are provided by zSecure Command Verifier for the STDATA segment. These controls are in addition to the RACF requirements like System-SPECIAL or UPDATE access to the applicable profiles in the FIELD class. For instance, the zSecure Command Verifier policy profiles can be used to prevent the accidental assignment of the PRIVILEGED attribute by RACF administrators with System-SPECIAL.

Table 1. Profiles used for verification of STDATA values. The entries in this table reflect the Class, Segment, and Field and the corresponding policy profiles.

Class    Field       Profile
STARTED  PRIVILEGED  C4R.STARTED.STDATA.ATTR.PRIVILEGED.started-profile
STARTED  TRUSTED     C4R.STARTED.STDATA.ATTR.TRUSTED.started-profile
STARTED  TRACE       C4R.STARTED.STDATA.ATTR.TRACE.started-profile
STARTED              C4R.STARTED.STDATA.=USER.started-profile
STARTED              C4R.STARTED.STDATA./USER.started-profile
STARTED  userid      C4R.STARTED.STDATA.USER.userid.started-profile
STARTED  NOUSER      C4R.STARTED.STDATA.USER.=NONE.started-profile
STARTED              C4R.STARTED.STDATA.=GROUP.started-profile
STARTED              C4R.STARTED.STDATA./GROUP.started-profile
STARTED  group       C4R.STARTED.STDATA.GROUP.group.started-profile
STARTED  NOGROUP     C4R.STARTED.STDATA.GROUP.=NONE.started-profile
The profiles in the preceding table describe mandatory and default values for both the USER and the GROUP. They also describe the policies that verify whether the values for the keywords, as entered by the terminal user, are acceptable.
  • C4R.STARTED.STDATA.ATTR.PRIVILEGED.started-profile
  • C4R.STARTED.STDATA.ATTR.TRUSTED.started-profile
  • C4R.STARTED.STDATA.ATTR.TRACE.started-profile
    These profiles specify the authorization to set one of the attributes in the STDATA segment. The Privileged attribute results in bypassing most authorization checking: no installation exits are called, and no SMF records are written. It must be strictly controlled. The Trusted attribute is similar to the Privileged attribute, but SMF records can be written. The Trace attribute specifies that a record must be written to the console when the STARTED profile is used to assign an ID to a started task.
    No profile found
    Control not implemented. Only RACF authorization is used to control assignment of STDATA attributes.
    NONE
    The terminal user is not authorized to assign the attribute to this STARTED profile. The command is rejected.
    READ
    Same as NONE.
    UPDATE
    The attribute setting is accepted. RACF authorization requirements can still cause failure of the command.
    CONTROL
    Same as UPDATE.
  • C4R.STARTED.STDATA.=USER.started-profile
  • C4R.STARTED.STDATA.=GROUP.started-profile

    These two Mandatory Value policy profiles can be used to assign a mandatory value for these STDATA fields. The mandatory value must be specified in the APPLDATA field of the policy profile. zSecure Command Verifier does not recognize any special values for the APPLDATA. This setting allows use of the value "=MEMBER" for the USER. This value is not substituted by zSecure Command Verifier but is used by RACF when the STARTED profile is used.

    These Mandatory Value policy profiles are only used when you add an STDATA segment, either through the RDEFINE or the RALTER command. When you change existing STDATA segments, the Mandatory Value policy profiles are not used. The USER or GROUP value that is obtained from this Mandatory Value profile is not subject to further user- or group-related policy profiles.

    The qualifiers =USER and =GROUP in the policy profile cannot be covered by generic characters. They must be present in the exact form shown.

    No profile found
    The policy is not implemented. As a result, no mandatory value is enforced.
    NONE
    No action. No mandatory value is enforced.
    READ
    The APPLDATA field is extracted and used for the command.
    UPDATE
    Same as READ.
    CONTROL
    The policy profile is not active for the terminal user. No mandatory value is supplied. The value for the USER or GROUP as specified by the terminal user is used in the command.
    Note: The access levels for this profile are not hierarchical. In general, zSecure Command Verifier policies do not apply to users that have CONTROL access or higher. Conversely, access NONE indicates that the facility as described by the policy is not available to the terminal user. For the Mandatory Value policy profiles, this leads to the odd situation that access NONE has the same net result as access CONTROL.
    Currently, the following values for the APPLDATA are recognized:

    BLANK
    This setting is used to indicate that no explicit ID must be inserted.
    id
    Any other value is considered to be the userid or group that must be inserted in the STDATA segment. No verification is done to ensure that this value is a valid user ID or GROUP.
  • C4R.STARTED.STDATA./USER.started-profile
  • C4R.STARTED.STDATA./GROUP.started-profile

    These two Default value profiles can be used to assign a Default value for these STDATA fields. The Default value must be specified in the APPLDATA field of the policy profile. zSecure Command Verifier does not recognize any special values for the APPLDATA. This setting allows use of the value "=MEMBER" for the USER. This value is not substituted by zSecure Command Verifier, but is used by RACF when the STARTED profile is used.

    These Default value profiles are only used when you add an STDATA segment without a value for the USER or the GROUP, either through the RDEFINE or the RALTER command. When you change existing STDATA segments, the Default value policy profiles are not used. The USER or GROUP value that is obtained from this Default Value profile is not subject to further user- or group-related policy profiles.

    The qualifiers /USER and /GROUP in the policy profile cannot be covered by generic characters. They must be present in the exact form shown.

    No profile found
    The policy is not implemented. No default value is provided.
    NONE
    No action. No default value is provided.
    READ
    The APPLDATA field is extracted and used for the command.
    UPDATE
    Same as READ.
    CONTROL
    The policy profile is not active for the terminal user. No default value is provided.
    Note: The access levels for this profile are not hierarchical. In general, zSecure Command Verifier policies do not apply to users that have CONTROL access or higher. Conversely, access NONE indicates that the facility as described by the policy is not available to the terminal user. For the Default Value profiles, this leads to the odd situation that access NONE has the same net result as access CONTROL.

    Currently, the following values for the APPLDATA are recognized:

    BLANK
    This setting is used to indicate that no explicit ID must be inserted.
    id
    Any other value is considered to be the userid or group that must be inserted in the STDATA segment. No verification is done to ensure that this value is a valid user ID or GROUP.
  • C4R.STARTED.STDATA.USER.userid.started-profile
  • C4R.STARTED.STDATA.USER.=NONE.started-profile

    This policy profile specifies valid values for the userid for the started-profile. The special value =NONE is used when the terminal user specifies the NOUSER keyword for the STDATA segment. This special value can be covered by a generic pattern, so removing the user assignment can be controlled by the same policy profile that controls setting the user to a value. The following access levels are used.

    No profile found
    The policy is not implemented. The user-specified value is accepted.
    NONE
    The specified USER is not allowed. The command is rejected.
    READ
    Same as NONE.
    UPDATE
    The specified value for the USER is accepted.
    CONTROL
    Same as UPDATE.
  • C4R.STARTED.STDATA.GROUP.group.started-profile
  • C4R.STARTED.STDATA.GROUP.=NONE.started-profile

    This policy profile specifies valid values for the group for the started-profile. The special value =NONE is used when the terminal user specifies the NOGROUP keyword for the STDATA segment. This special value can be covered by a generic pattern, so removing the group assignment can be controlled by the same policy profile that controls setting the group to a value. The following access levels are used.

    No profile found
    The policy is not implemented. The user-specified value is accepted.
    NONE
    The specified GROUP is not allowed. The command is rejected.
    READ
    Same as NONE.
    UPDATE
    The specified value for the GROUP is accepted.
    CONTROL
    Same as UPDATE.
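The following Python model is an added illustration of the decision flow described on this page (attribute authorization, then Mandatory Value, Default Value and value-validation policy profiles); it is not zSecure Command Verifier or IBM code. The policy table is constructed for the example and stands in for the RACF lookup that the product performs (by assumption in the XFACILIT class). Generic characters are reduced to a simple regular-expression translation, and the most-specific-match rule is simplified to "the matching profile with the most literal characters wins"; the RACF checks that run in addition to these policies are not modelled.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed policy table: policy profile name -> (access level the terminal
# user holds, APPLDATA). It replaces the product's RACF lookup for this example.
POLICY: Dict[str, Tuple[str, Optional[str]]] = {
    "C4R.STARTED.STDATA.ATTR.PRIVILEGED.**": ("NONE", None),      # nobody may set PRIVILEGED
    "C4R.STARTED.STDATA.ATTR.TRACE.**": ("UPDATE", None),         # TRACE may be set
    "C4R.STARTED.STDATA.=USER.PAYR*.**": ("READ", "=MEMBER"),     # PAYR* tasks always run as =MEMBER
    "C4R.STARTED.STDATA./GROUP.**": ("READ", "STCGROUP"),         # default group when none is given
    "C4R.STARTED.STDATA.USER.*.**": ("NONE", None),               # deny every other user id ...
    "C4R.STARTED.STDATA.USER.STC%%%%.**": ("UPDATE", None),       # ... except ids of the form STCxxxx
    "C4R.STARTED.STDATA.USER.=NONE.**": ("UPDATE", None),         # NOUSER is allowed
    "C4R.STARTED.STDATA.GROUP.STCGROUP.**": ("UPDATE", None),
}


def _to_regex(profile: str) -> "re.Pattern[str]":
    """Translate generic characters: ** = any qualifiers, * = rest of one qualifier, % = one character."""
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append(".*"); i += 2
        elif profile[i] == "*":
            out.append("[^.]*"); i += 1
        elif profile[i] == "%":
            out.append("[^.]"); i += 1
        else:
            out.append(re.escape(profile[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def lookup(policy: Dict[str, Tuple[str, Optional[str]]], resource: str):
    """Return (access, APPLDATA) of the best matching profile, or None when no profile is found.
    Simplified most-specific-match: prefer the matching profile with the most literal characters."""
    hits = [name for name in policy if _to_regex(name).match(resource)]
    if not hits:
        return None
    best = max(hits, key=lambda n: sum(c not in "*%" for c in n))
    return policy[best]


def check_attribute(policy, attr: str, started: str) -> bool:
    """ATTR policy: UPDATE/CONTROL accept, NONE/READ reject, no profile leaves it to RACF (accept here)."""
    hit = lookup(policy, f"C4R.STARTED.STDATA.ATTR.{attr}.{started}")
    return hit is None or hit[0] in ("UPDATE", "CONTROL")


def _from_appldata(appldata: Optional[str]) -> Optional[str]:
    # BLANK means "insert no explicit id"; any other value is inserted unverified.
    return None if appldata in (None, "BLANK") else appldata


def resolve_id(policy, kind: str, started: str, adding_segment: bool,
               specified: Optional[str]) -> Tuple[Optional[str], str]:
    """Resolve USER or GROUP for an RDEFINE/RALTER with STDATA.
    specified: id entered by the terminal user, '=NONE' for NOUSER/NOGROUP, None if omitted.
    Returns (value, reason); value None means no id is set or the command is rejected."""
    if adding_segment:
        # Mandatory Value: only READ/UPDATE supply it; NONE, CONTROL and "no profile" all do nothing,
        # which is the non-hierarchical quirk noted on this page. The result is not checked further.
        hit = lookup(policy, f"C4R.STARTED.STDATA.={kind}.{started}")
        if hit and hit[0] in ("READ", "UPDATE"):
            return _from_appldata(hit[1]), "mandatory value"
        if specified is None:
            # Default Value: same access semantics, used only when the keyword was omitted.
            hit = lookup(policy, f"C4R.STARTED.STDATA./{kind}.{started}")
            if hit and hit[0] in ("READ", "UPDATE"):
                return _from_appldata(hit[1]), "default value"
    if specified is None:
        return None, "not specified"
    # Value validation: NONE/READ reject, UPDATE/CONTROL accept, no profile accepts.
    hit = lookup(policy, f"C4R.STARTED.STDATA.{kind}.{specified}.{started}")
    if hit is not None and hit[0] in ("NONE", "READ"):
        return None, f"rejected: {kind} {specified} not allowed"
    return (None if specified == "=NONE" else specified), "accepted"


if __name__ == "__main__":
    print(check_attribute(POLICY, "PRIVILEGED", "PAYRBAT.STC"))          # False
    print(resolve_id(POLICY, "USER", "PAYRBAT.STC", True, "STCPAYR"))   # ('=MEMBER', 'mandatory value')
    print(resolve_id(POLICY, "USER", "PAYRBAT.STC", False, "IBMUSER"))  # rejected
    print(resolve_id(POLICY, "GROUP", "BACKUP.STC", True, None))        # ('STCGROUP', 'default value')
```

Running the model against a scenario before creating the real policy profiles is a cheap way to confirm the intended outcome of the NONE/CONTROL quirk and of overlapping generic USER profiles.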