Educating the System Users

Part of your job is to tell the system users what they need to know to work without disruption when RACF® is installed.

The amount of detailed information each user needs to know about RACF depends on the RACF functions you authorize the person to use. Some examples of information required by various types of system users are:

All System Users: All users defined to RACF must know the following:
  • How to identify themselves to the system with their user ID and credential (which can be an MFA credential, a password, a passphrase, or a pass ticket).
  • How to create or change their credential, depending on their authentication method.

    Users might need to be familiar with the RACF PASSWORD command if you want them to be able to change their password intervals.

  • Users using MFA need to know how many times a generated credential can be used and for how long the credential is valid.
  • The significance of their credential to system security.

    z/VM® users and administrators should be aware that, when logging on with RACF, a user can change a current password/passphrase or establish a new one when the old one has expired. Prior to installing RACF, these options were not available to the user.

  • z/VM users defined as MFA (the PWFALLBACK option) can change their password/phrase with the RACF PASSWORD command or when they LOGON with the FALLBACK option when their password/passphrase is expired.
Make sure to inform all users that they can use either the RAC command processor or the RACF command session. In addition, users should be able to:
  • Use the RACF LISTUSER command to list their own profile information
  • Protect their own z/VM minidisks with RACF profiles
  • Protect their own SFS files and directories with RACF profiles
  • Protect their own OpenExtensions resources as documented in OpenExtensions for z/VM: User's Guide.

If security labels are used on your system, users should know how to log on with a security label other than their default security label. For more information, see How Users Specify Current Security Labels.

Note: Users can enter the following command to find out what security labels they can use: 
SEARCH CLASS(SECLABEL)

For complete information on tasks general users might perform using RACF, such as permitting others to use their minidisks, see z/VM: RACF Security Server General User's Guide.

Users Who RACF-Protect General Resources: Depending on your security plan, users might work with profiles in the VMMDISK or other general resource classes. These users must know:
  • How to define and modify profiles in the general resource class, including whether generic profiles are allowed in the class
  • What user IDs and group IDs they can use when giving access to the profiles
  • The meaning of the access authorities (NONE, READ, and so forth) in the general resource class
  • What your installation's security policy is towards specific security enhancements like security levels, categories, and security labels.

For more information, see Defining Resources and the sections of this book that describe how to use the class.

Technical Support Personnel: Users who install RACF need to be familiar with migration considerations and the steps required to install or re-install RACF. See z/VM: RACF Program Directory.

Users who maintain the RACF database (for example, technical support personnel) must be familiar with the RACF utilities. z/VM: RACF Security Server System Programmer's Guide describes these utilities.

Group Administrators: Group administrators have one of the group authorities, a group attribute (such as group-SPECIAL), or own group resources. These users will need to have information described in this book and in z/VM: RACF Security Server Command Language Reference.

RACF Auditors: Users with the AUDITOR or ROAUDIT attribute should refer to z/VM: RACF Security Server Auditor's Guide for information on using RACF for auditing.

Note that if ISPF is installed, the user can use the RACF ISPF panels to perform the same functions as the RACF commands. Using the RACF ISPF panels frees users from the need to know the details of command syntax.

Note: You can ask a user with the AUDITOR attribute to issue the SETROPTS command with the CMDVIOL operand. This causes RACF to log all the RACF command violations that it detects. The auditor can then use the RACF report writer to produce a printed audit trail of command violations. From the report, you can determine how many command violations are occurring and which users are causing the violations. A significant number of command violations, especially when RACF is first installed, might indicate the need for more user education. The report can also help you to identify any specific users who are persistently trying to alter profiles without the proper authority.

z/VM: RACF Security Server Command Language Reference contains detailed information on the RACF commands.

Programmers Writing Unauthorized Applications: Unauthorized applications need READ access to ICHCONN in the FACILITY class. That is, any RACROUTE request which could execute without APF authority on a z/OS® system requires READ access to ICHCONN. See z/VM: Security Server RACROUTE Macro Reference for more information on access levels required for different request types.

Note: Your installation can create installation-defined resource classes. If your installation creates profiles in those classes, an application can issue a RACROUTE REQUEST=AUTH to check if a user has sufficient authority to complete a user action. How much authority is needed for any particular user action is defined by the way the application invokes the RACROUTE REQUEST=AUTH macro. For more information on creating installation-defined classes, see z/VM: RACF Security Server System Programmer's Guide.
Programmers Writing Authorized Applications: Programmers writing authorized applications can use the RACROUTE macro to request more sensitive security-related services, including:
  • User identification and verification (RACROUTE REQUEST=VERIFY)
  • Replacing or retrieving fields in RACF profiles (RACROUTE REQUEST=EXTRACT)

That is, any RACROUTE request which could execute only with APF authority on a z/OS system requires UPDATE access to ICHCONN. For more information on using the RACROUTE macro, see z/VM: Security Server RACROUTE Macro Reference.