z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Checklist: Resolving problems when access is allowed incorrectly

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

You might see occurrences when a user or job obtains access to a protected resource and you believe that the user should not have that access. There are many reasons why this could happen. The following checklist can eliminate some of them:
  • Make sure that RACF® is active, and that message ICH520I has been issued for this IPL. (To see if RACF is active, issue a RACF command, such as the LISTUSER command. If RACF is not active, the command will fail.)
    Note: Even though RACF is active, resource managers for which external security is optional (such as CICS®) might not be using RACF. You must ensure that such resource managers are calling RACF. Also, there might be other options that control which general resource classes are protected by RACF. Therefore, you must make sure that the resource manager is calling RACF for the particular resource class. For CICS, you must ensure that the particular CICS region is using external security. For information specifically related to RACF and CICS, visit CICS Transaction Server for z/OS Information Center.
  • If the resource is a general resource (in other words, not protected by a profile in the DATASET class), make sure that the general resource class is active. For example, for tape volumes, make sure that the TAPEVOL class is active. To do this, issue the SETROPTS LIST command.
  • Check for a global access checking table entry for the resource. An entry in the global access checking table can allow access for all users, except those with the RESTRICTED attribute, when a profile protecting the resource would deny access. For example, for data sets, enter: 
    RLIST GLOBAL DATASET
    Note: Do not ignore the presence of entries containing &RACGPID or &RACUID.
  • If the profile is a generic profile, use the SETROPTS LIST command to ensure that generic profile checking is in effect for the class.
  • Make sure you know which profile is actually protecting the resource. For example, a more specific profile might actually be used instead of the generic profile you believe protects the resource. The more specific profile might grant the user the access. To do this, issue the LISTDSD and RLIST command, specifying the resource name. For the LISTDSD command, if you receive a message indicating that no profile is found, issue the command again with the GENERIC operand to check for any generic profiles that might protect the resource.
  • Check the user's access to the resource. You can do this in two ways:
    • Ask the user to list the profile protecting the resource. For example, the user can issue the LISTDSD and RLIST command, specifying the resource name. For the LISTDSD command, if the user receives a message indicating that no profile is found, have the user issue the command again with the GENERIC operand to check for any generic profiles that might protect the resource.

      Have the user check the YOUR ACCESS field in the profile listing. If this field indicates that the user or job should have access, use the steps described in Authorizing access to RACF-protected resources to analyze the profile for reasons why the user or job has that access.

    • If the user cannot issue the LIST command, do it yourself. In the listing supplied by RACF, the following fields can, by themselves, allow access to a user:
      • For data sets and minidisks, the high-level qualifier
      • The standard access list
      • The conditional access list
      • UACC
      • WARNING

      If list-of-groups processing is in effect on your system, check to see if a group of which the user is a member is in the access list. Check both the standard access list and the conditional access list. Also, note that installation exits (both RACF exits and certain exits in products that call RACF, such as JES) can affect a user's access to resources.

  • If your analysis of the protecting profile shows that the user should not have access, continue with the following checks.
  • If the SETROPTS RACLIST processing or SETROPTS GENLIST processing is in effect, make sure that any in-storage profiles are refreshed.
    • If the resource is protected by a generic profile in a class that is not RACLISTed or GENLISTed, ask the user to log off and log on again, or resubmit the job. This refreshes the user's copy of the profile.
    • Issue the SETROPTS GENERIC(classname) REFRESH or SETROPTS RACLIST(classname) REFRESH command again.

      For information about SETROPTS REFRESH processing on shared systems, see Refreshing shared systems (REFRESH option).

  • You can use audit records to gather information that you would not otherwise have. In particular, you can request that audit records be generated for all accesses to protected resources, or for only successful accesses. You can also request that audit records be kept for a particular user. With the auditing in effect, you can use the RACF report writer to view the access requests associated with the access requests.
    Note: In some cases (such as some resources in the OPERCMDS class), a RACROUTE request from a resource manager can include a "log string", which is a string of characters to be placed in the SMF record if the access is audited. The log string can be useful in determining what kind of action the user was taking. For example, the log string might include the exact operator command, as the operator issued it.
Parent topic: Debugging problems in the RACF database

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014