|
You might see occurrences when a user or job obtains access to
a protected resource and you believe that the user should not have
that access. There are many reasons why this could happen. The following
checklist can eliminate some of them: - Make sure that RACF® is
active, and that message ICH520I has been issued for this IPL. (To
see if RACF is active, issue
a RACF command, such as the
LISTUSER command. If RACF is
not active, the command will fail.)
Note: Even though RACF is active, resource managers for which
external security is optional (such as CICS®)
might not be using RACF. You
must ensure that such resource managers are calling RACF. Also, there might be other options that
control which general resource classes are protected by RACF. Therefore, you must make sure that the
resource manager is calling RACF for
the particular resource class. For CICS,
you must ensure that the particular CICS region
is using external security. For information specifically related to RACF and CICS, visit CICS Transaction Server for z/OS Information Center.
- If the resource is a general resource (in other words, not protected
by a profile in the DATASET class), make sure that the general resource
class is active. For example, for tape volumes, make sure that the
TAPEVOL class is active. To do this, issue the SETROPTS LIST command.
- Check for a global access checking table entry for the resource.
An entry in the global access checking table can allow access for
all users, except those with the RESTRICTED attribute, when a profile
protecting the resource would deny access. For example, for data sets,
enter:
RLIST GLOBAL DATASET
Note: Do not ignore
the presence of entries containing &RACGPID or &RACUID.
- If the profile is a generic profile, use the SETROPTS LIST command
to ensure that generic profile checking is in effect for the class.
- Make sure you know which profile is actually protecting the resource.
For example, a more specific profile might actually be used instead
of the generic profile you believe protects the resource. The more
specific profile might grant the user the access. To do this, issue
the LISTDSD and RLIST command, specifying the resource name. For the
LISTDSD command, if you receive a message indicating that no profile
is found, issue the command again with the GENERIC operand to check
for any generic profiles that might protect the resource.
- Check the user's access to the resource. You can do this in two
ways:
- Ask the user to list the profile protecting the resource. For
example, the user can issue the LISTDSD and RLIST command, specifying
the resource name. For the LISTDSD command, if the user receives a
message indicating that no profile is found, have the user issue the
command again with the GENERIC operand to check for any generic profiles
that might protect the resource.
Have the user check the YOUR
ACCESS field in the profile listing. If this field indicates
that the user or job should have access, use the steps described in Authorizing access to RACF-protected resources to analyze the profile for reasons why
the user or job has that access.
- If the user cannot issue the LIST command, do it yourself. In
the listing supplied by RACF,
the following fields can, by themselves, allow access to a user:
- For data sets and minidisks, the high-level qualifier
- The standard access list
- The conditional access list
- UACC
- WARNING
If list-of-groups processing is in effect on your system,
check to see if a group of which the user is a member is in the access
list. Check both the standard access list and the conditional access
list. Also, note that installation exits (both RACF exits and certain exits in products that
call RACF, such as JES) can
affect a user's access to resources.
- If your analysis of the protecting profile shows that the user
should not have access, continue with the following checks.
- If the SETROPTS RACLIST processing or SETROPTS GENLIST processing
is in effect, make sure that any in-storage profiles are refreshed.
- You can use audit records to gather information that
you would not otherwise have. In particular, you can request that
audit records be generated for all accesses to protected resources,
or for only successful accesses. You can also request that audit records
be kept for a particular user. With the auditing in effect, you can
use the RACF report writer
to view the access requests associated with the access requests.
Note: In
some cases (such as some resources in the OPERCMDS class), a
RACROUTE request from a resource manager can include a "log string",
which is a string of characters to be placed in the SMF record if
the access is audited. The log string can be useful in determining
what kind of action the user was taking. For example, the log string
might include the exact operator command, as the operator issued it.
|