z/OS Security Server RACF Security Administrator's Guide


Educating the system users

SA23-2289-00

Part of your job is to tell the system users what they need to know to work without disruption when RACF® is installed.

The amount of detailed information that each user needs to know about RACF depends on the RACF functions that you authorize the person to use. Here are some examples of information that various system users typically require:

All System Users: All users who are defined to RACF must know:
  • How to identify themselves to the system with their user ID and password or password phrase, and how to change their password or password phrase. They should also be aware of the significance of their password or password phrase to system security.
  • If list-of-groups processing is not in effect, how to log on to a group other than their default group.
    Note: Users can use the LISTUSER command to find out the groups to which they belong.
  • If security labels are used on your system, how to log on with a security label other than their default security label. For more information, see Understanding security labels.
    Note: To find out what security labels they can use, users can enter:
    SEARCH CLASS(SECLABEL)
  • If you want them to be able to reduce their change intervals (for passwords and password phrases), how to use the PASSWORD (or PHRASE) command.
  • How to use the LISTUSER command to list their own profile information.
Users of RRSF functions: RRSF users need to understand RRSF network concepts and know RRSF node names. Depending on your security plan, some RRSF users might also need to know how to:
  • Direct commands
  • Synchronize passwords
  • Establish and approve user ID associations using the RACLINK command.
Users who RACF-protect general resources: Depending on your security plan, users might work with profiles in the TAPEVOL, JESSPOOL, or other general resource classes. These users must know:
  • How to define and modify profiles in the general resource class, including whether generic profiles are allowed in the class
  • What user IDs and group names they can use when giving access to the profiles
  • The meaning of the access authorities (such as NONE, READ, and WRITE) in the general resource class
  • What your installation's security policy is towards specific security enhancements like security levels, categories, and security labels

Administrators who use generic profiles need education on them; those switching to enhanced generic naming (that is, from the SETROPTS NOEGN option to the SETROPTS EGN option) need still more, because profile matching rules change.

For more information, see Defining profiles for general resources and the topics of this document that describe how to use the class.

Technical support personnel: Users who install the RACF component of the Security Server must be familiar with migration planning considerations and the steps that are required to install or reinstall RACF. For complete RACF information, see all of the following z/OS® documents:

Users who maintain the RACF database must be familiar with the RACF utilities, which are described in z/OS Security Server RACF System Programmer's Guide.

Group administrators: Group administrators either have one of the group authorities, have a group attribute (such as group-SPECIAL), or own group resources. These users need to use the information in this document and z/OS Security Server RACF Command Language Reference.

RACF auditors: Users with the AUDITOR attribute should see z/OS Security Server RACF Auditor's Guide for information on using RACF for auditing.

Note that if ISPF and TSO/E are installed, the user can use the RACF ISPF panels to perform most of the same functions as the RACF commands. Using the RACF ISPF panels frees users from the need to know the details of command syntax. (The ISPF panels cannot be used to activate or deactivate mixed-case passwords.)

Note: You can ask a user with the AUDITOR attribute to issue the SETROPTS command with the CMDVIOL operand. This causes RACF to log all of the RACF command violations that it detects. The auditor can then use the RACF report writer to produce a printed audit trail of command violations. From the report, you can determine how many command violations are occurring and which users are causing the violations. A significant number of command violations, especially when RACF is first installed, might mean users need more education. The report can also help you to identify any specific users who are persistently trying to alter profiles without the proper authority.
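The note above describes reading the command-violation audit trail to find users who need more education and users who persistently try to alter profiles without authority. The following added example (not IBM code and not part of this document) does that tally over a few constructed log lines. The line layout it parses is an assumed, simplified one chosen for illustration; it is not the RACF report writer or SMF unload record format, so adapt `LINE_RE` to whatever your reporting tool actually emits.

```python
"""Tally RACF command violations per user and flag persistent offenders.

Added example for illustration only. The record layout parsed here
(date, time, user ID, command, reason) is an ASSUMPTION for this
example, not the real RACF report writer or IRRADU00 layout.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records (not real audit data).
SAMPLE_LINES = """\
2014-03-01 09:12:01 USER01 ALTUSER  INSUFFICIENT AUTHORITY
2014-03-01 09:15:44 USER01 PERMIT   INSUFFICIENT AUTHORITY
2014-03-01 10:02:10 USER02 RDEFINE  INSUFFICIENT AUTHORITY
2014-03-02 08:30:00 USER01 ALTUSER  INSUFFICIENT AUTHORITY
2014-03-02 11:45:12 USER03 RALTER   INSUFFICIENT AUTHORITY
this line is deliberately malformed and must be skipped
2014-03-03 14:00:05 USER01 PERMIT   INSUFFICIENT AUTHORITY
2014-03-03 14:00:09 USER02 RDEFINE  INSUFFICIENT AUTHORITY
"""

# Assumed layout: ISO date, time, user ID, command name, free-text reason.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+)\s+(?P<command>\S+)\s+(?P<reason>.+)$"
)


def parse_violations(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def summarize(text):
    """Return (total, violations per user, distinct days per user,
    command counts per user)."""
    per_user = Counter()
    days = defaultdict(set)
    commands = defaultdict(Counter)
    total = 0
    for rec in parse_violations(text):
        total += 1
        per_user[rec["user"]] += 1
        days[rec["user"]].add(rec["date"])
        commands[rec["user"]][rec["command"]] += 1
    return total, per_user, days, commands


def persistent_users(text, min_count=3, min_days=2):
    """User IDs whose violations recur on several days: the ones the note
    suggests following up on individually rather than with general training."""
    _, per_user, days, _ = summarize(text)
    return sorted(
        user for user, count in per_user.items()
        if count >= min_count and len(days[user]) >= min_days
    )


if __name__ == "__main__":
    total, per_user, days, commands = summarize(SAMPLE_LINES)
    print(f"{total} command violations")
    for user, count in per_user.most_common():
        print(f"  {user}: {count} on {len(days[user])} day(s) -> {dict(commands[user])}")
    print("persistent:", persistent_users(SAMPLE_LINES))
```

A high overall count spread across many users points to an education problem; a small set of user IDs returned by `persistent_users` points to individuals whose authority or behaviour the administrator should review.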

z/OS Security Server RACF Command Language Reference contains detailed information on the RACF commands used.

Programmers writing unauthorized applications: Programmers writing unauthorized applications can use the RACROUTE macro to request many security-related services, including controlling access to protected resources (RACROUTE REQUEST=AUTH).

Note: Your installation can create installation-defined resource classes. If your installation creates profiles in those classes, an application can issue a RACROUTE REQUEST=AUTH to check if a user has sufficient authority to complete a user action. How much authority is needed for any particular user action is defined by the way in which the application invokes the RACROUTE REQUEST=AUTH macro. For more information on creating installation-defined classes, see z/OS Security Server RACF System Programmer's Guide.
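The note above makes two points: an application decides how much authority each user action needs by the way it invokes RACROUTE REQUEST=AUTH, and RACF answers from the profiles in the (possibly installation-defined) class. The following added example (not IBM code and not part of this document) models that decision in plain Python so the two halves can be seen separately. The class name, profiles, user IDs and groups are constructed; the profile-matching and access-list precedence rules are a simplified assumption for teaching, not RACF's actual algorithm, and an unprotected resource is simply denied here rather than handled as RACF would.

```python
"""Simplified model of an application authorization check in the spirit of
RACROUTE REQUEST=AUTH against an installation-defined class.

Added example. The ordering of access authorities, the generic-matching
rule and the precedence between access-list entries and UACC below are
ASSUMPTIONS of this model and not a statement of RACF's real behaviour.
"""

# Access authorities from weakest to strongest (assumed ordering).
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _rank(authority):
    return ACCESS_ORDER.index(authority)


class Profile:
    """A resource profile: a name (discrete, or generic with a trailing '*'),
    a universal access (UACC) and an access list of user/group -> authority."""

    def __init__(self, name, uacc="NONE", access_list=None):
        self.name = name
        self.uacc = uacc
        self.access_list = dict(access_list or {})


def best_matching_profile(profiles, resource):
    """A discrete profile wins outright; otherwise the generic with the
    longest literal prefix is chosen (model assumption, not RACF's rule)."""
    best = None
    for profile in profiles:
        if profile.name == resource:
            return profile
        if profile.name.endswith("*") and resource.startswith(profile.name[:-1]):
            if best is None or len(profile.name) > len(best.name):
                best = profile
    return best


def effective_access(profile, user, groups):
    """Model precedence: an entry for the user ID itself is used as-is
    (so an explicit NONE overrides UACC); otherwise the highest authority
    among the user's groups; otherwise UACC."""
    if user in profile.access_list:
        return profile.access_list[user]
    group_hits = [profile.access_list[g] for g in groups if g in profile.access_list]
    if group_hits:
        return max(group_hits, key=_rank)
    return profile.uacc


def check_auth(profiles, resource, user, groups, required):
    """The RACF side of the check: True if the user's effective access to the
    best matching profile is at least `required`. No profile -> denied here."""
    profile = best_matching_profile(profiles, resource)
    if profile is None:
        return False
    return _rank(effective_access(profile, user, groups)) >= _rank(required)


# The application side: it is the application, not RACF, that decides which
# authority each of its actions requires (constructed mapping).
ACTION_REQUIREMENT = {"view": "READ", "post": "UPDATE", "close-period": "CONTROL"}


def application_allows(profiles, resource, user, groups, action):
    required = ACTION_REQUIREMENT[action]
    return check_auth(profiles, resource, user, groups, required)


# Constructed profiles in an assumed installation-defined class "$PAYAPP".
PROFILES = [
    Profile("PAYROLL.REPORTS", uacc="NONE",
            access_list={"HRGRP": "READ", "USER01": "UPDATE"}),
    Profile("PAYROLL.*", uacc="READ", access_list={"USER02": "NONE"}),
]

if __name__ == "__main__":
    for user, groups, res, action in [
        ("USER01", ["DEPT1"], "PAYROLL.REPORTS", "post"),
        ("USER03", ["HRGRP"], "PAYROLL.REPORTS", "view"),
        ("USER03", ["HRGRP"], "PAYROLL.REPORTS", "post"),
        ("USER02", [], "PAYROLL.HISTORY", "view"),
    ]:
        ok = application_allows(PROFILES, res, user, groups, action)
        print(f"{user} {action} {res}: {'allowed' if ok else 'denied'}")
```

The split between `ACTION_REQUIREMENT` and `check_auth` is the point the note makes: changing what the application asks for (READ versus UPDATE) changes the outcome without any change to the profiles, so administrators defining profiles in an installation-defined class need to know what authority each application action actually requests.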
Programmers writing authorized applications: Programmers writing authorized applications (that is, APF-authorized programs) can use the RACROUTE macro to request security-related services, including:
  • Identifying and verifying users (RACROUTE REQUEST=VERIFY)
  • Replacing or retrieving fields in RACF profiles (RACROUTE REQUEST=EXTRACT)

For more information on using the RACROUTE macro, see z/OS Security Server RACROUTE Macro Reference.

Copyright IBM Corporation 1990, 2014