Educating the system users
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00

Part of your job is to tell the system users what they need to know to work without disruption when RACF® is installed. The amount of detailed information that each user needs to know about RACF depends on the RACF functions that you authorize the person to use. Here are some examples of information that various system users typically require:

All System Users: All users who are defined to RACF must know:

Users of RRSF functions: RRSF users need to understand RRSF network concepts and know RRSF node names. Depending on your security plan, some RRSF users might also need to know how to:

Users who RACF-protect general resources: Depending on your security plan, users might work with profiles in the TAPEVOL, JESSPOOL, or other general resource classes. These users must know:

In addition to the education needed for administrators who are using generic profiles, even more education is required on generic profiles for those who are switching to enhanced generic naming (that is, from the SETROPTS NOEGN to the SETROPTS EGN option). For more information, see Defining profiles for general resources and the topics of this document that describe how to use the class.

Technical support personnel: Users who install the RACF component of the Security Server must be familiar with migration planning considerations and the steps that are required to install or reinstall RACF. For complete RACF information, see all of the following z/OS® documents:

Users who maintain the RACF database must be familiar with the RACF utilities, which are described in z/OS Security Server RACF System Programmer's Guide.

Group administrators: Group administrators either have one of the group authorities, have a group attribute (such as group-SPECIAL), or own group resources. These users need to use the information in this document and z/OS Security Server RACF Command Language Reference.

RACF auditors: Users with the AUDITOR attribute should see z/OS Security Server RACF Auditor's Guide for information on using RACF for auditing.

Note that if ISPF and TSO/E are installed, the user can use the RACF ISPF panels to perform most of the same functions as the RACF commands. Using the RACF ISPF panels frees users from the need to know the details of command syntax. (The ISPF panels cannot be used to activate or deactivate mixed-case passwords.)

Note: You can ask a user with the AUDITOR attribute to issue the SETROPTS command with the CMDVIOL operand. This causes RACF to log all of the RACF command violations that it detects. The auditor can then use the RACF report writer to produce a printed audit trail of command violations. From the report, you can determine how many command violations are occurring and which users are causing the violations. A significant number of command violations, especially when RACF is first installed, might mean users need more education. The report can also help you to identify any specific users who are persistently trying to alter profiles without the proper authority.
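
The triage described in the note above, as an added example that is not part of the IBM document. It assumes command-violation records have already been exported to `date,userid,command` rows, which is a constructed layout and not the RACF report writer's own output format; the three-day threshold and the set of commands treated as profile-altering are also illustrative assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Assumption: commands treated as attempts to alter a profile.
ALTER_COMMANDS = {"ALTDSD", "RALTER", "ALTUSER", "ALTGROUP", "PERMIT"}

# Constructed sample rows: date,userid,command rejected by RACF.
# This layout is an assumption, not the RACF report writer's output format.
SAMPLE = """\
2014-03-03,JSMITH,LISTDSD
2014-03-03,MBROWN,PERMIT
2014-03-03,TJONES,ALTDSD
2014-03-04,KLEE,ADDSD
2014-03-04,TJONES,RALTER
2014-03-05,TJONES,ALTDSD
2014-03-06,MBROWN,LISTUSER
2014-03-07,TJONES,PERMIT
"""


def parse(text):
    """Return (date, userid, command) tuples, skipping blank or malformed rows."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip().upper() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            continue
        try:
            rows.append((date.fromisoformat(fields[0]), fields[1], fields[2]))
        except ValueError:
            continue  # unparseable date
    return rows


def triage(rows, min_days=3):
    """Separate persistent profile-alteration attempts from occasional errors."""
    per_user = Counter(user for _, user, _ in rows)
    alter_days = defaultdict(set)  # userid -> distinct days with an alter attempt
    for day, user, command in rows:
        if command in ALTER_COMMANDS:
            alter_days[user].add(day)
    persistent = sorted(u for u, d in alter_days.items() if len(d) >= min_days)
    occasional = sorted(u for u in per_user if u not in persistent)
    return {"total": len(rows), "per_user": dict(per_user),
            "persistent": persistent, "occasional": occasional}


if __name__ == "__main__":
    report = triage(parse(SAMPLE))
    print("violations:", report["total"], report["per_user"])
    print("likely need education:", report["occasional"])
    print("review with the auditor:", report["persistent"])
```
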

z/OS Security Server RACF Command Language Reference contains detailed information on the RACF commands used.

Programmers writing unauthorized applications: Programmers writing unauthorized applications can use the RACROUTE macro to request many security-related services, including controlling access to protected resources (RACROUTE REQUEST=AUTH).

Note: Your installation can create installation-defined resource classes. If your installation creates profiles in those classes, an application can issue a RACROUTE REQUEST=AUTH to check if a user has sufficient authority to complete a user action. How much authority is needed for any particular user action is defined by the way in which the application invokes the RACROUTE REQUEST=AUTH macro. For more information on creating installation-defined classes, see z/OS Security Server RACF System Programmer's Guide.

Programmers writing authorized applications: Programmers writing authorized applications (that is, APF-authorized programs) can use the RACROUTE macro to request security-related services, including:

For more information on using the RACROUTE macro, see z/OS Security Server RACROUTE Macro Reference.

Copyright IBM Corporation 1990, 2014