The data security monitor (DSMON)
RACF® enables you to protect resources, but the protection is only as good as the implementation. You need a way to verify that the security mechanisms actually in effect are the ones intended. DSMON helps provide this information.
DSMON is a program that produces reports on the status of the security environment at your installation and, in particular, on the status of resources that RACF controls. You can use the reports to audit the current status of your installation's system security environment by comparing the actual system characteristics and resource protection levels with the intended characteristics and levels. You can also control the reporting that DSMON does by specifying control statements that request certain functions for user input.
The DSMON program
The data security monitor (DSMON) is a program that normally runs while RACF is active.
If the installation has not defined ICHDSM00 (DSMON) as a controlled program, you must have the AUDITOR or ROAUDIT attribute to run DSMON.
If DSMON has been defined as a controlled program, you must have at least EXECUTE or READ access to the ICHDSM00 resource in the PROGRAM class. Additionally, if you have only READ access in the PROGRAM class and DSMON is not running in a clean program-controlled environment, you also need the AUDITOR or ROAUDIT attribute.
- To find out if DSMON is a controlled program at your MVS™ installation, contact your RACF security administrator.
- If your installation has a RACF database that is shared by MVS and z/VM® and you want to obtain reports for both systems, you must run DSMON on the MVS system.
- If you run DSMON while RACF is inactive, DSMON produces only the system report.
How to run DSMON
DSMON runs as an authorized program facility (APF)-authorized batch program. DSMON can also be run under TSO if IKJTSO00, which can reside in any PARMLIB data set, is configured correctly.
To invoke DSMON, you can use the sample job control language (JCL) statements in Figure 1. A SYSIN DD statement lets you specify DSMON control statements that can perform selected DSMON functions for specified user input. The words that appear in lowercase are parameters that you can change.
//stepname EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=A
//SYSUT2 DD SYSOUT=A
//SYSIN DD *
LINECOUNT 55
FUNCTION all
USEROPT USRDSN sivle.memo.text
- SYSPRINT
- Defines the sequential message data set (for example, SYSOUT) for status and error messages. SYSPRINT has a variable block (VB) format; block size, if specified, must be 137 (LRECL of 133 plus 4 for the block length) or greater.
- SYSUT2
- Defines the output listing data set (for example, SYSOUT) for the printed reports that DSMON generates. SYSUT2 has a fixed block (FB) format; block size, if specified, must be a multiple of 133.
- SYSIN
- Defines the control data set that contains DSMON control statements.
SYSIN is required if you want to select specific DSMON functions.
The control data set can be one of the following:
- A data set defined as in-stream data
- A data set defined as a sequential data set
- A data set defined as a member of a partitioned data set
Block size, if specified, must be a multiple of 80.
If you do not specify SYSIN, all DSMON functions except USRDSN are performed. (The USRDSN function requires you to specify a list of user data sets on the USEROPT control statement.)
DSMON control statements
- LINECOUNT
- FUNCTION
- USEROPT
Entering DSMON control statements
DSMON control statements can be entered in any order, one per input line, using columns 1 through 72. You can enter uppercase or lowercase characters. Use commas or blanks to separate list items in each DSMON statement.
/* Start of user data sets
USEROPT USRDSN jim.memo.text vol=8V0L03 -
jim.report.script
- LINECOUNT number
- specifies the number of lines per page for reports. The valid values for number are 0 or a number in the range 40 through 99. A value of 0 indicates that a page break occurs only at the start of a new report. If you do not specify LINECOUNT, the default is 55 lines per page. If you specify more than one LINECOUNT statement, RACF uses only the last one.
Note: The LINECOUNT statement controls the number of lines per page for the SYSUT2 data set. It does not affect the number of lines per page for the SYSPRINT message data set, which is fixed at 55 lines per page.
- FUNCTION function-name
- specifies the DSMON function or functions you want to include. The default is ALL, which causes DSMON to generate all reports except USRDSN. For a complete description of the DSMON reports specified for function-name, see Functions DSMON uses.
- USEROPT function-name user-input
- defines user input to be processed by the function you specify. Function-name specifies the function to process the user-input; user-input specifies the actual input you want processed. The valid functions you can specify for function-name on the USEROPT control statement are:
- USRDSN
- RACGRP
USEROPT control statement
USEROPT and USRDSN
Specifying USRDSN with USEROPT causes DSMON to list the RACF protected status of the selected user data set or sets. To obtain information processed by USRDSN, specify USEROPT followed by one or more blanks, then USRDSN, then the data set name, the volume, or both for which you want information.
USEROPT USRDSN jim.memo.text
USEROPT USRDSN jim.memo.text VOL=volser
FUNCTION ALL
USEROPT USRDSN jim.memo.text VOL=volser
Note that FUNCTION ALL is the default; if you omit it, DSMON produces all reports. The following specifies that only the USRDSN function is to be performed on the specified data set:
FUNCTION USRDSN
USEROPT USRDSN jim.memo.text
FUNCTION USRDSN
USEROPT USRDSN jim.memo.text -
VOL=8V0L03 jim.test.obj -
jim.racf.cntl jim.racf.clist
USEROPT and RACGRP
FUNCTION RACGRP
USEROPT RACGRP payroll
If you specify SYS1 for USEROPT RACGRP, DSMON lists all group names in the system. If you want all DSMON reports but do not specify USEROPT RACGRP, SYS1 is the default group name for the RACF group tree report. You can specify any RACF-defined group. For more information about the DSMON report RACGRP produces, see Group tree report.
USEROPT considerations
A JCL REGION= keyword may limit the number of USEROPT control statements that can be specified. If many USEROPT statements are specified, increase the REGION= keyword value accordingly. Users may also run a multistep job if increasing the region size is unsuccessful.
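The statement rules given above (one statement per line in columns 1 through 72, either case, list items separated by commas or blanks, LINECOUNT 0 or 40 through 99 with the last statement winning, FUNCTION names from the DSMON function list, USEROPT limited to USRDSN and RACGRP) can be checked before the job is submitted. The following Python validator is an added example, not part of this documentation or of DSMON itself. It treats a line beginning with /* as a comment and a trailing - as a continuation; both conventions are inferred from the examples on this page rather than stated as rules. The sample SYSIN is constructed, and the validator goes beyond the page's examples in that it reports every rule violation rather than stopping at the first.

```python
"""Validate DSMON SYSIN control statements before the job is submitted.

Added example: this is not DSMON's or IBM's code. The rules it applies are
the ones stated in the documentation (one statement per line in columns
1-72, either case, commas or blanks between list items, LINECOUNT 0 or
40-99 with the last statement winning, FUNCTION names from Table 1 plus
ALL, USEROPT restricted to USRDSN and RACGRP). Two conventions are only
inferred from the page's examples: a line starting with "/*" is a comment
and a trailing "-" continues the statement on the next line.
"""
import re

FUNCTION_NAMES = {
    "ALL", "SYSTEM", "RACGRP", "SYSPPT", "RACAUT", "RACCDT", "RACEXT",
    "RACGAC", "RACSPT", "RACUSR", "SYSLNK", "SYSAPF", "SYSCAT", "RACDST",
    "SYSSDS", "USRDSN",
}
USEROPT_FUNCTIONS = {"USRDSN", "RACGRP"}

# Constructed sample SYSIN: a comment, a repeated LINECOUNT, a continued
# USEROPT and one deliberately invalid LINECOUNT on the last line.
SAMPLE_SYSIN = """\
/* Start of user data sets        (constructed sample input)
LINECOUNT 45
LINECOUNT 60
FUNCTION racgrp, sysppt
USEROPT USRDSN jim.memo.text vol=8V0L03 -
         jim.report.script
USEROPT RACGRP payroll
LINECOUNT 30
"""


def _logical_statements(lines):
    """Yield (first_line_number, joined_text) for each logical statement."""
    pending, start = [], None
    for no, raw in enumerate(lines, 1):
        text = raw[:72].strip()          # only columns 1-72 are read
        if start is None and (not text or text.startswith("/*")):
            continue                     # blank line or comment (inferred)
        if start is None:
            start = no
        if text.endswith("-"):           # continuation (inferred from examples)
            pending.append(text[:-1])
            continue
        pending.append(text)
        yield start, " ".join(pending)
        pending, start = [], None
    if pending:                          # input ended inside a continuation
        yield start, " ".join(pending)


def parse_control_statements(text):
    """Return (settings, errors).

    settings has LINECOUNT (int), FUNCTION (set of names) and USEROPT
    (list of (function, operands)). Defaults mirror the documentation:
    LINECOUNT 55 and FUNCTION ALL when no statement is given.
    """
    settings = {"LINECOUNT": 55, "FUNCTION": {"ALL"}, "USEROPT": []}
    errors, function_seen = [], False
    for no, stmt in _logical_statements(text.splitlines()):
        words = [w for w in re.split(r"[,\s]+", stmt) if w]
        if not words:
            continue
        keyword, operands = words[0].upper(), words[1:]
        if keyword == "LINECOUNT":
            if len(operands) != 1 or not operands[0].isdigit():
                errors.append(f"line {no}: LINECOUNT needs one numeric operand")
                continue
            n = int(operands[0])
            if n == 0 or 40 <= n <= 99:
                settings["LINECOUNT"] = n      # last valid LINECOUNT wins
            else:
                errors.append(f"line {no}: LINECOUNT {n} not 0 or 40-99")
        elif keyword == "FUNCTION":
            names = {o.upper() for o in operands}
            bad = sorted(names - FUNCTION_NAMES)
            if bad or not names:
                errors.append(f"line {no}: unknown FUNCTION name(s) {bad}")
                continue
            if not function_seen:              # first FUNCTION replaces ALL
                settings["FUNCTION"], function_seen = set(), True
            settings["FUNCTION"] |= names      # later ones accumulate (assumption)
        elif keyword == "USEROPT":
            if not operands or operands[0].upper() not in USEROPT_FUNCTIONS:
                errors.append(f"line {no}: USEROPT needs USRDSN or RACGRP")
                continue
            if len(operands) < 2:
                errors.append(f"line {no}: USEROPT {operands[0].upper()} needs user input")
                continue
            settings["USEROPT"].append(
                (operands[0].upper(), [o.upper() for o in operands[1:]]))
        else:
            errors.append(f"line {no}: unknown statement {keyword}")
    return settings, errors


if __name__ == "__main__":
    parsed, problems = parse_control_statements(SAMPLE_SYSIN)
    print(parsed)
    for problem in problems:
        print("ERROR:", problem)
```

Running the block on the constructed SYSIN reports the out-of-range LINECOUNT 30 on line 8 while keeping 60 as the effective value, and shows the continued USEROPT USRDSN statement joined into one list of data set operands.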
Functions DSMON uses
DSMON generates different kinds of reports that you can specify on the FUNCTION or USEROPT control statements. After completing each function on the control statement (except for the system report), DSMON issues a message to SYSPRINT stating whether the report executed successfully or unsuccessfully.
If the report ended unsuccessfully, DSMON issues an error code that indicates the cause of the failure. In most cases, DSMON continues processing with the next control statement.
Table 1 summarizes the DSMON reports that are generated when you use the FUNCTION control statement. Table 2 summarizes the DSMON reports that are generated when you use the USEROPT control statement. You can specify the kind of report you want by changing function-name on each control statement. Both tables list the type of report produced and the information (or checks) each report provides.
Table 1. DSMON reports generated by the FUNCTION control statement

| Function-name | Type of Report | Information Provided |
|---|---|---|
| SYSTEM | System Report | |
| RACGRP | Group Tree Report (also used with USEROPT; see Table 2) | Group name and level in hierarchy for entire system |
| SYSPPT | Program Properties Table Report | All information (see sample report) |
| RACAUT | RACF Authorized Caller Table Report | All information (see sample report) |
| RACCDT | RACF Class Descriptor Table Report | All information (see sample report) |
| RACEXT | RACF Exits Report | All information (see sample report) |
| RACGAC | RACF Global Access Table Report | All information (see sample report) |
| RACSPT | RACF Started Procedures Table Report | All information (see sample report) |
| RACUSR | Selected User Attribute Report and Selected User Attribute Summary Report | All information (see sample reports) |
| SYSLNK | Selected Data Sets Report | All LNKLSTxx data set members of the SYS1.PARMLIB library |
| SYSAPF | Current Link List Data Set Report | Authorized program facility (APF) libraries |
| SYSCAT | Selected Data Sets Report | Master catalog and all user catalogs. Requires additional authorization to obtain information on user catalogs. Note: If you have a FACILITY class profile that protects the SYSCAT resource ICHDSM00.SYSCAT and you do not have READ access, DSMON suppresses the user catalog listing and issues message ICH66134I, notifying you of the insufficient authority. |
| RACDST | Selected Data Sets Report | Primary and backup RACF databases |
| SYSSDS | Selected Data Sets Report | Selected system data sets |
| USRDSN | Selected Data Sets Report (used with USEROPT; see Table 2) | Selected user data sets |

Table 2. DSMON reports generated by the USEROPT control statement

| Function-name | Type of Report | Information Provided |
|---|---|---|
| USRDSN | Selected User Data Sets Report | Selected user data sets |
| RACGRP | Group Tree Report | Group name and level in hierarchy for user-specified group |
DSMON reports
DSMON produces the reports described in the sections that follow. The information in the DSMON reports answers many of your audit questions. (See Conducting the audit.)
System report
The system report lists:
- The identification number and model of the processor complex
- The name, version, and release of the operating system
- The serial number of the system residence volume
- The system identifier (SMF-ID) that SMF uses
The report also specifies the RACF version and release number and whether RACF is active. If RACF is inactive, either because it was not activated at IPL or because it has been deactivated by the RVARY command, DSMON prints a message.
You can use the system report to verify that the system has the expected hardware and software. In addition, you can verify the status of RACF.
Column headings
- CPU-ID
- is the identification number of the processor complex on which the system is running.
- CPU MODEL
- is the model number of the processor complex.
- OPERATING SYSTEM/LEVEL
- specifies the name, version and release of the operating system, the product FMID for the operating system, and the installation's personalized name, if the information is present in the communications vector table (CVT).
- SYSTEM RESIDENCE VOLUME
- specifies the serial number of the volume on which the system resides.
- SMF-ID
- is the system identifier that the system management facilities (SMF) uses when creating log records.
Report messages
The following messages may appear at the end of the report:
RACF FMID HRFnnnn IS ACTIVE
Explanation: The specified FMID of RACF is active. In most cases, this is the message that appears on the report.
RACF FMID HRFnnnn IS INACTIVE
Explanation: The specified FMID of RACF was not activated during initial program load (IPL).
RACF FMID HRFnnnn HAS BEEN DEACTIVATED
Explanation: The specified FMID of RACF has been deactivated by the RVARY command; this situation is normally temporary.
RACF IS NOT INSTALLED
Explanation: DSMON cannot locate the RACF communications vector table (RCVT), indicating that RACF has not been installed.
S Y S T E M R E P O R T
----------------------------------------------------------------------------------------------
CPU-ID 111606
CPU MODEL 2064
OPERATING SYSTEM/LEVEL z/OS 1.2.0 HBB7705 Test System 2390
SYSTEM RESIDENCE VOLUME DR250B
SMF-ID IM13
RACF FMID HRF7705 IS ACTIVE
Group tree report
The group tree report lists all subgroups for the SYS1 group and continues to list subgroups for those subgroups on down the group tree. Alternatively, if a group name is specified on the USEROPT control statement, the report lists all subgroups for that user-supplied group. The report provides the owner's name for each group, if the owner is not the superior group.
You can use the group tree report to examine the overall RACF group structure for your system. You can also determine how the group related attributes (group-SPECIAL, group OPERATIONS, and group AUDITOR) for users associated with each subgroup are related. In this way, you can decide whether the group authorities are structured effectively for your system.
Column Headings
- LEVEL
- Starting with the highest requested group, the group level number that indicates the relative nesting level of the group or subgroup within the requested group tree. SYS1 is always 1; the groups with SYS1 as their superior group are 2, and so on down the group tree.
- GROUP
- is the name of the RACF-defined group.
- (OWNER)
- is the name of the owner of the group. This name is listed only if the owner is not the superior group.
Report Messages
An arrow (===>) in the report indicates that the information has overflowed the right-hand margin. The missing information appears after the main body of the report is printed. The characters -----CONTINUATION----- appear before the overflowed information, and the discontinued level number, group, and owner name (if the name is not the same as that of the superior group) appear in the left-hand margin.
R A C F G R O U P T R E E R E P O R T
LEVEL GROUP (OWNER)
------------------------------------------------------------------------------------
1 SYS1 (IBMUSER )
|
2 | SYSPROG (IBMUSER )
|
2 | RACFADMN (IBMUSER )
Program properties table report
The program properties table report lists all the programs in the program properties table (PPT). The report also indicates whether each program is authorized to bypass password protection and whether it runs in a system key. The programs shown in this report may be able to bypass password protection for password protected data sets and thus also bypass all RACF protection for RACF-protected resources.
You can use the program properties table report to verify that only those programs that should be authorized to bypass password protection are, in fact, able to do so. Such programs are normally communication and database control programs, or other system control programs. You can also verify that only those programs that must run in a system key are authorized to do so.
Column Headings
- PROGRAM NAME
- is the name of the program, as defined in the PPT.
- BYPASS PASSWORD PROTECTION
- indicates whether the program is authorized to bypass password protection checking when accessing RACF-protected or password-protected data sets. The value is either YES or NO.
- SYSTEM KEY
- indicates whether the program is authorized to run in a system key (keys 0-7) and is thus able to bypass system security controls. The value is either YES or NO.
Report Messages
The following message may appear beneath the report column headings:
NO ENTRIES IN PROGRAM PROPERTIES TABLE
Explanation: There are no entries in the program properties table. This message indicates an abnormal condition because the program properties table should contain several entries that were supplied by IBM®.
P R O G R A M P R O P E R T I E S T A B L E R E P O R T
PROGRAM BYPASS PASSWORD SYSTEM
NAME PROTECTION KEY
----------------------------------------------------------------------------------------------
IEDQTCAM NO YES
ISTINM01 YES YES
IKTCAS00 NO YES
AHLGTF NO YES
HHLGTF NO YES
IHLGTF NO YES
IEFIIC NO YES
IEEMB860 YES YES
IEEVMNT2 NO YES
IASXWR00 NO YES
CSVVFCRE NO YES
HASJES20 YES YES
DFSMVRC0 NO YES
IATINTK YES YES
DXRRLM00 NO YES
APSPPIEP NO YES
IATINTKF YES YES
DSNYASCP NO YES
DSNUTILB NO YES
IEAVTDSV YES YES
IFASMF NO YES
CSVLLCRE YES YES
AVFMNBLD NO YES
ERBMFMFC NO NO
ERB3GMFC NO NO
IGGOCLX0 NO YES
IGDSSI01 YES YES
COFMINIT YES YES
COFMISD0 NO YES
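DSMON's purpose, as stated at the top of this page, is to let you compare the actual state of the system with the intended one. The following Python example (added here; it is not DSMON's or IBM's code) parses a program properties table report in the layout shown above and compares the programs that can bypass password protection against an intended baseline. The report text is constructed from a subset of the rows on this page and the baseline set INTENDED_BYPASS is a constructed, hypothetical installation policy; the NO ENTRIES IN PROGRAM PROPERTIES TABLE message is treated as the abnormal condition described above.

```python
"""Compare a DSMON program properties table report with an intended baseline.

Added example, not DSMON's or IBM's code. The report text below is
constructed in the layout DSMON prints (a subset of the rows shown on this
page) and INTENDED_BYPASS is a constructed baseline of the programs an
installation has decided may bypass password protection.
"""

SAMPLE_PPT_REPORT = """\
          P R O G R A M   P R O P E R T I E S   T A B L E   R E P O R T
   PROGRAM     BYPASS PASSWORD    SYSTEM
   NAME        PROTECTION         KEY
----------------------------------------------------------------------------------------------
   IEDQTCAM         NO             YES
   ISTINM01         YES            YES
   HASJES20         YES            YES
   ERBMFMFC         NO             NO
   IEEMB860         YES            YES
"""

# Constructed baseline: the only programs that are *intended* to bypass
# password protection on this hypothetical system.
INTENDED_BYPASS = {"ISTINM01", "HASJES20"}

NO_ENTRIES = "NO ENTRIES IN PROGRAM PROPERTIES TABLE"


def parse_ppt_report(text):
    """Return {program_name: (bypass_password, system_key)} with bool values.

    Raises ValueError on the NO ENTRIES message, which the documentation
    describes as an abnormal condition (the PPT always has IBM entries).
    """
    entries, in_body = {}, False
    for line in text.splitlines():
        s = line.strip()
        if NO_ENTRIES in s:
            raise ValueError("PPT report has no entries: abnormal condition")
        if not in_body:                      # skip title and column headings
            in_body = s.startswith("----")   # dashed rule precedes the rows
            continue
        parts = s.split()
        if len(parts) != 3 or not all(p in ("YES", "NO") for p in parts[1:]):
            continue                         # not a data row
        entries[parts[0]] = (parts[1] == "YES", parts[2] == "YES")
    return entries


def audit_ppt(entries, intended_bypass):
    """Return the deviations an auditor wants to see: bypass entries not in
    the baseline, baseline entries missing from the live table, and every
    program that runs in a system key (keys 0-7)."""
    actual_bypass = {name for name, (bypass, _) in entries.items() if bypass}
    return {
        "unexpected_bypass": sorted(actual_bypass - intended_bypass),
        "missing_bypass": sorted(intended_bypass - actual_bypass),
        "system_key": sorted(name for name, (_, key) in entries.items() if key),
    }


if __name__ == "__main__":
    findings = audit_ppt(parse_ppt_report(SAMPLE_PPT_REPORT), INTENDED_BYPASS)
    for kind, names in findings.items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

On the constructed report the audit flags IEEMB860 as a program that can bypass password protection without being in the baseline; in practice the baseline would be the list your installation documented when it last reviewed the PPT, and every unexpected entry is a question for the system programmer.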
RACF authorized caller table report
The RACF authorized caller table report lists the names of all programs in the RACF authorized caller table. The report also indicates whether each program is authorized to issue a VERIFY (RACINIT) request (which performs user verification) or a LIST (RACLIST) request (which loads profiles into main storage), or both.
You can use this report to verify that only those programs authorized to modify an access control environment element (ACEE) are able to issue a VERIFY request. This verification is an important security requirement because the ACEE contains a description of the current user. This description includes the user ID, the current connect group, the user attributes, and the group authorities. A program that is authorized to issue a VERIFY request can alter the ACEE to simulate any user ID.
You can also use the report to verify that only those programs authorized to access any profile on the RACF data set are able to issue a LIST request. Because profiles contain complete descriptions of the characteristics associated with RACF-defined entities, you must carefully control access to them.
Column Headings
- MODULE NAME
- is the name of the program module as it is defined in the RACF authorized caller table.
- RACINIT AUTHORIZED
- indicates whether the module is authorized to issue a VERIFY request. The value is either YES or NO.
- RACLIST AUTHORIZED
- indicates whether the module is authorized to issue a LIST request. The value is either YES or NO.
Report Messages
The following message may appear beneath the report column headings:
NO ENTRIES IN RACF AUTHORIZED CALLER TABLE
Explanation: There are no entries in the RACF authorized caller table. This message does not indicate an error condition. When RACF is initially installed, for example, the RACF authorized caller table normally contains no entries.
R A C F A U T H O R I Z E D C A L L E R T A B L E R E P O R T
MODULE RACINIT RACLIST
NAME AUTHORIZED AUTHORIZED
-------------------------------------------------------------------------------------------------------
NO ENTRIES IN RACF AUTHORIZED CALLER TABLE
RACF class descriptor table report
The class descriptor table report lists class name and status for all general resource classes in the class descriptor table, including information about auditing activity, statistics, the activity of OPERATIONS users, and the universal access authority (UACC).
You can use the class descriptor table report to determine the resource classes defined to RACF for your system. In this way, you can obtain information about the protection status of any resource in the class descriptor table.
Column Headings
- CLASS NAME
- is the class name found in the RACF class descriptor table. The dynamic classes are noted with a "(D)" after the class name.
- STATUS
- indicates whether the class is active or inactive.
- AUDITING
- indicates whether there is auditing for the class. The value is either YES or NO.
- STATISTICS
- indicates whether RACF is gathering statistics for the class. The value is either YES or NO.
- DEFAULT UACC
- is the default UACC defined for the class in the class descriptor table. RACF uses this UACC for profiles defined to the class, unless the UACC operand is specified on the RDEFINE command that writes the profile. The following values may appear:
- ALTER
- For discrete profiles, ALTER indicates that, by default, all users have control over the resource and the resource profile and can authorize other users or groups (or both) to access the resource.
- For generic profiles, ALTER indicates that, by default, all users have control over the resource and can allocate data sets protected by the generic profile. Only the profile owner has full control over the resource profile.
- CONTROL indicates that, by default, all users have access authority to update, insert, or delete records in the VSAM data set and perform other operations as if the data set password were supplied.
- UPDATE indicates that, by default, all users can access the resource for both reading and writing.
- READ indicates that, by default, all users can access the resource for reading only.
- NONE indicates that, by default, users cannot access the resource.
- ACEE indicates that the UACC is taken from the accessor environment element (ACEE).
- OPERATIONS
- indicates whether RACF is to use the OPERATIONS attribute authority during authorization checking. A value of YES indicates RACF performs authorization checking; a value of NO indicates it does not.
Report Messages
The following message may appear beneath the report column headings:
NO ENTRIES IN THE RACF CLASS DESCRIPTOR TABLE
Explanation: There are no entries in the class descriptor table. RACF includes a basic class descriptor table, which is required for RACF processing. If you receive this message, report the condition to your RACF security administrator or installation manager.
R A C F C L A S S D E S C R I P T O R T A B L E R E P O R T
CLASS DEFAULT OPERATIONS
NAME STATUS AUDITING STATISTICS UACC ALLOWED
----------------------------------------------------------------------------------------------
$CAMP (D) INACTIVE NO NO NONE NO
#NUMCLAS (D) INACTIVE YES YES NONE NO
@NEWCLAS (D) INACTIVE NO NO NONE NO
AIMS INACTIVE NO NO NONE NO
APPL INACTIVE NO NO NONE NO
DASDVOL INACTIVE NO NO ACEE YES
DBCLASS5 (D) INACTIVE NO NO NONE NO
DBCLASS6 (D) INACTIVE NO NO NONE NO
DSNR INACTIVE NO NO ACEE NO
FACILITY INACTIVE NO NO NONE NO
GCICSTRN INACTIVE NO NO NONE NO
GDASDVOL INACTIVE NO NO ACEE YES
GIMS INACTIVE NO NO NONE NO
GLOBAL INACTIVE NO NO NONE NO
GMBR INACTIVE NO NO NONE NO
GTERMINL INACTIVE NO NO ACEE NO
PCICSPSB INACTIVE NO NO NONE NO
QCICSPSB INACTIVE NO NO NONE NO
RACFVARS INACTIVE NO NO NONE NO
RVARSMBR INACTIVE NO NO NONE NO
SECLABEL INACTIVE NO NO NONE NO
TAPEVOL INACTIVE NO NO ACEE YES
TCICSTRN INACTIVE NO NO NONE NO
TERMINAL INACTIVE NO NO ACEE NO
TIMS INACTIVE NO NO NONE NO
VMBATCH INACTIVE NO NO NONE YES
VMCMD INACTIVE NO NO NONE YES
VMMDISK INACTIVE NO NO NONE YES
VMRDR INACTIVE NO NO NONE YES
RACF exits report
The RACF exits report lists the names of all the installation-defined RACF exit routines and specifies the size of each exit routine module. For RACF's static exits, DSMON prints an error message if the RACF communications vector table (RCVT), which contains the address of each RACF exit routine module, indicates that an exit routine module should exist but the module cannot be loaded, or the entry address does not correspond with the address specified in the RCVT.
You can use this report to verify that the only active exit routines are those that your installation has defined. The existence of any other exit routines may indicate a system security exposure, because RACF exit routines could be used to bypass RACF security checking. Similarly, if the length of an exit routine module differs from the length of the module your installation defined, the module may have unauthorized modifications.
See z/OS MVS Programming: Authorized Assembler Services Reference ALE-DYN for information on the dynamic exit service CSVDYNEX macro, which RACF uses to define and query its dynamic exits. See z/OS MVS System Commands for information on the DISPLAY command's support of dynamic exits; the MVS DISPLAY command can be used to find the names of the modules associated with the exits. Additionally, see the exit chapter in z/OS Security Server RACF System Programmer's Guide for information on IRREVX01 and IRRVAF01.
Column Headings
- EXIT MODULE NAME
- is the name of the RACF exit routine module, as defined by your installation.
- MODULE LENGTH
- is the length of the exit routine module in bytes (decimal).
Report Messages
The following message may appear beneath the report column headings:
NO RACF EXITS ARE ACTIVE
Explanation: There are no active RACF exit routines. This absence does not indicate an abnormal condition, unless your installation has defined RACF exit routines.
R A C F E X I T S R E P O R T
EXIT MODULE MODULE
NAME LENGTH
-------------------------------------------------------------------------------------------------------
NO RACF EXITS ARE ACTIVE
RACF global access checking table report
The global access checking table report lists all entries in the global access checking table. Each entry consists of a resource name and its associated global access checking authority level.
You can also use the global access checking table report to determine whether protection for a sensitive resource is adequate. By examining the global access information for an entry, you can discover whether the global access authority level provides the correct security for the resource.
Column Headings
- CLASS NAME
- is the class name found in the global access checking table.
- ENTRY NAME
- is the entry name or names defined in each class. If the GLOBAL class is inactive, GLOBAL INACTIVE appears in this column. If the GLOBAL class is active but no members are defined for the class, NO ENTRIES appears in the column.
- ACCESS LEVEL
- specifies the global access checking authority level for the entry.
Report Messages
The following message may appear beneath the report column headings:
GLOBAL INACTIVE
Explanation: There are no entries in the RACF global access checking table. This message does not indicate an error condition. When RACF is initially installed, for example, the RACF global access checking table normally contains no entries.
R A C F G L O B A L A C C E S S T A B L E R E P O R T
CLASS ACCESS ENTRY
NAME LEVEL NAME
--------------------------------------------------------------------------------------------------
DATASET -- GLOBAL INACTIVE --
RVARSMBR -- GLOBAL INACTIVE --
SECLABEL -- GLOBAL INACTIVE --
DASDVOL -- GLOBAL INACTIVE --
TAPEVOL -- GLOBAL INACTIVE --
TERMINAL -- GLOBAL INACTIVE --
APPL -- GLOBAL INACTIVE --
TIMS -- GLOBAL INACTIVE --
AIMS -- GLOBAL INACTIVE --
TCICSTRN -- GLOBAL INACTIVE --
PCICSPSB -- GLOBAL INACTIVE --
GMBR -- GLOBAL INACTIVE --
DSNR -- GLOBAL INACTIVE --
FACILITY -- GLOBAL INACTIVE --
VMMDISK -- GLOBAL INACTIVE --
VMRDR -- GLOBAL INACTIVE --
VMCMD -- GLOBAL INACTIVE --
VMNODE -- GLOBAL INACTIVE --
VMBATCH -- GLOBAL INACTIVE --
SCDMBR -- GLOBAL INACTIVE --
FCICSFCT -- GLOBAL INACTIVE --
JCICSJCT -- GLOBAL INACTIVE --
DCICSDCT -- GLOBAL INACTIVE --
SCICSTST -- GLOBAL INACTIVE --
RACF started procedures table reports
The status of the STARTED class determines the started procedures table reports that get generated. If the STARTED class is not active, the report is created using the installation replaceable load module, ICHRIN03, as shown in Figure 10. If the STARTED class is active, two reports are generated. Along with the report generated for the installation replaceable load module, ICHRIN03, a second report is created using the STARTED class profiles. An example of this second report is shown in Figure 11.
The started procedures table report lists each entry in the started procedures table. Each entry contains the procedure name, user identification, the group name associated with the procedure, the privileged status, and the trusted status. If the STARTED class is active, the report that gets generated also shows the job name associated with the procedure and the TRACE attribute.
Issue SETR RACLIST(STARTED) REFRESH before running the report. Be aware that this command could cause some disruption if profiles are being changed on the system at the exact time the command is issued. Using STARTED class profiles allows you to dynamically change the table entries without having to re-IPL. For more details, refer to z/OS Security Server RACF Security Administrator's Guide.
You can use the started procedures table report to determine which started procedures are defined to RACF and which RACF user IDs and groups they will use. RACF user IDs associated with the started procedure can access RACF-protected resources. Therefore, you can check the information in the RACF started procedures table to determine which users and groups are associated with the started procedure that RACF recognizes, and determine whether those users are privileged or trusted.
You can also use the report to determine which started procedures are privileged or trusted. If the started procedure has the PRIVILEGED attribute, it can bypass all RACROUTE REQUEST=AUTH and REQUEST=FASTAUTH processing, including the security classification checks, and can therefore affect the overall security of the system. TRUSTED means the same as PRIVILEGED, except that auditing can be requested by using the SETROPTS LOGOPTIONS command or the UAUDIT operand on the ALTUSER command.
Column Headings
- PROCEDURE NAME
- is the procedure name, or an asterisk ("*") for a generic entry.
- ASSOCIATED USER
- is the RACF user identification associated with the procedure. An equal sign ("=") indicates that the procedure name is used for the RACF user identification.
- ASSOCIATED GROUP
- specifies the RACF group associated with the procedure. An equal sign ("=") indicates that the procedure name is used for the RACF group name.
- PRIVILEGED
- indicates whether the procedure has the privileged attribute. A value of YES indicates that the procedure has the attribute; a value of NO indicates it does not.
- TRUSTED
- indicates whether the procedure has the trusted attribute. A value of YES indicates that the procedure has the attribute; a value of NO indicates it does not.
- TRACE
- indicates whether the STARTED class profile has trace activated. If the attribute is activated, then when the started task is initiated, RACF issues message IRR812I to the operator to record the activity.
Report Messages
No messages appear at the end of this report.
R A C F S T A R T E D P R O C E D U R E S T A B L E R E P O R T
FROM THE STARTED PROCEDURES TABLE (ICHRIN03):
----------------------------------------------------------------------------------------------------
PROCEDURE ASSOCIATED ASSOCIATED
NAME USER GROUP PRIVILEGED TRUSTED
----------------------------------------------------------------------------------------------------
JES2 STCUSER STCGROUP NO YES
IRRDPTAB STCUSER STCGROUP NO NO
IEEVMPCR STCUSER STCGROUP NO YES
APSWPROC STCUSER STCGROUP NO YES
VTAM STCUSER STCGROUP NO YES
LLA STCUSER STCGROUP NO YES
LLAEPC STCUSER STCGROUP NO YES
RPCD RPCD STCGROUP NO YES
SECCLNTD SECCLNTD STCGROUP NO YES
SECD SECD STCGROUP NO YES
RSFJ STCUSER STCGROUP NO NO
RSFK STCUSER STCGROUP NO NO
RSFL STCUSER STCGROUP NO NO
* = NO NO
R A C F S T A R T E D P R O C E D U R E S T A B L E R E P O R T
FROM PROFILES IN THE STARTED CLASS:
----------------------------------------------------------------------------------------------------------
PROFILE ASSOCIATED ASSOCIATED
NAME USER GROUP PRIVILEGED TRUSTED TRACE
----------------------------------------------------------------------------------------------------------
CICS.REGIONA CICSA NO NO NO
CICS.REGIONB CICSB NO NO NO
NOSTDATA.NOSTDATA -STDATA NOT SPECIFIED, ICHRIN03 WILL BE USED-
NOUSER.JOBX -USER NOT SPECIFIED, ICHRIN03 WILL BE USED-
ANETVIEW.* (G) STCUSR SYS1 NO YES NO
APPC.* (G) STCUSR SYS1 NO YES NO
APSWPROC.* (G) STCUSR SYS1 NO YES NO
ASCH.* (G) STCUSR SYS1 NO YES NO
ASCHINT.* (G) STCUSR SYS1 NO YES NO
BLSJPRMI.* (G) STCUSR SYS1 NO YES NO
CATALOG.* (G) STCUSR SYS1 NO YES NO
CDSADV.* (G) CDSADV SYS1 NO NO NO
CDSCLRK.* (G) CDSCLRK SYS1 NO NO NO
CDSD.* (G) CDSD SYS1 NO NO NO
DTSD.* (G) DTSD SYS1 NO NO NO
DTSTP.* (G) DTSTP SYS1 NO NO NO
DUMPSRV.* (G) STCUSR SYS1 NO YES NO
IEEVMPCR.* (G) STCUSR SYS1 NO YES NO
IRRDPTAB.* (G) STCUSR SYS1 NO NO NO
JES2.* (G) STCUSR SYS1 NO YES NO
LLA.* (G) STCUSR SYS1 NO YES NO
LLAEPC.* (G) STCUSR SYS1 NO YES NO
NETVFCT.* (G) STCUSR SYS1 NO NO NO
NETVREL1.* (G) STCUSR SYS1 NO NO NO
NETVREL2.* (G) STCUSR SYS1 NO NO NO
NETVREL3.* (G) STCUSR SYS1 NO NO NO
NETVSSI.* (G) STCUSR SYS1 NO NO NO
NEV313.* (G) STCUSR SYS1 NO NO NO
RACF.* (G) STCUSR SYS1 NO NO NO
RPCD.* (G) RPCD SYS1 NO NO NO
RSFJ.* (G) STCUSR SYS1 NO NO NO
RSFK.* (G) STCUSR SYS1 NO NO NO
RSFL.* (G) STCUSR SYS1 NO NO NO
RUNJOB.* (G) STCUSR SYS1 NO NO NO
SECCLNTD.* (G) SECCLNTD SYS1 NO NO NO
SECD.* (G) SECD SYS1 NO NO NO
SMF.* (G) STCUSR SYS1 NO YES NO
TCAS.* (G) STCUSR SYS1 NO NO NO
TSOCMD.* (G) STCUSR SYS1 NO NO NO
TSODB.* (G) STCUSR SYS1 NO NO NO
TSOICMD.* (G) STCUSR SYS1 NO NO NO
VLF.* (G) STCUSR SYS1 NO YES NO
VTAM.* (G) STCUSR SYS1 NO YES NO
** (G) =MEMBER STCGRP NO NO YES
Selected user attribute report
The selected user attribute report lists all RACF users with the SPECIAL, OPERATIONS, AUDITOR, ROAUDIT or REVOKE attribute and indicates whether a user possesses the attribute on a system (user) or group level.
You can use the selected user attribute report to verify that only those users who need to be authorized to perform certain functions have been assigned the corresponding attribute.
Column Headings
- USERID
- is the user's system identifier.
- ATTRIBUTE TYPE
- identifies each attribute and indicates whether the user has the attribute on a system (user) or a group level. SYSTEM indicates the user has that attribute on a system level, or at all times. GROUP indicates the user has the attribute only within one or more of the groups to which the user is connected. If neither SYSTEM nor GROUP appears, the user does not possess that attribute on either level.
If a user has one or more attributes on a group level, you can determine the names of the corresponding group or groups through the LISTUSER command or the "User Services" panel.
The report lists the following attribute types:
- SPECIAL
- gives the user complete control over all the RACF profiles in the RACF database and authority to issue all RACF commands, except those reserved for the auditor's use.
- OPERATIONS
- gives the user authority to perform maintenance operations and provides full authority to access RACF-protected DASD data sets and certain resource classes.
- AUDITOR
- gives the user complete authority to audit security controls and the use of system resources.
- ROAUDIT
- gives the user authority to audit the use of system resources.
- REVOKE
- prevents, on a system level, a RACF-defined user from entering the system at all. On a group level, a user can enter the system but cannot use any group authorities associated with the group, or access data sets using that group's authority.
Note: When REVOKE is specified with a future date, the status change does not occur until the specified date. Until that date, the report does not list the user as revoked.
For more information on each attribute, especially at the group level, see z/OS Security Server RACF Security Administrator's Guide.
- ASSOCIATIONS
- are the characteristics of the user ID association. The report lists the following associations:
- NODE.USERID
- is the node (local or remote) and user ID of the associated user
- PASSWORD SYNC
- tells whether password synchronization has been requested between the listed user and associate user
- ASSOCIATION TYPE
- describes the type of association, the status of the user ID association, or both
Report Messages
The following message may appear beneath the report column headings:
NO SELECTED USERS FOUND
Explanation: There are no users with the SPECIAL, OPERATIONS, AUDITOR, ROAUDIT, or REVOKE attributes on either a system or group level.
S E L E C T E D U S E R A T T R I B U T E R E P O R T
USERID ----------------- ATTRIBUTE TYPE ------------------ ------------- ASSOCIATIONS -------------
SPECIAL OPERATIONS AUDITOR ROAUDIT REVOKE NODE.USERID PASSWORD ASSOCIATION
SYNC TYPE
------------------------------------------------------------------------------------------------------------
JPETUSR SYSTEM SYSTEM SYSTEM
Selected user attribute summary report
The selected user attribute summary report shows totals for installation-defined users and for users with the SPECIAL, OPERATIONS, AUDITOR, ROAUDIT, and REVOKE attribute at both the system and the group level. You can use the summary report to verify that the number of users with each of the selected attributes, on either a system or a group level, is the number your installation wants.
Column Headings
- TOTAL DEFINED USERS
- is the number of users defined by your installation.
- TOTAL SELECTED ATTRIBUTE USERS
- is the number of users with each of the selected attributes (SPECIAL, OPERATIONS, AUDITOR, ROAUDIT, and REVOKE) at both the system and group level.
Report Messages
No messages appear at the end of this report.
S E L E C T E D U S E R A T T R I B U T E S U M M A R Y R E P O R T
---------------------------------------------------------------------------------------------------------
TOTAL DEFINED USERS: 1
TOTAL SELECTED ATTRIBUTE USERS:
ATTRIBUTE BASIS SPECIAL OPERATIONS AUDITOR ROAUDIT REVOKE
---------------- ------------- ------------- ------------- ------------- -------------
SYSTEM 1 1 1 0 0
GROUP 0 0 0 0 0
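As an added example (not part of this page or of DSMON itself), the following Python reads a selected user attribute report as text, recovers each user's attribute basis, rebuilds the SYSTEM/GROUP totals that the summary report shows, and compares users holding SPECIAL or OPERATIONS against an approved list. The column offsets, the `_row` helper and every user ID except JPETUSR are constructed assumptions, and the ASSOCIATIONS columns are omitted; adapt the offsets to the report as your installation prints it.

```python
"""Parse a DSMON selected user attribute report and rebuild its summary totals."""

ATTRIBUTES = ("SPECIAL", "OPERATIONS", "AUDITOR", "ROAUDIT", "REVOKE")

# Assumed fixed-width layout for the constructed sample below (not DSMON's real
# column offsets): USERID in the first 10 columns, then a 12-column field per
# attribute holding SYSTEM, GROUP or blanks. The ASSOCIATIONS columns are omitted.
USERID_WIDTH = 10
FIELD_WIDTH = 12


def _row(userid, special="", operations="", auditor="", roaudit="", revoke=""):
    """Build one constructed report line in the assumed layout."""
    fields = (special, operations, auditor, roaudit, revoke)
    return userid.ljust(USERID_WIDTH) + "".join(f.ljust(FIELD_WIDTH) for f in fields).rstrip()


# Constructed sample report; only the JPETUSR line mirrors the page's example.
SAMPLE_REPORT = [
    "S E L E C T E D   U S E R   A T T R I B U T E   R E P O R T",
    _row("USERID", *ATTRIBUTES),
    "-" * 70,
    _row("JPETUSR", special="SYSTEM", operations="SYSTEM", auditor="SYSTEM"),
    _row("OPSADM", operations="GROUP"),
    _row("AUDIT1", auditor="SYSTEM"),
    _row("RDAUD", roaudit="GROUP"),
    _row("OLDUSER", revoke="SYSTEM"),
]


def parse_attribute_report(lines):
    """Return {userid: {attribute: 'SYSTEM' | 'GROUP'}} for each listed user."""
    users = {}
    for line in lines:
        text = line.strip()
        # Skip the title, column headings, rule lines and the "no users" message.
        if not text or text.startswith(("USERID", "-", "S E L E C T E D", "NO SELECTED")):
            continue
        userid = line[:USERID_WIDTH].strip()
        held = {}
        for i, name in enumerate(ATTRIBUTES):
            start = USERID_WIDTH + i * FIELD_WIDTH
            basis = line[start:start + FIELD_WIDTH].strip()
            if basis:  # blank means the attribute is held on neither level
                held[name] = basis
        users[userid] = held
    return users


def summarize(users):
    """Totals per basis and attribute, the shape of the summary report's table."""
    totals = {basis: dict.fromkeys(ATTRIBUTES, 0) for basis in ("SYSTEM", "GROUP")}
    for held in users.values():
        for name, basis in held.items():
            totals[basis][name] += 1
    return totals


def unapproved_privileged(users, approved, attributes=("SPECIAL", "OPERATIONS")):
    """Users holding any of the given attributes, on either level, who are not approved."""
    return sorted(
        userid for userid, held in users.items()
        if userid not in approved and any(name in held for name in attributes)
    )


if __name__ == "__main__":
    parsed = parse_attribute_report(SAMPLE_REPORT)
    for basis, counts in summarize(parsed).items():
        print(basis.ljust(8), counts)
    print("not on approved list:", unapproved_privileged(parsed, approved={"JPETUSR"}))
```

The totals returned by `summarize` should match the TOTAL SELECTED ATTRIBUTE USERS table of the summary report for the same run; a difference between the two points at a parsing problem rather than at the data. A user found only at the GROUP level still needs the LISTUSER check the text describes to learn which groups grant the attribute.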
Selected data sets reports
The selected data sets report lists all the data sets, including the RACF database or databases, that meet one or more of the selection criteria that DSMON uses. For each selected data set, the report specifies the serial number of the volume on which the data set resides, the selection criterion, whether the data set is RACF-indicated or RACF-protected, and the universal access authority (UACC) for the data set. If a data set or RACF database meets more than one selection criterion, there is a separate entry for each criterion.
You can use the selected data sets report to determine which system and RACF data sets are protected by RACF and which are not. You can also check to learn whether the UACC associated with each of the data sets is compatible with the resource access control requirements of your installation.
Column Headings
- DATA SET NAME
- is the name of the data set.
- VOLUME SERIAL
- is the serial number of the direct access volume on which the data set resides. If the data set is not cataloged, this column is blank.
- SELECTION CRITERION
- is the criterion that was used to select the data set for the report. The following entries may appear:
- LNKLST
- The data set is part of the LNKLIST concatenation (which is SYS1.LINKLIB and any data sets concatenated to SYS1.LINKLIB by using the LNKLSTxx member of SYS1.PARMLIB) for this IPL.
- APF
- specifies that the data set is an APF-authorized library. For information about defining the format and contents of the list of APF-authorized libraries used by MVS, refer to z/OS MVS Initialization and Tuning Reference.
Note:
- Depending on your APF list definition, the list of APF-authorized libraries may be incomplete in the Selected Data Sets report generated by the FUNCTION ALL or FUNCTION SYSAPF control statements. Only APF-authorized libraries contained in the IEAAPFxx or PROGxx members of SYS1.PARMLIB, or specified by the MVS SETPROG operator command, are reflected in the report. APF-specification members can come from any member of PARMLIB, or from a command which dynamically adds APF data sets. Therefore, LPA, MLPA, and FLPA authorized libraries that are not defined in the APF LIST are not flagged as APF.
- Perform one of the following options to include all APF-authorized libraries in the Selected Data Sets report.
- Define all your LPA, MLPA, and FLPA libraries in the applicable IEAAPFxx or PROGxx members of SYS1.PARMLIB. This allows MVS to recognize them as APF-authorized at all times.
- Use the FUNCTION USRDSN and USEROPT USRDSN control statements and specify the APF-authorized libraries that are not defined in the APF List. With this option, the SELECTION CRITERION field contains USRDSN.
- If the APF-authorized library is part of the LNKLIST concatenation, specify either FUNCTION ALL or FUNCTION SYSLNK. In this case, the SELECTION CRITERION field contains LNKLST-APF.
- LNKLST-APF
- specifies that the data set is a linklist data set that is also an APF authorized library.
- MASTER CATALOG
- indicates that the data set is the MVS master catalog.
- USER CATALOG
- indicates that the data set is a user catalog.
- RACF PRIMARY
- indicates that the data set is a primary RACF database, containing RACF access control information. This information includes user, group, data set, and general-resource profiles.
- RACF BACKUP
- indicates that the data set is a backup or recovery RACF database.
- SYSTEM
- indicates that the data set is one of the following system data sets:
- SYS1.CMDLIB
- SYS1.LINKLIB
- SYS1.LPALIB
- SYS1.NUCLEUS
- SYS1.PARMLIB
- SYS1.PROCLIB
- SYS1.SVCLIB
- SYS1.UADS
- USRDSN
- is the user data set specified on the USEROPT control statement.
- RACF INDICATED
- indicates whether the data set is RACF-indicated.
The following entries may appear:
- YES
- indicates that the RACF indicator for the data set is on.
- NO
- indicates that the RACF indicator for the data set is off. RACF will not check for a discrete profile.
- N.C.
- indicates that the data set is not listed (cataloged) in the master catalog.
- N.M.
- indicates that the DASD volume on which the data set resides is not mounted or has been dynamically deleted.
- N.F.
- indicates DSMON cannot find the data set on the specified volume. For APF data sets, this may indicate a security exposure that should be investigated and corrected.
- RACF PROTECTED
- indicates whether the data set has a RACF profile. The following entries may appear:
- YES
- indicates that the data set has a discrete or generic profile. If the RACF indicator for the data set is off, the data set is protected by a generic profile.
- NO
- indicates that no profile exists for the data set. The data set is not protected in any way by RACF.
Note:
- An error condition exists when the RACF indicator for a data set is on but no profile exists for the data set. The data set is not accessible until the condition is corrected.
- For a data set profile that has WARNING set, RACF issues a warning message, but permits access to the data set. Thus, although the data set has a RACF profile and is indicated as RACF-protected in the report (YES), it can nevertheless be accessed and is not really protected. You may want to list the contents of the data set profile (through the LISTDSD command) to see whether WARNING is set.
- UACC
- is the data set's universal access authority (UACC), if it is defined. The UACC is the default access authority that specifies how the data set can be accessed by users or groups not in the access list of the data set's RACF profile.
Note: The UACC does not necessarily indicate the actual authority that a user has to access the data set. The global access checking table may contain an entry applicable to the data set, or the user may be on the access list, if the data set has a discrete profile.
The following universal access authorities may appear:
- ALTER
- For a data set that is protected by a discrete profile, ALTER allows all users to read, update, or delete the data set.
- CONTROL
- For VSAM (virtual storage access method) data sets, CONTROL provides all users with the same authority that is provided with the VSAM CONTROL password; that is, authority to perform control interval access (access to individual VSAM data blocks), and to retrieve, update, insert, or delete records in the specified data set. For non-VSAM data sets, CONTROL is equivalent to UPDATE.
- UPDATE
- allows all users to read or update the data set. UPDATE does not, however, authorize a user to delete the data set.
- READ
- allows all users to access the data set for reading or copying only.
- NONE
- does not allow users to access the data set.
Report Messages
The following message may appear beneath the report column headings:
NO SELECTED DATA SETS FOUND
Explanation: DSMON did not find any data sets meeting the criteria.
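As an added example (not part of this page or of DSMON itself), the following Python parses a selected data sets report and applies the checks the column descriptions above call for: an APF, linklist, system or RACF database data set with no profile, a RACF indicator that is on with no profile behind it, an APF library reported N.F., and a UACC above what the installation allows on such data sets. The fixed column offsets, the `_row` helper, the `SENSITIVE` set, the READ ceiling and all sample data set names are constructed assumptions; the handling of a continuation row (a second criterion for the same data set) is likewise an assumption about layout.

```python
"""Parse a DSMON selected data sets report and flag entries an auditor should review."""
from dataclasses import dataclass

# Assumed fixed-width layout for the constructed sample below (not DSMON's real
# column offsets): name, volume serial, selection criterion, RACF indicated,
# RACF protected, UACC.
COLS = {
    "dsn": (0, 44), "volser": (44, 52), "criterion": (52, 68),
    "indicated": (68, 78), "protected": (78, 88), "uacc": (88, 96),
}
UACC_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
# Assumed policy: criteria whose data sets load authorized code or hold RACF's own data.
SENSITIVE = {"APF", "LNKLST", "LNKLST-APF", "SYSTEM", "MASTER CATALOG",
             "RACF PRIMARY", "RACF BACKUP"}


def _row(dsn, volser, criterion, indicated, protected, uacc):
    """Build one constructed report line in the assumed layout."""
    widths = [b - a for a, b in COLS.values()]
    values = (dsn, volser, criterion, indicated, protected, uacc)
    return "".join(v.ljust(w) for v, w in zip(values, widths)).rstrip()


# Constructed sample report; names and volumes are invented for the example.
SAMPLE_REPORT = [
    "S E L E C T E D   D A T A   S E T S   R E P O R T",
    "DATA SET NAME".ljust(44) + "VOLUME  SELECTION CRITERION",
    "-" * 100,
    _row("SYS1.LINKLIB", "PRIPK3", "LNKLST-APF", "NO", "YES", "READ"),
    _row("SYS1.PARMLIB", "PRIPK3", "SYSTEM", "NO", "YES", "UPDATE"),
    _row("APPL.AUTH.LOADLIB", "APPL01", "APF", "NO", "NO", ""),
    _row("OLD.AUTH.LOADLIB", "APPL02", "APF", "N.F.", "NO", ""),
    _row("SYS1.RACFDS", "RACF01", "RACF PRIMARY", "YES", "YES", "NONE"),
    _row("TEST.DATA", "TEST01", "USRDSN", "YES", "NO", ""),
    _row("SYS1.CMDLIB", "PRIPK3", "APF", "NO", "YES", "READ"),
    _row("", "", "LNKLST-APF", "", "", ""),  # second criterion for SYS1.CMDLIB
]


@dataclass
class DataSetEntry:
    dsn: str
    volser: str
    criterion: str
    indicated: str
    protected: str
    uacc: str


def parse_data_set_report(lines):
    """Return one DataSetEntry per report row, one row per selection criterion."""
    entries = []
    for line in lines:
        text = line.strip()
        # Skip the title, column headings, rule lines and the "no data sets" message.
        if not text or text.startswith(("DATA SET NAME", "VOLUME", "-",
                                        "S E L E C T E D", "NO SELECTED")):
            continue
        fields = {key: line[a:b].strip() for key, (a, b) in COLS.items()}
        if not fields["dsn"] and entries:
            # Assumption: a row with a blank name is a further criterion for the
            # previous data set and inherits the columns it leaves blank.
            prev = entries[-1]
            for key in ("dsn", "volser", "indicated", "protected", "uacc"):
                fields[key] = fields[key] or getattr(prev, key)
        entries.append(DataSetEntry(**fields))
    return entries


def audit(entries, max_uacc="READ"):
    """Return (data set name, reason) pairs for the conditions the report text warns about."""
    findings = []
    for e in entries:
        sensitive = e.criterion in SENSITIVE
        if e.indicated == "YES" and e.protected == "NO":
            findings.append((e.dsn, "RACF indicator on but no profile exists: error condition"))
        if sensitive and e.protected == "NO":
            findings.append((e.dsn, f"{e.criterion} data set has no RACF profile"))
        if e.criterion in ("APF", "LNKLST-APF") and e.indicated == "N.F.":
            findings.append((e.dsn, "APF library not found on its volume: investigate"))
        if sensitive and e.uacc and UACC_RANK[e.uacc] > UACC_RANK[max_uacc]:
            findings.append((e.dsn, f"UACC {e.uacc} exceeds {max_uacc}"))
    return findings


if __name__ == "__main__":
    for dsn, reason in audit(parse_data_set_report(SAMPLE_REPORT)):
        print(f"{dsn:<30} {reason}")
```

A RACF PROTECTED value of YES is necessary but not sufficient: as the note above says, a profile in WARNING mode still permits access, and the report does not show WARNING, so data sets this script leaves unflagged still need the LISTDSD check before they are accepted as protected. The UACC check is also only a first pass, since the global access checking table and access list entries can grant more than the UACC shows.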
S E L E C T E D D A T A S E T S R E P O R T
VOLUME SELECTION RACF RACF
DATA SET NAME SERIAL CRITERION INDICATED PROTECTED UACC
-------------------------------------------------------------------------------------------------------------
CATALOG.AOCSMP.USERCAT D94HV2 USER CATALOG N.M. YES UPDATE
CATALOG.CICSCAT D83CL2 USER CATALOG NO YES NONE
CATALOG.CICSDCT D83HW1 USER CATALOG NO YES NONE
CATALOG.CMNA00 CMNA00 USER CATALOG N.M. YES NONE
CICS.CURRENT.SDFHAUTH DB2LD1 APF NO YES NONE
CICS.CURRENT.SDFHEXCI DB2LD1 APF NO YES READ
CICS.CURRENT.SEYUAUTH DB2LD1 APF NO YES NONE
CICS.NEW.SDFHAUTH DB2LD1 APF NO YES NONE
CICSCAT.USERCAT CIC330 USER CATALOG N.M.
DB1L.SDSNEXIT SMS066 APF NO YES READ
DB2.DB2L.DB2PM.SDGOLOAD DB2LS2 APF NO YES READ
DB2.DB2M.DB2PM.SDGOLOAD DB2S01 APF NO YES READ
DB2.LOCAL.LOADLIB DB2LS0 APF NO YES READ
DB2.USER.CATALOG DB2PRD USER CATALOG NO YES NONE
DB2L.DSNEXIT DB2LS1 APF NO YES READ
DB2M.DSNEXIT DB2MS0 APF NO YES READ
LINKLIST.DB2L.DSNLINK DB2LS1 APF NO YES READ
LNKLST - APF
LINKLIST.DB2L.DSNLOAD DB2LS1 APF NO YES READ
LNKLST - APF
LINKLIST.DB2M.DSNLINK DB2MS0 APF NO YES READ
LNKLST - APF
LINKLIST.DB2M.DSNLOAD DB2MS0 APF NO YES READ
LNKLST - APF
LINKLIST.DB2PM.SDGOLINK DB2MS0 APF NO YES READ
NCP1.SSPLIB TPPAK2 APF NO YES READ
NETVIEW.NETVIEW.USERLNK TPPAK5 APF NO YES NONE
NETWORK.ANOMVS.USERLNK TPPAK5 APF NO YES READ
POSIX.CBC.OSV1R2M0.USERCAT BPXRTL USER CATALOG NO YES NONE
SYS1.ACCOUNT PPP002 APF YES YES NONE
LNKLST - APF
SYS1.AUTHLIB PPP002 APF YES YES READ
LNKLST - APF
SYS1.CEE.SCEELKED PRIPK3 APF NO YES READ
SYS1.CEE.SCEERUN PRIPK3 APF NO YES READ
LNKLST - APF
SYS1.CICS410.LINKLIB DB2LD1 APF NO YES NONE
LNKLST - APF
SYS1.CICS410.LPALIB DB2LD1 APF NO YES NONE
SYS1.CMDLIB PRIPK3 APF NO YES READ
LNKLST - APF
SYSTEM