Usage

Use the following questions to determine how RACF® is currently being implemented.

  1. Which user IDs (including started tasks) have any of the following privileged attributes or authorities? Why? You can use the IRRICE reports or DSMON reports to answer this particular question.
    • SPECIAL and group-SPECIAL
    • OPERATIONS and group-OPERATIONS
    • AUDITOR and group-AUDITOR
    • ROAUDIT
    • CLAUTH
    • JOIN
    • CONNECT
    • GRPACC
  2. How is the granting of these privileges controlled?
  3. Are user IDs shared? If so, why, and how is accountability maintained? Is the RESTRICTED attribute used to limit the resource access of the shared user IDs?
  4. Is the default for UACC always NONE? If not, why?

    All or part of this question can be answered by manipulating the output of the RACF database unload utility or by using the sample reports contained in the IRRICE member of SYS1.SAMPLIB.

  5. How is compliance with password quality rules enforced? Do you use, for example, rules for password length, nature (alphabetic, alphanumeric, no vowels), repetition, or change frequency?
  6. What RACF information, such as the following, is logged to SMF?
    • Command violations
    • Changes to profiles
    • Accesses to specific resources
    • Actions of SPECIAL and group-SPECIAL users
    • Actions of OPERATIONS and group-OPERATIONS users
  7. Who decides what resource-access information is to be collected? On what criteria?
  8. What RACF statistics are collected?
  9. What are the access rules when RACF is inactive or unavailable, such as stopping production, performing repair work only, or allowing selected jobs and applications to run?
  10. Is WARNING mode active, entirely or partially? Are there non-WARNING mode resources?

    All or part of this question can be answered by manipulating the output of the RACF database unload utility.

  11. Do access lists contain groups rather than individuals?
  12. How is the authority to run production work handled? Does the job submitter have access to production data? If so, how are the profiles deleted?
  13. How is RACF protection handled in disaster-recovery plans?
  14. Describe any operational or usage problems for which the installation cannot currently determine a solution.
  15. Do you need to delete tape profiles before using tape volumes again?
  16. Is DASDVOL authorization used instead of the OPERATIONS user attribute?
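
For questions 4 and 10, the following added example (not IBM's code and not part of the original page) shows one way to manipulate RACF database unload utility (IRRDBU00) output that has been downloaded as a text file: it lists data set profiles whose UACC is not NONE and those in WARNING mode. The column positions for the type 0400 record are an assumption to confirm against the record layouts for your release, the sample records are constructed, and general resource profiles are not covered.

```python
# ASSUMPTION: 1-based, inclusive column positions of the data set basic
# data record (type 0400). Confirm against the IRRDBU00 record layout
# documentation for your z/OS release before relying on the results.
DSBD_FIELDS = {
    "record_type": (1, 4),
    "name": (6, 49),
    "uacc": (129, 136),
    "warning": (484, 487),
}

def field(line, span):
    """Extract one fixed-position field and strip its blank padding."""
    start, end = span
    return line[start - 1:end].strip()

def audit_dataset_profiles(lines):
    """Return (profiles with UACC other than NONE, profiles in WARNING mode)."""
    open_uacc, warning = [], []
    for number, line in enumerate(lines, 1):
        if field(line, DSBD_FIELDS["record_type"]) != "0400":
            continue  # other record types are ignored in this example
        if len(line) < DSBD_FIELDS["uacc"][1]:
            # A cut-off record must not be silently counted as compliant.
            raise ValueError(f"record {number} is truncated before the UACC field")
        name = field(line, DSBD_FIELDS["name"])
        uacc = field(line, DSBD_FIELDS["uacc"])
        if uacc != "NONE":
            open_uacc.append((name, uacc))
        if field(line, DSBD_FIELDS["warning"]).upper() == "YES":
            warning.append(name)
    return open_uacc, warning

def make_record(name, uacc, warning):
    """Build a constructed 0400 record with only the audited fields filled."""
    buf = [" "] * DSBD_FIELDS["warning"][1]
    values = {"record_type": "0400", "name": name, "uacc": uacc, "warning": warning}
    for key, value in values.items():
        start = DSBD_FIELDS[key][0] - 1
        buf[start:start + len(value)] = value
    return "".join(buf)

# Constructed sample input, not taken from a real RACF database.
SAMPLE = [
    make_record("PROD.PAYROLL.**", "NONE", "NO"),
    make_record("SYS1.TESTLIB", "READ", "NO"),
    make_record("APPL.NEW.**", "NONE", "YES"),
    "0200 CONSTRUCTED RECORD OF ANOTHER TYPE",
]

if __name__ == "__main__":
    print(audit_dataset_profiles(SAMPLE))
```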