Checklist for RACF setup

Use the following checklist to ensure that you complete all the tasks required to set up RACF® for multilevel security.

  • Ensure that you have created a USER profile for each user and started procedure that can access protected resources in your system, and create new profiles if required.
  • Ensure that there is an entry in the started procedure table or a profile in the STARTED class for every started procedure that accesses protected resources or authenticates users, and that each of these started procedures is assigned a RACF-defined user ID that is authorized to use a security label.
  • Ensure that no entries in the started procedure table or profiles in the STARTED class specify the privileged attribute.
  • Set up surrogate job submission, if you haven't already and you need to allow users to submit jobs on behalf of other users.
  • Ensure that any profiles defined in the DASDVOL resource class specify the security label SYSHIGH and UACC(NONE) and include only appropriate trusted users in the access lists. (For more information, see Protecting DASD volumes.)
  • Ensure that you do not have entries in the global access checking table for any of the following:
    • Resources that require mandatory access control checking for access
    • Resources that require discretionary access control checking for access
    • Resources with a security label other than SYSLOW
    • Entries that specify an access level other than READ
  • Ensure that you do not have a profile in the FACILITY class protecting the resource IEC.TAPERING.
  • Ensure that you are not using the RACF remote sharing facility (RRSF) in remote mode.
  • Specify auditing options.
  • Define profiles in the ACCTNUM class.
  • Activate and RACLIST the ACCTNUM class.
  • Define profiles in the DEVICES class. Ensure that all profiles specify a security label.
  • Activate the DEVICES class.
  • Activate the DIRAUTH class.
  • Define profiles in the FACILITY class.
  • Activate and RACLIST the FACILITY class.
  • Define profiles in the JESSPOOL class.
  • Activate the JESSPOOL class.
  • Define profiles in the OPERCMDS class.
  • Activate and RACLIST the OPERCMDS class.
  • Define profiles in the PSFMPL class.
  • Activate and RACLIST the PSFMPL class.
  • Define profiles in the RACFVARS class.
  • Activate and RACLIST the RACFVARS class.
  • Define profiles in the SERVAUTH class. Ensure that all profiles specify a security label.
  • Activate and RACLIST the SERVAUTH class.
  • Define profiles in the SMESSAGE class.
  • Activate and RACLIST the SMESSAGE class.
  • Define profiles in the TAPEVOL class. Ensure that all profiles specify a security label.
  • Activate the TAPEVOL class.
  • Activate the TEMPDSN class.
  • Define profiles in the TERMINAL class. Ensure that all profiles specify a security label.
  • Activate the TERMINAL class.
  • Define profiles in the TSOAUTH class.
  • Activate and RACLIST the TSOAUTH class.
  • Define profiles in the TSOPROC class.
  • Activate and RACLIST the TSOPROC class.
  • Define profiles in the VTAMAPPL class.
  • Activate and RACLIST the VTAMAPPL class.
  • Activate the CATDSN(FAILURES) option.
  • Activate the ERASE(ALL) option.
  • Activate the GENERICOWNER option.
  • Activate the JES(BATCHALLRACF,XBMALLRACF) option.
  • Activate the PROTECTALL(FAILURES) option.
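The checklist above is long enough that it is worth encoding as an automated audit. The following Python script is an added example, not IBM code: it turns each checkable item (security labels on DEVICES, SERVAUTH, TAPEVOL and TERMINAL profiles; DASDVOL profiles at SYSHIGH with UACC(NONE); no PRIVILEGED started procedures; no FACILITY IEC.TAPERING profile; global access table entries only READ and only for SYSLOW resources; the class activations, RACLISTs and SETROPTS options listed) into a finding with the RACF command that would correct it. The inventory format (the Profile and GlobalEntry records and the sample snapshot) is a constructed simplification that you would populate from RLIST, SETROPTS LIST or an IRRDBU00 unload on a real system; the `<label>` placeholder stands for whichever security label your policy assigns to the resource.

```python
"""Audit a RACF multilevel-security snapshot against the setup checklist.

Added example (not IBM code). The inventory shape is a constructed,
simplified snapshot; real data comes from RLIST, SETROPTS LIST or IRRDBU00.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Classes whose profiles the checklist requires to carry a security label.
SECLABEL_REQUIRED = {"DEVICES", "SERVAUTH", "TAPEVOL", "TERMINAL"}

# Classes to activate, mapped to whether the checklist also says to RACLIST them.
CLASS_ACTIVATION: Dict[str, bool] = {
    "ACCTNUM": True, "DEVICES": False, "DIRAUTH": False, "FACILITY": True,
    "JESSPOOL": False, "OPERCMDS": True, "PSFMPL": True, "RACFVARS": True,
    "SERVAUTH": True, "SMESSAGE": True, "TAPEVOL": False, "TEMPDSN": False,
    "TERMINAL": False, "TSOAUTH": True, "TSOPROC": True, "VTAMAPPL": True,
}

# SETROPTS options the checklist requires.
SETROPTS_REQUIRED = ["CATDSN(FAILURES)", "ERASE(ALL)", "GENERICOWNER",
                     "JES(BATCHALLRACF,XBMALLRACF)", "PROTECTALL(FAILURES)"]


@dataclass
class Profile:
    cls: str
    name: str
    uacc: str = "NONE"
    seclabel: Optional[str] = None
    privileged: bool = False      # STDATA PRIVILEGED setting; STARTED class only


@dataclass
class GlobalEntry:
    """One global access checking table entry; seclabel is the covered resource's label."""
    cls: str
    name: str
    access: str
    seclabel: Optional[str] = None


def audit(profiles: List[Profile], global_table: List[GlobalEntry],
          active: Set[str], raclisted: Set[str], setropts: Set[str]) -> List[str]:
    """Return one finding per checklist violation, each with a corrective RACF command."""
    findings: List[str] = []
    for p in profiles:
        if p.cls in SECLABEL_REQUIRED and not p.seclabel:
            findings.append(f"{p.cls} {p.name} has no SECLABEL: "
                            f"RALTER {p.cls} {p.name} SECLABEL(<label>)")
        if p.cls == "DASDVOL" and (p.seclabel != "SYSHIGH" or p.uacc != "NONE"):
            findings.append(f"DASDVOL {p.name} must be SYSHIGH with UACC(NONE): "
                            f"RALTER DASDVOL {p.name} SECLABEL(SYSHIGH) UACC(NONE)")
        if p.cls == "STARTED" and p.privileged:
            findings.append(f"STARTED {p.name} specifies PRIVILEGED: "
                            f"RALTER STARTED {p.name} STDATA(PRIVILEGED(NO))")
        if p.cls == "FACILITY" and p.name == "IEC.TAPERING":
            findings.append("FACILITY IEC.TAPERING must not be defined: "
                            "RDELETE FACILITY IEC.TAPERING")
    for g in global_table:
        if g.access != "READ":
            findings.append(f"global entry {g.cls} {g.name} grants {g.access}; only READ is allowed")
        if g.seclabel != "SYSLOW":
            findings.append(f"global entry {g.cls} {g.name} covers a resource labelled "
                            f"{g.seclabel or 'none'}, not SYSLOW")
    for cls, needs_raclist in CLASS_ACTIVATION.items():
        if cls not in active:
            findings.append(f"class {cls} not active: SETROPTS CLASSACT({cls})")
        if needs_raclist and cls not in raclisted:
            findings.append(f"class {cls} not RACLISTed: SETROPTS RACLIST({cls})")
    for opt in SETROPTS_REQUIRED:
        if opt not in setropts:
            findings.append(f"option not active: SETROPTS {opt}")
    return findings


# Constructed sample snapshot with several deliberate gaps (not from any real system).
SAMPLE_PROFILES = [
    Profile("TERMINAL", "TERM0001", seclabel="SYSLOW"),
    Profile("TERMINAL", "TERM0002"),                                # no label
    Profile("DASDVOL", "SYSRES", uacc="READ", seclabel="SYSHIGH"),  # UACC too open
    Profile("STARTED", "MYSTC.*", privileged=True),
    Profile("FACILITY", "IEC.TAPERING"),
]
SAMPLE_GLOBAL = [
    GlobalEntry("DATASET", "SYS1.HELP*", "READ", "SYSLOW"),
    GlobalEntry("DATASET", "PUBLIC.*", "UPDATE", "SYSLOW"),
]
SAMPLE_ACTIVE = set(CLASS_ACTIVATION) - {"DIRAUTH"}
SAMPLE_RACLISTED = {c for c, r in CLASS_ACTIVATION.items() if r} - {"SERVAUTH"}
SAMPLE_SETROPTS = set(SETROPTS_REQUIRED) - {"ERASE(ALL)"}


def sample_findings() -> List[str]:
    return audit(SAMPLE_PROFILES, SAMPLE_GLOBAL, SAMPLE_ACTIVE,
                 SAMPLE_RACLISTED, SAMPLE_SETROPTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

Run against the constructed sample it reports eight findings, one for each gap planted in the snapshot, and an empty list for a fully compliant one. The items it cannot check mechanically (whether every started procedure has a user ID authorized to a security label, whether RRSF is in remote mode, and the audit and surrogate settings) remain manual review items; keep them in the checklist rather than assuming the script covers them.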

See Activating multilevel security for a description of other SETROPTS options that you need to activate to complete the activation of multilevel security.