Resource Access Control Facility

Resource Access Control Facility (RACF) is IBM's implementation of the security interface SAF (System Authorization Facility) of the mainframe operating systems MVS (the core of z/OS) and, in an older version, z/VM. The present name is SecureWay Security Server - RACF.

Its main functions are:

  • Identification and verification of the user by means of user ID and password (authentication)
  • Protection of resources by managing the access rights (authorization)
  • Logging of accesses to protected resources (auditing).

The RACF administrator maintains the RACF database using RACF commands. The database contains so-called profiles for user IDs, for the resources to be protected (resources) and for groups.

User IDs

Users of the system are natural persons, as well as technical users, who log on at a terminal with a RACF user ID to an online system such as TSO, CICS or IMS, and also server processes ("started tasks" in MVS parlance) to which RACF administration has assigned a user ID.

In a user profile, RACF stores, alongside the name of the user, statistics and further information:

  • Last password change
  • Most recent use of the user ID
  • Password (encrypted) and password history
  • Group membership
  • User attributes such as REVOKED, which indicates that the user ID is disabled, and special administrative permissions.
  • Other properties that describe and define the use of MVS subsystems such as Unix System Services, CICS, TSO, or the file system.

Administrative permissions for user IDs

Administrative permissions can also be set for a user in the user profile:

Monitoring (auditing) of user IDs

Critical or highly authorized users can optionally be audited. For this purpose the UAUDIT attribute is set for the corresponding user in RACF. As a result, all actions of this user are written as so-called SMF records to the operating system log files. These records can then be evaluated with special applications.

Resources

Resources are classically files, tapes and terminals. Today, however, the term covers, in the abstract, everything an installation considers worthy of protection, such as console commands, names of online transactions, or the permission to reset the password of another user.

A resource is protected by a resource profile. A resource profile is identified by a class name (such as DATASET) and a name that describes the resource to be protected either completely (discrete profile) or partially (generic profile). For example, the generic DATASET profile SYS1.** protects all files whose names start with SYS1.

A profile defines the so-called universal access, which applies to all users. In the access list, other permissions can be defined for individual users or user groups. The access levels are:

  • NONE: No access
  • EXECUTE: execute permission for a program; the program cannot be copied, however, and is suppressed even in a dump.
  • READ: for files, read access; includes EXECUTE
  • UPDATE: for files, write access; includes READ
  • CONTROL: for files, write access; includes UPDATE
  • ALTER: for files, unrestricted access: creating, deleting and renaming the file; includes CONTROL

Originally, RACF was intended only to protect files. The extension to other resources came later. For this reason, the names of the access levels relate to file access.

RACF groups

RACF groups rest on a complex concept:

  • On the one hand, they can be used to bundle user IDs so that permissions are granted to the group rather than to each individual user. A user can belong to a maximum of 8191 groups (maximum of 65,536 bytes) and has the sum of the permissions of all the groups to which he belongs (when the RACF option 'LIST OF GROUPS ACCESS CHECKING IS ACTIVE' is set).
  • On the other hand, groups are organized hierarchically: the top group is named SYS1. This hierarchy is the basis for decentralizing RACF administration according to organizational criteria. When a user with administration rights is connected to a group, that user also has administration rights for all subgroups of this group.

Resource Manager

RACF, or more precisely SAF, is passive. The users of the system access a resource through a resource manager. The resource manager builds the resource name and then asks SAF whether the access is permitted. SAF/RACF responds with yes, no, or "do not know" (i.e. the resource is not protected by a profile). The subsystem then allows the use of the resource (or not).
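The decision described in the Resources, RACF groups and Resource Manager sections can be sketched as a small model. This is an added example, not IBM code and not part of the original article; the profiles, user IDs and group names are constructed, and the lookup order (discrete profile before generic, a user's own access-list entry before group entries, universal access last) is a simplifying assumption. The highest access level is written ALTER, as RACF names it.

```python
# Simplified model of the SAF/RACF decision described above (added example;
# not IBM code). Profile names, user IDs and groups are constructed samples.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # each includes the previous

# Constructed sample profiles: (class, name) -> universal access + access list.
PROFILES = {
    ("DATASET", "SYS1.**"): {"uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    ("DATASET", "PAY.MASTER"): {"uacc": "NONE",
                                "acl": {"PAYROLL": "UPDATE", "AUDIT": "READ", "TEMP01": "NONE"}},
}

def find_profile(cls, resource):
    """Discrete profile first, then the generic profile with the longest prefix.
    Only the trailing '.**' form from the text is modelled (assumption)."""
    if (cls, resource) in PROFILES:
        return PROFILES[(cls, resource)]
    best = None
    for (c, name), prof in PROFILES.items():
        if c == cls and name.endswith(".**"):
            prefix = name[:-3]
            if resource == prefix or resource.startswith(prefix + "."):
                if best is None or len(prefix) > best[0]:
                    best = (len(prefix), prof)
    return best[1] if best else None

def granted_level(profile, user, groups):
    """Assumed precedence in this model: an access-list entry for the user ID wins;
    otherwise the highest entry among the user's groups (list-of-groups checking);
    otherwise the universal access."""
    acl = profile["acl"]
    if user in acl:
        return acl[user]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=LEVELS.index)
    return profile["uacc"]

def saf_check(user, groups, cls, resource, requested):
    """Return 'ALLOW', 'DENY' or 'NOT_PROTECTED' (the "do not know" answer)."""
    profile = find_profile(cls, resource)
    if profile is None:
        return "NOT_PROTECTED"  # no profile: the resource manager decides
    granted = granted_level(profile, user, groups)
    return "ALLOW" if LEVELS.index(granted) >= LEVELS.index(requested) else "DENY"

if __name__ == "__main__":
    print(saf_check("ALICE", ["PAYROLL", "AUDIT"], "DATASET", "PAY.MASTER", "UPDATE"))
    print(saf_check("BOB", [], "DATASET", "SYS1.PARMLIB", "UPDATE"))
    print(saf_check("BOB", [], "DATASET", "TEST.DATA", "READ"))
```

The third outcome matters for review: a resource with no covering profile is neither allowed nor denied by this check, so what happens next depends on the resource manager.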

Examples of resource managers are the file system of the z/OS operating system, with the resource "file", and CICS, with (among many others) the resource "transaction code". It is also possible to operate the DB2 database system so that it stores database authorizations not as SQL grants in its catalog but as RACF resources in RACF. Since version 8 of DB2 for z/OS, access permissions to individual records in a DB2 table can even be granted via RACF through Multi Level Security (MLS) with row-level granularity.
