Mainframe Security: Resource Access Control Facility (RACF)

Resource Access Control Facility (RACF) - Philip Yuson
Resource Access Control Facility (RACF) is system software that controls security on an IBM mainframe. This article gives some basic concepts.

Since the mainframe stores mission critical data, it makes sense that resources on the mainframe are secured. There are several products available to provide security for the mainframe; RACF, a product from IBM, is one of them.

There are similarities between the way security is implemented in RACF and in Windows and *NIX systems. For one, a user needs to authenticate himself to the system. This process of authenticating oneself to MVS is called logon or login.

Resources

In general, anything that can be accessed in MVS can be treated as a resource. This includes data sets, databases, IMS and CICS transactions, terminals, consoles, disk and tape volumes and commands. Each of these can be treated as a resource class. Since most processing in MVS uses datasets, datasets form a class of their own.

The RACF administrator needs to enable RACF protection for each resource class before RACF can control it. Once a class is enabled, each resource in it must have a profile so that RACF knows how to control access to it.

RACF Profiles

RACF controls access through a RACF database. The database holds information about userids, groups and resources in records called profiles. A profile is distinct from the resource it describes: a user has a profile, a group has a profile, a data set has a profile and a general resource has a profile.

Userid and group profiles contain information about the userid and group respectively. Dataset and general resource profiles contain information about the resources and how these should be accessed. A dataset or resource profile may be defined as a generic or discrete profile.

A dataset or resource profile is discrete if the actual name of the resource is defined. If you want to protect a data set called SYS1.PROCLIB, the discrete profile for this data set is SYS1.PROCLIB.

If you have more than one resource with the same name pattern and you want these to be accessed in the same way, you may create a generic profile. You may use a % to denote one character, * to denote more than one character within a level, or ** to denote more than one character across several levels.

If you want to protect all datasets starting with SYS1 with the same access, you may create a profile called SYS1.* or SYS1.**.

One * means any character within the level. SYS1.* covers SYS1.PROCLIB, SYS1.PARMLIB, SYS1.NUCLEUS but does not cover SYS1.PROCLIB.OLD. To cover SYS1.PROCLIB.OLD, the appropriate profile would be SYS1.**.

The first-level qualifier cannot contain the generic characters.

RACF Userid

The userid is public knowledge but the password is known only to the user. There are, however, restrictions on the userid and password. The userid cannot exceed 8 characters and must consist of alphabetic or numeric characters. The password has the same restriction.

Listed below are some of the more important system attributes that a userid may have:

  • SPECIAL - provides the user with administrative access to all profiles.
  • OPERATIONS - provides the user with full access to resources.
  • AUDITOR - allows the user to read the profiles.
  • REVOKE - the userid cannot be used to logon to the system.

Other attributes and ways of administering a userid are described in the RACF Security Administrator Guide.

RACF Group

Each userid needs to be connected to a RACF group. A RACF group contains one or more userids. A userid must be connected to at least one group with specific authorities:

  • USE - allows the user to access resources allowed to the group.
  • CONNECT - allows the user to connect other RACF userids to the group.
  • CREATE - allows the user to create profiles for the group data set.
  • JOIN - allows the user to create new users and new groups.

Groups can be used to simplify RACF administration. If you have 10 users who need the same access to a resource, you can either permit each user to the profile individually, or you can create a group, connect these users to that group, and permit the group to the profile. Access given to the group is passed on to the users within the group.

A user can also be assigned attributes within a group. These work the same way as system attributes except the scope is limited to only the resources owned by the group.

RACF Dataset Profile

Datasets are files. One can define generic dataset profiles or discrete dataset profiles. Once a dataset profile is created, the security administrator can authorize a userid or a group to access the dataset or datasets protected by the profile. Each profile has a universal access (UACC) defined. The UACC is the default access allowed to users and groups not otherwise authorized. The possible access levels are:

  • NONE - no one can access the dataset by default.
  • READ - permits only read access.
  • UPDATE - permits read and update access.
  • ALTER - permits read and update access and also allows the user to delete, rename or move the dataset.
  • CONTROL - used only for VSAM data sets, where it grants control-interval access. If it is specified for a non-VSAM dataset, it is treated as UPDATE.

Depending on how RACF is defined, you can set RACF to protect all datasets by default and create profiles for each dataset. This is more secure than having RACF only protect datasets with defined profiles.

If a profile has been defined, you may override its default access by authorizing a userid or group to the profile. Say you have SYS1.PARMLIB with a UACC of READ. This means that everyone can read from this dataset.

Since SYS1.PARMLIB is a system data set, you would want your system programmers to be able to update the members in the library. You can define the system programmers group to have UPDATE access to the profile that controls SYS1.PARMLIB. You can define accesses to several userids and groups to a profile.

RACF General Resource Profile

Other general resources that RACF can control include programs and IMS and CICS transactions, among other things. READ access to a program or transaction is enough to let a user run it, even if the program or transaction itself updates other resources. Update access to, say, a database or data set is controlled by the profile specific to that database or data set.

How RACF works

The general RACF process diagram in this article shows the sequence RACF follows:

  1. A user requests access to a resource.
  2. MVS or the program will pass the request to RACF.
  3. RACF will check the profile of the resource from the RACF database and return the result to the requesting program.
  4. If the user or one of the groups the user belongs to has access, RACF will allow the userid access. If the userid does not have access, RACF will reject the request. If the rejected request was for a dataset, the user gets a S913 ABEND, which indicates that the user did not have sufficient access to the resource.

If the resource is a dataset, checking is done only when the dataset is opened.
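To make the profile-matching rules (%, *, **) and the check sequence above concrete, here is an added Python model of them; it is not RACF code and not from the article. It assumes the access-list precedence "user entry, then group entries, then UACC", simplifies RACF's most-specific-profile ordering to "discrete first, then the generic with the fewest wildcards", and uses a constructed sample database based on the SYS1 examples on this page.

```python
import re
from dataclasses import dataclass, field

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # increasing privilege

def _qualifier_regex(q: str) -> str:
    # Within one level: % matches exactly one character, * matches any run of characters.
    return "".join("." if c == "%" else "[^.]*" if c == "*" else re.escape(c) for c in q)

def profile_matches(profile: str, dsname: str) -> bool:
    """True if a discrete or generic DATASET profile covers the data set name."""
    pq, dq = profile.split("."), dsname.split(".")
    def walk(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(dq)
        if pq[i] == "**":  # ** spans any number of whole levels, including none
            return any(walk(i + 1, k) for k in range(j, len(dq) + 1))
        return (j < len(dq) and re.fullmatch(_qualifier_regex(pq[i]), dq[j]) is not None
                and walk(i + 1, j + 1))
    return walk(0, 0)
@dataclass
class Profile:
    name: str
    uacc: str                                # universal access (the default)
    acl: dict = field(default_factory=dict)  # userid or group -> access level
def best_profile(profiles, dsname):
    """Most specific covering profile: discrete first, then the generic with the fewest
    wildcard characters (a simplification of RACF's real ordering rules)."""
    hits = [p for p in profiles if profile_matches(p.name, dsname)]
    return min(hits, key=lambda p: (any(c in p.name for c in "%*"),
                                    sum(p.name.count(c) for c in "%*")), default=None)

def check_access(profiles, dsname, userid, groups, requested, protectall=True) -> bool:
    """Steps 2-4 on the page: find the profile, then user entry > group entries > UACC."""
    p = best_profile(profiles, dsname)
    if p is None:
        return not protectall        # PROTECTALL: an unprotected data set is denied
    if userid in p.acl:
        granted = p.acl[userid]      # an explicit user entry (even NONE) overrides UACC
    else:
        from_groups = [p.acl[g] for g in groups if g in p.acl]
        granted = max(from_groups, key=LEVELS.index) if from_groups else p.uacc
    return LEVELS.index(granted) >= LEVELS.index(requested)
# Constructed sample RACF database mirroring the page's SYS1 examples (assumed values).
PROFILES = [
    Profile("SYS1.**", "READ"),
    Profile("SYS1.PARMLIB", "READ", {"SYSPROG": "UPDATE"}),
    Profile("SYS1.PROCLIB", "READ", {"TEMPUSR": "NONE"}),
]
```

The TEMPUSR entry shows why an explicit NONE on the access list matters: it denies READ even though the profile's UACC is READ.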

Further reading

This is just a brief overview of RACF. If you want to know more details about RACF, you may read the RACF Security Administrator's Guide.

Philip Yuson - I have more than 20 years of experience in IT in three countries. I have been doing consulting for more than 10 years specializing in IT ...

Comments

Feb 28, 2012 8:08 AM
Guest :
good