Joined: 07 Feb 2009 Posts: 1047 Location: Oostende, Belgium
How do you populate an almost virgin RACF database, that has just a handful userids defined to it, but that needs to be set up as "you cannot do anything, unless you are given specific permission to do so" (and not "you can do anything unless we disallow you")
Joined: 23 Nov 2006 Posts: 19270 Location: Inside the Matrix
but that needs to be set up as "you cannot do anything, unless you are given specific permission to do so"
Isn't "closed" security fun. . .
I've not been a heads-down security guy, but i have helped a few folks with a similar situation as yours (most have been clerks rather than technicians). One way or another, i worked with them to generate a set of transactions that they could apply in batch. How these are generated depends on what is available to "generate from".
Recommend saving these as they may be needed again - with or without some changes. Also recommend saving a set of transactions to "kill" these userids.
Protecting all the datasets and general resources that may exist on your system involves a substantial amount of technically challenging work. It is far too broad an issue than can be dealt with on a forum such as this. If you are not a RACF expert, I suggest you hire one to complete this effort.
Joined: 14 Mar 2007 Posts: 8593 Location: Back in jolly old England
Oh, and just let me guess who this supposed RACF expert may be
Prino, there is one global setting in RACF as stated above, which I can not recall off the top of my head that will fail any access where none is granted or if a profile does not exist.
PROTECTALL I think, but may be wrong.
Another method may be to use a ** profile with UACC(NONE)
You most certainly DO NOT need to hire a self declared RACF wizard to solve this.
This is the same RACF guru who was warbling on about text files on the mainframe ...........................
There are many good RACF experts out there who can help. We're booked solid and don't have the time to help Robert, but I would be happy to give him some names if he contacts me directly. He definitely needs better advice than you can provide.
Before he turns on PROTECTALL(FAILURES) as you suggest, he first needs define a group or user for all his dataset HLQs and then a dataset profile of HLQ.** to cover these datasets with an appropriate UACC and permissions. Otherwise, he risks denying critical tasks access to their data and could conceivably cause an outage. A profile ** cannot be used for datasets, only general resources, and should not be used for all general resource classes as it can cause problems. This is merely the tip of the iceberg and is the reason why Robert needs to seek the advice of a knowledgeable RACF professional. He certainly cannot rely on anything YOU have to say on this matter as you don't know RACF and the terms "knowledgeable" and "professional" don't apply to you either.
25 years of experience with RACF gives me the expertise to answer his question. Google "Hansel RACF", and you'll find amply evidence to back up my claim. I don't have to hide behind a fictitious name. You clearly don't have anything close to that level of expertise, so when it comes to matters related to RACF, the world will thank you to SHUT UP!
As to your silly response about text file, since you want to criticize people because they don't use what you consider to be proper terms, then know that the term for RACF settings is "SETROPTS options". Anyone with the slightest bit of RACF knowledge is aware of this.
Fire away with more inane comments if you wish but don't expect a response unless you offer Robert further bad advice, in which case I will correct you once again.
No self advertising was ever intended. I was responding to sarcastic innuendoes accusing me of being self-serving and to unwarranted attacks on my credibility and level of expertise. I regard these as extremely serious accusations that prompted what for me was a most unusual harsh response. This is not the first time I have been subjected to Expat's unjustified attacks; however, this time I simply could not let them go unanswered. Unfortunately, I let anger get the better of me and crossed the line with a few of my comments.
Robert, the original poster, is starting from scratch with the laudable goal of building a well protected system using RACF. This is a big effort requiring considerable expertise to do it right and fraught with risk of causing major system problems or creating vulnerabilities if done incorrectly. There are many, many steps that must be carefully choreographed to completing a full, proper RACF implementation. Far too many than can be reasonably addressed via a forum such as this. Since Robert seems to be a RACF newcomer, he would be far better off seeking the help of a RACF professional with this effort, just as I myself did when I was first getting started with RACF. No where did I suggest the RACF professional he chooses be me. My intent, then and now, was only to offer helpful advice.
Opinion is fine in many circumstances, but not for making offhand suggestions about activating an option with which you are not thoroughly familiar. PROTECTALL can be lethal to a system if activated without proper prior preparation. In my opinion, making such suggestions is best left to someone who truly knows subject product.
Joined: 07 Feb 2009 Posts: 1047 Location: Oostende, Belgium
This is indeed about a Hercules based system running something it should not be running - I've been out of work for the past 20 months, without much hope of getting anything new, 51 is not a good age and not having COBOL knowledge doesn't help either, PL/I jobs are thin on the ground.
I've managed to create an additional account on the system, with rather a lot less privileges than the supplied one, and if things do go belly-up, I can simply roll back all changes by going to a previous backup of the Hercules created shadow disks.
Having this system gives me an opportunity to not only keep my skills reasonably (z/OS 1.10) current, but also to expand them with some more admin skills, such as RACF, and one of the things I would like to do with the latter is to make the system reflect the ones at my last two clients/employers, i.e. as I wrote in the first post of this thread, make it a system where everything is off limits, unless specifically authorized.
I have 0.0 RACF experience, and most certainly do not have the money to pay for professionals, whether real or self-declared, to help me. I'm sure that spending a few weeks going through ICHZA790.PDF, aka the "RACF Security Administrator's Guide" will tell me everything that I need to know, but some simple basic hints as how to start would be most welcome.
Try getting a copy of the book "Mainframe Basics for Security Professionals: Getting Started with RACF". It is summarize the Guide. Also Google "RACF Presentations" as you may find something helpful among the copies of RACF presentations posted on the Internet. IBM has quite a few; although I don't know if any of them will provide the help you seek.