RACF - anyone here has lots of experience with it?


IBM Mainframe Forums -> JCL & VSAM
prino

Senior Member


Joined: 07 Feb 2009
Posts: 1306
Location: Vilnius, Lithuania

PostPosted: Mon Jun 06, 2011 12:30 am

How do you populate an almost virgin RACF database, that has just a handful userids defined to it, but that needs to be set up as "you cannot do anything, unless you are given specific permission to do so" (and not "you can do anything unless we disallow you")

Feel free to contact me via a private message.
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19244
Location: Inside the Matrix

PostPosted: Mon Jun 06, 2011 2:10 am

Hi Robert,

Quote:
but that needs to be set up as "you cannot do anything, unless you are given specific permission to do so"
Isn't "closed" security fun. . . icon_wink.gif

I've not been a heads-down security guy, but I have helped a few folks with a similar situation as yours (most have been clerks rather than technicians). One way or another, I worked with them to generate a set of transactions that they could apply in batch. How these are generated depends on what is available to "generate from".

Recommend saving these as they may be needed again - with or without some changes. Also recommend saving a set of transactions to "kill" these userids.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

PostPosted: Mon Jun 06, 2011 1:37 pm

Hi Robert, If I recall correctly there is an option that you can set to WARN or FAIL if you have no access. Can't recall it exactly, but a quick RTFM may reveal all.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Thu Jun 09, 2011 6:37 am

Robert,

Protecting all the datasets and general resources that may exist on your system involves a substantial amount of technically challenging work. It is far too broad an issue to be dealt with on a forum such as this. If you are not a RACF expert, I suggest you hire one to complete this effort.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

PostPosted: Thu Jun 09, 2011 12:37 pm

Oh, and just let me guess who this supposed RACF expert may be icon_rolleyes.gif

Prino, there is one global setting in RACF as stated above, which I can not recall off the top of my head that will fail any access where none is granted or if a profile does not exist.
PROTECTALL I think, but may be wrong.

Another method may be to use a ** profile with UACC(NONE)

You most certainly DO NOT need to hire a self declared RACF wizard to solve this.

This is the same RACF guru who was warbling on about text files on the mainframe ...........................
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Thu Jun 09, 2011 3:11 pm

Expat,

There are many good RACF experts out there who can help. We're booked solid and don't have the time to help Robert, but I would be happy to give him some names if he contacts me directly. He definitely needs better advice than you can provide.

Before he turns on PROTECTALL(FAILURES) as you suggest, he first needs to define a group or user for all his dataset HLQs and then a dataset profile of HLQ.** to cover these datasets with an appropriate UACC and permissions. Otherwise, he risks denying critical tasks access to their data and could conceivably cause an outage. A ** profile cannot be used for datasets, only general resources, and should not be used for all general resource classes as it can cause problems. This is merely the tip of the iceberg and is the reason why Robert needs to seek the advice of a knowledgeable RACF professional. He certainly cannot rely on anything YOU have to say on this matter as you don't know RACF and the terms "knowledgeable" and "professional" don't apply to you either.

25 years of experience with RACF gives me the expertise to answer his question. Google "Hansel RACF", and you'll find ample evidence to back up my claim. I don't have to hide behind a fictitious name. You clearly don't have anything close to that level of expertise, so when it comes to matters related to RACF, the world will thank you to SHUT UP!

As to your silly response about text files, since you want to criticize people because they don't use what you consider to be proper terms, then know that the term for RACF settings is "SETROPTS options". Anyone with the slightest bit of RACF knowledge is aware of this.

Fire away with more inane comments if you wish but don't expect a response unless you offer Robert further bad advice, in which case I will correct you once again.
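Added example, not code from any post in this thread: a small generator for the batch transaction set Dick describes, sequenced the way Robert Hansel's reply requires. It defines the owner of each HLQ first (ADDSD refuses a data set profile whose HLQ is not a RACF-defined user or group), then a UACC(NONE) HLQ.** profile per HLQ, then explicit PERMITs, and only then PROTECTALL, in WARNING mode first so a forgotten HLQ shows up in the log instead of as a failed job or a hung started task. It also emits the matching "kill" deck in reverse order. The HLQ list, the IDs SYSPROG, PAYADM, PAYCLERK and BATCHJOB, the owning group and the 72-column SYSTSIN limit are assumptions; the RACF commands themselves are standard TSO RACF commands.

```python
"""Generate a RACF command deck that closes an almost-empty RACF database
for data sets, plus the matching undo deck, each wrapped as a batch TSO job.

Added example, not code from this thread. All names are assumptions: the
HLQs, the SYSPROG/PAYADM/PAYCLERK/BATCHJOB IDs and the owning group SYS1.
"""
from dataclasses import dataclass, field


@dataclass
class Hlq:
    """One high-level qualifier that needs a covering data set profile.

    kind: "existing" (user/group already in the database, e.g. SYS1),
          "group"    (define it with ADDGROUP), or
          "user"     (define a protected placeholder user ID with ADDUSER).
    ADDSD requires the HLQ to be a RACF-defined user or group, so the
    define must come before the profile.
    """
    name: str
    kind: str
    owner: str                                   # owning group of the profile
    alter: list = field(default_factory=list)    # IDs granted ALTER
    read: list = field(default_factory=list)     # IDs granted READ ('*' = all defined users)


def build_deck(hlqs, warn_first=True):
    """Commands in the order they must be applied."""
    cmds = ["SETROPTS GENERIC(DATASET)"]         # '**' profiles need generic checking on
    for h in hlqs:
        if h.kind == "group":
            cmds.append(f"ADDGROUP {h.name} SUPGROUP({h.owner}) OWNER({h.owner})")
        elif h.kind == "user":
            # NOPASSWORD NOOIDCARD: a protected user ID that nobody can log on as.
            cmds.append(f"ADDUSER {h.name} DFLTGRP({h.owner}) OWNER({h.owner}) NOPASSWORD NOOIDCARD")
        elif h.kind != "existing":
            raise ValueError(f"{h.name}: kind must be existing, group or user")
        # Closed by default: UACC(NONE); failed reads are audited.
        cmds.append(f"ADDSD '{h.name}.**' UACC(NONE) OWNER({h.owner}) AUDIT(FAILURES(READ))")
        for uid in h.alter:
            cmds.append(f"PERMIT '{h.name}.**' CLASS(DATASET) ID({uid}) ACCESS(ALTER)")
        for uid in h.read:
            cmds.append(f"PERMIT '{h.name}.**' CLASS(DATASET) ID({uid}) ACCESS(READ)")
    cmds.append("SETROPTS GENERIC(DATASET) REFRESH")   # pick up the new generic profiles
    # WARNING mode logs what FAILURES mode would reject; flip only once it is quiet.
    cmds.append("SETROPTS PROTECTALL(WARNING)" if warn_first
                else "SETROPTS PROTECTALL(FAILURES)")
    return cmds


def build_undo_deck(hlqs):
    """The 'kill' set: reverse order, profiles before the IDs that anchor them."""
    cmds = ["SETROPTS NOPROTECTALL"]
    for h in reversed(hlqs):
        cmds.append(f"DELDSD '{h.name}.**'")
        if h.kind == "group":
            cmds.append(f"DELGROUP {h.name}")
        elif h.kind == "user":
            cmds.append(f"DELUSER {h.name}")
    cmds.append("SETROPTS GENERIC(DATASET) REFRESH")
    return cmds


def as_tso_batch_job(cmds, jobname="RACFLOAD"):
    """Wrap the commands in a batch TMP job (IKJEFT01 reading SYSTSIN)."""
    lines = [f"//{jobname:<8} JOB (ACCT),'RACF LOAD',CLASS=A,MSGCLASS=X",
             "//TMP      EXEC PGM=IKJEFT01",
             "//SYSTSPRT DD SYSOUT=*",
             "//SYSTSIN  DD *"]
    for c in cmds:
        if len(c) > 70:   # assumption: stay inside the 72-column card image, no continuation
            raise ValueError(f"command too long for SYSTSIN without continuation: {c}")
        lines.append(f"  {c}")
    lines.append("/*")
    return "\n".join(lines)


# Constructed sample input. SYS1 already exists in every RACF database, and
# SYS1.** must be covered before PROTECTALL or the system itself loses access.
SAMPLE = [
    Hlq("SYS1", "existing", "SYS1", alter=["SYSPROG"], read=["*"]),
    Hlq("PAYROLL", "group", "SYS1", alter=["PAYADM"], read=["PAYCLERK"]),
    Hlq("BATCHJOB", "user", "SYS1", read=["PAYADM"]),
]

if __name__ == "__main__":
    print(as_tso_batch_job(build_deck(SAMPLE)))
    print(as_tso_batch_job(build_undo_deck(SAMPLE), jobname="RACFUNDO"))
```

Review the generated load job before submitting it, run under PROTECTALL(WARNING) for a while and watch the ICH408I messages for data sets that no profile covers, add those HLQs to the list, and only then regenerate with warn_first=False. Keep both generated jobs with the system backups, as Dick suggests.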
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

PostPosted: Thu Jun 09, 2011 3:16 pm

I don't profess to be Mr RACF although I have worked with it in the past.

I was merely attempting to point Prino in the right direction. As stated in my post, it was just from memory.
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19244
Location: Inside the Matrix

PostPosted: Thu Jun 09, 2011 7:32 pm

Hello,

Quote:
You clearly don't have anything close to that level of expertise, so when it comes to matters related to RACF, the world will thank you to SHUT UP!
Opinions vary. . . Many would rather have an Expat "guess" than some people's "fact".

More importantly (at least to me). This forum is intended to support "technical" q & a. It is not meant for self-advertising. . .

d
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Thu Jun 09, 2011 7:48 pm

i have found that people who blow their own horns,
usually have small instruments.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Thu Jun 09, 2011 9:14 pm

Dick,

No self advertising was ever intended. I was responding to sarcastic innuendoes accusing me of being self-serving and to unwarranted attacks on my credibility and level of expertise. I regard these as extremely serious accusations that prompted what for me was a most unusual harsh response. This is not the first time I have been subjected to Expat's unjustified attacks; however, this time I simply could not let them go unanswered. Unfortunately, I let anger get the better of me and crossed the line with a few of my comments.

Robert, the original poster, is starting from scratch with the laudable goal of building a well protected system using RACF. This is a big effort requiring considerable expertise to do it right and fraught with risk of causing major system problems or creating vulnerabilities if done incorrectly. There are many, many steps that must be carefully choreographed to complete a full, proper RACF implementation. Far too many than can be reasonably addressed via a forum such as this. Since Robert seems to be a RACF newcomer, he would be far better off seeking the help of a RACF professional with this effort, just as I myself did when I was first getting started with RACF. Nowhere did I suggest the RACF professional he chooses be me. My intent, then and now, was only to offer helpful advice.

Opinion is fine in many circumstances, but not for making offhand suggestions about activating an option with which you are not thoroughly familiar. PROTECTALL can be lethal to a system if activated without proper prior preparation. In my opinion, making such suggestions is best left to someone who truly knows the subject product.
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Thu Jun 09, 2011 9:21 pm

For someone who is booked solid and does not have time to help,
seems as if Mr. Hansel, LRS, has plenty of time to write novelettes
in order to set the record straight
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

PostPosted: Thu Jun 09, 2011 10:19 pm

OK folks, shall we call it a day now.

First of all, I had a bad morning and after some time for further reflection feel that my comments were not warranted. So I will take this opportunity to apologise for that.

Also, by looking at other posts from Prino I believe that this is for a Hercules based MVS system, so probably not a great problem if it all goes belly up.

Dick and Dick, my thanks for your support, it is appreciated.
It's a nice feeling to know that I am still appreciated too icon_wink.gif

Robert, I believe that it is one of the unwritten rules of the forum that members do not post their company details either directly or by way of a footnote.
prino

Senior Member


Joined: 07 Feb 2009
Posts: 1306
Location: Vilnius, Lithuania

PostPosted: Fri Jun 10, 2011 2:43 pm

All,

This is indeed about a Hercules based system running something it should not be running - I've been out of work for the past 20 months, without much hope of getting anything new, 51 is not a good age and not having COBOL knowledge doesn't help either, PL/I jobs are thin on the ground.

I've managed to create an additional account on the system, with rather a lot fewer privileges than the supplied one, and if things do go belly-up, I can simply roll back all changes by going to a previous backup of the Hercules-created shadow disks.

Having this system gives me an opportunity to not only keep my skills reasonably (z/OS 1.10) current, but also to expand them with some more admin skills, such as RACF, and one of the things I would like to do with the latter is to make the system reflect the ones at my last two clients/employers, i.e. as I wrote in the first post of this thread, make it a system where everything is off limits, unless specifically authorized.

I have 0.0 RACF experience, and most certainly do not have the money to pay for professionals, whether real or self-declared, to help me. I'm sure that spending a few weeks going through ICHZA790.PDF, aka the "RACF Security Administrator's Guide" will tell me everything that I need to know, but some simple basic hints as how to start would be most welcome.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Fri Jun 10, 2011 3:16 pm

Robert,

Try getting a copy of the book "Mainframe Basics for Security Professionals: Getting Started with RACF". It summarizes the Guide. Also Google "RACF Presentations" as you may find something helpful among the copies of RACF presentations posted on the Internet. IBM has quite a few; although I don't know if any of them will provide the help you seek.
All times are GMT + 6 Hours