MVS

Security—RACF Supersedes Keyword

Computer security seems to be the lead article in either TIME magazine, the Wall Street Journal, or the Washington Post every month. It makes you wonder, is your data secure?

The Computing Facilities Branch (CFB) will soon be making changes to the MVS system in order to help you bolster the security of your data. Part of the change on MVS is to use RACF (Resource Access Control Facility) for more of the security functions and to phase out the keyword subsystem. RACF took over logon password processing from the keyword subsystem in January of 1994. At that same time, it became the primary facility for controlling access to disk data sets. Although your data may have some protection provided by the keyword subsystem today, you should be using RACF for a complete set of security facilities for disk data.

Suppose you have decided that your MVS data should be available to everyone, but you do not want someone else to delete it. If you would like to protect your data using RACF but still make it available to those of your associates who need access to it, read on. CFB offers a number of facilities on the MVS platform to assist you in protecting your resources. It's up to you to decide which of your data sets should be protected and who should have access to them.

How to Set Up Levels of Access

It is easy to tell RACF what to protect and who should have access to it. Simply type ENTER RACF when you are in WYLBUR, and you will be prompted for information. Suppose you have data sets which are all named with your account and initials followed by .EXPERMNT. followed by one or more sets of characters, such as TEST1, DOC, etc., separated by periods. If there are a number of your associates who need access to the data sets, you will want to create a group to represent all of these users. In WYLBUR, type ENTER RACF and select GP (the group processing function) in order to define a group. There is a naming convention at the Computer Center that requires that the first character of a group name be an @. Assume you choose the name @MYGRP. The GP function will make sure that @MYGRP does not already exist. After creating the group, you can use the CN (connect) function to make your associates members of this group. The session scenario below shows the input and output of performing these steps.

You can protect all of the data sets, which are stored (named) with your account and initials, by using a RACF generic definition. Use ENTER RACF and select P GENERIC (the protect function with the generic option). For example, if the name that you provide is EXPERMNT.**, RACF protects any data set with EXPERMNT as the second qualifier, followed by one or more sets of characters separated by periods. The system will place the account/initials that you logged on with in front of that name, resulting in the name AAAAIII.EXPERMNT.**. You will then be prompted for the RACFID of the "owner" of this definition; you should probably use your initials, III. You will then be asked for the RACFID of a user that has authority to protect data sets under your initials. This too should probably be your initials, III. Then you will be asked whether you want to share your data universally at the NONE, READ, UPDATE, or ALTER level (called universal access). What you define for universal access will be granted to anyone who can access the MVS system (via WYLBUR, TSO, batch, or IMS).

Suppose you choose NONE as the universal access. Suppose further that you want your associates to be able to READ your data sets. After completing the PROTECT command, select M GENERIC (the modify function). You will be asked for a generic name: use EXPERMNT.** just as you did above. Next, you want to ADD (A) your group to the access list. Since you want to give them READ authority, you answer READ when prompted for the access type. Next you will be prompted for the names of users or groups to be given access. You can enter @MYGRP and cover all of your associates. Later, if you change your mind about the universal access or about who should be members of your group, the ENTER RACF command has functions to allow you to easily change the security information.
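To make the effect of these three steps concrete, here is a small model of the resulting access decision. It is an added example, not code from the NIH Computer Center or from RACF itself; the generic-name matching follows the article's description (a trailing ** stands for one or more period-separated qualifiers), the access levels are the four the article names, and the resolution rule (highest of universal access and any entry for the user or the user's groups, first covering profile wins) is a simplification of real RACF processing.

```python
"""Toy model of the RACF access decision described above.
Constructed example; not the Computer Center's or IBM's code."""

# Access levels in the order the article lists them; a higher index means more authority.
LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]


def rank(level):
    return LEVELS.index(level)


def generic_matches(profile, dsname):
    """Match a generic profile as the article describes it: a trailing '**'
    stands for one or more qualifiers (period-separated groups of characters)."""
    p_parts, d_parts = profile.split("."), dsname.split(".")
    if p_parts[-1] == "**":
        head = p_parts[:-1]
        return d_parts[:len(head)] == head and len(d_parts) > len(head)
    return p_parts == d_parts


def check(profiles, groups, userid, dsname, requested):
    """Return 'ALLOW', 'DENY', or 'NOT PROTECTED' for userid's request.
    Simplification: the first profile covering the data set decides, and the
    granted level is the highest of UACC and any access-list entry for the
    user or for a group the user is connected to."""
    for prof in profiles:
        if not generic_matches(prof["name"], dsname):
            continue
        granted = prof["uacc"]
        ids = [userid] + [g for g, members in groups.items() if userid in members]
        for entry in ids:
            level = prof["acl"].get(entry)
            if level is not None and rank(level) > rank(granted):
                granted = level
        return "ALLOW" if rank(granted) >= rank(requested) else "DENY"
    return "NOT PROTECTED"   # no RACF definition covers this data set


# The article's scenario: group @MYGRP owned by III with IIX and IIY connected,
# and a generic definition with universal access NONE and READ for the group.
GROUPS = {"@MYGRP": {"IIX", "IIY"}}
PROFILES = [{"name": "AAAAIII.EXPERMNT.**", "uacc": "NONE",
             "owner": "III", "acl": {"@MYGRP": "READ"}}]

if __name__ == "__main__":
    for user, ds, req in [("IIX", "AAAAIII.EXPERMNT.TEST1", "READ"),
                          ("IIX", "AAAAIII.EXPERMNT.TEST1", "UPDATE"),
                          ("ZZZ", "AAAAIII.EXPERMNT.DOC.V2", "READ"),
                          ("IIY", "AAAAIII.OTHER.DATA", "READ")]:
        print(f"{user:4} {req:6} {ds:28} -> {check(PROFILES, GROUPS, user, ds, req)}")
```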

The following are some benefits in using RACF protection:

You can read more about using RACF in the NIH Computer Center Users Guide, Section 1.7.4. The Users Guide also describes some of the other utilities that enable you to protect data, such as encryption (DSSCM and DSUNSCRM), data erasure upon deletion of the data set (ADSERASE), and the keyword subsystem. Each of these utilities was written for the NIH environment. However, the keyword subsystem will be replaced by functions available through RACF in the future, so you should consider learning to use RACF now.

Session Scenario for Creating a Group

In the following example, extraneous output is not shown:

ENTER RACF

*** Entering RACF Processing ***

If you wish to receive the guidelines, reply YES.

GUIDELINES? n

Enter the desired function:

FUNCTION? gp

Enter the desired group processing function

CREATE (C)
CONNECT (CN)
REMOVE (R)
CHANGE OWNER (CO)
DELETE (D)
LIST (L)
END (E)

GROUP FUNCTION? c
Enter the 2 to 8 character group name (first character must be "@").
NAME: @mygrp

Please wait, checking RACF data base for uniqueness of group name.

Enter the RACFID that is to be the owner of group @mygrp.

OWNER? iii

Group @MYGRP will be created, the owner will be III

Is the information listed above correct?
CORRECT? yes

The following attributes will be used to submit the job:

HOLD NOTIFY PRINT CENTRAL NO DISCOUNT NO QUICK NO PURGE

If these attributes are correct, reply YES.
ATTRIBUTES CORRECT? yes
JOB 2460 IIIRACF submitted
JOB 2460 IIIRACF has been submitted to perform the GROUP CREATE function.
Check the output of this job to ensure successful completion.

Do you wish to perform more group functions?
MORE? yes

Enter the desired group processing function

GROUP FUNCTION? cn
Enter the name of the group to which you wish to connect users.
GROUP? @mygrp
Enter the RACFID of the owner of group @MYGRP.
OWNER? iii
Enter 1 to 15 RACFIDs that you wish to add to group @MYGRP.
RACFID(S): iix iiy

The following users will be connected to group @MYGRP:
IIX IIY.

Is the information listed above correct?
CORRECT? yes

The following attributes will be used to submit the job:

HOLD NOTIFY PRINT CENTRAL NO DISCOUNT NO QUICK NO PURGE

If these attributes are correct, reply yes.
ATTRIBUTES CORRECT? yes
JOB 2494 IIIRACF submitted
JOB 2494 IIIRACF has been submitted to perform the GROUP CONNECT function.
Check the output of this job to ensure successful completion.

Do you wish to perform more group functions?
MORE? n
RACF GROUP PROCESSING function terminated.




Interface 193 (December 15, 1995)
