IBM Server OS/390 Manuale Utente

OS/390 IBM Security Server (RACF)Planning: Installation and Migration GC28-1920-03

viii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

TrademarksThe following terms are trademarks of the IBM Corporation in the United States orother countries or both:  AIX/6000  BookManager 

x OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

About This BookThis book contains information about the Resource Access Control Facility (RACF),which is part of the OS/390 Security Server. The Se

 Chapter 6, “Customization Considerations” on page 29, highlights informationabout customizing function to take advantage of new support after th

RACF CoursesThe following RACF classroom courses are also available:Effective RACF Administration, H3927MVS/ESA RACF Security Topics, H3918Impl

Other Sources of InformationIBM provides customer-accessible discussion areas where RACF may bediscussed by customer and IBM participants. Other i

You can get sample code, internally-developed tools, and exits to help you useRACF. All this code works in our environment, at the time we make it

xvi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Summary of Changes| Summary of Changes| for GC28-1920-03| OS/390 Version 2 Release 4| This book contains primarily new information for OS/390 Versi

xviii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 1. Planning for MigrationThis chapter provides information to help you plan your installation's migration tothe new release of OS/390

Installation ConsiderationsBefore installing a new release of RACF, you must determine what updates areneeded for IBM-supplied products, system l

Auditing ConsiderationsAuditors who are responsible for ensuring proper access control and accountabilityfor their installation are interested in

4 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 2. Release OverviewThis chapter lists the new and enhanced functions of RACF for OS/390 Release 4and gives a brief overview of each new fu

Enhancements to Support for OpenEdition ServicesEnhancements to RACF's support for OpenEdition services include: Extended ability to audit t

The getUMAP and getGMAP services also look for default values. If getUMAP isgiven a UID as input and the corresponding USER profile has no OMVS seg

 The ALTUSER command allows an administrator to reset a user's password toa temporary password or a default value. This command is modified

system. This support provides a solution to many customers that find themselves insuch a situation.The PERMIT command has a new keyword to add user

OS/390 IBMSecurity Server (RACF)Planning: Installation and Migration GC28-1920-03

Enable/Disable ChangesOS/390 Version 2 Release 4 has a new product ID that affects the enable/disablefunction in all of its elements including th

Chapter 3. Summary of Changes to RACF Components forOS/390 Release 4This chapter summarizes the new and changed components of OS/390 Release 4Secur

Figure 2. Changed Callable ServicesCallableServiceName Description SupportinitUSP  If no OMVS segment is found in the user'sprofile, the i

Figure 3. New ClassesName Description SupportDSNADM DB2 administrative authority class DB2GDSNBP Grouping class for buffer pool privileges DB2GDS

Figure 4 (Page 2 of 3). Changes to RACF CommandsCommand Description SupportALTUSER This command supports the removal of all of theuser'

Figure 4 (Page 3 of 3). Changes to RACF CommandsCommand Description SupportTARGET The new keyword WDSQUAL is added to theRACF TARGET command

Figure 5. Changes to PSPI Data AreasData Area Description SupportAFC This data area maps the contents for the OpenEdition MVS security audit fun

RFXALET and RFXLOGS correspond to new fields in the RACROUTEREQUEST=FASTAUTH parameter list. These fields only exist in parameter listscreated with

RALTER Command Messages: ICH11304ISETROPTS Command Messages: ICH14042IRACF Manager Error Messages: ICH51011IRACF Processing Messages: IRR410IRACF

Figure 7. New Panels for RACFPanel Description SupportICHP241n This panel enables you to add an entry for theconditional access list and to ident

Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii. Fourth Edit

Publications LibraryFigure 10 lists changes to the OS/390 Security Server (RACF) publications library.Note: You are able to print the softcopy do

Chapter 4. Planning ConsiderationsThis chapter describes the following high-level planning considerations forcustomers upgrading to OS/390 Release

–OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 1.(GC28-1920-00)If you have RACF 1.9.2 installed, in additio

CompatibilityThis section describes considerations for compatibility between OS/390 Release 4Security Server (RACF) and OS/390 Release 3 Security

24 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 5. Installation ConsiderationsThis chapter describes the following changes of interest to the system programmerinstalling OS/390 Release 4

Figure 11 (Page 2 of 3). RACF Estimated Storage UsageStorageSubpool Usage How to Estimate SizeESQA RACF data sharing control area 300 (when

Figure 11 (Page 3 of 3). RACF Estimated Storage UsageStorageSubpool Usage How to Estimate SizeECSA RACF data set descriptor table andextensio

28 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 6. Customization ConsiderationsThis chapter identifies customization considerations for OS/390 Release 4 SecurityServer (RACF).For additio

ContentsNotices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiTrademarks . . . . . . . . . . . . . . . .

 Set the options in the RACF/DB2 external security module. To do this, seeOS/390 Security Server (RACF) System Programmer's Guide. Decide w

Chapter 7. Administration ConsiderationsThis chapter summarizes the changes to administration procedures that the securityadministrator should be

Enhancements of Global Access CheckingWhen you use RACROUTE REQUEST=AUTH processing (which utilizes globalaccess checking) for general resource cl

Chapter 8. Auditing ConsiderationsThis section summarizes the changes to auditing procedures for SMF records. SMF RecordsFigure 12 summarizes chan

34 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 9. Application Development ConsiderationsApplication development is the process of planning, designing, and codingapplication programs that

36 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 10. General User ConsiderationsRACF general users use RACF to: Log on to the system Access resources on the system Protect their own res

38 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

GlossaryAaccess. The ability to obtain the use of a protectedresource.access authority. An authority related to a request fora type of access to

SYS1.SAMPLIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Publications Library . . . . . . . . . . . . . . . . .

DATASET classes. The table is generated by executingthe ICHERCDE macro once for each class. The classdescriptor table contains both the IBM provid

Eentity. A user, group, or resource (for example, aDASD data set) that is defined to RACF.EXTRACT request. The issuing of the RACROUTEmacro with

LLIST request. The issuing of the RACROUTE macrowith REQUEST=LIST specified. A LIST request buildsin-storage profiles for RACF-defined resources.

posit. A number specified for each class in the classdescriptor table that identifies a set of flags that controlRACF processing options. See the

set that is RACF-protected by a discrete profile mustalso be RACF-indicated.RACROUTE macro. An assembler macro thatprovides a means of calling RA

supervisor. The part of a control program thatcoordinates the use of resources and maintains the flowof processing unit operations. Synonym for su

security program for the system. The batch jobowner is specified on the USER parameter on theJOB statement or inherited from the submitter of thej

How to Get Your RACF CDLet's face it, you have to search through a ton ofhardcopy manuals to locate all of the information youneed to secure y

48 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

IndexAaccess list entryconditional 23standard 23ACEEALET keyword 16ADDUSER command 15administrationclassroom courses xiiiadministration consider

Figures1. New Callable Services ... 112. Changed Callable Services ... 123. New Classes . . .

getGMAP callable service 6, 12getUMAP callable service 6, 12global access checking 10Hhardware requirementsplanning considerations 22HRF2240 9IIC

RR_Admin callable service 8, 11RACFclassroom courses xiiipublicationson CD-ROM xiisoftcopy xiiRACF 1.9migration path from 22RACF 1.9.2migration pa

Readers' Comments — We'd Like to Hear from YouOS/390Security Server (RACF)Planning: Installation and MigrationPublication No. GC28-1920-03O

Cut or FoldAlong LineCut or FoldAlong LineReaders' Comments — We'd Like to Hear from YouGC28-1920-03IBMFold and Tape Please do not staple F

IBMProgram Number: 5647-A01Printed in the United States of Americaon recycled paper containing 10%recovered post-consumer fiber.GC28-192ð-ð3

vi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

NoticesReferences in this publication to IBM products, programs, or services do not implythat IBM intends to make these available in all countries