
Defining Users and Groups

You define users to RACF by issuing RACF commands that include various user attributes, as well as other control information RACF will use. Some of the commands you might use in your user-definition tasks follow. (Note that this list is not an exhaustive list of either RACF commands or command descriptions. For a more complete description, see Appendix A and/or the RACF Command Language Reference.)

Commands for User Administration

ADDUSER Add a user profile to RACF
ALTUSER Change a user's RACF profile
CONNECT Connect a user to a group
DELUSER Delete a user profile from RACF and remove connection to all groups
REMOVE Remove a user from a group and assign a new owner for group data sets owned by the removed user
LISTUSER Display the contents of a user's profile
PERMIT Permit a user to access a resource (or deny access to a resource)
PASSWORD Change a user's password

In addition to defining individual users, you can define groups of users. Group members can share common access authorities to a protected resource.

One benefit of grouping users is that you can authorize the entire group, as a single unit, to access a protected resource. Another benefit is that attributes such as OPERATIONS can be assigned so that a given user has that attribute only when connected to a specific group, and the attribute is only effective for resources within the scope of that group.

Some of the commands you might use in your group-definition tasks follow. (Note that this is not an exhaustive list of either commands or command descriptions. For a more complete description, see Appendix A and/or the RACF Command Language Reference.)

Commands for Group Administration

ADDGROUP Define a subgroup of an existing group
ALTGROUP Assign a subgroup to a new superior group
DELGROUP Delete one or more groups
LISTGRP Display the contents of a group profile
PERMIT Permit a group of users to access a resource (or deny them access to a resource)
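The following REXX fragment, added here as an illustration and not taken from the manual, strings the user and group commands above together as they would be issued from TSO. The group PAYROLL, the user JSMITH, the data set PAYROLL.MASTER and the owning group SYS1 are constructed names.

```rexx
/* REXX: constructed example of user and group administration under TSO */
ADDRESS TSO
/* Define a new group as a subgroup of SYS1, owned by SYS1 */
"ADDGROUP PAYROLL SUPGROUP(SYS1) OWNER(SYS1)"
/* Define a user whose default group is PAYROLL; the profile is owned by PAYROLL */
"ADDUSER JSMITH NAME('J. SMITH') OWNER(PAYROLL) DFLTGRP(PAYROLL) PASSWORD(TEMP1234)"
/* Raise the user's group authority; CREATE includes USE */
"CONNECT JSMITH GROUP(PAYROLL) AUTHORITY(CREATE)"
/* group-AUDITOR: the attribute is effective only within PAYROLL's scope */
"CONNECT JSMITH GROUP(PAYROLL) AUDITOR"
/* Require a password change every 30 days */
"PASSWORD USER(JSMITH) INTERVAL(30)"
/* Authorize the whole group to read a data set, and deny one user explicitly */
"PERMIT 'PAYROLL.MASTER' CLASS(DATASET) ID(PAYROLL) ACCESS(READ)"
"PERMIT 'PAYROLL.MASTER' CLASS(DATASET) ID(JSMITH) ACCESS(NONE)"
/* Review the resulting profiles */
"LISTUSER JSMITH"
"LISTGRP PAYROLL"
/* Lock the user out of the system, then drop the group connection;
   SYS1 becomes the owner of any group data sets JSMITH owned */
"ALTUSER JSMITH REVOKE"
"REMOVE JSMITH GROUP(PAYROLL) OWNER(SYS1)"
```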

Assigning Optional User Attributes

You can assign user attributes by specifying keywords on RACF commands. User attributes describe various extraordinary privileges, restrictions, and processing environments that can be assigned to specified users in a RACF-protected system.

You can assign user attributes at either the user level or at the group level. When assigned at the user level, attributes are effective globally for the entire RACF-protected system. When assigned at the group level, their effect is limited to the profiles of resources within the scope of the group. The scope of control of a group-level attribute percolates down through a group-ownership structure from group to subgroup to subgroup, and so on. Percolation (and therefore the scope of control of the group-level attribute) is halted when a subgroup is owned by a user rather than by a superior group. Figure 1-1 shows an example of the scope of control of an attribute assigned at the group level.

Figure 1-1. Scope of Control of an Attribute Assigned at the Group-Level

Figure 1-1 shows a group ownership structure. In this figure, GROUP1 owns GROUP2, GROUP2 owns GROUP3 and USER1, and so on. A user who is connected to GROUP1 with the group-SPECIAL attribute has an explicit scope of control as shown in the figure. That is, the user cannot modify any profiles owned by GROUP5. Figure 1-2 lists and describes attributes that can be assigned at the user and group level. For a more complete description, see Chapter 3.
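To make the percolation rule concrete, the following Python model is added here (it is not part of the manual). It walks a constructed ownership structure in the spirit of Figure 1-1 and stops percolating wherever a subgroup is owned by a user; the group names and the rule that a profile is in scope only when its owner is an in-scope group are the assumptions it encodes.

```python
# Added example: scope of control of a group-level attribute (e.g. group-SPECIAL).
from collections import deque

# Constructed ownership structure, loosely modelled on Figure 1-1.
# name -> (kind, owner); kind is "group" or "user"; owner None is the top of the tree.
OWNERSHIP = {
    "GROUP1": ("group", None),
    "GROUP2": ("group", "GROUP1"),
    "GROUP3": ("group", "GROUP2"),
    "USER1":  ("user",  "GROUP2"),
    "GROUP4": ("group", "GROUP3"),
    "GROUP5": ("group", "USER1"),   # owned by a user, so percolation halts here
}


def groups_in_scope(root: str, ownership: dict = OWNERSHIP) -> set:
    """Groups reached from `root` by following group-owns-group links only.

    A subgroup owned by a user is never entered, so neither it nor anything
    beneath it falls within the scope of an attribute assigned at `root`.
    """
    kind, _ = ownership[root]
    if kind != "group":
        raise ValueError(f"{root} is not a group")
    scope = {root}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for name, (kind, owner) in ownership.items():
            if owner == current and kind == "group" and name not in scope:
                scope.add(name)
                queue.append(name)
    return scope


def profile_in_scope(attribute_group: str, profile_owner: str,
                     ownership: dict = OWNERSHIP) -> bool:
    """True if a group-level attribute held via `attribute_group` reaches a
    profile owned by `profile_owner` (assumption: owner must be an in-scope group)."""
    return profile_owner in groups_in_scope(attribute_group, ownership)


if __name__ == "__main__":
    print(sorted(groups_in_scope("GROUP1")))        # GROUP5 is absent
    print(profile_in_scope("GROUP1", "GROUP5"))     # False
```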

Chapter 1. Introduction

1-9

User Attribute / Description

SPECIAL

The SPECIAL attribute gives the user full control over all the RACF profiles in the RACF data set when you assign it at the user level. At the user level, the SPECIAL attribute allows the user to issue all RACF commands. When you assign the SPECIAL attribute at the group level, the group-SPECIAL user has full control over all resources that are within the scope of the group, and cannot issue RACF commands that would have a global effect on RACF processing.

AUDITOR

When you assign the AUDITOR attribute at the user level, it gives the user full responsibility for auditing the security controls and the use of system resources across the entire system. With it, the user can specify logging options on the RACF commands, can list the auditing options of any profiles using the RACF commands, and can control additional logging to the SMF data set for detecting changes and attempts to change the RACF data set or for detecting accesses and attempted accesses of RACF-protected resources.

When you assign the AUDITOR attribute at the group level (that is, when you assign the group-AUDITOR attribute), authority is restricted to resources that are within the scope of the group.

OPERATIONS

When you assign this attribute at the user level, it allows the user to perform any maintenance operations, such as copying, reorganizing, cataloging, and scratching, on RACF-protected resources. At the group-OPERATIONS level, authorization to perform these operations is restricted to the resources that are within the scope of the group.

CLAUTH

The CLAUTH (class-name authorization) attribute allows the user to define profiles for any of the classes specified by class-name. A class is a collection of RACF entities with similar characteristics. See Chapter 3 for a list of valid class-names.

GRPACC

Group data sets that are allocated by this user and protected by discrete profiles are automatically accessible to other users in the group. A group data set is a data set whose high-level qualifier (or RACF naming convention table-derived qualifier) is equivalent to a RACF-defined group name.

ADSP

The ADSP attribute establishes an environment in which all permanent DASD data sets created by this user are automatically defined to RACF and protected with a discrete profile. ADSP can be assigned at the group level, in which case it is effective only when the user is connected to that group.

REVOKE

This attribute excludes the RACF-defined user from entering the system.

REVOKE can be assigned at the group level, in which case the user cannot enter the system connected to that group.

Note: You and your delegates should assign the SPECIAL, AUDITOR, and OPERATIONS attributes to the minimum number of people necessary to administer security at the installation.

Figure 1-2. User Attributes

Assigning Group Authorities

Each user in a group may have different responsibilities for the group. These responsibilities may include creating resource profiles to be used by the group and adding new members to the group. You should assign a specific level of group authority to the user based on the user's responsibilities for administering and maintaining the group to which the user is connected. (You can do this with the ADDUSER, ALTUSER, or CONNECT command.)

The group authorities you can assign to a user are (in order of least to most authority): USE, CREATE, CONNECT, and JOIN. Each higher-level authority includes the lower levels of authority. Basically, the USE authority permits a user to access resources to which the group is authorized; the CREATE authority permits the user to create resource profiles; the CONNECT authority enables the user to add previously RACF-defined users to the group; and the JOIN authority enables the user to define new members and new groups. See "Group Authorities" in Chapter 3 for specific details.

Profiles Associated with Users and Groups

When you use the various RACF commands to define users and groups, the information RACF gathers from these commands is stored in profiles and placed in the RACF data set. A general description of user, group, and connect profiles follows:

The User Profile: The user profile defines an individual user. Some of the things the user profile can contain are:

• Information about the user's identity, such as name and password (encrypted or masked)

• User attributes that are effective globally

• The name of the user's default group

• The name of a model profile to be used when new profiles are created

• Information about what logging is to be done for this user

• How often the user's password is to be changed

The Group Profile: The group profile defines a group. Some of the things the group profile can contain are:

• Information about the group, such as who owns it and what subgroups it has

• A list of connected users

• The group authorities of each member

• The name of a model profile to be used when new groupname data set profiles are created.

The Connect Profile: A connect profile is created automatically whenever you define a new user to RACF and connect the user to a default group with the ADDUSER command, or whenever you connect a previously-defined RACF user to an existing RACF group with the CONNECT command. The connect profile contains:

• The name of the owner of the profile

• User attributes that are effective within the scope of the group

• Other information about the group
