Re: RACF AUDITOR authority and OMVS segment
Lucy,

Do you have any profiles in the RACF FIELD class that are limiting access? Do a SR CLASS(FIELD) NOMASK and see what profiles you have. Look for a profile prefixed USER., then do an RL FIELD profile_name and see if the auditor has access.

Mark

On 07/07/2009 02:45, Lucymarie Ruth lucymarie.r...@safeway.com wrote:

> Hi. The z/OS V1R10.0 RACF Security Server RACF Administrator's Guide says that "The user who has the AUDITOR attribute can list all of the profile information that is available to the SPECIAL user, as well as information that is available to auditors." In table 40 in the same manual, it says that a userid with AUDITOR authority can also specify all operands of the RACF LISTUSER command.
>
> However, one of our users with AUDITOR authority received a message that she did not have authority to view an OMVS segment when issuing this:
>
>     LU user-id NORACF OMVS
>
> Is this a bug, a feature, or just an anomaly that needs to be explained? Anyone else noticed this?
>
> Lucymarie Ruth, Safeway, Inc.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF AUDITOR authority and OMVS segment
Lucymarie,

Does this user have System-level AUDITOR authority or Group-level AUDITOR authority? If you execute an LU command on her ID and AUDITOR appears in the first couple of lines associated with ATTRIBUTES, she has System-level AUDITOR and should be able to execute the command. If instead you see AUDITOR associated with CONNECT ATTRIBUTES in one or more of her group connections, she only has Group-level authority and will not be allowed to examine segments unless she is given FIELD class profile permissions.

To allow her to examine OMVS segment information, you might need to define a profile like USER.OMVS.* in the FIELD class and give her READ access. You'll first need to review any other profiles you may have defined in the FIELD class to determine what is appropriate. Bear in mind that this would enable her to list the OMVS segments of all users, not just those within her otherwise limited scope of groups.

BTW, if you happen to know Juanita Dean, Jenny Kwok, or Cindy Skeim on the security staff, please give them my regards.

Regards,
Bob

Robert S. Hansel          | 2009 RACF Training
Lead RACF Specialist      | Intro Basic Admin - Boston - SEPT 22-24
RSH Consulting, Inc.      | Audit for Results - Boston - NOV 3-5
www.rshconsulting.com     | Visit our website for registration details
617-969-8211              |

-----Original Message-----
Date: Mon, 6 Jul 2009 20:41:23 -0500
From: Lucymarie Ruth lucymarie.r...@safeway.com
Subject: RACF AUDITOR authority and OMVS segment
Re: RACF AUDITOR authority and OMVS segment
Lucymarie,

RACF questions are always best asked on the RACF-L. That is the forum for RACF related questions.

Now to your specific question... Auditor (system level or group level) gives the user the ability to list any RACF base segment within scope. What it does not do is give the ability to view segments (OMVS, TSO, CICS, etc...) outside the base. To give your auditor the ability to list the content of the TSO segment, you would need to define FIELD USER.TSO.*, and permit them to the resource with READ.

Sample commands (assumes you've never used FIELD):

    SETROPTS GENERIC(FIELD) GENCMD(FIELD)
    RDEF FIELD USER.TSO.* UACC(NONE) OWNER( specify an owner here )
    /* let users see their own TSO segment */
    PE USER.TSO.* CLASS(FIELD) ID(&RACUID) ACCESS(READ)
    /* let group AUDITORS view all users' TSO segments */
    PE USER.TSO.* CLASS(FIELD) ID(AUDITORS) ACCESS(READ)
    SETROPTS CLASSACT(FIELD) RACLIST(FIELD)

Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177
Re: RACF AUDITOR authority and OMVS segment
Lucymarie,

RACF questions are always best asked on the RACF-L. That is the forum for RACF related questions. (Sorry, I got distracted and posted stuff for the TSO segment instead of the OMVS segment.)

Now to your specific question... Auditor (system level or group level) gives the user the ability to list any RACF base segment within scope. What it does not do is give the ability to view segments (OMVS, TSO, CICS, etc...) outside the base. To give your auditor the ability to list the content of the OMVS segment, you would need to define FIELD USER.OMVS.*, and permit them to the resource with READ.

Sample commands (assumes you've never used FIELD):

    SETROPTS GENERIC(FIELD) GENCMD(FIELD)
    RDEF FIELD USER.OMVS.* UACC(NONE) OWNER( specify an owner here )
    /* let users see their own OMVS segment */
    PE USER.OMVS.* CLASS(FIELD) ID(&RACUID) ACCESS(READ)
    /* let group AUDITORS view all users' OMVS segments */
    PE USER.OMVS.* CLASS(FIELD) ID(AUDITORS) ACCESS(READ)
    SETROPTS CLASSACT(FIELD) RACLIST(FIELD)

Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177
Re: RACF AUDITOR authority and OMVS segment
On Tue, 7 Jul 2009 09:48:12 -0400, Hayim Sokolsky hsokol...@dtcc.com wrote:

> Now to your specific question... Auditor (system level or group level) gives the user the ability to list any RACF base segment within scope. What it does not do is give the ability to view segments (OMVS, TSO, CICS, etc...) outside the base. To give your auditor the ability to list the content of the OMVS segment, you would need to define FIELD USER.OMVS.*, and permit them to the resource with READ.
>
> Sample commands (assumes you've never used FIELD):

Sorry, Hayim, but users with AUDITOR do not need FIELD authority, at least according to our documentation. From the RACF Command Language Reference:

    Listing the other segments of a user profile: To list information from segments other than the RACF segment for a user profile, including your own, one of the following conditions must be true:
    * You have the SPECIAL or AUDITOR attribute
    * You have at least READ authority to the desired field within the segment through field-level access checking.

I agree, of course, that RACF questions should be on RACF-L rather than IBM-MAIN.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
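As an added example (not code from this thread, from IBM or from any of the posters), the following Python script does by program what Bob Hansel's reply describes doing by eye: it reads LISTUSER output, tells a system-level AUDITOR (on the base ATTRIBUTES line) from a group-level one (under a group's CONNECT ATTRIBUTES), and then applies the listing rule Walt Farrell quotes from the Command Language Reference (SPECIAL or AUDITOR attribute, otherwise READ to the field through FIELD class checking). The LISTUSER output is constructed to mimic the real layout; the userids AUD01 and AUD02, the group AUDGRP, the field name UID and the FIELD permit tables are assumptions for illustration. The script also assumes, following Bob's and Hayim's reading, that only the system-level attribute satisfies the first condition, which the thread itself does not settle for group-level AUDITOR.

```python
"""Classify AUDITOR authority from LISTUSER output and decide whether a user
may list a non-base segment (OMVS, TSO, ...) of a user profile.
Added example, not code from the IBM-MAIN thread or from IBM. The LISTUSER
output is constructed to mimic the real layout; userids AUD01/AUD02, group
AUDGRP and field name UID are assumptions for illustration."""
from dataclasses import dataclass, field

# Constructed: AUDITOR on the base-segment ATTRIBUTES line (system-level).
LU_SYSTEM_AUDITOR = """\
USER=AUD01    NAME=SYSTEM AUDITOR     OWNER=SYS1     CREATED=09.001
 DEFAULT-GROUP=SYS1     PASSDATE=09.150  PASS-INTERVAL= 30
 ATTRIBUTES=AUDITOR
 REVOKE DATE=NONE   RESUME DATE=NONE
 CLASS AUTHORIZATIONS=NONE
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=09.001
    CONNECTS=   12  UACC=NONE     LAST-CONNECT=09.188/09:31:02
    CONNECT ATTRIBUTES=NONE
"""

# Constructed: AUDITOR only under a group's CONNECT ATTRIBUTES (group-level).
LU_GROUP_AUDITOR = """\
USER=AUD02    NAME=GROUP AUDITOR      OWNER=SYS1     CREATED=09.001
 DEFAULT-GROUP=SYS1     PASSDATE=09.150  PASS-INTERVAL= 30
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 CLASS AUTHORIZATIONS=NONE
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=09.001
    CONNECTS=   12  UACC=NONE     LAST-CONNECT=09.188/09:31:02
    CONNECT ATTRIBUTES=NONE
  GROUP=AUDGRP    AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=09.100
    CONNECTS=    3  UACC=NONE     LAST-CONNECT=09.180/14:02:11
    CONNECT ATTRIBUTES=AUDITOR
"""


@dataclass
class UserAuthority:
    userid: str
    system_attrs: set = field(default_factory=set)   # base-segment ATTRIBUTES=
    group_attrs: dict = field(default_factory=dict)  # group -> CONNECT ATTRIBUTES


def _attrs(line: str) -> set:
    """'ATTRIBUTES=SPECIAL AUDITOR' -> {'SPECIAL', 'AUDITOR'}; NONE -> empty set."""
    return {a for a in line.split("=", 1)[1].split() if a != "NONE"}


def parse_listuser(output: str) -> UserAuthority:
    """Pull the user's own ATTRIBUTES line and each group's CONNECT ATTRIBUTES
    out of LISTUSER output (the two places Bob Hansel's reply says to look)."""
    ua = UserAuthority(userid="")
    current_group = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("USER="):
            ua.userid = line.split()[0][len("USER="):]
        elif line.startswith("GROUP="):          # DEFAULT-GROUP= does not match
            current_group = line.split()[0][len("GROUP="):]
            ua.group_attrs.setdefault(current_group, set())
        elif line.startswith("CONNECT ATTRIBUTES=") and current_group:
            ua.group_attrs[current_group] = _attrs(line)
        elif line.startswith("ATTRIBUTES="):
            ua.system_attrs = _attrs(line)
    return ua


def auditor_level(ua: UserAuthority) -> str:
    """SYSTEM if AUDITOR is on the base ATTRIBUTES line, GROUP if it appears
    only under some CONNECT ATTRIBUTES, else NONE."""
    if "AUDITOR" in ua.system_attrs:
        return "SYSTEM"
    if any("AUDITOR" in attrs for attrs in ua.group_attrs.values()):
        return "GROUP"
    return "NONE"


def _best_field_profile(resource: str, field_permits: dict):
    """Most specific FIELD profile covering resource. Only exact names and the
    trailing-'*' generic form used in the thread (USER.OMVS.*) are handled;
    real RACF generic matching is richer than this simplification."""
    matches = [p for p in field_permits
               if p == resource or (p.endswith(".*") and resource.startswith(p[:-1]))]
    return max(matches, key=len) if matches else None


def can_list_segment(ua, target_userid, segment, field_name, field_permits) -> bool:
    """Rule quoted from the Command Language Reference: SPECIAL or AUDITOR
    attribute, or READ to the field via FIELD class checking. Assumption
    (Bob's and Hayim's reading, not settled in the thread): only the
    system-level attribute counts. field_permits maps FIELD profile name ->
    set of ids permitted at least READ."""
    if ua.system_attrs & {"SPECIAL", "AUDITOR"}:
        return True
    ids = {ua.userid} | set(ua.group_attrs)
    if ua.userid == target_userid:
        ids.add("&RACUID")  # PE ... ID(&RACUID) lets users see their own segment
    profile = _best_field_profile(f"USER.{segment}.{field_name}", field_permits)
    return profile is not None and bool(ids & field_permits[profile])


if __name__ == "__main__":
    for sample in (LU_SYSTEM_AUDITOR, LU_GROUP_AUDITOR):
        ua = parse_listuser(sample)
        print(ua.userid, auditor_level(ua))
```

The script reads a saved copy of LISTUSER output, so it reflects the profile as stored; as Lucymarie found later in the thread, a freshly granted attribute is not seen by a session that has not logged off and on again, so a live LU that fails for a user the script classifies as SYSTEM is worth re-testing after a fresh logon before chasing FIELD profiles.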
Re: RACF AUDITOR authority and OMVS segment
Walt,

I stand corrected. I assume that reference is for System-Special and System-Auditor only.

It does look like a documentation conflict between the Command Language Reference and the RACF Security Administrator's Guide. In the SAG, under 7.3 Field-level access checking, there is a statement:

    Note: If you do not activate the FIELD class and activate SETROPTS RACLIST processing for the FIELD class, only SPECIAL users can access fields in segments (other than the base segment) of RACF profiles.

As I didn't have time to test, I assumed this implied that AUDITOR users would not have READ access. My bad.

Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177
Re: RACF AUDITOR authority and OMVS segment
Sorry for the confusion. When I tested this the first time, I gave my alternate userid AUDITOR authority, and apparently did not log off and log back on before testing the LISTUSER command. Now when I logon with my alternate userid (which still has AUDITOR authority), I do see the OMVS segment, so the RACF System Admin manual is telling the truth.
RACF AUDITOR authority and OMVS segment
Hi. The z/OS V1R10.0 RACF Security Server RACF Administrator's Guide says that "The user who has the AUDITOR attribute can list all of the profile information that is available to the SPECIAL user, as well as information that is available to auditors." In table 40 in the same manual, it says that a userid with AUDITOR authority can also specify all operands of the RACF LISTUSER command.

However, one of our users with AUDITOR authority received a message that she did not have authority to view an OMVS segment when issuing this:

    LU user-id NORACF OMVS

Is this a bug, a feature, or just an anomaly that needs to be explained? Anyone else noticed this?

Lucymarie Ruth, Safeway, Inc.