Main Office:	800.631.0410
Sales Office:	800.533.3893

RACF Administration

Course: RACFAD01

Duration: 4 Days

Level: II

On our website at: http://www.verhoef-training.com/courses/RACFAD01.html

Course Summary

This course introduces students to the concepts, terminology, commands, and procedures involved in administering a RACF secured system. All major aspects of RACF administration are covered and these facilities will benefit the audit process. The course can be run with either online labs (if a suitable environment is available) or with paper based labs (if online access is not available).

Topics Covered In This Course

Introduction

Positioning RACF with SAF and Operating System
Security past and present
Security threats and the role of RACF
RACF Structure: Profiles and Classes
Review of available documentation

Where to start with Security

Policy statement production
Identifying Resources and ownership
Identifying the Users
Relating Resources and Users
Converting the policy to a Plan

The Group Structure

Identifying Business Groups
Relating Business Groups to RACF Groups
Associating Users with Groups
Group/Sub-group Hierarchy
Privilege Status –Special vs Group Special
Group Ownership and Connection

The RACF Commands

Entering RACF Commands
RACF Commands and the Manuals
Entering RACF Commands in Batch
Online Help

Defining/Deleting RACF Groups

Group Profile Commands
Adding a Group (ADDGROUP)
Deleting a Group (DELGROUP)
Modifying an existing Group (ALTGROUP)
Obtaining Group information (LISTGRP)
Specifying the Superior Group
Data set Profile Modelling
RACF Remote Sharing Parameters
Additional ADDGROUP Parameters
Additional Group Segments
Required authority levels for Group Commands

Defining Users

User Profile Commands
Adding a User profile (ADDUSER)
Deleting a User profile (DELUSER)
Modifying a existing user Profile (ALTUSER)
Obtaining user information (LISTUSER)
Specifying the Default Group
Group and Class Authority
Group Access Authority
RACF Remote Sharing Parameters
Data set Profile Modelling
RACF Authorities and Attributes
Security Levels and Security Categories
Security Labels
Defining the CICS Segments
Defining the DCE Segments
Defining the DFP Segment
Defining the LANGUAGE Segment
Defining the OMVS Segment and why
Defining the NETVIEW Segments)
Defining the OPERPARM Segments
Defining the TSO Segments and why
Defining the WORKATTR Segments
Parameters only applicable to ALTUSER
Required authority levels for User Commands
Basic PASSWORD
Changing Other Users Passwords
Full Syntax of PASSWORD
Required authority levels Password Command

Connecting Users to Groups

Connect and Remove Commands
CONNECT a user to a Group
REMOVE a user from a Group
Relevance to deleting a Group
Required authority levels for Connect/Remove

Data set Profiles

Data set Profile Commands
Discrete Data set Profiles
Generic Data set Profiles
Adding a data set profile (ADDSD)
Discrete Profile Parameters
Generic Wildcard Characters - %
Generic Wildcard Characters - *
Generic Wildcard Characters - **
Specifying Data set Attributes
Access Levels
Auditing Access Attempts
Profile Copying
RACF Remote Sharing Parameters
Security Level & Category Checking
Other Profile Attributes
Deleting a data set profile (DELDSD)
Modifying an existing data set profile (ALTDSD)
Parameters only applicable to ALTDSD
Obtaining data set profile information (LISTDSD)
Listing multiple data set Profiles
Listing Generic or Discrete Profiles
Required authority levels for data set Commands
Allowing other users/groups access (PERMIT)
Conditional Access Lists
Permitting Many Users access
Denying Users and Groups access
Deleting Access Lists
Required authority levels for Permit Command

General Resource Profiles

General Resource Profile Commands
Defining additional resources (RDEFINE)
Common RDEFINE Parameters
Providing extra Profile Information
TME Segment
Controlling DLF use - DLFCLASS
Controlling APPX use - APPCLU
Controlling PassTickets - PTKTDATA
Interfacing with Tivoli Products - ROLE
Controlling STCs - STARTED
Controlling access to SystemView - SYSMVIEW
Why not to use - TAPEVOL
Controlling access by screen - TERMINAL
The use of GTERMINL
Using TCICSTRN/GCICSTRN to protect CICS Transactions
Using WHEN(PROGRAM) to Protect Load Modules
RACF rather than ISFPARMS to Protect SDSF
Deleting a resource profile (RDELETE)
Modifying resource profiles (RALTER)
Parameters only applicable to RALTER
Obtaining information about resources ( RLIST)
Common RLIST Parameters
Listing Non-RACF Segments
Special RLIST Features
General resources and the PERMIT command
Required authority levels for General Resource Command

Special RACF Features

The Started Task Table
Using ICHRIN03
Using the STARTED Class
The Global Access Checking Table
Using the Global Access Checking Table
RACF Variables
Using the RACFVARS Class
Using RACF Variables
Field Level Access Checking
Using the FIELD Class
FIELD Class Examples
The FACILITY Class
Digital Certificates
Basic RACDCERT
Full RACDCERT Syntax
RACDCERT Command Authority
SEARCH Command Basics
SEARCH Control Parameters
The FILTER & MASK Parameters
FILTER & MASK Examples
The Backup RACF Database
The RACF Database Name Table
The RVARY Command

The SETROPTS Command

Why have SETROPTS?
Parameters associated with data set profiles
Parameters for general operation
Dynamic implementations (GENLIST & RACLIST)
US D-o-D requirements
Parameters related to JES
General Userid and Password options
Parameters applicable to AUDITOR authority
Required authority level for SETROPTS Command

RACF Remote Sharing Facility

The RACF Remote Sharing Facility
RACF Command Direction
RACF Password Synchronisation
Managed User Associations
Controlling RACLINK Use
Controlling Password Synchronisation
Controlling the AT Keyword
Automatic RACF Command Direction
Controlling Automatic RACF Command Direction
Combined RACF Command Direction
Use of ONLYAT Keyword
Automatic Password Synchronisation
Controlling Automatic Password Synchronisation
Password Synchronisation by Command
Combined RACF Command Direction
Defining RRSF Nodes
The RACF Subsystem & Parameter Library

RACF and Sysplex

Types of Sysplex
Basic Sysplex
Parallel Sysplex
RACF and Sysplex
RACF Communication
RACF Data Sharing
RACF Data Sharing Problems
The Four Sysplex Modes
The RACF Database Name Table
Coupling Facility Structures
Defining Coupling Facility Structures
In-Storage Profiles
RACLISTed profiles via RACROUTE
In-Storage Profiles and Sysplex
Introducing RACGLIST
RACGLIST and REFRESH
Using RACGLIST

Auditing RACF

Auditing data collection
RACF Report Writer Overview
RACFRW Command summaries
Extracting RACF records from SMF
IRRADU00
IFASMFDP
Using DB2 to process RACF SMF data
IRRADUTB
IRRUDULD
IRRADUQR
DSMON - Data Security Monitor
Overview of report types

RACF Utility Programs

IRRDBU00 –Unload Utility
IRRUT100 - Cross Reference Utility
IRRRID00 - The RACF Remove Userid Utility
IRRUT200 - Verification Utility
IRRUT400 - Split/Merge/Extend Utility
BLKUPD - Block-Update Utility Command

What You Can Expect

Identify the need for security in business information systems
Understand how RACF meets business information systems security needs
Design a group structure to meet their installations requirements
Describe the various ways in which RACF commands can be issued
Use the group related commands to administer the group structure
Describe the effect of the various group profile related parameters
Use the user related commands to administer user profiles
Use the various group authorities effectively
Explain the management and use of the various non-RACF segments in user profiles
Describe the effect of the various user profiles related parameters
Connect users to groups and manage the assigned group authorities
Describe the advantages and disadvantages of both discrete and generic data set profiles
Use the data set related commands to manage both discrete and generic profiles
Specify the appropriate auditing parameters for data set profiles
Provide users with the appropriate access to protected data sets
Use the general resource commands to manage general resources
Describe how CICS transactions, load modules, secured sign-on, and the started task table can be protected and controlled
Describe how digital certificates, field level access checking, and RACF variables can be protected and controlled
Use the search command to locate specified profiles in the database
Use and explain the operation of the RVARY and SETROPTS management commands
Explain how RACF Remote Sharing operates and how it's use can be controlled
Identify how the operation of RACF changes when running in a parallel sysplex
Explain how to control RACF operation in a parallel sysplex
Describe how to use the RACF Report Writer product to format and print audit records
Identify how to process RACF audit records within a DB2 database
Use and interpret the output of the Data Security Monitor
Use the database unload utility, cross reference utility, remove userid utility, database verification utility, database split/merge/extend utility, and the database block update utility

Who Should Take This Course

This course will benefit RACF Administrators, RACF Auditors, help desk personnel, and anyone requiring knowledge of RACF administration principles and practices. It is of particular benefit to those new to RACF administration or RACF auditing.

Recommended Prerequisites

No previous RACF experience is required however delegates should be fully familiar with the z/OS environment, and have an understanding of TSO/E ISPF/PDF.

Training Style

Hands-on, Instructor-Led Training

Related Courses

Code	Course Title	Duration	Level
ZSECAD	Effective IBM Tivoli zSecure Admin - Administration and Reporting	2 Days	I	Details

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.

Verhoef Training USA

Training Courses and On-Line Classes Preferred By IT Pros

Visit us at: http://www.verhoef-training.com