SUMMARY:   This course introduces students to the concepts, terminology, commands, and procedures involved in administering a RACF secured system. All major aspects of RACF administration are covered and these facilities will benefit the audit process. The course can be run with either online labs (if a suitable environment is available) or with paper based labs (if online access is not available). AUDIENCE:   This course will benefit RACF Administrators, RACF Auditors, help desk personnel, and anyone requiring knowledge of RACF administration principles and practices. It is of particular benefit to those new to RACF administration or RACF auditing. PREREQUISITES:   No previous RACF experience is required however delegates should be fully familiar with the z/OS environment, and have an understanding of TSO/E ISPF/PDF. DURATION:   4 Days APPROACH:   Hands-on, Instructor-Led Training OBJECTIVES:   Identify the need for security in business information systems Understand how RACF meets business information systems security needs Design a group structure to meet their installations requirements Describe the various ways in which RACF commands can be issued Use the group related commands to administer the group structure Describe the effect of the various group profile related parameters Use the user related commands to administer user profiles Use the various group authorities effectively Explain the management and use of the various non-RACF segments in user profiles Describe the effect of the various user profiles related parameters Connect users to groups and manage the assigned group authorities Describe the advantages and disadvantages of both discrete and generic data set profiles Use the data set related commands to manage both discrete and generic profiles Specify the appropriate auditing parameters for data set profiles Provide users with the appropriate access to protected data sets Use the general resource commands to manage general resources Describe how CICS transactions, load modules, secured sign-on, and the started task table can be protected and controlled Describe how digital certificates, field level access checking, and RACF variables can be protected and controlled Use the search command to locate specified profiles in the database Use and explain the operation of the RVARY and SETROPTS management commands Explain how RACF Remote Sharing operates and how it's use can be controlled Identify how the operation of RACF changes when running in a parallel sysplex Explain how to control RACF operation in a parallel sysplex Describe how to use the RACF Report Writer product to format and print audit records Identify how to process RACF audit records within a DB2 database Use and interpret the output of the Data Security Monitor Use the database unload utility, cross reference utility, remove userid utility, database verification utility, database split/merge/extend utility, and the database block update utility COURSE CONTENT:   Introduction Positioning RACF with SAF and Operating System Security past and present Security threats and the role of RACF RACF Structure: Profiles and Classes Review of available documentation Where to start with Security Policy statement production Identifying Resources and ownership Identifying the Users Relating Resources and Users Converting the policy to a Plan The Group Structure Identifying Business Groups Relating Business Groups to RACF Groups Associating Users with Groups Group/Sub-group Hierarchy Privilege Status –Special vs Group Special Group Ownership and Connection The RACF Commands Entering RACF Commands RACF Commands and the Manuals Entering RACF Commands in Batch Online Help Defining/Deleting RACF Groups Group Profile Commands Adding a Group (ADDGROUP) Deleting a Group (DELGROUP) Modifying an existing Group (ALTGROUP) Obtaining Group information (LISTGRP) Specifying the Superior Group Data set Profile Modelling RACF Remote Sharing Parameters Additional ADDGROUP Parameters Additional Group Segments Required authority levels for Group Commands Defining Users User Profile Commands Adding a User profile (ADDUSER) Deleting a User profile (DELUSER) Modifying a existing user Profile (ALTUSER) Obtaining user information (LISTUSER) Specifying the Default Group Group and Class Authority Group Access Authority RACF Remote Sharing Parameters Data set Profile Modelling RACF Authorities and Attributes Security Levels and Security Categories Security Labels Defining the CICS Segments Defining the DCE Segments Defining the DFP Segment Defining the LANGUAGE Segment Defining the OMVS Segment and why Defining the NETVIEW Segments) Defining the OPERPARM Segments Defining the TSO Segments and why Defining the WORKATTR Segments Parameters only applicable to ALTUSER Required authority levels for User Commands Basic PASSWORD Changing Other Users Passwords Full Syntax of PASSWORD Required authority levels Password Command Connecting Users to Groups Connect and Remove Commands CONNECT a user to a Group REMOVE a user from a Group Relevance to deleting a Group Required authority levels for Connect/Remove Data set Profiles Data set Profile Commands Discrete Data set Profiles Generic Data set Profiles Adding a data set profile (ADDSD) Discrete Profile Parameters Generic Wildcard Characters - % Generic Wildcard Characters - * Generic Wildcard Characters - ** Specifying Data set Attributes Access Levels Auditing Access Attempts Profile Copying RACF Remote Sharing Parameters Security Level & Category Checking Other Profile Attributes Deleting a data set profile (DELDSD) Modifying an existing data set profile (ALTDSD) Parameters only applicable to ALTDSD Obtaining data set profile information (LISTDSD) Listing multiple data set Profiles Listing Generic or Discrete Profiles Required authority levels for data set Commands Allowing other users/groups access (PERMIT) Conditional Access Lists Permitting Many Users access Denying Users and Groups access Deleting Access Lists Required authority levels for Permit Command General Resource Profiles General Resource Profile Commands Defining additional resources (RDEFINE) Common RDEFINE Parameters Providing extra Profile Information TME Segment Controlling DLF use - DLFCLASS Controlling APPX use - APPCLU Controlling PassTickets - PTKTDATA Interfacing with Tivoli Products - ROLE Controlling STCs - STARTED Controlling access to SystemView - SYSMVIEW Why not to use - TAPEVOL Controlling access by screen - TERMINAL The use of GTERMINL Using TCICSTRN/GCICSTRN to protect CICS Transactions Using WHEN(PROGRAM) to Protect Load Modules RACF rather than ISFPARMS to Protect SDSF Deleting a resource profile (RDELETE) Modifying resource profiles (RALTER) Parameters only applicable to RALTER Obtaining information about resources ( RLIST) Common RLIST Parameters Listing Non-RACF Segments Special RLIST Features General resources and the PERMIT command Required authority levels for General Resource Command Special RACF Features The Started Task Table Using ICHRIN03 Using the STARTED Class The Global Access Checking Table Using the Global Access Checking Table RACF Variables Using the RACFVARS Class Using RACF Variables Field Level Access Checking Using the FIELD Class FIELD Class Examples The FACILITY Class Digital Certificates Basic RACDCERT Full RACDCERT Syntax RACDCERT Command Authority SEARCH Command Basics SEARCH Control Parameters The FILTER & MASK Parameters FILTER & MASK Examples The Backup RACF Database The RACF Database Name Table The RVARY Command The SETROPTS Command Why have SETROPTS? Parameters associated with data set profiles Parameters for general operation Dynamic implementations (GENLIST & RACLIST) US D-o-D requirements Parameters related to JES General Userid and Password options Parameters applicable to AUDITOR authority Required authority level for SETROPTS Command RACF Remote Sharing Facility The RACF Remote Sharing Facility RACF Command Direction RACF Password Synchronisation Managed User Associations Controlling RACLINK Use Controlling Password Synchronisation Controlling the AT Keyword Automatic RACF Command Direction Controlling Automatic RACF Command Direction Combined RACF Command Direction Use of ONLYAT Keyword Automatic Password Synchronisation Controlling Automatic Password Synchronisation Password Synchronisation by Command Combined RACF Command Direction Defining RRSF Nodes The RACF Subsystem & Parameter Library RACF and Sysplex Types of Sysplex Basic Sysplex Parallel Sysplex RACF and Sysplex RACF Communication RACF Data Sharing RACF Data Sharing Problems The Four Sysplex Modes The RACF Database Name Table Coupling Facility Structures Defining Coupling Facility Structures In-Storage Profiles RACLISTed profiles via RACROUTE In-Storage Profiles and Sysplex Introducing RACGLIST RACGLIST and REFRESH Using RACGLIST Auditing RACF Auditing data collection RACF Report Writer Overview RACFRW Command summaries Extracting RACF records from SMF IRRADU00 IFASMFDP Using DB2 to process RACF SMF data IRRADUTB IRRUDULD IRRADUQR DSMON - Data Security Monitor Overview of report types RACF Utility Programs IRRDBU00 –Unload Utility IRRUT100 - Cross Reference Utility IRRRID00 - The RACF Remove Userid Utility IRRUT200 - Verification Utility IRRUT400 - Split/Merge/Extend Utility BLKUPD - Block-Update Utility Command TS/08