IBM Security Z Security


What is CKGOWNR and why is it granting access to my resources?

  • 1.  What is CKGOWNR and why is it granting access to my resources?

    Posted Wed April 14, 2021 04:06 PM
    Trying to review how I have "alter" access to a profile in class DASDVOL when I am not in the access list either via ID or group or resource owner.

    In ZSecure Admin, RA.3.4 (Permit/Scope), with my user ID and Specify type of authorization 3 3. Scope (access or administrative authority by any means):

    expanded (option "S Show additional information"):

    What is this? What is CKGOWNR? It's not in the resource class or profile access list. It's not defined to RACF. 
    The only documented reference to CKGOWNR is in the ZSecure messages manual with no indication of what it is, why it is, or where it is.
    How is it I am being granted alter access in this manner, and what does "-SCP.ID-" mean?  

    Thanks in advance for any help.

    David Malbuff

  • 2.  RE: What is CKGOWNR and why is it granting access to my resources?

    Posted Wed April 14, 2021 04:46 PM
    Hi David,

    When I look in the section on RA.3.4 in the Admin and Audit User Reference Manual for zSecure 2.4.0, I find:
    The Via column shows the user ID or group in the access list entry that gave the access indicated.
    The value can also be any of the following:

    followed by a list of values including -SCP.ID-
    followed by
    For more information, see the "VIA" field description in the REPORT_SCOPE NEWLIST in IBM Security zSecure CARLa Command Reference

    When I look in that section, I find the following explanation for that value:
    Resource in scope due to access permitted on a CKG.SCP.ID... scope check

    When I look at the ACCESS field for the same report type, I get redirected to a table for the ACCESS=<level> parameter of the REPORT CARLa command that explains CKGOWNR as:
    Access granted by the CKGRACF authorized component of IBM Security zSecure Admin through the CKG.SCP scope profiles. Exactly what can be changed further depends on CKG.CMD profile access. This can only be more access than standard RACF, not less.

    The CKGRACF component allows defining administrative scope at a very granular level. This scope is defined using profiles with prefixes as shown here, in a class that can be configured (it defaults to XFACILIT). For details, see Chapter 12 "CKGRACF Command Language" in the User Reference Manual.

    In the back of the chapter is a section "CKGRACF authority checks" with a subsection "Scope profiles", which explains, among other things:
    Access through CKGRACF is regulated by the access granted by two different checks: ID profile checks (CKG.SCP.ID), and user/group (U/G) profile checks (CKG.SCP.U or CKG.SCP.G). ID profiles permit access directly based on the groupid/userid associated with the target object. SCP.U/G profiles use the ownership tree of the target object, with as top qualifier either a user (for SCP.U profiles) or a group (for SCP.G profiles).

    Anyway, to make a long story short, CKGOWNR roughly means that you have "owner" level authority through CKGRACF, that is, you are authorized to use that component to make modifications.

    I hope this helps.

    Best regards,

    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite

  • 3.  RE: What is CKGOWNR and why is it granting access to my resources?

    Posted Thu April 15, 2021 03:12 AM
    Edited by Rob van Hoboken Thu April 15, 2021 03:14 AM
    To summarize Jeroen's explanation:

    CKGOWNR indicates that CKGRACF may give you the ability to modify the indicated profile, thus allowing you to grant yourself access. This is conditional on

    * CKGRACF being installed in an APF library and accessible to you
    * CKGRACF being tagged as an APF command/module in IKJTSOxx, or accessible through batch JCL
    * Access to individual CKGRACF (command) functions through CKG.CMD profiles

    The reported CKGOWNR access is similar to group special authority to the DASDVOL profile: you can change the profile. Such indirect access through group special or OWNER shows up in the scope report as OWNER.

    There is a lower grade of CKGRACF access indicated with CKGLIST; this is the result of having a READ PERMIT on the relevant CKG.SCP profile.

    How can you get rid of this indication, assuming you do not use CKGRACF, or you're currently not interested?  When you request a scope report by typing 3 for the type of authorization, you see a prompt panel for the types of authorization/privilege to ignore:

             zSecure Suite - RACF - User Permit

    Enter "/" to exclude access granted because of
       Universal Access
       Access to all RACF defined users
       Global Access Table
       Profiles in Warning mode allow ALTER to resource
       Resource is not protected
       User is special
       User is auditor
       User is group auditor, can review any profile in scope
       User is group operations, can access resources in scope
       User is group special, can modify any profile in scope
       User is owner of profile
       User can change password or password phrase of profile owner
       User is group special, can connect to any group in scope
       User can change his own user profile
       User has Devolved Authorities to RACMAP and DIGTCERT resources via CKGRACF
       User has Devolved Authorities over profile via CKGRACF
       CLAUTH class authorization or connect CREATE/CONNECT/JOIN authority

    Type an S or a / in front of the devolved authority reasons in the list.

    Rob van Hoboken
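The two explanations above (Jeroen's description of the CKG.SCP.ID versus CKG.SCP.U/G checks, and Rob's note that READ on a CKG.SCP profile shows up as CKGLIST) can be turned into a small model that shows why a user who is on no access list still ends up with CKGOWNR on a profile. The following is an added example, not code from zSecure or CKGRACF and not the product's real matching logic. The profile naming (CKG.SCP.ID.<id>, CKG.SCP.U.<user>, CKG.SCP.G.<group>), the way the ownership tree is walked, and the mapping of UPDATE-or-higher to CKGOWNR are assumptions made for the illustration; the RACF data is constructed.

```python
# Added example (not zSecure/CKGRACF code): a toy model of how a scope report
# could arrive at CKGOWNR or CKGLIST for a user who is on no resource ACL.
# Assumptions for this illustration (not from the thread):
#   - scope profiles are named CKG.SCP.ID.<id>, CKG.SCP.U.<user>, CKG.SCP.G.<group>
#   - the U/G check walks the target's owner, then that owner's owner /
#     superior group, up to the root
#   - UPDATE or higher on a matching scope profile is reported as CKGOWNR
# From the thread: READ on a matching CKG.SCP profile is reported as CKGLIST,
# and an ID-profile hit is shown in the Via column as "-SCP.ID-".
from dataclasses import dataclass

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class RacfModel:
    """Minimal stand-in for the RACF database (constructed sample data)."""
    user_owner: dict        # user ID -> owner (a user ID or a group)
    group_superior: dict    # group -> superior group, None at the root
    user_groups: dict       # user ID -> set of connect groups
    scope_profiles: dict    # scope profile name -> {user or group: access}

    def is_group(self, name):
        return name in self.group_superior

    def ownership_tree(self, owner):
        """Owner of the target, then its owner / superior group, up to the root."""
        chain = []
        node = owner
        while node is not None and node not in chain:   # guard against loops
            chain.append(node)
            if self.is_group(node):
                node = self.group_superior.get(node)
            else:
                node = self.user_owner.get(node)
        return chain

    def best_access(self, user, profile_name):
        """Highest access the user has on a scope profile, directly or via a connect group."""
        acl = self.scope_profiles.get(profile_name)
        if acl is None:
            return "NONE"
        ids = {user} | self.user_groups.get(user, set())
        return max((acl.get(i, "NONE") for i in ids), key=ACCESS_RANK.__getitem__)


def ckgracf_scope(db, user, target_owner):
    """Return (tag, via) for a target profile owned by target_owner.

    tag is "CKGOWNR", "CKGLIST" or None; via is "-SCP.ID-" for an ID-profile
    hit or the name of the matching U/G scope profile. Candidates are tried in
    order ID first, then the ownership tree, and the highest access wins.
    """
    candidates = [("CKG.SCP.ID." + target_owner, "-SCP.ID-")]
    for node in db.ownership_tree(target_owner):
        name = ("CKG.SCP.G." if db.is_group(node) else "CKG.SCP.U.") + node
        candidates.append((name, name))

    best_level, best_via = "NONE", None
    for profile, via in candidates:
        level = db.best_access(user, profile)
        if ACCESS_RANK[level] > ACCESS_RANK[best_level]:
            best_level, best_via = level, via

    if ACCESS_RANK[best_level] >= ACCESS_RANK["UPDATE"]:
        return "CKGOWNR", best_via        # assumption: UPDATE+ -> CKGOWNR
    if best_level == "READ":
        return "CKGLIST", best_via        # from the thread: READ -> CKGLIST
    return None, None


def sample_db():
    """Constructed sample: a DASDVOL profile owned by group APPS, which sits
    under PROD, which sits under SYS1. DAVID has no entry on the DASDVOL ACL,
    but his connect group DEVTEAM has UPDATE on CKG.SCP.G.PROD."""
    return RacfModel(
        user_owner={"DAVID": "DEVTEAM", "AUDIT1": "SYS1", "NOBODY": "SYS1"},
        group_superior={"SYS1": None, "PROD": "SYS1", "APPS": "PROD", "DEVTEAM": "SYS1"},
        user_groups={"DAVID": {"DEVTEAM"}, "AUDIT1": set(), "NOBODY": set()},
        scope_profiles={
            "CKG.SCP.G.PROD": {"DEVTEAM": "UPDATE"},
            "CKG.SCP.ID.APPS": {"AUDIT1": "READ"},
        },
    )


if __name__ == "__main__":
    db = sample_db()
    for user in ("DAVID", "AUDIT1", "NOBODY"):
        print(user, ckgracf_scope(db, user, "APPS"))
```

Running it shows DAVID reported as CKGOWNR via CKG.SCP.G.PROD (the ownership tree APPS, PROD, SYS1 reaches a group his connect group has UPDATE on), AUDIT1 as CKGLIST via -SCP.ID- (READ on the ID profile for the owner), and NOBODY with no CKGRACF scope at all. This is the kind of walk an administrator would do by hand to find which CKG.SCP profile, and which connect group, is behind an unexpected CKGOWNR line; the real product also gates the effect on CKG.CMD access, which the model leaves out.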