IBM Security Z Security


Protecting actions when entering '/' by a userid, group etc.

  • 1.  Protecting actions when entering '/' by a userid, group etc.

    Posted Thu November 12, 2020 10:12 AM
    Hi All,
    Is it possible to protect/customise the list of actions a user sees when they enter a '/' by a user, group, dataset or resource in the zSecure RA panels?

    Thanks and regards,

    ------------------------------
    Anji Stephens
    ------------------------------


  • 2.  RE: Protecting actions when entering '/' by a userid, group etc.

    Posted Thu November 12, 2020 10:16 AM
    for example


    ------------------------------
    Anji Stephens
    ------------------------------



  • 3.  RE: Protecting actions when entering '/' by a userid, group etc.

    Posted Thu November 12, 2020 10:34 AM
    Hi Anji,

    Yes, it is possible to control which zSecure action commands can be used by zSecure Users. You can define profiles in the (by default) XFACILIT class that start with CKR.ACTION.overview-type.entity.action-character. 
    You can then use the UACC and access list entries to control which users can use what action character at what zSecure panels.

    This function is documented in Appendix B. Security setup for zSecure, paragraph Resources that configure which line commands are allowed in the IBM Security zSecure Installation and Deployment Guide.

    I hope this helps.

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 4.  RE: Protecting actions when entering '/' by a userid, group etc.

    Posted Thu November 12, 2020 12:01 PM
    Thanks Tom. We did see these profiles in the manual but we were confused by the overview/entity combinations. For example, which menu options do RC, ZA, QC, TR etc. refer to please?

    We recognise the RA overview but not the others.

    Thanks and regards,

    ------------------------------
    Anji Stephens
    ------------------------------



  • 5.  RE: Protecting actions when entering '/' by a userid, group etc.

    Posted Thu November 12, 2020 12:50 PM
    Edited by Jeroen Tiggelman Thu November 12, 2020 12:53 PM
    Hi Anji,

    In most cases the overview-type is a report type. For example, RC is the two-letter abbreviation for TYPE=RACF.

    RACF profiles are divided into the entities USER, GROUP, DATASET, and RESOURCE. This is primarily tied to the record being displayed rather than the menu option per se. So "RC.R" does not only control menu option RA.R, but also [general resource output in] other reports that show general resource profiles using TYPE=RACF. (And "RA.R" refers to general resource output from report type RACF_ACCESS, which you find under option AM rather than RA... I can see that might be a tad confusing.)

    You can find the two-letter abbreviations for the report types using the primary command FIELDS, report BUILTIN: the second column headed "T2" (which is the NEWLIST_ABBREV field, which has the description "Newlist type 2-letter key").

       Type          T2 Fields Rpt Mod Sub Trn Tag
    __ RACF          RC    626 144 224 48        1
    __ RACF_ACCESS   RA     28   4   1          61

    If you sort on T2, you can easily find that QC is MQ_CONNECT (which you can find in RE.Q.CO) and TR is TRUSTED (for example, AU.S - RACF user - TRUSTED).

    In some cases menu options are not really related to a report type in that way. In particular, the part of the UI used to manage zSecure Alert (option SE.A) is not, and uses the overview-type ZA. You only find those explicitly listed in the Appendix, for example, "ZA.C: Alert (configuration selection)".

    I hope this helps.

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
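
Added example, not part of the thread or of IBM's documentation: RACF commands that restrict the action characters for general resource records shown by TYPE=RACF reports (the "RC.R" overview-type and entity discussed in the replies above), using the CKR.ACTION.overview-type.entity.action-character naming in the XFACILIT class. The group name ZSECADM and the READ access level are assumptions, and the generic `*` stands in for the action character; confirm the access level and the valid action characters in Appendix B of the Installation and Deployment Guide.

```tso
/* Constructed example. ZSECADM is a hypothetical group of        */
/* administrators who may use action characters on these records. */

/* Generic profiles must be active for the class before a profile */
/* ending in '*' can be defined.                                  */
SETROPTS GENERIC(XFACILIT)

/* Cover every action character for general resource records in   */
/* TYPE=RACF reports (RC = RACF, R = RESOURCE); default is deny.  */
RDEFINE XFACILIT CKR.ACTION.RC.R.* UACC(NONE)

/* Allow the administrator group. READ is an assumed level.       */
PERMIT CKR.ACTION.RC.R.* CLASS(XFACILIT) ID(ZSECADM) ACCESS(READ)

/* Refresh in-storage profiles if the class is RACLISTed.         */
SETROPTS RACLIST(XFACILIT) REFRESH

/* Review the resulting profile and its access list.              */
RLIST XFACILIT CKR.ACTION.RC.R.* AUTHUSER
```

Because "RC.R" is tied to the record type rather than one menu option, this profile applies wherever TYPE=RACF general resource records are displayed, not only under RA.R.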



  • 6.  RE: Protecting actions when entering '/' by a userid, group etc.

    Posted Thu November 12, 2020 04:01 PM
    Hi Jeroen,
    That makes sense now.
    Thank you.

    Regards,

    ------------------------------
    Anji Stephens
    ------------------------------