IBM Security Z Security

 View Only

  • 1.  Revoke Date on Datasets

    Posted Wed April 17, 2024 05:22 PM

    I am wanting to know if theirs such capability within RACF or zSecure and/or Carla where you can REVOKE access on a dataset on a certain date like in ACF2 UNTIL (00/00/00)?

     



    ------------------------------
    Floyd Womble
    Senior Identity and Access Management Engineer | Enterprise Information Protection (EIP) | Access Management - Mainframe

    Humana
    T 951.813.1822
    fwomble@humana.com
    ------------------------------


  • 2.  RE: Revoke Date on Datasets

    Posted Thu April 18, 2024 04:33 AM

    Hi Floyd,

    RACF does not support temporary permissions in a way that you can define an end-date on a permit. However, RACF does support the definition of an end-date to a connection between a user ID and a group. Thus, if you permit the access to the involved data set to a group and next, you can connect your target user ID that group with a future revoke date. This construction causes that the user ID can no longer access the data set after the connection revoke date is reached. 

    However, when you can also use zSecure in addition to native RACF commands, zSecure support the use of CKGRACF commands that do support temporary permissions. When you set up the appropriate CKGRACF profiles in the (by default) XFACILIT class, authorized CKGRACF administrators can use start- and end-dates on resource permissions. In addition, you must schedule an CKGRACF refresh job to run at least once per day (or more frequently if needed) to process the timed CKGRACF commands when start- and/or end-dates are reached. 

    You can find more information about CKGRACF command language in the zSecure Admin and Audit User Reference Manual:

    https://www.ibm.com/docs/en/szs/3.1.0?topic=manual-ckgracf-command-language 

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------

    Original Message


  • 3.  RE: Revoke Date on Datasets

    IBM Champion
    Posted Thu April 18, 2024 05:26 AM

    Hi Floyd,

    The way to provide temporary access with RACF is to create a group, permit the group access to the dataset profile, and connect the user to the group with CONNECT REVOKE(mm/dd/yy). When the revoke date is reached, the user's connection will be nullified and the access granted to the group will be ignored.

    Regards, Bob



    ------------------------------
    Robert S. Hansel
    Lead RACF Specialist
    RSH Consulting, Inc.
    R.Hansel@rshconsulting.com
    www.rshconsulting.com
    ------------------------------

    Original Message


  • 4.  RE: Revoke Date on Datasets

    Posted Thu April 18, 2024 08:55 AM
    Hi,
    I worked in an installation where we used groups with names like Taammddx to manage temporary access up to the date aammdd; we would connect userids to those groups with REVOKE=mmddaa. And we had schedulled jobs that would delete all the Taammdd groups for which aammdd was a past date. We used a rexx to do the userid remove and delete group. It was a simple solution with no added maintenance effort.
    Jack



    Original Message


  • 5.  RE: Revoke Date on Datasets

    IBM Champion
    Posted Thu April 18, 2024 09:29 AM

    zSecure Admin offers temporary or timed commands.  These are executed via CKGRACF which adds an option to specify the date when the command should be issued and another date when the command should be retracted.   You have to activate CKGRACF and issue the necessary permits in XFACILITY profiles.

    Also, you must go to SETUP CONFIRM to activate these options in the ISPF interface.  Issue a check against some of the CKGRACF command types in the SE.4 panel.

    Now, when you issue a PE line command for a dataset profile, or user/group profile, you will see options to 

    • permit for xxx days
    • permit from date until date.

    Similar options can be found for the connect line command in user and group profiles.



    ------------------------------
    Rob van Hoboken
    ------------------------------

    Original Message