Housekeeping using IBM® zSecure Access Monitor
The IBM® zSecure Access Monitor tool is an excellent option for performing housekeeping (cleanup) activities in RACF. It lets you identify unused userids, obsolete dataset and resource profiles, and excessive dataset and resource permissions. These activities can be performed either ad hoc or as a scheduled event.
Good examples of the cleanup benefits of Access Monitor reports are: removing redundant profiles that duplicate other profiles, removing users from an access list when they are already members of a group on the same access list, or removing an access list entry for a group whose access level is the same as the UACC.
Pre-settings
Before you start using Access Monitor, ensure the following steps have been performed in your system:
- Access Monitor is installed and configured
- Data Collection is started in Access Monitor
To use the Access Monitor features, the Mainframe Security Analyst first sets up the CKFREEZE and monthly consolidated AM files using SETUP menu option SE.1. Ideally, use at least the last 6 monthly consolidated files. The more input you use, the more confidence you can have in the results; just keep in mind that more files also mean more processing time and larger outputs.

Once the prerequisite files are set up, Access Monitor is reached via option AM on the zSecure main menu.

Types of reports
Report 1 - Redundant Userids & Logonids (i.e. interactive, generic, batch and functional accounts that are no longer in use)
- Use option AM.1
- Mark “Zero counts”
- Mark 1 “Use historic ID in access records”
- Mark “Further selection”
- Mark “Print format”

On “Creation date Until”, insert the oldest date of your monthly consolidated file, so it does not show a recently defined profile in the report.
Leave other fields blank.

This will generate a report with obsolete userids (i.e. a report showing userids not used during the last # months).
Report 2 - Redundant Dataset Profiles/Rules (i.e. Dataset Profiles and Dataset Rules that are no longer referenced)
- Use option AM.5
- Insert DATASET in the Class field
- Mark “Zero counts”
- Mark 1 “Use historic profile name in access summary if present”
- Mark “Further selection”
- Mark “Print format”

On “Profile creation date Until”, insert the oldest date of your monthly consolidated file, so it does not show a recently defined profile in the report.
Leave other fields blank.

This will generate a report with obsolete dataset profiles (i.e. a report showing dataset profiles not used during the last # months).
Report 3 - Redundant General Resource Profiles/Resource Rules (i.e. General Resource Profiles and Resource Rules that are no longer referenced)
- Use option AM.5
- Leave the Class field blank
- Mark “Zero counts”
- Mark 1 “Use historic profile name in access summary if present”
- Mark “Further selection”
- Mark “Print format”

On “Profile creation date Until”, insert the oldest date of your monthly consolidated file, so it does not show a recently defined profile in the report.
Leave other fields blank.

This will generate a report with obsolete resource profiles (i.e. a report showing resource profiles not used during the last # months).
Report 4 - Redundant Dataset and General Resource Access List/Rule entries (i.e. Access List/Rule Entries that are no longer referenced)
- Use option AM.3
- Leave the Class field blank
- Mark “Zero counts”
- Mark 1 “Use historic profile name in access summary if present”
- Mark “Further selection”
- Mark “Print format”

On “Profile creation date Until”, insert the oldest date of your monthly consolidated file, so it does not show a recently defined profile in the report.
Leave other fields blank.

This will generate a report with obsolete permits (i.e. a report showing permits not used during the last # months).
Report 5 - Redundant Access (levels of access that are no longer used – i.e. a user has UPDATE access but only ever uses READ)
- Use option AM.3
- Leave the Class field blank
- Mark “Non-zero counts”
- Mark 1 “Use historic profile name in access summary if present”
- Mark “Further selection”
- Mark “Print format”

On “Profile creation date Until”, insert the oldest date of your monthly consolidated file, so it does not show a recently defined profile in the report. The “Highest access used less than access allowed” field should also be marked.
Leave other fields blank.

This will generate a report with obsolete levels of access (i.e. a report showing levels of access not used during the last # months).
Final considerations
Please keep in mind that, even though Access Monitor can provide valuable information for housekeeping activities, the Mainframe Security Analyst still needs to review its output in detail. There are situations where an apparently unused definition in RACF has a purpose that is not clear at first. One example is a profile that prevents a user from accessing a resource, where the user never actually tried to access it. This does not mean the profile is not needed. It only means that no access attempt was recorded in the logs for a certain period; the profile may still be necessary to block future attempts by that same user. Another situation is a profile protecting a dataset that does not exist at the moment the report is run, but which is defined and later deleted as part of a scheduled process. Thus, make sure to obtain the RACF profile owner's validation before deleting anything.
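The selection logic behind Reports 4 and 5, together with the owner-review caveat above, written out as an added Python example (not zSecure code or the article's own). The record layout, field names and sample rows are constructed assumptions; real Access Monitor output has its own format.

```python
from dataclasses import dataclass
from datetime import date

# RACF access levels in ascending order, used to compare allowed vs. highest used.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

@dataclass(frozen=True)
class PermitRecord:          # one access-list entry summarised over the AM files (constructed layout)
    profile: str             # dataset or general-resource profile name
    subject: str             # user or group on the access list
    allowed: str             # access level the permit grants
    highest_used: str        # highest access actually recorded; NONE if nothing was recorded
    count: int               # number of access records seen
    created: date            # profile creation date

def triage(records, oldest_consolidated):
    """Report 4 / Report 5 filters plus the owner-review caveat from the article.
    Profiles newer than the oldest consolidated file are excluded ('Profile creation
    date Until'). Zero counts mark unused permits (Report 4); non-zero counts with
    highest access used below access allowed mark excess access (Report 5). A NONE
    permit leaves no access record while it works, so it goes to owner review.
    """
    buckets = {"too_new": [], "unused_permit": [], "excess_access": [],
               "review_with_owner": [], "keep": []}
    for r in records:
        if r.created > oldest_consolidated:
            buckets["too_new"].append(r)
        elif r.count == 0:
            key = "review_with_owner" if r.allowed == "NONE" else "unused_permit"
            buckets[key].append(r)
        elif ACCESS_RANK[r.highest_used] < ACCESS_RANK[r.allowed]:
            buckets["excess_access"].append(r)
        else:
            buckets["keep"].append(r)
    return buckets

def summarize(buckets):
    """Return {bucket: [subject, ...]} for inspection or assertions."""
    return {name: [r.subject for r in rows] for name, rows in buckets.items()}

# Constructed sample: six monthly files, the oldest dated 1 Oct 2023.
OLDEST_CONSOLIDATED = date(2023, 10, 1)
SAMPLE_RECORDS = [
    PermitRecord("PAYROLL.PROD.**", "PAYUSR1", "UPDATE", "READ", 412, date(2022, 1, 10)),
    PermitRecord("PAYROLL.PROD.**", "OLDBATCH", "READ", "NONE", 0, date(2021, 6, 3)),
    PermitRecord("HR.SECRET.**", "CONTRCT1", "NONE", "NONE", 0, date(2020, 5, 5)),
    PermitRecord("HR.NEWAPP.**", "NEWUSR1", "UPDATE", "NONE", 0, date(2024, 3, 1)),
    PermitRecord("SYS1.PARMLIB", "SYSPROG", "ALTER", "ALTER", 57, date(2019, 2, 14)),
]
```

Running `summarize(triage(SAMPLE_RECORDS, OLDEST_CONSOLIDATED))` places PAYUSR1 under excess access, OLDBATCH under unused permits and CONTRCT1 under owner review rather than in a cleanup list.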
For more detailed instructions, you can refer to the IBM zSecure Admin and Audit for RACF: User Reference Manual:
https://www.ibm.com/docs/en/szs/2.4.0?topic=deployment-setup-zsecure-admin-access-monitor