IBM Security Z Security


Use RACF PERMIT command with conditional access list

  • 1.  Use RACF PERMIT command with conditional access list

    Posted Sat March 23, 2024 04:36 AM

    Hello,

    I want to use the PERMIT command with a conditional access list using the WHEN clause, but the WHEN clause has very limited options.

    As you know, the TCPIP OBEYFILE command is very critical. I want to limit the use of this command, especially during working hours (shift).

    I imagined using the PERMIT command with the WHEN clause as follows:

    PERMIT MVS.VARY.TCPIP.OBEYFILE ACCESS(CONTROL) CLASS(OPERCMDS) ID(USER1) WHEN(NOT (DATE(*-01) OR DATE(*-15)) AND TIME(08:00-18:00))

    According to this command format, the TCPIP OBEYFILE command will not be used on the 01 or 15 dates of the month, and it also will not be used during working hours.

    I know that this usage of the PERMIT command is not in RACF. How can I use this command format in RACF?

    Regards,

    Kayhan Tanrıverir



    ------------------------------
    Have a good workday, respectfully / Regards
    ________________________
    Kayhan TANRIVERİR
    Sn. Systems Programmer & Consultant
    VBT Yazılım A.Ş
    www.vbt.com.tr
    ------------------------------


  • 2.  RE: Use RACF PERMIT command with conditional access list

    IBM Champion
    Posted Mon March 25, 2024 04:12 AM

    Hello Kayhan.

    The PERMIT ... WHEN( ) operand is meant to set requirements on the environment of the resource access, not on the time/date.  You can require that updates to critical data sets are only permitted from a specific program.

    The ALTUSER WHEN( ) operand is meant to limit the time/days when a logon can occur.  There is a DAYS but no DATE specification.

    The two use the same WHEN( ) but for different domains.



    ------------------------------
    Rob van Hoboken
    ------------------------------
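
The two WHEN( ) domains described in the reply above, written out as RACF TSO commands. This is an added example, not part of the original posts; USER1 and the OPERCMDS profile come from the thread, while the data set, program and console names are constructed, and it assumes program control and the CONSOLE class are active.

```tso
/* Added example. Constructed names: PAYROLL.MASTER.DATA, PAYUPD, OPSCON01 */

/* PERMIT ... WHEN(PROGRAM()): USER1 gets UPDATE only while running the    */
/* program PAYUPD. Assumes SETROPTS WHEN(PROGRAM) is active and PAYUPD is  */
/* defined as a controlled program.                                        */
PERMIT 'PAYROLL.MASTER.DATA' ID(USER1) ACCESS(UPDATE) WHEN(PROGRAM(PAYUPD))

/* PERMIT ... WHEN(CONSOLE()): the command is authorized only when it is   */
/* entered from console OPSCON01. Assumes the CONSOLE class is active.     */
/* This constrains where the command comes from, not when it is issued.    */
PERMIT MVS.VARY.TCPIP.OBEYFILE CLASS(OPERCMDS) ID(USER1) ACCESS(CONTROL) +
       WHEN(CONSOLE(OPSCON01))

/* Assumes OPERCMDS is RACLISTed, so the in-storage profiles need a        */
/* refresh before the change takes effect.                                 */
SETROPTS RACLIST(OPERCMDS) REFRESH

/* ALTUSER ... WHEN(DAYS() TIME()): limits when USER1 may log on.          */
/* DAYS takes day names, WEEKDAYS or ANYDAY; there is no calendar-date     */
/* operand. This governs logon, not individual resource checks.            */
ALTUSER USER1 WHEN(DAYS(WEEKDAYS) TIME(0800:1800))
```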



  • 3.  RE: Use RACF PERMIT command with conditional access list

    Posted Mon March 25, 2024 01:20 PM

    Hi Rob,
    Thank you for your response.

    Of course, I know that the PERMIT ... WHEN( ) operand is not on the time/date for general resources.

    But I believe that the PERMIT ... WHEN( ) operand must set requirements on the environment of the resource access, on the time/date too.

    I think it is a very important need to be able to use the PERMIT ... WHEN( ) operand with time/date. Over the years, the need for RACF's functionality has improved. RACF must be improved by our suggestions. While there are extraordinary developments in the field of cyber security, we expect some developments in RACF too. This is only my improvement suggestion as a customer. I hope IBM will evaluate this recommendation.

    Regards,

    Kayhan Tanrıverir


