IBM Mainframe Security: Beyond the Basics—A Practical Guide from a z/OS and RACF Perspective (Ebl-Schweitzer) - Softcover

Dattani, Dinesh

 
9781583478288: IBM Mainframe Security: Beyond the Basics—A Practical Guide from a z/OS and RACF Perspective (Ebl-Schweitzer)

Synopsis

Rather than rehashing basic information—such as command syntax—already available in other publications, this book focuses on the important security and audit issues, business best practices, and compliance concerns in IBM mainframe security. Mainframes are the backbone of most large IT organizations; their security cannot be left to chance. With very little training available to the younger crowd, and older, more experienced personnel retiring or close to retiring, there is a need for mainframe security skills at the senior level. Based on the real-life issues and solutions the author has encountered in three decades as a mainframe security practitioner, this book fulfills that need.


About the Author

Dinesh D. Dattani is a mainframe security consultant and the president of Triple-D Mainframe Services Ltd. He has more than 30 years of mainframe security experience at a number of companies in North America, and his consulting career spans diverse industries and sectors, including banking, telecom, automotive, insurance, energy, government, and service providers. He is the author of nearly 60 articles on mainframe security, including the IBM white paper "Best Practices for System z Security: Mainframe Security Matters--Thinking Outside the Box." He lives in Toronto.

Excerpt. © Reprinted by permission. All rights reserved.

IBM Mainframe Security: Beyond the Basics

A Practical Guide from a z/OS and RACF Perspective

By Dinesh D. Dattani

MC Press

Copyright © 2013 Dinesh D. Dattani
All rights reserved.
ISBN: 978-1-58347-828-8

Contents

Introduction
PART ONE: SECURING BUSINESS DATA
Chapter 1: How the Mainframe Provides Security
Chapter 2: RACF Special Privileges
Chapter 3: The Data Security Monitor (DSMON)
Chapter 4: Security Event Logging and Auditing
Chapter 5: The Global Access Checking (GAC) Table
Chapter 6: Understanding the FACILITY Class
Chapter 7: The Benefits of the SEARCH Command
Chapter 8: WARNING Mode and Its Implications
Chapter 9: Understanding z/OS UNIX Security
Chapter 10: The Benefits of RACF Commands in Batch Mode
Chapter 11: Security Administration: Beyond the Basics
PART TWO: SECURING THE z/OS OPERATING SYSTEM
Chapter 12: APF-Authorized Libraries
Chapter 13: The System Management Facility (SMF)
Chapter 14: Operating System Data Sets
Chapter 15: RACF Databases
Chapter 16: RACF Exits
Chapter 17: System Exits
Chapter 18: Started Procedures
Chapter 19: Tape Bypass Label Processing (BLP)
Chapter 20: The SYS1.UADS Data Set
Chapter 21: The System Display and Search Facility (SDSF)
Chapter 22: The Program Properties Table (PPT)
Chapter 23: Special-Use Programs
PART THREE: SECURITY INFRASTRUCTURE MATTERS
Chapter 24: Application and Batch ID Security
Chapter 25: Security Architecture
Chapter 26: The RACF Unload Database
Chapter 27: Increasing Your Productivity
Chapter 28: Security Compliance
Chapter 29: Security Best Practices
Chapter 30: Security Add-On Products
Epilogue
Index


CHAPTER 1

How the Mainframe Provides Security

Any farmer will tell you, only a fool lets a fox guard the henhouse door. — Proverb


One way to implement mainframe security is to let all applications running on the system manage their own security. However, that would be akin to allowing foxes to guard the henhouse. Instead, the mainframe operating system is entrusted with providing security for all users and applications sharing the computer. Being an independent entity, the operating system has no vested interest in compromising the data.

A key integrity feature of the z/OS mainframe operating system is that all programs doing work are kept apart from each other: one program cannot see what another is doing. This segregation is implemented through address spaces. Each unit of work on the mainframe is allocated its own address space, and a program running in one address space cannot read or modify the private storage of another unless the operating system has explicitly authorized it to do so.

Thus, the very foundation of the operating system provides data integrity, as shown in Figure 1.1.

While the operating system provides basic integrity, it uses an "external" security product to do all other security checking.

When we talk about an external security product, we mean it is external to the "core" operating system; the security product is still part of the operating system. Security checking was externalized from the core operating system through a standard interface, the System Authorization Facility (SAF), so that competing security products can provide mainframe security by answering the same calls.

There are three main mainframe security products: IBM's Resource Access Control Facility (RACF), and ACF2 and Top Secret, both from CA Technologies (formerly Computer Associates International, now part of Broadcom). We will use RACF throughout this book.

The operating system intercepts all authentication and authorization requests and passes them to RACF, which makes its decision based on the information in its security database. In this sense, the operating system is strictly a gatekeeper or go-between; it does not itself decide whether to allow or deny a security request.

One can think of the operating system as having subcontracted all installation-specific security checking to RACF.


How RACF Does Access Checking

When RACF receives a request for access checking, it decides to grant or deny the request based on information residing in the RACF database. RACF checking for an access request is quite involved. There are of course the "access lists" in RACF profiles that specify who has access, but that's not all. Several other factors influence RACF's decision. In addition to access lists, these are the main factors RACF considers before deciding whether to grant or deny access:

1. Universal access — The "universal access" (UACC) specified in the profile is above and beyond what is in the access lists. It applies to every user who is not named in the access list, either directly or through one of the user's groups. For example, if the UACC is READ and a user ID is not in the access list, the user ID gets at least READ access. Conversely, a user ID that is in the access list with NONE is denied even when the UACC is READ.

2. General access — If the profile has an entry of * (an asterisk) in its access list, all user IDs have access that is specified for *. There is a subtle difference between this general access and universal access. This is covered in chapter 11, "Security Administration: Beyond the Basics."

3. Operations privilege — If a user has the OPERATIONS privilege, the user might get access because of that fact. This is discussed in detail in chapter 2, "RACF Special Privileges."

4. Global Access Checking (GAC) table — The GAC table can grant access before the pertaining profile is even checked. This is discussed in detail in chapter 5, "The Global Access Checking (GAC) Table."

5. RACF exits — RACF exits can override all access definitions in the RACF database. This is discussed in detail in chapter 16, "RACF Exits."


The RACF Access Checking Diagram

The diagram in Figure 1.2 is a simplified version of RACF authorization checking. It covers the main areas, but it does not go into the details of seldom-used cases. Let's use the diagram to understand how RACF works, by taking Quiz 1.1.
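The following is an added example, not code from the book or from RACF itself: a small Python model of the decision order the chapter describes, covering the access list, UACC, the ID(*) entry, OPERATIONS, the GAC table, and an exit. Profile names are matched exactly, the set of classes in which OPERATIONS applies is an assumption for the example, the exit is modelled as a Python callable, and the sample database is constructed. Real RACF also performs generic profile matching, security label checks, and PROTECTALL processing, which are left out.

```python
from dataclasses import dataclass, field

# Access levels in ascending order; a higher level satisfies any lower request.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def rank(level):
    return LEVELS.index(level)

@dataclass
class Profile:
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # user IDs, group names and "*"
    warning: bool = False                     # WARNING mode: log but allow

@dataclass
class User:
    userid: str
    groups: tuple = ()
    operations: bool = False
    restricted: bool = False   # RESTRICTED: no access via GAC, UACC or ID(*)
    defined: bool = True       # False models a user ID not defined to RACF

# Assumption for this example: OPERATIONS applies only in these classes
# (DATASET plus classes whose CDT entry says OPER=YES).
OPERATIONS_CLASSES = {"DATASET", "DASDVOL", "TAPEVOL"}

def check_access(user, cls, resource, requested, profiles, gac=None, exit_fn=None):
    """Decide one access request; returns (decision, reason)."""
    need = rank(requested)

    # RACF exits: a preprocessing exit (ICHRCX01 in real RACF) can override
    # everything in the database. Modelled as a callable returning "GRANT",
    # "DENY" or None (let RACF decide).
    if exit_fn is not None:
        verdict = exit_fn(user, cls, resource, requested)
        if verdict in ("GRANT", "DENY"):
            return verdict, "RACF exit"

    # GAC table: consulted before any profile, never for RESTRICTED users.
    if gac and not user.restricted and rank(gac.get((cls, resource), "NONE")) >= need:
        return "GRANT", "GAC table"

    profile = profiles.get((cls, resource))
    if profile is None:
        # Real RACF's answer depends on PROTECTALL and generic profiles; deny here.
        return "DENY", "no profile"

    # Access list: the user's own entry, or else the best of the user's group
    # entries, decides. An explicit entry (even NONE) means UACC, ID(*) and
    # OPERATIONS are not consulted.
    explicit = None
    if user.userid in profile.acl:
        explicit = profile.acl[user.userid]
    else:
        group_levels = [profile.acl[g] for g in user.groups if g in profile.acl]
        if group_levels:
            explicit = max(group_levels, key=rank)
    if explicit is not None and rank(explicit) >= need:
        return "GRANT", "access list"

    if explicit is None and not user.restricted:
        # Universal access: applies to everyone, including undefined user IDs.
        if rank(profile.uacc) >= need:
            return "GRANT", "UACC"
        # General access ID(*): applies only to user IDs defined to RACF.
        if user.defined and rank(profile.acl.get("*", "NONE")) >= need:
            return "GRANT", "ID(*)"

    # OPERATIONS privilege: only in classes that honour it, and not when the
    # user or a group was named in the access list with a lower access.
    if explicit is None and user.operations and cls in OPERATIONS_CLASSES:
        return "GRANT", "OPERATIONS"

    # WARNING mode lets the request through but logs it as a violation.
    if profile.warning:
        return "GRANT", "WARNING mode"
    return "DENY", "insufficient access"

# Constructed sample database for the example.
PROFILES = {
    ("DATASET", "PAYROLL.MASTER"): Profile(
        uacc="NONE", acl={"PAYADM": "ALTER", "PAYGRP": "UPDATE", "AUDIT1": "NONE"}),
    ("DATASET", "SYS1.PARMLIB"): Profile(uacc="READ", acl={"SYSPROG": "ALTER"}),
    ("DATASET", "TEST.DATA"): Profile(uacc="NONE", acl={"*": "READ"}, warning=True),
    ("FACILITY", "BPX.SUPERUSER"): Profile(uacc="NONE", acl={"OMVSADM": "READ"}),
}
GAC = {("DATASET", "SYS1.MACLIB"): "READ"}

def deny_all_exit(user, cls, resource, requested):
    """Hypothetical exit that fails every request, to show that exits win."""
    return "DENY"

if __name__ == "__main__":
    for who, cls, res, req in [
        (User("PAYADM"), "DATASET", "PAYROLL.MASTER", "READ"),
        (User("AUDIT1", operations=True), "DATASET", "PAYROLL.MASTER", "READ"),
        (User("NOUSER", defined=False), "DATASET", "TEST.DATA", "READ"),
    ]:
        print(who.userid, cls, res, req, check_access(who, cls, res, req, PROFILES, GAC))
```

Two cases are worth tracing by hand. AUDIT1 holds OPERATIONS but is in the access list with NONE, so the explicit entry wins and the request is denied. The undefined user ID gets READ to TEST.DATA only because the profile is in WARNING mode, not through the ID(*) entry, which is reserved for RACF-defined users; without WARNING mode that request would fail.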

CHAPTER 2

RACF Special Privileges

In this business you don't even trust yourself. — Former colleague


RACF has provisions for users to have special privileges. The three main special privileges are OPERATIONS, SPECIAL, and AUDITOR.

These three privileges come in two flavors: group-level and system-wide. A group-level privilege is tied to one RACF group and applies only to the users and resources that fall within the scope of that group. A system-wide privilege has no such limitation; it applies to all resources and to all users.
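An added example, not from the book, showing how far a group-level privilege reaches compared with a system-wide one. It assumes, as a simplification, that scope follows the RACF OWNER chain: a group, user or profile is in scope when it is owned by the group or by a group already in scope, and a subgroup or profile owned by a user ID breaks the chain. The group tree, user IDs and profile names are constructed for the example; real RACF scope rules have further details (connect authorities, for instance) that are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    kind: str     # "GROUP", "USER" or "PROFILE"
    owner: str    # name of the owning group or user ID

# Constructed sample tree: SYS1 owns PAYROLL and DEV; DEV owns DEVTEST and the
# user DEVMGR, but DEVPROD is owned by DEVMGR (a user), so DEVPROD and the
# profile it owns fall outside the scope of DEV.
ENTITIES = [
    Entity("SYS1", "GROUP", "IBMUSER"),
    Entity("PAYROLL", "GROUP", "SYS1"),
    Entity("DEV", "GROUP", "SYS1"),
    Entity("DEVTEST", "GROUP", "DEV"),
    Entity("DEVPROD", "GROUP", "DEVMGR"),
    Entity("DEVMGR", "USER", "DEV"),
    Entity("DEV01", "USER", "DEVTEST"),
    Entity("PAY01", "USER", "PAYROLL"),
    Entity("DEV.TEST.**", "PROFILE", "DEVTEST"),
    Entity("DEV.PROD.**", "PROFILE", "DEVPROD"),
    Entity("PAYROLL.**", "PROFILE", "PAYROLL"),
]

def scope_of(group, entities):
    """Names of everything a group-level privilege held in `group` reaches."""
    by_owner = {}
    for e in entities:
        by_owner.setdefault(e.owner, []).append(e)
    in_scope, todo = {group}, [group]
    while todo:
        current = todo.pop()
        for e in by_owner.get(current, []):
            if e.name not in in_scope:
                in_scope.add(e.name)
                # Only groups carry the privilege further down the tree; what a
                # user ID owns is not reached through that user.
                if e.kind == "GROUP":
                    todo.append(e.name)
    return in_scope

@dataclass
class Admin:
    userid: str
    special: bool = False        # system-wide SPECIAL
    group_special: tuple = ()    # groups in which the user holds group-SPECIAL

def can_administer(admin, target, entities):
    """Can this administrator work on the profile named `target`?"""
    if admin.special:
        return True
    return any(target in scope_of(g, entities) for g in admin.group_special)

if __name__ == "__main__":
    dev_admin = Admin("DEVADM", group_special=("DEV",))
    print(sorted(scope_of("DEV", ENTITIES)))
    for target in ("DEV01", "DEV.PROD.**", "PAY01"):
        print(target, can_administer(dev_admin, target, ENTITIES))
```

The same walk applies to group-OPERATIONS and group-AUDITOR: the privilege is the same as its system-wide counterpart, but the set of profiles it can touch is the group's ownership subtree rather than the whole database.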

Note that the following are not discussed in this chapter:

• The UNIX® SUPERUSER privilege. For information about this privilege, refer to chapter 9, "Understanding z/OS UNIX Security."

• Special privileges available in optional system components such as DB2®, CICS®, and IMS®.


The OPERATIONS privilege allows the user to read, write, create, and delete most of the installation's data.

The SPECIAL privilege allows the user to define and administer security profiles and user IDs in the RACF database, and to set RACF system-wide options through the SETROPTS command. It does not by itself allow the user to manipulate any data, although users with this privilege can do so in a roundabout way, by adding themselves to the access lists of the appropriate profiles.

The AUDITOR privilege allows the holder to display all profiles in the RACF database.

In addition, your...


Other popular editions of the same title

9781583478318: IBM Mainframe Security: Beyond the Basics-A Practical Guide from a z/OS and RACF Perspective

Featured edition

ISBN 10:  1583478310 ISBN 13:  9781583478318
Softcover