IBM Systems & IBM Security
© 2018 IBM Corporation
IBM zSystems
IT Service Management
IBM Workload Scheduler for z/OS
Security
with RACF & IBM zSecure
Domenico (Nico) Chillemi
IBM Executive IT Specialist
nicochillemi@it.ibm.com
Best Practices
zSystems & zSecurity
Ciao ☺
IBM Mainframe
50 years old
Strong Batch experience
IBM Academy of Technology
z Platform Initiatives Leader
zChampion
IBM Workload Scheduler
RACF & zSecure
zStorage Rocket Tools
System Automation
Log Analytics Tools
zSecure components
[Diagram: zSecure components. Labels: zSecure Admin, zSecure Audit, zSecure Alert, zSecure Visual, zSecure CICS Toolkit, zSecure Command Verifier, RACF, RACF commands, RACF db, SMF, SAF, z/OS, DB2, CICS, z/OS + UNIX + DB2 + CICS + IMS configuration info, SIEM, Other]
IBM Workload Scheduler for z/OS components
[Diagram: IWS for z/OS components. Labels: ISPF, IBM Workload Console, WebSphere Application Server, IWS z/OS Engine, IWS z/OS Agents, IWS Distributed, zCentric Agents, IWS for z/OS/ESA, z/OS Domain, Sysplex, MAS, DASD, XCF, FTP, Info Mgmt, Monitoring, ALLSYSTEMS, CITY1, CITY2, CITY3]
Main IWSz concepts and objects
▪ Database
  – Batch applications
  – Workstations
  – Calendars
▪ Plans
  – Long Term Plan
  – Current Plan
▪ Run Cycles
▪ JOBs
▪ Generic Operations
▪ Commands
▪ JOBLOGs
▪ .....
IBM Workload Scheduler for z/OS - What to consider for protection
▪ IWSz data sets
  – This can be done simply by protecting all data sets that the IWSz address spaces need in order to start
▪ Subsystem (Controller/Tracker/Server) USERID
  – Every IWSz address space needs to be associated with a user, which can be the same for more than one subsystem
  – This user has to be registered in the STARTED RACF class
▪ IWSz Subsystems
  – Any access to IWSz, whether direct or through any kind of interface (Console, API, etc.), can be prevented or authorized through the APPL RACF class
▪ IWSz Objects
  – Any access to AD, CP, or, for example, to specific IWSz jobs, can be prevented or authorized
▪ IWSz Commands
  – One or more typical IWSz commands can be prevented or authorized
IWSz - What to consider for protection (RACF)
▪ IWSz data sets
    ADDSD 'IWS.V9R3.**' UACC(N) OWNER(NICO)
    PERMIT 'IWS.V9R3.**' ACC(ALTER) ID(IWSUSER AdminGrup)
▪ Subsystem (Controller/Tracker) USERID
    ADDUSER IWSSTC DFLTGRP(Admin) OWNER(NICO) NOPASSWORD ....
    RDEF STARTED IWS*.* STDATA( USER(IWSSTC) .....)
    PERMIT 'IWS.V9R3.**' ACC(ALTER) ID(IWSSTC)
▪ IWSz Subsystems
    RDEF APPL IWS9 UACC(N) OWNER(NICO)
    PERMIT IWS9 CLASS(APPL) ACC(R) ID(.......)
IWSz - What to consider for protection (zSecure)
Protect IWSz Objects with RACF
▪ One dedicated RACF class, already defined in RACF
  – IBMOPC dedicated RACF class
    • Automatically activated
    • Other dedicated classes can be used, but they have to be defined to RACF
  – Activated in IWSz with the AUTHDEF initialization statement
▪ Other RACF classes can be defined in RACF
  – Dynamically or via job
▪ Two protection levels
  – IWSz Fixed Resources (AD, WS, LT, CP, ...)
    • All activated if IBMOPC is activated both in RACF and in AUTHDEF
  – IWSz Subresources (specific objects inside each resource)
    • Only those specified in the AUTHDEF initialization statement are activated
IBM Workload Scheduler for z/OS Parameters Example
▪ IWSz PARMLIB
  – IWSz Fixed Resources
      AUTHDEF CLASS(IBMOPC)
  – IWSz Subresources
      AUTHDEF CLASS(IBMOPC)
              SUBRESOURCES(AD.ADNAME,
                           AD.OWNER,
                           WS.WSNAME,
                           LT.ADNAME,
                           CP.JOBNAME,
                           JS.JOBNAME,
                           .....)
RACF Resource
      ADA.**
      ADO.**
      CPJ.**
Fixed Resources protection (1st level)
▪ Application Description, Current Plan, JS, etc...
    RDEF IBMOPC (AD) UACC(N)
    RDEF IBMOPC (CP) UACC(N)
    RDEF IBMOPC (JS) UACC(N)
    …
    PERMIT AD CLASS(IBMOPC) ACC(U) ID(Admin)
    PERMIT CP CLASS(IBMOPC) ACC(U) ID(Admin)
    PERMIT JS CLASS(IBMOPC) ACC(U) ID(Admin)
    …
    PERMIT AD CLASS(IBMOPC) ACC(U) ID(Grup1)
    PERMIT CP CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
    PERMIT JS CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2 Grup3)
Subresources protection (2nd level)
▪ Specific applications, specific jobs, etc...
  – Applications by owner-name
      RDEF IBMOPC (ADO.NIC*) UACC(N)
      PERMIT ADO.NIC* CLASS(IBMOPC) ACC(U) ID(Admin)
  – Long term plan objects by application-name
      RDEF IBMOPC (LTA.APPL1*) UACC(N)
      PERMIT LTA.APPL1* CLASS(IBMOPC) ACC(U) ID(Grup1)
  – Current plan objects by job-name
      RDEF IBMOPC (CPJ.J01*) UACC(N)
      PERMIT CPJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
  – JS objects by job-name
      RDEF IBMOPC (JSJ.J01*) UACC(N)
      PERMIT JSJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup3)
zSecure – Fixed Resources and Subresources
© 2016 IBM Corporation
Enhanced Security in Workload Automation for z/OS (last IWSz 9.3 SPE)
Value / Solution
▪ More granularity in security access helps guarantee product stability
▪ Secure actions, in addition to data
▪ Security access can now be controlled at any level, from object level down to action level
IWSz Security Enhancements
• Define actions as sub-resources in the AUTHDEF statement
• Use RACF commands to provide/deny access to users

AUTHDEF
    COMMAND1(J,ARC,…)
    SUBRESOURCES(CP.ADDOPER,
                 CP.COMMAND1)

RACF Commands
    RDEF IBMOPC CP.ADDOPER
    PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)

Fixed resource   Subresource & RACF resource name   Description
CP               CP.ADD                             Add workload (occurrences or operations)
                 CP.MODIFY                          Modify attributes
                 CP.DELETE                          Delete workload (occurrences or operations)
                 CP.COMMANDx                        Line commands
                 CP.ADDOPER                         Add operations
                 CP.DELOPER                         Delete operations
                 CP.MODOPER                         Modify operations
                 CP.ADDDEP                          Add dependencies
                 CP.DELDEP                          Delete dependencies
                 CP.MODDEP                          Modify dependencies
                 CP.MODOPSTAT                       Modify operation status

Occurrence Commands
• RG  Remove from group
• DG  Delete group
• CG  Complete group
• C   Complete an occurrence
• W   Set waiting
• R   Rerun

Operation Commands
• J        Edit JCL (J command resource)
• MH, MR   Manual Hold, Manual Release (MR, MH command resources)
• NP, UN   NOP, UN NOP (NP, UN command resources)
• K        Kill (K command resource)
• EX       Execute (EX command resource)
• JR/FJR   JR, Fast path JR (JR command resource)
• SR/FSR   SR, Fast path SR (SR command resource)
• SC/FSC   SC, Fast path SC (SC command resource)
• SJR      Simple Job Restart Execute (SJR command resource)
• R        Reset Status (MODOPSTAT resource)
• BIND     Bind operation (BND command resources)
• N        Set NEXT logical status (MODOPSTAT resource)
• N-x      Set specific status (MODOPSTAT resource)
Enhanced IWSz Security - Scenarios
Tim, the System Administrator; Jason, the Scheduler; Jane, the Application Developer
1. Tim can now authorize Jason, the Scheduler, to add operations to the Current Plan. At the same time, he can prevent him from adding new occurrences.
2. Tim can secure a set of commands, creating new User Profiles.
• He can authorize Jane to perform a recovery action, but prevent her from editing a job
• He can authorize Jason to Complete and Rerun an existing occurrence, but prevent him from adding new occurrences
Enhanced IWSz Security - Scenarios

Scenario 1
• Define the CP.ADD and CP.ADDOPER subresources in the AUTHDEF statement
    SUBRESOURCES(CP.ADD,CP.ADDOPER)
• Define them to RACF and give universal NONE access by default
    RDEF IBMOPC CP.ADD
    RDEF IBMOPC CP.ADDOPER
• Give user Jason update access to the CP.ADDOPER resource
    PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)

Scenario 2
To allow Jane to perform “ARC” (Automatic Recovery) and Jason to perform “C” (Complete occurrence) and “R” (Rerun Occurrence) commands:
• Define the CP.COMMANDx subresources in the AUTHDEF
    AUTHDEF CLASSNAME(IBMOPC)
            COMMAND1(ARC, C, R)
            SUBRESOURCES(CP.COMMAND1)
• Define to RACF
    RDEF IBMOPC CP.COMMAND1
• Give Jane update access to CP.COMMAND1
    PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)
Subresources protection with the last IWSz 9.3 SPEs
▪ AUTHDEF in IWSz PARM
    AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R)
            SUBRESOURCES(CP.COMMAND1)
▪ RACF RESOURCE DEFINITION
    RDEF IBMOPC CP.COMMAND1
▪ PERMIT TO DEVELOPERS
    PERMIT CP.COMMAND1 ID(Grup3) ACCESS(UPDATE) CLASS(IBMOPC)
IBM New Security Enhancements Parameters Example
▪ IWSz PARMLIB
    AUTHDEF CLASS(IBMOPC)
            SUBRESOURCES(CP.COMMAND1,
                         CP.COMMAND2,
                         .....)
            COMMAND1(ARC, C, R)
            COMMAND2(M, L)
            ...
RACF Resource
    CP.COMMAND1
    CP.COMMAND2
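
Added example (not from the original deck): a small Python lint that cross-checks an AUTHDEF statement against the RACF commands issued for the same class, catching slips such as a subresource activated in AUTHDEF with no matching RDEF, or a COMMANDn list that is never activated. The function names, finding codes and both sample configurations are constructed for illustration; only the CP action names come from the table in this deck.

```python
import re

# Action-level CP subresources from the deck's table. For these, the RACF
# resource name is identical to the subresource name.
CP_ACTIONS = {"CP.ADD", "CP.MODIFY", "CP.DELETE", "CP.ADDOPER", "CP.DELOPER",
              "CP.MODOPER", "CP.ADDDEP", "CP.DELDEP", "CP.MODDEP", "CP.MODOPSTAT"}
COMMAND_RES = re.compile(r"CP\.COMMAND(\d+)")


def _items(value):
    return [v.strip().upper() for v in value.split(",") if v.strip()]


def parse_authdef(text):
    """Return (class name, activated subresources, {n: commands in COMMANDn})."""
    kw = {k.upper(): v for k, v in re.findall(r"(\w+)\s*\(([^)]*)\)", text)}
    cls = (kw.get("CLASSNAME") or kw.get("CLASS", "")).strip().upper()
    subs = _items(kw.get("SUBRESOURCES", ""))
    cmds = {int(k[7:]): _items(v) for k, v in kw.items()
            if re.fullmatch(r"COMMAND\d+", k)}
    return cls, subs, cmds


def parse_racf(text):
    """Collect (class, profile) pairs from one-line RDEF and PERMIT commands."""
    defined, permitted = set(), set()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        verb = tok[0].upper()
        if verb in ("RDEF", "RDEFINE") and len(tok) >= 3:
            defined.add((tok[1].upper(), tok[2].strip("()").upper()))
        elif verb in ("PERMIT", "PE") and len(tok) >= 2:
            m = re.search(r"\bCLASS\((\w+)\)", line, re.I)
            if m:
                permitted.add((m.group(1).upper(), tok[1].upper()))
    return defined, permitted


def lint(authdef, racf):
    """Return a list of (finding code, name) tuples; empty means consistent."""
    cls, subs, cmds = parse_authdef(authdef)
    defined, permitted = parse_racf(racf)
    in_class = {p for c, p in defined if c == cls}
    findings = []
    for s in subs:
        m = COMMAND_RES.fullmatch(s)
        if "." not in s:
            findings.append(("MALFORMED_SUBRESOURCE", s))
        elif m and int(m.group(1)) not in cmds:
            findings.append(("NO_COMMAND_LIST", s))
        if (m or s in CP_ACTIONS) and s not in in_class:
            findings.append(("ACTIVATED_NOT_DEFINED", s))
    for n in sorted(cmds):
        if f"CP.COMMAND{n}" not in subs:
            findings.append(("COMMAND_LIST_NOT_ACTIVATED", f"COMMAND{n}"))
    for p in sorted(in_class):
        if (p in CP_ACTIONS or COMMAND_RES.fullmatch(p)) and p not in subs:
            findings.append(("DEFINED_NOT_ACTIVATED", p))
    for c, p in sorted(permitted):
        if c == cls and p not in in_class:
            findings.append(("PERMIT_WITHOUT_PROFILE", p))
    return findings


# Constructed sample with typical copy/paste slips.
BAD_AUTHDEF = """AUTHDEF CLASSNAME(IBMOPC)
        COMMAND1(ARC, C, R)
        COMMAND2(M, L)
        SUBRESOURCES(CP.ADD, CPADDOPER, CP.COMMAND1)"""
BAD_RACF = """RDEF IBMOPC CP.ADD UACC(NONE)
RDEF IBMOPC CP.ADDOPER UACC(NONE)
PERMIT CP.ADDOPER CLASS(IBMOPC) ID(JASON) ACCESS(UPDATE)
PERMIT CP.COMMAND1 CLASS(IBMOPC) ID(JANE) ACCESS(UPDATE)"""

# Constructed sample where AUTHDEF and RACF agree.
GOOD_AUTHDEF = """AUTHDEF CLASSNAME(IBMOPC)
        COMMAND1(ARC, C, R)
        COMMAND2(M, L)
        SUBRESOURCES(CP.ADD, CP.ADDOPER, CP.COMMAND1, CP.COMMAND2)"""
GOOD_RACF = BAD_RACF + """
RDEF IBMOPC CP.COMMAND1 UACC(NONE)
RDEF IBMOPC CP.COMMAND2 UACC(NONE)"""

if __name__ == "__main__":
    for code, name in lint(BAD_AUTHDEF, BAD_RACF):
        print(f"{code:28} {name}")
    print("corrected configuration findings:", lint(GOOD_AUTHDEF, GOOD_RACF))
```

The parser expects each RACF command on a single line; continued commands have to be joined before linting.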
Quick zSecure Scenario - IWSz 9.3 SPE example
zSecure Command Verifier and IWSz
▪ Acting on resources in RACF often requires the SPECIAL attribute
▪ This can be a problem in IWSz as well, since a SPECIAL user can do much more
▪ RACF alone does not solve this problem
▪ zSecure Command Verifier makes it possible to limit the power of SPECIAL users
▪ IWSz can benefit strongly from this zSecure capability
zSecure Command Verifier in Action
[Diagram: zSecure Command Verifier in action. Labels: TSO/ISPF, zSecure Admin, Cmds, RACF commands + output, RACF commands, Command Verifier, EXIT, Policy, RACF profiles, RACF db mgr, SMF]
zSecure CV Best Practices examples with IWSz
▪ Suppose you would like to establish an IWSz RACF compliance rule saying that development people inside a department can define only IWS Application Description profiles for applications starting with TIV*.
▪ The objective is to prevent RACF from accepting any IWS profile creation issued by a user belonging to the TIVCFG group, other than an IWS Application Description profile matching the TIV* wildcard.
▪ The first thing to do is to define the generic C4R profile saying that TIVCFG cannot add IWS for z/OS profiles
▪ This is done by adding the C4R.IBMOPC.ID.* profile to the C4R class
zSecure CV Best Practices examples with IWSz
zSecure CV Best Practices examples with IWSz
Typical zSecure Command Verifier DEVOPS Scenario with IBM Workload Scheduler for z/OS
▪ Suppose we need to establish an IWSz RACF compliance rule saying that:
  – PAYROLL administrators can define IWSz resources, based on the payroll batch applications their teams are responsible for
    • PAYROLL application developers can define only the IWSz applications they are responsible for
  – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for
    • REPORTING application developers can define only the IWSz applications they are responsible for
▪ There will be 3 types of roles in this scenario:
  – RACF administrator
  – PAYROLL administrator and REPORTING administrator
  – PAYROLL developers and REPORTING developers
PAYROLL and REPORTING DEVOPS Scenarios
▪ RACFADM is the RACF Administrator
  – Creates Command Verifier profiles to authorize PAYROLL and REPORTING administrators, with SPECIAL attribute, to create only specific PAYROLL and REPORTING IWSz RACF profiles
▪ IWSPAYR is the IWSz Payroll Administrator
  – Creates RACF profiles for different Payroll IWSz applications
▪ IWSREPT is the IWSz Reporting Administrator
  – Creates RACF profiles for different Reporting IWSz applications
▪ IWSGPAY1 is the IWSz Payroll Application Developers 1 Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR1
▪ IWSGPAY2 is the IWSz Payroll Application Developers 2 Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR2
▪ IWSGRPTA is the IWSz Reporting Application Developers A Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTA
▪ IWSGRPTB is the IWSz Reporting Application Developers B Team
  – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTB
Administrators work in this scenario
▪ RACFADM
  – RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
  – RDEF C4R C4R.IBMOPC.ID.ADA.PAYR* UACC(N) OWNER(IWSPAYR) → 1st line
  – RDEF C4R C4R.IBMOPC.ID.ADA.REPT* UACC(N) OWNER(IWSREPT) → 2nd line
▪ IWSPAYR
  – RDEF IBMOPC ADA.PAYR1* UACC(N) OWNER(IWSPAYR) → matches (1st line)
  – RDEF IBMOPC ADA.PAYR2* UACC(N) OWNER(IWSPAYR) → matches (1st line)
  – PERMIT ADA.PAYR1* ACCESS(U) ID(IWSGPAY1) CLASS(IBMOPC)
  – PERMIT ADA.PAYR2* ACCESS(U) ID(IWSGPAY2) CLASS(IBMOPC)
▪ IWSREPT
  – RDEF IBMOPC ADA.REPTA* UACC(N) OWNER(IWSREPT) → matches (2nd line)
  – RDEF IBMOPC ADA.REPTB* UACC(N) OWNER(IWSREPT) → matches (2nd line)
  – PERMIT ADA.REPTA* ACCESS(U) ID(IWSGRPTA) CLASS(IBMOPC)
  – PERMIT ADA.REPTB* ACCESS(U) ID(IWSGRPTB) CLASS(IBMOPC)
Results
▪ ITUSER01 is connected to IWSGPAY1
  – ITUSER01 can access IBM Workload Scheduler for z/OS
    • He/She can define/update PAYR1APPL001, PAYR1APPLXXX, ...
    • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
▪ ITUSER25 is connected to IWSGPAY2
  – ITUSER25 can access IBM Workload Scheduler for z/OS
    • He/She can define/update PAYR2APPL001, PAYR2APPLXXX, ...
    • He/She cannot define/update PAYR1APPZZZ, REPTBAPPKKK, BANKAPP1, ...
▪ ITUSER71 is connected to IWSGRPTA
  – ITUSER71 can access IBM Workload Scheduler for z/OS
    • He/She can define/update REPTAAPPL001, REPTAAPPLXXX, ...
    • He/She cannot define/update PAYR2APPZZZ, REPTBAPPKKK, BANKAPP1, ...
▪ ITUSER95 is connected to IWSGRPTB
  – ITUSER95 can access IBM Workload Scheduler for z/OS
    • He/She can define/update REPTBAPPL001, REPTBAPPLXXX, ...
    • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
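
Added example (not from the original deck): a simplified Python model of how the IBMOPC profiles from the administrators' slide lead to the results listed above, and of what changes when no catch-all profile exists. It assumes an ADA.** backstop profile, handles only trailing * and .** generics, picks the covering profile by longest literal prefix, and assumes list-of-groups checking; all function names are illustrative.

```python
import re

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Profiles and permits as on the administrators' slide, plus an assumed
# ADA.** backstop (the deck lists ADA.** as a RACF resource elsewhere).
RACF_COMMANDS = """
RDEF IBMOPC ADA.** UACC(N) OWNER(RACFADM)
RDEF IBMOPC ADA.PAYR1* UACC(N) OWNER(IWSPAYR)
RDEF IBMOPC ADA.PAYR2* UACC(N) OWNER(IWSPAYR)
RDEF IBMOPC ADA.REPTA* UACC(N) OWNER(IWSREPT)
RDEF IBMOPC ADA.REPTB* UACC(N) OWNER(IWSREPT)
PERMIT ADA.PAYR1* ACCESS(U) ID(IWSGPAY1) CLASS(IBMOPC)
PERMIT ADA.PAYR2* ACCESS(U) ID(IWSGPAY2) CLASS(IBMOPC)
PERMIT ADA.REPTA* ACCESS(U) ID(IWSGRPTA) CLASS(IBMOPC)
PERMIT ADA.REPTB* ACCESS(U) ID(IWSGRPTB) CLASS(IBMOPC)
"""

# Group connections from the Results slide.
GROUPS = {"ITUSER01": ["IWSGPAY1"], "ITUSER25": ["IWSGPAY2"],
          "ITUSER71": ["IWSGRPTA"], "ITUSER95": ["IWSGRPTB"]}


def level(word):
    """Accept full access names or the one-letter forms used on the slides."""
    return next(i for i, n in enumerate(LEVELS) if n.startswith(word.upper()))


def operand(line, *names):
    for name in names:
        m = re.search(rf"\b{name}\(([^)]*)\)", line, re.I)
        if m:
            return m.group(1)
    return None


def build(commands):
    """Turn one-line RDEF/PERMIT commands into {profile: {uacc, acl}}."""
    profiles = {}
    for line in commands.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0].upper() == "RDEF":
            uacc = level(operand(line, "UACC") or "NONE")  # assumed default
            profiles[tok[2]] = {"uacc": uacc, "acl": {}}
        elif tok[0].upper() == "PERMIT":
            access = level(operand(line, "ACCESS", "ACC") or "READ")
            for who in operand(line, "ID").split():
                profiles[tok[1]]["acl"][who] = access
    return profiles


def covering_profile(profiles, resource):
    """Most specific matching profile (simplified: longest literal prefix)."""
    best = None
    for name in profiles:
        if name.endswith(".**"):
            literal, tail = name[:-3], r"(\..*)?"
        elif name.endswith("*"):
            literal, tail = name[:-1], r".*"
        else:
            literal, tail = name, ""
        if re.fullmatch(re.escape(literal) + tail, resource):
            if best is None or len(literal) > best[1]:
                best = (name, len(literal))
    return best[0] if best else None


def decide(profiles, groups, user, application, needed="UPDATE"):
    """Subresource-level decision for application description ADA.<name>."""
    name = covering_profile(profiles, "ADA." + application)
    if name is None:
        return ("NO PROFILE", None)  # RACF has nothing to base a decision on
    acl = profiles[name]["acl"]
    if user in acl:
        have = acl[user]
    else:
        via_groups = [acl[g] for g in groups.get(user, []) if g in acl]
        have = max(via_groups) if via_groups else profiles[name]["uacc"]
    return ("ALLOW" if have >= level(needed) else "DENY", name)


def without_backstop():
    lines = RACF_COMMANDS.strip().splitlines()
    return build("\n".join(l for l in lines if " ADA.** " not in l))


if __name__ == "__main__":
    profiles = build(RACF_COMMANDS)
    for user, app in [("ITUSER01", "PAYR1APPL001"), ("ITUSER01", "PAYR2APPZZZ"),
                      ("ITUSER01", "BANKAPP1"), ("ITUSER95", "REPTBAPPL001")]:
        print(user, app, decide(profiles, GROUPS, user, app))
    print("no backstop:", decide(without_backstop(), GROUPS, "ITUSER01", "BANKAPP1"))
```

The last line shows why the catch-all matters: without ADA.**, a name such as BANKAPP1 is covered by no profile at all, so the "cannot define/update" result for it depends on a backstop being in place.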
Command Verifier Scenario with new IWSz enhancements
▪ Suppose we need to establish an IWSz RACF compliance rule saying that:
  – PAYROLL administrators can define IWSz command resources, based on the payroll batch applications their teams are responsible for testing
    • PAYROLL application testers can test only IWSz Payroll RERUN in the Current Plan
  – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for testing
    • REPORTING application testers can test only IWSz browse joblog in the Current Plan
▪ There will be 3 types of roles in this scenario as well:
  – RACF administrator
  – PAYROLL administrator and REPORTING administrator
  – PAYROLL testers and REPORTING testers
Note: We assume here that all appropriate Current Plan RACF protections have been performed for both PAYROLL and REPORTING applications!
Testing (last IWSz enhancements) DEVOPS Scenarios
▪ RACFADM is the RACF Administrator
  – Creates Command Verifier profiles to include PAYROLL and REPORTING commands
▪ IWSPAYR is the IWSz Payroll Administrator
  – Creates RACF profiles for Payroll tester groups
▪ IWSREPT is the IWSz Reporting Administrator
  – Creates RACF profiles for Reporting tester groups
▪ IWSGPAYT is the IWSz Payroll tester group
  – Users connected to this RACF group can test only the RERUN (R) command related to PAYROLL occurrences
▪ IWSGRPTT is the IWSz Reporting tester group
  – Users connected to this RACF group can test only the BROWSE JOBLOG (L) command related to REPORTING occurrences
Enable the different R and L commands in IWSz
▪ IWSz PARMLIB
  – AUTHDEF CLASS(IBMOPC)
            SUBRESOURCES(CP.COMMAND5,
                         CP.COMMAND7)
            COMMAND5(R)
            COMMAND7(L)
▪ RACFADM
  – RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
  – RDEF C4R C4R.IBMOPC.ID.CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
  – RDEF C4R C4R.IBMOPC.ID.CP.COMMAND7 UACC(N) OWNER(IWSREPT)
▪ IWSPAYR
  – RDEF IBMOPC CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
  – PERMIT CP.COMMAND5 ACCESS(U) ID(IWSGPAYT) CLASS(IBMOPC)
▪ IWSREPT
  – RDEF IBMOPC CP.COMMAND7 UACC(N) OWNER(IWSREPT)
  – PERMIT CP.COMMAND7 ACCESS(U) ID(IWSGRPTT) CLASS(IBMOPC)
Results
Considering that appropriate Current Plan RACF protections have been done for both PAYROLL and REPORTING applications, we will get:
▪ ITUSER51 is connected to IWSGPAYT
  – ITUSER51 can access IBM Workload Scheduler for z/OS
    • He/She can test the RERUN command on all PAYROLL occurrences
    • He/She cannot test any other command
▪ ITUSER73 is connected to IWSGRPTT
  – ITUSER73 can access IBM Workload Scheduler for z/OS
    • He/She can test the BROWSE JOBLOG command on all REPORTING occurrences
    • He/She cannot test any other command
Thank You

TWS zcentric Proof of Technology (from 2013 European Tour)
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

IBM Workload Scheduler for z/OS Security with RACF & IBM zSecure

  • 1. IBM Systems & IBM Security, © 2018 IBM Corporation
      IBM zSystems IT Service Management
      IBM Workload Scheduler for z/OS Security with RACF & IBM zSecure: Best Practices
      Domenico (Nico) Chillemi, IBM Executive IT Specialist, nicochillemi@it.ibm.com
  • 2. zSystems & zSecurity: Ciao
      IBM Mainframe; 50 years old; Strong Batch experience; IBM Academy of Technology; z Platform Initiatives Leader; zChampion
      IBM Workload Scheduler; RACF & zSecure; zStorage Rocket Tools; System Automation; Log Analytics Tools
  • 3. zSecure components (diagram; labels only): RACF commands, RACF db, SMF, RACF, zSecure Admin, zSecure Alert, zSecure Audit, z/OS + UNIX + DB2 + CICS + IMS configuration info, z/OS, DB2, CICS, SAF, zSecure Visual, zSecure CICS Toolkit, zSecure Command Verifier, SIEM, Other
  • 4. IBM Workload Scheduler for z/OS components (diagram; labels only): Info Mgmt, IWS for z/OS/ES A, Monitoring, ALLSYSTEMS, CITY1, CITY2, CITY3, ISPF, z/OS Domain, IWS z/OS Agents, IBM Workload Console, WebSphere Application Server, IWS Distributed, zCentric Agents, IWS z/OS Engine, Sysplex, MAS, DASD, XCF, FTP
  • 5. Main IWSz concepts and objects
      ▪ Database
        – Batch applications
        – Workstations
        – Calendars
      ▪ Plans
        – Long Term Plan
        – Current Plan
      ▪ Run Cycles
      ▪ JOBs
      ▪ Generic Operations
      ▪ Commands
      ▪ JOBLOGs
      ▪ .....
  • 6. IBM Workload Scheduler for z/OS - What to consider for protection
      ▪ IWSz data sets
        – This can be done simply by protecting all the data sets that the IWSz address spaces need in order to start
      ▪ Subsystem (Controller/Tracker/Server) USERID
        – Any IWSz address space needs to be associated with a user, which can be the same for more than one subsystem
        – This user has to be registered in the STARTED RACF class
      ▪ IWSz Subsystems
        – Any direct access to IWSz, or access via any kind of interface (Console, API, etc.), can be prevented or authorized through the APPL RACF class
      ▪ IWSz Objects
        – Any access to AD or CP, or for example to specific IWSz jobs, can be prevented or authorized
      ▪ IWSz Commands
        – One or more typical IWSz commands can be prevented or authorized
  • 7. IWSz - What to consider for protection (RACF)
      ▪ IWSz data sets
          ADDSD IWS.V9R3.** UACC(N) OWNER(NICO)
          PERMIT IWS.V9R3.** ACC(ALTER) ID(IWSUSER AdminGrup)
      ▪ Subsystem (Controller/Tracker) USERID
          ADDUSER IWSSTC DFLTGRP(Admin) OWNER(NICO) NOPASSWORD ....
          RDEF STARTED IWS*.* STDATA( USER(IWSSTC) .....)
          PERMIT IWS.V9R3.** ACC(ALTER) ID(IWSSTC)
      ▪ IWSz Subsystems
          RDEF APPL IWS9 UACC(N) OWNER(NICO)
          PERMIT IWS9 CLASS(APPL) ACC(R) ID(.......)
  • 8. IWSz - What to consider for protection (zSecure)
  • 9. Protect IWSz Objects with RACF
      ▪ One dedicated RACF Class, already defined in RACF
        – IBMOPC dedicated RACF Class
          • Automatically activated
          • We can have others dedicated, to be defined to RACF
        – Activated in IWSz with the AUTHDEF initialization statement
      ▪ Other RACF classes can be defined in RACF
        – Dynamically or via job
      ▪ Two protection levels
        – IWSz Fixed Resources (AD, WS, LT, CP, ...)
          • All activated if IBMOPC is activated both in RACF and in AUTHDEF
        – IWSz Subresources (specific objects inside each resource)
          • Only those specified in the AUTHDEF initialization statement are activated
  • 10. IBM Workload Scheduler for z/OS Parameters Example
      ▪ IWSz PARMLIB
        – IWSz Fixed Resources
            AUTHDEF CLASS(IBMOPC)
        – IWSz Subresources
            AUTHDEF CLASS(IBMOPC) SUBRESOURCES(AD.ADNAME, AD.OWNER, WS.WSNAME, LT.ADNAME, CP.JOBNAME, JS.JOBNAME, .....)
      ▪ RACF Resource
            ADA.**
            ADO.**
            CPJ.**
  • 11. Fixed Resources protection (1st level)
      ▪ Application Description, Current Plan, JS, etc.
          RDEF IBMOPC (AD) UACC(N)
          RDEF IBMOPC (CP) UACC(N)
          RDEF IBMOPC (JS) UACC(N)
          …
          PERMIT AD CLASS(IBMOPC) ACC(U) ID(Admin)
          PERMIT CP CLASS(IBMOPC) ACC(U) ID(Admin)
          PERMIT JS CLASS(IBMOPC) ACC(U) ID(Admin)
          …
          PERMIT AD CLASS(IBMOPC) ACC(U) ID(Grup1)
          PERMIT CP CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
          PERMIT JS CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2 Grup3)
  • 12. Subresources protection (2nd level)
      ▪ Specific applications, specific jobs, etc.
        – Applications by owner-name
            RDEF IBMOPC (ADO.NIC*) UACC(N)
            PERMIT ADO.NIC* CLASS(IBMOPC) ACC(U) ID(Admin)
        – Long term plan objects by application-name
            RDEF IBMOPC (LTA.APPL1*) UACC(N)
            PERMIT LTA.APPL1* CLASS(IBMOPC) ACC(U) ID(Grup1)
        – Current plan objects by job-name
            RDEF IBMOPC (CPJ.J01*) UACC(N)
            PERMIT CPJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup1 Grup2)
        – JS objects by job-name
            RDEF IBMOPC (JSJ.J01*) UACC(N)
            PERMIT JSJ.J01* CLASS(IBMOPC) ACC(U) ID(Grup3)
  • 13. zSecure – Fixed Resources and Subresources
  • 14. © 2016 IBM Corporation. Enhanced Security in Workload Automation for z/OS (last IWSz 9.3 SPE)
      Value / Solution
      ▪ More granularity in security access helps guarantee product stability
      ▪ Secure actions, in addition to data
      ▪ Security access can now be controlled at any level, from object level down to action level
  • 15. IWSz Security Enhancements
      • Define actions as sub-resources in AUTHDEF statement
          AUTHDEF COMMAND1(J,ARC,…) SUBRESOURCES(CP.ADDOPER, CP.COMMAND1)
      • Use RACF commands to provide/deny access to users
          RDEF IBMOPC CP.ADDOPER
          PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)

      Fixed resource   Subresource & RACF resource name   Description
      CP               CP.ADD                             Add workload (occurrences or operations)
                       CP.MODIFY                          Modify attributes
                       CP.DELETE                          Delete workload (occurrences or operations)
                       CP.COMMANDx                        Line commands
                       CP.ADDOPER                         Add operations
                       CP.DELOPER                         Delete operations
                       CP.MODOPER                         Modify operations
                       CP.ADDDEP                          Add dependencies
                       CP.DELDEP                          Delete dependencies
                       CP.MODDEP                          Modify dependencies
                       CP.MODOPSTAT                       Modify operation status

      Occurrence Commands
      • RG       Remove from group
      • DG       Delete group
      • CG       Complete group
      • C        Complete an occurrence
      • W        Set waiting
      • R        Rerun

      Operation Commands
      ▪ J        Edit JCL (J command resource)
      ▪ MH, MR   Manual Hold, Manual Release (MR, MH command resources)
      ▪ NP, UN   NOP, UN NOP (NP, UN command resources)
      ▪ K        Kill (K command resource)
      ▪ EX       Execute (EX command resource)
      ▪ JR/FJR   JT, Fast path JR (JR command resource)
      ▪ SR/FSR   SR, Fast path SR (SR command resource)
      ▪ SC/FSC   SC, Fast path SC (SC command resource)
      ▪ SJR      Simple Job Restart Execute (SJR command resource)
      ▪ R        Reset Status (MODOPSTAT resource)
      ▪ BIND     Bind operation (BND command resources)
      ▪ N        Set NEXT logical status (MODOPSTAT resource)
      ▪ N-x      Set specific status (MODOPSTAT resource)
  • 16. Enhanced IWSz Security - Scenarios
      People: Tim, the System Administrator; Jason, the Scheduler; Jane, the Application Developer
      1. Tim can now authorize Jason, the Scheduler, to add operations to the Current Plan. At the same time, he can prevent him from adding new occurrences.
      2. Tim can secure a set of commands, creating new User Profiles.
         • He can authorize Jane to perform a recovery action, but prevent her from editing a job
         • He can authorize Jason to Complete and Rerun an existing occurrence, but prevent him from adding new occurrences
  • 17. Enhanced IWSz Security - Scenarios
      1. To allow Jason to add operations but not occurrences:
         • Define the CP.ADD and CP.ADDOPER subresources in the AUTHDEF statement
             SUBRESOURCES(CP.ADD,CP.ADDOPER)
         • Define them to RACF and give universal NONE access by default
             RDEF IBMOPC CP.ADD
             RDEF IBMOPC CP.ADDOPER
         • Give user Jason update access to the CP.ADDOPER resource
             PERMIT CP.ADDOPER ID(MARNIE) ACCESS(UPDATE) CLASS(IBMOPC)
      2. To allow Jane to perform “ARC” (Automatic Recovery) and Jason to perform “C” (Complete occurrence) and “R” (Rerun Occurrence) commands:
         • Define the CP.COMMANDx subresources in the AUTHDEF
             AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R) SUBRESOURCES(CP.COMMAND1)
         • Define to RACF
             RDEF IBMOPC CP.COMMAND1
         • Give Jane update access to CP.COMMAND1
             PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)
  • 18. Subresources protection with the last IWSz 9.3 SPEs
      ▪ AUTHDEF in IWSz PARM
          AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R) SUBRESOURCES(CP.COMMAND1)
      ▪ RACF RESOURCE DEFINITION
          RDEF IBMOPC CP.COMMAND1
      ▪ PERMIT TO DEVELOPERS
          PERMIT CP.COMMAND1 ID(Grup3) ACCESS(UPDATE) CLASS(IBMOPC)
  • 19. IBM New Security Enhancements Parameters Example
      ▪ IWSz PARMLIB
          AUTHDEF CLASS(IBMOPC) SUBRESOURCES(CP.COMMAND1, CP.COMMAND2, .....) COMMAND1(ARC, C, R) COMMAND2(M, L) ...
      ▪ RACF Resource
          CP.COMMAND1
          CP.COMMAND2
  • 20. Quick zSecure Scenario - IWSz 9.3 SPE example
  • 21. zSecure Command Verifier and IWSz
      ▪ When acting on resources in RACF, the SPECIAL attribute is often required
      ▪ This can be a problem in IWSz too, since a SPECIAL user can do much more
      ▪ RACF alone does not solve this problem
      ▪ zSecure Command Verifier makes it possible to limit the power of SPECIAL users
      ▪ IWSz can benefit strongly from this zSecure capability
  • 22. zSecure Command Verifier in Action (diagram; labels only): RACF db mgr, TSO/ISPF, RACF commands + output, zSecure Admin Cmds, RACF commands, RACF profiles, Command Verifier EXIT, Policy, SMF
  • 23. zSecure CV Best Practices examples with IWSz
      ▪ Suppose you would like to establish an IWSz RACF compliance rule stating that the development people inside a department can define only IWS Application Description profiles for applications starting with TIV*.
      ▪ The objective is to prevent RACF from accepting any IWS profile creation issued by a user belonging to the TIVCFG group, other than an IWS Application Description profile matching the TIV* wildcard.
      ▪ The first thing to do is to define the generic C4R profile saying that TIVCFG cannot add IWS for z/OS profiles
      ▪ This is done by adding the C4R.IBMOPC.ID.* profile to the C4R class
  • 24. zSecure CV Best Practices examples with IWSz
  • 25. zSecure CV Best Practices examples with IWSz (figure labels: YES, NO)
  • 26. Typical zSecure Command Verifier DEVOPS Scenario with IBM Workload Scheduler for z/OS
      ▪ Suppose we need to establish an IWSz RACF compliance rule stating that:
        – PAYROLL administrators can define IWSz resources, based on the payroll batch applications their teams are responsible for
          • PAYROLL application developers can define only the IWSz applications they are responsible for
        – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for
          • REPORTING application developers can define only the IWSz applications they are responsible for
      ▪ There will be 3 types of roles in this scenario:
        – RACF administrator
        – PAYROLL administrator and REPORTING administrator
        – PAYROLL developers and REPORTING developers
  • 27. PAYROLL and REPORTING DEVOPS Scenarios
      ▪ RACFADM is the RACF Administrator
        – Creates Command Verifier profiles to authorize PAYROLL and REPORTING administrators, with SPECIAL attribute, to create only specific PAYROLL and REPORTING IWSz RACF profiles
      ▪ IWSPAYR is the IWSz Payroll Administrator
        – Creates RACF profiles for different Payroll IWSz applications
      ▪ IWSREPT is the IWSz Reporting Administrator
        – Creates RACF profiles for different Reporting IWSz applications
      ▪ IWSGPAY1 is the IWSz Payroll Application Developers 1 Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR1
      ▪ IWSGPAY2 is the IWSz Payroll Application Developers 2 Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with PAYR2
      ▪ IWSGRPT1 is the IWSz Reporting Application Developers A Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTA
      ▪ IWSGRPTB is the IWSz Reporting Application Developers B Team
        – Users connected to this RACF group will be authorized to define only IWSz applications with names starting with REPTB
  • 28. Administrators work in this scenario
      ▪ RACFADM
          RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
          RDEF C4R C4R.IBMOPC.ID.ADA.PAYR* UACC(N) OWNER(IWSPAYR)   → 1st line
          RDEF C4R C4R.IBMOPC.ID.ADA.REPT* UACC(N) OWNER(IWSREPT)   → 2nd line
      ▪ IWSPAYR
          RDEF IBMOPC ADA.PAYR1* UACC(N) OWNER(IWSPAYR)   → matches (1st line)
          RDEF IBMOPC ADA.PAYR2* UACC(N) OWNER(IWSPAYR)   → matches (1st line)
          PERMIT ADA.PAYR1* ACCESS(U) ID(IWSGPAY1) CLASS(IBMOPC)
          PERMIT ADA.PAYR2* ACCESS(U) ID(IWSGPAY2) CLASS(IBMOPC)
      ▪ IWSREPT
          RDEF IBMOPC ADA.REPTA* UACC(N) OWNER(IWSREPT)   → matches (2nd line)
          RDEF IBMOPC ADA.REPTB* UACC(N) OWNER(IWSREPT)   → matches (2nd line)
          PERMIT ADA.REPTA* ACCESS(U) ID(IWSGRPTA) CLASS(IBMOPC)
          PERMIT ADA.REPTB* ACCESS(U) ID(IWSGRPTB) CLASS(IBMOPC)
  • 29. Results
      ▪ ITUSER01 is connected to IWSGPAY1
        – ITUSER01 can access IBM Workload Scheduler for z/OS
          • He/She can define/update PAYR1APPL001, PAYR1APPLXXX, ...
          • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
      ▪ ITUSER25 is connected to IWSGPAY2
        – ITUSER25 can access IBM Workload Scheduler for z/OS
          • He/She can define/update PAYR2APPL001, PAYR2APPLXXX, ...
          • He/She cannot define/update PAYR1APPZZZ, REPTBAPPKKK, BANKAPP1, ...
      ▪ ITUSER71 is connected to IWSGRPTA
        – ITUSER01 can access IBM Workload Scheduler for z/OS
          • He/She can define/update REPTAAPPL001, REPTAAPPLXXX, ...
          • He/She cannot define/update PAYR2APPZZZ, REPTBAPPKKK, BANKAPP1, ...
      ▪ ITUSER95 is connected to IWSGRPTB
        – ITUSER25 can access IBM Workload Scheduler for z/OS
          • He/She can define/update REPTBAPPL001, REPTBAPPLXXX, ...
          • He/She cannot define/update PAYR2APPZZZ, REPTAAPPKKK, BANKAPP1, ...
  • 30. Command Verifier Scenario with new IWSz enhancements
      ▪ Suppose we need to establish an IWSz RACF compliance rule stating that:
        – PAYROLL administrators can define IWSz command resources, based on the payroll batch applications their teams are responsible for testing
          • PAYROLL application testers can test only IWSz Payroll RERUN in the Current Plan
        – REPORTING administrators can define IWSz resources, based on the reporting batch applications their teams are responsible for testing
          • REPORTING application testers can test only IWSz browse joblog in the Current Plan
      ▪ There will be 3 types of roles in this scenario too:
        – RACF administrator
        – PAYROLL administrator and REPORTING administrator
        – PAYROLL testers and REPORTING testers
      Note: We assume here that all appropriate Current Plan RACF protections have been performed for both PAYROLL and REPORTING applications!
  • 31. Testing (last IWSz enhancements) DEVOPS Scenarios
      ▪ RACFADM is the RACF Administrator
        – Creates Command Verifier profiles to include PAYROLL and REPORTING commands
      ▪ IWSPAYR is the IWSz Payroll Administrator
        – Creates RACF profiles for Payroll tester groups
      ▪ IWSREPT is the IWSz Reporting Administrator
        – Creates RACF profiles for Reporting tester groups
      ▪ IWSGPAYT is the IWSz Payroll tester group
        – Users connected to this RACF group can test only the RERUN (R) command related to PAYROLL occurrences
      ▪ IWSGRPTT is the IWSz Reporting tester group
        – Users connected to this RACF group can test only the BROWSE JOBLOG (L) command related to PAYROLL occurrences
  • 32. Enable R and L different commands in IWSz
      ▪ IWSz PARMLIB
          AUTHDEF CLASS(IBMOPC) SUBRESOURCES(CP.COMMAND5, CP.COMMAND7) COMMAND5(R) COMMAND7(L)
      ▪ RACFADM
          RDEF C4R C4R.IBMOPC.ID.** UACC(N) OWNER(RACFADM)
          RDEF C4R C4R.IBMOPC.ID.CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
          RDEF C4R C4R.IBMOPC.ID.CP.COMMAND7 UACC(N) OWNER(IWSREPT)
      ▪ IWSPAYR
          RDEF IBMOPC CP.COMMAND5 UACC(N) OWNER(IWSPAYR)
          PERMIT CP.COMMAND5 ACCESS(U) ID(IWSGPAYT) CLASS(IBMOPC)
      ▪ IWSREPT
          RDEF IBMOPC CP.COMMAND7 UACC(N) OWNER(IWSREPT)
          PERMIT CP.COMMAND7 ACCESS(U) ID(IWSGRPTT) CLASS(IBMOPC)
  • 33. Results
      Considering that appropriate Current Plan RACF protections have been done for both PAYROLL and REPORTING applications, we will get:
      ▪ ITUSER51 is connected to IWSGPAYT
        – ITUSER51 can access IBM Workload Scheduler for z/OS
          • He/She can test the RERUN command on all PAYROLL occurrences
          • He/She cannot test any other command
      ▪ ITUSER73 is connected to IWSGRPTT
        – ITUSER73 can access IBM Workload Scheduler for z/OS
          • He/She can test the BROWSE JOBLOG command on all REPORTING occurrences
          • He/She cannot test any other command
  • 34. Thank You
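
Slides 9, 10 and 17 to 19 depend on the AUTHDEF statement and the RACF definitions agreeing with each other: a subresource is only activated if AUTHDEF lists it, and a PERMIT only helps if the profile was defined. The Python checker below is an added example, not part of the original deck or of any IBM product; its function names, finding labels and sample input are constructed here, and profile coverage is simplified to a name/prefix comparison instead of full RACF generic matching.

```python
import re

# AUTHDEF subresource -> RACF resource-name prefix, for the pairs shown on
# slides 10 and 12. Action-level subresources (CP.ADDOPER, CP.COMMAND1, ...)
# use the subresource name itself as the RACF resource name (slide 15).
# Extend this table for subresources the deck does not spell out.
NAME_PREFIX = {"AD.ADNAME": "ADA", "AD.OWNER": "ADO", "LT.ADNAME": "LTA",
               "CP.JOBNAME": "CPJ", "JS.JOBNAME": "JSJ"}
FIXED = {"AD", "WS", "LT", "CP", "JS"}  # fixed resources named on the slides


def _operand(keyword, text):
    """Values inside KEYWORD(...), split on commas/blanks; None if absent."""
    m = re.search(r"\b" + keyword + r"\(([^)]*)\)", text, re.I)
    if m is None:
        return None
    return [v.upper() for v in re.split(r"[,\s]+", m.group(1).strip()) if v]


def parse_authdef(text):
    """Return (set of SUBRESOURCES, {n: [commands]} taken from COMMANDn(...))."""
    subs = set(_operand("SUBRESOURCES", text) or [])
    cmds = {}
    for n, body in re.findall(r"\bCOMMAND(\d+)\(([^)]*)\)", text, re.I):
        cmds[int(n)] = [c.upper() for c in re.split(r"[,\s]+", body.strip()) if c]
    return subs, cmds


def parse_racf(text, racf_class="IBMOPC"):
    """Collect RDEF profile names and PERMIT targets for one RACF class."""
    defined, permits = set(), []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        verb = words[0].upper()
        if verb in ("RDEF", "RDEFINE") and len(words) >= 3:
            if words[1].upper() == racf_class:
                defined.add(words[2].strip("()").upper())
        elif verb in ("PE", "PERMIT"):
            if (_operand("CLASS", line) or [""])[0] == racf_class:
                permits.append((words[1].upper(), _operand("ID", line) or []))
    return defined, permits


def subresource_of(profile):
    """AUTHDEF subresource that activates checking of an IBMOPC profile.
    None means a fixed resource, which needs no SUBRESOURCES entry."""
    if profile in FIXED:
        return None
    head = profile.split(".", 1)[0]
    for sub, prefix in NAME_PREFIX.items():
        if head == prefix:
            return sub
    return profile  # action-level: resource name equals subresource name


def audit(authdef_text, racf_text):
    """Cross-check AUTHDEF against RACF commands; return (finding, name) pairs.
    Simplification: coverage is a name/prefix comparison, not generic matching."""
    subs, cmds = parse_authdef(authdef_text)
    defined, permits = parse_racf(racf_text)
    findings = []
    for sub in sorted(subs):
        if "." not in sub:  # every subresource on the slides is XX.NAME
            findings.append(("MALFORMED_SUBRESOURCE", sub))
            continue
        prefix = NAME_PREFIX.get(sub, sub)
        if not any(p == prefix or p.startswith(prefix + ".") for p in defined):
            findings.append(("NO_PROFILE_FOR_SUBRESOURCE", sub))
        m = re.fullmatch(r"CP\.COMMAND(\d+)", sub)
        if m and int(m.group(1)) not in cmds:
            findings.append(("NO_COMMAND_LIST", sub))
    for n in sorted(cmds):
        if "CP.COMMAND%d" % n not in subs:
            findings.append(("COMMAND_LIST_NOT_ACTIVATED", "COMMAND%d" % n))
    for profile in sorted(defined):
        # Slide 9: only subresources listed in AUTHDEF are activated, so a
        # profile whose subresource is missing from the list is not activated.
        sub = subresource_of(profile)
        if sub is not None and sub not in subs:
            findings.append(("PROFILE_NOT_ACTIVATED", profile))
    for profile, _ids in permits:
        if profile not in defined:
            findings.append(("PERMIT_WITHOUT_RDEF", profile))
    return findings


# Constructed sample with deliberate mistakes, in the syntax the slides use.
SAMPLE_AUTHDEF = ("AUTHDEF CLASSNAME(IBMOPC) COMMAND1(ARC, C, R) "
                  "SUBRESOURCES(CP.ADD,CPADDOPER,CP.COMMAND1)")
SAMPLE_RACF = """
RDEF IBMOPC CP.ADD
RDEF IBMOPC CP.ADDOPER
RDEF IBMOPC JSJ.J01* UACC(N)
PERMIT CP.ADDOPER ID(JASON) ACCESS(UPDATE) CLASS(IBMOPC)
PERMIT CP.COMMAND1 ID(JANE) ACCESS(UPDATE) CLASS(IBMOPC)
"""

if __name__ == "__main__":
    for finding, name in audit(SAMPLE_AUTHDEF, SAMPLE_RACF):
        print(finding, name)
```

On the constructed sample the checker reports the misspelled subresource, the CP.ADDOPER and JSJ.J01* profiles that AUTHDEF never activates, and the PERMIT on CP.COMMAND1 that has no matching RDEF.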