Re: RACF Automation (Cross Posted)
The last major RACF project I architected was for something I presume would probably fit your client's bill here. Some of the necessary elements we incorporated were:

Delegated (though not via RACF means) ownership of all RACF general resource and dataset profiles, thereby making sure that there were people distributed throughout the organisation who a) knew what their security requirements were, at least conceptually, and b) took responsibility for authorising requests for access to or changes made to the RACF definitions they 'owned'.

A naming convention that meant ownership of RACF definitions was able to be related to specific application systems (z/OS itself was considered just another application system running on the mainframe also; its owner was of course the systems programming management).

A request workflow that walked ordinary users through the process of raising a change record for RACF definitions. We used ServiceNow for this, with heavily customised workflows that linked into a Configuration Management Database that was a mirror, refreshed frequently, of the content of the RACF database. The previously mentioned CMDB was an essential part of ensuring that we had auditable, documented, reliable oversight (governance they like to call it nowadays) of the process of RACF change management. The CMDB relied heavily on the naming convention being used to identify which application (and therefore which responsible Owner) would be allowed to authorise requests.

An in-house written started task that issued the necessary RACF commands based on authorised changes coming through the ServiceNow workflow.

Standardisation of the format for Installation Data, which we used to describe things such as a profile's security classification, i.e. Public, Internal, Confidential, Secret; something like that, the labels are up to you. This 'data classification' was used to provide different versions of the ServiceNow workflow to suit the sensitivity of the resources being manipulated. (I would have liked to use/abuse SECLABEL/SECLEVEL for this but that made some people nervous :-)

A lot of SMF based audit reports, especially with respect to the more highly classified resource profiles.

Two years' work with a couple of sysprogs, a project manager and assistant, plus a great deal of support from the organisation's management to get this task done. The alternative was that we were going to need a team of a minimum of 4 people with solid RACF knowledge to be available as mainframe security management, so the cost benefit analysis was quite crystal clear.

There were many other considerations that our RACF Automation project had to consider, and we solved a lot of other historical audit related issues during the process also, and were very fortunate that we could implement some world's best practice mainframe security constructs (i.e. separating all batch access on an application by application basis) as a part of the project.

Happy to discuss offline in case anyone is interested.

Cheers - Mike

PS: the organisation already had a fully integrated IAM solution for provisioning mainframe access and an RBAC-like construct for this; that's the easy part. Anyone without this nowadays is simply dragging the chain.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
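As an added illustration of the authorisation chain Mike describes (naming convention identifies the owner, Installation Data classification selects the workflow variant, and the started task only issues a command for a fully authorised change), here is an example written for this thread; it is not code from the original post or from his project. The CMDB entries, the INSTDATA key format, the owner table and the approval tiers are all constructed assumptions.

```python
import re

# Constructed CMDB mirror of RACF profiles; INSTDATA assumed to follow 'SECCLASS=<label>;APP=<code>'.
CMDB = {
    "PAYR.PROD.**":      {"class": "DATASET",  "instdata": "SECCLASS=CONFIDENTIAL;APP=PAYR"},
    "PAYR.TEST.**":      {"class": "DATASET",  "instdata": "SECCLASS=INTERNAL;APP=PAYR"},
    "SYS1.PARMLIB":      {"class": "DATASET",  "instdata": "SECCLASS=SECRET;APP=ZOS"},
    "PAYR.BATCH.SUBMIT": {"class": "FACILITY", "instdata": "SECCLASS=CONFIDENTIAL;APP=PAYR"},
}
# Naming convention: the APP code (or, failing that, the high-level qualifier)
# identifies the application system, and each application has one registered owner.
OWNERS = {"PAYR": "payroll-owner", "ZOS": "sysprog-mgmt"}
# Workflow variant per classification: the approval roles that must be recorded on
# the change record before the started task issues a command (assumed tiers).
APPROVALS = {
    "PUBLIC":       {"owner"},
    "INTERNAL":     {"owner"},
    "CONFIDENTIAL": {"owner", "security"},
    "SECRET":       {"owner", "security", "ciso"},
}

def parse_instdata(text: str) -> dict:
    """Parse the standardised INSTDATA 'KEY=VALUE;KEY=VALUE' string into a dict."""
    return dict(kv.split("=", 1) for kv in text.split(";") if "=" in kv)

def evaluate(profile: str, userid: str, access: str, approved_by: dict) -> dict:
    """Decide whether a PERMIT request is fully authorised and build the command.
    approved_by maps approval role -> approver, as recorded on the change record."""
    entry = CMDB.get(profile)
    if entry is None:
        return {"ok": False, "reason": "profile not in CMDB mirror"}
    meta = parse_instdata(entry["instdata"])
    app = meta.get("APP") or profile.split(".")[0]
    owner = OWNERS.get(app)
    if owner is None:
        return {"ok": False, "reason": f"no owner registered for application {app}"}
    level = meta.get("SECCLASS", "SECRET")  # unlabelled profile: treat as most sensitive
    result = {"ok": False, "owner": owner, "workflow": level}
    # The registered application owner, nobody else, must sign the 'owner' approval.
    if approved_by.get("owner") != owner:
        return {**result, "reason": "owner approval missing"}
    missing = APPROVALS[level] - set(approved_by)
    if missing:
        return {**result, "reason": "missing approvals: " + ", ".join(sorted(missing))}
    if not re.fullmatch(r"[A-Z0-9@#$]{1,8}", userid) or access not in {"READ", "UPDATE", "ALTER"}:
        return {**result, "reason": "malformed request"}
    # Dataset profile names are quoted in TSO commands; general resource names are not.
    name = f"'{profile}'" if entry["class"] == "DATASET" else profile
    cmd = f"PERMIT {name} CLASS({entry['class']}) ID({userid}) ACCESS({access})"
    return {**result, "ok": True, "command": cmd}
```

An unknown profile, an unregistered application, or an approval signed by anyone other than the registered owner is rejected before any command text is produced, which is the property the CMDB-driven workflow is there to guarantee.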
Re: RACF Automation (Cross Posted)
Try Vanguard software. http://www.go2vanguard.com/
Re: RACF Automation (Cross Posted)
ACF2 has since added full support for RACF-style groups, and some ACF2 shops have made the change to using those instead of UID strings. This was before that, though, and I'm pretty sure they handled it by storing, for each role, groups of UID strings. I don't remember the details of how that worked, but I was their ETL guy and I remember creating lots of mass-import data for pouring into SAM-Jupiter. The problem is it was more than twenty years ago, so it's all pretty fuzzy...

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* It's extremely difficult to distinguish a Canadian from an American. In fact the most reliable way of doing so is to make that observation in the presence of a Canadian. -attributed at the Gunroom to a "British man of letters" */
Re: RACF Automation (Cross Posted)
On Thu, 25 Jan 2024 17:51:46 -0500, Bob Bridges wrote:

>Back when my client in Ohio installed it, we called it "Sam-Jupiter".

It appears that Beta Systems acquired the product and call it Beta-Access. https://www.betasystems.com/en/products/beta-access/ It also appears they removed everything except for RACF support.

> The client seemed content with their choice, although it was
> really designed to work with RACF and this is an ACF2 client.

RACF had groups which made implementing role-based administration easier. ACF2 and Top-Secret have a different architecture which made some customer implementations burdensome to implement within SAM. It also had performance implications. However, it had the benefit for customers acquiring other companies where they could use the same SAF logic regardless of the SAF products being used. It also allowed conversion between SAF products.
Re: RACF Automation (Cross Posted)
Back when my client in Ohio installed it, we called it "Sam-Jupiter". I don't know what the extra name implies. The client seemed content with their choice, although it was really designed to work with RACF and this is an ACF2 client. Also Sailpoint, but I think you mentioned that possibility already.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Getting an inch of snow is like winning 10 cents in the lottery. -from _Calvin & Hobbes_ */
Re: RACF Automation (Cross Posted)
On Thu, 25 Jan 2024 10:15:57 -0600, Steve Beaver wrote:

>I don't even know if the product still exists. -- The closest IVP that I know
>of is OKTA.

See if SAM (Security Administration Manager) still exists (possibly rebranded). The company no longer exists but I found https://dl.acm.org/doi/pdf/10.1145/266741.266758 which described the product.

>The down side of ROLLING your own you have to administer and maintain it
>And no one wants to spend the couple hundred thousand to write and watch
>people retire.

You haven't defined the customer's expectation of "Automate RACF". To say "couple hundred thousand $" is meaningless because at this point you don't know the customer's problem. Maybe the customer simply needs standards that simplify and consolidate the process. Products like AutoOperator may simplify distribution of security definitions to a few simple execs. What is the problem that the customer is trying to solve? Maybe the customer will find an 80% solution written in 2 weeks is acceptable.
Re: RACF Automation (Cross Posted)
I don't even know if the product still exists. -- The closest IVP that I know of is OKTA. OKTA can administer lockouts and passwords. However, in our world there is nothing cheap and easy.

The downside of ROLLING your own is you have to administer and maintain it, and no one wants to spend the couple hundred thousand to write and watch people retire.

Steve
Re: RACF Automation (Cross Posted)
On Tue, 23 Jan 2024 12:39:47 -0600, Steve Beaver wrote:

>I have a customer that would like to AUTOMATE RACF.

Did you solve your problem? You need to clarify what AUTOMATE RACF means to the customer. What is the problem the customer is trying to solve? They can't mean automate. Security definitions require someone to fill in the blanks. Are they looking to simplify the process and streamline it with a company's security strategy?

I worked on a product that centralized security through a single interface (RACF, TopSecret, ACF2, Unix, Windows and others). It's been many years and I don't even know if the product still exists. If you can describe the problem, then we might have some suggestions to solve your problem.
RACF Automation (Cross Posted)
I have a customer that would like to AUTOMATE RACF. Personally I think this is heresy, but... I am aware of Sail Point, and it will automate changing passwords. Are there any tools/Program Products that can be used to provision IDs and update profiles without having the auditors looking for someone's scalp?

Regards,
Steve