Security

When a user requests access to a resource, RACF will check the access list of the associated profile to determine if the user has been permitted the appropriate authority. During this process, RACF may perform up to three inspections of the access list.

RACF first looks through the entire access list for any entry matching the user’s ID. If it finds a match, RACF decides whether to grant the access based on the level of access permitted. If RACF doesn’t find an entry matching the user ID, it then takes each of the user’s groups and looks through the access list for any entry matching the group name. RACF continues this process until it has checked every one of the user’s groups against every entry in the access list. If any of the groups matches an entry, RACF decides whether to grant the access based on the highest access permitted. If none of the user’s groups are in the access list, RACF performs a final check to see if ID * (any RACF defined user) is in the access list.

To improve performance, reduce both the number of entries in each access list and the number of groups to which each user is connected. As a measure of performance, multiply the number of groups to which a user is connected by the number of entries in the access list to calculate the number of comparisons to be made. The smaller the number, the faster the process. Good role-based access design and group consolidation can benefit performance and improve administration.

Avoid adding individual user IDs to access lists. Organize users into groups and grant the groups access to resources instead. Exceptions to this rule are started tasks, batch IDs, File Transfer Protocol (FTP) IDs, and other process type IDs. These usually have unique access needs that don’t lend themselves to grouping. Placing their IDs in the access list avoids needless group checks and boosts performance, since the user ID check occurs first.

 8 Replace OPERATIONS with storage administration authorities

It isn’t uncommon to find OPE RATIONS authority being used for bulk storage administration tasks such as backups or DASD reorganizations. Such tasks may result in hundreds of authorization checks, one for each data set involved. Each individual access is likely to be logged to SMF. It may be possible to avoid all these checks and associated logging through the effective use of storage administration- related authorities. These authorities include access to DASDVOL profiles, FACILITY class STGADMIN profiles, and ALTE R access to catalogs. A single authorization check to confirm the user has the proper storage administration authority may be enough to bypass all the individual data set access checks. Effective implementation of these other authorities may eliminate virtually all use of the powerful OPE RATIONS authority, which will likely please the auditors.

 9 Implement Sysplex coupling facility caching

RACF databases shared in a Sysplex can benefvit from Sysplex data sharing, which uses a coupling facility as a large store-through cache. Index and data blocks are stored in the cache, then fetched from there instead of the database. You can use a coupling facility with caching to improve performance even for a stand-alone, non-Sysplexed system. Statements in the coupling facility policy govern activation and extent of caching. As a rule, ensure the cache size is large enough to hold all non- RACLIST ed profiles.

 10 Cease gathering unnecessary statistics

SETROPTS STATISTICS (classname) causes the access counter in discrete, non- RACLIST ed profiles to be incremented for each access. This causes needless I/O. These rarely examined statistics are of little value. To improve performance, eliminate the recording of statistics for all classes by entering the command SETROPTS NOSTATISTICS(*).

 Conclusion

RACF is the focal point of high volumes of critical security requests from every system process; its performance affects the entire system. It offers a wealth of features and opportunities for optimizing the authorization process, minimizing database I/O, and making I/O more efficient. If properly tuned, RACF should go unnoticed. Otherwise, users may start clamoring for a reduction in security controls to lessen RACF ’s impact on their work. Implementing the tuning options and practices discussed here will help meet service-level commitments while retaining good security. Z

4 Pages