frank.ternest

RACF Security for Dynamic Rules in OPS/MVS

Discussion created by frank.ternest on Aug 9, 2018
Latest reply on Aug 14, 2018 by MarcelvanEk

One of the variables for OPSAOF security events is SEC.AUAORSNA.

When somebody is using Dynamic Rules, SEC.AUAORSNA (the current rule set name string) is set to *DYNAMIC.

But RACF doesn't like qualifiers such as *DYNAMIC:

Defining the profile

/* OPS/MVS OPSAOF */
RDEFINE XFACILIT OPSMVS.OPSAOF.*DYNAMIC.RULE1 +
 OWNER(G$PSYS) UACC(NONE)
RALT    XFACILIT OPSMVS.OPSAOF.*DYNAMIC.RULE1 +
 AUDIT(ALL(READ))
RALT    XFACILIT OPSMVS.OPSAOF.*DYNAMIC.RULE1 +
 DATA('OPS/MVS AOF DYNAMIC RULES')

results in

IKJ56702I INVALID ENTITY, OPSMVS.OPSAOF.*DYNAMIC.RULE1
IKJ56702I INVALID ENTITY, OPSMVS.OPSAOF.*DYNAMIC.RULE1
IKJ56702I INVALID ENTITY, OPSMVS.OPSAOF.*DYNAMIC.RULE1

It's possible to circumvent the problem by changing the SEC.AUAORSNA value *DYNAMIC to something like @DYNAMIC in the AOF security rule before using OPSECURE, which results in the following RACF definition:

RDEFINE XFACILIT OPSMVS.OPSAOF.@DYNAMIC.RULE1 +
 OWNER(G$PSYS) UACC(NONE)

But it doesn't show the real situation when an error occurs (a violation, for example).

The person who changed the rule will know it, but later on it will be difficult to find the link between @DYNAMIC rules and the documentation of CA Technologies.

As it's necessary to protect the rule sets in our environment, with different types of access as a refinement of the external security, I would like to know how others solved the problem.
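The name rewrite the post describes, as an added example that is not part of the original post or of CA's OPS/MVS or RACF code. This Python helper reproduces why the *DYNAMIC qualifier is rejected (using a simplified model of RACF generic profile naming, an assumption of the example rather than the real TSO/RACF parser), rewrites it to @DYNAMIC for the RDEFINE, and keeps the rewrite reversible so that a later violation report can show the original rule set name next to the RACF profile. All function names (invalid_qualifiers, to_racf_resource, to_aof_resource, explain_violation) and the sample names are constructed for this example.

```python
import re

# Simplified model of RACF profile-name syntax used in this example (an
# assumption, not the full RACF/TSO parser): a qualifier consists of
# alphanumeric and national (@ # $) characters, '%' may stand for one
# character, and '*' may only be an entire qualifier ('*' or '**') or the
# last character of a qualifier. An asterisk followed by other characters,
# as in *DYNAMIC, is therefore rejected.
QUALIFIER = re.compile(r"\*\*|\*|[A-Z0-9@#$%]+\*?")

# Value OPS/MVS puts into SEC.AUAORSNA for dynamic rules, and the
# replacement used in the RDEFINE shown in the post.
AOF_DYNAMIC = "*DYNAMIC"
RACF_DYNAMIC = "@DYNAMIC"


def invalid_qualifiers(resource):
    """Return the qualifiers of a dotted resource name that RACF would reject."""
    return [q for q in resource.split(".") if not QUALIFIER.fullmatch(q)]


def to_racf_resource(resource):
    """Rewrite the AOF resource name into one that RDEFINE accepts.

    Refuses names that already contain @DYNAMIC so the rewrite stays
    reversible: otherwise a genuine @DYNAMIC rule set and a rewritten
    *DYNAMIC one would be indistinguishable in the RACF audit trail.
    """
    quals = resource.split(".")
    if RACF_DYNAMIC in quals:
        raise ValueError("rule set name collides with the %s placeholder" % RACF_DYNAMIC)
    return ".".join(RACF_DYNAMIC if q == AOF_DYNAMIC else q for q in quals)


def to_aof_resource(resource):
    """Map a RACF resource name back to the original AOF rule set name."""
    return ".".join(AOF_DYNAMIC if q == RACF_DYNAMIC else q for q in resource.split("."))


def explain_violation(racf_resource):
    """Text a reviewer would want beside a violation: the RACF profile that
    was checked and the rule set name as OPS/MVS reported it."""
    aof = to_aof_resource(racf_resource)
    note = " (dynamic rule; *DYNAMIC rewritten for RACF)" if aof != racf_resource else ""
    return "%s -> %s%s" % (racf_resource, aof, note)


if __name__ == "__main__":
    # Constructed sample, taken from the RDEFINE that RACF rejected above.
    original = "OPSMVS.OPSAOF.*DYNAMIC.RULE1"
    print("rejected qualifiers:", invalid_qualifiers(original))
    safe = to_racf_resource(original)
    print("RDEFINE XFACILIT", safe)
    print(explain_violation(safe))
```

Keeping the mapping in one place, and refusing names that would collide with the placeholder, is what makes it possible to annotate SMF or violation reports with the real *DYNAMIC name later, which is the traceability problem the post raises.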
