Check: RACF0780
zOS RACF STIG:
RACF0780
(in versions v6 r43 through v6 r32)
Title
RACF Global Access Checking must be restricted to appropriate classes and resources (Cat II impact)
Discussion
RACF Global access checking can be used to improve the performance of RACF authorization checking for selected resources. The global access checking table is maintained in storage and is checked early in the RACF authorization checking sequence. If an entry in the global access checking table allows the requested access to a resource, RACF performs no further authorization checking. This can eliminate the need for I/O to the RACF database to retrieve a resource profile, which can result in substantial performance improvements. However, if an entry in the global access checking table allows a requested access to a resource, no auditing is done for the request, and the entry grants that access to every user the table applies to (users with the RESTRICTED attribute are the exception), not only to the users who need it. Capture of audit data ensures a historical record of individual user accountability, and that accountability is basic for forensic purposes.
Check Content
From a command input screen enter:

RL GLOBAL *

Alternately this can be viewed by following these steps. Refer to the following report produced by the RACF Data Collection:

- DSMON.RPT(RACGAC) – Examine the Global Access Checking entries.

If GLOBAL(*) is specified in SETROPTS, this is a finding.

The following entries may be allowed with the approval of the ISSM:

- DATASET class – ALTER access level to &RACUID.** (allows users all access to their own datasets)
- OPERCMDS class – READ access to MVS.MCSOPER.&RACUID (allows users access to the console for their own jobs)
- JESJOBS class – ALTER access to CANCEL.*.*.&RACUID (allows users to cancel their own jobs)
- JESJOBS class – ALTER access to SUBMIT.*.*.&RACUID (allows users to submit their own jobs)

The ISSM may allow other classes to be included after evaluation with the system programmer.

If any other members are included for Global Access Checking, this is a finding.

If written approval by the ISSM is not provided, this is a finding.
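The comparison the check describes (every GLOBAL member must be on the approved list, at no more than the approved access, with written ISSM approval, and SETROPTS GLOBAL(*) must not be in effect) is mechanical enough to script when it has to be repeated across many LPARs. The Python below is an added example, not part of the STIG text and not an IBM or DISA tool. It assumes a simplified, hand-built dump format (a CLASS line followed by resource/access member lines, mirroring the ADDMEM(resource/access) syntax in the Fix Text); the real RLIST GLOBAL * and DSMON RACGAC layouts differ and would need their own parser. It also assumes, as a design choice, that an approved resource listed with a less permissive access level than the approved maximum is compliant; the sample dump is constructed.

```python
"""Evaluate RACF Global Access Checking entries against the RACF0780
allow-list.  Added example: not part of the STIG text and not a RACF tool.

Assumptions (not from the page):
- Input is a simplified, hand-built dump of the GLOBAL profiles: one
  'CLASS <name>' line per class, followed by 'resource/access' member
  lines mirroring the ADDMEM(resource/access) syntax in the Fix Text.
  The real RLIST GLOBAL * / DSMON RACGAC output differs.
- An allow-listed resource with a LESS permissive access level than the
  approved maximum is treated as compliant.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RACF access authorities, least to most privileged.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Entries RACF0780 says the ISSM may approve: (class, resource) -> max access.
APPROVED = {
    ("DATASET", "&RACUID.**"): "ALTER",
    ("OPERCMDS", "MVS.MCSOPER.&RACUID"): "READ",
    ("JESJOBS", "CANCEL.*.*.&RACUID"): "ALTER",
    ("JESJOBS", "SUBMIT.*.*.&RACUID"): "ALTER",
}


@dataclass(frozen=True)
class GacEntry:
    cls: str
    resource: str
    access: str


def parse_members(text: str) -> List[GacEntry]:
    """Parse the simplified dump described above into GacEntry records."""
    entries: List[GacEntry] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"CLASS\s+(\S+)", line, re.IGNORECASE)
        if m:
            current = m.group(1).upper()
            continue
        if current is None or "/" not in line:
            raise ValueError(f"unexpected line in GAC dump: {raw!r}")
        resource, access = line.rsplit("/", 1)
        access = access.strip().upper()
        if access not in ACCESS_ORDER:
            raise ValueError(f"unknown access authority {access!r} on {raw!r}")
        entries.append(GacEntry(current, resource.strip().upper(), access))
    return entries


def evaluate(entries: List[GacEntry], global_star_active: bool = False,
             issm_approval: bool = True) -> List[Tuple[str, str]]:
    """Return (check, detail) findings; an empty list means no RACF0780 finding.

    global_star_active: True if SETROPTS has GLOBAL(*) in effect.
    issm_approval:      True if written ISSM approval for the entries exists.
    """
    findings: List[Tuple[str, str]] = []
    if global_star_active:
        findings.append(("SETROPTS", "GLOBAL(*) is specified"))
    for e in entries:
        limit = APPROVED.get((e.cls, e.resource))
        member = f"{e.cls} {e.resource}/{e.access}"
        if limit is None:
            findings.append(("UNAPPROVED_MEMBER", member))
        elif ACCESS_ORDER.index(e.access) > ACCESS_ORDER.index(limit):
            findings.append(("ACCESS_EXCEEDS_APPROVED",
                             f"{member} (approved max {limit})"))
        elif not issm_approval:
            findings.append(("NO_ISSM_APPROVAL", member))
    return findings


# Constructed sample: the four allow-listed members plus one extra DATASET entry.
SAMPLE_DUMP = """
CLASS DATASET
&RACUID.**/ALTER
SYS1.LINKLIB/READ
CLASS OPERCMDS
MVS.MCSOPER.&RACUID/READ
CLASS JESJOBS
CANCEL.*.*.&RACUID/ALTER
SUBMIT.*.*.&RACUID/ALTER
"""

if __name__ == "__main__":
    for check, detail in evaluate(parse_members(SAMPLE_DUMP)):
        print(f"FINDING {check}: {detail}")
```

Run against the constructed dump, the only finding is the SYS1.LINKLIB member in the DATASET class; passing issm_approval=False additionally flags each of the four otherwise-allowed members, which matches the last sentence of the check.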
Fix Text
Ensure that Global Access Checking is appropriately administered. Evaluate the impact associated with implementation of the control option. Develop approval documentation and a plan of action to implement the control option as specified in the example below:

RALT GLOBAL class-name ADDMEM(resource-name/access-level)

The in-storage table is not changed until it is refreshed, so follow the RALT with SETROPTS GLOBAL(class-name) REFRESH for the change to take effect.
Additional Identifiers
Rule ID: SV-89739r1_rule
Vulnerability ID: V-75059
Group Title: RACF0780
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |