From z/OS RACF STIG
Part of RACF0780
Associated with: CCI-000213
RACF Global access checking can be used to improve the performance of RACF authorization checking for selected resources. The global access checking table is maintained in storage and is checked early in the RACF authorization checking sequence. If an entry in the global access checking table allows the requested access to a resource, RACF performs no further authorization checking. This can eliminate the need for I/O to the RACF database to retrieve a resource profile, which can result in substantial performance improvements. However, if an entry in the global access checking table allows a requested access to a resource, no auditing is done for the request. Capture of audit data ensure a historical checking of individual user accountability. This accountability is basic for forensic purposes.
From a command input screen enter: RL Global * Alternately this can be viewed by following steps: Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACGAC) – Examine the Global Access Checking entries. If Global * is specified in SETROPTS this is a finding. The following entries may be allowed with the approval of the ISSM: Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets) OPERCMDS Class – READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs) JESJOBS Class – ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs) JESJOBS Class – ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs) The ISSM may allow other classes to be included after evaluation with the system programmer. If any other members are included for Global Access Checking this is a finding. If written approval by the ISSM is not provided this is a finding.
Ensure that Global Access Checking is appropriately administered. Evaluate the impact associated with implementation of the control option. Develop approval; documentation and a plan of action to implement the control option as specified in the example below: RALT GLOBAL class-name ADDMEM (resourcename)/accesslevel)
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer