Purpose:
-
To verify all RACF
profiles against a HR/CD/ID system and vice
versa.
-
To verify all RACF
profiles against a set of user defined
‘rules’.
-
To enforce naming
conventions in a RACF environment without having to have
any exits.
-
To simplify and
automate future audits.
-
To reduce the
immense costs of any internal or external RACF
audits.
-
To keep HR/CD and
RACF information in sync based on installation
standards.
-
To have a better
control over all RACF profiles.
-
To be able to
manage multiple clients.
-
To verify SETROPTS
settings.
-
To verify IKJTSOXX
settings (AUTHCMD, AUTHPGM, AUTHTSF, PLATPGM, PLATCMD,
NOTBKGND)
-
To verify PPT
settings (SCHED=)
-
To verify
subsystems (SSN)
-
To verify SVC
Table
-
To verify LINKLIST
settings and its RACF protection
-
To verify APFLIST
settings and its RACF protection
-
To verify LPALIST
settings and its RACF protection
-
To verify CATALOG
and its RACF protection
-
To verify SMF
datasets and its RACF protection
-
To verify user
datasets and its RACF protection
Most RACF installations do no
longer know why certain user-Ids are connected to various
RACF Group-Ids. Even when installations utilize a
corporate directory (ID or CD or HR) it never matches the
RACF environment 100%. Ownership of profiles is not
up-to-date either.
Especially
large corporations with many decentralized RACF
administrators face the immense problem to enforce
standards. Manually controlling such RACF
environments is almost impossible. Home-grown tools
are in many cases no solution either to the well known
problem.
This batch facility helps every
RACF installation to verify corporate directories versus
RACF. It lists all inconsistencies and
generates the necessary RACF commands to
alter/delete RACF profile information.
RRE consists
of two parts:
-
CD/ID/HR verification against RACF and vice versa
-
Rules checking for RACF group-, user- (incl. connects), dataset- and general resource profiles
IBM recommendation is: Keep an eye on things -
HOW? - RRE is your solution
