
Risk management and ownership: Identify the member of staff who will have responsibility for managing the risk, e.g. the owner of the RACF profile(s). Risks are normally managed and owned by one department. However, if the risk is regarded as a corporate risk, the risk may be owned by the Corporate Management Team or the Executive but managed by a named department. RRE helps to manage and monitor the ownership of RACF profiles.
RRE is a "Compliance Evaluator" enabling managers, auditors etc. to quickly check the compliance of their systems with industry and corporate policies based on user-friendly reports.
Purpose:
- To verify all RACF profiles against a HR/CD/ID system and vice versa.
- To verify all RACF profiles against a set of user-defined ‘rules’.
- To enforce naming conventions in a RACF environment without requiring any exits.
- To simplify and automate future audits.
- To reduce the immense costs of any internal or external RACF audits.
- To keep HR/CD and RACF information in sync based on installation standards.
- To have better control over all RACF profiles.
- To be able to manage multiple clients.
- To verify SETROPTS settings.
- To verify IKJTSOXX settings (AUTHCMD, AUTHPGM, AUTHTSF, PLATPGM, PLATCMD, NOTBKGND).
- To verify PPT settings (SCHED=).
- To verify subsystems (SSN).
- To verify the SVC table.
- To verify LINKLIST settings and their RACF protection.
- To verify APFLIST settings and their RACF protection.
- To verify LPALIST settings and their RACF protection.
- To verify the CATALOG and its RACF protection.
- To verify SMF datasets and their RACF protection.
- To verify user datasets and their RACF protection.
Most RACF installations no longer know why certain user IDs are connected to various RACF group IDs. Even when installations utilize a corporate directory (ID or CD or HR), it never matches the RACF environment 100%. Ownership of profiles is not up to date either.
Large corporations with many decentralized RACF administrators, in particular, face the immense problem of enforcing standards. Manually controlling such RACF environments is almost impossible. Home-grown tools are in many cases no solution to this well-known problem either.
This batch facility helps every RACF installation to verify corporate directories versus RACF. It lists all inconsistencies and generates the necessary RACF commands to alter/delete RACF profile information.
RRE consists of two parts:
- CD/ID/HR verification against RACF and vice versa
- Rules checking for RACF group-, user- (incl. connects), dataset- and general resource profiles
IBM's recommendation is: Keep an eye on things - HOW? - RRE is your solution.
