Which team require OPERATIONS attribute



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

Which team require OPERATIONS attribute

Postby aarvalar1 » Thu Jul 13, 2023 4:44 pm

Hi All,
I need some help on OPERATIONS user attribute on RACF.
From the manual I understand that OPERATIONS attribute has full access authorization to all RACF protected resources in DATASETS and some storage related resource classes like DASDVOL,TAPEVOL etc.,

Hope a user with ALTER access to the dataset/resource profiles can also able to work on datasets, perform input/output operations on tape volume.
In that case , who/which team really need OPERATIONS attribute( like RACF administrators need RACF SPECIAL, auditors need RACF AUDITOR attribute)?
aarvalar1
 
Posts: 18
Joined: Fri Apr 14, 2023 3:12 pm
Has thanked: 4 times
Been thanked: 0 time

Re: Which team require OPERATIONS attribute

Postby willy jensen » Thu Jul 13, 2023 6:11 pm

Backup jobs, submitted using SURROGATE from a scheduler? No person should normally have it, it can be assigned by the RACF team if really needed for an emergency.
Just my 2 cents.
willy jensen
 
Posts: 467
Joined: Thu Mar 10, 2016 5:03 pm
Has thanked: 0 time
Been thanked: 70 times

Re: Which team require OPERATIONS attribute

Postby vasanthz » Fri Jul 14, 2023 6:52 pm

I had OPERATIONS and SPECIAL authority in previous role, I think it helps in working with storage volumes, Disaster recovery, replication, and some RACF tasks related to other user's datasets.
SPECIAL authority helped in running some zSecure audit reports, not really sure.
But it was a lawless shop where two people had all the available accesses and had to perform Storage, MVS, CICS, Endevor, some RACFadministration, Performance and Capacity. Fun times.
User avatar
vasanthz
 
Posts: 27
Joined: Thu Aug 05, 2010 2:53 pm
Has thanked: 8 times
Been thanked: 0 time

Re: Which team require OPERATIONS attribute

Postby willy jensen » Sat Jul 15, 2023 2:15 am

I think that security scopes also protects the personel. I remember one instance where something bad happened to production and I could safely say that it couldn't be me as I didn't have access, even though I was in the systems team. Of course in a purely system test environment I would like operations, just to be able to install and test products. In a prduction environment I'd rather not have that authority.
willy jensen
 
Posts: 467
Joined: Thu Mar 10, 2016 5:03 pm
Has thanked: 0 time
Been thanked: 70 times

Re: Which team require OPERATIONS attribute

Postby Robert Hansel » Sat Jul 29, 2023 8:30 pm

OPERATIONS use should only be necessary in rare instances where other storage administration authorities are insufficient to manage a dataset, such as deleting orphaned temporary datasets when TEMPDSN is active or managing a dataset where the RACF-indicated bit is ON but no discrete profile exists (better still, turn the bit OFF in such situations). Ideally, it should only be assigned to alternate "break-glass" storage administrators IDs or to vaulted IDs. I'm not a fan of assigning it to Firecall IDs as it grants too much authority. For more on the storage administration authorities that can replace OPERATIONS, see my presentation on this topic which is available on my website. Here's the link. I have replaced OPERATIONS use with these authorities on many occasions.
https://www.rshconsulting.com/RSHpres/R ... y_2019.pdf
Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
Robert Hansel
 
Posts: 12
Joined: Fri Sep 17, 2010 12:24 am
Has thanked: 0 time
Been thanked: 4 times


Return to Mainframe Security

 


  • Related topics
    Replies
    Views
    Last post