UCF STIG Viewer Logo

IBM RACF Global Access Checking must be restricted to appropriate classes and resources.


Finding ID Version Rule ID IA Controls Severity
V-223665 RACF-ES-000170 SV-223665r604139_rule Medium
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
IBM z/OS RACF Security Technical Implementation Guide 2022-09-19


Check Text ( C-25338r514684_chk )
From a command input screen enter:
RL Global *

If Global * is specified in SETROPTS, this is a finding.

The following entries may be allowed with the approval of the ISSM:
Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets)
OPERCMDS Class – READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs)
JESJOBS Class – ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs)
JESJOBS Class – ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs)

The ISSM may allow other classes to be included after evaluation with the system programmer.

If any other members are included for Global Access Checking, this is a finding.

If written approval by the ISSM is not provided, this is a finding.
Fix Text (F-25326r514685_fix)
Configure Global Access Checking to be appropriately administered.

Evaluate the impact associated with implementation of the control option. Develop approval; documentation and a plan of action to implement the control option as specified in the example below:
RALT GLOBAL class-name
ADDMEM (resourcename)/accesslevel)