UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

RACF Global Access Checking must be restricted to appropriate classes and resources


Overview

Finding ID Version Rule ID IA Controls Severity
V-75059 RACF0780 SV-89739r1_rule Medium
Description
RACF Global access checking can be used to improve the performance of RACF authorization checking for selected resources. The global access checking table is maintained in storage and is checked early in the RACF authorization checking sequence. If an entry in the global access checking table allows the requested access to a resource, RACF performs no further authorization checking. This can eliminate the need for I/O to the RACF database to retrieve a resource profile, which can result in substantial performance improvements. However, if an entry in the global access checking table allows a requested access to a resource, no auditing is done for the request. Capture of audit data ensure a historical checking of individual user accountability. This accountability is basic for forensic purposes.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text ( C-75101r1_chk )
From a command input screen enter:
RL Global *

Alternately this can be viewed by following steps:
Refer to the following reports produced by the RACF Data Collection:

- DSMON.RPT(RACGAC) –

Examine the Global Access Checking entries.

If Global * is specified in SETROPTS this is a finding.

The following entries may be allowed with the approval of the ISSM:
Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets)
OPERCMDS Class – READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs)
JESJOBS Class – ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs)
JESJOBS Class – ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs)

The ISSM may allow other classes to be included after evaluation with the system programmer.

If any other members are included for Global Access Checking this is a finding.

If written approval by the ISSM is not provided this is a finding.
Fix Text (F-81933r1_fix)
Ensure that Global Access Checking is appropriately administered.

Evaluate the impact associated with implementation of the control option. Develop approval; documentation and a plan of action to implement the control option as specified in the example below:
RALT GLOBAL class-name
ADDMEM (resourcename)/accesslevel)