S 2.295 System administration of z/OS systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The system administration of z/OS systems is divided into different areas. For many tasks, there are experts in the computer centres who often only perform very specific activities on the z/OS systems. The following recommendations relating to system administration should be considered:

Division into roles

A role concept should be implemented. This allows assigning of system authorisations to the roles and therefore facilitates the work of the RACF administrators.

In order to reduce the assignment of high authorisation attributes in the RACF, it should be considered to divide the administration at least into the following roles:

• System administration
  
  System administration (no special RACF attribute) is responsible for installing and maintaining the z/OS systems. Its authorisations must only allow the performance of the work required for this role. Accesses to customer data should be permitted only in exceptional cases (e.g. during troubleshooting). Such accesses must be coordinated with the corresponding owner of the information.
• RACF administration
  
  RACF administration (RACF attribute SPECIAL) has the following task: administration of the RACF security program and creation and deletion of IDs and authorisations. The RACF administrator assigns and revokes the rights to resources in the z/OS system. This results in a special trust relationship. For reasons of security, the number of employees assigned to this role should be kept to a minimum.
• Space management
  
  Space management (RACF attribute OPERATIONS) is responsible for administering the data media in z/OS systems. The OPERATIONS attribute allows for accessing all data of the system. It should be considered to add IDs with the OPERATIONS attribute to the ACCESS list of an RACF profile with NONE. This way, access using the OPERATIONS authorisation is prevented. However, these files can only be administered by space management to a limited extent even in this case (e.g. disk relocation).
• Operating
  
  Operating (no special RACF attribute) is responsible for operating the z/OS systems. Since the operators may access the consoles, operating must be performed in rooms with access control. Due to reasons of comprehensibility, the shift schedules of operating should be archived.
• Audits
  
  The auditor (RACF attribute AUDITOR) may view all security-relevant system settings, but cannot change them. The auditor compares the current system settings to the specified system settings.

Substitute arrangements

Substitute arrangements must be in force for all important system administration roles. An important role must never be staffed with only one person. More detailed information regarding this can be found in S 3.10 Selection of a trustworthy administrator and his substitute.

Review questions:

• Is there a role concept for the z/OS systems?
• Are there substitute arrangements for the important system administration roles regarding z/OS systems?