RRE™ - RACF ‘RULES’ ENFORCER




Risk management and ownership: Identify the member of staff who will be responsible for managing the risk, e.g. the owner of the RACF profile(s). Risks are normally managed and owned by one department. However, if the risk is regarded as a corporate risk, it may be owned by the Corporate Management Team or the Executive but managed by a named department. RRE helps to manage and monitor the ownership of RACF profiles.


RRE is a "Compliance Evaluator" that enables managers, auditors and others to quickly check the compliance of their systems with industry and corporate policies, based on user-friendly reports.


Purpose:
- To verify all RACF profiles against an HR/CD/ID system and vice versa.
- To verify all RACF profiles against a set of user-defined 'rules'.
- To enforce naming conventions in a RACF environment without having to have any exits.
- To simplify and automate future audits.
- To reduce the immense costs of any internal or external RACF audits.
- To keep HR/CD and RACF information in sync based on installation standards.
- To have better control over all RACF profiles.
- To be able to manage multiple clients.
- To verify SETROPTS settings.
- To verify IKJTSOXX settings (AUTHCMD, AUTHPGM, AUTHTSF, PLATPGM, PLATCMD, NOTBKGND).
- To verify PPT settings (SCHED=).
- To verify subsystems (SSN).
- To verify the SVC Table.
- To verify LINKLIST settings and their RACF protection.
- To verify APFLIST settings and their RACF protection.
- To verify LPALIST settings and their RACF protection.
- To verify CATALOG and its RACF protection.
- To verify SMF datasets and their RACF protection.
- To verify user datasets and their RACF protection.

 

Most RACF installations no longer know why certain user IDs are connected to various RACF group IDs. Even when installations utilize a corporate directory (ID, CD or HR), it never matches the RACF environment 100%. Ownership of profiles is not up to date either.
 
Large corporations with many decentralized RACF administrators in particular face the immense problem of enforcing standards. Manually controlling such RACF environments is almost impossible. In many cases, home-grown tools are no solution to this well-known problem either.

 
 

This batch facility helps every RACF installation to verify corporate directories versus RACF.  It lists all inconsistencies and generates the necessary RACF commands to alter/delete RACF profile information.
 
RRE consists of two parts:

  • CD/ID/HR verification against RACF and vice versa

  • Rules checking for RACF group, user (incl. connects), dataset and general resource profiles


RA2002 RRE™ V01


IBM's recommendation is: Keep an eye on things -

HOW? - RRE is your solution