SECURITY & COMPLIANCE CONFERENCE 2016
Maximizing Your Use of the
Vanguard Administrator
Doug Behrends
Sr Professional Services Consultant
VSS-1 & VSS-2
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Why is this session important?
• Too much work, too little time
• Work smarter, not harder
• Be happy in your work
• Never say never
• Professional development
• Impress your colleagues and your boss
• Return on Investment
Session Topics
• Transfer a user to another department
• Automatically define alias when cloning a TSO user
• Eliminate obsolete profiles and redundant access list entries
• Purpose of Rebuild
• Rebuild Basics and Usage
• Vanguard QuickGen™ Basics and Usage
• Automatically remove a user from a group at a future date and time (Command Scheduler)
• Vanguard UNIX® Manager (VUM) – A new way to look at your USS environment
• Be a power user with Vanguard QuickGen
Transferring a User to a New Department
• This applies to situations where a user keeps the same userid in the new job
• Using Task Oriented Administration, you model the user being transferred to be the same as one of the users in the new department
• You may need to choose a replacement user for any OWNERs and NOTIFYs
• Example - we will transfer DOUGB and model him like ARTM
Select Task Oriented Administration
Select Option 4 to Transfer a User
Model DOUGBHD after DOUGBX
Optional Fields
Here Are the Generated RACF® Commands - 1
Here Are the Generated RACF Commands - 2
How to Implement Exit to Define Alias
• Locate the member CMDEXIT in the Vanguard Sample Library (VANSAMP).
• Edit statement 42 to replace ‘YOUR.USER.CATALOG.NAME’ with the appropriate catalog name for your installation.
• Copy your edited version of CMDEXIT to VANCLIB
• CMDEXIT will
  – Generate a DEF ALIAS statement whenever you clone a user that has a TSO segment
  – Generate a DEL ALIAS statement whenever you delete a user
Sample Exit Code
Replace with your user catalog name
Sample Exit Code - 2
Results of CMDEXIT (add & delete User)
Information and Analysis Services
Eliminate Access List Redundancies
Remove Obsolete User and Group Profiles
What is an Access List Anomaly?
• ID=* in access list with same access as the UACC
• User in access list with same access as UACC or ID=* and not connected to a group with different access
• Group in access list with same access as UACC or ID=*, with no user connected to it appearing in the access list with a different access
• User in access list with same access as a group and not connected to a group with higher access
Select Option 8 - Information and Analysis Services
Select Access List Anomaly Analysis
Select 1 to Generate RACF Commands
You Can Omit Users With OPERATIONS & Limit The CLASSES Analyzed
Limit the scope
We Keyed PF1 for Help
Help (continued)
Let’s Submit the Job
The Access List Anomaly Report
Let’s See What Commands Were Generated
The Generated RACF Commands
What is an Obsolete Profile?
• A user who no longer exists, but still is in Access Lists, NOTIFY fields, or OWNER fields
• A group that no longer exists, but still is in Access Lists or OWNER fields
• How to avoid this situation?
  – Delete users and groups with the Administrator’s Task Oriented Administration
  – Periodically, run Obsolete
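The Obsolete check is a cross-reference: every id named in an access list, OWNER field or NOTIFY field is looked up against the users and groups that still exist. The script below is an added example, not Vanguard's Obsolete function: it runs that cross-reference over a constructed set of profiles (names such as PAYROLL.MASTER.** and OLDUSR1 are made up) and emits the corresponding RACF commands. Where a replacement owner has to be chosen, the command carries the same ?? placeholder the deck tells you to edit before executing the generated commands; a dangling NOTIFY is turned into NONOTIFY, since NOTIFY must name an existing user.

```python
"""Obsolete-reference scan: user and group ids that no longer exist but
are still named in access lists, OWNER fields or NOTIFY fields.

Added example, not Vanguard's Obsolete function: it runs over a
constructed set of profiles and emits RACF commands, leaving the
replacement owner as '??' for the administrator to fill in.
"""


def find_obsolete(profiles, users, groups):
    """Yield (profile, field, id) for each reference to an undefined id.

    profiles: list of dicts with keys cls, name, owner, notify, acl
    users, groups: sets of ids currently defined to RACF
    """
    defined = users | groups
    for p in profiles:
        if p["owner"] not in defined:            # OWNER may be a user or a group
            yield p, "OWNER", p["owner"]
        if p["notify"] and p["notify"] not in users:   # NOTIFY must be a user
            yield p, "NOTIFY", p["notify"]
        for ident in p["acl"]:
            if ident != "*" and ident not in defined:
                yield p, "ACL", ident


def fix_command(p, field, ident):
    """RACF command that removes or replaces one obsolete reference."""
    dataset = p["cls"] == "DATASET"
    alter = "ALTDSD" if dataset else "RALTER"
    target = f"'{p['name']}'" if dataset else f"{p['cls']} {p['name']}"
    if field == "ACL":
        where = target if dataset else f"{p['name']} CLASS({p['cls']})"
        return f"PERMIT {where} ID({ident}) DELETE"
    if field == "OWNER":
        return f"{alter} {target} OWNER(??)"      # ?? = replacement owner, edit before running
    return f"{alter} {target} NONOTIFY"          # field == "NOTIFY"


# Constructed sample data (not taken from a real RACF database).
SAMPLE_USERS = {"ARTM", "DOUGB", "SYSADM"}
SAMPLE_GROUPS = {"SYS1", "PAYROLL"}
SAMPLE_PROFILES = [
    {"cls": "DATASET", "name": "PAYROLL.MASTER.**", "owner": "PAYROLL",
     "notify": "OLDUSR1",                       # deleted user still in NOTIFY
     "acl": {"OLDGRP": "UPDATE", "ARTM": "READ"}},   # deleted group still in ACL
    {"cls": "FACILITY", "name": "APP.ADMIN", "owner": "OLDUSR2",   # deleted owner
     "notify": None,
     "acl": {"*": "NONE", "DOUGB": "READ"}},
]


def generate_cleanup(profiles=SAMPLE_PROFILES, users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """One RACF command per obsolete reference, in profile order."""
    return [fix_command(p, f, i) for p, f, i in find_obsolete(profiles, users, groups)]


if __name__ == "__main__":
    for p, f, i in find_obsolete(SAMPLE_PROFILES, SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{p['cls']:<8} {p['name']:<20} {f:<6} {i}")
    print("\n".join(generate_cleanup()))
```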
Select Option 8 - Information and Analysis Services
Select Option 2 - Obsolete Command
Select Option 1 for Obsolete
We Enter S to Submit the OBSOLETE Job
After the Job Completes, Select 2 to See the RACF Commands
The Generated RACF Commands
Now We Can Execute the RACF Commands to Clean up the RACF Database
Edit the ?? before executing the commands
Purpose of Exclude/Rebuild and Vanguard QuickGen
Efficient and effective manipulation of large numbers of profiles on the RACF Database
Done in 60 seconds
Rebuild Usage
• Recreating a deleted User
• Renaming a User
• Populating a new CICS® Transaction Class
• Populating a new CICS Transaction “Prefix”
• Creating a new HLQ for System Data Set Profiles
• Changing the Logon Proc value in TSO Segments
• Changing the UID value in OMVS Segments
Differences between EXCLUDE/REBUILD and Vanguard QuickGen™
• Exclude/Rebuild
  – Panel driven
  – Rebuild one, some, or all entries from a report
  – Generally requires changes to generated commands
• Vanguard QuickGen
  – TSO and generally RACF command driven
  – Source report is usually more granular
  – Use of variables for command field replacements
    • &USERID
    • &PROFILE
  – Can be executed from any Security Server Report
Rebuild Basics
• Original Purpose of Rebuild
  – Recovery of RACF profiles
    • Users, Groups, Data Set HLQs, Classes of Resources
  – Required the Extract Data Sets
• Current Purpose of Rebuild
  – Recovery of RACF profiles
  – Massage large numbers of profiles quickly
    • Populate new CICS Transaction Classes
    • Rename Users
  – Combined with Exclude to increase granularity
    • Change Default Group for a large number of Users
    • Change all profiles from WARNING to NOWARNING
Rebuild Basics
• Question - Where can Rebuild be used?
• Answer - Security Server Reports
  – Profile Summary Reports
    • User, Group, Data Set, General Resource
  – Profile Segment Reports
  – RRSF Reports
  – Connect Reports
• What’s the difference between
  – The REBUILD Command
  – RB in the CMD Column
  – (B)RB in the CMD Column?
Rebuild Basics (example)
• Before you Rebuild, you have to create the right report from which to Rebuild
  – Which report should I use to be able to connect everyone in Group VANGUARD to the new VIP Group?
    • Group Profile Summary
    • Connect Summary
  – Limit the size of the report using Masking Fields
  – Isolate entries in a report using Sort and Sort List within a report
• You have to know how to use the ISPF CHANGE and Edit mode line commands
Using the REBUILD Command
Using RB in the CMD Column
Using BRB in the CMD Column
Let’s Go Thru an Example; We’ll Connect Users in the VANGUARD Group to VIP Group
Connect Users in Vanguard Group to VIP Group
OR
Connect Users in Vanguard Group to VIP Group
Rebuild Usage in Review
• Recreating a deleted User
• Renaming a User
• Populating a new CICS Transaction Class
• Populating a new CICS Transaction “Prefix”
• Creating a new HLQ for System Data Set Profiles
• Changing the Logon Proc value in TSO Segments
• Changing the UID value in OMVS Segments
Exclude Basics
• Purpose of Exclude
  – Extend the usefulness of Rebuild
  – Change only certain fields in RACF Profiles
  – Reduce the number of RACF commands generated when using Rebuild
  – Massage large numbers of profiles quickly
    • Change Default Group for a large number of Users
    • Change all profiles from WARNING to NOWARNING
Exclude Basics
• Question - Where can Exclude be used?
• Answer - Security Server Reports
  – Profile Summary Reports
  – Profile Segment Reports
  – Connect Reports
  – Not RRSF Reports
• How do you invoke Exclude?
  – Only from the report command line
• What does it show?
  – All fields eligible for Rebuild in the profile
Let’s Go Back to Our Earlier Example; Connect Users in the VANGUARD Group to VIP Group
Exclude Example
Using Rebuild in Batch Mode
• JCL found in member VRARBLDJ in JCL library (VANJLIB)
• JCL must be customized
• Control Statement formats found in Chapter 3 of User Guide
• Inputs
  – SYSIN Data Set
  – Required REBUILD and END control statements
  – Required profile name control statement
  – Optional EXCLUDE/INCLUDE control statements
Using Exclude/Rebuild in Batch Mode
• Output
  – VIPOUT Data Set with processing messages
  – COMMAND Data Set with generated RACF commands
Batch Mode Sample JCL
Batch Mode Generated RACF Commands
REBUILD Summary
• Exclude/Rebuild
  – Panel driven
  – Rebuild one, some, or all entries from a report
  – Generally requires changes to generated commands
Vanguard QuickGen™ Basics
• Changing Users Password Interval
• Eliminating Non-expiring Passwords
• Changing Users Default Group
• Setting UAUDIT on for SPECIAL Users
• Resolving Breaks in Scope of Group
• Changing WARNING to NOWARNING
• Correcting Audit Settings in Data Set Profiles
• Changing the Logon Proc value in TSO Segments
• Adding/Removing Entries from Access Lists
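What ties the use cases above to the earlier slide on QuickGen's &USERID and &PROFILE variables is a single idea: take a Security Server report, keep only the rows that need fixing, and expand one command template per row. The script below is an added example of that report-driven generation, not QuickGen itself and not its template syntax; the report rows, field names (USERID, DFLTGRP, PASS_INTERVAL, PROFILE, WARNING) and the "NONE" marker for a non-expiring password are constructed for illustration. It covers three of the listed cases: eliminating non-expiring passwords, changing users' default group, and changing WARNING to NOWARNING on data set profiles.

```python
"""Report-driven RACF command generation in the style described for
Vanguard QuickGen: a command template containing &VARIABLES is expanded
once per report row that passes a filter.

Added example, not QuickGen: report rows, field names and templates
are constructed for illustration.
"""
import re

VAR = re.compile(r"&([A-Z0-9_]+)")   # &USERID, &PROFILE, ... in a template


def expand(template, row):
    """Replace each &NAME in the template with row[NAME]; unknown names raise."""
    def sub(match):
        key = match.group(1)
        if key not in row:
            raise KeyError(f"template variable &{key} not in report row")
        return str(row[key])
    return VAR.sub(sub, template)


def missing_variables(template, row):
    """Names the template references that the report row does not supply."""
    return sorted({m.group(1) for m in VAR.finditer(template)} - set(row))


def generate(rows, template, where=lambda row: True):
    """One command per row that passes the filter, in report order."""
    return [expand(template, r) for r in rows if where(r)]


# Constructed User Profile Summary rows (not from a real RACF database).
# PASS_INTERVAL "NONE" stands for a non-expiring password.
USER_REPORT = [
    {"USERID": "ARTM",    "DFLTGRP": "SYS1",    "PASS_INTERVAL": "90"},
    {"USERID": "DOUGB",   "DFLTGRP": "AUDIT",   "PASS_INTERVAL": "NONE"},
    {"USERID": "BATCH01", "DFLTGRP": "PRODCTL", "PASS_INTERVAL": "NONE"},
    {"USERID": "SAM",     "DFLTGRP": "SYS1",    "PASS_INTERVAL": "30"},
]

# Constructed Data Set Profile Summary rows.
DATASET_REPORT = [
    {"PROFILE": "SYS1.**",      "WARNING": "NO"},
    {"PROFILE": "TEST.DATA.**", "WARNING": "YES"},
]


def fix_nonexpiring(rows=USER_REPORT, interval=90):
    """Eliminate non-expiring passwords by giving each such user an interval."""
    return generate(rows, f"ALTUSER &USERID PASSWORD INTERVAL({interval})",
                    where=lambda r: r["PASS_INTERVAL"] == "NONE")


def set_default_group(rows, old, new):
    """Change Default Group for every user currently defaulting to `old`.

    RACF requires the user to already be connected to the new group, so
    the CONNECT commands (or a Rebuild of the Connect report) come first.
    """
    return generate(rows, f"ALTUSER &USERID DFLTGRP({new})",
                    where=lambda r: r["DFLTGRP"] == old)


def fix_warning(rows=DATASET_REPORT):
    """Change WARNING to NOWARNING on every data set profile still in WARNING."""
    return generate(rows, "ALTDSD '&PROFILE' NOWARNING",
                    where=lambda r: r["WARNING"] == "YES")


if __name__ == "__main__":
    for cmd in fix_nonexpiring() + set_default_group(USER_REPORT, "SYS1", "VIP") + fix_warning():
        print(cmd)
```

Checking a template with missing_variables before running it over a large report catches a misspelled &VARIABLE on one line rather than on the thousandth.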
Changing Users Password Intervals
QuickGen Templates
QuickGen with Default Options
QuickGen Options
QuickGen with New Options
Changing Users Password Intervals
Using Vanguard QuickGen in Batch Mode
• Let Online Administrator session generate the JCL and Control Statements
• Need SYSEXEC for VANCLIB defined in VANLIBS member of VANOPTS data set
• Inline Control Statements in VSSQGIN DD
• Output RACF Commands in VSSQGOUT DD
  – Points to a SYSOUT spool data set
  – Change DD statement to point to a sequential data set or member of a PDS
Using Vanguard QuickGen in Batch
• Give PRODCTL READ access to all SYS1 Data Sets
Using Vanguard QuickGen in Batch Mode
Give PRODCTL READ Access
Using Vanguard QuickGen in Batch Mode
Command Scheduler
How Can I Automatically Remove a User From a Group at a Future Date and Time?
1. Create the RACF Command(s)
2. Place the RACF Commands in the Command Scheduler
NOTE: Commands will execute as you (that is, using your authority) at the time of execution, not at the time they are added to the schedule
Select the Command Scheduler
Enter “1” to Add an Event
Enter Information for the Event
Let’s Look at the Event We Scheduled
Listing of the Event We Scheduled
Vanguard Unix Manager (VUM)
Note: This is the original Unix file manager option.
Option 1 – File security
Let’s see what the “World” has access to!
Vanguard Unix Manager (VUM) File security
Option 2 – Review z/OS® access to USS files
Vanguard QuickGen Tag Language
• Used to format your own reports
• Customize titles, headings, columns, fields
• Uses “tags” to determine format and content of the report
• Tags include
  – COMMAND to define TSO commands to be generated
  – REPORT to define a report to be generated
  – HEADER and FOOTER for report formatting
  – INSERT to embed a previously saved template into an existing template
  – COMMENT to place comments into a template
  – BREAKON to create page breaks
  – PAGE1 to insert page numbers
• Fully documented in Administrator User’s Guide – Appendix A and Administrator ISPF HELP Text
The Report Everyone Seems to Want
• User Report with the following fields
  – Userid
  – Username
  – Installation Data
  – Other fields such as Default Group and Last RACINIT
• Requirements
  – User Profile Summary Report
  – Batch Mode
  – Enhanced Masking to get only Userids with Installation Data
User Report using Vanguard QuickGen Tag Language
More on Vanguard QuickGen
Be sure to attend Session VSS15 on Thursday afternoon. Learn more features and get answers to your questions from the creator of Vanguard QuickGen.
That’s all folks!