maximizing your use of the vanguard administrator · –which report should i use to be able to...

SECURITY & COMPLIANCE CONFERENCE 2016

Maximizing Your Use of the

Vanguard Administrator

Doug Behrends

Sr Professional Services Consultant

VSS-1 & VSS-2

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license

to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

2

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University


The following are trademarks or registered trademarks of the International Business Machines Corporation: Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Trademarks

3

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF


Why is this session important?

• Too much work, too little time

• Work smarter, not harder

• Be happy in your work

• Never say never

• Professional development

• Impress your colleagues and your boss

• Return on Investment

4


Session Topics

• Transfer a user to another department

• Automatically define alias when cloning a TSO user

• Eliminate obsolete profiles and redundant access list entries

• Purpose of Rebuild

• Rebuild Basics and Usage

• Vanguard QuickGen™ Basics and Usage

• Automatically remove a user from a group at a future date

and time (Command Scheduler)

• Vanguard UNIX® Manager (VUM) – A new way to look at your USS environment

• Be a power user with Vanguard QuickGen

5


Transferring a User to a New Department

• This applies to situations where a user keeps the

same userid in the new job

• Using Task Oriented Administration, you model

the user being transferred to be the same as one

of the users in the new department

• You may need to choose a replacement user for

any OWNERs and NOTIFYs

• Example - we will transfer DOUGB and model

him like ARTM

6


Select Task Oriented Administration

7


Select Option 4 to Transfer a User

8


Model DOUGBHD after DOUGBX

9

Optional

Fields


Here Are the Generated RACF® Commands - 1

10


Here Are the Generated RACF Commands - 2

11


How to Implement Exit to Define Alias

• Locate the member CMDEXIT in the Vanguard Sample Library (VANSAMP).

• Edit statement 42 to replace ‘YOUR.USER.CATALOG.NAME’ with the appropriate catalog name for your installation.

• Copy your edited version of CMDEXIT to VANCLIB

• CMDEXIT will – Generate a DEF ALIAS statement whenever you clone a

user that has a TSO segment

– Generate a DEL ALIAS statement whenever you delete a user

12


Sample Exit Code

13

Replace with your user

catalog name


Sample Exit Code - 2

14


Results of CMDEXIT (add & delete User)

15


Information and Analysis Services

Eliminate Access List Redundancies

Remove Obsolete User and Group Profiles

16


What is an Access List Anomaly?

• ID=* in access list with same access as the

UACC

• User in access list with same access as UACC or

ID=* and not connected to a group with different

access

• Group in access list with same access as UACC

or ID=* and having no user connected to it in the

access list having a different access

• User in access list with same access as a group

and is not connected to a group with higher

access

17


Select Option 8 - Information and Analysis Services

18


Select Access List Anomaly Analysis

19


Select 1 to Generate RACF Commands

20


You Can Omit Users With OPERATIONS &

Limit The CLASSES Analyzed

21


Limit the scope

22


We Keyed PF1 for Help

23


Help (continued)

24


Let’s Submit the Job

25


The Access List Anomaly Report

26


Let’s See What Commands Were Generated

27


The Generated RACF Commands

28


What is an Obsolete Profile?

• A user who no longer exists, but still is in Access

Lists, NOTIFY fields, or OWNER fields

• A group that no longer exists, but still is in Access

Lists or OWNER fields

• How to avoid this situation?

– Delete users and groups with the Administrator’s Task

Oriented Administration

– Periodically, run Obsolete

29


Select Option 8 - Information and Analysis Services

30


Select Option 2 - Obsolete Command

31


Select Option 1 for Obsolete

32


We Enter S to Submit the OBSOLETE Job

33


After the Job Completes,

Select 2 to See the RACF Commands

34


The Generated RACF Commands

35


Now We Can Execute the RACF Commands to

Clean up the RACF Database

36

Edit the ??

Before

Executing the

commands


Purpose of Exclude/Rebuild and Vanguard QuickGen

Efficient and effective manipulation of large numbers of profiles on the RACF Database

Done in 60 seconds

37


Rebuild Usage

• Recreating a deleted User

• Renaming a User

• Populating a new CICS® Transaction Class

• Populating a new CICS Transaction “Prefix”

• Creating a new HLQ for System Data Set

Profiles

• Changing the Logon Proc value in TSO

Segments

• Changing the UID value in OMVS Segments

38


Differences between EXCLUDE/REBUILD and Vanguard QuickGen™

• Exclude/Rebuild

– Panel driven

– Rebuild one, some, or all entries from a report

– Generally requires changes to generated

commands

• Vanguard QuickGen

– TSO and generally RACF command driven

– Source report is usually more granular

– Use of variables for command field replacements

• &USERID

• &PROFILE

– Can be executed from any Security Server Report

39


Rebuild Basics

• Original Purpose of Rebuild – Recovery of RACF profiles

• Users, Groups, Data Set HLQs, Classes of Resources

– Required the Extract Data Sets

• Current Purpose of Rebuild – Recovery of RACF profiles

– Massage large numbers of profiles quickly • Populate new CICS Transaction Classes

• Rename Users

– Combined with Exclude to increase granularity • Change Default Group for a large number of Users

• Change all profiles from WARNING to NOWARNING

40


Rebuild Basics

• Question - Where can Rebuild be used?

• Answer - Security Server Reports – Profile Summary Reports

• User, Group, Data Set, General Resource

– Profile Segment Reports

– RRSF Reports

– Connect Reports

• What’s the difference between – The REBUILD Command

– RB in the CMD Column

– (B)RB in the CMD Column?

41


Rebuild Basics (example)

• Before you Rebuild, you have to create the right report from which to Rebuild – Which report should I use to be able to connect

everyone in Group VANGUARD to the new VIP Group?

• Group Profile Summary

• Connect Summary

– Limit the size of the report using Masking Fields

– Isolate entries in a report using Sort and Sort List within a report

• You have to know how to use the ISPF CHANGE and Edit mode line commands

42


Using the REBUILD Command

43


Using RB in the CMD Column

44


Using BRB in the CMD Column

45


Let’s Go Thru an Example;

We’ll Connect Users in the VANGUARD Group to VIP Group

46


Connect Users in Vanguard Group to VIP Group

47



48



49



50



51


OR

52



53



54



55



56


Rebuild Usage in Review

• Recreating a deleted User

• Renaming a User

• Populating a new CICS Transaction Class

• Populating a new CICS Transaction “Prefix”

• Creating a new HLQ for System Data Set

Profiles

• Changing the Logon Proc value in TSO

Segments

• Changing the UID value in OMVS Segments

57


Exclude Basics

• Purpose of Exclude

– Extend the usefulness of Rebuild

– Change only certain fields in RACF Profiles

– Reduce the number of RACF commands

generated when using Rebuild

– Massage large numbers of profiles quickly

• Change Default Group for a large number of Users

• Change all profiles from WARNING to

NOWARNING

58


Exclude Basics

• Question - Where can Exclude be used?

• Answer - Security Server Reports – Profile Summary Reports

– Profile Segment Reports

– Connect Reports

– Not RRSF Reports

• How do you invoke Exclude?

– Only from the report command line

• What does it show? – All fields eligible for Rebuild in the profile

59


Let’s Go Back to Our Earlier Example;

Connect Users in the VANGUARD Group to VIP Group

60


Exclude Example

61


Exclude Example

62


Exclude Example

63


Exclude Example

64


Exclude Example

65


Using Rebuild in Batch Mode

• JCL found in member VRARBLDJ in JCL

library (VANJLIB)

• JCL must be customized

• Control Statement formats found in Chapter

3 of User Guide

• Inputs

– SYSIN Data Set

– Required REBUILD and END control statements

– Required profile name control statement

– Optional EXCLUDE/INCLUDE control statements

66


Using Exclude/Rebuild in Batch Mode

• Output

– VIPOUT Data Set with processing messages

– COMMAND Data Set with generated RACF

commands

67


Batch Mode Sample JCL

68


Batch Mode Generated RACF Commands

69


REBUILD Summary

• Exclude/Rebuild

– Panel driven

– Rebuild one, some, or all entries from a report

– Generally requires changes to generated

commands

70


Vanguard QuickGen™ Basics

• Changing Users Password Interval

• Eliminating Non-expiring Passwords

• Changing Users Default Group

• Setting UAUDIT on for SPECIAL Users

• Resolving Breaks in Scope of Group

• Changing WARNING to NOWARNING

• Correcting Audit Settings in Data Set Profiles

• Changing the Logon Proc value in TSO Segments

• Adding/Removing Entries from Access Lists

71


Changing Users Password Intervals

72



73


QuickGen Templates

74


QuickGen with Default Options

75


QuickGen Options

76


QuickGen with New Options

77



78



79



80



81


Using Vanguard QuickGen in Batch Mode

• Let Online Administrator session generate the JCL

and Control Statements

• Need SYSEXEC for VANCLIB defined in VANLIBS

member of VANOPTS data set

• Inline Control Statements in VSSQGIN DD

• Output RACF Commands in VSSQGOUT DD

– Points to a SYSOUT spool data set

– Change DD statement to point to a sequential data set or

member of a PDS

82


Using Vanguard QuickGen in Batch

• Give PRODCTL READ access to all SYS1 Data Sets

83



84


Give PRODCTL READ Access

85



86


Command Scheduler

How Can I Automatically Remove a User From a

Group at a Future Date and Time?

1. Create the RACF Command(s)

2. Place the RACF Commands in the Command Scheduler

NOTE: Commands will execute as you (aka using your

authority) at the time of execution, not when adding to

schedule

87


Select the Command Scheduler

88


Enter “1” to Add an Event

89


Enter Information for the Event

90


Let’s Look at the Event We Scheduled

91


Let’s Look at the Event We Scheduled

92


Listing of the Event We Scheduled

93


Vanguard Unix Manager (VUM)

94

Note:This is the original

Unix file manager option.



95



96


Option 1 – File security

97


Let’s see what the “World” has access to !

98


Vanguard Unix Manager (VUM) File security

99


Vanguard Unix Manager (VUM) File security

100



101


Option 2 – Review z/OS® access to USS files

102



103



104



105



106



107


Vanguard QuickGen Tag Language

• Used to format your own reports

• Customize titles, headings, columns, fields

• Uses “tags” to determine format and content of the report

• Tags include – COMMAND to define TSO commands to be generated

– REPORT to define a report to be generated

– HEADER and FOOTER for report formatting

– INSERT to imbed a previously saved template into an existing template

– COMMENT to place comments into a template

– BREAKON to create page breaks

– PAGE1 to insert page numbers

• Fully documented in Administrator User’s Guide – Appendix A and Administrator ISPF HELP Text

108


Vanguard QuickGen Tag Language

109


The Report Everyone Seems to Want

• User Report with the following fields

– Userid

– Username

– Installation Data

– Other fields such as Default Group and Last RACINIT

• Requirements

– User Profile Summary Report

– Batch Mode

– Enhanced Masking to get only Userids with Installation

Data

110


User Report using Vanguard QuickGen Tag Language

111



112



113



114



115



116



117



118


More on Vanguard QuickGen

119

Be sure to attend Session VSS15 on

Thursday afternoon.

Learn more features and get answers to

your questions from the creator of

Vanguard QuickGen.


That’s all folks!

120

maximizing your use of the vanguard administrator · –which report should i use to be able to...

Documents