SECURITY & COMPLIANCE CONFERENCE 2016
Basics of Mainframe
Computing – Boot Camp
John Hilman
Vanguard Professional Services
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
©2016 Vanguard Integrity Professionals, Inc. 2
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• What Makes a Mainframe?
• Working in TSO
• Using ISPF
• What is an MVS™ Data Set?
• How to Create a File
• What is a Batch Job?
• Glossary of Terms
What Makes a Mainframe?
[Diagram: a z/OS mainframe as hardware plus software. Hardware: storage and DASD volumes (VOL123, VOL987). Software running under z/OS: TSO, JES, DB2, IMS, CICS, UNIX, and applications.]
Early Operating Systems
Support for System/360
• OS/360 - 1964
– PCP (Primary Control Program)
– MFT (Multiprogramming – fixed number of tasks)
– MVT (Multiprogramming – variable number of tasks)
History of MVS
Operating system   Year   Addressable virtual storage
OS/VS2 MVS         1974   16 MB
MVS/SP             1979   16 MB
MVS/XA             1981   2 GB
MVS/ESA            1988   2 GB
OS/390®            1996   2 GB
z/OS               2001   16 EB
Mainframe Applications - TSO
• TSO – Time Sharing Option
– Allows multiple users to use the operating system at the same time
– Powerful text editor
– Utilities to create and manage data sets and to submit batch jobs
– Restructured Extended Executor (REXX) language support
• REXX is a high-level procedures language that enables inexperienced users as well as experienced programmers to write structured programs called REXX execs.
– Ability to execute programs interactively
“Native” TSO
• Provides a limited command interface to the operating system
• Ability to issue RACF® commands directly from the READY prompt
Mainframe Applications - ISPF
• ISPF - Interactive System Productivity Facility
– Panel application navigated by entering options
– Provides full-screen text editor and browser
– Utilities for creating, locating, listing and deleting files
– Functions to manage data sets and submit jobs
– Utilize “fastpath” to functions
• Example - enter 3.4 for Data Set List Utility
– TSO command function within ISPF
• Option 6 – ISPF Command Shell
ISPF Primary Options Menu
Mainframe Applications - CICS & DB2
• CICS – Customer Information Control System
– Transaction processor
– Designed for rapid, high-volume online processing
– Enables the user (through the application) to access a number of protected resources in a database (DB2) or file system
– Isolates concurrent users from each other so that two users cannot update the same resource at the same time
• DB2 – Data Base 2
– Relational database management system (RDBMS)
– Reduces redundancy in data storage
Mainframe Applications - z/OS UNIX®
• z/OS UNIX System Services
– Best of both worlds: UNIX and z/OS
– UNIX Kernel integrated into the operating system
– Hierarchical file system (HFS) familiar to UNIX users
– Applications can work with data in both the z/OS UNIX file systems and traditional z/OS data sets
• FTP – File Transfer Protocol
– Protocol of choice to transfer data over the Internet
– One of the most widely used TCP/IP applications on z/OS
– Supports both z/OS data sets and files in the z/OS UNIX file system
Connecting to the Mainframe
[Diagram: terminals and workstations connect to the mainframe over TCP/IP or SNA.]
‘Green Screen’ Terminals
• IBM® 3270 - “Display Device”
• Known as ‘Green Screen’
• IBM 3270 protocol used today in Terminal Emulation software: Attachmate Reflection, IBM PCOMM, Host Explorer, Passport, and others
Today’s “Green Screen”
Logging On
Password Screen
Line Mode TSO
Issuing TSO Commands
Using ISPF
ISPF Main Menu
z/OS Files
• To make a file we:
– group characters together to form a field
– group fields together to collect information to form a record
– place records together, which results in a file
• IBM designers coined the word Data Set:
– Collection of logically related data records
– Stored on DASD (Direct Access Storage Device)
A Single Record Contains Fields
Record:  Smith, Jane | 026548791 | Checking | $ 3,824
Fields:  customer name | bank account number | type of bank account | account balance
Multiple Records Make up a Data Set
Data Set:
Arnold, Ben   036589294   Checking Account   $ 12,139
Black, Sally  029639211   Checking Account   $ 8,146
Mason, Bob    028538692   Checking Account   $ 9,632
Smith, Jane   026548791   Checking Account   $ 3,824
Data Set Name Characteristics
• Length
– maximum 44 characters
• Made up of qualifiers
– 1 to 8 characters per qualifier
– qualifiers cannot start with a numeric or hyphen (–)
• First qualifier referred to as high-level qualifier (HLQ) or high-level index (HLI)
Example: VANGUARD.PRODUCT.MONTHLY.REPORT.FILE (each period is a qualifier separator)
Types of Data Sets
• Sequential Data Set
– A file which is a collection of records written and read in sequential order from start to finish
• Partitioned Data Set or Library
– A data set containing one or more members, similar to a directory or folder in other types of file systems
• VSAM Data Set (Virtual Storage Access Method)
– A data set that is a collection of records, grouped into control intervals, accessible by applications using the VSAM access method
Viewing a Data Set – Option 1
The View Panel
Alternate Way to Enter Data Set Name
Display ISPF Profile
Profile Settings
Turn off PREFIX with PROFILE command:
TSO PROFILE NOPREFIX
Viewing the Data Set
Editing a Data Set – Option 2
The Edit Panel
Alternate Way to Enter Data Set
With PREFIX off, you must specify the full data set name
Editing the Data Set
Creating a New Data Set – Option 3
Data Set Utility
Allocating a New Data Set
If PREFIX is on, you must put quotes around the data set name if you type the prefix yourself; otherwise TSO prepends the prefix again
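The data set naming rules from the "Data Set Name Characteristics" slide and the PREFIX/quoting rules from the profile, edit and allocation slides, combined into one checker. This is an added example, not code from the Vanguard deck; the allowed character set (letters, digits, @ # $, and hyphen after the first character) and the prefix value USER01 are assumptions.

```python
"""Validate a z/OS data set name and apply the TSO PREFIX rule.

Rules taken from the slides:
  * a name is at most 44 characters, made of qualifiers separated by periods
  * each qualifier is 1 to 8 characters and may not start with a digit or hyphen
  * the first qualifier is the high-level qualifier (HLQ)
  * with PREFIX on, an unquoted name gets the prefix prepended and a name in
    single quotes is taken as fully qualified; with NOPREFIX the full name is required
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_NAME_LEN = 44
MAX_QUALIFIER_LEN = 8
# Assumed character set (standard MVS naming, not stated on the slides):
# first character A-Z or national character @ # $, then A-Z 0-9 @ # $ or hyphen.
_QUALIFIER_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")


@dataclass(frozen=True)
class DataSetName:
    qualifiers: Tuple[str, ...]

    @property
    def hlq(self) -> str:
        """High-level qualifier (HLQ/HLI): the first qualifier."""
        return self.qualifiers[0]

    def __str__(self) -> str:
        return ".".join(self.qualifiers)


def validate(name: str) -> DataSetName:
    """Check a fully qualified name; raise ValueError naming the broken rule."""
    name = name.strip().upper()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError(f"name length must be 1..{MAX_NAME_LEN}: {name!r}")
    quals = name.split(".")
    for q in quals:
        if not 1 <= len(q) <= MAX_QUALIFIER_LEN:
            raise ValueError(f"qualifier {q!r} must be 1..{MAX_QUALIFIER_LEN} characters")
        if q[0].isdigit() or q[0] == "-":
            raise ValueError(f"qualifier {q!r} cannot start with a digit or hyphen")
        if not _QUALIFIER_RE.match(q):
            raise ValueError(f"qualifier {q!r} contains characters outside the assumed set")
    return DataSetName(tuple(quals))


def resolve_tso_name(typed: str, prefix: Optional[str]) -> DataSetName:
    """Turn what was typed on a TSO/ISPF panel into the name TSO will use.

    prefix=None models TSO PROFILE NOPREFIX: the full name must be typed.
    prefix="USER01" models PROFILE PREFIX(USER01): an unquoted name gets
    "USER01." prepended; a name inside single quotes is used as typed.
    """
    typed = typed.strip()
    if len(typed) >= 2 and typed[0] == "'" and typed[-1] == "'":
        return validate(typed[1:-1])          # quoted: fully qualified as typed
    if prefix is None:
        return validate(typed)                # NOPREFIX: full name required
    return validate(f"{prefix}.{typed}")      # PREFIX on: prefix is prepended


def is_valid(name: str) -> bool:
    """Convenience wrapper: True when validate() accepts the name."""
    try:
        validate(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The slide's own example name and the PREFIX pitfall from the allocation slide.
    print(validate("VANGUARD.PRODUCT.MONTHLY.REPORT.FILE").hlq)   # VANGUARD
    print(resolve_tso_name("REPORT.FILE", "USER01"))             # USER01.REPORT.FILE
    print(resolve_tso_name("USER01.REPORT.FILE", "USER01"))      # USER01.USER01.REPORT.FILE
    print(resolve_tso_name("'USER01.REPORT.FILE'", "USER01"))    # USER01.REPORT.FILE
```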
Specify Allocation Information
Another Way to Allocate a Data Set
Copy All Members From a Data Set
Specify the Copy-To Data Set
Use the Same Allocation Attributes
Using Data Set List
Specify the HLQ (PREFIX)
Use the '/' to Select Action
List of Actions
Batch Jobs
• Batch - deferred processing
• Online - now and interactive
• z/OS has a unique capacity to handle many jobs concurrently
• Jobs are controlled by JES – Job Entry Subsystem
Getting Work Done in z/OS
JES receives jobs into the operating system, schedules them for processing, and controls their output processing.
[Diagram: job flow through JES on z/OS. Input side: SYSIN, JOB/SUBMIT from TSO, BATCH, RJE/RJP, NJE. Output side: SYSOUT to line and PSF printers, RJE/RJP, NJE.]
Executing Programs in Batch
• Executing a program means running it to accomplish what you intend to do
• To run, a program must be:
– copied from disk into memory
– associated with the data sets it will use
– given control by z/OS
• To execute a program in batch, the job is submitted
– Job Control Language (JCL) tells JES how to execute the program
A Sample Batch Job
SDSF Provides:
• Information to monitor, manage, and control the output of jobs in the z/OS system
• Current information about jobs, output, devices and system resources
SDSF Allows You To:
• Control job processing (hold, release, cancel jobs)
• Control output, and browse jobs without printing
• Control devices such as printers, lines, and initiators
• Browse the syslog
• Manage system resources, such as members of the MAS (Multi-Access Spool), job classes, and WLM (Work Load Manager) enclaves
• Monitor and control the IBM Health Checker for z/OS checks
SDSF Main Menu
Working with JES Queues
SDSF Panel                          JES Queue
DA (displays the execution queue)   Provides information about each job, started task, and TSO user that is being processed by the system
I  (input queue)                    Provides information about each job, started task, and TSO user that is on the JES input queue
O  (output queue)                   Provides information about the output data sets from jobs, started tasks, and TSO users
H  (held output queue)              Provides information about the output from jobs that are on hold
ST (status queues)                  Provides information about the jobs that are on any JES queue
Viewing Job Output
Glossary of Terms
A
access authority
One of a range of possible authority levels that control access to protected resources. In RACF, the access authorities are: NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER.
access group
A type of member group used to define access control.
access list
The part of a resource profile that specifies the users and groups that may access the resource and the level of access granted to each.
ACEE - access control environment element
A control block containing details of the current user, including user ID, current connect group, user attributes, and group authorities. An ACEE is constructed during user identification and verification.
address space
(1) The actual memory used by an active program.
(2) A range of up to two gigabytes of contiguous virtual storage addresses that the system creates for the user.
AUDITOR attribute
A user attribute that allows the user to specify logging options on the RACF commands and list any profile (including its auditing options) using the RACF commands.
B
base segment
The portion of a RACF profile that contains basic information needed to define a user, group, or resource to RACF. Also called RACF segment.
batch job
A predefined group of processing actions submitted to the system to be performed with little or no interaction between the user and the system.
batch processing
A method of running a program or a series of programs in which one or more records (a batch) are processed with little or no action from the user or operator.
C
CICS (Customer Information Control System)
An IBM licensed program that provides online transaction-processing services and management for business applications.
class
A collection of defined entities (users, groups, and resources) with similar characteristics. The class names are USER, GROUP, DATASET, and the classes that are defined in the class descriptor table.
class authority (CLAUTH)
An authority that allows a user to define RACF profiles in a class defined in the class descriptor table. A user can have class authority to one or more classes.
class descriptor
An entry in the CDT. Each class descriptor associates a class name with one or more CICS resources. A class descriptor should exist for every class except USER, GROUP, and DATASET.
CDT - class descriptor table
A table containing class descriptors. The CDT contains descriptors with default class names for CICS resources. Users can modify the supplied descriptors and add new ones.
console
An input/output device on a computer, reserved for communication between the computer operator or maintenance engineer and the computer.
current connect group
During a terminal session or batch job, the group with which a user is associated for access checking purposes. On MVS, if a user does not specify the current connect group on the LOGON command or batch JOB statement, the current connect group is the user's default group.
D
DASD volume
A direct access storage device (DASD) space identified by a common label and accessed by a set of related addresses.
DES - Data Encryption Standard
A cryptographic algorithm designed to encrypt and decrypt data using a private key
DFP - Data Facility Product
A program that isolates applications from storage devices, storage management and storage device hierarchy management.
DFSMS - Data Facility Storage Management Subsystem
An operating environment that helps automate and centralize the management of storage. To manage storage, DFSMS provides the storage administrator with control over data class, storage class, management class, storage group, and automatic class selection routine definitions.
data set
The name that refers to files on an IBM mainframe computer, typically stored on DASD or magnetic tape.
data set profile
A profile that provides RACF protection for one or more data sets. The information in the profile can include the data set profile name, profile owner, universal access authority, access list, and other data.
data space
A range of up to two gigabytes of contiguous virtual storage addresses that a program can directly manipulate. Unlike an address space, a data space can hold only data; it does not contain common areas or system data or programs.
DB2
A family of IBM licensed programs for relational database management.
default group
In RACF, the group specified in a user profile that is the default current connect group.
discrete profile
A resource profile that provides RACF protection for a single resource.
DSMON – Data Security Monitor
A RACF auditing tool that produces reports enabling an installation to verify its basic system integrity and data security controls.
E
ESA - Enterprise Systems Architecture
A hardware architecture that reduces the effort required for managing data sets and extends addressability for system, subsystem, and application functions.
ESA/390 - Enterprise Systems Architecture/390
An IBM architecture for mainframe computers and peripherals. Processor systems that follow the ESA/390 architecture include the ES/9000 family.
erase-on-scratch
A Resource Access Control Facility (RACF) and DFSMSdfp function that overwrites the space occupied by a data set when the data set is deleted (scratched) from a direct access storage device (DASD).
exabyte (EB)
For processor, real and virtual storage capacities and channel volume: 1,152,921,504,606,846,976 bytes, or 2 to the power of 60, or 1024 to the power of 6.
extended addressing
The use of 31-bit addresses (above the 16MB line), which multiplies by 128 the range of virtual storage that can be addressed.
F
failsoft processing
Processing that occurs when no data sets in the primary RACF database are available (RACF is installed but inactive).
fully-qualified data set name
A data set name in which all the qualifiers are completely spelled out.
G
general resource
Any system resource, other than an MVS data set, that is defined in the class descriptor table (CDT). On MVS, general resources include DASD volumes, tape volumes, load modules, terminals, IMS and CICS transactions and other CICS resources, and installation-defined resource classes.
general resource profile
A profile that provides protection for one or more general resources. The information in the profile can include the general resource profile name, profile owner, universal access authority, access list, and other data.
generic profile
A resource profile that can provide RACF protection for zero or more resources. The resources protected by a generic profile have similar names and identical security requirements.
gigabyte (GB, Gbyte)
For processor, real and virtual storage capacities and channel volume: 1,073,741,824 bytes, or 2 to the power of 30, or 1024 to the power of 3.
global access checking
A RACF feature that permits access to protected, frequently opened files much faster than otherwise possible. After the establishment of an in-storage table of default values containing authorization levels for selected resources, access to those resources is granted without performing security checks as long as the requested access authority does not exceed the global value. Global access checking can grant a user access to the resource, but it cannot deny access.
group data set
A RACF-protected data set in which either the high-level qualifier of the data set name or the qualifier supplied by an installation exit routine is a RACF group name.
H
hiperspace
A high-performance, virtual-storage space of up to 2 gigabytes (GB). Unlike an address space, a Hiperspace contains only user data and does not contain system control blocks or common areas; code does not execute in a Hiperspace. Unlike a data space, data in a Hiperspace cannot be referenced directly; data must be moved to an address space in blocks of 4 KB before being processed. The 4-KB blocks can be backed up by expanded storage or auxiliary storage, but never by virtual storage.
HLQ
High-level qualifier. The first qualifier of a data set name.
I
IBM – International Business Machines
IMS - Information Management System
Any of several system environments available with a database manager and transaction processing, capable of managing complex databases and terminal networks.
IPL - initial program load
(1) The process that loads the system programs from the system auxiliary storage, checks the system hardware, and prepares the system for user operations.
(2) The initialization procedure that causes an operating system to begin operation.
(3) The process of loading system programs and preparing a system to run applications.
I/O - input/output
Pertaining to a device, process, channel, or communication path involved in data input, data output, or both.
ISPF - Interactive System Productivity Facility
An IBM licensed program that serves as a full-screen editor and dialog manager. Used for writing application programs, it provides a means of generating standard screen panels and interactive dialogs between the application programmer and terminal user.
J
JCL - job control language
A command language that is used to identify a job to an operating system and to describe the job's requirements.
JES - Job Entry Subsystem
An IBM licensed program that receives jobs into the system and processes all output data that is produced by jobs.
JES2
An MVS subsystem that receives jobs into the system, converts them to internal format, selects them for execution, processes their output, and purges them from the system. In an installation with more than one processor, each JES2 processor independently controls its job input, scheduling, and output processing.
JES3
An MVS subsystem that receives jobs into the system, converts them to internal format, selects them for execution, processes their output, and purges them from the system. In complexes that have several loosely coupled processing units, the JES3 program manages processors so that the global processor exercises centralized control over the local processors and distributes jobs to them via a common job queue.
job
(1) A resource that consists of a task and its preconfigured parameters. Among other things, the parameters specify the targets on which the job is to run.
(2) A separately executable unit of work defined by a user, and run by a computer.
L
list-of-groups checking
A RACF option that allows a user to access all resources available to all groups of which the user is a member, regardless of the user's current connect group. For any particular resource, RACF allows access based on the highest access authority among the groups of which the user is a member.
load library
A library containing load modules.
load module
A program in a form suitable for loading into main storage for execution. A load module is the output of the linkage editor.
load module library
A partitioned data set (PDS) used to store and retrieve load modules.
logging
The recording of audit data about specific events.
M
MAC - mandatory access control
A means of restricting access to objects on the basis of the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (clearance) of subjects to access information of such sensitivity.
mainframe
A computer, usually in a computer center, with extensive capabilities and resources to which other computers may be connected so that they can share facilities.
main storage
Program-addressable storage from which instructions and other data can be loaded directly into registers for subsequent execution or processing.
multilevel security
A security policy that allows the classification of data and users based on a system of hierarchical security levels (for example: unclassified, secret, top secret) combined with a system of non-hierarchical security categories.
MVS - Multiple Virtual Storage
The mainframe operating system that allows multiple users to work simultaneously using the full amount of virtual storage.
O
OPERATIONS attribute
A user attribute that grants the equivalent of ALTER access to all data sets unless the user or one of the user’s connect groups appears explicitly in the access list of a data set’s profile.
operating system (OS)
A collection of system programs that control the overall operation of a computer system.
OS/390
Pertaining to the IBM operating system that includes and integrates functions previously provided by many IBM software products (including the MVS operating system) and (a) is an open, secure operating system for the IBM S/390 family of enterprise servers, (b) complies with industry standards, (c) is enabled for network computing and e-business, and (d) supports technology advances in networking server capability, parallel processing, and object-oriented programming.
owner
The user or group that creates a profile, or is named the owner of a profile. The owner can modify, list, or delete the profile.
P
PDS - partitioned data set
In a z/OS environment, a data set in direct-access storage that is divided into partitions, which are called members. Each partition can contain a program, part of a program, or data.
POSIT
A keyword in the ICHERCDE macro that determines the position of a resource class in the RACF class descriptor table (CDT). All classes with the same POSIT value are controlled together by the SETROPTS command.
profile
Data that describes the significant characteristics of a user, a group of users, or one or more computer resources. A profile contains a base segment, and optionally, a number of other segments.
protected user ID
A user ID that cannot enter the system by any means that requires a password, and cannot be revoked by invalid password attempts.
R
RACF - Resource Access Control Facility
An IBM licensed program that provides access control by identifying users to the system; verifying users of the system; authorizing access to protected resources; logging detected, unauthorized attempts to enter the system; and logging detected accesses to protected resources.
RACF database
The repository for the security information that RACF maintains.
RACF data set
One of the data sets comprising the RACF database.
RACF report writer
A RACF function that produces reports on system use and resource use from information found in the RACF SMF records.
RACF segment
The portion of a RACF profile that contains basic information needed to define a user, group, or resource to RACF. Also called base segment.
RACINIT request
In RACF, the issuing of the RACINIT macro or the RACROUTE macro with REQUEST=VERIFY or REQUEST=VERIFYX specified. A RACINIT request is used to verify the authority of a user to enter work into the system.
RACROUTE
In RACF, a macro that provides a means of calling RACF to provide security functions.
resource authorization
The facility for checking a user's level of access to a resource against the user's desired access or the result of that check.
resource group class
A RACF class in which resource group profiles can be defined. A resource group class is related to another class, sometimes called a member class. For example, resource group class GCICSTRN is related to class TCICSTRN.
resource group profile
A general resource profile in a resource group class. A resource group profile can provide RACF protection for one or more resources with unlike names.
resource manager
An application, program, or transaction that manages and controls access to shared resources such as memory buffers and data sets. WebSphere MQ, CICS, and IMS are resource managers.
resource profile
A profile that provides RACF protection for one or more resources. User, group, and connect profiles are not resource profiles. The information in a resource profile can include the data set profile name, profile owner, universal access authority, access list, and other data. Resource profiles can be discrete profiles or generic profiles.
RESTRICTED attribute
A user attribute that can be assigned to a shared user ID, such as PUBLIC or ANONYMOS, or a user ID used with a certificate name filter, to prevent the user ID from being used to access protected resources it is not specifically authorized to access.
REVOKE attribute
A user attribute that prevents a RACF-defined user from entering the system.
RRSF – RACF Remote Sharing Facility
The RACF remote sharing facility allows RACF to communicate via APPC with other MVS systems that use RACF, allowing you to maintain remote RACF databases and synchronize passwords across the systems.
S
S/390
IBM enterprise servers based on Enterprise Systems Architecture/390 (ESA/390). The S/390 has been superseded by the IBM System z.
SAF - system authorization facility
An interface defined by MVS that enables programs to use system authorization services in order to control access to resources, such as data
sets and MVS commands. SAF routes these requests to the installed external security manager, such as RACF.
security policy
A written document that defines the security controls that you institute for your computer systems. A security policy describes the risks that you
intend these controls to minimize and the actions that should be taken if someone breaches your security controls.
sequential data set
A data set whose records are organized on the basis of their successive physical positions, such as on magnetic tape.
SMF - System Management Facility
A z/OS facility that collects and records a variety of system and job-related information. Examples of information collected by SMF are statistics,
accounting information, and performance data.
SPECIAL attribute
A user attribute that gives the user full control over all of the RACF profiles in the RACF database and allows the user to issue all RACF
commands, except for commands and operands related to auditing.
Sysplex
A set of z/OS systems that communicate with each other through certain multisystem hardware components and software services.
System z
IBM enterprise servers based on z/Architecture.
T
TSO - Time Sharing Option
In a z/OS or OS/390 environment, software that provides interactive communications, allowing a user or programmer to start an application from a
terminal and work with the application.
task
A basic unit of work to be performed or a process and the procedures that run the process.
U
UACC - universal access authority
The default access authority that applies to a resource if the user or group is not specifically permitted access to the resource. The universal
access authority can be any of the access authorities. UACC is not applied to a user ID that has the RESTRICTED attribute.
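The following Python model illustrates how the terms defined here fit together in a resource authorization check: a resource profile carrying an access list and a UACC, a user-specific entry taking precedence over group entries, the UACC fallback, and the effect of the RESTRICTED and REVOKE attributes. It is an added example written for this glossary, not RACF code or Vanguard code; the profile name PAYROLL.MASTER, the user IDs and group names are constructed, and the model assumes list-of-groups checking (all of a user's connected groups are considered).

```python
"""Toy model of a RACF-style resource authorization check.

Added illustration, not RACF code. Profile, user and group names are
constructed for the example. Assumes list-of-groups checking, so every
group a user is connected to is considered, not only the current one.
"""
from dataclasses import dataclass, field

# Access authorities ordered from weakest to strongest.
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def rank(level: str) -> int:
    return ACCESS_LEVELS.index(level)


@dataclass
class User:
    userid: str
    groups: set = field(default_factory=set)
    restricted: bool = False   # RESTRICTED attribute: no access via UACC or ID(*)
    revoked: bool = False      # REVOKE attribute: cannot enter the system
    special: bool = False      # SPECIAL administers profiles; it grants no resource access


@dataclass
class ResourceProfile:
    name: str
    owner: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user ID, group name or "*" -> authority


def authorize(user: User, profile: ResourceProfile, requested: str):
    """Return (allowed, reason) for the requested access to the profile."""
    if user.revoked:
        return False, "user is REVOKEd"
    needed = rank(requested)

    # 1. A user-specific access list entry wins, even if it grants less than a group entry.
    if user.userid in profile.access_list:
        granted = profile.access_list[user.userid]
        return rank(granted) >= needed, f"access list entry for user: {granted}"

    # 2. Otherwise the highest authority among the user's connected groups applies.
    group_grants = [profile.access_list[g] for g in user.groups if g in profile.access_list]
    if group_grants:
        best = max(group_grants, key=rank)
        return rank(best) >= needed, f"access list entry via group: {best}"

    # 3. ID(*) entries and UACC are defaults; a RESTRICTED user never benefits from them.
    if user.restricted:
        return False, "RESTRICTED user: ID(*) and UACC not applied"
    if "*" in profile.access_list:
        granted = profile.access_list["*"]
        return rank(granted) >= needed, f"ID(*) entry: {granted}"
    return rank(profile.uacc) >= needed, f"UACC: {profile.uacc}"


# Constructed sample profile and users.
PAYROLL = ResourceProfile(
    name="PAYROLL.MASTER", owner="PAYADM", uacc="READ",
    access_list={"PAYADM": "UPDATE", "HRGRP": "READ", "AUDIT01": "NONE"},
)
USERS = {
    "JSMITH": User("JSMITH", groups={"HRGRP"}),
    "AUDIT01": User("AUDIT01", groups={"HRGRP"}),      # user entry NONE overrides group READ
    "PUBLIC": User("PUBLIC", restricted=True),          # shared ID, must be explicitly permitted
    "GUEST1": User("GUEST1"),                           # ordinary user with no entries: UACC applies
    "OLDUSER": User("OLDUSER", groups={"HRGRP"}, revoked=True),
    "SECADM": User("SECADM", special=True),             # SPECIAL alone gives no data access beyond UACC
}


def decide(userid: str, requested: str):
    """Convenience wrapper: authorize a named sample user against PAYROLL.MASTER."""
    return authorize(USERS[userid], PAYROLL, requested)


if __name__ == "__main__":
    for uid, req in [("JSMITH", "READ"), ("JSMITH", "UPDATE"), ("AUDIT01", "READ"),
                     ("PUBLIC", "READ"), ("GUEST1", "READ"), ("OLDUSER", "READ"),
                     ("SECADM", "UPDATE")]:
        ok, why = decide(uid, req)
        print(f"{uid:8} {req:7} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

The model shows why the RESTRICTED attribute matters for shared IDs: PUBLIC is denied READ even though the profile's UACC is READ, while an ordinary user with no access list entry is allowed through the UACC default. It also shows that a SPECIAL user gets no resource access from the attribute itself; SPECIAL governs profile administration, not data access.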
UADS - user attribute data set
In TSO, a partitioned data set with a member for each authorized user. Each member contains the appropriate passwords, user
identifications, account numbers, LOGON procedure names, and user characteristics that define the user.
USS - UNIX System Services
A component of z/OS or OS/390 that provides a UNIX environment.
user data set
A data set defined to RACF in which either the high-level qualifier of the data set name or the qualifier supplied by an installation exit routine
is a RACF user ID.
user identification and verification
The acts of identifying and verifying a RACF-defined user to the system during logon or batch job processing. RACF identifies the user by
the user ID and verifies the user by the password or operator identification card supplied during logon processing or the password supplied
on a batch JOB statement.
V
volume
(1) A representation of an actual physical storage device or unit on which the objects in your system are stored.
(2) A storage medium that is put on or taken off the system as a unit, for example, magnetic tape or diskette.
(3) A unit of storage on disk, tape, or other data-recording media.
VIP - Vanguard Integrity Professionals
VTOC - volume table of contents
A table on a direct access volume that describes the location, size and other characteristics of each data set on the volume.
VSAM - Virtual Storage Access Method
An access method for direct or sequential processing of fixed-length and varying-length records on direct access devices. The records in a
VSAM data set or file can be organized in logical sequence by a key field (key sequence), in the physical sequence in which they are written
on the data set or file (entry-sequence), or by relative-record number.
Z
z/Architecture
An IBM architecture for mainframe computers and peripherals. The System z family of servers uses the z/Architecture. It is the successor to
the S/390 and 9672 family of servers.
z/OS
An operating system for the IBM eServer product line that uses 64-bit real storage.
z/OS UNIX System Services
The set of functions provided by the shell and utilities, kernel, debugger, file system, C/C++ Run-Time Library, Language Environment, and
other elements of z/OS that allows users to write and run application programs that conform to UNIX standards.