Administering
This section provides information about using RACF profiles and groups.
RACF profiles and groups
BMC AMI Security Breakglass uses RACF profiles to manage access and permissions for projects, groups, and user IDs. Security Breakglass automatically converts profile and group names to uppercase to prevent RACF conflicts.
The RACF profiles are defined in the BGLASS member of the Resident Security Server configuration file. For more information, see the Security Breakglass topic Configuring after installation.
RACF profiles
Security Breakglass RACF profiles define the access level required to request user IDs from a particular project. Use the RACFProfile parameter to indicate which RACF profile applies to the project. If you omit RACFProfile, the project default is RSM.RSS.projectName.
- RACF profiles are defined in the FACILITY class by default, although you can use an alternate class.
- To request access to a project (user level), users must have read access to the RACF profile.
- To approve access to a project (manager level), users must have alter access to the RACF profile.
RACF groups
Every Security Breakglass project must have an associated RACF group. Use the RACFGroup parameter to indicate the name of the group you want associated with the project. If you omit RACFGroup, the default is the project name.
You cannot define a Security Breakglass RACF Group as a universal group.
RACF groups have the following purposes:
- User IDs defined for a particular project must be connected to the group defined for that project. No other user IDs should be connected to that group.
- If the CommandUserID parameter is set to Group, the user ID that owns the group requires the RACF SPECIAL attribute.
User IDs
When creating Security Breakglass user IDs, consider the following points:
- User IDs should be assigned the appropriate privileges for the intended system maintenance.
- The user ID is displayed in the Security Breakglass status panels, so give it a meaningful name.
- The user ID must be connected to the RACF group associated with the project.
RACF Profiles for Security Breakglass
To request a Security Breakglass ID, users must have at least READ access to the RACF resource RSM.RSS.BGLASS. By default, this resource is defined as a profile in the FACILITY class. We highly recommend that you specify UACC(NONE) for RSM.RSS.BGLASS.
If you define RSM.RSS.BGLASS in a class other than FACILITY (to take advantage of the slight performance benefit of using a unique profile), ensure that you specify that class in the ClassName parameter in the RSS configuration member. For more information, see the RSS topic Configuring after installation.
RSM.RSS.BGLASS defines the project from which a user can request a Security Breakglass ID. It does not define the permissions of the Security Breakglass ID itself.
Parameter | Description |
---|---|
RSM.RSS.projectName | Name of the Security Breakglass project from which the user can make requests. This value must match the value of the RACFGroup parameter for the project you want the user to request IDs from. Make sure the user has the proper access according to their role: READ access to request IDs (user level), ALTER access to approve requests (manager level). |
Breakglass SMF data
(SPE2110) The default SMF record type used to identify Security Breakglass records is 175. This default is used when no SMF type is defined in the Global configuration parameters for RSS. If you choose to define an SMF type for RSS, we recommend that you use any number between 128 and 255 that is available to be collected by SMF.
Security Breakglass uses a standard SMF record header with subtypes. For more information, see Table 2 in the IBM Knowledge Center topic: Standard and Extended SMF record headers.
The Security Breakglass SMF fields are as follows:
Description | Type | Length |
---|---|---|
Request Description | Char | 16 |
Change ID | Char | 16 |
Change Description | Char | 64 |
Project | Char | 8 |
Project Description | Char | 32 |
User ID | Char | 8 |
User Name | Char | 32 |
Requester ID | Char | 8 |
Requester Name | Char | 32 |
Approver | Char | 8 |
Approver Name | Char | 32 |
Audit Log ID | Char | 24 |
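A decoder for the record layout above, added here as an example for anyone auditing Breakglass activity from SMF; it is not BMC code. It assumes the fields follow the 24-byte standard SMF header with subtypes in the order listed, each a fixed-length EBCDIC (code page 037) character field, and that the record type is the documented default of 175; the sample record is constructed inline.

```python
"""Decode a BMC AMI Security Breakglass SMF record (added example, not BMC code)."""
import struct

# Field names and lengths in the order the documentation lists them.
BREAKGLASS_FIELDS = [
    ("request_description", 16), ("change_id", 16), ("change_description", 64),
    ("project", 8), ("project_description", 32), ("user_id", 8), ("user_name", 32),
    ("requester_id", 8), ("requester_name", 32), ("approver", 8),
    ("approver_name", 32), ("audit_log_id", 24),
]
HEADER_LEN = 24            # assumption: standard header with subtype (SMFxLEN..SMFxSTY)
DEFAULT_RECORD_TYPE = 175  # documented default; assumed not overridden in RSS config
BODY_LEN = sum(length for _, length in BREAKGLASS_FIELDS)  # 280 bytes


def build_record(values, subtype=1, record_type=DEFAULT_RECORD_TYPE):
    """Constructed sample record for testing: SMF header followed by padded EBCDIC fields."""
    body = b"".join(values.get(name, "")[:length].ljust(length).encode("cp037")
                    for name, length in BREAKGLASS_FIELDS)
    # SMFxLEN, SMFxSEG, SMFxFLG (0x40 = subtypes used, assumed), SMFxRTY, SMFxTME (1/100 s)
    header = struct.pack(">HHBBI", HEADER_LEN + len(body), 0, 0x40, record_type, 4320000)
    header += b"\x01\x23\x03\x1F"            # SMFxDTE packed 0cyydddF: 2023, day 031
    header += "SYS1".encode("cp037")         # SMFxSID system id (constructed)
    header += "BGLS".encode("cp037")         # SMFxSSI subsystem id (constructed)
    header += struct.pack(">H", subtype)     # SMFxSTY
    return header + body


def parse_record(raw):
    """Return header essentials plus the decoded Breakglass fields, or raise ValueError."""
    if len(raw) < HEADER_LEN:
        raise ValueError("record shorter than the SMF header")
    length, _seg, _flags, rtype = struct.unpack(">HHBB", raw[:6])
    (subtype,) = struct.unpack(">H", raw[22:24])
    if rtype != DEFAULT_RECORD_TYPE:
        raise ValueError(f"record type {rtype} is not a Security Breakglass record")
    if length < HEADER_LEN + BODY_LEN or len(raw) < HEADER_LEN + BODY_LEN:
        raise ValueError("record truncated: Breakglass fields incomplete")
    rec = {"record_type": rtype, "subtype": subtype}
    offset = HEADER_LEN
    for name, flen in BREAKGLASS_FIELDS:
        rec[name] = raw[offset:offset + flen].decode("cp037").rstrip()
        offset += flen
    return rec
```

Pairing `requester_id`, `approver` and `user_id` from these records with the RACF group membership described above lets you confirm that every requested ID was approved by someone holding ALTER access on the project profile.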