BCSC RACF add-on tools for OS390: RACF-Offline



Home
Products
	RACF-Offline
	FixCon
	FixOwner
Services
	Security Reviews
		Attention Areas
	RACF Database Merge
	RACF Implementation
Presentations
About BCSC
Partners
News

RACF Offline

This first BCSC product offers you the possibility to issue almost any RACF command 'offline', without any impact on your production RACF environment or the need for a separate LPAR.

Offline, because the RACF database with which the product works is another one than the database protecting your system. The product can work with an exact copy of your online database, with a copy of a RACF database from another z/OS system, or even with a freshly initialized RACF database without any profiles yet.

This offline environment does not involve simulation - the database is a real, genuine RACF database and the commands you issue are the real RACF commands! So the RACF-Offline database can even replace the active RACF database if you want it to.

RACF-Offline can be used for a wide range of functions, from the checking of a single command to the preparation of major changes in your RACF environment - again, without any impact on your production environment. It offers a solution for several operational problems because it does not impact the production environment, because it does not need to run on a separate LPAR, and because it can reduce extended downtime when used for the preparation of larger security changes.

RACF-Offline can be used to issue all RACF commands to add, delete, display, list, search or modify profiles in the RACF database. Results can be inspected using regular RACF commands, or using the RACF DB UNLOAD utility. The product also has limited support for the modification of system options, command authorization verification and resource access verification. Version 2 will also provide the possibility to simulate execution of a previous job against the Offline RACF database, based on existing SMF data.

RACF-Offline works together with RACF add-on products from other vendors that support an offline RACF database, for instance Consul zAdmin or Vanguard Administrator™.

RACF-Offline commands

Some examples:

The system administrator needs to add a better fitting profile to cover the right resources using a complicated generic pattern. With RACF-Offline several profiles may be added, deleted or modified to test several different options, without any impact to the real RACF database.
The system staff needs to execute a major change to your RACF-environment, like the merging of two RACF databases, or the reorganization of the RACF group names or –hierarchy. These changes can now be prepared and checked in the controlled RACF-Offline environment. At the time of the change itself the prepared and tested Offline database is turned into the active production RACF database by using the native RACF RVARY command. Alternatively, the prepared RACF commands may be re-executed against the system RACF database.
Students need to gain experience in executing RACF commands – they need to be able to experiment with issuing commands and checking their results. The big advantage of using RACF-Offline in an educational situation like this is that you do not need a separate 'play-pen’ with its operational impact. You also don't have to worry about the possible impact of a student’s RACF commands on your production environment.