A logonid with SECURITY privilege can access all encrypted datasets. How to restrict this access?
Release : 16.0
Component : ACF2 for z/OS
The following checks are performed to determine whether access to an encrypted data set is allowed:
1. Access to dataset HLQ (NO SMS validations)
2. Access to CSFSERV resource CSFKRR2
3. Access to CSFKEYS resource key label
To prevent a logonid with SECURITY privilege from accessing an encrypted data set, one option is to set the RSRCVLD bit on the logonid and write a resource rule that prevents access to the key label, as shown below:
ACF
CHANGE logonid RSRCVLD
SET RESOURCE(CSK)
RECKEY ABCD ADD(TEST.KEY UID(uid of logonid) PREVENT -
WHEN(CRITERIA(SMS(DSENCRYPTION))))
F ACF2,REBUILD(CSK)
ACF2 logonids with NON-CNCL and SECURITY privileges are allowed access to all resources. The STGADMIN resources in the FACILITY class are used to authorize users to allocate encrypted data sets, for the data set types shown below:
STGADMIN.SMS.ALLOW.DATASET.ENCRYPT -> for Sequential and VSAM extended data sets
STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT -> for Sequential large and sequential basic format data sets
STGADMIN.SMS.ALLOW.PDSE.ENCRYPT -> for Version 2 PDSE data sets
STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENCRYPT -> for the fail/nofail encrypt processing check
The STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT and STGADMIN.SMS.ALLOW.PDSE.ENCRYPT resources are checked with RACROUTE EXTRACT calls rather than RACROUTE AUTH calls. For an EXTRACT call the entire resource name must appear in the $KEY of the rule, the rule must specify $USERDATA, and the resource rule must exist. As a result, the SECURITY or NON-CNCL privilege alone does not allow data set encryption for these types unless such a rule exists.
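As an added example that is not part of the original article, the following ACF2 command sequence compiles a FACILITY resource rule that satisfies the EXTRACT requirements described above: the full resource name in $KEY, a $USERDATA value present, and a rule entry for the logonid. It assumes the FACILITY class is mapped to resource type FAC (the default CLASMAP), that the $USERDATA value DSENCRYPT is a placeholder of your choosing, and that "uid of logonid" is replaced with the UID string of the logonid being authorized.

```acf2
ACF
SET RESOURCE(FAC)
COMPILE * STORE
 $KEY(STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT) TYPE(FAC)
 $USERDATA(DSENCRYPT)
 UID(uid of logonid) ALLOW

F ACF2,REBUILD(FAC)
```

A logonid that does not match the UID entry, including one holding SECURITY or NON-CNCL, is not granted this EXTRACT-based resource, so its allocation request falls through to the STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENCRYPT processing described below.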
The following SAFDEF record can be added to ignore the STGADMIN.SMS.ALLOW.DATASET.ENCRYPT resource call for a logonid with SECURITY privilege:
ACF
SET CONTROL(GSO)
INSERT SAFDEF.NETRC1 FUNCRET(8) FUNCRSN(0) ID(STGADMIN) MODE(IGNORE) -
NOAPFCHK RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITY=STGADMIN.SMS.ALLOW.DATASET.ENCRYPT) -
RETCODE(8) USERID(uid of logonid)
F ACF2,REFRESH(SAFDEF)
The STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC resource is checked to determine what processing occurs when any of the three STGADMIN.SMS.ALLOW… FACILITY class resource checks fail. If access to this resource is allowed, no data set is allocated. If access is not allowed, a NON-ENCRYPTED data set is allocated instead and the data set key label is ignored.