Restrict access to encryption key for SECURITY privilege in ACF2

Article ID: 244981

Products

ACF2 - z/OS

Issue/Introduction

A logonid with the SECURITY privilege can access all encrypted data sets. How can this access be restricted?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The following checks are performed to determine whether access to an encrypted data set is allowed:

  1. Access to dataset HLQ (NO SMS validations)
  2. Access to CSFSERV resource CSFKRR2
  3. Access to CSFKEYS resource key label

To prevent a logonid with the SECURITY privilege from accessing an encrypted data set, one option is to set the RSRCVLD bit on the logonid (so that resource rules are validated for it despite the SECURITY privilege) and write a resource rule that prevents access to the key label, as shown below:

ACF
CHANGE logonid RSRCVLD

SET RESOURCE(CSK)
RECKEY ABCD ADD(TEST.KEY UID(uid of logonid) PREVENT -
WHEN(CRITERIA(SMS(DSENCRYPTION))))
F ACF2,REBUILD(CSK)

Additional Information

ACF2 logonids with the NON-CNCL or SECURITY privilege are allowed access to all resources. The STGADMIN resources in the FACILITY class are used to authorize users to allocate encrypted data sets for the data set types shown below:

  STGADMIN.SMS.ALLOW.DATASET.ENCRYPT - for sequential and VSAM extended-format data sets
  STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT - for sequential large-format and sequential basic-format data sets
  STGADMIN.SMS.ALLOW.PDSE.ENCRYPT - for version 2 PDSE data sets
  STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC - for the fail/nofail encrypt processing check

The STGADMIN.SMS.ALLOW.DATASET.SEQ.ENCRYPT and STGADMIN.SMS.ALLOW.PDSE.ENCRYPT resources are checked with RACROUTE EXTRACT calls rather than RACROUTE AUTH calls. For an EXTRACT call, the entire resource name must be in the $KEY of the rule. $USERDATA must also be specified and the resource rule must exist, so the SECURITY or NON-CNCL privilege alone does not allow data set encryption unless such a rule exists.

The following SAFDEF record can be added to ignore the STGADMIN.SMS.ALLOW.DATASET.ENCRYPT resource call for a logonid with the SECURITY privilege:

ACF
SET CONTROL(GSO)
INSERT SAFDEF.NETRC1 FUNCRET(8) FUNCRSN(0) ID(STGADMIN) MODE(IGNORE)
NOAPFCHK RACROUTE(REQUEST=AUTH CLASS=FACILITY ENTITY=STGADMIN.SMS.ALLOW.DATASET.ENCRYPT)
RETCODE(8) USERID(uid of logonid)
F ACF2,REFRESH(SAFDEF)

The STGADMIN.SMS.FAIL.INVALID.DSNTYPE.ENC resource is checked to determine what processing occurs when any of the three STGADMIN.SMS.ALLOW… FACILITY class resource checks fails. If access to it is allowed, no data set is allocated; if access is not allowed, a NON-ENCRYPTED data set is allocated and the data set key label is ignored.