IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-223714 | SRG-OS-000480-GPOS-00227 | RACF-ES-000670 | SV-223714r991589_rule | 2025-03-11 | 9 |
Description |
---|
This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures). In RACF the OPERATIONS attribute gives a user authority to most RACF-protected data sets and DASD and tape volumes unless the user, or a group the user is connected to, appears on the resource's access list, so every holder of the attribute must be individually justified. |
ℹ️ Check |
---|
From the ISPF Command Shell enter `ListUser *` and review the user-level `ATTRIBUTES=` line and each group connection's `CONNECT ATTRIBUTES=` line. If authorization to the system-wide OPERATIONS attribute is restricted to key systems personnel, such as individuals responsible for continuing operations, storage management, and emergency recovery, this is not a finding. If any users connected with group-OPERATIONS to groups that own sensitive system data set HLQs (e.g., SYS1, SYS2) are not key systems personnel, such as individuals responsible for continuing operations, storage management, and emergency recovery, this is a finding. Otherwise, group-OPERATIONS is allowed. |
✔️ Fix |
---|
Review all userids with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. A sample command to remove the system-wide OPERATIONS attribute from a userid: `ALU <userid> NOOPERATIONS`. To remove the group-OPERATIONS attribute from a user's connection to a specific group: `CO <userid> GROUP(<groupname>) NOOPERATIONS`. |
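As an added example (not part of the STIG and not an IBM-supplied tool), the following Python applies the Check above to a `LISTUSER` report and emits the `ALU`/`CO` commands from the Fix for every unjustified holder. The report is constructed to approximate the `LISTUSER` layout, so the parser keys only on the `USER=`, `ATTRIBUTES=`, `GROUP=` and `CONNECT ATTRIBUTES=` labels; the sensitive-group set and the justification list are site-specific placeholders that an assessor would replace with the installation's own values.

```python
"""Flag RACF OPERATIONS authority from LISTUSER output (RACF-ES-000670 check).

Added example, not part of the STIG or of any IBM tool. The report below is
constructed to approximate the LISTUSER layout, so the parser keys only on the
USER=, ATTRIBUTES=, GROUP= and CONNECT ATTRIBUTES= labels; the sensitive-group
set and the justification list are site-specific placeholders.
"""
from dataclasses import dataclass, field

# Constructed sample: two user profiles as LISTUSER * would list them.
SAMPLE_LISTUSER = """\
USER=OPSADM1  NAME=OPERATIONS ADMIN    OWNER=SYS1     CREATED=19.045
 DEFAULT-GROUP=SYS1     PASSDATE=24.300 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
 CLASS AUTHORIZATIONS=NONE
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=19.045
    CONNECTS=   120  UACC=NONE     LAST-CONNECT=25.060/08:15:22
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
USER=DEVUSR7  NAME=APPLICATION DEV     OWNER=DEVGRP   CREATED=22.110
 DEFAULT-GROUP=DEVGRP   PASSDATE=25.001 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 CLASS AUTHORIZATIONS=NONE
  GROUP=DEVGRP    AUTH=USE      CONNECT-OWNER=DEVGRP    CONNECT-DATE=22.110
    CONNECTS=    40  UACC=NONE     LAST-CONNECT=25.059/17:40:01
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=SYS2      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=23.200
    CONNECTS=     3  UACC=NONE     LAST-CONNECT=24.310/09:02:45
    CONNECT ATTRIBUTES=OPERATIONS
    REVOKE DATE=NONE   RESUME DATE=NONE
"""

# Groups that own sensitive system data set HLQs (placeholder; set per site).
SENSITIVE_HLQ_GROUPS = {"SYS1", "SYS2"}


@dataclass
class UserProfile:
    userid: str
    attributes: set = field(default_factory=set)          # user-level ATTRIBUTES=
    group_operations: list = field(default_factory=list)  # groups with CONNECT ATTRIBUTES=OPERATIONS


def _value(line: str) -> str:
    """Text after the first '=' on a LISTUSER label line."""
    return line.split("=", 1)[1]


def parse_listuser(report: str) -> list:
    """Split a LISTUSER report into profiles, keeping only OPERATIONS-relevant fields."""
    users, current, current_group = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("USER="):
            current = UserProfile(userid=_value(line.split()[0]))
            users.append(current)
            current_group = None
        elif current is None:
            continue  # header or noise before the first profile
        elif line.startswith("ATTRIBUTES="):
            current.attributes = set(_value(line).split())
        elif line.startswith("GROUP="):
            current_group = _value(line.split()[0])
        elif line.startswith("CONNECT ATTRIBUTES=") and current_group:
            if "OPERATIONS" in _value(line).split():
                current.group_operations.append(current_group)
    return users


def evaluate(users, justified, sensitive_groups=SENSITIVE_HLQ_GROUPS):
    """Apply the check: return (findings, remediation commands).

    System-wide OPERATIONS needs an ISSO-filed justification for every holder.
    Group-OPERATIONS is only a finding on a sensitive HLQ group held by someone
    who is not documented key systems personnel.
    """
    findings, fixes = [], []
    for u in users:
        if "OPERATIONS" in u.attributes and u.userid not in justified:
            findings.append(f"{u.userid}: system-wide OPERATIONS without justification")
            fixes.append(f"ALU {u.userid} NOOPERATIONS")
        for grp in u.group_operations:
            if grp in sensitive_groups and u.userid not in justified:
                findings.append(f"{u.userid}: group-OPERATIONS on sensitive HLQ group {grp}")
                fixes.append(f"CO {u.userid} GROUP({grp}) NOOPERATIONS")
    return findings, fixes


if __name__ == "__main__":
    # Hypothetical justification list: OPSADM1 is documented operations staff.
    profiles = parse_listuser(SAMPLE_LISTUSER)
    findings, fixes = evaluate(profiles, justified={"OPSADM1"})
    for f in findings:
        print("FINDING:", f)
    for cmd in fixes:
        print("FIX:", cmd)
```

Run against a saved `LISTUSER *` report, the script reports DEVUSR7's group-OPERATIONS on SYS2 as the only finding and prints the matching `CO ... NOOPERATIONS` command; OPSADM1's system-wide OPERATIONS is accepted only because the userid appears in the justification list, which is the documentation the Fix requires to be filed with the ISSO.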