IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-223714 | RACF-ES-000670 | SV-223714r991589_rule | Medium |
| Description |
| This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures). |
| STIG | Date |
| IBM z/OS RACF Security Technical Implementation Guide | 2025-06-24 |
Details
| Check Text (C-25387r571992_chk) |
| From the ISPF Command Shell enter: ListUser * If authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding. If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding. Otherwise, Group-OPERATIONS is allowed. |
| Fix Text (F-25375r514831_fix) |
| Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. A sample command to remove the OPERATIONS attribute from a userid is shown here: ALU <userid> NOOPERATIONS To remove the Group-Operations attribute: CO <user> GROUP(<groupname>) NOOPERATIONS |