July 22, 2003
Migration Series for South Users
CIT plans to shut down the South system effective January 12, 2004. Watch two Web sites regularly: Titan/South System News and the Titan Transition. Both Web pages are continually updated.
This is the third article in the series on the migration process, so that you don't miss important news and you do have a smooth transition to Titan. These articles are reprinted from the Titan Transition Migration Process Web page.
Topics to be covered in this series over the next months
3. Review Your Data Security Needs
This page is divided into three sections:
For more information on setting up RACF profiles, go to the RACF tutorial.
- KEYWORDS: There is no keyword protection of data. South system keywords do not exist on Titan.
- RACF: All data on Titan, both tape and disk, is protected by RACF via data set profiles.
- RACF DATA SET PROFILES: On Titan, a high level RACF data set profile has been established for all USERids.
- On Titan, the default level of access (Universal Access or UACC) for your data (determined by the RACF high level profile) is READ, meaning that anyone can look at your data, but only you can create, delete or modify it. You can change this default via Web RACF.
- RACF data set profiles created or modified on the South system via South Web RACF will flow over to Titan and replace or modify the profile on Titan with the same name.
- RACF data set profiles created or modified on Titan via Titan Web RACF will affect the profiles on Titan but NOT anything on the South system.
- PASSWORDS:
- Your Titan password expires every 180 days and is not case sensitive (no change from South).
- On Titan you may not reset your password to any of its 5 previous values.
- Your Titan RACF password initially matches your South system RACF password.
- If you change your password on the South system, your new password is automatically propagated to the USERids on Titan associated with your South system initials.
- If you wish to change your password it is best to change it using South Web RACF. This will change the passwords for both South and all associated Titan USERids.
- If you change your password on Titan it does not change it on the South system UNLESS the change was required because of password expiration.
- To establish the password for a Titan project userid you must first change the password for the associated project initials on the South system. If you wish, in South Web RACF you may change the password to a different value, then back to the original South value. These changes will flow over to Titan. After the initial password setting, you will not need to change your project USERid password on Titan again.
NOTE: You may find it useful to review the Glossary of RACF terms before reading further.
Data Security
One of the biggest changes that you will face in moving to Titan is making sure that your RACF data set profiles are appropriate. You have two options:
If you do NOT share your data with others:
- If you are satisfied with the default level of security (UACC of READ) for all of your data:
- You do not need to do anything. This is the default UACC for all Titan high level profiles.
- If you want more protection for your data:
- Change the UACC of your RACF high-level profile to NONE, meaning that no one else can even see your data. This can be done in Web RACF through Create/Maintain Profile of aaaaiii.**.
- If not all of your data should be treated the same -- for example, if some of it is sensitive but most is not:
- Create more specific data set profiles in addition to your high-level profile (through Web RACF -- RACF Profiles/Protect a data set). These additional profiles may have a UACC different from your high-level profile, and will enable you to grant specific USERids their individual level of access.
If you DO share your data with others:
- If others only need to READ your data:
- You do not need to do anything.
- If only certain people need a different level of access to your data:
- Create access lists for your data set profile(s) (use Web RACF -- Add user to access list to data set).
- Create @groups to simplify maintenance of the access lists (use Web RACF -- Create a RACF group).
- If not all of your data should be treated the same -- for example, if you only share some of your data, use Web RACF to:
- Create more specific data set profiles in addition to your high-level profile.
- These additional profiles may have a different UACC or access lists.
If you are UNSURE whether anyone needs access to your data:
- Create a high level data set profile on the South system in WARN mode.
- You can see who is currently accessing your data.
- WARN continues to allow complete access to all data protected by the profile but issues a warning to the job accessing your data.
- You can review the log of warning messages to see who might need access to your data by going to South Web RACF and clicking on RACF Profiles/Display/Show warnings received for prior 7 days. With this information you can determine if you need additional data set profiles and/or if you need access lists on your data set profile(s).
The RACF tutorial provides more information on levels of access and creating data set profiles, access lists and user defined groups. If you are not sure how to proceed, call TASC.
RACFid: an id to identify you to RACF -- On the South system this is your initials (iii). On Titan your RACFid is the same as your Titan USERid (aaaaiii).
RACF data set profile: defines the RACF protection for data sets with similar names and identical security requirements. A RACF data set profile defines the Universal ACCess (UACC) of a data set or group of data sets and allows you to identify individuals or groups whose access should be different from the universal access. Once the profiles are set up, there is generally little maintenance required. Web RACF provides an easy way to set up, display, and maintain RACF protection.
RACF high-level data set profile: The default profile that defines the RACF protection for all data sets under a particular USERid (aaaaiii) unless they are protected by a more specific data set profile. If you have data sets that need different levels of access, you can create additional RACF profiles for those data sets via Web RACF.
User defined @group: a facility that allows you to manage a collection of USERids that all have the same access authorities for protected resources. They are created and managed by Web RACF.
Access list: In a data set profile, the users and @groups that have been given specific access authority to the data set(s) protected by the profile, and the level of access granted to each. Userids not in the access list receive the Universal Access.
Universal Access Authority (UACC): The default data set access authority given to any userid not identified via an access list.
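The decision rules described in the Data Security section and in the glossary above, written out as an added example (a simplified Python model, not RACF or CIT code): the most specific matching profile applies, an access list entry overrides the UACC, and WARN mode lets a request through while logging it. The USERids, data set names and the `@PAYTEAM` group are constructed; matching is reduced to trailing `.**` patterns, a data set with no matching profile is assumed to be denied, and the UPDATE and ALTER levels are included alongside the READ and NONE levels the article mentions.

```python
# Simplified model of the access rules on this page; not RACF itself.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}

class Profile:
    def __init__(self, pattern, uacc="READ", access_list=None, warn=False):
        self.pattern = pattern                # "USERID.**" style or a full data set name
        self.uacc = uacc                      # level for anyone not on the access list
        self.access_list = access_list or {}  # USERid or @group -> level
        self.warn = warn                      # WARN mode: allow, but log would-be denials

    def covers(self, dsname):
        if self.pattern.endswith(".**"):
            return dsname.startswith(self.pattern[:-2])  # keep the trailing dot
        return dsname == self.pattern

def granted_level(profile, userid, groups):
    """Access list entry if present (USERid first, then best @group), else UACC."""
    if userid in profile.access_list:
        return profile.access_list[userid]
    via_group = [profile.access_list[g] for g, members in groups.items()
                 if g in profile.access_list and userid in members]
    return max(via_group, key=LEVELS.get) if via_group else profile.uacc

def check_access(profiles, groups, userid, dsname, wanted, warnings):
    """True if userid may access dsname at level `wanted`."""
    if dsname.split(".")[0] == userid:
        return True                           # owner: data under your own USERid
    matching = [p for p in profiles if p.covers(dsname)]
    if not matching:
        return False                          # assumption: unprotected names are denied
    profile = max(matching, key=lambda p: len(p.pattern))  # most specific profile wins
    if LEVELS[granted_level(profile, userid, groups)] >= LEVELS[wanted]:
        return True
    if profile.warn:                          # would be denied: allow and record it
        warnings.append((userid, dsname, wanted))
        return True
    return False

# Constructed sample: owner ABCDXYZ keeps the default high-level profile,
# restricts PAYROLL to an access list, and runs SURVEY in WARN mode.
PROFILES = [
    Profile("ABCDXYZ.**", uacc="READ"),
    Profile("ABCDXYZ.PAYROLL.**", uacc="NONE",
            access_list={"@PAYTEAM": "READ", "EFGHQRS": "UPDATE"}),
    Profile("ABCDXYZ.SURVEY.**", uacc="NONE", warn=True),
]
GROUPS = {"@PAYTEAM": {"EFGHQRS", "IJKLTUV"}}
```

Reviewing the `warnings` list after a period in WARN mode corresponds to the "Show warnings received for prior 7 days" display: each entry is a USERid that would lose access once the profile is enforced.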