Modernization Hub

Identification

Enhanced Definition

In the z/OS environment, identification is the process by which a user, program, or system component asserts an identity when it attempts to access system resources or services. It is the foundational step in the security chain: an entity must first present a recognized identity before authentication can verify that claim and authorization can decide what the entity may do.

Key Characteristics

    • User Identification: Primarily involves a unique USERID (User Identifier) and often a corresponding password or other credentials for interactive logons (e.g., TSO, CICS, IMS) or batch job submission.
    • Resource Identification: Every managed resource, such as a data set, volume, device, or transaction, possesses a unique identifier (e.g., DSN for data sets, VOLSER for volumes).
    • Program Identification: Programs are identified by their name and library location, and sometimes by attributes such as APF authorization or a digital signature, which determine the privileges they may exercise.
    • System Component Identification: Internal z/OS components and subsystems (e.g., JES2, DB2, CICS) also have unique identifiers that allow them to interact securely.
    • Precursor to Authentication: Identification establishes *who* or *what* is claiming access, which is then verified during the authentication phase.

Use Cases

    • TSO Logon: A user provides their USERID and password to gain access to the Time Sharing Option (TSO) and ISPF environment.
    • Batch Job Submission: The JOB statement in JCL specifies a JOBNAME and often a USERID (via USER= parameter) under which the job will execute and access resources.
    • CICS Sign-on: An application user enters their USERID and password to sign into a CICS region to execute transactions.
    • Data Set Access: When a program or user attempts to open a data set, z/OS identifies the data set by its DSN and the user by their USERID to check access permissions.
    • Program Execution: z/OS identifies a program by its name and library to determine if it is authorized to run, especially if it requires elevated privileges.

Related Concepts

Identification is inextricably linked to authentication, where the claimed identity is proven (e.g., by verifying a password), and authorization, which determines what actions the now-authenticated entity is permitted to perform. It relies heavily on External Security Managers (ESMs) like IBM's RACF (Resource Access Control Facility) or Broadcom's ACF2/Top Secret, which store and manage user profiles, group memberships, and resource definitions. Effective identification is crucial for auditing and accountability, as all actions are attributed to an identified entity.

Best Practices

    • Unique User IDs: Assign a unique USERID to each individual so that every action can be attributed to one accountable person in the audit trail.
    • Strong Password Policies: Enforce complex password rules (length, character mix, history) and regular password changes for the credentials that back user identification.
    • Leverage ESMs: Use the full capabilities of your ESM (e.g., RACF) to define and manage user, group, and resource profiles.
    • Principle of Least Privilege: Grant each identified user and program only the minimum privileges required for its function, reducing the attack surface.
    • Regular Review of Privileges: Periodically review and reconcile USERIDs, group memberships, and resource access rules to ensure they remain appropriate.
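An added example, not from the original page, tying the JOB statement's USER= parameter to the RACF definitions the best practices above call for: a batch job that runs the TSO/E command processor to create a group, a uniquely named user, and a protected data set whose access is granted to the group at READ only. The USERIDs, group, and data set name are constructed, and the job assumes RACF as the ESM and that the submitter is permitted to run work under SECADM01.

```jcl
//RACFDEF  JOB (ACCT),'DEFINE PAYROLL IDS',CLASS=A,MSGCLASS=X,
//             USER=SECADM01
//* USER= names the identity the job runs and is audited under.
//* RACF verifies the submitter may use it (the submitter's own
//* ID propagated, or SURROGAT authority); no password is in the JCL.
//* The step runs the TSO/E batch processor so the RACF commands in
//* SYSTSIN execute as if typed at a TSO prompt (constructed names):
//*  1. ADDGROUP - one group per business function
//*  2. ADDUSER  - one USERID per person (J. Smith), owned by the
//*                group; the initial password expires at first logon
//*  3. ADDSD    - data set profile with UACC(NONE), so nobody has
//*                access by default; AUDIT logs every read attempt
//*  4. PERMIT   - grants the group, not the individual, READ only
//*  5. LISTUSER / LISTDSD - show what was defined, for review
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP PAYROLL SUPGROUP(SYS1) OWNER(SYS1)
  ADDUSER  JSMITH01 NAME('J. SMITH') OWNER(PAYROLL) DFLTGRP(PAYROLL) +
           PASSWORD(CHANGEME)
  ADDSD    'PAYROLL.MASTER.DATA' UACC(NONE) OWNER(PAYROLL) +
           AUDIT(ALL(READ))
  PERMIT   'PAYROLL.MASTER.DATA' ID(PAYROLL) ACCESS(READ)
  LISTUSER JSMITH01
  LISTDSD  DATASET('PAYROLL.MASTER.DATA') AUTHUSER
/*
```

The LISTUSER and LISTDSD output in SYSTSPRT is the record a reviewer checks during the periodic privilege review: the user's groups and the profile's access list should match what the job defined and nothing more.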
