Identify

Enhanced Definition

In the mainframe and z/OS context, "identify" refers to the initial process where a user or a system component asserts its unique identity to the operating system or a security manager. This assertion typically involves providing a `USERID` (User Identifier) to gain access to the system or its resources, preceding the authentication step.

Key Characteristics

    • User-Centric: Primarily associated with users (individuals, applications, or system tasks) presenting their USERID to the system.
    • Pre-Authentication Step: It is the foundational step before authentication (proving the asserted identity) and authorization (determining what the identified and authenticated entity can access).
    • System-Wide Recognition: The USERID provided must be known and defined within the system's security database, typically managed by a Security Server like RACF (Resource Access Control Facility).
    • Trigger for Security Checks: Successfully identifying oneself initiates the security manager's process to validate the identity and subsequently check access permissions.
    • Associated with Credentials: While Identify is the assertion of the USERID, it is immediately followed by the provision of associated credentials (e.g., password, passphrase, digital certificate) for authentication.

Use Cases

    • TSO/ISPF Logon: A user entering their USERID at the TSO logon screen to gain interactive access to the z/OS system and ISPF panels.
    • Batch Job Submission: A batch job's JCL specifying a USERID on the JOB statement (e.g., `//JOBNAME JOB (ACCT),MSGCLASS=X,USER=MYUSERID`) to identify the job's owner for security and resource accounting.
    • CICS Transaction Access: A user logging into a CICS terminal or an application program connecting to CICS, presenting a USERID to access CICS transactions and resources.
    • DB2 Connection: An application or user attempting to connect to a DB2 subsystem, providing a USERID for database access control and auditing.
    • API or Service Calls: External applications using z/OS Connect or other APIs to interact with mainframe services, where the calling entity identifies itself with a USERID for security validation.

Related Concepts

"Identify" is the crucial first step in the security triad of Identify, Authenticate, and Authorize. A user first *identifies* themselves with a USERID. Then, they *authenticate* by proving they are who they claim to be (e.g., with a password). Finally, the system *authorizes* them to access specific resources based on their authenticated identity and defined permissions in the security manager (like RACF or ACF2). The USERID is the primary key used by the security manager to retrieve and enforce these permissions.

Best Practices

    • Unique USERIDs: Ensure every user, application, and system task has a unique USERID to maintain accountability and granular access control.
    • Meaningful Naming Conventions: Use clear and consistent naming conventions for USERIDs (e.g., departmental prefixes, role-based identifiers) to simplify management and auditing.
    • Strong Credential Requirements: Enforce strong password/passphrase policies or utilize digital certificates to ensure that the subsequent authentication step is robust.
    • Regular Auditing: Periodically review USERID definitions, their associated groups, and access permissions to ensure they align with current roles and security policies.
    • Implement Multi-Factor Authentication (MFA): Where possible, augment USERID and password identification with MFA solutions to significantly enhance security against unauthorized access.
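
As an added example (not taken from this page or from any vendor tooling), the Python sketch below audits the identity asserted on batch JOB statements: it extracts USER= across continuation lines, then checks USERID syntax, whether the USERID is defined, and whether it follows a naming convention. The sample JCL, the DEFINED set (standing in for an extract of the security database) and the BAT prefix convention are constructed assumptions.

```python
import re

# RACF USERID syntax: 1-8 characters from A-Z, 0-9 and the national characters # $ @
USERID_RE = re.compile(r"^[A-Z0-9#$@]{1,8}$")
JOB_RE = re.compile(r"^//([A-Z#$@][A-Z0-9#$@]{0,7})\s+JOB(?:\s+(.*))?$")
USER_RE = re.compile(r"(?:^|,)USER=([^,]*)")

def operand_field(text):
    """Return the operand field only: quoted strings blanked, trailing comments dropped."""
    parts = re.sub(r"'[^']*'", "''", text).split()
    return parts[0] if parts else ""

def job_statements(jcl):
    """Yield (jobname, operands) for each JOB statement, joining continuation lines."""
    lines = [line[:71].rstrip() for line in jcl.splitlines()]  # cols 72-80 hold no operands
    i = 0
    while i < len(lines):
        m = JOB_RE.match(lines[i])
        i += 1
        if not m:
            continue
        operands = operand_field(m.group(2) or "")
        # A trailing comma means the operands continue on the next "// " line.
        while operands.endswith(",") and i < len(lines) and re.match(r"^// +\S", lines[i]):
            operands += operand_field(lines[i][2:])
            i += 1
        yield m.group(1), operands

def audit(jcl, defined, convention):
    """Return (jobname, userid, finding) for every JOB statement that fails a check."""
    findings = []
    for job, operands in job_statements(jcl):
        m = USER_RE.search(operands)
        uid = m.group(1) if m else None
        if uid is None:
            findings.append((job, None, "no USER= coded on the JOB statement"))
        elif not USERID_RE.match(uid):
            findings.append((job, uid, "not a valid USERID (1-8 chars, A-Z 0-9 # $ @)"))
        elif uid not in defined:
            findings.append((job, uid, "USERID not defined to the security manager"))
        elif not convention.match(uid):
            findings.append((job, uid, "USERID breaks the batch naming convention"))
    return findings

# Constructed sample input; DEFINED and CONVENTION are hypothetical site values.
SAMPLE_JCL = """//PAYROLL1 JOB (ACCT),'NIGHTLY RUN',MSGCLASS=X,
//         USER=BATPAY01
//REPORT2  JOB (ACCT),MSGCLASS=X,USER=JSMITH   USER=IGNORED IN COMMENT
//CLEANUP3 JOB (ACCT),MSGCLASS=X
//ADHOC4   JOB (ACCT),MSGCLASS=X,USER=BATTOOLONG
//ARCHIVE5 JOB (ACCT),USER=BATGONE"""
DEFINED = {"BATPAY01", "JSMITH"}
CONVENTION = re.compile(r"^BAT")
```

Calling `audit(SAMPLE_JCL, DEFINED, CONVENTION)` returns one finding each for REPORT2, CLEANUP3, ADHOC4 and ARCHIVE5; PAYROLL1 passes every check.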
