Identity
In z/OS, identity refers to the unique set of attributes that authenticate and authorize a user, a started task, or a system component to access resources and perform actions. It is fundamentally established through security profiles managed by an External Security Manager (ESM) like RACF, ACF2, or Top Secret.
Key Characteristics
- Associated with a User ID (UID): Every user, batch job, or started task requiring access to protected resources must have a unique User ID defined in the ESM, serving as its primary identifier.
- Password/Passphrase Protection: User identities are typically protected by a password or passphrase for authentication, ensuring only authorized individuals or processes can assume that identity.
- Group Membership: Identities are often assigned to one or more security groups, inheriting permissions and simplifying access management for collections of users or functions.
- Authorization Attributes: An identity's profile contains specific attributes defining its access rights (e.g., READ, UPDATE, CONTROL, ALTER) to various resources like datasets, programs, CICS transactions, DB2 tables, and IMS databases.
- Auditable Actions: All actions performed under a specific identity are auditable, allowing security administrators to track resource access, system activity, and potential security breaches.
- System-level Identities (STCs): Started tasks and system components operate under specific identities (often referred to as STC user IDs) to control their access to system resources and ensure proper isolation.
Use Cases
- User Logon: A TSO user provides their User ID and password to log on, and their identity is authenticated, granting them access to TSO commands and resources based on their profile.
- Batch Job Execution: A JCL JOB statement can specify a USER parameter (e.g., //JOBNAME JOB (ACCT),USER=PRODUSER), assigning a specific identity to the batch job for resource access validation throughout its execution.
- CICS Transaction Security: A CICS transaction can be secured, requiring the user's identity (or the terminal's identity) to have specific authorization to execute it, preventing unauthorized access to critical business functions.
- Dataset Access Control: When a program attempts to open a dataset, the identity of the executing job or user is checked against the dataset's security profile to determine if READ, WRITE, or other access rights are permitted.
- DB2 Object Access: Access to DB2 tables, views, and stored procedures is controlled by checking the identity of the connecting user or application against DB2 authorization IDs and privileges.
Related Concepts
Identity is foundational to Security in z/OS, intrinsically linked with RACF (Resource Access Control Facility) or other ESMs, which manage and enforce identity-based access rules. It dictates what an Address Space, Job, or TSO Session can do by defining its Authorization to access Resources (e.g., datasets, programs, CICS transactions, DB2 objects). Identity profiles are critical for Auditing system activities and maintaining compliance.
Best Practices
- Principle of Least Privilege: Grant only the minimum necessary access rights to an identity required to perform its function, minimizing the potential impact of a compromised identity.
- Strong Password/Passphrase Policies: Enforce complex, regularly changed passwords or passphrases, and consider multi-factor authentication where available, to protect identities from compromise.
- Regular Review of Access Rights: Periodically review and recertify identity access permissions to ensure they remain appropriate, removing obsolete access and adjusting for role changes.
- Group-Based Access Management: Utilize security groups to manage access permissions, simplifying administration, improving consistency, and reducing errors compared to assigning rights to individual users.
- Separate Identities for Applications/STCs: Assign unique, non-interactive identities to started tasks and applications to isolate their privileges, improve auditability, and prevent privilege escalation.
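As an added example that is not part of this page, the following JCL runs RACF commands under IKJEFT01 to set up the identities described in the use cases and best practices above for a hypothetical payroll application: a security group, a protected (non-logon) batch/STC identity, a generic dataset profile with group-based least-privilege access and auditing, and a STARTED-class profile that assigns the started task its identity. All names (PAYROLL, PAYBATCH, PAYUSR1, PAYSTC, the HLQ PAYROLL.MASTER) are assumptions, and the DATASET and STARTED classes are assumed to be active with generic profiles enabled.

```jcl
//RACFDEF  JOB (ACCT),'DEFINE PAYROLL IDS',CLASS=A,MSGCLASS=X
//* Added example (not from the page): identities for a payroll application.
//* PAYROLL, PAYBATCH, PAYUSR1, PAYSTC and PAYROLL.MASTER are assumed names.
//* The RACF commands run under the identity of the submitting user, which
//* needs SPECIAL (or group-SPECIAL over PAYROLL) to define these profiles.
//* A batch job can later run under the same non-logon identity by coding
//* USER=PAYBATCH on its JOB statement; without PASSWORD= the submitter then
//* needs SURROGAT authority for PAYBATCH.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP PAYROLL SUPGROUP(SYS1) OWNER(SYS1) +
     DATA('PAYROLL APPLICATION ACCESS GROUP')
  ADDUSER PAYBATCH NAME('PAYROLL BATCH/STC ID') OWNER(PAYROLL) +
     DFLTGRP(PAYROLL) NOPASSWORD NOOIDCARD
  CONNECT PAYUSR1 GROUP(PAYROLL) AUTHORITY(USE)
  ADDSD 'PAYROLL.MASTER.**' GENERIC UACC(NONE) OWNER(PAYROLL) +
     AUDIT(ALL(READ)) DATA('PAYROLL MASTER FILES')
  PERMIT 'PAYROLL.MASTER.**' GENERIC ID(PAYROLL) ACCESS(READ)
  PERMIT 'PAYROLL.MASTER.**' GENERIC ID(PAYBATCH) ACCESS(UPDATE)
  RDEFINE STARTED PAYSTC.* +
     STDATA(USER(PAYBATCH) GROUP(PAYROLL) TRUSTED(NO) PRIVILEGED(NO))
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST(STARTED) REFRESH
/*
```

Human users get READ through membership in PAYROLL, only the PAYBATCH identity may UPDATE the master files, and AUDIT(ALL(READ)) records every successful and failed access at READ and above for later review.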