IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-223714 | RACF-ES-000670 | SV-223714r991589_rule | CCI-000366 | medium |
| Description | ||||
| This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures). | ||||
| STIG | Date | |||
| IBM z/OS RACF Security Technical Implementation Guide | 2025-06-24 | |||
Details
Check Text (C-223714r991589_chk)
From the ISPF Command Shell enter:
ListUser *
If authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.
If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.
Otherwise, Group-OPERATIONS is allowed.
Fix Text (F-25375r514831_fix)
Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.
A sample command to remove the OPERATIONS attribute from a userid is shown here:
ALU <userid> NOOPERATIONS
To remove the Group-Operations attribute:
CO <user> GROUP(<groupname>) NOOPERATIONS