Skip to main content
CUI

STIG Rule - V-223665

Back to STIG Browser

V-223665

SV-223665r1195461_rule

CAT II

IBM RACF Global Access Checking must be restricted to appropriate classes and resources.

From: IBM z/OS RACF Security Technical Implementation Guide (V9R8)

Description

<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

From a command input screen, enter: RL Global * If Global * is specified in SETROPTS, this is a finding. The following entries may be allowed with the approval of the information system security manager (ISSM): Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets) OPERCMDS Class - READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs) JESJOBS Class - ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs) JESJOBS Class - ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs) The ISSM may allow other classes to be included after evaluation with the system programmer. Note: Be careful when adding any resource requiring auditing to Global Access Checking. RACF performs no logging other than that requested by the SETROPTS LOGOPTIONS command. There are other special consideration for global access checking found in the z/OS Security Server RACF Security Administrator's Guide. If any other members are included for Global Access Checking, this is a finding. If written approval by the ISSM is not provided, this is a finding.

Fix Text

Configure Global Access Checking to be appropriately administered. Note: Special consideration should be followed as indicated in z/OS Security Server RACF Security Administrator's Guide. Evaluate the impact associated with implementation of the control option. Develop approval documentation and a plan of action to implement the control option as specified in the example below: RALT GLOBAL class-name ADDMEM (resourcename)/accesslevel)

CCI Reference

CCI-000213
Created
2026-04-07 20:08:20
Last Updated
2026-04-07 20:08:20
Back to Browse
CUI