Solving the Mainframe Administration Challenge with an IAM Solution

Administrators of z/OS are responsible for a wide range of tasks to ensure the smooth operation and maintenance of the z/OS environment, including user and permission management, security administration, monitoring, software administration, and problem resolution. While some tasks, such as problem resolution, require in-depth knowledge of the mainframe system, others can be delegated.

In this article, we will focus on Identity Access Management (IAM), as it also reduces the compliance and security management workload for z/OS administrators. When delegating mainframe administration tasks, it is crucial to ensure that the reduction in workload is not offset by additional maintenance tasks.

The market offers a wide range of IAM solutions, like Beta Systems’ Garancy Suite, but those with dedicated support for z/OS security systems like ACF2, TopSecret, and RACF are rare. Some solutions utilize the LDAP interface of RACF for their tasks. For the manufacturer, this approach has the advantage that implementation and maintenance require less expert knowledge on z/OS. However, the administrative depth is limited by the capabilities of the LDAP interface, and achieving a satisfying level of access management usually requires additional extensions to be installed on z/OS.

More comprehensive solutions like Garncy take a different approach by relying directly on an agent program running on z/OS to perform administration. This method allows for greater administrative depth, limited only by the capabilities implemented in the agent.

In principle, a third approach is possible: using an omnipotent bridge to the z/OS system, such as a 3270 terminal, to send commands directly. However, this method requires the same expertise as implementing an agent on z/OS and opens up the system completely to the IAM solution without any additional security measures being taken.

The z/OS platform supports various identity management systems, with RACF being the most widely used. RACF’s access model extends far beyond the basic scheme of assigning users to groups to grant access to resources. Permissions can be conveyed through user or connection attributes, such as AUDITOR or SPECIAL, defined in access lists like UACC, granted through security classifications, resources, or ownership. This list is not exhaustive.

RACF offers more granular security control than any system outside the mainframe. This superior cybersecurity is a significant factor in the business case for using mainframes for critical applications like for example in core banking systems. Reducing the level of security to integrate RACF into an overarching IAM solution is usually not an option. Therefore, the administrative depth of the chosen IAM solution is crucial for delegating administrative work away from the mainframe.

An IAM solution will provide easily accessible reports on the security structure of the z/OS system, with granularity depending on the administrative depth of the software. Garancy logs all changes made to the z/OS security system in a central location, making them much more easily accessible than SMF records on z/OS. Further our IAM Solution offers a helpdesk functionality without requiring RACF access for the helpdesk administrators.

The core of IAM is account administration. Any IAM system with RACF support can create or delete user accounts, but in RACF, this is not sufficient enough. An employee cannot work with a bare RACF account in the Time Sharing Options (also known as TSO) if he lacks an alias in the master catalog. Therefore, managing the master catalog is essential for RACF administration, even for the simplest tasks. The IAM system should also recognize that the master catalog might be shared across several RACF systems.

Just as alias definitions are necessary for new users to make the user account usable, changes in conditions for general resources will not be effective until they are reloaded. It is crucial for an IAM system to process such changes automatically. Otherwise, the apparent permissions shown by the IAM system will not match the active permissions in RACF which makes it crucial to run a live balancing like Garancy in order to keep the IAM-System as single point of truth.

Deleting user accounts in RACF is also more complex than on other platforms. Users will have dataset profiles that must be deleted along with the account. If RACLINK is used to share user IDs and passwords across several systems, this link must also be removed before the user can be deleted.

IAM systems can manage the connections between users and groups. Groups often reflect the company’s organizational structure. This can be leveraged to automate the creation and deletion of groups and resources with a sufficiently powerful IAM solution to reflect changes in the organizational structure.

One of the most frequent tasks for administrators without an IAM system is managing resource definitions. Classes and resource definitions regulate user permissions within RACF and are a crucial part of RACF security management. New versions and features of products installed on the mainframe usually come with changes in resource definitions. These changes are typically provided by the respective software manufacturer in a form that can be applied directly within the mainframe.
Therefore, it might not be feasible to apply these changes via an IAM system initially. However, it is desirable to see the changes in the IAM system, correct errors, and adjust them. It should be possible to generate reports for an overview and log any permission changes in a central, mainframe-independent location.

Apart from the initial effort to introduce and customize an IAM system, there are ongoing maintenance efforts to consider. These efforts can be categorized into three types:

1. Maintaining the IAM agent and its required environment

2. Maintaining individual extensions on z/OS

3. Efforts for manual tasks that could have been automated

Agents for IAM systems are typically not considered standalone software products. Manufacturers of IAM solutions usually require the agent to be updated along with the main installation within a specified time period. This necessitates coordinated maintenance efforts by the z/OS administration team, in addition to general monitoring of running tasks. The workload depends on the software release schedule and the frequency of hotfixes.

An exception is the IAM solution made by Beta Systems: Garancy does not require any updates of the agent on z/OS. The agent’s software state is centrally controlled by the IAM system, while the design still ensures that attackers cannot exploit this mechanism for unauthorized changes to the software on z/OS.

Maintenance of the agent’s environment is necessary in any case. This includes the operating system and software the agent relies on, such as a Java Runtime Environment or administration of the LDAP interface.

Even if an IAM system claims to support RACF, it is crucial to examine the details. If the administrative depth is too shallow, even basic tasks might require individual customization or extension of the product.

Minimizing individual adaptations on z/OS is essential to reduce the burden on z/OS administration. The primary reason for this is maintenance responsibility. All code requires maintenance. The IAM system manufacturer is responsible for maintaining the code of the agent they deliver, which does not bind resources on the customer’s side and spreads costs among all customers of the product.

Conversely, the customer is responsible for maintaining their individual code or paying for its maintenance. Additionally, custom code increases the scarcity of expert knowledge. There are already few z/OS programmers, and even fewer will be familiar with the custom code, further increasing the cost of maintaining custom code on z/OS.

Given the shortage of z/OS experts, the ultimate goal for an IAM system is to automate tasks to the extent that the person initiating them does not need to understand the underlying processes. If full automation is not feasible, it is beneficial to automate tasks to reduce the time z/OS experts spend on them.

Typically, the decision to automate is based on comparing the cost of automation with the cost of repetitive manual execution. However, considering the scarcity of z/OS experts, of if an expert is retiring, this approach is incomplete. It might be possible to find a contractor for automation, although this is challenging in the current market. If the automation is related to an IAM system, the vendor’s consultant would be the most helpful approach. This strongly depends on the vendor’s experience with mainframes. If a task is not automated, it will be nearly impossible to find a contractor to perform it sporadically.

Therefore, automation is a way to offload work from the z/OS staff that cannot be otherwise delegated. The time spent by the company’s z/OS administrators might be more valuable than the financial cost of software or external consultants for automation.

While the mainframe remains a robust platform for business-critical tasks, the scarcity of expert z/OS administrators presents a significant risk. Implementing a non-z/OS based IAM system can mitigate this risk by reducing the workload on z/OS administrators.

The key to success is ensuring the IAM system provides comprehensive administrative capabilities without requiring individual extensions. Such extensions can significantly increase future costs as individual solutions reduce maintainability, especially on z/OS where the scarcity of z/OS programmers makes maintenance more difficult than on other platforms. Another crucial factor is the level of support and consulting the manufacturer can provide for mainframe systems, which is closely related to their professional abilities and experience through practical implementations.

The Beta Systems Garancy Suite offers one of the most comprehensive RACF management capabilities out-of-the-box among major IAM vendors. Alongside IBM, Beta Systems is one of the only two IAM software vendors that also provide RACF management software, thus possessing unparalleled knowledge of RACF in the IAM market. Additionally, the Garancy Suite’s innovative approach to agent maintenance results in lower maintenance workloads compared to competitors.