Migrating Dataset Security Setup from Mainframe RACF to Active Directory

Background

Many customers migrate applications from mainframes to Windows or Unix platforms in the cloud or on-premises. In addition to applications, certain peripheral systems in the mainframe also need to be migrated. One such peripheral system is the security setup used to protect datasets (files). Dataset security setup in mainframe systems involves implementing measures to control and restrict access to datasets, which are the fundamental units for storing data on the mainframe. Controlling dataset access is crucial for maintaining data integrity, confidentiality, and compliance with regulatory requirements. Hence the security setup needs to be migrated with utmost care in any rehosting program. IBM RACF (Resource Access Control Facility) is the typical product used to set up security on the mainframe, and Active Directory is usually used in the target state. In this blog, we discuss various approaches for migrating dataset profiles from RACF to Active Directory.

Basics of RACF setup for dataset protection

To protect datasets on the mainframe, “dataset profiles” are defined in RACF. A profile contains a dataset name – either a complete name, or a partial name with wildcards. For each dataset profile, access is granted in RACF to the appropriate set of users or groups.

RACF maintains a database containing access levels for various protected resources, and this database can be unloaded using a utility.

When a user or a job attempts to access a dataset, RACF locates the dataset profile responsible for its protection. If there is no profile for the precise dataset name, RACF searches for matching profiles with wildcard-defined dataset names and selects the closest match. It then verifies whether the user ID attempting access has the required authorization to perform that action. If the required authorization is lacking, RACF denies the operation.

Options for migration

Option 1: Bottom-up approach

In this approach, we migrate the exact configuration of dataset profiles from the RACF database to Active Directory. To achieve this, a tool-based approach becomes essential for migrating RACF profiles and groups to Active Directory ACLs and groups.

Certain mainframe application rehosting platforms feature a security manager that emulates mainframe RACF, with Micro Focus Enterprise Server being an example. In such instances, the bottom-up approach is the preferred method, as the rehosting product vendor equips users with tools for migrating profiles from RACF to AD. These tools facilitate migration of RACF database unloads to .idf files, which can subsequently be integrated into Active Directory LDS (Lightweight Directory Services).

In other scenarios where there is no tool provided by the vendor for RACF migration, the development of bespoke tools becomes imperative for executing a smooth migration from RACF to Active Directory. Notably, Microsoft offers a dedicated tool designed for the automated conversion of user IDs from RACF, further streamlining the migration process. Refer to this article for details about this tool: https://techcommunity.microsoft.com/t5/modernization-best-practices-and/migrating-mainframe-racf-user-identities-to-azure-active/ba-p/3104286

This tool can be further enhanced to manage dataset profile migration as well.

Advantages of Bottom-up approach:

  • This option is preferable for a complex RACF setup that needs to be migrated as-is. Understanding the rationale behind the current state’s rule definitions is unnecessary; the primary goal is to migrate them exactly as they are.

Disadvantages of Bottom-up approach:

  • As mainframe applications are typically old, there could be thousands of profiles in the RACF database which are no longer necessary. Identifying and removing them is challenging, leading to an unnecessary increase in migration effort.
  • When target platforms lack tools for RACF migration, it becomes essential to develop new custom tools for the process. Developing such a tool is complex for the reasons below:

    – RACF profiles can have wildcards (‘%’ or ‘*’ to indicate single or multiple characters respectively). But wildcards cannot be used in Active Directory ACLs.
    – When multiple profiles are matching the same dataset, RACF has a particular algorithm to choose the profile which matches maximum number of characters. These profiles cannot be migrated as-is to Active Directory.
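The two obstacles above can be seen in a small resolver. This is an added example, not code from any vendor tool: it uses a simplified model that follows the wording above (`%` = one character, `*` = several, closest match = most literal characters), not RACF's full matching rules, and the profile names, groups and dataset list are constructed.

```python
import re

# Constructed sample profiles: profile name -> {group: RACF access level}
PROFILES = {
    "PAY.PROD.*":       {"PAYOPS": "READ"},
    "PAY.PROD.MASTER%": {"PAYADM": "UPDATE"},
    "PAY.*":            {"PAYDEV": "READ"},
}
DATASETS = ["PAY.PROD.MASTER1", "PAY.PROD.REPORT", "PAY.TEST.INPUT", "HR.PROD.FILE"]

def to_regex(profile):
    """Translate the two wildcards: % = one character, * = any run of characters."""
    parts = ["." if ch == "%" else ".*" if ch == "*" else re.escape(ch) for ch in profile]
    return re.compile("".join(parts) + r"\Z")

def specificity(profile):
    """Number of literal (non-wildcard) characters: the simplified 'closest match' score."""
    return sum(ch not in "%*" for ch in profile)

def resolve(dataset, profiles):
    """Profile protecting a dataset: exact name first, else the closest wildcard match."""
    if dataset in profiles:
        return dataset
    hits = [p for p in profiles if to_regex(p).match(dataset)]
    return max(hits, key=specificity) if hits else None

def expand(datasets, profiles):
    """Flatten to explicit (dataset, group, access) rows, since target ACLs hold no wildcards."""
    rows = []
    for ds in datasets:
        winner = resolve(ds, profiles)
        if winner is None:
            rows.append((ds, None, "UNPROTECTED"))  # no profile covers it: needs a decision
            continue
        rows.extend((ds, grp, acc) for grp, acc in sorted(profiles[winner].items()))
    return rows

def overgranted(dataset, profiles):
    """Groups that applying every matching profile (instead of only the winner) would add."""
    allowed = set(profiles.get(resolve(dataset, profiles), {}))
    matched = {g for p in profiles if to_regex(p).match(dataset) for g in profiles[p]}
    return sorted(matched - allowed)
```

For `PAY.PROD.MASTER1` all three profiles match but only `PAY.PROD.MASTER%` applies, so a converter that copies every matching profile onto the file would hand access to two groups that RACF denies today.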

Option 2: Top-down approach

In this approach, we examine the applications and datasets from a top-down perspective and create new and simpler rules to ensure access protection for the datasets. It can be performed through the steps below:

1. Identify the relationship between datasets and applications:
Inventory analysis tools like Infosys Live Enterprise Application Development Platform or other third-party analysis tools can be used to generate a cross-reference report showing the relationship between batch jobs and datasets. Based on the type of access – Create / Read, we can perform further analysis to assign the “owning application” and “referring applications” (if any) for each dataset.

2. Identify naming convention patterns:
Use Excel-based and other scripting tools to ascertain the naming conventions / patterns associated with datasets for each application. This exercise aims at minimizing the number of definitions required in the target state file structure.

3. Identify user groups and roles:
Identify the list of user groups and roles – for example, Developers of App A, Support team for App A, Operators, etc. Create an Active Directory group for each logical role or team that will be accessing the data in the target state. Include the respective users and service accounts in each of these AD groups.

4. Create the assignment of folder / file access to the required groups / users:
Using the analysis above, generate a spreadsheet outlining the folders / files in the target state and the corresponding AD groups requiring access to each. The approach for this step will vary depending on the target state and the overall mainframe migration strategy. For example, in certain rehosting solutions, dataset names will be transformed into a folder structure in the target state: a dataset ‘SYS2.APP1.CTLCARDS’ will be stored in <base mount folder>\SYS2\APP1\CTLCARDS. In other migration solutions, the datasets could be replaced with Windows or Unix file structures in other ways. An understanding of how dataset names are transformed is required to create the spreadsheet mentioned above.

Also, it is crucial to consider the default inheritance rules of the client’s installation, as the access granted to a folder may be inherited by all its subfolders by default, based on those rules.

5. Implementation of the assignments:
With the help of the security access management team, implement the assignment rules determined in the previous step. To reduce effort, we can build automation scripts to perform bulk updates of Access Control Lists (ACLs) on the target file system.
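Steps 1 to 4 can be sketched as one script that turns a cross-reference report into the assignment rows that step 5 would apply. This is an added example, not part of any tool named above; the base folder, the cross-reference rows, the group naming scheme and the mapping of owning applications to Modify and referring applications to Read are all assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

BASE = PureWindowsPath(r"D:\datasets")  # assumed base mount folder
# Constructed cross-reference rows: (application, dataset, access type)
XREF = [
    ("APP1", "SYS2.APP1.CTLCARDS", "CREATE"),
    ("APP1", "SYS2.APP1.MASTER", "CREATE"),
    ("APP2", "SYS2.APP1.MASTER", "READ"),
    ("APP2", "SYS2.APP2.EXTRACT", "CREATE"),
    ("APP2", "SYS2.MISC.APP2LOG", "CREATE"),
    ("APP3", "SYS2.MISC.AUDIT", "CREATE"),
]

def folder(dataset):
    """Step 4 mapping: each qualifier becomes one folder level under the base mount."""
    return BASE.joinpath(*dataset.split("."))

def common_parent(paths):
    """Deepest folder that contains every path in the list."""
    shared = list(paths[0].parts)
    for p in paths[1:]:
        n = 0
        while n < min(len(shared), len(p.parts)) and shared[n] == p.parts[n]:
            n += 1
        shared = shared[:n]
    return PureWindowsPath(*shared)

def plan(xref):
    """Return sorted (folder, AD group, right) rows; group names are hypothetical."""
    owner_of = {ds: app for app, ds, acc in xref if acc == "CREATE"}
    owned, readers = defaultdict(list), defaultdict(set)
    for app, ds, acc in xref:
        if acc == "CREATE":
            owned[app].append(folder(ds))
        elif owner_of.get(ds) != app:
            readers[folder(ds)].add(app)  # referring application
    rows = []
    for app, paths in owned.items():
        root = common_parent(paths)
        foreign = [f for other, fs in owned.items() if other != app
                   for f in fs if f == root or root in f.parents]
        # If inheritance from root would expose another application's data
        # (naming convention not followed), fall back to one rule per dataset.
        targets = paths if foreign or root == BASE else [root]
        rows += [(str(t), f"GRP-{app}-OWNERS", "Modify") for t in targets]
    for path, apps in readers.items():
        rows += [(str(path), f"GRP-{a}-READERS", "Read") for a in sorted(apps)]
    return sorted(rows)
```

APP1 follows its naming convention and collapses to a single inherited rule on `SYS2\APP1`, while APP2's datasets are scattered, so a grant on their common parent `SYS2` would inherit onto other applications' folders and the plan emits per-dataset rules instead.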

Advantages of Top-down approach:

  • This is a more straightforward approach, as there is no need to analyze the complex setup of the current state RACF rules.
  • This provides an opportunity to clean up the obsolete access rules setup in the current RACF.
  • Helps in establishing a protection setup that is more accurate and optimal, which aligns with the actual usage of the files by application processes and users.

Disadvantages of Top-down approach:

  • If the naming conventions of datasets in the current state are not followed properly, we will not be able to logically group all datasets of the same application under the same folder, leading to a substantial increase in the number of rules to be set up in the target state.

Conclusion

Dataset security setup in mainframe systems is essential for safeguarding valuable data assets, ensuring compliance with regulations, and mitigating the risk of unauthorized access or data breaches. By implementing robust access controls, encryption, and audit mechanisms, organizations can effectively manage dataset security in mainframe environments. Hence, security migration is a critical piece of mainframe modernization engagements. We discussed the approaches used for security migrations above, namely the top-down and bottom-up approaches. The appropriate approach needs to be selected depending on the mainframe migration approach and the current environment setup. For example, during mainframe migrations where no ready-made tools are available for migrating RACF, the top-down approach provides a simpler and optimal way to set up the security of datasets in the target state. Conversely, when a rehosting product vendor provides tools for migrating profiles from RACF to AD, the bottom-up approach becomes the preferred method for migrating the dataset security.

Author Details

Ashok Kumar Pragasam

Industry Principal. Mainframe Modernization Practice.
