Starting with IMS 14, you can ask that RACF record statistics when IMS Connect authenticates ODBM client connections to IMS DB. With these RACF statistics, you can define policies to improve security for your RACF-protected data in IMS DB. For example, with information on the last date and time that a user is authenticated to access IMS DB data, you can define a security policy to automatically revoke inactive users. Or, you might want to use the RACF statistics to define an interval for password changes. You can specify the RACF statistics that you want to record by using the options on the RACF command SETROPTS.

There are a couple of methods to enable RACF to record statistics when IMS Connect authenticates ODBM client connections to IMS DB, shown below. After you enable RACF statistics to be recorded, RACF updates the statistics no more than once per day to a system management facility (SMF) data set or log stream.

ODRACFST=Y – In the ODACCESS statement of the HWSCFGxx member of the IMS PROCLIB data set, specify ODRACFST=Y to enable RACF statistics to be recorded. When you specify ODRACFST=Y, a message is also issued if the user logon is successful.

UPDATE IMSCON TYPE(CONFIG) – The ODRACFST(ON) keyword on the UPDATE IMSCON TYPE(CONFIG) command allows you to update the ODRACFST= RACF statistics option while IMS Connect remains online: UPD IMSCON TYPE(CONFIG) SET(ODRACFST(ON))

You can find more detailed information about how RACF records statistics when IMS Connect authenticates ODBM client connections to IMS DB in the IBM Knowledge Center.
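The sketch below is an added example, not IBM or RACF code. It models the two points made above: statistics are updated at most once per user per day, and the recorded last-authentication date can drive a policy that flags inactive users. The user IDs, dates, 60-day interval and function names are constructed for illustration.

```python
from datetime import date

# Constructed sample: (user ID, date) of successful ODBM client authentications,
# in chronological order.
AUTH_EVENTS = [
    ("USRA", date(2017, 6, 1)), ("USRA", date(2017, 6, 1)),
    ("USRB", date(2017, 6, 1)),
    ("USRA", date(2017, 8, 28)), ("USRA", date(2017, 8, 28)),
    ("USRC", date(2017, 8, 29)),
]

def replay(events):
    """Return (last_access, writes): the last authentication date per user and
    the number of statistics updates, at most one per user per day."""
    last_access, writes = {}, 0
    for user, day in events:
        if last_access.get(user) != day:   # first authentication of the day
            last_access[user] = day
            writes += 1
    return last_access, writes

def inactive_users(last_access, today, max_idle_days):
    """Users whose last recorded authentication is older than the policy interval."""
    return sorted(u for u, d in last_access.items()
                  if (today - d).days > max_idle_days)

if __name__ == "__main__":
    stats, writes = replay(AUTH_EVENTS)
    print(f"{len(AUTH_EVENTS)} authentications, {writes} statistics updates")
    for user in inactive_users(stats, date(2017, 8, 29), 60):
        print(f"{user}: last authenticated {stats[user]}, candidate for revocation")
```

Repeated authentications by the same user on the same day add no further updates, which is why the number of updates tracks distinct users per day rather than connection volume.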

4 comments on "Better protection for your IMS data using RACF statistics"

  1. JonathanEosze August 29, 2017

    Neat! However, the performance team will want to know how much overhead should be expected when turning on the RACF record statistics?

    • SandySherrill October 03, 2017

      Hey Jonathan! We connected our IMS performance testing team with your question, and they in turn reached out to our Z platform folks in Poughkeepsie. It turns out that your question has initiated a lively dialogue. The SMEs want to dig a bit more deeply into the nature of this enhancement, and then they’ll come back to you with a response. How does that sound?

  2. The statistics are updated, at most, once per user per day. That’s one additional daily write to the RACF database for each user authenticating. Although we do not have specific performance numbers associated with this enhancement, we believe the overhead to be minimal. Every client shop being unique, the best approach is to test it, and measure it, in your environment, on your workload. There is more information about RACF statistics in the Knowledge Center here:
    https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.icha200/inits.htm
    Please keep us posted with your results if you plan on testing. Thanks.
