Python interface into the RACF management application programming interface.
pyRACF is currently in Beta, meaning that a subset of functionality is available and considered more or less Stable and ready for production, but there is still functionality that is Experimental or still needs to be implemented. Please see the annotation below on Experimental features.
Functionality that is considered Experimental will be accompanied by this annotation. This means that the functionality is not tested and/or is subject to major changes, including being removed entirely.
The following dependencies are required in order to use pyRACF:
- z/OS 2.4 and higher.
- R_SecMgtOper (IRRSMO00): Security Management Operations.
- The appropriate RACF authorizations. For many common commands, READ access to the IRR.IRRSMO00.PRECHECK resource in the XFACILIT class is required. Details for all authorizations for IRRSMO00 can be found here.
Install
Ensure that IRRSMO00 Precheck is set up before you start using pyRACF.
You may also optionally Download & Install pyRACF From GitHub.
pip install pyracf
Use
>>> from pyracf import UserAdmin
>>> user_admin = UserAdmin()
>>> user_admin.get_omvs_uid("squidwrd")
2424
>>> user_admin.set_omvs_uid("squidwrd", 1919)
>>> user_admin.get_omvs_uid("squidwrd")
1919
Mission Statement
As automation becomes more and more prevalent, the need to manage the security environment programmatically increases. On z/OS that means managing a security product like the IBM Resource Access Control Facility (RACF). RACF is the primary facility for managing identity, authority, and access control for z/OS. There are more than 50 callable services with assembler interfaces that are part of the RACF API. The complete set of interfaces can be found here.
While there are a number of languages that can be used to manage RACF (from low level languages like Assembler to higher level languages like REXX), the need to have it in a language that is used to manage other platforms is paramount. The pyRACF project is focused on making the RACF management tasks available to Python programmers. This will make it easier to manage RACF from management tools like Ansible and Tekton.
- pyRACF encodes the data it passes to RACF in Code Page IBM-1047.
  - If you are entering information with special or national characters, users viewing or altering this information from terminals using different or international code pages may see unexpected data.
  - Please consult a list of invariant characters to use for such information if this applies to you.
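The check below is an added example, not part of pyRACF: it flags characters in a value that would not survive a change of EBCDIC code page, so they can be caught before the value is written to a RACF profile. The function names are hypothetical, and Python's bundled EBCDIC codecs cp037, cp500 and cp273 stand in for the differing terminal code pages (an assumption of this example, not the IBM-1047 table pyRACF uses).

```python
# Added example: flag characters whose EBCDIC byte differs between code pages.
# The code pages below are stand-ins (assumption); extend the tuple to cover
# the code pages actually used by the terminals in your environment.
EBCDIC_PAGES = ("cp037", "cp500", "cp273")


def ebcdic_bytes(char, pages=EBCDIC_PAGES):
    """Map each code page to the byte it uses for char (None if unencodable)."""
    encoded = {}
    for page in pages:
        try:
            encoded[page] = char.encode(page)
        except UnicodeEncodeError:
            encoded[page] = None
    return encoded


def variant_characters(text, pages=EBCDIC_PAGES):
    """Return the characters of text, in first-seen order, that are not portable.

    A character is reported when any page cannot encode it or when two pages
    disagree on its byte value. Passing only proves consistency across `pages`.
    """
    variant = []
    for char in text:
        if char in variant:
            continue
        values = set(ebcdic_bytes(char, pages).values())
        if None in values or len(values) > 1:
            variant.append(char)
    return variant


def is_portable(text, pages=EBCDIC_PAGES):
    """True when every character encodes to the same byte on all pages."""
    return not variant_characters(text, pages)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real RACF database.
    for value in ("squidwrd", "Squidward [ops]!", "price 5€"):
        print(repr(value), "->", variant_characters(value) or "portable")
```

Run it over free-text fields such as names or installation data before passing them to pyRACF; plain letters and digits pass, while brackets, `!` and currency symbols are reported.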
Architecture
graph LR
    subgraph Python
        access[Access Admin] --> parent
        dataset[DataSet Admin] --> parent
        resource[Resource Admin] --> parent
        group[Group Admin] --> parent
        groupconnect[Group Connection Admin] --> parent
        setropts[Setropts Admin] --> parent
        user[User Admin] --> parent
    end
    subgraph C
        parent[Security Admin] --> IRRSMO00
    end
    subgraph System
        IRRSMO00 --> RACF
    end