icon_CloudMgmt icon_DollarSign icon_Globe icon_ITAuto icon_ITOps icon_ITSMgmt icon_Mainframe icon_MyIT icon_Ribbon icon_Star icon_User icon_Users icon_VideoPlay icon_Workload icon_caution icon_close s-chevronLeft s-chevronRight s-chevronThinRight s-chevronThinRight s-chevronThinLeft s-chevronThinLeft s-trophy s-chevronDown

Mainframe Security Assessment: ESM - (IBM® RACF®, ACF2, Top Secret)


This Service identifies current risks and issues associated with IBM® z/OS® and the specific External Security Manager* (ESM), IBM® RACF®*, ACF2*, or Top Secret *. It includes a review of the overall security controls, site-specific operating system, and system configurations.

What you get:

BMC will perform the following for one LPAR* and one ESM:

  • Conduct interviews with key Customer staff including:
    • Security engineering
    • Security administration
    • Systems programming team
    • Customer technical management
  • Examine ESM security settings
    • ESM specific controls
    • Users (Userid, ACID, or Logonid)
    • IBM® RACF® groups or TSS profiles
    • Dataset protection
    • Resource protection
    • Security system settings (GSO, SETROPTS, and TSS Parms)
    • ESM tables and exits
  • Examine z/OS security related settings
    • Technical operational controls
    • Sensitive and critical z/OS resources
    • System dataset protection
    • ESM specific USS controls
    • ESM specific network controls
  • Examine z/OS security related processes
    • Data classification
    • Ownership
    • Role Based Access Control (RBAC)
    • Privileged access
    • Recertification
    • Joiner, Mover, Leaver (JML) process
    • Break-glass and emergency access processes
    • Alerting and monitoring
    • Security policy
  • Analyze data to identify vulnerabilities
  • Create draft Security Assessment Report detailing issues and risks identified during the security assessment
  • Finalize Security Assessment Report
  • Provide encrypted deliverables to Customer

Customer will be responsible for:

  • Providing access to key Customer staff for interviews
  • Providing remote access to the customer mainframe via Virtual Private Network (VPN) or Virtual Desktop Interface (VDI)
  • Reviewing the draft deliverables
  • Providing feedback within a timely manner 

Deliverables: Using BMC’s standard methodology and templates, the following Deliverables are in scope for this project and will be delivered:

  • Security Assessment Report

Completion Criteria: BMC will have completed these Consulting Services when the in-scope Consulting Services have been completed and the Deliverables have been delivered to the Customer Project Manager.


Prior to the redemption of this Service, Customer must provide advanced notification of internal security processes that require BMC to enter into any special terms and conditions before gaining access to Customer’s infrastructure.

  • Customer has obtained the appropriate rights and permissions of any third parties for Customer to provide information relating to such third parties’ hardware, software and solutions and allow BMC to carry out the Services on their hardware, software and solutions that are in scope.
  • Customer will provide hands-on-keyboard access to the mainframe for BMC consultants.
  • Customer will provide BMC with the privileged accounts defined to the ESM, with the appropriate attributes as per the below:
    • If IBM® RACF®
      • ROAUDIT
      • Access to a recent IRRDBU00 unload file
    • If ACF2
      • Ability to list all Logonids
      • Ability to list all resource and access rules.
    • If Top Secret
      • Ability to list all TSS User ACIDS and profiles
      • Ability to issues the WHOHAS and WHOOWNS TSS commands
      • Ability to create a TSS CFILE
  • Customer will provide BMC with “READ” access to all the system level datasets such as:
    • Usermods
    • SMP/e CSI Datasets
    • Any other systems that BMC may reasonably require
  • Customer will provide BMC with access to issue IBM® z/OS®, and JES2/3 display commands
  • Customer to provide access to TSOAUTH class CONSOLE resource

Additional information:

  • Estimated Duration: 6-8 weeks
  • In-scope Product: BMC AMI Security
  • Service Type: Advisory & Planning
  • Availability: Active
  • Success Service Code:
    • Mainframe Security Assessment: ESM – IBM® RACF – BMSS_SECA_002
    • Mainframe Security Assessment: ESM – ACF2 – BMSS_SECB_002
    • Mainframe Security Assessment: ESM – Top Secret – BMSS_SECC_002
  • Date Last Updated: 12/28/2023

z/OS, RACF, and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Getting started is easy

Service Highlights..