Sicherung von z/OS FTP mit RACF


Das Problem

z/​OS FTP pro­vides access to all files, datasets and batch out­put res­i­dent on a z/​OS sys­tem. How­ever, it runs with a very sim­plis­tic secu­rity model that is not ade­quate for pro­tect­ing remote access to crit­i­cal cor­po­rate data. Access to datasets, files and batch out­put via the z/​OS FTP is con­trolled by the access author­ity of the TSO ID used to log onto FTP. This secu­rity model is a holdover from the days when main­frame access was pri­mar­ily through TSO, using con­nec­tions secured on the cor­po­rate net­work.FTP con­nec­tions can come from any­where though (mobile devices, lap­tops, etc.). Any file or batch out­put that the TSO ID has read-​access to can be down­loaded to the FTP client, regard­less of where it might be located (behind or out­side the fire­wall). This cre­ates an expo­sure to breach of sen­si­tive com­pany data.

Was macht FTP/Guardian?

FTP/​Guardian enables a com­pany to con­trol exactly who can access z/​OS FTP, from where and what they are autho­rized do with it, by writ­ing SAF secu­rity rules (RACF, Top Secret or ACF2). FTP/​Guardian is in the mid­dle of every request made from an FTP client to z/​OS FTP (con­nect, change direc­tory, upload, down­load, delete, rename, etc.). FTP/​Guardian checks with SAF to see whether the FTPclient is autho­rized to issue the request, tak­ing into account the type of request and where the FTPclient is run­ning (IP address). SAF secu­rity rules can be writ­ten to allow some activ­ity and block other.

  • Access to sensitive data can be allowed to FTP clients running behind the company firewall and blocked to FTP clients running outside the firewall.
  • Downloads of sensitive data can be blocked for some TSO IDs and allowed for others, even though they all have read-​access authority for the datasets/​files.
  • Downloads of job output (which can contain sensitive data) can be enabled from some users and disabled for others.
  • Access to zFS folders can be controlled on a case-​by-​case basis and can take in account where the FTP client is running.
FTP Guardian enables imple­men­ta­tion of a much more gran­u­lar secu­rity model for access to cor­po­rate data via FTP clients.

Möchten Sie mehr erfahren? Kontaktieren Sie uns!

Wenn Sie mehr erfahren möchten, eine Trial Version bekommen möchten oder eine Produktpräsentation, dann kontaktieren Sie uns einfach. Wir werden Ihnen so schnell wie möglich antworten.

The latest Products

Intelligent Routing Platform



Follow Us






Erweiterte FTP, FTPS und SFTP Sicherheit

FTP Guardian works with IBM z/​OS FTP which supports FTP and FTPS connections. 
It also supports the SFTP server Co:Z SFTP from Dovetailed Technologies. Co:Z SFTP is free, runs on z/​OS and provides a full-​featured SFTP implementation. The same security rules that you write for controlling access to and usage of z/​OS FTP will work with Co:Z SFTP without any modifications.


Blue Sea Technology GmbH & Co. KG Beckumer Str. 152
59229 Ahlen

+49 (0) 2382 966 225