Breakglass software enables fast and easy emergency access control for authorised users in a secure and flexible manner, supporting multiple user groups with different access and privilege levels. User groups, permitted requesters and authorised managers are fully controlled by RACF profiles, and all requests and approvals are fully audited via SMF records and console messages.
Breakglass temporarily enables one or more users to perform essential or emergency administration tasks, either by temporarily elevating their own privileges or by providing an alternative user ID with special privileges. Both approaches are secure and fully auditable.
Who can request Breakglass access?
Only users with READ access to a Breakglass resource in RACF can access Breakglass services. For each project type the user is allowed to request, the user must also have READ access to the Breakglass project resource in RACF.
Who can authorise Breakglass access requests?
Only users with ALTER access to the Breakglass project resource can authorise Breakglass access requests.
Where are the Breakglass access controls saved?
All Breakglass security controls are defined and saved in the RACF database.
Can different Breakglass userids be created for different project groups or activities?
Yes. For each activity or project, a set of userids can be defined with differing access rights. This ensures that when Breakglass access is assigned, the user is only given the necessary privileges required for the activity.
Can different groups of people access different Breakglass userids?
Yes. This is controlled entirely by RACF permits.
For how long is a Breakglass userid assigned to a user?
A Breakglass userid is assigned to a user until that user tells the Breakglass service the access is no longer required. The assignment will automatically be revoked after a configurable period of time if it has not been released by the user.
What is the state of a Breakglass userid when not in use?
When not in use, the Breakglass userid has its password set to an unknown, automatically generated value and the userid is revoked.
Who controls the Breakglass userid passwords?
Only the user to whom the Breakglass userid has been temporarily assigned controls the Breakglass password. The password is automatically reset to an unknown value after a configurable period of time.
Are all Breakglass requests and assignments encrypted?
Yes. All Breakglass activity is performed over encrypted SSL connections (https://).
What software do I need on my workstation to use Breakglass?
Breakglass only requires a standard web browser. It can therefore be used not only from normal workstations and laptops, but also from tablet devices and even smartphones.
How is Breakglass access audited?
Breakglass requests and assignments are fully audited. Audit log records contain all details of the Breakglass requests, including the change control id and change description text. The audit log can be viewed online by authorized personnel or downloaded to a CSV file. Breakglass activity can optionally be written to the MVS console or to SMF.
Where is the audit log stored?
The audit log is stored in a VSAM KSDS.
Does Breakglass write SMF records?
Yes. All details of Breakglass requests, assignments and releases can optionally be written to SMF.
Does Breakglass work with TSS or ACF2?
Not today. Breakglass currently supports RACF only.
Does this not conflict with my company's investment in an enterprise solution for this functionality such as CyberArk?
The only reason RSM decided to develop Breakglass is to address the significant problems we regularly encounter with the implementation of the mainframe interface for any given enterprise solution. From a mainframe perspective we find these solutions are not fully secure, not auditable and not truly self-service. Breakglass is developed to provide an easily implementable solution for the mainframe that is secure, fully auditable and truly self-service.
Are requests for authorisation, and their acceptance, notified in any way?
Notifications of requests/approvals are automatically shown on the GUI panels, but can also be sent by email.
Can a request be refused?
Requests for Breakglass access can be rejected by the authoriser, and notification of the refusal is sent to the requester.