Breakglass provides temporary emergency access control in a fully secured and audited manner. Different user groups can request temporary additional security permissions in order to complete a specific task.
Breakglass software enables fast and easy emergency access control for authorized users in a secure and flexible manner, supporting multiple user groups with different access and privilege levels. User groups, permitted requesters and authorized managers are fully controlled by RACF profiles, and all requests and approvals are fully audited via SMF records and console messages.
RSM Partners Solution
Breakglass temporarily enables one or more users to perform essential or emergency administration tasks: temporarily elevating their own privileges or providing an alternative user ID with special privileges. Both approaches are secure and fully auditable.
User interface via standard web browser over encrypted HTTPS connection
Authorized users requiring Breakglass access to applications either request access to a Breakglass user ID or request elevated privileges for their own user ID
Allows multiple users concurrent access to Breakglass
Depending on time of day, requests are granted automatically or require manager approval
If using Breakglass IDs with elevated privileges, passwords are not known and IDs can optionally be kept in a revoked state
All requests for access include a change/incident number plus optional descriptive text - all viewable by the approving manager and saved in audit logs
No non-mainframe software installation required
Only users with READ access to a Breakglass resource in RACF can access Breakglass services. For each project type the user is allowed to request, the user must also have READ access to the Breakglass project resource in RACF.
Only users with ALTER access to the Breakglass project resource can authorize Breakglass access requests.
All Breakglass security controls are defined and saved in the RACF database.
Yes. For each activity or project, a set of userids can be defined with differing access rights. This ensures that when Breakglass access is assigned, the user is only given the necessary privileges required for the activity.
Yes. This is controlled entirely by RACF permits.
A Breakglass userid is assigned to a user until that user tells the Breakglass service the access is no longer required. The assignment will automatically be revoked after a configurable period of time if it has not been released by the user.
When not in use, the Breakglass userid has its password set to an unknown, automatically generated value and the userid revoked.
Only the user to whom the Breakglass userid has been temporarily assigned controls the Breakglass password. The password is automatically reset to an unknown value after a configurable period of time.
Yes. All Breakglass activity is performed over encrypted SSL connections (https://).
Breakglass only requires a standard web browser. It can therefore be used not only from normal workstations and laptops, but also from tablet devices and even smartphones.
Breakglass requests and assignments are fully audited. Audit log records contain all details of the Breakglass requests, including the change control id and change description text. The audit log can be viewed online by authorized personnel or downloaded to a CSV file. Breakglass activity can optionally be written to the MVS console or to SMF.
The audit log is stored in a VSAM KSDS.
Yes. All details of Breakglass requests, assignments and releases can optionally be written to SMF.
Not today. Breakglass currently supports RACF only.
The only reason RSM decided to develop Breakglass is to address the significant problems we regularly encounter with the implementation of the mainframe interface for any given enterprise solution. From a mainframe perspective we find these solutions are not fully secure, not auditable and not truly self-service. Breakglass is developed to provide an easily implementable solution for the mainframe that is secure, fully auditable and truly self-service.
Notifications of requests/approvals are automatically shown on the GUI panels, but can also be sent by email.
Requests for Breakglass access can be rejected by the authoriser and notification of the refusal sent to the requester.