As promised, here is the discussion about RACF MODEL users that has been going on at UK GSE Security meetings this year. The more observant of you will have noticed that the title of this post is somewhat more dramatic, however. This is because the discussion moved on from one about MODEL or TEMPLATE users to the discussion of a new entity, the RACF ROLE object.
First, let me recap. In February, IBMer and z Security expert Lennie Dymoke-Bradshaw proposed a new keyword on the RACF User profile, which he called MODEL. This keyword or attribute would mark the profile as a MODEL user, used only as a model from which to copy other users. Marking a user as MODEL would make it ineligible for logon, which is an improvement on current techniques (which include using REVOKE, RESTRICTED and PROTECTED for purposes for which they were not intended).
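For readers who have not built a template user this way, here is an added example (not from the original post, and not IBM's or Lennie's code) of the current technique: a batch job that defines a user with the three attributes mentioned above and then lists it back so the attributes can be verified. The job card, the user ID TEMPLUSR and the group SYSADM are placeholders; substitute your own.

```jcl
//TEMPLUSR JOB (ACCT),'DEFINE TEMPLATE USER',CLASS=A,MSGCLASS=X
//* Added example, not the original post's code. The job card,
//* the user ID TEMPLUSR and the group SYSADM are placeholders.
//* NOPASSWORD NOPHRASE  -> the user is PROTECTED (no credential to guess)
//* RESTRICTED           -> no access via UACC, ID(*) or global access checking
//* REVOKE               -> the user cannot log on at all
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER TEMPLUSR NAME('TEMPLATE - DO NOT LOGON') OWNER(SYSADM) +
    DFLTGRP(SYSADM) NOPASSWORD NOPHRASE RESTRICTED
  ALTUSER TEMPLUSR REVOKE
  LISTUSER TEMPLUSR
/*
```

The LISTUSER output is the check: confirm the profile shows as revoked and restricted, with no password or phrase, before anyone starts copying it. Note that every one of these attributes is reversible with a single ALTUSER, and none of them records that the ID exists only to be copied, which is the gap a dedicated MODEL attribute would close.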
We discussed this back then and came to no consensus. However, I liked the idea and posted it up on LinkedIn here, where there was much useful discussion of using model or template users, and of managing RBAC in RACF. When GSE reconvened in June there was not only greater support, but the discussion moved on rapidly. What if we took it one step further? What if we created a whole new RACF class, like USER, to define a role, but allowed USERs to be connected to it, thus inheriting their RACF permissions, group connections, attributes and class authorities? Like connecting to a group, but more powerful? Then we would no longer have to change hundreds of users when a role changes (e.g. a new team adopts User Admin responsibilities and needs CLAUTH(USER)); instead we would change one ROLE definition, from which hundreds of IDs inherit their rights.
I think I'll leave Lennie to discuss this now, in the attached slide deck. Lennie and I will continue to drive this in the UK, but we would be interested in your feedback. Comments welcome below. Thanks.