Delegation of RACF administrative responsibility

As CICS® security administrator, you perform the following tasks (if you do not have the system-SPECIAL attribute, obtain the necessary authority):
  • Define and maintain profiles in CICS-related general resource classes. In general, you grant authority to do this by assigning a user the CLAUTH (class authority) attribute in the specified classes. For example, the RACF® security administrator could issue the following command:
    ALTUSER your_userid CLAUTH(TCICSTRN)

    This command also gives your_userid class authority in every class that has the same POSIT number as TCICSTRN. The POSIT number is an operand of the ICHERCDE macro of the class descriptor table (CDT). For more information, see Activating the CICS classes.

  • Define and maintain profiles in other resource classes. Many of the general resource classes mentioned in this book (such as APPL, APPCLU, FACILITY, OPERCMDS, SURROGAT, TERMINAL, and VTAMAPPL) affect the operation of products other than CICS. If you are not the RACF security administrator, you may need to ask that person to define profiles at your request.
  • Add RACF user profiles to the system. In general, you grant this authority by assigning the CLAUTH (class authority) attribute for “USER” in the user's profile. For example, the RACF security administrator could issue the following command:
    ALTUSER your_userid CLAUTH(USER)

    Whenever you add a user to the system, assign that user a default connect group. This changes the membership of the group (by adding the user as a member of the group). Therefore, if you have JOIN group authority in a group, the group-SPECIAL attribute in a group, or are OWNER of a group, CLAUTH(USER) lets you add users to the system and connect them to groups that are within the scope of the group.

  • List RACF system-wide settings and work with all profiles related to CICS. You grant authority to do this by setting up a RACF group, ensuring that certain CICS-related RACF profiles are in the scope of that group, and connecting a user to the group with the group-SPECIAL attribute. For example, the RACF security administrator could issue the following command:
    CONNECT your_userid GROUP(applicable-RACF_groupid) SPECIAL
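
An added example (not part of the original documentation) for the POSIT behaviour noted under the first task: it expands each user's explicitly granted CLAUTH classes to every class that shares a POSIT number, so a review shows what a single ALTUSER actually delegated. The POSIT numbers, userids and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed class-descriptor-table extract: class name -> POSIT number.
# The numbers are illustrative only; read the real ones from the POSIT
# operand of each ICHERCDE entry in your own CDT.
SAMPLE_CDT = {
    "TCICSTRN": 901, "GCICSTRN": 901, "PCICSPSB": 901, "QCICSPSB": 901,
    "FACILITY": 902, "SURROGAT": 903, "OPERCMDS": 904,
}

# Constructed userids and the classes named on their ALTUSER ... CLAUTH(...).
SAMPLE_GRANTS = {
    "CICSADM1": ["TCICSTRN"],
    "HELPDSK1": ["USER"],       # not in the extract: kept as-is, unexpanded
    "OPSADM1": ["OPERCMDS"],    # sole class at its POSIT: nothing implicit
}


def effective_clauth(granted, cdt):
    """Expand granted classes to all classes with the same POSIT number."""
    by_posit = defaultdict(set)
    for cls, posit in cdt.items():
        by_posit[posit].add(cls)
    effective = set()
    for cls in granted:
        # A class missing from the extract cannot be expanded; keep it
        # so the report still shows the explicit grant.
        effective |= by_posit[cdt[cls]] if cls in cdt else {cls}
    return effective


def implicit_grants(grants, cdt):
    """Map userid -> classes the user holds CLAUTH in without being named."""
    report = {}
    for user, granted in grants.items():
        implicit = effective_clauth(granted, cdt) - set(granted)
        if implicit:
            report[user] = sorted(implicit)
    return report


if __name__ == "__main__":
    for user, classes in implicit_grants(SAMPLE_GRANTS, SAMPLE_CDT).items():
        print(f"{user}: CLAUTH also applies to {', '.join(classes)}")
```
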
With the SETROPTS GENERICOWNER command in effect and with prefixing active, you can assign an administrator to each prefix. You do this by creating a generic profile in each class, using the prefix as the high-level qualifier and naming that administrator as the owner. For example:
    RDEFINE TCICSTRN cics_region_id.** UACC(NONE) OWNER(cics_region_administrator_userid)

The SETROPTS GENERIC command must be used before defining generic profiles, as described in Summary of RACF commands.

For more information on delegating RACF administration, see the z/OS Security Server RACF Security Administrator's Guide.