RACF group profiles
In addition to defining individual user profiles in RACF®, you can define group profiles. A group profile defines a group of users. When you connect a user to a group, the user gains access to all the resources to which the group has access. Users can be connected to one or more groups. Note that, unless list-of-groups checking is active (SETROPTS GRPLIST), RACF checks only the user's current connect group, which is the user's default group unless another group is specified at sign-on; with GRPLIST active, every group the user is connected to is checked.
A group profile can contain information about the group, for example, who owns it, which subgroups it has, and a list of connected users. For details of how to define and use group profiles, see the z/OS Security Server RACF Security Administrator's Guide. A group profile is different from a resource group profile, which defines a group of resources and is explained in RACF general resource profiles.
Groups are typically formed from:
- Users who work in the same department
- Users who work with the same sets of transactions, files, terminals, or other resources that you choose to protect with RACF
- Users who sign on to the same regions (if you have more than one CICS region)
Grouping users in this way gives you:
- Easier control of access to resources
- The ability to assign authorities using the group-SPECIAL attribute or CONNECT group authority
- Fewer refreshes of in-storage profiles
Aim to make your point of control the presence (or absence) of a user ID in a group, not the access list of the resource profile. When someone leaves a department, removing the user ID from the department group revokes every privilege that the user obtained through that group; no other administration of profiles is required. Thus, you keep RACF administration to a minimum and avoid an excessive number of entries in resource profile access lists.
RACF maintains in-storage copies of resource profiles, so changes to those profiles do not take effect on the system until the in-storage profiles are refreshed.
The authority to access a resource is kept in an access list that is part of the resource profile. Authority can be granted to a user ID or to a group. If you add a user or group to the access list, or remove one from it, you must refresh the in-storage copy of the profile before the change takes effect. For more information, see Refreshing resource profiles in main storage.
If you connect a user to, or remove a user from, a group that is already in the access list, that user acquires or loses the authority of the group without any refresh of the profile. Any user with CONNECT group authority in that group can change its membership with the CONNECT and REMOVE commands, so the access lists of the affected profiles do not have to be changed (with the PERMIT command). If you do not change a CICS general resource profile, you do not have to refresh its in-storage copy. However, users might have to sign on again if their group membership has been changed, because the groups a user belongs to are evaluated when the user signs on.
For other benefits obtained from creating groups, see the z/OS Security Server RACF Security Administrator's Guide.
For example, to move user1 from group_name1 to a new group, group_name2, the only commands required are:
ADDGROUP group_name2
REMOVE user1 GROUP(group_name1)
CONNECT user1 GROUP(group_name2)
CICS is notified of certain changes in the RACF profile of a signed-on remote user, or of a signed-on user who is not directly using a physical terminal or console, through a type 71 RACF Event Notification (ENF).
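The following batch TSO job is an added example, not from the CICS documentation, that puts the two preceding points together: the one-time PERMIT of a group to a CICS transaction profile (which does change the access list and therefore needs an in-storage refresh), followed by the day-to-day move of a user between department groups (which changes no access list and needs no refresh). The group names DEPTA and DEPTB, the user ID USER1, the owner SECADM, the transaction profile PAYR in class TCICSTRN, and the assumption that TCICSTRN is RACLISTed are all constructed for the example.

```jcl
//RACFGRP  JOB (ACCT),'MOVE USER1',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Example only: names below (DEPTA, DEPTB, USER1, SECADM, PAYR) are
//* assumed, not taken from the CICS documentation.
//*
//* Step 1 (one-time): define the new department group and grant it
//*   READ access to the CICS transaction profile PAYR. Because this
//*   changes the access list, CICS sees it only after the RACLIST
//*   refresh (TCICSTRN is assumed to be RACLISTed, as CICS requires).
//* Step 2 (day-to-day): move USER1 from DEPTA to DEPTB. The access
//*   list is untouched, so no PERMIT and no refresh is needed; USER1
//*   picks up the DEPTB authority at the next sign-on.
//*   CONNECT comes before REMOVE, and the default group is switched
//*   with ALTUSER first, because REMOVE fails for a user's default group.
//* Step 3: verify membership and the profile's access list.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP DEPTB OWNER(SECADM) SUPGROUP(SYS1)
 PERMIT PAYR CLASS(TCICSTRN) ID(DEPTB) ACCESS(READ)
 SETROPTS RACLIST(TCICSTRN) REFRESH
 CONNECT USER1 GROUP(DEPTB) AUTHORITY(USE)
 ALTUSER USER1 DFLTGRP(DEPTB)
 REMOVE USER1 GROUP(DEPTA)
 LISTUSER USER1
 LISTGRP DEPTB
 RLIST TCICSTRN PAYR AUTHUSER
/*
```

Two practical checks before relying on this pattern: confirm with SETROPTS LIST whether GRPLIST is active, because without list-of-groups checking only USER1's current connect group is used when CICS checks TCICSTRN (which is why the example also changes the default group); and confirm from the RLIST output that only groups, not individual user IDs, appear in the access list, so that leaving a department really is handled by REMOVE alone.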