IBM Security zSecure, Version 2.3.0

Implementation of an existing user policy

Use the guidelines in this scenario to implement policy profiles in the specification of existing user IDs.

Continuing with the scenario used in the New User policy example in Implementation of a new user policy, you can also set up a policy to handle existing users. For this example, extend the previously defined New User policy with some additional rules:

This example does not describe the profiles that are needed to connect users to a group or to remove them, or how to change the user authorizations and attributes. The next section shows the profiles that are required to control the CONNECT and REMOVE commands. It is assumed in this case that the user IDs are somehow connected to the RACF GROUP HOLDING.

For the organization described above, the following profiles can be implemented.
c4r.user.dfltgrp./scope.** uacc(none) sysadmin(control)
This profile ensures that only system administrators are allowed to change the default group to any value. The decentralized administrators can specify only groups that are within their scope of control. Because this /SCOPE profile is defined, normal users can no longer permanently change their own default groups. They can still select their current connect GROUP during logon.
c4r.user.owner./scope.** uacc(none) sysadmin(control)
This profile ensures that only system administrators have unrestricted authorization to change the OWNER of existing users. Decentralized administrators can change the OWNER only within their scope. They cannot give away any of their user IDs. Normal users cannot change the OWNER of any user IDs that they own because they do not have group-SPECIAL: everything is outside their scope.
c4r.user.dfltgrp.HOLDING.* uacc(update)
This profile identifies the RACF GROUP HOLDING as an exceptional group. All users in the system can select the RACF GROUP HOLDING as their default group if they are already connected to the GROUP.
c4r.user.owner.HOLDING.* uacc(control)
This profile identifies the RACF GROUP HOLDING as an exceptional group. It allows all decentralized administrators to transfer existing users from their current OWNER to the HOLDING group.
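The four profiles above, defined with RACF commands driven from a REXX exec, as an added example that is not part of the zSecure documentation. It assumes that the Command Verifier policy class is XFACILIT (its default), that the class is RACLISTed and has generic profile checking enabled (SETROPTS GENERIC(XFACILIT)), and that the system administrators from the text are the RACF group SYSADMIN; change those names to match your installation.

```rexx
/* REXX - define the existing-user policy profiles described above.    */
/* Added example, not from the zSecure documentation.                  */
/* Assumptions: policy class XFACILIT (Command Verifier default),      */
/* XFACILIT RACLISTed with SETROPTS GENERIC(XFACILIT) in effect, and   */
/* the system administrators held in the RACF group SYSADMIN.          */
address TSO

cmd.0 = 9
/* Scope profiles: UACC(NONE), so only SYSADMIN (CONTROL) may set any  */
/* value; decentralized administrators stay limited to their scope.    */
cmd.1 = "RDEFINE XFACILIT C4R.USER.DFLTGRP./SCOPE.** UACC(NONE)"
cmd.2 = "PERMIT C4R.USER.DFLTGRP./SCOPE.** CLASS(XFACILIT)",
        "ID(SYSADMIN) ACCESS(CONTROL)"
cmd.3 = "RDEFINE XFACILIT C4R.USER.OWNER./SCOPE.** UACC(NONE)"
cmd.4 = "PERMIT C4R.USER.OWNER./SCOPE.** CLASS(XFACILIT)",
        "ID(SYSADMIN) ACCESS(CONTROL)"
/* Exception profiles: HOLDING can be selected as DFLTGRP by any user  */
/* already connected to it (UPDATE) and used as the new OWNER by       */
/* decentralized administrators (CONTROL).                             */
cmd.5 = "RDEFINE XFACILIT C4R.USER.DFLTGRP.HOLDING.* UACC(UPDATE)"
cmd.6 = "RDEFINE XFACILIT C4R.USER.OWNER.HOLDING.* UACC(CONTROL)"
/* Make the profiles effective and display what was defined.          */
cmd.7 = "SETROPTS RACLIST(XFACILIT) REFRESH"
cmd.8 = "SEARCH CLASS(XFACILIT) FILTER(C4R.USER.**)"
cmd.9 = "RLIST XFACILIT C4R.USER.DFLTGRP./SCOPE.** AUTHUSER"

do i = 1 to cmd.0
  say '==> ' cmd.i
  cmd.i                       /* hand the command string to TSO        */
  if rc <> 0 then do          /* stop on the first RACF failure        */
    say 'Command failed with RC='rc', stopping.'
    exit rc
  end
end
exit 0
```

The final SEARCH and RLIST are there to check the result: SEARCH confirms that exactly the intended C4R.USER profiles exist, and RLIST with AUTHUSER shows the UACC and the access list, so you can verify that the /SCOPE profiles carry UACC(NONE) with only SYSADMIN at CONTROL before relying on them to restrict DFLTGRP and OWNER changes.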
