Policy profiles selection for the default group
Use these guidelines to implement policy profiles for the default group.
- The place of the ID in the RACF hierarchy (the OWNER).
- The default group of the ID (DFLTGRP).
The default group as such is not exceptional in any way. It is only important when you define a user because it controls the authorization to create the user. In RACF®, one of the following must be true: the terminal user has JOIN authority in that group, the group is within the scope of a group-SPECIAL attribute, or the terminal user owns the group. zSecure™ Command Verifier implements some additional controls on the default group. To define new User profiles, the terminal user also needs system special or CLAUTH in the User class. The next paragraphs describe how the zSecure Command Verifier profiles from the preceding tables are used.
The first set of profiles controls the default group DFLTGRP of the new userid for the ADDUSER command. zSecure Command Verifier does not use the Mandatory or Default Value profiles for the OWNER and DFLTGRP on the ALTUSER command. Because the ALTUSER command does not force these existing values to change, it is not necessary to enforce a specific value.
When you define a new user profile, zSecure Command Verifier also verifies the authorization to CONNECT the new user to the specified DFLTGRP. The specification of a GROUP as DFLTGRP during the creation of a new user results in an automatic CONNECT of the userid to the GROUP. The required authorization is verified independently. See CONNECT management for details.
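The RACF-side authorization described above for ADDUSER (authority over the default group, plus CLAUTH in the User class or system special) can be modeled for a delegated-administration review. This is an added example, not IBM code, and it does not model the zSecure Command Verifier policy profiles. All user and group names are constructed, and it assumes that group-SPECIAL scope follows the chain of group owners and stops at a group owned by a user ID.

```python
# Constructed sample data (not from the original page).
# GROUP_OWNER maps each group to its OWNER (a group name or a user ID).
GROUP_OWNER = {"SYS1": "IBMUSER", "DEPTA": "SYS1", "TEAMA": "DEPTA", "TEAMB": "ADM1"}
USERS = {
    "GSPEC": {"clauth_user": True,
              "connects": {"DEPTA": {"auth": "USE", "gspecial": True}}},
    "HELPD": {"clauth_user": False,
              "connects": {"TEAMA": {"auth": "JOIN"}}},
    "ADM1":  {"clauth_user": True, "connects": {}},
}

def in_group_special_scope(user, group):
    """True if the user holds group-SPECIAL in `group` or in a group that
    owns it, following owners upward (assumption: scope ends at a user owner)."""
    seen = set()
    while group in GROUP_OWNER and group not in seen:
        seen.add(group)
        if user["connects"].get(group, {}).get("gspecial"):
            return True
        group = GROUP_OWNER[group]  # a user ID is not a key, so the walk stops
    return False

def adduser_check(userid, dfltgrp):
    """Return (allowed, reason) for ADDUSER ... DFLTGRP(dfltgrp) by `userid`."""
    user = USERS[userid]
    if dfltgrp not in GROUP_OWNER:
        return False, "default group not defined"
    if user.get("system_special"):
        # Assumption: system special is not limited to any group scope.
        return True, "system-SPECIAL"
    if GROUP_OWNER[dfltgrp] == userid:
        basis = "owns group"
    elif user["connects"].get(dfltgrp, {}).get("auth") == "JOIN":
        basis = "JOIN authority"
    elif in_group_special_scope(user, dfltgrp):
        basis = "group-SPECIAL scope"
    else:
        return False, "no authority over default group"
    if not user.get("clauth_user"):
        return False, basis + " but no CLAUTH(USER)"
    return True, basis + " + CLAUTH(USER)"

if __name__ == "__main__":
    # Print the full delegation matrix for review.
    for uid in USERS:
        for grp in GROUP_OWNER:
            print(uid, grp, adduser_check(uid, grp))
```
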