Adding RACF groups
You can issue the ADDGROUP command to add a new RACF® group.
About this task
First, issue the following ADDUSER command to add the user DB2OWNER and give it class authorization (CLAUTH) for the DSNR and USER classes:
ADDUSER DB2OWNER CLAUTH(DSNR USER) UACC(NONE)
DB2OWNER can now add users to RACF and issue the RDEFINE command to define resources in class DSNR. It also has control over, and responsibility for, the entire Db2 security plan in RACF.
To add group DB2 to the existing SYS1 group and make DB2OWNER the owner of the new group, issue the following RACF command:
ADDGROUP DB2 SUPGROUP(SYS1) OWNER(DB2OWNER)
To connect DB2OWNER to group DB2 with the authority to create new subgroups, add users, and manipulate profiles, issue the following RACF command:
CONNECT DB2OWNER GROUP(DB2) AUTHORITY(JOIN) UACC(NONE)
To make DB2 the default group for commands issued by DB2OWNER, issue the following RACF command:
ALTUSER DB2OWNER DFLTGRP(DB2)
To create the group DB2USER and add five users to it, issue the following RACF commands:
ADDGROUP DB2USER SUPGROUP(DB2)
ADDUSER (USER1 USER2 USER3 USER4 USER5) DFLTGRP(DB2USER)
To define a user to RACF, use the RACF ADDUSER command. The ADDUSER command invalidates the current password; the user can then log on to TSO and change it.
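The whole sequence above can be run as one batch TSO job instead of typing the commands interactively, which makes the change reviewable and repeatable. The following JCL is an added example, not part of IBM's documentation: the job name RACFDB2, the step name, and the accounting field are assumed placeholders, and the three LIST commands at the end are added so that the resulting profiles (default group, CLAUTH, JOIN authority, superior group, owner and member list) can be checked in SYSTSPRT before any user relies on the new group as a secondary authorization ID.

```jcl
//RACFDB2  JOB (ACCT),'DEFINE DB2 GROUPS',CLASS=A,MSGCLASS=X
//* Added example (assumed job name and accounting field): runs the
//* RACF commands from this task in order under batch TSO (IKJEFT01),
//* then lists the user and group profiles so the result can be verified.
//* Caution: in-stream SYSTSIN data ends at the first "/*" in column 1,
//* so no comment lines are placed inside the command stream.
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER DB2OWNER CLAUTH(DSNR USER) UACC(NONE)
  ADDGROUP DB2 SUPGROUP(SYS1) OWNER(DB2OWNER)
  CONNECT DB2OWNER GROUP(DB2) AUTHORITY(JOIN) UACC(NONE)
  ALTUSER DB2OWNER DFLTGRP(DB2)
  ADDGROUP DB2USER SUPGROUP(DB2)
  ADDUSER (USER1 USER2 USER3 USER4 USER5) DFLTGRP(DB2USER)
  LISTUSER DB2OWNER
  LISTGRP DB2
  LISTGRP DB2USER
/*
```

In the SYSTSPRT output, LISTUSER DB2OWNER should show DFLTGRP=DB2, CLASS AUTHORIZATIONS listing DSNR and USER, and a GROUP=DB2 connection with AUTH=JOIN; LISTGRP DB2 should show SUPERIOR GROUP=SYS1 and OWNER=DB2OWNER, and LISTGRP DB2USER should show USER1 through USER5 as members. Because a CONNECT or DISCONNECT takes effect only at the user's next logon (see the considerations below), the listing confirms the profile change, not that a currently signed-on user already carries the new group as a secondary ID.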
Db2 considerations when using RACF groups:
- When a user is newly connected to, or disconnected from, a RACF group, the change is not effective until the next logon. Therefore, before using a new group name as a secondary authorization ID, a TSO user must log off and log on, or a CICS® or IMS user must sign on again.
- A user with the SPECIAL, JOIN, or GROUP-SPECIAL RACF attribute can define new groups with any name that RACF accepts and can connect any user to them. Because the group name can become a secondary authorization ID, you should control the use of those RACF attributes.
- Existing RACF group names can duplicate existing Db2 authorization IDs. That duplication is unlikely for the following reasons:
  - A group name cannot be the same as a user name.
  - Authorization IDs that are known to Db2 are usually known to RACF.
  However, you can create a table with an owner name that is the same as a RACF group name and use the IBM®-supplied sample connection exit routine. Then any TSO user with the group name as a secondary ID has ownership privileges on the table. You can prevent that situation by designing the connection exit routine to stop unwanted group names from being passed to Db2.