Refreshing user cache

This topic describes how to enable the parameter that allows UMS to use the R_admin interface to refresh the user cache when the security product is IBM® z/OS Resource Access Control Facility (RACF).

The components.izp.security.userCacheRefresh.useRAdmin parameter is set to false by default. This default works, but it can produce misleading reports in zSecure Access Monitor, because with R_admin disabled UMS performs access checks for every user on the system.

When the components.izp.security.userCacheRefresh.useRAdmin parameter is set to true, UMS uses the R_admin interface to refresh the user cache under RACF. To use this feature, the logged-in user must hold the access permissions described below.

Additionally, you can disable name retrieval to improve performance in environments with a large number of users. To do this, set the components.izp.security.userCacheRefresh.disableNames parameter to true.

Identifying and extracting the user profiles

  • UMS extracts the access list for profiles in the IZP class (IZP.SUPER*, IZP.ADMIN*, and IZP.USER*) to find all UMS users. This list contains users, groups, or both.
    • Users in the access list are added to the UMS users set.
    • Groups in the access list are extracted to view their members, and those members are then added to the UMS users set.
  • UMS extracts each user profile in the UMS users set to get their 'NAME' (if not disabled).
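To make the extraction steps concrete, here is an added Python model of the procedure (illustration only, not UMS code; the RACF data, the IDs such as GROUPA and USERA, and the refresh_user_cache function are constructed for this example). It also shows how a profile, group or user that cannot be listed leaves the resulting user set incomplete, and what disableNames changes.

```python
from dataclasses import dataclass, field

# The three IZP profiles whose access lists UMS reads to discover its users.
IZP_PROFILES = ("IZP.SUPER*", "IZP.ADMIN*", "IZP.USER*")

# Constructed stand-ins for RLIST / LISTGRP / LISTUSER output. A value of None
# models a profile or group that the refreshing user is not permitted to list.
ACCESS_LISTS = {
    "IZP.SUPER*": ["SYSADM", "GROUPA"],
    "IZP.ADMIN*": ["GROUPB", "USERB"],
    "IZP.USER*": None,                       # RLIST fails for this profile
}
GROUPS = {"GROUPA": ["USERA", "USERC"], "GROUPB": None}  # LISTGRP fails for GROUPB
USER_NAMES = {"SYSADM": "SYS ADMIN", "USERA": "ALICE", "USERB": "BOB", "USERC": "CAROL"}


@dataclass
class RefreshResult:
    users: dict = field(default_factory=dict)     # user ID -> NAME (None if disabled)
    unlisted: list = field(default_factory=list)  # profiles, groups or users not listable

    @property
    def complete(self) -> bool:   # False means the Users page would be incomplete
        return not self.unlisted


def refresh_user_cache(access_lists, groups, user_names, disable_names=False):
    """Derive the UMS user set: users on the access lists are taken as-is,
    groups are expanded to their members, and NAMEs are fetched unless disabled."""
    result, ids = RefreshResult(), set()
    for profile in IZP_PROFILES:
        acl = access_lists.get(profile)
        if acl is None:                           # profile could not be listed
            result.unlisted.append(profile)
            continue
        for entry in acl:
            if entry not in groups:               # simplification: known group names
                ids.add(entry)
            elif groups[entry] is None:           # group could not be listed
                result.unlisted.append(entry)
            else:
                ids.update(groups[entry])
    for uid in sorted(ids):
        name = None if disable_names else user_names.get(uid)
        if not disable_names and name is None:    # LISTUSER failed: NAME unknown
            result.unlisted.append(uid)
        result.users[uid] = name
    return result
```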

Defining access permissions

UMS performs mandatory authorization checks when using the R_admin interface.

To use the R_admin interface, the logged-in user must have 'READ' access to the following profiles in the FACILITY class:

  • IRR.RADMIN.RLIST
  • IRR.RADMIN.LISTUSER
  • IRR.RADMIN.LISTGRP

Additionally, to refresh users, the logged-in user must have 'READ' access to the following profile in the IZP class:

  • IZP.FUNCTION.USERS.GET

Additional requirements

Access to general resource profiles, groups, and user profiles is granted separately, so the following recommendations help ensure the refreshing user can list every profile it needs. To ensure full compatibility and functionality with Db2® CI/CD Expert, the user running the refresh must be able to:
  • Provide the profile access list for IZP.SUPER*, IZP.ADMIN*, and IZP.USER*.
    This is achieved by having any of the following:
    • The SPECIAL or AUDITOR attribute.
    • The ownership of IZP.SUPER*, IZP.ADMIN*, and IZP.USER*.
    For more information on RLIST, refer to RLIST (List general resource profile).
    Note: If IZP.SUPER*, IZP.ADMIN*, or IZP.USER* cannot be listed, the user IDs displayed on the Users page will be incomplete.
  • List any group(s) in the profile access list for IZP.SUPER*, IZP.ADMIN*, and IZP.USER*.
    For example, if the access list for IZP.SUPER* is:
    • GROUPA
    • GROUPB
    The user running the refresh must be able to issue LISTGRP GROUPA and LISTGRP GROUPB. This is achieved by having any of the following:
    • The SPECIAL or AUDITOR attribute.
    • The GROUP-SPECIAL or GROUP-AUDITOR attribute for GROUPA and GROUPB.
    • The JOIN or CONNECT authority for GROUPA and GROUPB.
    • The ownership of GROUPA and GROUPB.
    For more information on LISTGRP, refer to LISTGRP (List group profile).
    Note: If GROUPA and GROUPB cannot be listed, the user IDs displayed on the Users page will be incomplete.
  • List the names of users in the profile access list for IZP.SUPER*, IZP.ADMIN*, and IZP.USER*.
    For example, if the UMS user set contains:
    • USERA
    • USERB
    The user running the refresh must be able to issue LISTUSER USERA and LISTUSER USERB. This is achieved by having:
    • The SPECIAL or AUDITOR attribute.
    For more information on LISTUSER, refer to LISTUSER (List user profile).
    Note: If USERA and USERB cannot be listed, the usernames displayed on the Users page will be incomplete.

If you encounter the 'R_admin failed' message, refer to Failure when using R_admin.