You can use profiles in the NODES class to control how RACF® validates inbound work on
an NJE network. As with other RACF profiles,
a NODES profile consists of a profile name, a profile class, a universal
access authority, and an ADDMEM value. The profile name is a three-part
identifier that indicates the origin of the work and the type of security
information you want to validate. The universal access authority determines
the actions that RACF performs
on the inbound work. This information is described in Table 1 and Table 1.
Note: Access lists do not apply to NODES class profiles. The ADDMEM
value is used to translate to locally defined values.
A NODES profile name has the following format:
nodename.worktype.name
where:
- nodename
  Is the name of the node from which you expect inbound work. For
  jobs, this is the submitting node. For SYSOUT, this is the execution
  node.
  Note:
  - If &SUSER is specified as an ADDMEM value
    in a profile that controls SYSOUT, a second check is done where nodename is
    the submitting node.
  - If &DFLTGRP is specified as an ADDMEM value
    in a profile that deals with groups (either jobs or SYSOUT), the user's
    default group is used.
  - It is recommended that you define a profile in the RACFVARS class named &RACLNDE,
    and use &RACLNDE for all nodes that are considered
    local to your system. For more information, see Setting up NODES profiles.
- worktype
  Is the type of work to be controlled by the profile.
  Notice that the last character, J or S, indicates the type of work
  to be validated. J indicates jobs; S indicates SYSOUT.
  - RUSER
    Controls commands originating from NJE nodes. The nodename is
    used as the name on the third qualifier.
  - USERJ
    Controls jobs by the user ID specified on the third qualifier. The job is controlled
    by who the submitter is. This type of profile is also used to determine
    the amount of trust the job has. For details, see Understanding mixed security environments.
  - USERS
    Controls SYSOUT by the user ID specified on the third qualifier. The SYSOUT
    is controlled by who the owner is. This type of profile is also used
    to determine the amount of trust the SYSOUT has. For details, see Understanding mixed security environments.
  - GROUPJ
    Controls jobs by the group name specified on the third qualifier.
  - GROUPS
    Controls SYSOUT by the group name specified on the third qualifier.
  - SECLJ
    Controls jobs by the security label specified on the third qualifier.
  - SECLS
    Controls SYSOUT by the security label specified on the third qualifier.
  For example, a value of USERJ specifies that you
  want RACF to use the profile
  to validate inbound jobs; a value of USERS specifies that you want RACF to use the profile to validate
  inbound SYSOUT.
- name
  Is the actual user ID, group name, or security label you want
  validated. If you are using NODES profiles to allow the use of these
  input values, you must either define these values in your RACF database or use the ADDMEM
  operand to translate them into acceptable values for your system.
  For jobs, the submitter information is substituted. For SYSOUT, the
  owner information is used. (See Understanding mixed security environments.)
For example, the following profile controls whether jobs coming
from user ID WAYNE at node BERMUDA can be executed here:
BERMUDA.USERJ.WAYNE
You can optionally associate a local user ID with user ID WAYNE
by specifying the user ID on the ADDMEM operand.
You can specify generic characters in the profile name to control
a wider range of work. For example, if you place an asterisk in place
of the nodename value, RACF performs the requested type of validation
for work from all nodes in the network (unless a more specific profile
exists). Examples of generic profiles in the NODES class are shown
in this topic. For more information, see Choosing between discrete and generic profiles in general resource classes.
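The naming rules above can be checked mechanically when reviewing a list of NODES profile names. The following Python sketch is an added example, not IBM code: it parses each name into its three qualifiers, classifies it with the worktype list from this topic, and reports malformed names, generic nodename values, and RUSER profiles whose third qualifier is not the node name. It assumes all three qualifiers are written out and that worktype is not generic; every sample name except BERMUDA.USERJ.WAYNE is constructed.

```python
from dataclasses import dataclass

# worktype -> (work it controls, what the third qualifier holds), as listed in this topic
WORKTYPES = {
    "RUSER": ("commands", "node name"),
    "USERJ": ("jobs", "user ID"), "USERS": ("SYSOUT", "user ID"),
    "GROUPJ": ("jobs", "group name"), "GROUPS": ("SYSOUT", "group name"),
    "SECLJ": ("jobs", "security label"), "SECLS": ("SYSOUT", "security label"),
}

@dataclass
class NodesProfile:
    nodename: str
    worktype: str
    name: str
    work: str      # commands, jobs or SYSOUT
    key: str       # what the third qualifier identifies

def is_generic(qualifier):
    # '*' is the generic character this topic shows; '%' is RACF's one-character generic.
    return "*" in qualifier or "%" in qualifier

def parse(profile):
    parts = profile.upper().split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"{profile}: expected nodename.worktype.name")
    nodename, worktype, name = parts
    if worktype not in WORKTYPES:
        raise ValueError(f"{profile}: unknown worktype {worktype}")
    return NodesProfile(nodename, worktype, name, *WORKTYPES[worktype])

def review(profiles):
    findings = []
    for text in profiles:
        try:
            p = parse(text)
        except ValueError as err:
            findings.append(str(err))
            continue
        if is_generic(p.nodename):
            findings.append(f"{text}: generic nodename, covers {p.work} from all matching nodes")
        # Only compare qualifiers when neither is generic nor a RACFVARS variable (&...).
        fixed = not (is_generic(p.nodename) or is_generic(p.name) or "&" in text)
        if p.worktype == "RUSER" and fixed and p.name != p.nodename:
            findings.append(f"{text}: RUSER third qualifier should be the node name")
    return findings

# Constructed sample list; only BERMUDA.USERJ.WAYNE comes from this topic.
SAMPLE = ["BERMUDA.USERJ.WAYNE", "*.USERS.WAYNE", "BERMUDA.RUSER.WAYNE",
          "BERMUDA.USERX.WAYNE", "&RACLNDE.GROUPJ.PAYROLL", "BERMUDA.USERJ"]
```

Calling review(SAMPLE) returns four findings; BERMUDA.USERJ.WAYNE and &RACLNDE.GROUPJ.PAYROLL pass without comment.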
If you installed RACF and
did not activate the NODES class, JES validates jobs and SYSOUT in
the following manner:
- JES runs only those jobs that are destined for your node and that
have a valid user ID and password on the job card if BATCHALLRACF
is active. If BATCHALLRACF is not active, the job can run without
a RACF user ID.
- A security label of SYSHIGH is assigned to all SYSOUT destined
for your node (if security labels are being used) and can be printed
only on those devices permitted to SYSHIGH data. JES assigns the default
user ID to this SYSOUT. For information about default user IDs, see Understanding default user IDs.
- All work destined for another node remains unchanged.
If you choose to activate the NODES class, you must gather information
from your JES system programmer so that you can set up profiles to
control the work entering your system. The following sections identify
the appropriate values for each type of work.