When you work with resource group profiles, keep these considerations
in mind:
- There are limitations on the size of resource access lists and
profiles, particularly for profiles that are processed in storage
by the SETROPTS RACLIST command or the RACROUTE REQUEST=LIST macro.
For more information, see Limiting the size of your access lists.
- Do not issue the SETROPTS RACLIST command for the resource group
class (for example, GTERMINL or GDASDVOL). Instead, specify the
related member class (for example, TERMINAL or DASDVOL). When you
RACLIST the TERMINAL class, RACF® RACLISTs the GTERMINL class for you.
- You cannot use the SETROPTS command to RACLIST resource
classes for these resources:
  - CICS® resources (except FCICSFCT)
  - All IMS™ resources.
These CICS and IMS resources issue RACROUTE REQUEST=LIST
at initialization time. To refresh CICS classes that are
not RACLISTed with RACROUTE REQUEST=LIST,GLOBAL=YES
or SETROPTS RACLIST, issue this CICS command
from the operator console:
    CEMT PERFORM SECURITY REBUILD
When IMS is refreshed, the IMS classes are refreshed as well.
- You cannot specify generic profile names in the resource
group class.
- You can specify generic names on the ADDMEM operand. However,
you should consider defining your generics in the MEMBER class so
that the RLIST command can be used to find the generic profile that protects a resource.
- A resource group profile, which is associated with only one resource
class, cannot be used to group resources from two different
classes.
- If you use resource grouping profiles, consider avoiding the use
of the related member class. For example, if you use GTERMINL profiles,
convert entirely to using GTERMINL profiles, and delete all TERMINAL
profiles. This can ease the administration of terminal authorizations.
For example, the SEARCH command lists profile names for only one class
at a time: GTERMINL or TERMINAL.

Note: Remember that you can use RLIST to find the generic that matches
a name only if you use member class profiles. RLIST does not provide
this support for members of grouping class profiles. Therefore, you
must decide which approach is easier to administer. It might be better
to define all discrete names as members of grouping profiles and all
generic names as member class profiles. That allows you to use multiple
SEARCH or RLIST commands when necessary.

When converting generic TERMINAL profiles to GTERMINL profiles, you can
specify generic characters on the ADDMEM operand to obtain the same
coverage.
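
The conversion described above, as an added example that is not part of the original documentation: a REXX exec that moves one generic TERMINAL profile into a GTERMINL grouping profile and refreshes through the member class. The profile name PAYTERMS, the terminal names T1A01, T1A02 and T12*, and the group PAYROLL are constructed; the exec assumes the TERMINAL class is already active, generic-enabled, and RACLISTed through SETROPTS.

```rexx
/* REXX - added example; profile, terminal and group names are constructed. */
/* Assumption: TERMINAL is already active and RACLISTed through SETROPTS.   */

/* Record the access list of the generic TERMINAL profile being replaced.   */
call run "RLIST TERMINAL T12* AUTHUSER"

/* One grouping profile: discrete members plus the generic on ADDMEM,       */
/* so the same terminals stay covered after the conversion.                 */
call run "RDEFINE GTERMINL PAYTERMS UACC(NONE) ADDMEM(T1A01 T1A02 T12*)"
call run "PERMIT PAYTERMS CLASS(GTERMINL) ID(PAYROLL) ACCESS(READ)"

/* Convert entirely: delete the member-class profile that was replaced.     */
call run "RDELETE TERMINAL T12*"

/* Refresh the member class. Do not name GTERMINL on SETROPTS RACLIST;      */
/* RACF processes the grouping class when TERMINAL is RACLISTed.            */
call run "SETROPTS RACLIST(TERMINAL) REFRESH"

/* SEARCH lists one class per command, so review both classes.              */
address TSO "SEARCH CLASS(GTERMINL)"
address TSO "SEARCH CLASS(TERMINAL)"
exit 0

/* Issue one RACF command and stop at the first failure, so that a failed   */
/* RDEFINE or PERMIT is never followed by the RDELETE of the old profile.   */
run: procedure
  parse arg cmd
  say "==>" cmd
  address TSO cmd
  if rc <> 0 then do
    say "Stopped: rc="rc "from" cmd
    exit 8
  end
  return
```

After the conversion, review the members with RLIST GTERMINL PAYTERMS, because RLIST cannot find the matching generic for a terminal name among grouping-class members.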