Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Avoiding the need to refresh in-storage profiles z/OS Security Server RACF Security Administrator's Guide SA23-2289-00 |
|
If your installation maintains in-storage copies of resource profiles through the SETROPTS RACLIST or SETROPTS GENLIST command, changes to those profiles do not take effect on the system until a SETROPTS RACLIST REFRESH or SETROPTS GENERIC REFRESH command is issued. For the access list of an in-storage profile that requires frequent
maintenance, you might avoid refreshing the in-storage copy by adding
a RACF® group instead of individual
user IDs to the access list. When you connect or remove a user from
a RACF group, group membership
takes effect at the user's next logon. Therefore, you can use the
CONNECT and REMOVE commands (rather than the PERMIT command) to more
quickly change the access authorities of an in-storage profile when
you connect or remove users from a group already on the profile's
access list.
Note:
In addition, you can delegate the ability to maintain the membership of the RACF group to someone else because SPECIAL authority is not needed to use the CONNECT and REMOVE commands. Give CONNECT authority for the group to an appropriate person (perhaps the owner of the resource profile) and allow her to administer the access list of the affected resource profile without involving a SPECIAL user to refresh the in-storage profile. |
Copyright IBM Corporation 1990, 2014
|