z/OS Security Server RACF Security Administrator's Guide


Considerations for resource group profiles

SA23-2289-00

When you work with resource group profiles, keep these considerations in mind:
  • There are limitations on the size of resource access lists and profiles, particularly for profiles that are processed in storage by the SETROPTS RACLIST command or the RACROUTE REQUEST=LIST macro. For more information, see Limiting the size of your access lists.
  • Do not issue the SETROPTS RACLIST command for the resource group class (for example, GTERMINL or GDASDVOL).

    Instead, specify the related member class (for example, TERMINAL or DASDVOL). When you RACLIST the TERMINAL class, RACF® RACLISTs the GTERMINL class for you.

  • You cannot use the SETROPTS command to RACLIST resource classes for these resources:
    • CICS® resources (except FCICSFCT)
    • All IMS™ resources.
    These CICS and IMS resources issue RACROUTE REQUEST=LIST at initialization time.
    To refresh CICS classes that are not RACLISTed with RACROUTE REQUEST=LIST,GLOBAL=YES or SETROPTS RACLIST, issue this CICS command from the operator console:
    CEMT PERFORM SECURITY REBUILD

    When IMS is refreshed, the IMS classes are refreshed as well.

  • You cannot specify generic profile names in the resource group class.
  • You can specify generic names on the ADDMEM operand. However, you should consider defining your generics in the MEMBER class so that the RLIST command can be used to find the generic profile that protects a resource.
  • A resource group profile, which is associated with only one resource class, cannot be used to group resources from two different classes.
  • If you use resource grouping profiles, consider avoiding the use of the related member class.

    For example, if you use GTERMINL profiles, convert entirely to using GTERMINL profiles, and delete all TERMINAL profiles. This can ease the administration of terminal authorizations. For example, the SEARCH command lists profile names for only one class at a time: GTERMINL or TERMINAL.

    Note: Remember that you can use RLIST to find the generic that matches a name only if you use member class profiles. RLIST does not provide this support for members of grouping class profiles. Therefore, you must decide which approach is easier to administer. It might be better to define all discrete names as members of grouping profiles and all generic names as member class profiles. That allows you to use multiple SEARCH or RLIST commands when necessary.

    When converting generic TERMINAL profiles to GTERMINL profiles, you can specify generic characters on the ADDMEM operand to obtain the same coverage.
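The split suggested in the note above (discrete names as members of a grouping profile, generic names as member class profiles, and RACLIST issued only for the member class), as an added example that is not part of the IBM text. The profile names, terminal IDs and group names are constructed, and the exec is assumed to run under a user ID with the SPECIAL attribute.

```rexx
/* REXX - added example; all profile, terminal and group names are constructed */
address TSO

/* Activate the member class and enable generic profile checking for it */
/* before any generic profile is defined.                               */
"SETROPTS CLASSACT(TERMINAL) GENERIC(TERMINAL)"

/* Discrete terminal names: one grouping-class profile, one access list */
"RDEFINE GTERMINL PAYTERMS UACC(NONE) ADDMEM(T1PAY01 T1PAY02 T1PAY03)"
"PERMIT PAYTERMS CLASS(GTERMINL) ID(PAYCLRK) ACCESS(READ)"

/* Generic names: kept in the member class so RLIST can resolve them */
"RDEFINE TERMINAL T2AUD* UACC(NONE)"
"PERMIT T2AUD* CLASS(TERMINAL) ID(AUDITOR) ACCESS(READ)"

/* RACLIST the member class only; RACF RACLISTs GTERMINL along with it. */
/* Do not name GTERMINL on SETROPTS RACLIST.                            */
"SETROPTS RACLIST(TERMINAL)"

/* After later changes to either class, refresh through the member class */
"SETROPTS RACLIST(TERMINAL) REFRESH"

/* Review: SEARCH covers one class per command, so issue it twice */
"SEARCH CLASS(GTERMINL)"
"SEARCH CLASS(TERMINAL)"

/* Find the generic profile that protects a given terminal name */
"RLIST TERMINAL T2AUD07 GENERIC"

/* Discrete names are not resolved that way; list the grouping profile */
"RLIST GTERMINL PAYTERMS ALL"
```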





Copyright IBM Corporation 1990, 2014