Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Establishing your RACF group structure z/OS Security Server RACF Security Administrator's Guide SA23-2289-00 |
|
You should map your groups to your organization's structure and arrange them hierarchically so that each group is a subgroup of some other group. The group SYS1 is predefined as the highest group in the hierarchy. You should document the resulting group structure as part of the implementation plan. You might want to develop a set of guidelines for your delegated security and group administrators to identify the general categories of resources and users, and the relationships between them. For groups that might become large, and for which a quick listing of members is not needed, you might want to consider defining the groups using the UNIVERSAL operand of the ADDGROUP command. See Defining large groups with the UNIVERSAL attribute. Figure 1 shows relationships that can exist
between users and groups.
Figure 1. User and group relationships
In Figure 1:
Note: If you run with list-of-groups checking inactive (that is, with
the SETROPTS NOGRPLIST option in effect), the scope of USER1's group-SPECIAL
attribute is limited to his default group or the group he specified
when logging on, and the groups below that group in the hierarchy.
For more information on list-of-groups checking, see Activating list-of-groups checking (GRPLIST option).
|
Copyright IBM Corporation 1990, 2014
|