z/OS Security Server RACF Security Administrator's Guide


Examples of debugging complex RACF variables and member lists

SA23-2289-00

The following three examples illustrate working with complex RACF® variables and RACFVARS member lists.

Example 1

RDEFINE RACFVARS &CTM ADDMEM(TEST TESTA)
RDEFINE SURROGAT &CTM.SUBMIT UACC(NONE)
PERMIT  &CTM.SUBMIT CLASS(SURROGAT) ID(USER1) ACCESS(READ)
USER1 submits the job TESTA1 on system PLPSC with USER=TESTA on the job card. RACF checks the resource TESTA.SUBMIT in the SURROGAT class, the job fails, and the following error message is issued:
$HASP165  TESTA1 ENDED AT PLPSC - SECURITY VIOLATION

The failure occurs because substitution for &CTM stops at the first member in the list, TEST, which matches the first four characters of TESTA. The remaining character, A, is then treated as a specific part of the resource name, but the next part of the profile name is .SUBMIT, so there is nothing in the profile for the A to match and the comparison fails. RACF does not go back and try the next member, TESTA, which would have matched.

As a precaution, order the member names when you add RACFVARS members: a member name that is a prefix of another member name (a subset of it) should follow the longer name in the list, so that the longer name is tried first.

In the example, TEST is a prefix of TESTA. To obtain the expected result, reverse the members in the RACFVARS member list:
RDEFINE RACFVARS &CTM UACC(NONE) ADDMEM(TESTA TEST)
Note: Ordering the members solves the problem in the example. However, this might not be the desired order in all cases.

Example 2

RDEFINE RACFVARS &R ADDMEM(AB A)
RDEFINE ACCTNUM  &R%.X UACC(NONE)
PERMIT  &R%.X CLASS(ACCTNUM) ID(USER1) ACCESS(READ)
In this example, TSO user USER1 attempts to log on with account number AB.X. The profile &R%.X does not match, and the logon fails with the following error message:
IKJ56486I  THE ACCOUNT NUMBER AB.X HAS NOT BEEN DEFINED FOR USE

The first member, AB, is chosen and consumes the whole first qualifier of AB.X. The profile then requires one more character for the generic character % before the period, but no characters remain in that qualifier of the resource name, so the comparison fails. RACF does not go back and try the second member, A, which would have left the B for the % to match.

To obtain the expected result, either reverse the members in the RACFVARS member list as follows:
RDEFINE RACFVARS &R ADDMEM(A AB)
or redefine the generic profile with * instead of %, because * can match zero characters where % must match exactly one:
RDEFINE ACCTNUM &R*.X UACC(NONE)
When you use any of the following to define a profile name, unexpected results can occur:
  • Multiple RACFVARS
  • A combination of RACFVARS and generic characters
  • A combination of RACFVARS and specific names

Example 3

RDEFINE SURROGAT &A&B.SUBMIT UACC(NONE)
PERMIT  &A&B.SUBMIT CLASS(SURROGAT) ID(USER1) ACCESS(READ)
RDEFINE RACFVARS &A UACC(NONE) ADDMEM(AB A)
RDEFINE RACFVARS &B UACC(NONE) ADDMEM(B C)
USER1 submits the job AB1 on system PLPSC with USER=AB on the job card. RACF checks the resource AB.SUBMIT in the SURROGAT class, the job fails, and the following error message is issued:
$HASP165  AB1 ENDED AT PLPSC - SECURITY VIOLATION

The failure occurs because substitution for &A stops at its first member, AB, which consumes the entire first qualifier of AB.SUBMIT. Nothing remains before the period to match a member of &B (B or C), so the comparison fails. RACF does not go back and try the second member of &A, A, which would have left the B for &B to match.

The resource name must match a member of each RACFVARS variable used in the profile name, in the order in which the variables appear.

To obtain the expected results, reverse the members in the RACFVARS member list of &A:
RDEFINE RACFVARS &A UACC(NONE) ADDMEM(A AB)

However, the set of resource names that match the profile has now changed. For example, the specific resource name ABB.SUBMIT matched before (AB for &A, then B for &B) and no longer matches: with A first, &A takes A and &B takes the first B, leaving the second B before the period with nothing in the profile to match it.
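To make the rule behind all three examples concrete, the following added example (written for this page; it is not RACF code and it does not reproduce RACF's full generic-naming rules) models the substitution behaviour the examples describe: a &variable is satisfied by the first member, in ADDMEM order, that is a prefix of what remains of the resource name, and a later member is never retried when the rest of the profile then fails to match. The member lists EX1_BEFORE through EX3_AFTER are constructed from Examples 1 to 3; the treatment of % (exactly one character) and * (zero or more characters that do not cross a period) is a simplification, and the reorder_impact helper is the check a practitioner should run over the resource names that matter before reordering a member list.

```python
"""Model of the RACFVARS substitution rule that Examples 1-3 describe.

Written for this page as an illustration; it is not RACF code and it
does not reproduce RACF's full generic-naming rules. It encodes exactly
the behaviour the examples explain: a &variable is satisfied by the FIRST
member (in ADDMEM order) that is a prefix of what remains of the resource
name, and RACF does not go back to a later member when the rest of the
profile then fails to match.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Racfvars = Dict[str, List[str]]      # '&CTM' -> ['TEST', 'TESTA'], in ADDMEM order
Token = Tuple[str, str]              # ('var', '&CTM') | ('lit', '.SUBMIT') | ('pct', '%') | ('star', '*')


def tokenize(profile: str) -> List[Token]:
    """Split a profile name into RACFVARS references, literals and generic characters."""
    tokens: List[Token] = []
    pos = 0
    while pos < len(profile):
        ch = profile[pos]
        if ch == '&':
            m = re.match(r'&[A-Z0-9@#$]{1,7}', profile[pos:])   # &NAME, up to 7 characters after the &
            if not m:
                raise ValueError(f'bad RACFVARS reference at {pos} in {profile!r}')
            tokens.append(('var', m.group(0)))
            pos += len(m.group(0))
        elif ch in '%*':
            tokens.append(('pct' if ch == '%' else 'star', ch))
            pos += 1
        else:
            text = re.match(r'[^&%*]+', profile[pos:]).group(0)
            tokens.append(('lit', text))
            pos += len(text)
    return tokens


def matches(profile: str, resource: str, racfvars: Racfvars,
            trace: Optional[List[str]] = None) -> bool:
    """True if RESOURCE matches PROFILE under the first-member-wins rule.

    If TRACE is a list, the member chosen for each &variable is appended to it,
    which shows where a failing comparison went wrong.
    """
    tokens = tokenize(profile)

    def walk(ti: int, pos: int) -> bool:
        if ti == len(tokens):
            return pos == len(resource)             # the whole resource name must be consumed
        kind, text = tokens[ti]
        rest = resource[pos:]
        if kind == 'lit':
            return rest.startswith(text) and walk(ti + 1, pos + len(text))
        if kind == 'pct':                           # % matches exactly one character
            return len(rest) >= 1 and walk(ti + 1, pos + 1)
        if kind == 'star':                          # * matches zero or more characters within a qualifier
            limit = rest.find('.')                  # (simplification of RACF generic naming)
            limit = len(rest) if limit < 0 else limit
            return any(walk(ti + 1, pos + n) for n in range(limit, -1, -1))
        for member in racfvars.get(text, []):       # &variable: first member that is a prefix wins...
            if rest.startswith(member):
                if trace is not None:
                    trace.append(f'{text}={member}')
                return walk(ti + 1, pos + len(member))   # ...and a later member is never retried
        return False

    return walk(0, 0)


def reorder_impact(profile: str, before: Racfvars, after: Racfvars,
                   candidates: Sequence[str]) -> Dict[str, List[str]]:
    """Which candidate resource names start or stop matching when member lists change.

    Run this over the resource names you actually rely on before reordering a
    member list: the fix for one name can silently revoke access for another.
    """
    gained = [r for r in candidates if not matches(profile, r, before) and matches(profile, r, after)]
    lost = [r for r in candidates if matches(profile, r, before) and not matches(profile, r, after)]
    return {'gained': gained, 'lost': lost}


# Constructed member lists mirroring Examples 1-3, before and after reordering.
EX1_BEFORE = {'&CTM': ['TEST', 'TESTA']}
EX1_AFTER = {'&CTM': ['TESTA', 'TEST']}
EX2_BEFORE = {'&R': ['AB', 'A']}
EX2_AFTER = {'&R': ['A', 'AB']}
EX3_BEFORE = {'&A': ['AB', 'A'], '&B': ['B', 'C']}
EX3_AFTER = {'&A': ['A', 'AB'], '&B': ['B', 'C']}

if __name__ == '__main__':
    t: List[str] = []
    print(matches('&CTM.SUBMIT', 'TESTA.SUBMIT', EX1_BEFORE, t), t)   # False ['&CTM=TEST']
    print(matches('&CTM.SUBMIT', 'TESTA.SUBMIT', EX1_AFTER))          # True
    print(matches('&R%.X', 'AB.X', EX2_BEFORE))                       # False: nothing left for %
    print(matches('&R*.X', 'AB.X', EX2_BEFORE))                       # True: * may match nothing
    print(matches('&A&B.SUBMIT', 'AB.SUBMIT', EX3_BEFORE))            # False: AB leaves nothing for &B
    print(reorder_impact('&A&B.SUBMIT', EX3_BEFORE, EX3_AFTER,
                         ['AB.SUBMIT', 'ABB.SUBMIT', 'ABC.SUBMIT']))
    # {'gained': ['AB.SUBMIT'], 'lost': ['ABB.SUBMIT', 'ABC.SUBMIT']}
```

The trace argument is the debugging aid: for a failing check it tells you which member each variable consumed, which is usually enough to see which longer member should have been first. The reorder_impact call for Example 3 shows the caveat from the text directly: moving A ahead of AB makes AB.SUBMIT match, but ABB.SUBMIT and ABC.SUBMIT stop matching.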

Guideline: To avoid unexpected results, reduce the complexity of profiles.

If you add, remove, or reorder a member in a RACFVARS member list, issue SETROPTS RACLIST(RACFVARS) REFRESH so that the in-storage copy of the RACFVARS profile reflects the change, and then issue SETROPTS RACLIST REFRESH or SETROPTS GENERIC REFRESH for any classes that contain profiles that use the RACFVARS value affected by your change. Until the refresh, access checks continue to use the previous member list.
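The reorder-and-refresh sequence for Example 1, run as a batch TSO job, as an added example that is not part of the original page. It assumes that the SURROGAT class is RACLISTed on the system (if it is not, use SETROPTS GENERIC(SURROGAT) REFRESH for that class instead) and that the job card matches local standards; the job card shown is constructed. RDELETE is needed because RDEFINE fails for a profile name that already exists, and the RLIST at the end displays the resulting member list so you can confirm the order before the refreshed copy is used.

```jcl
//RACFFIX  JOB (ACCT),'REORDER CTM',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*  Constructed job card: replace the account and classes with local values.
//*  Runs RACF commands in batch TSO; output goes to SYSTSPRT.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDELETE  RACFVARS &CTM
  RDEFINE  RACFVARS &CTM UACC(NONE) ADDMEM(TESTA TEST)
  SETROPTS RACLIST(RACFVARS) REFRESH
  SETROPTS RACLIST(SURROGAT) REFRESH
  RLIST    RACFVARS &CTM
/*
```

Because the RACFVARS class is RACLISTed, access checks keep using the in-storage copy of &CTM between the RDELETE and the first REFRESH, so the window in which the profile is absent from the database does not cause failures; run the impact check from the earlier example over the user IDs that depend on &CTM before submitting this job, since the new order changes which resource names match.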





Copyright IBM Corporation 1990, 2014