Examples of debugging complex RACF variables and member lists
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
The following three examples illustrate working with complex RACF® variables and RACFVARS member lists.
Example 1
The job TESTA1 submitted by USER1 on system PLPSC, with USER=TESTA on the job card, results in a failure and the following error message.
The failure occurs because RACF checking stops when the first four characters of the specified resource name, TESTA, match the first RACFVARS member, TEST, leaving the letter A. The remaining letter A is considered a specific part of the resource name and there is no corresponding specific part in the profile name to which it can be matched.
As a precaution, when adding RACFVARS members, order the member names. The member names that are a subset of other names should follow the names of which they are a subset. In the example, TEST is a subset of TESTA. Therefore, to obtain the expected result, reverse the members in the RACFVARS member list.
Note: Ordering the members solves the problem in the example. However, this might not be the desired order in all cases.
Example 2
In this example, TSO user USER1 attempts to log on with account number AB.X, but profile &R%.X does not match. This results in the following error message:
The AB matches appropriately. However, no characters remain in the resource name to match with the generic character, %.
To obtain the expected result, reverse the members in the RACFVARS member list as follows:
or redefine the generic profile as follows:
When you use any of the following to define a profile name, unexpected results can occur:
Example 3
The job AB1 submitted by USER1 on system PLPSC, with USER=AB on the job card, results in a failure and the following error message:
The failure occurs because RACF checking for the resource name AB matches the first member of &A which is AB. Because there is no part of the resource name to match the second part of the profile name specified by &B, the compare fails. The resource name must match with a member of each of the RACFVARS used to define a profile.
To obtain the expected results, reverse the members in the RACFVARS member list of &A:
However, the set of resource names that was valid has now changed. For example, the specific resource name, ABB, was valid and is no longer valid.
Guideline: To avoid unexpected results, reduce the complexity of profiles. If you decide to remove a member from a RACFVARS member list, be sure to issue the SETROPTS RACLIST REFRESH or GENERIC REFRESH commands for any classes that contain profiles that use the RACFVARS value affected by your change.
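The ordering effect in all three examples can be checked before changing a member list with a small model. The Python sketch below is an added illustration, not IBM's code and not RACF's implementation; it assumes the first-member-wins comparison described above. The member lists, the variable name &U and the profile &A&B are constructed for the illustration, because the definitions used in the examples are not shown on this page.

```python
def racf_match(profile, resource, racfvars):
    """Model (an assumption, not RACF's code): each &variable takes the FIRST
    member, in list order, that prefixes the rest of the resource name, and
    that choice is never revisited. racfvars maps "&NAME" -> ordered members.
    Only RACFVARS variables, the generic character % and literals are handled.
    """
    p = r = 0  # positions in profile and resource
    while p < len(profile):
        if profile[p] == "&":
            # Longest defined variable name starting at this position.
            name = max((n for n in racfvars if profile.startswith(n, p)),
                       key=len, default=None)
            if name is None:
                raise ValueError(f"undefined variable at {profile[p:]!r}")
            member = next((m for m in racfvars[name]
                           if resource.startswith(m, r)), None)
            if member is None:
                return False  # no member fits what is left of the name
            p, r = p + len(name), r + len(member)
        elif profile[p] == "%":
            # Model assumption: % needs exactly one character, not a period.
            if resource[r:r + 1] in ("", "."):
                return False
            p, r = p + 1, r + 1
        else:
            if resource[r:r + 1] != profile[p]:
                return False
            p, r = p + 1, r + 1
    return r == len(resource)  # leftover characters mean no match


def reorder(racfvars, name):
    """Copy of racfvars with the member list of `name` reversed."""
    return {**racfvars, name: racfvars[name][::-1]}


# Constructed member lists: the page's own definitions are not shown. &U and
# the profile "&A&B" are hypothetical; "&R%.X" is the profile in Example 2.
CASES = [
    ("&U", "TESTA", {"&U": ["TEST", "TESTA"]}),              # Example 1
    ("&R%.X", "AB.X", {"&R": ["AB", "A"]}),                  # Example 2
    ("&A&B", "AB", {"&A": ["AB", "A"], "&B": ["B"]}),        # Example 3
]

if __name__ == "__main__":
    for profile, resource, rv in CASES:
        before = racf_match(profile, resource, rv)
        after = racf_match(profile, resource, reorder(rv, profile[:2]))
        print(f"{profile:6} {resource:6} as defined={before} reordered={after}")
```

Running the same check against other resource names that must stay valid, such as ABB in Example 3, shows what a reordering gives up as well as what it fixes.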
Copyright IBM Corporation 1990, 2014