z/OS Security Server RACF Security Administrator's Guide


Understanding NODES profiles

SA23-2289-00

You can use profiles in the NODES class to control how RACF® validates inbound work on an NJE network. As with other RACF profiles, a NODES profile consists of a profile name, a profile class, a universal access authority, and an ADDMEM value. The profile name is a three-part identifier that indicates the origin of the work and the type of security information you want to validate. The universal access authority determines the actions that RACF performs on the inbound work. This information is described in Table 1 and Table 2.

Note: Access lists do not apply to NODES class profiles. The ADDMEM value is used to translate to locally defined values.
A NODES profile name has the following format:
nodename.worktype.name
where:
nodename
Is the name of the node from which you expect inbound work. For jobs, this is the submitting node. For SYSOUT, this is the execution node.
Note:
  1. If &SUSER is specified as an ADDMEM value in a profile that controls SYSOUT, a second check is done where nodename is the submitting node.
  2. If &DFLTGRP is specified as an ADDMEM value in a profile that deals with groups (either jobs or SYSOUT), the user's default group is used.
  3. It is recommended that you define a profile in the RACFVARS class named &RACLNDE, and use &RACLNDE for all nodes that are considered local to your system. For more information, see Setting up NODES profiles.
worktype
Is the type of work to be controlled by the profile.

Notice that the last character, J or S, indicates the type of work to be validated. J indicates jobs; S indicates SYSOUT.

RUSER
Controls commands originating from NJE nodes. The nodename is used as the name on the third qualifier.
USERJ
Controls jobs by the user ID specified on the third qualifier. The job is controlled by who the submitter is. This type of profile is also used to determine the amount of trust the job has. For details, see Understanding mixed security environments.
USERS
Controls SYSOUT by the user ID specified on the third qualifier. The SYSOUT is controlled by who the owner is. This type of profile is also used to determine the amount of trust the SYSOUT has. For details, see Understanding mixed security environments.
GROUPJ
Controls jobs by the group name specified on the third qualifier.
GROUPS
Controls SYSOUT by the group name specified on the third qualifier.
SECLJ
Controls jobs by the security label specified on the third qualifier.
SECLS
Controls SYSOUT by the security label specified on the third qualifier.

For example, a value of USERJ specifies that you want RACF to use the profile to validate inbound jobs; a value of USERS specifies that you want RACF to use the profile to validate inbound SYSOUT.

name
Is the actual user ID, group name, or security label you want validated. If you are using NODES profiles to allow the use of these input values, you must either define these values in your RACF database or use the ADDMEM operand to translate them into acceptable values for your system. For jobs, the submitter information is substituted. For SYSOUT, the owner information is used. (See Understanding mixed security environments.)
For example, the following profile controls whether jobs coming from user ID WAYNE at node BERMUDA can be executed here:
BERMUDA.USERJ.WAYNE

You can optionally associate a local user ID with user ID WAYNE by specifying the user ID on the ADDMEM operand.

You can specify generic characters in the profile name to control a wider range of work. For example, if you place an asterisk in place of the nodename value, RACF performs the requested type of validation for work from all nodes in the network (unless a more specific profile exists). Examples of generic profiles in the NODES class are shown in this topic. For more information, see Choosing between discrete and generic profiles in general resource classes.
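The following is an added illustrative model (not RACF or JES code) of how the three-part profile name, generic characters and the ADDMEM translation described above fit together: it parses nodename.worktype.name, picks the most specific matching profile for a piece of inbound work, and applies the ADDMEM value (including &DFLTGRP). The profile list, node and user names are constructed for the example; the specificity ordering is simplified and the &SUSER second check is not modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Second qualifier -> (kind of work it applies to, what the third qualifier holds)
WORKTYPES = {
    "RUSER": ("command", "user ID"),
    "USERJ": ("job", "user ID"),     "USERS": ("SYSOUT", "user ID"),
    "GROUPJ": ("job", "group"),      "GROUPS": ("SYSOUT", "group"),
    "SECLJ": ("job", "security label"), "SECLS": ("SYSOUT", "security label"),
}

@dataclass(frozen=True)
class NodesProfile:
    name: str                     # nodename.worktype.name, e.g. BERMUDA.USERJ.WAYNE
    uacc: str                     # universal access authority
    addmem: Optional[str] = None  # optional translation to a locally defined value

    def qualifiers(self) -> tuple:
        parts = self.name.split(".")
        if len(parts) != 3:
            raise ValueError(f"NODES profile needs three qualifiers: {self.name}")
        if parts[1] not in WORKTYPES:
            raise ValueError(f"unknown worktype {parts[1]!r} in {self.name}")
        return tuple(parts)

def qualifier_matches(pattern: str, value: str) -> bool:
    # RACF generic characters: '*' matches any string, '%' matches one character
    return fnmatchcase(value, pattern.replace("%", "?"))

def specificity(profile: NodesProfile) -> int:
    # Fewer generic characters = more specific (simplified ordering for this model)
    return profile.name.count("*") + profile.name.count("%")

def find_profile(profiles, node, worktype, name) -> Optional[NodesProfile]:
    """Return the most specific NODES profile covering this inbound work, or None."""
    hits = [p for p in profiles
            if p.qualifiers()[1] == worktype
            and qualifier_matches(p.qualifiers()[0], node)
            and qualifier_matches(p.qualifiers()[2], name)]
    return min(hits, key=specificity) if hits else None

def local_value(profile: NodesProfile, inbound_name: str, default_group=None) -> str:
    """Apply the ADDMEM translation; &DFLTGRP resolves to the user's default group."""
    if profile.addmem is None:
        return inbound_name                      # value must exist in the local RACF database
    if profile.addmem == "&DFLTGRP":
        if default_group is None:
            raise ValueError("&DFLTGRP needs the user's default group")
        return default_group
    return profile.addmem

# Constructed sample profiles: a discrete profile with a local translation, a generic
# catch-all for jobs from any node, and a group profile translated to the default group.
SAMPLE_PROFILES = [
    NodesProfile("BERMUDA.USERJ.WAYNE", "UPDATE", "WAYNELCL"),
    NodesProfile("*.USERJ.*", "NONE"),
    NodesProfile("BERMUDA.GROUPJ.*", "READ", "&DFLTGRP"),
]
```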

If you installed RACF and did not activate the NODES class, JES validates jobs and SYSOUT in the following manner:
  • JES runs only those jobs that are destined for your node and that have a valid user ID and password on the job card if BATCHALLRACF is active. If BATCHALLRACF is not active, the job can run without a RACF user ID.
  • A security label of SYSHIGH is assigned to all SYSOUT destined for your node (if security labels are being used) and can be printed only on those devices permitted to SYSHIGH data. JES assigns the default user ID to this SYSOUT. For information about default user IDs, see Understanding default user IDs.
  • All work destined for another node remains unchanged.

If you choose to activate the NODES class, you must gather information from your JES system programmer so that you can set up profiles to control the work entering your system. The following sections identify the appropriate values for each type of work.





Copyright IBM Corporation 1990, 2014