Like generic profiles, resource group class profiles enable you to protect multiple resources with one profile. However, the resources need not have similar names.
A resource group profile is a general resource profile with the following special characteristics:
- Its name does not match the resources it protects.
- The ADDMEM operand (not the profile name itself) specifies the resources it protects.
- Its class is a resource group class or grouping class (for example, GTERMINL or GDASDVOL).
- The related member class (not the resource group class itself) must be RACLISTed. For example, the TERMINAL class must be RACLISTed, not the GTERMINL class. Depending on the class, RACLISTing is accomplished using the SETROPTS command or RACROUTE REQUEST=LIST.
Example: The following command protects three terminals that have unlike names, M01RF267, M03RF168, and M04GG148:
RDEFINE GTERMINL DEPT35 UACC(NONE) ADDMEM(M01RF267 M03RF168 M04GG148)
Several resource group classes and related member classes are supplied with RACF®. Each one is marked in Supplied RACF resource classes as a member class or a grouping class, as appropriate.
Restriction: Certain member classes listed in Supplied RACF resource classes cannot be used with RACF commands because they are associated with resource grouping classes that have special uses. These classes are marked with this restriction.
To use resource group profiles, perform the following steps (terminals are used as a readily understood example):
- Create the resource group profile:
RDEFINE GTERMINL profile-name UACC(NONE) ADDMEM(resource-name-with-or-without-generic-character...)
where:
  - GTERMINL is the resource group class for terminals.
  - profile-name is a discrete profile name of your choice (generic characters are not allowed).
  - resource-name... is the name of the resource to be protected, for example, a terminal ID or DASD volume serial number. If you first activate generic profile checking for the related member class, you can include a generic character (*, **, or %) in the resource name.
- Grant the appropriate access to the appropriate users and groups.
In the following example, READ access is given to users in group GROUPA:
PERMIT DEPT35 CLASS(GTERMINL) ID(GROUPA) ACCESS(READ)
- When you are ready to start using the protection defined in the profiles, activate the member class. For classes other than the CICS® and IMS-related classes, you must also activate SETROPTS RACLIST processing for the member class.
For example, for terminals, issue the following command:
SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)
Note: Any time you make a change to a GTERMINL profile, you must also refresh SETROPTS RACLIST processing for the TERMINAL class for the change to take effect.
SETROPTS RACLIST(TERMINAL) REFRESH
For CICS and IMS-related classes, you only need to activate the class (you cannot request RACLIST processing using the SETROPTS command).
SETROPTS CLASSACT(TIMS)
Note: If an application uses RACROUTE REQUEST=LIST,GLOBAL=YES to RACLIST a class, you can use SETROPTS RACLIST(classname) REFRESH to refresh the class. This includes the CICS and IMS™ classes that can't be RACLISTed with the SETROPTS RACLIST command.
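The following Python check is an added example, not part of the RACF documentation or any IBM tooling. It reviews a RACF change script against three rules stated above: a grouping class profile name must not contain generic characters, the member class (not the grouping class) is the one to RACLIST, and a change to a grouping class profile takes effect only once the member class is RACLISTed or refreshed. Assumptions: one unabbreviated command per line with no continuation lines, RALTER and RDELETE are treated as profile changes alongside RDEFINE and PERMIT, the class table holds only the two pairs named on this page, and the sample script is constructed.

```python
import re

# Grouping class -> member class pairs named on this page; extend for your site.
MEMBER_CLASS = {"GTERMINL": "TERMINAL", "GDASDVOL": "DASDVOL"}

def lint(commands):
    """Return (line_no, message) findings for one-command-per-line RACF input."""
    findings, pending = [], {}  # pending: member class -> line of first unloaded change
    for no, raw in enumerate(commands, 1):
        cmd = raw.strip().upper()
        words = cmd.split()
        if not words:
            continue
        verb = words[0]
        if verb == "SETROPTS":
            m = re.search(r"\bRACLIST\s*\(([^)]*)\)", cmd)
            for cls in re.split(r"[,\s]+", m.group(1).strip()) if m else []:
                if cls in MEMBER_CLASS:
                    findings.append((no, f"RACLIST the member class {MEMBER_CLASS[cls]}, not {cls}"))
                # Assumption: initial RACLIST and RACLIST ... REFRESH both load current profiles.
                pending.pop(cls, None)
            continue
        if verb in ("RDEFINE", "RALTER", "RDELETE") and len(words) >= 3:
            cls, profile = words[1], words[2]
        elif verb == "PERMIT" and len(words) >= 2:
            m = re.search(r"\bCLASS\s*\((\w+)\)", cmd)
            cls, profile = (m.group(1) if m else ""), words[1]
        else:
            continue
        if cls not in MEMBER_CLASS:
            continue
        if verb == "RDEFINE" and re.search(r"[*%]", profile):
            findings.append((no, f"generic character in {cls} profile name {profile}"))
        pending.setdefault(MEMBER_CLASS[cls], no)
    for member, no in sorted(pending.items(), key=lambda kv: kv[1]):
        findings.append((no, f"change not followed by SETROPTS RACLIST({member}) REFRESH"))
    return findings

# Constructed sample change script (not from a real system).
SAMPLE = [
    "RDEFINE GTERMINL DEPT35 UACC(NONE) ADDMEM(M01RF267 M03RF168 M04GG148)",
    "PERMIT DEPT35 CLASS(GTERMINL) ID(GROUPA) ACCESS(READ)",
    "SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)",
    "RALTER GTERMINL DEPT35 ADDMEM(M05XX001)",
    "RDEFINE GDASDVOL VOL* UACC(NONE) ADDMEM(VOL001 VOL002)",
    "SETROPTS RACLIST(GDASDVOL) REFRESH",
]

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```

Lines 1 to 3 of the sample follow the documented procedure and produce no findings; the remaining lines each break one of the rules.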