z/OS Security Server RACF Security Administrator's Guide


Creating resource group profiles

SA23-2289-00

Like generic profiles, resource group class profiles enable you to protect multiple resources with one profile. However, the resources need not have similar names.

A resource group profile is a general resource profile with the following special characteristics:
  • Its name does not match the resources it protects.
  • The ADDMEM operand (not the profile name itself) specifies the resources it protects.
  • Its class is a resource group class or grouping class (for example, GTERMINL or GDASDVOL).
  • The related member class (not the resource group class itself) must be RACLISTed. For example, the TERMINAL class must be RACLISTed, not the GTERMINL class. Depending on the class, RACLISTing is accomplished using the SETROPTS command or RACROUTE REQUEST=LIST.
Example: The following command protects three terminals that have unlike names, M01RF267, M03RF168, and M04GG148:
RDEFINE GTERMINL DEPT35 UACC(NONE) ADDMEM(M01RF267 M03RF168 M04GG148)
Several resource group classes and related member classes are supplied with RACF®. Each one is marked in Supplied RACF resource classes as a member class or a grouping class, as appropriate.

Restriction: Certain member classes listed in Supplied RACF resource classes cannot be used with RACF commands because they are associated with resource grouping classes that have special uses. These classes are marked with this restriction.

To use resource group profiles, perform the following steps (terminals are used as a readily understood example):
  1. Create the resource group profile:
    RDEFINE GTERMINL profile-name UACC(NONE)
        ADDMEM(resource-name-with-or-without-generic-character...)
    where:
    GTERMINL
    is the resource group class for terminals.
    profile-name
    is a discrete profile name of your choice (generic characters are not allowed).
    resource-name...
    is the name of the resource to be protected, for example, a terminal ID or DASD volume serial number. If you first activate generic profile checking for the related member class, you can include a generic character (*, **, or %) in the resource name.
  2. Grant the appropriate access to the appropriate users and groups. In the following example, READ access is given to users in group GROUPA:
    PERMIT DEPT35 CLASS(GTERMINL) ID(GROUPA) ACCESS(READ)
  3. When you are ready to start using the protection defined in the profiles, activate the member class. For classes other than the CICS® and IMS-related classes (see footnote 1), you must also activate SETROPTS RACLIST processing for the member class.
    For example, for terminals, issue the following command:
    SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)
    Note: Any time you make a change to a GTERMINL profile, you must also refresh SETROPTS RACLIST processing for the TERMINAL class for the change to take effect.
    SETROPTS RACLIST(TERMINAL) REFRESH
    For CICS (see footnote 1) and IMS-related classes, you only need to activate the class (you cannot request RACLIST processing using the SETROPTS command).
    SETROPTS CLASSACT(TIMS)
    Note: If an application uses RACROUTE REQUEST=LIST,GLOBAL=YES to RACLIST a class, you can use SETROPTS RACLIST(classname) REFRESH to refresh the class. This includes the CICS and IMS™ classes that can't be RACLISTed with the SETROPTS RACLIST command.
Footnote 1: The FCICSFCT class is an exception. You can use SETROPTS RACLIST with that class.
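
The three rules in the steps above (discrete profile name, RACLIST the member class rather than the grouping class, refresh after every grouping-profile change) can be checked mechanically before a command script is run. The following Python lint is an added example, not IBM code; the function name `lint_racf_script` is hypothetical, and it assumes one complete, unabbreviated command per list element and covers only the GTERMINL/TERMINAL and GDASDVOL/DASDVOL pairs.

```python
import re

# Grouping class -> related member class. GTERMINL/TERMINAL is the page's pair;
# GDASDVOL/DASDVOL is the other supplied pair the page mentions.
GROUPING_TO_MEMBER = {"GTERMINL": "TERMINAL", "GDASDVOL": "DASDVOL"}

def lint_racf_script(commands):
    """Return sorted (line_no, message) findings for a list of RACF commands."""
    findings, pending = [], {}  # pending: member class -> line of unrefreshed change
    for no, raw in enumerate(commands, 1):
        cmd = raw.upper()
        words = cmd.split()
        verb = words[0] if words else ""
        if verb in ("RDEFINE", "RALTER", "RDELETE") and len(words) >= 3:
            cls, profile = words[1], words[2]
            if cls in GROUPING_TO_MEMBER:
                if "*" in profile or "%" in profile:
                    findings.append((no, f"{cls} profile name {profile} must be discrete"))
                pending[GROUPING_TO_MEMBER[cls]] = no
        elif verb == "PERMIT":
            m = re.search(r"CLASS\((\w+)\)", cmd)
            if m and m.group(1) in GROUPING_TO_MEMBER:
                pending[GROUPING_TO_MEMBER[m.group(1)]] = no
        elif verb == "SETROPTS":
            m = re.search(r"(?<!NO)RACLIST\(([^)]*)\)", cmd)
            for cls in re.split(r"[ ,]+", m.group(1).strip()) if m else []:
                if cls in GROUPING_TO_MEMBER:
                    findings.append((no, f"RACLIST member class {GROUPING_TO_MEMBER[cls]}, not {cls}"))
                pending.pop(cls, None)  # (re)loading the member class picks up changes
    for member, no in pending.items():
        findings.append((no, f"no SETROPTS RACLIST({member}) REFRESH after this change"))
    return sorted(findings)

# Constructed input: the page's sequence, then three deliberate mistakes.
SAMPLE = [
    "RDEFINE GTERMINL DEPT35 UACC(NONE) ADDMEM(M01RF267 M03RF168 M04GG148)",
    "PERMIT DEPT35 CLASS(GTERMINL) ID(GROUPA) ACCESS(READ)",
    "SETROPTS CLASSACT(TERMINAL) RACLIST(TERMINAL)",
    "RALTER GTERMINL DEPT35 ADDMEM(M05ZZ999)",          # constructed terminal ID
    "RDEFINE GDASDVOL VOL* UACC(NONE) ADDMEM(VOL001)",  # constructed names
    "SETROPTS RACLIST(GDASDVOL) REFRESH",
]

if __name__ == "__main__":
    for line_no, message in lint_racf_script(SAMPLE):
        print(f"line {line_no}: {message}")
```

The first three sample commands, taken from this page, produce no findings; the RALTER is flagged because nothing refreshes TERMINAL afterward.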





Copyright IBM Corporation 1990, 2014