z/OS Security Server RACF Security Administrator's Guide


Translating security information

SA23-2289-00

You can avoid having to maintain identical user IDs, group names, and security labels in RACF® databases throughout a network by translating inbound user IDs, group names, and security labels into predefined values defined at your node.

Use the ADDMEM operand on the RDEFINE or RALTER command to specify the translation values for inbound security information. For example, if you want all inbound work with a security label of VERYCONF to be translated to a security label of NOLOOKAT at your system, enter:
RDEFINE NODES *.SECL*.VERYCONF ADDMEM(NOLOOKAT) UACC(READ)
Note:
  1. Specify only one value with the ADDMEM operand. If you specify multiple values, RACF stores them in the NODES profile but translates using only the last one specified.

    Restriction: When more than one value is defined in a NODES profile, you cannot use the RLIST command to determine which value was the last one specified.

    Guideline: If one or more values are already defined in a NODES profile, use the DELMEM operand to remove them before specifying the new value.

  2. For jobs, an ADDMEM of &SUSER is ignored, because the NODES profile lookup for jobs automatically handles submitter information. The profile is treated as though no ADDMEM were specified. For more information on &SUSER, see Validating SYSOUT based on the submitter.
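
The guideline in note 1, carried through as a command sequence (an added example, not part of the original guide). It assumes the profile from the RDEFINE example above already holds NOLOOKAT and that the replacement label INTERNAL, a hypothetical name, is defined in the SECLABEL class at your node:

```tso
RLIST NODES *.SECL*.VERYCONF ALL
RALTER NODES *.SECL*.VERYCONF DELMEM(NOLOOKAT)
RALTER NODES *.SECL*.VERYCONF ADDMEM(INTERNAL)
SETROPTS RACLIST(NODES) REFRESH
RLIST NODES *.SECL*.VERYCONF ALL
```

The first RLIST shows every value currently stored in the profile; issue one DELMEM for each of them so that the final RLIST shows INTERNAL as the only remaining value. Keeping the profile at a single value is what makes the translation result auditable, because RLIST cannot show which of several values RACF would use.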

If you do not define profiles that translate inbound user IDs, group names, and security labels, those inbound values must be defined in your RACF database or the work does not pass RACF validation.

Note: If the SECLABEL class is not active on your system, inbound security labels are ignored.





Copyright IBM Corporation 1990, 2014