Thursday, February 19, 2009

Quick and Dirty Guide to Adding Users and Groups to the RACF Database

On occasion you may have the need to give a new user access to your system. As with anything else on the mainframe, there are about a million options but thankfully you really only need to concern yourself with a few of them. The first thing you need to understand is the concept of groups. RACF groups are a collection of users, grouped together to allow the system programmer (that's you!) an easy way to manage access lists. In other words, if you have 50 users that require access to a data set, rather than grant them access individually, you can put them in a group and give the group access to the data set. Cool, huh?

When creating a group, there are two attributes that you need to think about. They are

1) who the group owner is (can be another group)

2) whether or not this is a Unix System Services group (if it is, you may need to specify a GID)

It should be noted that it is not required that a group is created when a new user is added to the RACF database. Use the ADDGROUP command to add a RACF group. Here are a few examples from the RACF Security Administrator's Guide (ch 3, pg 59)

For example, to create a group for Department A called DEPTA whose owner and superior group is to be a group called ALLDEPT, enter:


To then connect users to that group, use the CONNECT command. For example, to connect department members SUE, LIZ, and GENE to the DEPTA group and also give LIZ and SUE authority to add new users to the group, enter:



If the group is to own group data sets create a top generic profile for the group data sets in the DATASET class. For example:


If the group requires access to RACF-protected resources, give the group the required access using the PERMIT command. For example:


If the group requires access to z/OS UNIX resources, alter the profile to include an OMVS segment with an z/OS UNIX group identifier (GID). For example:


The next thing you need to dig is the concept of profiles. RACF is made up of profiles, and profiles are composed of segments. The base segment is composed of RACF specific stuff. Products also have segments in the profile. When you define a user to the RACF database, you also can define segments of that profile that specify what kind of access that user has to various products that are installed on the system. For example, when you define a new user to RACF, you may also want to define a TSO segment so TSO knows to use RACF (as opposed to its own UADS (User Attribute Dataset) dataset) to authenticate said user at login time. Use the ADDUSER command to add a user. Here are some things to remember when adding a new user:

1) Unless you specify a default password, the password for the new user will be the name of the group to which you add the user make sure you use a valid logon proc (IKJACCNT and ISPFPROC are good basic ones to start with)

2) You can apply the attributes SPECIAL, OPERATIONS, and AUDIT to a new user to give them access to protected system resources.
- SPECIAL does not automatically give the user access to data, but does give him/her the ability to grant him/herself permission to said data. Another way to look at the SPECIAL user is someone who has the ability to execute protected system commands.
- OPERATIONS has access to data, but not to protected system commands
- AUDIT gives the user the ability to view logs, and specify logging options

Here's more of the ADDUSER command, again from RACF Security Administrator's Guide (ch3 pg 92)

To create the user profile, you can use any of the following methods:

1) Issuing the ADDUSER command.
2) Enrolling the user through the TSO/E Information Center Facility (ICF) panels.

Here is an example of using the ADDUSER command to create a user profile. Suppose you want to create a user profile for user Steve H., a member of Department A. You want to assign the following values: STEVEH for the user ID DEPTA for the default connect group DEPTA for the owner of the STEVEH user profile R3I5VQX for the initial password Steve H. for the user’s name Steve H. does not require any of the user profile segments except TSO. The TSO segment values that you want to set to start with are 123456 for the account number and PROC01 for the logon procedure. To create a user profile with these values, enter:


You then want to create a top generic profile for the user in the DATASET class using the ADDSD command. For example, if the user’s user ID is STEVEH, enter:


Well, that's about it. Note that you can use generic RACF profiles to protect more than one resource. This can be done with the use of the '*' wildcard (also known as the splat). Generic profiles saves you the trouble of having to create a unique profile for every little thing on the system. Last but not least, if you want RACF to protect all non-defined system resources, issue the command:


No comments:

Post a Comment