I have things as below:
--------------------------
1. User catalog: APP and APPIV
2. RACF group: APPGRP to which user ID (user1 and user2) are connected
3. Dataset profiles: APP.*, whose access list is APPGRP(read) and FENG(alter)
   APPIV.*, whose access list is APPGRP(read) and LIU(alter)
4. Dataset: APP.DS1 and APPIV.DS2
My confusion is this: when I want to delete both the user catalog and the RACF group, what is the correct order, one which ensures that everything is deleted and does not leave anything in a non-integrity state?
I also have some questions, as follows; correct me if I am wrong.
1. Take a resource such as a dataset whose profile's access list is user1(read). When I want to delete the dataset profile, is it necessary to revoke user1's read authority from the dataset profile in advance? Otherwise, will it cause non-integrity?
My opinion: I used LISTUSER(user1) and found no information in the user profile about its authority to access the dataset. So I think deleting the dataset profile directly is good enough.
2. Another case: the object changes from user1 to RACF group1. I checked the reference, and it does not say that information like the dataset's access information is kept in the group profile, so I think deleting the dataset profile directly is good enough here too, even when the dataset profile's access list has group1(read).
3. As with deletion of a dataset profile, when we want to delete a RACF group, do we need to delete the users or groups which have been connected to this RACF group in advance? I am not sure of it. I did find the link information in the user profile with the LISTUSER command; however, I do not know whether "the system" maintains the relationship automatically, which would mean it deletes the information in the user profile after we delete the RACF group profile.
4. As the top question: when everything is deleted except the user catalog and the RACF group, is their deletion order important, or can either be deleted first?
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
The answers to your questions are all in the Security Server bookshelf -- which you probably should spend a LOT of time reading, since it does not appear you have the knowledge of RACF you should in order to do what you're asking.
1. If you delete a data set profile, all user profiles for access to that data set(s) are removed by RACF.
2. Individual user ids are not typically granted access; normally groups are granted access in RACF so new people can just be connected to the group to be granted the access their position requires.
3. RACF controls by access, not by user, so looking at a user to see what access they have is completely useless -- you have to look at the group(s) the user belongs to and what data sets that group (or user id) have been granted access to.
4. If you delete a RACF group, the users in that group will no longer be connected and therefore lose whatever data set access the group granted.
5. It typically won't matter if you delete the RACF profiles or the user catalog entries since without the profile only default universal access will apply, and deleting the data sets then the user catalog means the RACF profile isn't pointing at anything.
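The sequence the reply above describes, written out as one batch job so the dependencies are visible in order. This is an added example, not code from the original thread or from IBM documentation. The job card, the catalog names UCAT.APP and UCAT.APPIV (with APP and APPIV assumed to be their aliases in the master catalog) and the fallback default group OTHGRP are assumptions; APP.* and APPIV.* are assumed to be generic profiles. It goes slightly beyond the reply in one respect: the data sets are deleted while their profiles still exist, so there is no window in which a data set is left with only default universal access.

```jcl
//RACFCLN  JOB (ACCT),'TEARDOWN APP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: delete the data sets first, while APP.* and APPIV.* still
//*         protect them. Nothing is left unprotected in between.
//DELDS    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DELETE APP.DS1
  DELETE APPIV.DS2
/*
//*
//* Step 2: RACF cleanup. DELDSD removes the profile together with its
//*         access list, so no PERMIT ... DELETE of APPGRP/FENG/LIU is
//*         needed beforehand. The connections are removed explicitly
//*         before DELGROUP; because a user cannot be removed from
//*         their default group, USER1/USER2 are first moved to OTHGRP
//*         (assumed name; they must already be connected to it).
//*         The LISTDSD/LISTGRP output is kept as a record of what was
//*         deleted; check SYSTSPRT for every command's result.
//RACF     EXEC PGM=IKJEFT01,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTDSD DATASET('APP.*')   GENERIC AUTHUSER
  LISTDSD DATASET('APPIV.*') GENERIC AUTHUSER
  LISTGRP APPGRP
  DELDSD  'APP.*'   GENERIC
  DELDSD  'APPIV.*' GENERIC
  ALTUSER (USER1 USER2) DFLTGRP(OTHGRP)
  REMOVE  (USER1 USER2) GROUP(APPGRP)
  DELGROUP APPGRP
  LISTUSER (USER1 USER2)
/*
//*
//* Step 3: the catalogs, last. LISTCAT shows whatever is still
//*         cataloged; DELETE USERCATALOG fails if the catalog is not
//*         empty, which is the check you want (do not use FORCE).
//*         UCAT.APP / UCAT.APPIV are assumed catalog names; APP and
//*         APPIV are their aliases in the master catalog.
//DELCAT   EXEC PGM=IDCAMS,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  LISTCAT CATALOG(UCAT.APP)   NAME
  LISTCAT CATALOG(UCAT.APPIV) NAME
  DELETE  APP   ALIAS
  DELETE  APPIV ALIAS
  DELETE  UCAT.APP   USERCATALOG
  DELETE  UCAT.APPIV USERCATALOG
/*
```

Each step is skipped if an earlier one ended non-zero, so a catalog is never deleted underneath data sets or profiles that are still there. The LISTUSER at the end of step 2 should no longer show APPGRP under the users' group connections. What DELGROUP does not do is remove APPGRP from access lists of other profiles elsewhere in the database; if the group was permitted to anything outside APP.* and APPIV.*, run the RACF remove ID utility (IRRRID00) against APPGRP to find and clean up those residual entries.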
Due to a personal matter, I am late in replying.
I am very sorry for it, and thank you very, very much for your replies, Robert and expat.
Yes, Robert, I had little knowledge of RACF as an application developer before I took on this project, so I appreciate very much that you have given me so much advice. I still want to confirm a few things after reading your advice.
1. There's a dataset profile called d1, a TSO user ID called u1 and a RACF group called g1(u1 is not connected to g1).
Now, both u1 and g1 are in d1's access list.
At this point, if I delete d1, there will be no non-integrity on the u1 and g1 side, am I right, Robert?
2. Now, we have RACF group g1 and another TSO user ID u2.
And u2 has been connected to g1.
At this point, if I delete g1, there will be no non-integrity on u2's side.
Am I right, Robert?
I also have some other doubts to ask you about, but I prefer to read more first and then come back to talk with you; that will help me more.
Joined: 06 Jun 2008 Posts: 8697 Location: Dubuque, Iowa, USA
1. If you delete the data set, the RACF profile remains. u1 and g1 are listed as having access to a non-existent data set, so there's no integrity exposure.
2. When you delete g1, u2 will lose the membership in g1. There may be side effects -- where the system was using u2's membership in g1 to determine access to a data set, for example -- but all the other memberships of u2 remain as is. There won't be an integrity exposure, but u2 may lose some access previously held.
If the system was set up correctly, almost all access is generic (HLQ.MLQ.* in the RACF profile, for example) and given to groups not user ids. This limits the exposure as well since a new dataset created as HLQ.MLQ.NEW.DATA.SET is automatically included in the existing generic profile, whereas using fully qualified data set names in the profiles would require a RACF change for every new data set.