About deleting both user catalog and RACF group

 
feng hao

New User


Joined: 26 Mar 2008
Posts: 44
Location: China

Posted: Mon Mar 22, 2010 11:47 am    Post subject: About deleting both user catalog and RACF group

Background: Application sunset.

I have things as below:
--------------------------
1. User catalog: APP and APPIV
2. RACF group: APPGRP to which user ID (user1 and user2) are connected
3. Dataset profile: APP.*, whose access list is APPGRP(read) and FENG(alter)
   APPIV.*, whose access list is APPGRP(read) and LIU(alter)
4. Dataset: APP.DS1 and APPIV.DS2

My confusion is that, when I wanna delete both the user catalog and RACF group, what is the correct order, which will ensure both deleting all the things and will not make any non-integrity.

And also some question is as following, correct me if I was wrong.
1. One resource, just like dataset, whose profile's access list is user1(read), when I wanna delete the dataset profile, is it necessary to revoke user1's read authority from the dataset profile in advance? Otherwise, it will bring non-integrity?
My opinion: I used LISTUSER(user1), and find no information in the user profile about its authority of the dataset's access. So, I think deletion of the dataset profile directly is good enough.

2. Another case, the object changes from user1 to RACF group1, and I checked the reference, and it doesn't say there will be the information just like dataset's access information, in the group profile, so, I think deletion of the dataset profile directly is good enough too, even when the dataset profile's access list has group1(read).

3. The same as deletion of dataset profile, when we wanna delete a RACF group, do we need to delete the users or groups which have been connected to this RACF group in advance? I am not sure of it. Firstly, I indeed find the link information in user profile by LISTUSER command, however, I don't know whether "the system" will maintain the relationship automatically, which means it will delete the information in user profile after we deleted the RACF group profile.

4. As the toppest question, when everything is deleted except the user catalog and RACF group, is their deletion order important, otherwise, anyone could be deleted first.

Thank you very much!

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Mon Mar 22, 2010 5:03 pm

1) Delete the dataset - also removes the entry from the USERCAT
2) Delete ALL RACF profiles that protect the dataset.
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8165
Location: East Dubuque, Illinois, USA

Posted: Mon Mar 22, 2010 5:16 pm

The answers to your questions are all in the Security Server bookshelf -- which you probably should spend a LOT of time reading, since it does not appear you have the knowledge of RACF you should in order to do what you're asking.

1. If you delete a data set profile, all user profiles for access to that data set(s) are removed by RACF.
2. Individual user ids are not typically granted access; normally groups are granted access in RACF so new people can just be connected to the group to be granted the access their position requires.
3. RACF controls by access, not by user, so looking at a user to see what access they have is completely useless -- you have to look at the group(s) the user belongs to and what data sets that group (or user id) have been granted access to.
4. If you delete a RACF group, the users in that group will no longer be connected and therefore lose whatever data set access the group granted.
5. It typically won't matter if you delete the RACF profiles or the user catalog entries since without the profile only default universal access will apply, and deleting the data sets then the user catalog means the RACF profile isn't pointing at anything.
feng hao

New User


Joined: 26 Mar 2008
Posts: 44
Location: China

Posted: Wed Apr 21, 2010 9:13 pm

Due to some personal affair, I come back to reply late.
I am very sorry for it, and thank you very, very much for your reply, Robert, and expat.

Yes, Robert, I had little knowledge of RACF as an application developer before I took on this project. So I appreciate very much that you have given me so much advice. And I still want to make some confirmation after your advice.

1. There's a dataset profile called d1, a TSO user ID called u1 and a RACF group called g1(u1 is not connected to g1).
Now, in d1's access list, u1 and g1 are here.
At this time, if I delete d1, there will be no non-integrity on u1 and g1 side, am I right, Robert?

2. Now, we have RACF group g1 and another TSO user ID u2.
And u2 has been connected to g1.
At this time, if I delete g1, there will be no non-integrity on u2's side.
Am I right, Robert?

I also have some doubts to ask for your confirmation. But I prefer to read more books and then come back to talk with you, and that will help me more.

Thank you very much!!
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8165
Location: East Dubuque, Illinois, USA

Posted: Wed Apr 21, 2010 10:54 pm

1. If you delete the data set, the RACF profile remains. u1 and g1 are listed as having access to a non-existent data set, so there's no integrity exposure.

2. When you delete g1, u2 will lose the membership in g1. There may be side effects -- where the system was using u2's membership in g1 to determine access to a data set, for example -- but all the other memberships of u2 remain as is. There won't be an integrity exposure, but u2 may lose some access previously held.

If the system was set up correctly, almost all access is generic (HLQ.MLQ.* in the RACF profile, for example) and given to groups not user ids. This limits the exposure as well since a new dataset created as HLQ.MLQ.NEW.DATA.SET is automatically included in the existing generic profile, whereas using fully qualified data set names in the profiles would require a RACF change for every new data set.
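The sequence described in the answers above, written out as a batch job for the objects named in the first post. This is an added example, not something posted by the participants; the job card values are placeholders, and it assumes APPGRP has no subgroups and is not the default group of USER1 or USER2.

```jcl
//APPSUNST JOB (ACCT),'APP SUNSET',CLASS=A,MSGCLASS=X
//* Added example. Job card values are placeholders.
//* Step 1: record the current state before changing anything.
//REVIEW   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTGRP APPGRP
  LISTDSD DATASET('APP.*') GENERIC AUTHUSER
  LISTDSD DATASET('APPIV.*') GENERIC AUTHUSER
/*
//* Step 2: delete the data sets; this also removes their
//* entries from the user catalog.
//DELDS    EXEC PGM=IDCAMS,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DELETE APP.DS1
  DELETE APPIV.DS2
/*
//* Step 3: delete the profiles that protected them, then
//* empty the group and delete it.
//* Assumption: APPGRP is not the default group of either
//* user and has no subgroups; otherwise RACF rejects the
//* REMOVE or the DELGROUP.
//RACFDEL  EXEC PGM=IKJEFT01,COND=(0,NE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  DELDSD 'APP.*' GENERIC
  DELDSD 'APPIV.*' GENERIC
  REMOVE USER1 GROUP(APPGRP)
  REMOVE USER2 GROUP(APPGRP)
  DELGROUP APPGRP
/*
//* Step 4: confirm nothing is left under either high-level
//* qualifier before the user catalogs themselves are removed.
//* Each command should report that nothing was found.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SEARCH MASK(APP) CLASS(DATASET)
  LISTGRP APPGRP
  LISTCAT LEVEL(APP)
  LISTCAT LEVEL(APPIV)
/*
```

References to APPGRP in profiles outside APP.* and APPIV.* are not touched by this job; the RACF remove ID utility (IRRRID00) can be run afterwards to find them.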
feng hao

New User


Joined: 26 Mar 2008
Posts: 44
Location: China

Posted: Thu Apr 22, 2010 8:43 am

Thank you so much, Robert.

I have got the answer from your advice.
All times are GMT + 6 Hours

 
