vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1745 Location: Tirupur, India

Hi,
Could you please let me know if it is possible to change my RACF by executing a batch job or a REXX exec.
We have a requirement to change our RACF groups whenever we submit specific jobs. So I wanted to know if this can be done by some utility or EXEC.

expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8796 Location: Welsh Wales

I think not, unless you have RACF SPECIAL privileges.
Your default group would be used as default.

enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10889 Location: italy

what's wrong with using the "GROUP" parameter in the JOB card?

expat

But if you are connected to the group anyway, any authority related to that group and not your default group should be picked up as a matter of course.

vasanthz

Thanks for the swift reply,
I have not come across the GROUP parameter. I will read about it and try it out now.
We have many RACF groups like GCDCOM4, GCDSRSUP, and some other GCD thingies.
We change the RACF groups through option 6 (command) from ISPF with the following command: "ALU XK89 DFLTGRP(RACFNAME)"
I was about to explain my situation to "EXPAT", but in the process found a technique for doing this.
I have come across executing TSO commands through batch and I guess that could solve the problem.
//XK89CA7 JOB 1,'BATCH CA7',MSGCLASS=Y,CLASS=1,NOTIFY=&SYSUID
//PS010 EXEC PGM=IKJEFT01
//SYSTSIN DD *
ALU XK89 DFLTGRP(GCDCOM4)
/*
//SYSTSPRT DD SYSOUT=*
This worked fine.
Nice coming across GROUP parameter.
Apologies if I had wasted your time

enrico-sorichetti

I wonder why You need to change the default group...
never had the need to do it (if the racf setup has been done properly)
the security auditors will certainly be happy for all the alter group commands being given without reason

vasanthz

Hi Enrico,
It's a little complex to explain my situation.
We have many interfacing systems at our shop and each system's files have their own RACF group associated with them.
The access is not tailored for individual TSO users.
The system files are restricted only to specific RACF groups.
So when we want to access some other system's files, we are forced to change the RACF.

enrico-sorichetti

does your support know about the GRPACC option ????

vasanthz

GRPACC?
No.
Never heard of it. Is it some RACF control command?

enrico-sorichetti

it's an attribute of a racf user by which a user can access all the resources
for all groups to which the user is connected...
without grpacc at logon or job initiation
the user MUST choose using the GROUP keyword the group to work with
and access will be granted only to the resources of that group
with grpacc the user will access with the proper privileges all the resources
for all groups to which the user is connected

vasanthz

Hi Enrico,
Thanks for sharing the GRPACC,
I gave the "lu" command on ISPF option 6. It displays the below information. I believe there are no attributes set for my ID.
Code:
USER=XK89 NAME=VASANTH.SHANMUGAM OWNER=GINDIA CREATED=03.261
DEFAULT-GROUP=GCDDLTST PASSDATE=08.282 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=08.304/12:46:36
CLASS AUTHORIZATIONS=NONE
INSTALLATION-DATA=HID=VASANTH SHANMUGAM,IT PERM C/O SUNDARA VINAYAGA
M,CONNECT GROUP GCDRET3A REMOVED SEE EMAIL IN NOV0
6
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)

Please let me know how to set this attribute.

enrico-sorichetti

Hi Vasanthz
I had another issue going on where GRPACC was involved
and I mixed up things a bit
GRPACC might be involved, but usually at the very end of the chain
(rough explanation... it concerns the permission for other members of the group to access resources created by a user when connected to that group)
I have been running some tests with two users and two groups to find
out if there was any reason to change the default group
as far as datasets are concerned by having the two users connected to the
two groups with the proper permissions
the tests for both users were ...
create, read, delete dataset for the primary/default group
the same for the other connect group
without even changing the group with the job card
I have been researching but was not able to find any reason
for dataset access, at least, to change the default connect group

Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2596 Location: Silicon Valley

The system RACF options have to allow list-of-groups access checking. Then the permissions will work for any group you are connected to, regardless of your current group. I think that is preferred rather than having each person do meticulous things to get their job done.
The system programmer has to issue this command:

enrico-sorichetti

well said Pedro !!

vasanthz

Hi Enrico,
Actually I am a software programmer and am not very aware of RACF security.
I have had the perception that the only way to access multiple systems' files is to change the RACF. I will check with my info security buddies and try to get the SETROPTS GRPLIST option ON.
I hope they don't kick me out since this is the Christmas critical period.
Quote:
the tests for both users were ...
create, read, delete dataset for the primary/default group
the same for the other connect group
without even changing the group with the job card
I have been researching but was not able to find any reason
for dataset access, at least, to change the default connect group

Thanks for testing this scenario
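
Added example (not part of any post in this thread): a simplified Python model of the group check discussed above, comparing access with and without list-of-groups checking (SETROPTS GRPLIST) and with the GROUP parameter on the JOB card. The group connections and dataset profile names are constructed assumptions, and the model ignores other RACF checks such as OPERATIONS and the global access table.

```python
# Added example: simplified model of RACF group-based access checking.
# Ignores OPERATIONS, the global access table, conditional access lists, etc.
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class User:
    userid: str
    default_group: str
    connects: frozenset  # every group the user is connected to

@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user ID or group -> level

def granted_level(user, profile, grplist, current_group=None):
    """Return the access level the model grants for one request."""
    group = current_group or user.default_group  # GROUP= on the JOB card, else default
    if group not in user.connects:
        raise PermissionError(f"{user.userid} is not connected to {group}")
    if user.userid in profile.access_list:  # an explicit user entry wins
        return profile.access_list[user.userid]
    # Without list-of-groups checking only the current connect group counts;
    # with it, every connected group does and the highest level is used.
    groups = user.connects if grplist else {group}
    levels = [profile.access_list[g] for g in groups if g in profile.access_list]
    return max(levels, key=LEVELS.index) if levels else profile.uacc

def allowed(user, profile, wanted, grplist, current_group=None):
    got = granted_level(user, profile, grplist, current_group)
    return LEVELS.index(got) >= LEVELS.index(wanted)

# Constructed sample data: the group connections and profile names are assumptions.
XK89 = User("XK89", "GCDDLTST", frozenset({"GCDDLTST", "GCDCOM4", "GCDSRSUP"}))
COM4 = Profile("GCDCOM4.**", access_list={"GCDCOM4": "UPDATE"})
OTHER = Profile("GCDRET3A.**", access_list={"GCDRET3A": "READ"})

if __name__ == "__main__":
    for grplist in (False, True):
        for grp in (None, "GCDCOM4"):
            ok = allowed(XK89, COM4, "UPDATE", grplist, grp)
            print(f"GRPLIST={grplist!s:5} GROUP={grp or '(default)':9} -> {ok}")
    print("not connected:", allowed(XK89, OTHER, "READ", True))
```

In this model the only case that fails for a connected group is the default connect group with list-of-groups checking off; a group the user is not connected to is refused either way.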