Converting To & From RACF Universal Groups

5 Pages

With RACF for z/OS 1.2, IBM introduced the RACF UNIVERSAL group. What differentiates a RACF UNIVERSAL group from a standard RACF group? A RACF UNIVERSAL group can have an unlimited number of AUTH(USE) userids connected to it, provided the AUTH(USE) userids don’t have GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL privileges. Since RACF maintains the group connect information for a userid with AUTH(USE) authority connected to a UNIVERSAL group only in the userid data, there’s no limit to the number of userids with AUTH(USE) authority that can be connected to a UNIVERSAL group.

Why is this significant? Since a standard RACF group is limited to 5,957 connected members, sites that use RACF that aren’t using UNIVERSAL groups are limited to connecting a maximum of 5,957 userids to a standard group. By disassociating AUTH(USE) users from a group connect entry, a UNIVERSAL group can have an almost unlimited number of connected userids.

Creating a RACF UNIVERSAL Group

It’s a simple process to create a RACF UNIVERSAL group. When adding a new group into the RACF environment, simply include the UNIVERSAL attribute on the ADDGROUP command. In its most basic format, the command to add a new UNIVERSAL group would look as follows, where “ugroup” is the name of the group to be added into the RACF environment:

  ADDGROUP ugroup UNIVERSAL

With standard RACF commands, group creation is the only opportunity to assign the UNIVERSAL attribute to a group. No RACF command allows a standard group to be converted to a UNIVERSAL group or vice versa.

Using a RACF UNIVERSAL Group

Under normal circumstances, the benefit or need for a RACF UNIVERSAL group may not become apparent until long after a group has been created. If you realize that a standard RACF group would be more useful as a UNIVERSAL group, what can you do? No ALTGROUP command option allows changing a standard group to a UNIVERSAL group.

How could you “convert” a standard RACF group into a UNIVERSAL group? Using available RACF commands and utilities, the process would be similar to the following:

  • List the group and capture the connected userids and authority information.
  • Parse the list output to build REMOVE commands for each userid.
  • Parse the list output to build CONNECT commands for each userid (capturing the AUTH indicator and any GROUP-AUDITOR, GROUP-OPERATIONS, and/or GROUP-SPECIAL indications).
  • List the affected userids to determine if their default group is the group in question.
  • Temporarily reassign userids who have this group as their default group to a different default group.
  • REMOVE all the userids from the group in question.
  • Delete the group in question.
  • Add the group back into RACF with the UNIVERSAL flag.
  • Reconnect all the userids back into the newly defined UNIVERSAL group.
  • Reset any userids whose default group needed to be temporarily reassigned.
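The steps above can be driven from the LISTGRP output itself. The following Python helper is an added example, not a utility from the article or from IBM: it parses a constructed LISTGRP listing (shaped like real output, with a USER(S)= table and a CONNECT ATTRIBUTES= line per connect), takes a constructed map of each userid's current default group, and emits the command sequence in the order the list describes. The group name UGROUP, the userids, the holding group TEMPGRP and the sample listing are all assumptions; check the parser against your own LISTGRP output before relying on the generated commands.

```python
"""Build the RACF command sequence that rebuilds a standard group as a UNIVERSAL
group, driven by parsed LISTGRP output. Hypothetical helper, not an IBM utility.
The LISTGRP text below is a constructed sample, not captured from a real system.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LISTGRP = """\
INFORMATION FOR GROUP UGROUP
    SUPERIOR GROUP=SYS1        OWNER=IBMUSER   CREATED=01.100
    NO INSTALLATION DATA
    NO MODEL DATA SET
    TERMUACC
    NO SUBGROUPS
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
      USER01        USE          000000             NONE
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                 RESUME DATE=NONE
      USER02        CONNECT      000003             READ
         CONNECT ATTRIBUTES=SPECIAL OPERATIONS
         REVOKE DATE=NONE                 RESUME DATE=NONE
      USER03        USE          000000             NONE
         CONNECT ATTRIBUTES=AUDITOR
         REVOKE DATE=NONE                 RESUME DATE=NONE
"""

# Constructed: each userid's current default group, as LISTUSER would report it.
SAMPLE_DFLTGRP = {"USER01": "UGROUP", "USER02": "SYS1", "USER03": "UGROUP"}


@dataclass
class Connect:
    userid: str
    auth: str                                  # USE, CREATE, CONNECT or JOIN
    uacc: str                                  # universal access on the connect
    attrs: list = field(default_factory=list)  # SPECIAL / OPERATIONS / AUDITOR


@dataclass
class GroupInfo:
    name: str
    supgroup: str
    owner: str
    connects: list = field(default_factory=list)


def parse_listgrp(text):
    """Extract group name, superior group, owner and every connect from LISTGRP output."""
    info = None
    in_users = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"INFORMATION FOR GROUP (\S+)", line)
        if m:
            info = GroupInfo(m.group(1), "", "")
            continue
        m = re.search(r"SUPERIOR GROUP=(\S+)\s+OWNER=(\S+)", line)
        if m and info is not None:
            info.supgroup, info.owner = m.group(1), m.group(2)
            continue
        if line.startswith("USER(S)="):
            in_users = True
            continue
        if not in_users:
            continue
        if line.startswith("CONNECT ATTRIBUTES="):
            attrs = line.split("=", 1)[1].split()
            info.connects[-1].attrs = [a for a in attrs if a != "NONE"]
        elif line.startswith("REVOKE DATE="):
            continue
        else:
            parts = line.split()
            if len(parts) >= 4:            # userid  auth  access-count  uacc
                info.connects.append(Connect(parts[0], parts[1], parts[3]))
    return info


def still_uses_group_entry(c):
    """True if this connect still occupies a group-side entry in a UNIVERSAL group:
    only AUTH(USE) connects with no group-level privilege live in the user data alone."""
    return c.auth != "USE" or bool(c.attrs)


def build_commands(info, dfltgrp, holding_group="TEMPGRP"):
    """Emit the rebuild sequence in the article's order. holding_group is a
    placeholder for an existing group used to park default-group assignments."""
    g = info.name
    cmds = []
    # A user cannot be removed from its default group, and the group cannot be
    # deleted while it is anyone's default group, so park those users first.
    # DFLTGRP must name a group the user is already connected to, hence the
    # CONNECT before the ALTUSER.
    parked = [c.userid for c in info.connects if dfltgrp.get(c.userid) == g]
    for u in parked:
        cmds.append(f"CONNECT {u} GROUP({holding_group})")
        cmds.append(f"ALTUSER {u} DFLTGRP({holding_group})")
    for c in info.connects:
        cmds.append(f"REMOVE {c.userid} GROUP({g})")
    cmds.append(f"DELGROUP {g}")
    # Re-create with the same superior group and owner, now with UNIVERSAL.
    cmds.append(f"ADDGROUP {g} SUPGROUP({info.supgroup}) OWNER({info.owner}) UNIVERSAL")
    for c in info.connects:
        cmd = f"CONNECT {c.userid} GROUP({g}) AUTH({c.auth}) UACC({c.uacc})"
        if c.attrs:
            cmd += " " + " ".join(c.attrs)   # restore group-SPECIAL/OPERATIONS/AUDITOR
        cmds.append(cmd)
    for u in parked:
        cmds.append(f"ALTUSER {u} DFLTGRP({g})")
        cmds.append(f"REMOVE {u} GROUP({holding_group})")
    return cmds


if __name__ == "__main__":
    grp = parse_listgrp(SAMPLE_LISTGRP)
    for line in build_commands(grp, SAMPLE_DFLTGRP):
        print(line)
    kept = [c.userid for c in grp.connects if still_uses_group_entry(c)]
    print(f"# connects still occupying group entries after conversion: {kept}")
```

The generated commands are meant to be reviewed and then run as a batch; the parked-user handling exists because REMOVE and DELGROUP both fail while the group is still someone's default group, and DELGROUP will also fail if the group has subgroups or still owns profiles, so check the SUBGROUPS line and the group's owned resources before running the sequence. The `still_uses_group_entry` check reflects the article's point that only AUTH(USE) connects without GROUP-SPECIAL, GROUP-OPERATIONS or GROUP-AUDITOR stop counting against the group once it is UNIVERSAL; listing the rest tells you how much of the limit the converted group still consumes.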

That’s a rather daunting task list.

There are real benefits to using a RACF UNIVERSAL group. Not having to be concerned about the number of connected userids is a significant benefit and may be sufficient to warrant conversion to use of a UNIVERSAL group.