Security

Converting To & From RACF Universal Groups

5 Pages

Using the CNV2UGRP Utility

You can use the CNV2UGRP utility to convert a RACF standard group to a RACF UNIVERSAL group, in place. The utility does this using a combination of RACROUTE and ICHEINTY macro calls. One of the first things the utility does is determine whether the RACF level is sufficiently high (at least at z/OS 1.2) for a conversion to a RACF UNIVERSAL group to be feasible. If the RACF level is sufficient to support UNIVERSAL groups, the utility then extracts the specified group’s connect count, UNIVERSAL group flag, and userid connect information. If the group is already a UNIVERSAL group, the utility gracefully terminates. If the current connect count is zero, the only thing that needs to happen is to set the UNIVERSAL group flag for the group. If there are connected userids, then the fun begins!

For each userid in the connect list for this group, a check is made to determine whether the userid has AUTH(USE) authority. If it does, a check is made against the GROUP-AUDITOR, GROUP-OPERATIONS, and GROUP-SPECIAL flags. If the userid doesn’t have AUTH(USE) authority, or if any of the GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL flags are set, this userid is left connected to the group. If the userid does have AUTH(USE) authority and none of the GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL flags are set, the userid is disconnected from the group. (This applies to just the group, not the group connect information maintained in the userid itself.)

When all the group connected userids have been processed, the UNIVERSAL group flag is turned on for the specified group and, like magic, the standard group has been converted into a UNIVERSAL group.
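The per-userid decision described above, modeled as a dry run in Python. This is an added example, not the CNV2UGRP source (which is assembler using RACROUTE and ICHEINTY); the `Connect` record, the function names, and the sample userids are constructed for illustration.

```python
from dataclasses import dataclass

# Group-level connect attributes that keep a userid in the group's connect list.
GROUP_FLAGS = ("special", "operations", "auditor")

@dataclass(frozen=True)
class Connect:
    userid: str
    auth: str                 # USE, CREATE, CONNECT or JOIN
    special: bool = False     # GROUP-SPECIAL
    operations: bool = False  # GROUP-OPERATIONS
    auditor: bool = False     # GROUP-AUDITOR

def stays_listed(c: Connect) -> bool:
    """True if the userid remains in the group's connect list after conversion."""
    return c.auth.upper() != "USE" or any(getattr(c, f) for f in GROUP_FLAGS)

def plan_conversion(universal: bool, connects: list[Connect]) -> dict:
    """Dry run of the steps described above; changes nothing in RACF."""
    if universal:
        # Already a UNIVERSAL group: the utility terminates without changes.
        return {"action": "none", "kept": [c.userid for c in connects], "removed": []}
    kept = [c.userid for c in connects if stays_listed(c)]
    removed = [c.userid for c in connects if not stays_listed(c)]
    # Zero connects: only the UNIVERSAL flag needs to be set.
    action = "set-flag-only" if not connects else "trim-and-set-flag"
    return {"action": action, "kept": kept, "removed": removed}

# Constructed sample data, not taken from a real RACF database.
SAMPLE = [
    Connect("ALICE", "USE"),
    Connect("BOB", "USE", special=True),
    Connect("CAROL", "CONNECT"),
    Connect("DAVE", "USE", auditor=True),
    Connect("ERIN", "use"),
]

if __name__ == "__main__":
    plan = plan_conversion(False, SAMPLE)
    print(plan["action"])
    print("kept in connect list:", plan["kept"])
    print("removed from connect list:", plan["removed"])
```

The `removed` list is the set of userids that no longer appear in the group's own connect list after conversion, even though each userid still carries its connection to the group.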

Using the CNV2SGRP Utility

You can use the CNV2SGRP utility to convert a RACF UNIVERSAL group to a RACF standard group, in place, via a combination of RACROUTE and ICHEINTY macro calls. The utility determines whether the RACF level is sufficiently high (at least at z/OS 1.2) for a feasible conversion from a RACF UNIVERSAL group. If the RACF level is sufficient, the utility extracts the specified group’s connect count, UNIVERSAL group flag, and userid connect information. If the group isn’t a UNIVERSAL group, the utility gracefully terminates. The defined userid list is then examined to collect the group connect information and to determine if the connected userid count exceeds 5,957. If the connected userid count is in excess of 5,957, the utility terminates with a message indicating this.

For each userid found to be an AUTH(USE) connected userid without the GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL flag set, a group connect operation is performed. This creates a group connect entry in the specified group. When these userids have been connected into the group, the UNIVERSAL group flag is turned on and the UNIVERSAL group has been converted to a standard group.

Preparing CNV2UGRP and CNV2SGRP for Action

Assemble CNV2UGRP and CNV2SGRP with a standard assembly job that includes SYS1.MACLIB and SYS1.MODGEN in the SYSLIB data set concatenation. Figure 1 provides Job Control Language (JCL) to link-edit the two utilities.
