Security

Next, assemble a project team. The composition of this team transcends RACF administration. The z/OS systems programmers often need to make changes to configuration options, tables, and exits in z/OS, RACF, and other system products. Storage administration may get involved in dedicating DASD volumes to the new database. Application developers, resource owners, and users will need to be consulted about proposed profile changes. Everyone should be expected to help with testing. Due to the level of effort, risk, and complexity associated with this type of project, many installations find it beneficial to engage experienced consultants to provide guidance and assistance.

The next step is to develop a plan with detailed tasks, timeframes, and staff assignments. You’ll need to perform an initial high-level comparison of the system images and RACF databases to identify issues to address during the merge project. Review both RACF and system exits, RACF tables, Class Descriptor Table (CDT) class entries, STARTED class entries, SETROPTS options, OPERATIONS assignments, and active resource classes along with their profiles, especially FACILITY class profiles, to identify significant differences to resolve. Also identify data set High Level Qualifiers (HLQs) common to all systems because their profiles and access lists will need to be integrated. The primary objective of this review is to give you a feel for the level of effort you’ll need to devote to each of the major synchronization tasks.

Now you can determine the methodology and tools you plan to use in merging the contents of the databases. You might simply copy certain profiles from one database to the others over an extended time period using RACF commands, or you could use a utility to combine databases all at once. You may opt for some combination of the two. The methodology you select will determine the tools you will employ. These will include some combination of RACF utilities, free IBM RACF software tools, and commercial software products for creating commands to copy profiles, comparing databases profiles, comparing system and RACF configuration options and tables, and combining databases. (IBM’s free RACF utilities are available via their RACF Downloads Webpage at www-03.ibm.com/servers/ eserver/zseries/zos/racf/goodies.html.)

Database Cleanup

Database cleanup is an important first step. You want to get rid of the dead wood that can waste valuable analysis time. Focus on resource classes and profiles the merging databases have in common. For instance, if two databases contain profiles with the HLQ SYS2, determine if any of the profiles is obsolete and can be deleted before proceeding with synchronization and merge tasks. Figure 1 shows a list of cleanup actions to perform.

As part of cleanup, verify the integrity of the RACF databases and fix any errors. RACF utilities that will alert you to various types of database errors include:

• IRRUT200: Database Verification

 • IRRUT400: Database Split/Merge/ Extend

• IRRDBU00: Database Unload. IRRDBU00 is especially effective for this task; it must look at almost every field in every profile.

5 Pages