Dec 1 ’08

Converting To & From RACF Universal Groups

by Editor in z/Journal

With RACF for z/OS 1.2, IBM introduced the RACF UNIVERSAL group. What differentiates a RACF UNIVERSAL group from a standard RACF group? A RACF UNIVERSAL group can have an unlimited number of AUTH(USE) userids connected to it, provided the AUTH(USE) userids don’t have GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL privileges. Since RACF maintains the group connect information for a userid with AUTH(USE) authority connected to a UNIVERSAL group only in the userid data, there’s no limit to the number of userids with AUTH(USE) authority that can be connected to a UNIVERSAL group.

Why is this significant? Since a standard RACF group is limited to 5,957 connected members, sites that use RACF that aren’t using UNIVERSAL groups are limited to connecting a maximum of 5,957 userids to a standard group. By disassociating AUTH(USE) users from a group connect entry, a UNIVERSAL group can have an almost unlimited number of connected userids.

Creating a RACF UNIVERSAL Group

It’s a simple process to create a RACF UNIVERSAL group. When adding a new group into the RACF environment, simply include the UNIVERSAL attribute on the ADDGROUP command. In its most basic format, the command to add a new UNIVERSAL group would look as follows, where “ugroup” is the name of the group to be added into the RACF environment:

ADDGROUP ugroup UNIVERSAL

With standard RACF commands, group creation is the only opportunity to assign the UNIVERSAL attribute to a group. No RACF commands allow a standard group to be converted to a UNIVERSAL group or vice versa.

Using a RACF UNIVERSAL Group

Under normal circumstances, the benefit or need for a RACF UNIVERSAL group may not become apparent until long after a group has been created. If you realize that a standard RACF group would be more useful as a UNIVERSAL group, what can you do? No ALTGROUP command option allows changing a standard group to a UNIVERSAL group.

How could you “convert” a standard RACF group into a UNIVERSAL group? Using available RACF commands and utilities, the process would be similar to the following:

That’s a rather daunting task list.

There are real benefits to using a RACF UNIVERSAL group. Not having to be concerned about the number of connected userids is a significant benefit and may be sufficient to warrant conversion to use of a UNIVERSAL group.

Similarly, if you need to convert a UNIVERSAL group to a standard group, there’s no ALTGROUP command option for that, either. Using RACF commands and utilities, you’d need to do the following:

• Invoke the LISTGRP command to obtain a list of the non-AUTH(USE) connected members and all connected members that have GROUP-AUDITOR, GROUP-OPERATIONS, and/or GROUP-SPECIAL.

• List the defined groups and userids to collect the group connect information. This is necessary because this list will contain information about all members connected to the UNIVERSAL group, not just the non-AUTH(USE) connected members or the connected members with GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL.

• Parse the aforementioned lists and build REMOVE commands for each connected member.

• Parse the aforementioned lists and build appropriate CONNECT commands (capture the AUTH indicator and any GROUP-ADSP, GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL indications).

• Determine if the group in question is a candidate to be converted to a standard RACF group. If there are more than 5,957 connected members, the group in question isn’t a candidate to be converted to a standard RACF group. If the group in question is a viable candidate to convert to a standard RACF group, you could continue with the following steps. Otherwise, the conversion effort would need to stop here and you should re-evaluate the plan.

• Determine if any of the connected members have the group in question as their default group.

• Temporarily reassign members who have the group in question as their default group to a different default group.

• REMOVE all the connected members from the group in question.

• Delete the group in question.

• Add the group back into RACF without the UNIVERSAL flag.

• Reconnect all the members back into the newly defined standard group.

• Reset any members whose default group needed to be temporarily reassigned.

Again, that’s a significant task list.
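
The command sequence that the list above describes can be generated rather than typed. The following is an added example, not part of the original article and not the CNV2SGRP source: it takes connect data already parsed from the listings and emits the RACF commands in the order the steps require. The group name TEMPGRP, the sample userids, and the Connect record layout are assumptions made for illustration.

```python
from dataclasses import dataclass

STANDARD_GROUP_LIMIT = 5957          # standard-group member limit given in the article
AUTH_LEVELS = {"USE", "CREATE", "CONNECT", "JOIN"}
GROUP_FLAGS = {"ADSP", "AUDITOR", "OPERATIONS", "SPECIAL"}

@dataclass(frozen=True)
class Connect:
    """One connect entry as collected from the LISTGRP and userid listings."""
    userid: str
    auth: str = "USE"
    flags: tuple = ()                # group-level attributes held on this connect
    is_default_group: bool = False   # True when the group is the user's default group

def plan_to_standard(group, connects, temp_group):
    """Return the ordered RACF commands for the UNIVERSAL-to-standard steps.

    temp_group is a hypothetical holding group; every user whose default
    group is being converted is assumed to be connected to it already.
    """
    if len(connects) > STANDARD_GROUP_LIMIT:
        raise ValueError(f"{group}: {len(connects)} members exceed {STANDARD_GROUP_LIMIT}")
    for c in connects:
        if c.auth not in AUTH_LEVELS or not set(c.flags) <= GROUP_FLAGS:
            raise ValueError(f"unrecognised connect data for {c.userid}")
    movers = [c.userid for c in connects if c.is_default_group]
    cmds = [f"ALTUSER {u} DFLTGRP({temp_group})" for u in movers]
    cmds += [f"REMOVE {c.userid} GROUP({group})" for c in connects]
    cmds += [f"DELGROUP {group}", f"ADDGROUP {group}"]   # re-added without UNIVERSAL
    for c in connects:
        base = f"CONNECT {c.userid} GROUP({group}) AUTHORITY({c.auth})"
        cmds.append(" ".join([base, *c.flags]))
    cmds += [f"ALTUSER {u} DFLTGRP({group})" for u in movers]
    return cmds

# Constructed sample data, not taken from a real RACF database.
SAMPLE = [
    Connect("ALICE"),
    Connect("BOB", auth="JOIN", flags=("SPECIAL",)),
    Connect("CAROL", is_default_group=True),
]

if __name__ == "__main__":
    print("\n".join(plan_to_standard("UNIVGRP", SAMPLE, "TEMPGRP")))
```

ADDGROUP is emitted with no operands; SUPGROUP, OWNER, and any other attributes of the deleted group have to be added to that line from the LISTGRP output before the commands are run.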

Perhaps you’ll just leave the UNIVERSAL group intact.

But maybe there’s a real need to convert to a standard RACF group. After creating and using the UNIVERSAL group, maybe you realize you’ll never encroach on the member limit of a standard RACF group. Or, possibly, if the number of connected members doesn’t exceed 5,957, you’ve determined that a quick conversion to a standard group would let you obtain a connected member list and you’ll convert right back to a UNIVERSAL group. These might be reasons to convert to a standard RACF group. A tool that can be used to convert a UNIVERSAL group to a standard group, in place, would be handy.

For both conversion scenarios, wouldn’t it be nice if there was a utility that would take care of all that under the covers? This article provides two utilities for that purpose. The CNV2UGRP utility can convert a standard RACF group to a RACF UNIVERSAL group, in place. The CNV2SGRP utility can convert a RACF UNIVERSAL group to a standard RACF group, in place.

The program source for the CNV2UGRP and CNV2SGRP utilities is available at http://zjournal.tcipubs.com/issues/DouglasUtilities.html.

 

Using the CNV2UGRP Utility

You can use the CNV2UGRP utility to convert a RACF standard group to a RACF UNIVERSAL group, in place. The utility does this through a combination of RACROUTE and ICHEINTY macro calls. One of the first things the utility does is determine whether the RACF level is sufficiently high (at least at z/OS 1.2) for a conversion to a RACF UNIVERSAL group to be feasible. If the RACF level is sufficient to support UNIVERSAL groups, the utility then extracts the specified group’s connect count, UNIVERSAL group flag, and userid connect information. If the group is already a UNIVERSAL group, the utility gracefully terminates. If the current connect count is zero, the only thing that needs to happen is to set the UNIVERSAL group flag for the group. If there are connected userids, then the fun begins!

For each userid in the connect list for this group, a check is made to determine whether the userid has AUTH(USE) authority. If it does, a check is made against the GROUP-AUDITOR, GROUP-OPERATIONS, and GROUP-SPECIAL flags. If the userid doesn’t have AUTH(USE) authority, or if any of the GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL flags are set, this userid is left connected to the group. If the userid does have AUTH(USE) authority and none of the GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL flags are set, the userid is unconnected from the group. (This applies to just the group, not the group connect information maintained in the userid itself.)

When all the group connected userids have been processed, the UNIVERSAL group flag is turned on for the specified group and, like magic, the standard group has been converted into a UNIVERSAL group.

Using the CNV2SGRP Utility

You can use the CNV2SGRP utility to convert a RACF UNIVERSAL group to a RACF standard group, in place, via a combination of RACROUTE and ICHEINTY macro calls. The utility determines whether the RACF level is sufficiently high (at least at z/OS 1.2) for a feasible conversion from a RACF UNIVERSAL group. If the RACF level is sufficient, the utility extracts the specified group’s connect count, UNIVERSAL group flag, and userid connect information. If the group isn’t a UNIVERSAL group, the utility gracefully terminates. The defined userid list is then examined to collect the group connect information and to determine if the connected userid count exceeds 5,957. If the connected userid count is in excess of 5,957, the utility terminates with a message indicating this.

For each userid found to be an AUTH(USE) connected userid without the GROUP-AUDITOR, GROUP-OPERATIONS, or GROUP-SPECIAL flag set, a group connect operation is performed. This creates a group connect entry in the specified group. When these userids have been connected into the group, the UNIVERSAL group flag is turned off and the UNIVERSAL group has been converted to a standard group.

Preparing CNV2UGRP and CNV2SGRP for Action

Assemble CNV2UGRP and CNV2SGRP with a standard assembly job that includes SYS1.MACLIB and SYS1.MODGEN in the SYSLIB data set concatenation. Figure 1 provides Job Control Language (JCL) to linkedit the two utilities.

Using the CNV2UGRP Utility

When the CNV2UGRP load module is created, the utility is ready to use. To convert a RACF standard group to a RACF UNIVERSAL group, run the JCL in Figure 2.

Use the GROUPNAME parameter to specify the name of the group you want to convert to a UNIVERSAL group. If the specified group exists and isn’t already a UNIVERSAL group, there’s nothing that will prevent a successful conversion unless the system crashes while the batch utility is running. When the utility completes the conversion, a message will be issued to the SYSPRINT output DD as follows:

UNVG000I - Specified group STDGRP has been converted to a RACF UNIVERSAL group.

Other messages that could be issued from CNV2UGRP, depending on the status of the system and the group itself, include those shown in Figure 3. In these messages, ‘xxxxxxxx’ will be the name of the group specified in the GROUPNAME PARMLIB parameter. Other messages can be issued related to the PARMLIB data entry. You can review the utility’s source code for the specific parameter errors that are reported on.

Using the CNV2SGRP Utility

When the CNV2SGRP load module is created, the utility is ready to use. To convert a RACF UNIVERSAL group to a RACF standard group, run the JCL in Figure 4.

Use the GROUPNAME parameter to specify the name of the group you want to convert to a standard group. If the specified group exists, it isn’t already a standard group, and the connected userid count doesn’t exceed 5,957, there’s nothing that will prevent a successful conversion unless the system crashes while the batch utility is running. When the utility completes the conversion, a message will be issued to the SYSPRINT output DD as follows:

UNVG000I - Specified group UNIVGRP has been converted to a RACF standard group.

Other messages that could be issued from CNV2SGRP, depending on the status of the system and the group itself, are shown in Figure 5. In these messages, ‘xxxxxxxx’ is the name of the group specified in the GROUPNAME PARMLIB parameter. Other messages can be issued related to the PARMLIB data entry. You can review the utility’s source code for the specific parameter errors that are reported on.

Be Careful

Consider two words of caution when using these two conversion utilities:

• There is no locking of the RACF database during these conversions, so the utilities should be run when there’ll be no other updates occurring against the group in question.

• These utilities are coded with no ESTAE, so there’ll be no recovery in the event of a program abend. Don’t fret too much about that; the programs have been thoroughly tested against all possible scenarios. The most likely issue (and this is remote) is a total system crash while a conversion is running.

Try things out on some test groups until you’re comfortable with what the utilities can do.

Conclusion

Being able to convert to and from a RACF UNIVERSAL group on the fly is a powerful capability. If you’re pushing the limits on the number of connected userids to a standard group, the CNV2UGRP utility may just be the answer to that limitation. In addition, if you have a RACF UNIVERSAL group that no longer requires that attribute, you can use the CNV2SGRP utility to easily convert things over to a standard group. In either case, these are handy utilities to include in your systems support toolbox.