For an exercise to learn which NODES profiles are used, see Figure 1.
Figure 1. Which NODES profiles
are used?
Assume the following profiles:
(1) POKMVS.SECLJ.A ADDMEM(ALPHA) UACC(READ)
(2) POKMVS.SECLS.A ADDMEM(ALPHA) UACC(READ)
(3) POKMVS.SECL%.A UACC(NONE) /*never used*/
(4) POKMVS.USERJ.JOHN ADDMEM(JOHNNY) UACC(UPDATE)
(5) POKMVS.USERS.JOHN ADDMEM(JOHNNY) UACC(UPDATE)
(6) POKMVS.USER%.JOHN UACC(NONE) /*never used*/
(7) POKMVS.USER%.TOM UACC(NONE)
(8) POKMVS.USER%.* ADDMEM(NONAME) UACC(UPDATE)
(9) POKMVS.*.* ADDMEM(X) UACC(READ)
(10a) * UACC(NONE)
(10b) *.USERJ.* UACC(NONE)
- If a job is submitted from user JOHN at node POKMVS with SECLABEL
A, profiles (1), (4), and (9) are used.
- Profile (4) translates the user ID to JOHNNY.
- Profile (9) translates the group name to X. (There is no profile
with the GROUP operand.)
- Profile (1) translates the SECLABEL to ALPHA.
- Profile (3) would never be used because profiles (1) and (2) are
discrete profiles that cover all work from node POKMVS that has security
label A.
Profile (6) would never be used because profiles (4) and
(5) are discrete profiles that cover all work from user JOHN at node
POKMVS.
- If jobs or SYSOUT come in from user TOM at POKMVS, profile (7)
fails the job or purges the output.
- If a job comes in from anyone other than JOHN or TOM at POKMVS,
with SECLABEL A, profiles (1), (8), and (9) are used.
- Profile (8) translates the user ID to NONAME.
- Profile (9) translates the group name to X (there is no profile
with the GROUP operand.)
- Profile (1) translates the SECLABEL to ALPHA.
Note: Profile (8) translates many user IDs to one. You might
do this to create a guest user ID that can be used by any otherwise
unknown user coming in from POKMVS. With such a user ID, you can allow
people from POKMVS to access certain resources without having to give
each of them a user ID on your system.
- Because there is no POKMVS profile with the GROUP operand, profile
(9) is the generic that is used to translate group names. Therefore
all jobs and SYSOUT that come from POKMVS get group X. (If profile
(9) did not have ADDMEM specified, there would be no translation of
group names.)
Also, all security labels from POKMVS, except security
label A, are translated to X.
- Profile (10a) fails all NJE jobs and SYSOUT for any other user,
group, or security label that is not covered by a more specific NODES
profile. If you want to have just default control for any NJE jobs,
and not control SYSOUT, use profile (10b) instead.