z/OS Security Server RACF Security Administrator's Guide


Learning which NODES profiles are used

SA23-2289-00

For an exercise to learn which NODES profiles are used, see Figure 1.

Figure 1. Which NODES profiles are used?

 

Assume the following profiles:
(1)   POKMVS.SECLJ.A      ADDMEM(ALPHA)    UACC(READ)
(2)   POKMVS.SECLS.A      ADDMEM(ALPHA)    UACC(READ)
(3)   POKMVS.SECL%.A                       UACC(NONE)  /*never used*/
(4)   POKMVS.USERJ.JOHN   ADDMEM(JOHNNY)   UACC(UPDATE)
(5)   POKMVS.USERS.JOHN   ADDMEM(JOHNNY)   UACC(UPDATE)
(6)   POKMVS.USER%.JOHN                    UACC(NONE)  /*never used*/
(7)   POKMVS.USER%.TOM                     UACC(NONE)
(8)   POKMVS.USER%.*      ADDMEM(NONAME)   UACC(UPDATE)
(9)   POKMVS.*.*          ADDMEM(X)        UACC(READ)
(10a) *                                    UACC(NONE)
(10b) *.USERJ.*                            UACC(NONE)
  1. If a job is submitted from user JOHN at node POKMVS with SECLABEL A, profiles (1), (4), and (9) are used.
    • Profile (4) translates the user ID to JOHNNY.
    • Profile (9) translates the group name to X. (There is no profile with the GROUP operand.)
    • Profile (1) translates the SECLABEL to ALPHA.
  2. Profile (3) would never be used because profiles (1) and (2) are discrete profiles that cover all work from node POKMVS that has security label A.

    Profile (6) would never be used because profiles (4) and (5) are discrete profiles that cover all work from user JOHN at node POKMVS.

  3. If jobs or SYSOUT come in from user TOM at POKMVS, profile (7) fails the job or purges the output.
  4. If a job comes in from anyone other than JOHN or TOM at POKMVS, with SECLABEL A, profiles (1), (8), and (9) are used.
    • Profile (8) translates the user ID to NONAME.
    • Profile (9) translates the group name to X. (There is no profile with the GROUP operand.)
    • Profile (1) translates the SECLABEL to ALPHA.
    Note: Profile (8) translates many user IDs to one. You might do this to create a guest user ID that can be used by any otherwise unknown user coming in from POKMVS. With such a user ID, you can allow people from POKMVS to access certain resources without having to give each of them a user ID on your system.
  5. Because there is no POKMVS profile with the GROUP operand, profile (9) is the generic that is used to translate group names. Therefore all jobs and SYSOUT that come from POKMVS get group X. (If profile (9) did not have ADDMEM specified, there would be no translation of group names.)

    Also, all security labels from POKMVS, except security label A, are translated to X.

  6. Profile (10a) fails all NJE jobs and SYSOUT for any other user, group, or security label that is not covered by a more specific NODES profile. If you want to have just default control for any NJE jobs, and not control SYSOUT, use profile (10b) instead.
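
The exercise can be replayed with a small model of NODES profile selection. This is an added example, not IBM code or part of the guide. It uses profile (10a), and its function names and matching rules (% matches one character, * matches one qualifier, a lone * matches anything, literals rank before % and % before *) are simplifying assumptions that are sufficient for the Figure 1 profiles.

```python
import re

# Figure 1 profiles, (10a) variant: (number, profile name, ADDMEM, UACC).
PROFILES = [
    (1, "POKMVS.SECLJ.A", "ALPHA", "READ"),
    (2, "POKMVS.SECLS.A", "ALPHA", "READ"),
    (3, "POKMVS.SECL%.A", None, "NONE"),
    (4, "POKMVS.USERJ.JOHN", "JOHNNY", "UPDATE"),
    (5, "POKMVS.USERS.JOHN", "JOHNNY", "UPDATE"),
    (6, "POKMVS.USER%.JOHN", None, "NONE"),
    (7, "POKMVS.USER%.TOM", None, "NONE"),
    (8, "POKMVS.USER%.*", "NONAME", "UPDATE"),
    (9, "POKMVS.*.*", "X", "READ"),
    (10, "*", None, "NONE"),
]
WILD = {"%": "[^.]", "*": "[^.]+"}   # assumed: % = one character, * = one qualifier
RANK = {"%": 1, "*": 2}              # assumed order: literal, then %, then *

def matches(profile, resource):
    if profile == "*":               # a lone * covers every resource name
        return True
    pattern = "".join(WILD.get(ch) or re.escape(ch) for ch in profile)
    return re.fullmatch(pattern, resource) is not None

def select(resource):
    """Return the most specific profile covering resource, or None."""
    hits = [p for p in PROFILES if matches(p[1], resource)]
    return min(hits, key=lambda p: [RANK.get(ch, 0) for ch in p[1]], default=None)

def evaluate(node, user, group, seclabel, kind="J"):
    """kind is 'J' for a job, 'S' for SYSOUT. Returns (verdict, details)."""
    verdict, details = "accept", {}
    fields = (("user", "USER", user), ("group", "GROUP", group), ("seclabel", "SECL", seclabel))
    for field, keyword, value in fields:
        prof = select(f"{node}.{keyword}{kind}.{value}")
        if prof is None:
            details[field] = (None, value)       # model only: nothing covers it
            continue
        number, _, addmem, uacc = prof
        if uacc == "NONE":
            verdict = "fail"                     # job fails / output is purged
        details[field] = (number, addmem or value)   # no ADDMEM: no translation
    return verdict, details

if __name__ == "__main__":
    # DEPT1 is a constructed group name; the page does not name one.
    print(evaluate("POKMVS", "JOHN", "DEPT1", "A"))
    print(evaluate("POKMVS", "TOM", "DEPT1", "A"))
```

Each entry in the returned details maps a field to the number of the profile that was selected and the value after translation, which makes it easy to confirm that profiles (3) and (6) are never chosen.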





Copyright IBM Corporation 1990, 2014