To set up NODES profiles, you must activate the RACFVARS class
first, issue SETROPTS RACLIST, and, if you are going to define generics,
make sure that SETROPTS GENERIC is active for the RACFVARS class.
You should consider the following approach to setting up NODES profiles:
- Define a profile for each node for which you want to control
inbound work. (If you have several nodes that you are treating identically,
consider creating RACFVARS profiles and using the RACF® variables in NODES profile names. This
can reduce the number of NODES profiles that you must maintain.)
- Define a top generic profile to control all work not controlled
by more specific NODES profiles.
- For each node, define profiles with USERx, SECLx or GROUPx qualifiers
only if you want to:
  - Prevent work with the specified user ID, security label, or group
  name from entering your node (determined by the UACC of the profile).
  - Translate the specified user ID, security label, or group name
  to a local value (specify the ADDMEM operand to do this).
- Define the local node or nodes in the &RACLNDE profile
in the RACFVARS class. Enter:

      RDEFINE RACFVARS &RACLNDE ADDMEM(nodea nodeb...)

  In effect, this allows security information to be accepted for verification
  without the use of NODES profiles. That is, the information is used
  as passed because it is considered local.

  For SYSOUT, this allows the owner information to be used without a NODES
  lookup, or automatically allows the submitter to become the SYSOUT owner
  when &SUSER is used. (See How SYSOUT requests are verified.)

  For jobs, this allows the special JES2 pre-execution reroute case to use
  the information as passed without translation, and allows the spool unload
  and reload of jobs to propagate the information automatically without
  requiring NODES profiles. See Defining nodes as local input sources.

  Note: Group names are not propagated when the node is defined to &RACLNDE.
  The default group of the execution user is used.
- If an inbound job has been submitted as a surrogate job on its originating
system (see Allowing surrogate job submission), the PASSWORD parameter
is not specified on its JOB statement. Therefore, to avoid requiring
password verification, you must specify UACC(CONTROL) or higher in the
NODES profile controlling such jobs, or UACC(UPDATE) or higher if the job
is from an uplevel node. (See Understanding mixed security environments.)
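
The approach above as one RACF command sequence. This is an added example, not taken from the original documentation. The node names (NODEA to NODED), the user IDs, the &PARTNER variable and the UACC levels chosen are all assumptions made for illustration, and USERJ is used as the job form of the USERx qualifier.

```tso
/* Constructed scenario: NODEA is the local node, NODEB and NODEC   */
/* are partner nodes treated identically, NODED is handled alone.   */

/* Activate the classes, RACLIST them, and enable generic profiles  */
/* before any profile is defined.                                   */
SETROPTS CLASSACT(RACFVARS NODES)
SETROPTS RACLIST(RACFVARS NODES)
SETROPTS GENERIC(RACFVARS NODES)

/* Local node: security information from NODEA is used as passed.   */
RDEFINE RACFVARS &RACLNDE ADDMEM(NODEA) UACC(NONE)

/* One RACF variable stands for both partner nodes, so one NODES    */
/* profile covers them instead of two.                              */
RDEFINE RACFVARS &PARTNER ADDMEM(NODEB NODEC) UACC(NONE)

/* Top generic: inbound work that matches no more specific profile  */
/* is not allowed in.                                               */
RDEFINE NODES * UACC(NONE)

/* Jobs from the partner nodes. CONTROL is chosen so that surrogate */
/* jobs, which arrive without PASSWORD on the JOB statement, do not */
/* require password verification.                                   */
RDEFINE NODES &PARTNER.USERJ.* UACC(CONTROL)

/* NODED: jobs are accepted in general (READ is an assumed level),  */
/* JSMITH is translated to the local user ID JOHNS, and OPER1 is    */
/* prevented from entering this node.                               */
RDEFINE NODES NODED.USERJ.*      UACC(READ)
RDEFINE NODES NODED.USERJ.JSMITH UACC(READ) ADDMEM(JOHNS)
RDEFINE NODES NODED.USERJ.OPER1  UACC(NONE)

/* Both classes are RACLISTed, so the new profiles take effect only */
/* after a refresh.                                                 */
SETROPTS RACLIST(RACFVARS NODES) REFRESH

/* Check what was defined.                                          */
RLIST RACFVARS &PARTNER ALL
RLIST NODES NODED.USERJ.JSMITH ALL
```

Because the top generic profile has UACC(NONE), every node that should be able to send work needs its own profile or membership in a RACF variable before the refresh is issued.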