z/OS Security Server RACF Security Administrator's Guide


Setting up NODES profiles

SA23-2289-00

To set up NODES profiles, you must activate the RACFVARS class first, issue SETROPTS RACLIST, and, if you are going to define generics, make sure that SETROPTS GENERIC is active for the RACFVARS class. You should consider the following approach to setting up NODES profiles:
  1. Define a profile for each node for which you want to control inbound work. (If you have several nodes that you are treating identically, consider creating RACFVARS profiles and using the RACF® variables in NODES profile names. This can reduce the number of NODES profiles that you must maintain.)
  2. Define a top generic profile to control all work not controlled by more specific NODES profiles.
  3. For each node, define profiles with USERx, SECLx or GROUPx qualifiers only if you want to:
    • Prevent work with the specified user ID, security label, or group name from entering your node (determined by the UACC of the profile).
    • Translate the specified user ID, security label, or group name to a local value (specify the ADDMEM operand to do this).
  4. Define the local node or nodes in the &RACLNDE profile in the RACFVARS class. Enter:
    RDEFINE RACFVARS &RACLNDE ADDMEM(nodea nodeb...)

    In effect, this allows security information to be accepted for verification without the use of NODES profiles. That is, the information is used as passed because it is considered local.

    For SYSOUT, this allows the owner information to be used without a NODES lookup, or automatically allows the submitter to become the SYSOUT owner when &SUSER is used. (See How SYSOUT requests are verified.)

    For jobs, this allows the special JES2 pre-execution reroute case to use the information as passed without translation, and allows the spool unload and reload of jobs to propagate the information automatically without requiring NODES profiles. See Defining nodes as local input sources.

    Note: Group names are not propagated when the node is defined to &RACLNDE. The default group of the execution user is used.
  5. If an inbound job has been submitted as a surrogate job on its originating system (see Allowing surrogate job submission), the PASSWORD parameter is not specified on its JOB statement. Therefore, to avoid requiring password verification, you must specify UACC(CONTROL) or higher in the NODES profile controlling such jobs, or UACC(UPDATE) or higher if the job is from an uplevel node. (See Understanding mixed security environments.)
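
The five steps above, carried through as a first-time setup in one REXX exec that issues the RACF commands from TSO. This is an added example, not taken from the IBM guide. Node names NODEA through NODEE, the user IDs, the &TRUSTED variable, the choice of the USERJ qualifier, every UACC level except the CONTROL case from step 5, and the SETROPTS commands for the NODES class are assumptions of the example.

```rexx
/* REXX: added example, not from the IBM guide. Node names, user IDs,   */
/* the &TRUSTED variable and the UACC levels are constructed values.    */
address tso
/* Prerequisites from the page: RACFVARS active, RACLISTed, generics on */
call racf "SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)"
call racf "SETROPTS GENERIC(RACFVARS)"
/* Assumption beyond the page: generic NODES profile names are used     */
/* below, so generic processing is enabled for NODES before defining.   */
call racf "SETROPTS GENERIC(NODES)"
/* Step 4: nodes treated as local (information used as passed)          */
call racf "RDEFINE RACFVARS &RACLNDE ADDMEM(NODEA NODEB)"
/* Step 1, parenthetical: group remote nodes that are treated alike     */
call racf "RDEFINE RACFVARS &TRUSTED ADDMEM(NODEC NODED)"
call racf "SETROPTS RACLIST(RACFVARS) REFRESH"
/* Step 1: one profile covers inbound jobs from every &TRUSTED node     */
call racf "RDEFINE NODES &TRUSTED.USERJ.* UACC(READ)"
/* Step 3, first case: keep jobs for NODEE user TESTER off this node    */
call racf "RDEFINE NODES NODEE.USERJ.TESTER UACC(NONE)"
/* Step 3, second case: translate NODEE user JSMITH to local JOHNS      */
call racf "RDEFINE NODES NODEE.USERJ.JSMITH UACC(READ) ADDMEM(JOHNS)"
/* Step 5: surrogate jobs from NODEC carry no PASSWORD, so the profile  */
/* controlling them is given UACC(CONTROL) as the page requires         */
call racf "RDEFINE NODES NODEC.USERJ.PRODSUB UACC(CONTROL)"
/* Step 2: top generic for all work not matched above; UACC(NONE) is    */
/* this example's choice for unmatched work                             */
call racf "RDEFINE NODES ** UACC(NONE)"
/* Assumption beyond the page: activate NODES last, once the profiles   */
/* exist, so the rules take effect together                             */
call racf "SETROPTS CLASSACT(NODES) RACLIST(NODES)"
/* List the resulting NODES profiles for review                         */
call racf "RLIST NODES * ALL"
exit 0

/* Issue one command and stop at the first nonzero return code, so a    */
/* failed definition is not followed by class activation                */
racf: procedure
  parse arg cmd
  say cmd
  address tso cmd
  if rc <> 0 then do
    say "RC="rc "from:" cmd "- stopping"
    exit 8
  end
  return
```

The exec stops on any nonzero return code, including a profile that already exists. Later changes to profiles in these RACLISTed classes need a SETROPTS RACLIST(class) REFRESH before they take effect.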





Copyright IBM Corporation 1990, 2014