Setting up NODES profiles
Use the following approach to setting up NODES profiles:
- Define a profile for each node for which you want to control inbound work. (If you have several nodes that you are treating identically, consider creating RACFVARS profiles and using the RACF® variables in NODES profile names. This can reduce the number of NODES profiles that you must maintain.)
- Define a "top" generic profile to control all work not controlled by more specific NODES profiles.
- For each node, define profiles with USERx, SECLx or GROUPx keywords.
- Prevent work with the specified userID, security label, or group ID from entering your node (determined by the UACC of the profile).
- Translate the specified userID, security label, or group ID to a local value (specify the ADDMEM operand).
- Define the local node or nodes in the &RACLNDE
profile in the RACFVARS class. The syntax is:
This allows security information to be accepted for verification without the use of NODES profiles. That is, the information is used as passed because it is considered local. For SYSOUT, this allows the owner information to be used without a NODES lookup, or automatically allows the submitter to become the SYSOUT owner when &SUSER is used (see How SYSOUT requests are verified). For jobs, this allows the special JES2 pre-execution reroute case to use the information as passed without translation, and allows the spool unload and reload of jobs to propagate the information automatically without requiring NODES profiles. See Defining Nodes as Local Input Sources.RDEFINE RACFVARS &RACLNDE ADDMEM (nodea nodeb...) - If an inbound job has been submitted as a surrogate job on itsoriginating system (see How RACF Validates Users) the PASSWORD parameter will not be specified on its JOB statement. Therefore, you must specify UACC(CONTROL) or higher in the NODES profile controlling such jobs, or UACC(UPDATE) or higher if the job is from an uplevel node to prevent requiring password verification (see Understanding Mixed Security Environments).