User Attributes at the Group Level

You can specify the SPECIAL, AUDITOR, OPERATIONS, GRPACC, and REVOKE user attributes at the group level by using the CONNECT command.

When you specify these attributes at the group level, they are identified as group-SPECIAL, group-AUDITOR, group-OPERATIONS, and so on, to distinguish them from attributes at the user level.

Group attributes are indicated in the connect profile, and are in effect for the user only when the user is connected to the group during a batch job or terminal session. (However, when list-of-groups checking is in effect, the group-SPECIAL, group-OPERATIONS, or group-AUDITOR user automatically has group-related authorities in all groups to which the user is connected, regardless of the group the user is logged on to.)

When you initially define a new user, the user's connect profile to the default group has no group-related attributes indicated. You can use the CONNECT command after you initially define the user to modify the user's connect profile to the default group.

Scope of Authority for the group-SPECIAL, group-AUDITOR, and group-OPERATIONS Users

The authority of the group-SPECIAL, group-AUDITOR, and group-OPERATIONS users is limited to the resources that are within the scope of the group. Resources that are within the scope of the group include the following:

• Resources owned by the group
• Resources owned by users who are owned by the group
• Resources owned by subgroups that are owned by the group
• Resources owned by subgroups owned by subgroups owned by the group, and so on

Note that the scope of the group does not extend to resource profiles that are owned by groups that are owned by users who are owned by the group. Neither does the scope of the group extend to resources that are owned by users who are owned by users who are owned by the group.

By establishing the group structure so that subgroups are owned by their superior groups, the authority of the group-SPECIAL, group-OPERATIONS, and group-AUDITOR user can be made to percolate down through the group tree structure as far as the security administrator desires. When a user's attribute percolates down from a group to which the user is connected with the group attribute, the user's authority in the subgroups is the same as if the user were connected directly to the subgroups with the group attribute.

The limits of the security administrator, group administrator, auditor, and operations personnel authority at the group level are described in Figure 3-2. (Of course, these users continue to have whatever authorities they possess from other sources, such as ownership and access list membership, that are not covered by their group-level authorities.)

Chapter 3. Defining Groups and Users

3-11

Resource: Data Sets

Group-SPECIAL Attribute: A user with the group-SPECIAL attribute has full authority to access:

• Data set profiles that are owned by the group
• Data set profiles having a high-level qualifier equal to the group identifier
• Data set profiles owned by users or groups that are owned by the group
• Data set profiles having a high-level qualifier that is a user or group identifier owned by the group

The group-SPECIAL user can also define data set profiles with a high-level qualifier that is the group identifier or a user or group identifier owned by the group.

Group-AUDITOR and Group-OPERATIONS Attributes: A user with the group-AUDITOR or group-OPERATIONS attribute can perform all of the functions of an auditor or operator, but is restricted to the same subset of data sets as the user with the group-SPECIAL attribute.

Resource: General Resources

Group-SPECIAL Attribute: A user having the group-SPECIAL attribute has full authority to access:

• Resource profiles that are owned by that group
• Resource profiles belonging to users or groups that are owned by the group

To create new resources, the user must have the CLAUTH attribute in the applicable class.

Group-AUDITOR and Group-OPERATIONS Attributes: A user having the group-AUDITOR or group-OPERATIONS attribute can perform all of the functions of an auditor or operator, but is restricted to the same subset of resources as the user with the group-SPECIAL attribute.

Resource: Users

Group-SPECIAL Attribute: A user with the group-SPECIAL attribute has full authority to access:

• User profiles of users owned by the group
• User profiles of users owned by a subgroup owned by the group, by a subgroup owned by a subgroup that is owned by the group, and so on

The group-SPECIAL user must have the CLAUTH attribute in a class in order to give the CLAUTH attribute to another user in that class. The group-SPECIAL user cannot give a user the SPECIAL, AUDITOR, or OPERATIONS attribute at the user level, but can assign these attributes at the group level. To create new users, the group-SPECIAL user must have the CLAUTH attribute in the USER class.

Group-AUDITOR Attribute: A user having the group-AUDITOR attribute can perform all of the functions of an auditor, but is restricted to the same subset of users as the user with the group-SPECIAL attribute.

Resource: Groups

Group-SPECIAL Attribute: A user having the group-SPECIAL attribute has authority over that group, over subgroups owned by that group, and so on. The group-SPECIAL user can connect any user to, or remove any user from, any group that is included in this authority.

Figure 3-2. Scope of Authority for User Attributes at the Group Level

The following two figures show the scope of authority of a group-SPECIAL user.

Figure 3-3 shows a typical authority structure containing three major groups, GROUP1, GROUP2, and GROUP3.

[Figure 3-3 is a diagram: SYS1 at the top, with GROUP1, GROUP2, and GROUP3 beneath it; the data set profiles X.DATA, GROUP1.DATA, USER2.DATA, Y.DATA, Z.DATA, GROUP2.DATA, GROUP2.CLIST, USER3.DATA, and USER4.DATA; and the general resource U4A in class TIMS.]

Assumptions:

1) Users' default groups are their owning groups, except for USER5, who is owned by another user in GROUP2.

2) Groups X and Y exist and are owned by GROUP1; group Z exists and is owned by GROUP2.

Figure 3-3. Group Level Authority Structure

Figure 3-4 shows the addition of a new element: a new user, USER1, is connected to GROUP1 with the group-SPECIAL attribute. The resultant authority USER1 receives as a group-SPECIAL user is highlighted in Figure 3-4.


[Figure 3-4 is a diagram: the structure of Figure 3-3 with USER1 connected to GROUP1; the resources within USER1's group-SPECIAL scope are highlighted and the remainder is shaded.]

Figure 3-4. Scope of Authority of a Group-SPECIAL User

In Figure 3-4, USER1 has authority to the indicated resource profiles for the reasons listed in Figure 3-2. USER1 does not have authority to any of the resources in the shaded area for the following reasons:

• GROUP3 is not owned by GROUP1.
• USER3 is not owned by GROUP1.
• USER4 is not owned by GROUP1.
• USER5 is not owned by GROUP1 or GROUP2.
• USER3.DATA is not a data set owned by a user who is owned by GROUP1.
• USER4.DATA is not a data set owned by a user who is owned by GROUP1. USER1 cannot display the profile information for this data set with LISTDSD, even if USER2, for example, is in its access list. (However, by using ICHUT100, USER1 would be informed that USER2 is in the access list of USER4.DATA.)
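The scope rules described above, and the USER1 example of Figures 3-3 and 3-4, as an added Python model (this is illustrative code written for this page, not RACF code and not IBM's algorithm). It walks a constructed ownership tree that loosely follows the figures and reports which profiles a user connected to a given group with group-SPECIAL can administer, including the two exclusions (groups owned by users, users owned by users) and the high-level-qualifier rule from Figure 3-2. USER6, group W, and the profiles W.DATA, USER5.DATA, PAYROLL.MASTER and USER2.PRIVATE are assumptions added to exercise those edge cases; they are not on the page.

```python
"""Added model of RACF group-level scope of authority (illustrative, not RACF code).

Rules from the text: a user connected to a group with group-SPECIAL (or
group-AUDITOR / group-OPERATIONS) has authority over resources owned by the
group, by users owned by the group, and by subgroups owned by the group,
recursively; data set profiles whose high-level qualifier is an in-scope
group or user ID are also in scope.  Groups owned by users and users owned
by users fall outside the scope.
"""
from dataclasses import dataclass

# Constructed ownership tree, loosely following Figures 3-3 and 3-4.
# name -> (kind, owner).  USER6 and group W are assumptions added to show
# the two exclusions the text calls out; they are not on the page.
OWNERS = {
    "GROUP1": ("GROUP", "SYS1"),
    "GROUP2": ("GROUP", "SYS1"),
    "GROUP3": ("GROUP", "SYS1"),
    "X": ("GROUP", "GROUP1"),
    "Y": ("GROUP", "GROUP1"),
    "Z": ("GROUP", "GROUP2"),
    "USER2": ("USER", "GROUP1"),
    "USER3": ("USER", "GROUP3"),
    "USER4": ("USER", "GROUP3"),
    "USER6": ("USER", "GROUP2"),  # assumed: the "other user in GROUP2"
    "USER5": ("USER", "USER6"),   # owned by a user, not by a group
    "W": ("GROUP", "USER2"),      # assumed: a group owned by a user
}


@dataclass(frozen=True)
class Profile:
    name: str
    cls: str    # "DATASET" or a general resource class such as "TIMS"
    owner: str


# Profiles from the figures, plus four assumed ones (marked) for edge cases.
PROFILES = [
    Profile("GROUP1.DATA", "DATASET", "GROUP1"),
    Profile("X.DATA", "DATASET", "X"),
    Profile("Y.DATA", "DATASET", "Y"),
    Profile("USER2.DATA", "DATASET", "USER2"),
    Profile("GROUP2.DATA", "DATASET", "GROUP2"),
    Profile("Z.DATA", "DATASET", "Z"),
    Profile("USER3.DATA", "DATASET", "USER3"),
    Profile("USER4.DATA", "DATASET", "USER4"),
    Profile("U4A", "TIMS", "USER4"),
    Profile("W.DATA", "DATASET", "W"),               # assumed: owner W is excluded
    Profile("USER5.DATA", "DATASET", "USER5"),       # assumed: owner USER5 is excluded
    Profile("PAYROLL.MASTER", "DATASET", "GROUP3"),  # assumed: foreign owner and HLQ
    Profile("USER2.PRIVATE", "DATASET", "GROUP3"),   # assumed: in scope via HLQ USER2 only
]


def scope_groups(group):
    """The group plus every subgroup owned, directly or transitively, by an
    in-scope group.  Only GROUP entries are added, so a group owned by a
    user (W) never enters the scope."""
    in_scope = {group}
    changed = True
    while changed:
        changed = False
        for name, (kind, owner) in OWNERS.items():
            if kind == "GROUP" and owner in in_scope and name not in in_scope:
                in_scope.add(name)
                changed = True
    return in_scope


def scope_users(groups):
    """Users owned directly by an in-scope group; users owned by users are not."""
    return {n for n, (k, o) in OWNERS.items() if k == "USER" and o in groups}


def in_scope(connect_group, profile):
    """Figure 3-2 rules: owned by an in-scope group or user, or (data sets
    only) carrying a high-level qualifier that is an in-scope group or user ID."""
    ids = scope_groups(connect_group)
    ids |= scope_users(ids)
    if profile.owner in ids:
        return True
    return profile.cls == "DATASET" and profile.name.split(".", 1)[0] in ids


def resources_in_scope(connect_group):
    return sorted(p.name for p in PROFILES if in_scope(connect_group, p))


def effective_scope(connections, current_group, list_of_groups=False):
    """Group IDs a group-SPECIAL user can administer in this session.
    connections maps group -> whether that connect carries group-SPECIAL.
    Without list-of-groups checking only the current connect group counts;
    with it, every connect group that carries the attribute does."""
    result = set()
    for group, has_attr in connections.items():
        if has_attr and (list_of_groups or group == current_group):
            result |= scope_groups(group)
    return result


if __name__ == "__main__":
    # USER1 connected to GROUP1 with group-SPECIAL (RACF: CONNECT USER1 GROUP(GROUP1) SPECIAL)
    print("USER1 via GROUP1:", resources_in_scope("GROUP1"))
    conns = {"GROUP1": True, "GROUP2": True}
    print("logged on to GROUP2, no list-of-groups:", sorted(effective_scope(conns, "GROUP2")))
    print("with list-of-groups checking:", sorted(effective_scope(conns, "GROUP2", True)))
```

Running it reproduces the Figure 3-4 result: USER1 reaches GROUP1.DATA, X.DATA, Y.DATA and USER2.DATA (and, through the high-level-qualifier rule, the assumed USER2.PRIVATE even though GROUP3 owns it), but none of the GROUP2, GROUP3, USER3, USER4, USER5 or W resources. The `effective_scope` call shows why list-of-groups checking matters when reviewing who holds group-SPECIAL: with it on, the user's connects to GROUP1 and GROUP2 are both in force regardless of the logon group.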

Suggestions for Assigning User Attributes

When defining users to RACF with the ADDUSER command, or when modifying user attributes with the ALTUSER command, RACF security and group administrators should assign:

• SPECIAL, AUDITOR, and OPERATIONS attributes to only those users responsible for administering RACF on a system-wide basis.
• CLAUTH attributes to only those users who will define other users and general resources.

Note that you cannot assign the ADSP attribute to a user who allocates space for data sets that do not meet the RACF or installation naming conventions.

Verifying User Attributes

The data security monitor (DSMON) generates reports that describe the current status of the data security environment at your installation. Two of these reports, the selected user attribute report and the selected user attribute summary report, are useful for verifying the attributes that you have assigned.

The selected user attribute report lists all RACF users with the SPECIAL, OPERATIONS, AUDITOR, or REVOKE attributes and specifies whether they possess these attributes on a system-wide (user) or group level. You can use this report to verify that only those users who you want authorized to perform certain functions have been assigned the corresponding attribute.

The selected user attribute summary report shows the number of installation-defined users and totals for users with the SPECIAL, OPERATIONS, AUDITOR, and REVOKE attributes, both at the system and group level. You can use this report to verify that the number of users with each of these attributes, on either a system or group level, is the number that your installation wants.

Default Universal Access Authority (UACC)

Each user in a group is assigned a default universal access authority (UACC) of NONE, READ, UPDATE, CONTROL, or ALTER. The value of NONE is used as a user's default universal access authority unless you specifically assign the user another value on the ADDUSER, ALTUSER, or CONNECT command. This value is always assigned (unless modeling is used) as the universal access authority to a data set profile that is automatically defined when a user who has the ADSP attribute allocates a new DASD data set, and to a DASD data set profile or tape volume profile when the PROTECT parameter is specified on the JCL DD statement. It is also in effect when the user RACF-protects a resource with the ADDSD or RDEFINE command and does not specify a value in the UACC operand.

Chapter 4. Defining Resources

This chapter contains in-depth information on defining resources to be protected.

Among the major topics included are: