IBM GC28-1920-01 Server User Manual


 
Actions Required
With OW08457 and OW14451, group propagation and group translation have been
fixed for NODES profiles, both for batch jobs and for SYSOUT. This change can
significantly alter the external results of your NJE environment and your installation
must decide what changes will best suit your needs.
Case 1: Nodes defined to &RACLNDE.
For nodes defined to the RACFVARS variable &RACLNDE, there is no change
(group propagation still does not occur, and group translation was never relevant).
It was determined that fixing group propagation for this case would cause too much
disruption, so it was left unchanged. Remember that if a node is defined to
&RACLNDE, no NODES profile lookup will take place.
Case 2: Getting NODES externals to work as they did prior to OW08457 and OW14451
Your installation might decide to continue to base NJE security primarily on the
user ID, and let the resulting job or SYSOUT take that user ID's default-group for
purposes of verification. This was the case prior to these APARs. These are the
steps suggested for achieving the same effect with the revised externals:
Note: The changes listed below in steps 1 and 2 must be made on all nodes
where you want processing to work as it did prior to OW08457 and
OW14451.
Step 1:
Delete all GROUPJ and GROUPS NODES profiles that have a UACC value greater
than or equal to READ. These profiles were previously irrelevant but now could
result in failing jobs or unowned SYSOUT. Note that GROUPJ and GROUPS
NODES profiles with a UACC value of NONE already worked and still work as
documented.
Step 2:
Create a NODES profile of the format nodeid.GROUP%.* UACC(READ)
ADDMEM(&DFLTGRP) for each node for which you expect inbound work. If no
more-specific NODES profiles exist than nodeid.GROUP%.* that would protect
inbound work (e.g., nodeid.*.*), the profile *.GROUP%.* UACC(READ)
ADDMEM(&DFLTGRP) can be created instead of the individual nodeid.GROUP%.*
profiles. After the NODES profiles are created, do any necessary refresh of
in-storage profiles. The new profile(s) cause RACF to use the default group for
NJE verification after the user ID has been propagated and possibly translated.
Note that without step 1 above, there could be more specific GROUPJ and
GROUPS profiles, so that &DFLTGRP would not be used consistently, resulting
in the problems described above.
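
The Case 2 procedure above, as an added example that is not part of the IBM manual: a Python helper that turns an inventory of NODES profiles into the Step 1 deletions, the Step 2 definitions and the refresh. The node names NODEA and NODEB, the inventory format, and the assumption that NODES is RACLISTed (hence the SETROPTS refresh) are illustrative.

```python
# Added example: plan the Case 2 changes from an inventory of NODES profiles.
# Assumption: the inventory is (profile name, UACC) pairs gathered beforehand;
# the sample below is constructed, not taken from a real RACF database.

# RACF universal access levels, lowest to highest.
UACC_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
READ_RANK = UACC_ORDER.index("READ")


def step1_deletions(profiles):
    """GROUPJ/GROUPS profiles whose UACC is READ or higher (Step 1)."""
    doomed = []
    for name, uacc in profiles:
        parts = name.upper().split(".")
        if len(parts) != 3 or parts[1] not in ("GROUPJ", "GROUPS"):
            continue  # USERJ, SECLS, nodeid.*.* and so on are left alone
        if UACC_ORDER.index(uacc.upper()) >= READ_RANK:
            doomed.append(name.upper())
    return doomed


def case2_commands(profiles, inbound_nodes):
    """RACF commands for Step 1, Step 2 and the refresh, in that order.

    Emits the per-node form only; the *.GROUP%.* shortcut is not attempted.
    """
    cmds = [f"RDELETE NODES {name}" for name in step1_deletions(profiles)]
    for node in inbound_nodes:
        cmds.append(
            f"RDEFINE NODES {node.upper()}.GROUP%.* UACC(READ) ADDMEM(&DFLTGRP)"
        )
    # Assumption: NODES is RACLISTed, so the in-storage copy needs a refresh.
    cmds.append("SETROPTS RACLIST(NODES) REFRESH")
    return cmds


# Constructed inventory for two hypothetical nodes, NODEA and NODEB.
SAMPLE_PROFILES = [
    ("NODEA.GROUPJ.PAYROLL", "READ"),    # Step 1: delete
    ("NODEA.GROUPS.*", "UPDATE"),        # Step 1: delete
    ("NODEB.GROUPJ.TEST", "NONE"),       # keep: UACC(NONE) works as documented
    ("NODEA.USERJ.*", "READ"),           # keep: not a group profile
]

if __name__ == "__main__":
    for cmd in case2_commands(SAMPLE_PROFILES, ["NODEA", "NODEB"]):
        print(cmd)
```
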
Case 3: Making use of group propagation in NJE security
Because group propagation and group translation were not functional until now,
RACF recommends the following steps for making the transition to this function.
Step 1:
58 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration