Filter
Top Products
List all GROUPJ and GROUPS NODES profiles that have a UACC value greater
than or equal to READ, recording the profile names and all keywords necessary to
add them back later. Then delete them. These profiles were previously irrelevant
but now could result in failing jobs or unowned SYSOUT. Note that GROUPJ and
GROUPS NODES profiles with a UACC value of NONE already worked and still
work as documented.
Step 2:
Create the NODES profile *.GROUP%.* with UACC(READ) and
ADDMEM(&DFLTGRP), then do any necessary refresh of in-storage profiles. This
profile causes RACF to use the default group for NJE verification, after the user ID
has been propagated and possibly translated. This profile acts as a catch-all until
all other GROUP NODES profiles have been verified.
Step 3:
Add more specific GROUP NODES profiles. Perhaps you are adding GROUP
NODES profiles for the first time; see
OS/390 Security Server (RACF) Security
Administrator's Guide
for their intended uses and externals. Take note of any
batch job failures or SYSOUT owners assigned by SYSOUT FAILSAFE processing
(SYSOUT message IRR808I will be displayed). Correct any problems in your
profiles to accurately reflect corresponding users and groups on the different NJE
nodes.
Step 4:
When your installation is confident that the GROUP profiles are set up correctly,
change the one from step 2 to a UACC(NONE) with no ADDMEM. This generic
profile now fails jobs or disowns SYSOUT when a more specific profile is not found.
APAR OW15408
If you are using NODES class profiles of the form
nodeid
.RUSER.
nodeid
to allow
JOBs to enter a node, you can remove those RUSER nodes profiles. This form of
NODES profile has been used as a problem bypass by users, to allow the copy of
a second NJE Job into the JES internal reader using two /*XEQs.
Chapter 12. NJE Considerations 59