I'm working on moving our ISFPRMxx member to RACF. I have a question
for the group (posted to IBM-MAIN and RACF-L).
How are people handling the "default SDSF user"? The IDs that don't
fall into any other group (in our case it's ISFUSER). We do have
TSOAUTH(JCL) in the ISFPRMxx for ISFUSER. Are you creating a
CLASS(SDSF) GROUP.ISFUSER.* profile and with UACC(READ) and NOT creating
a ISFUSER group and COnnecting all other users to the ISFUSER group?
This method seems to provide SDSF access to EVERY user (who doesn't fall
into another group) even those without TSOAUTH(JCL). This does have the
advantage that security doesn't have to explicitly add new users to a
ISFUSER group.
Or are people creating an ISFUSER group, creating a SDSF GROUP.ISFUSER.*
profile with UACC(NONE), creating the ISFUSER group and COnnecting only
those users with TSOAUTH(JCL) and permitting the ISFUSER group READ to
the SDSF GROUP.ISFUSER.* profile? This means that every new TSO user
will need to be connected to the ISFUSER group or they won't get access
to SDSF (another assumption on my part).
Or foregoing the creation of a SDSF GROUP.ISFUSER.* profile and the
ISFUSER group altogether? I'm assuming that anyone not connected to any
other group will fall into the ISFRMxx's ISFUSER section even though
they don't have TSOAUTH(JCL).
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
