No, that's backwards. You permit the $SYSTEMS group to the logonby.maint resource, then users who have a connect to that group automatically have the ability to use logonby to the maint id. You would need to define the resource and do the permit for any other shared id for which you wanted to do logonby. I think you could use a RACFVARS profile if you wanted to act on a group of userids. See the Security Admin's manual.

In the simple case, though:

1. ADDGROUP $SYSTEMS OWNER(SYS1)
2. CONNECT USER1 GROUP($SYSTEMS)
3. CONNECT USER2 GROUP($SYSTEMS) ...
4. RDEF SURROGAT LOGONBY.MAINT UACC(NONE)...
5. PERMIT LOGONBY.MAINT CLASS(SURROGAT) ACCESS(READ) ID($SYSTEMS)

Now as your systems group membership fluctuates, you connect new members to the $systems group and remove departing ones. But per this example you'd have to repeat the RDEF/PERMIT for other service/maintenance userids.

--Mike

It will only be two of us, but if I'm understanding correctly, assigning any other users besides MAINT to the $SYSTEMS group would automagically give us two LOGONBY auth for those users as well. That sounds keen to me.

Thanks,
Leland
