On Tuesday, 11/25/2008 at 03:50 EST, Rob van der Heij <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 25, 2008 at 5:40 PM, Alan Altmark <[EMAIL PROTECTED]> wrote:
>
> > 2. Create a list of target IDs so that you can change the list
> > of target IDs without having to do PERMITs.
>
> How's that with RACF? You can't group the targets unless they are so
> similar that a generic profile does it?

Through the use of a RACFVARS profile. You can use it when the resource names don't have a pattern and there is no grouping profile (such as GTERMINAL).

From the new example on pp. 71-72 in the RACF 5.4 Security Admin Guide, pp 71-72:

* Allow generic profiles to be defined for SURROGAT class
SETROPTS GENERIC(SURROGAT)

* Define variable &MNTIDS to contain list of users for whom LOGON BY is required
RDEFINE RACFVARS &MNTIDS ADDMEM(MAINT TCPMAINT RSCS PERFSVM)

* Create the generic profile.
RDEFINE SURROGAT LOGONBY.&MNTIDS UACC(NONE)

* Give all users in SYSPROGS group LOGON BY authority to maintenance ids
PERMIT LOGONBY.&MNTIDS CL(SURROGAT) ID(SYSPROGS) ACCESS(READ)

* Turn on SURROGAT and RACFVARS class processing
SETROPTS CLASSACT(SURROGAT RACFVARS)

* Cache the resource definitions in memory
* Add REFRESH if already active
SETROPTS RACLIST(SURROGAT RACFVARS)

To change the list:

* Use ADDMEM or DELMEM
RALTER RACFVARS &MNTIDS ADDMEM(TCPIP)

* Refresh the in-memory cache
SETROPTS RACLIST(RACFVARS) REFRESH

Alan Altmark
z/VM Development
IBM Endicott
