Implementing External Security with RACF › Define Groups Based on Function for Validation

Previous Topic: Customize Resource Classes with RACF

Next Topic: Define Groups Automatically with DEFSAF

Define Groups Based on Function for Validation

The primary purpose of a group in RACF is for validation processing. Use your defined group to represent multiple users with identical or similar functional requirements or access authority. Adding one group entry to access lists rather than many user IDs simplifies both access and maintenance.

You can define and use functional groups to describe job functions or groups.

Follow these steps:

  1. Define your job function, or groups, using any criteria necessary. For example, create a RACF group named OPSADMIN for the CA OPS/MVS administrators.

    Note: The REXX program DEFSAF does not define function-based groups.

  2. Populate the functional group with all the facilities needed for an administrator.
  3. Connect or remove users from this group as their job roles demand.

    The users acquire or lose the authority of the group without needing to refresh the profile.

    Note: A user with CONNECT group authority for a specific group can use the CONNECT and REMOVE commands to change the members of that group. This capability eliminates using the PERMIT command to change the access list of the affected profiles.

Your functional groups are defined.