Define Groups Automatically with DEFSAF

Groups let you add and remove users from a single point for validation processing. You can automatically define RACF administrative groups with the DEFSAF REXX utility.

By default, the DEFSAF program defines SAF resource names and groups and adds them to the RACF database. If you decide not to use RACF groups, specify the parameter GROUPS(N) on the DEFSAF utility. The resource names are still defined but the default group names are not generated.

Follow these steps:

  1. Log in to TSO.
  2. Access the DEFSAF REXX utility that is distributed with CA OPS/MVS in the opshlq.CCLXEXEC data set.
  3. Execute DEFSAF from a user ID that has the RACF SPECIAL attribute.

    The following actions occur:

  4. Review and modify the example definitions to meet the security requirements of your site.
  5. Use the tailored definitions as batch input to RACF.

    Note: Member BATRACF in opshlq.OPS.CNTL is provided as a sample. For more information about executing RACF commands in batch, see the Security Server RACF Command Language Reference (SA22-7687-15).
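For step 4, one way to pre-screen the definitions before they are submitted to RACF is sketched below. This is an added example, not part of CA OPS/MVS or DEFSAF. It assumes the generated member contains RACF commands such as RDEFINE and PERMIT and has been copied off as plain text; the sample commands are constructed, and the class, profile, and group names in them are placeholders.

```python
import re

# Constructed sample in RACF command syntax, NOT real DEFSAF output; names are placeholders.
SAMPLE = """\
RDEFINE FACILITY EXAMPLE.RES1 UACC(NONE) -
  OWNER(EXGRP1)
RDEFINE FACILITY EXAMPLE.RES2 UACC(READ) OWNER(EXGRP1)
RDEFINE FACILITY EXAMPLE.RES3 OWNER(EXGRP1)
PERMIT EXAMPLE.RES1 CLASS(FACILITY) ID(EXGRP1) ACCESS(READ)
PERMIT EXAMPLE.RES2 CLASS(FACILITY) ID(*) ACCESS(UPDATE)
"""

def join_continuations(text):
    """Merge TSO continuation lines (trailing '-' or '+') into one command each."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):   # skip blanks and comment lines
            continue
        if line[-1] in "-+":
            pending += line[:-1].rstrip() + " "
            continue
        commands.append(pending + line)
        pending = ""
    if pending.strip():                          # file ended mid-continuation
        commands.append(pending.strip())
    return commands

def operand(cmd, keyword):
    """Return the value inside KEYWORD(...) in upper case, or None if absent."""
    m = re.search(r"\b%s\(([^)]*)\)" % keyword, cmd, re.I)
    return m.group(1).strip().upper() if m else None

def review(text):
    """Return (code, command) pairs for definitions that need a manual look."""
    findings = []
    for cmd in join_continuations(text):
        verb = cmd.split()[0].upper()
        if verb in ("RDEFINE", "RDEF"):
            uacc = operand(cmd, "UACC")
            if uacc is None:        # default access is not visible in the file
                findings.append(("UACC_NOT_EXPLICIT", cmd))
            elif uacc != "NONE":    # everyone gets this access without a PERMIT
                findings.append(("UACC_NOT_NONE", cmd))
        elif verb in ("PERMIT", "PE"):
            ids = (operand(cmd, "ID") or "").replace(",", " ").split()
            if "*" in ids:          # ID(*) grants access to all defined users
                findings.append(("PERMIT_ID_STAR", cmd))
    return findings
```

Call `review()` on the text of the tailored definitions. An empty result means none of these three patterns were found, not that the definitions meet your site's security requirements.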

Example: DEFSAF Execution

These examples generate the opshlq.OPSS.DEFSAF(DEFRACF) file containing all of the required resource definitions to begin using CA OPS/MVS external security with RACF.

Note: For a complete example of DEFSAF execution with RACF security, review the contents of data set member OPSHLQ.OPSS.DEFSAF(DEFRACF).

More information:

Commands and Functions that Generate External Security Events