Manage User Groups with CA Cleanup for RACF

Use the advanced optional User Group Support feature to group and segregate user IDs. Doing so lets you determine which users and groups of users are using the active permissions. This feature lets you:
  • Break down and better identify the users of any existing permission.
  • Group users into user groups to identify the exact access that the user group requires.
  • Develop role-based access.
Use the database load utility to assign an optional user group number to one or more user IDs to group and segregate those user IDs from all others. Append a number from 1 to 7 when loading or reloading any user ID as shown in the following example.
User group numbers cannot be assigned to group IDs.
//S1 EXEC PGM=AT8#DBU
//INCLUDE DD *
CLERKA,1
CLERKB,1
TECHA,2
TECHB,2
In this example, several user IDs are assigned to user group number one, while others are assigned to user group two:
REFDATE  USERID    CLASS     NAME
------------------------------------------------------------------
         CLERKA    USERID    ROBERT     USERGRP=1
            :         :         :
         CLERKB    USERID    CAROLYN    USERGRP=1
            :         :         :
         TECHA     USERID    DONNA      USERGRP=2
            :         :         :
         TECHB     USERID    FRANCIOS   USERGRP=2
In addition, the CA Cleanup report shows the user groups, if any, that have referenced each of the active permissions.
yyyy/mm/dd (05.272) 23:22          Referenced within 030 Days
Date    Date        Days    Item     Item
Loaded  Referenced  Unused  Class    Name
----------------------------------------------------------
05.250  05.272      000     VOLUME   *ALL*
                                     Ref'd by Groups=1,2
05.250  05.272      000     DATASET  TESTCAT.
                                     Ref'd by Groups=1,2
05.250  05.269      003     DATASET  SYS1.MAN
                                     Ref'd by Groups=1
End of Job.
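The report above can be inverted into a per-group access list, which is the starting point for role-based access. The following Python sketch is an added example, not part of CA Cleanup; it assumes a saved report with one entry per line and the "Ref'd by Groups=" text on the same or the following line, and the function names and the PAYROLL. entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first three entries mirror the report on this page;
# PAYROLL. is a constructed entry that no user group has referenced.
SAMPLE_REPORT = """\
Date    Date        Days    Item     Item
Loaded  Referenced  Unused  Class    Name
----------------------------------------------------------
05.250  05.272      000     VOLUME   *ALL*
                                     Ref'd by Groups=1,2
05.250  05.272      000     DATASET  TESTCAT.
                                     Ref'd by Groups=1,2
05.250  05.269      003     DATASET  SYS1.MAN
                                     Ref'd by Groups=1
05.250  05.251      021     DATASET  PAYROLL.
End of Job.
"""

ENTRY = re.compile(r"^\s*(\d\d\.\d{3})\s+(\d\d\.\d{3})\s+(\d{3})\s+(\S+)\s+(\S+)")
GROUPS = re.compile(r"Ref'd by Groups=([\d,]+)")

def parse_report(text):
    """Return one dict per permission, with the user groups that referenced it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"class": m.group(4), "name": m.group(5),
                            "days_unused": int(m.group(3)), "groups": set()})
        g = GROUPS.search(line)
        if g and entries:
            nums = {int(n) for n in g.group(1).split(",") if n}
            if not nums <= set(range(1, 8)):  # the page allows groups 1 to 7
                raise ValueError(f"unexpected user group number in: {line!r}")
            entries[-1]["groups"] |= nums
    return entries

def access_by_group(entries):
    """Invert the report: user group number -> permissions that group used."""
    roles = defaultdict(list)
    for e in entries:
        for grp in sorted(e["groups"]):
            roles[grp].append((e["class"], e["name"]))
    return dict(roles)

def ungrouped(entries):
    """Permissions that no user group has referenced."""
    return [(e["class"], e["name"]) for e in entries if not e["groups"]]
```

Comparing the lists for two groups shows which permissions only one of them needs; in the sample, SYS1.MAN appears for group 1 only.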
A user group number can be removed from an individual user by reloading the user with user group zero.
//S1 EXEC PGM=AT8#DBU
//INCLUDE DD *
TECHA,0
You may want to reassign a user group number to a different set of users. A user group number can be removed from all users and resources by specifying the RESETGRP option. This option is specified with the *RELOAD* option. One or more group numbers can be specified to be removed. The group numbers must be specified within parentheses and separated with commas.
This example removes group numbers 2 and 6:
//S1 EXEC PGM=AT8#DBU
//INCLUDE DD *
*RELOAD*,RESETGRP=(2,6)