Passing the Superior Group names to TPX for a dynamic user during signon with RACF

search cancel

Passing the Superior Group names to TPX for a dynamic user during signon with RACF

book

Article ID: 32023

calendar_today

Updated On:

Products

TPX - Session Management Vman Session Management for z/OS

Issue/Introduction

Will RACF pass the Superior Group names to TPX for a user during signon?

Environment

TPX® Session Management for z/OS

Resolution

No, RACF does not return the superior group names in a user-level profile selection environment.

RACF can use tiered levels of user groups called Superior Groups. For example: UserGroupC has a superior group of UserGroupB which has a superior user group of UserGroupA.

For dynamic or saved dynamic user signon, TPX checks the user's security access based upon the SMRT Security parameter Profile Selection:

When profile selection is USER, TPX issues a RACROUTE VERIFY which returns the authorized group names for that user to TPX. (RACF is not returning the superior group names.)
When profile selection is PROF, TPX issues a RACHECK on each profile name in memory.

A SECDEBG trace can be used to confirm which groups are returned to TPX from security during a user signon. SECDEBG was used to verify that Superior Groups are NOT returned to TPX for the user.

Additional Information

Programming Profile Selection for Dynamic Users

How to set a SECDEBG security debugging trace in TPX?

Feedback

thumb_up Yes

thumb_down No