I am able to do the DEF USER, DEF VIEW commands but my RACF Group does NOT have any access rights from a RACF perspective.
I'm assuming I can do that because reading the manual it states "if I am a user in the master directory I have authority".
THIS SHOULD NOT HAPPEN. RACF should stop me from issuing the commands if my RACF group is not in the profiles needed for these commands (DEF USER, DEF VIEW, etc.). This tells me external security is NOT working.
View, 14.0, security, external, master
External Security is working as expected.
The SARINIT parameter MASTER has the highest priority, for executing the DSEF xxx commands, no matter what is defined in the SECURITY parameters.
So in further detail, in the case of this environment, when the MASTER=<USER123>
This indicates that ONLY <USER123> is able to execute the DEF VIEW command and that even though SECURITY=EXTERNAL specified, it stops after the first check and no other calls are made.
If you want the EXTERNAL Security package to determine who is able to issue the DEF VIEW command then you would need to specify SARINIT MASTER=ALL
* This would then require the proper rules to be setup and used by the External Security package.