Will RACF pass the Superior Group names to TPX for a dynamic user during signon?
search cancel

Will RACF pass the Superior Group names to TPX for a dynamic user during signon?

book

Article ID: 32023

calendar_today

Updated On:

Products

TPX - Session Management Vman Session Management for z/OS

Issue/Introduction

Will RACF pass the Superior Group names to TPX for a user during signon?

Environment

Release: NVINAM00200-5.3-TPX-Session Management-Access Management package
Component:

Resolution

No, RACF does not return the superior group names in a user-level profile selection environment.

RACF can use tiered levels of user groups called Superior Groups.  For example: UserGroupC has a superior group of UserGroupB which has a superior user group of UserGroupA.

For dynamic or saved dynamic user signon, TPX checks the user's security access based upon the SMRT Security parameter Profile Selection:

  • When profile selection is USER, TPX issues a RACROUTE VERIFY which returns the authorized group names for that user to TPX. (RACF is not returning the superior group names.)
  • When profile selection is PROF, TPX issues a RACHECK on each profile name in memory.

A SECDEBG trace can be used to confirm which groups are returned to TPX from security during a user signon.  SECDEBG was used to verify that Superior Groups are NOT returned to TPX for the user. 

 

Additional Information

- Programming Guide - Profile Selection for Dynamic Users)

Powered by Wolken Software