In addition to defining individual user profiles in RACF®, you can define group profiles.
A group profile defines a group of users. (This is not the same thing as a resource group profile, which defines a group of resources and is explained in RACF general resource profiles.) A group profile can contain information about the group, such as who owns it; what subgroups it has; a list of connected users; and other information. For details of how to define and use group profiles, see the z/OS Security Server RACF Security Administrator's Guide .
Aim to make your point of control the presence (or absence) of a userid within a group, not the access list of the resource profile. Put the group, rather than individual userids, in the access lists of the profiles the department needs. When someone leaves the department, simply removing the userid from the department's user group revokes every privilege that was granted through that group; no other administration of profiles is required. Doing this keeps RACF administration to a minimum and avoids an excessive number of resource profiles and access-list entries.
RACF maintains in-storage copies of resource profiles, so changes to those profiles do not take effect on the system until the in-storage profiles are refreshed.
The authority to access a resource is kept in an access list that is part of the resource profile. The authority can be granted to a user or to a group. If you add a user to, or remove a user from, the access list, you must refresh the in-storage copy of the profile before the change takes effect. For more information see Refreshing resource profiles in main storage.
If you connect a user to, or remove a user from, a group that is already in the access list, that user acquires or loses the authority of the group without the profile needing to be refreshed. Any user with CONNECT group authority in that group can change the membership of the group (using the CONNECT and REMOVE commands). This avoids the need to change the access list of the affected profiles (through the use of the PERMIT command). If you do not actually change a CICS general resource profile, you need not refresh its in-storage copy. However, a user's group membership is established when the user signs on, so users whose group membership has been changed may need to sign on again before the change takes effect for them.
For other benefits obtained from creating groups, see the z/OS Security Server RACF Security Administrator's Guide .
For example, the following commands move user1 from group_name1 to a new group, group_name2, without changing the access list of any profile (and therefore without refreshing any in-storage profile):
ADDGROUP group_name2
REMOVE user1 GROUP(group_name1)
CONNECT user1 GROUP(group_name2)
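The following REXX exec is an added example, not code from the CICS or RACF documentation. It walks through the whole pattern described above: put the group (not the users) in the access list of a CICS transaction profile once, refresh the in-storage copy of that profile once, and from then on administer access purely through group membership with CONNECT and REMOVE, which require neither PERMIT nor a refresh. The names are hypothetical: group PAYROLL, users USRA, USRB and the departmental administrator PAYADM, and a transaction PAYR protected in the TCICSTRN class; it assumes the issuing userid has the authority to create groups and profiles, and that the TCICSTRN class is active and RACLISTed so that SETROPTS RACLIST REFRESH applies to it.

```rexx
/* REXX */
/* Added example, not from the CICS or RACF documentation.            */
/* Hypothetical names: group PAYROLL, users USRA, USRB, PAYADM,       */
/* transaction PAYR in class TCICSTRN. Assumes the caller may create   */
/* groups and profiles and that TCICSTRN is active and RACLISTed.      */
address tso

/* Run one RACF command and stop on the first failure, so a later     */
/* step never silently runs against a profile that was not created.   */
call racf "ADDGROUP PAYROLL SUPGROUP(SYS1) OWNER(SYS1)" ,
          "DATA('Payroll department')"

/* 1. One-time setup: grant the GROUP access to the transaction.      */
call racf "RDEFINE TCICSTRN PAYR UACC(NONE) OWNER(SYS1)"
call racf "PERMIT PAYR CLASS(TCICSTRN) ID(PAYROLL) ACCESS(READ)"

/* The access list changed, so the in-storage copy held by RACF is     */
/* stale until it is refreshed. This is the only refresh in the exec. */
call racf "SETROPTS RACLIST(TCICSTRN) REFRESH"

/* 2. Day-to-day administration: membership only. No PERMIT and no    */
/*    refresh are needed, because the access list is not touched.     */
call racf "CONNECT USRA GROUP(PAYROLL) AUTHORITY(USE)"
call racf "CONNECT USRB GROUP(PAYROLL) AUTHORITY(USE)"

/* Delegate membership changes: CONNECT group authority lets PAYADM   */
/* issue CONNECT and REMOVE for PAYROLL without any access to PERMIT. */
call racf "CONNECT PAYADM GROUP(PAYROLL) AUTHORITY(CONNECT)"

/* USRB leaves the department: one command revokes everything that     */
/* was granted through the group. USRB keeps the group in the current */
/* CICS session until signing on again (see the USRDELAY note for     */
/* remote userids in ISC/MRO regions).                                 */
call racf "REMOVE USRB GROUP(PAYROLL)"

/* 3. Verify: the access list should still name only the group, and   */
/*    LISTGRP shows who currently inherits that access.                */
call racf "RLIST TCICSTRN PAYR AUTHUSER"
call racf "LISTGRP PAYROLL"
call racf "LISTUSER USRA"
exit 0

racf:
  parse arg cmd
  say '==>' cmd
  cmd                       /* issue the RACF command under ADDRESS TSO */
  if rc <> 0 then do
    say 'RACF command failed, RC=' rc ':' cmd
    exit rc
  end
return
```

RLIST with AUTHUSER is the check to run after any administration: if a userid rather than the group appears in the access list, someone has bypassed the group and that entry will survive a REMOVE. Because the RACF database is updated immediately by CONNECT and REMOVE but each user's group list is built at sign-on, a removed user's current CICS session is unaffected; revoke or cancel the session separately if the removal is urgent.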
Note that in an ISC or MRO environment, the interval that elapses before a remote userid is deleted is determined by the CICS system initialization parameter USRDELAY, which specifies how long an unused userid can remain signed on. (This can be up to 7 days.) A change to such a user's group membership is not seen in the remote region until the userid has been deleted and signed on again, so it can lag the CONNECT or REMOVE by up to that interval. For information about specifying USRDELAY, see the CICS System Definition Guide.