Will RACF pass the Superior Group names to TPX for a dynamic user during signon?

Document ID : KB000032023
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

Will RACF pass the Superior Group names to TPX for a user during signon?

 

 

Answer: 

No, RACF does not return the superior group names in a user-level profile selection environment.

RACF can use tiered levels of user groups called Superior Groups.  For example: UserGroupC has a superior group of UserGroupB which has a superior user group of UserGroupA.

For dynamic or saved dynamic user signon, TPX checks the user's security access based upon the SMRT Security parameter Profile Selection:

  • When profile selection is USER, TPX issues a RACROUTE VERIFY which returns the authorized group names for that user to TPX. (RACF is not returning the superior group names.)
  • When profile selection is PROF, TPX issues a RACHECK on each profile name in memory.

A SECDEBG trace can be used to confirm which groups are returned to TPX from security during a user signon.  SECDEBG was used to verify that Superior Groups are NOT returned to TPX for the user. 

 

Additional Information:

Programming Guide: Programming Profile Selection for Dynamic Users  (TPX 5.4 wiki:  Programming Guide - Profile Selection for Dynamic Users)

TEC509062: How to start a SECDEBG trace?