Will RACF pass the Superior Group names to TPX for a user during signon?
No, RACF does not return the superior group names in a user-level profile selection environment.
RACF can use tiered levels of user groups called Superior Groups. For example: UserGroupC has a superior group of UserGroupB which has a superior user group of UserGroupA.
For dynamic or saved dynamic user signon, TPX checks the user's security access based upon the SMRT Security parameter Profile Selection:
- When profile selection is USER, TPX issues a RACROUTE VERIFY which returns the authorized group names for that user to TPX. (RACF is not returning the superior group names.)
- When profile selection is PROF, TPX issues a RACHECK on each profile name in memory.
A SECDEBG trace can be used to confirm which groups are returned to TPX from security during a user signon. SECDEBG was used to verify that Superior Groups are NOT returned to TPX for the user.