BCSC RACF add-on tools for OS390: FixCon



Home
Products
	RACF-Offline
	FixCon
	FixOwner
Services
	Security Reviews
		Attention Areas
	RACF Database Merge
	RACF Implementation
Presentations
About BCSC
Partners
News

FixCon

Especially in larger installations there are often mismatches and inconsistencies in the connections between RACF user-profiles, connection-profiles and group-profiles. You notice them through the ICH3003I messages in the output of the RACF LISTUSER or LISTGRP commands. Or you may become aware of them through problems with access that is not being granted while you thought it was. Or on the other hand: access was granted unexpectedly when it shouldn’t.

These problems usually result from :

the fact that no referential integrity is enforced in the RACF database
the introduction and use of UNIVERSAL GROUPS in RACF

To correct these problems a sequence of CONNECT- and REMOVE-commands needs to be issued, sometimes in combination with reassignment of ownership of dataset profiles.

However, it is not always that easy, or even possible, to correct the error. What happens for instance when the group involved is the DFLTGRP of the user, or when the group has been deleted but the connection data is still present in the user-profile?

The possible problems caused by these administrative pitfalls, and by the absence of a standard fix, turn this process into an administrative hassle.

Common examples, illustrated below, are missing references from users to groups (and vice versa), and orphan references from users to groups that have been deleted.

RACF connection errors

FixCon is a command that lists the known inconsistencies and fixes them automatically. You don’t need an in-depth understanding of the internal relationships in the RACF database in order to fix the connections, prevent connection-errors and keep being in control. The command can be used on a detailed level (one user/one group) or for many groups and many users.

The second function the product provides is a conversion of STANDARD GROUPS to UNIVERSAL GROUPS and vice versa. RACF itself does not offer the possibility to do so: the easiest way still involves creation of a new group and execution of many (often thousands) of commands. FixCon lets you do this using only two commands in a controlled way.

FixCon can be run as an online command or in the batch by a user with the RACF SPECIAL attribute.

How it works:

To fix connection data, FixCon can:

Verify and correct the connection of one user to one group
Verify and correct all connections for one user and all groups
Verify and correct all connections for all users and one group
Manipulate detailed connection information per profile that you cannot edit using RACF in case you don't want a completely automatic correction of the connect problems.

FixCon handles STANDARD GROUPS as well as UNIVERSAL GROUPS and their specific issues.

For group-conversions FixCon can:

Convert a STANDARD GROUP to a UNIVERSAL GROUP
Convert a UNIVERSAL GROUP to a STANDARD GROUP