RACF DATABASE MERGE

With ongoing mergers and the growing capacity of hardware, there is a need to consolidate multiple systems into one. Part of the overall project is the consolidation of the RACF database. There are several scenarios for this task. Most of these require re-defining users and their access into already existing systems. The process should have as little impact as possible on the normal user.

The first step in a RACF consolidation is an assessment of the various RACF options, tables and exits on the systems involved. After harmonizing these, the RACF database information may be merged into the new system. Now may also be a good time to correct minor problems in your RACF database, like ownership and user default-groups. There are several different approaches to performing the merge:

  • Use the IBM utility IRRUT400 to combine the RACF databases. Do this in a test environment, and analyze the resulting database problems. Then generate multiple commands to fix the errors introduced during the IRRUT400 merge. The main advantage of this approach is that users and their passwords are carried over without any problems. By choosing the right sequence of the input RACF databases, you can select which system takes precedence in case the same profile (user, group or resource) exists on multiple systems.

    This approach is strongly discouraged by IBM. The resulting RACF database will have all types of referential integrity problems that may sometimes be hard to correct. However, in some organizations and situations this merge approach does work and provides quick results.

  • Use IBM-provided tools like DBSYNC and PWDCOPY. The main advantage of these tools is that they are free. However, they also need some attention before using them. In our experience the main concern is that they implement an "overlay" approach. The commands generated contain keywords to define profiles on the target system identical to those on the source system. Of course, since DBSYNC is provided in source, you can always adapt it to fit your specific needs. To handle the problem of password synchronization, there are several options. The easiest one is to use the PWDCOPY utility. Alternatively, it may be possible to define the users, set up an RRSF connection between the two systems and wait for the users to change their passwords on the source system. RRSF will then synchronize the password on the target system. Although completely transparent, the process may take a long time to complete (depending on the password change interval of your user population).

  • Use RACF add-on tools that provide a dedicated database merge function, like Consul/zAdmin does. These products generate commands based on an actual comparison of the RACF profiles involved. They also provide a way to control the merge process. For instance, for merging an access list, commands can be generated providing the highest access, the lowest access, the source system access, or the target system access. Of course they also provide a way to synchronize user passwords.
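The access-list merge policies named in the last item (highest, lowest, source or target access), as an added example that is not code from Consul/zAdmin, DBSYNC or any IBM tool. The profile name, class and IDs are constructed, and carrying over IDs that exist only on the source is an assumption of this sketch.

```python
# Added example: merge one profile's access list under a chosen conflict policy
# and emit RACF PERMIT commands only for entries that change on the target.
# RACF access levels, lowest to highest authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}

POLICIES = {
    "highest": lambda src, tgt: max(src, tgt, key=RANK.__getitem__),
    "lowest": lambda src, tgt: min(src, tgt, key=RANK.__getitem__),
    "source": lambda src, tgt: src,
    "target": lambda src, tgt: tgt,
}

def merge_access_list(source, target, policy):
    """Return (merged access list, conflicts) for one profile.

    conflicts holds (id, source_access, target_access, chosen_access) for every
    ID whose access differs between the systems, so each can be reviewed.
    """
    choose = POLICIES[policy]
    merged = dict(target)          # IDs only on the target are left untouched
    conflicts = []
    for ident, src_level in sorted(source.items()):
        if src_level not in RANK:
            raise ValueError(f"unknown access level {src_level!r} for {ident}")
        tgt_level = target.get(ident)
        if tgt_level is None:
            merged[ident] = src_level   # assumption: source-only IDs carry over
        elif tgt_level != src_level:
            merged[ident] = choose(src_level, tgt_level)
            conflicts.append((ident, src_level, tgt_level, merged[ident]))
    return merged, conflicts

def permit_commands(profile, rclass, target, merged):
    """PERMIT commands that bring the target access list to the merged state."""
    return [
        f"PERMIT {profile} CLASS({rclass}) ID({ident}) ACCESS({merged[ident]})"
        for ident in sorted(merged)
        if target.get(ident) != merged[ident]
    ]

# Constructed sample access lists for one general resource profile.
SOURCE = {"USERA": "UPDATE", "USERB": "READ", "GRPFIN": "NONE"}
TARGET = {"USERA": "READ", "GRPFIN": "READ", "USERC": "ALTER"}

if __name__ == "__main__":
    for policy in POLICIES:
        merged, conflicts = merge_access_list(SOURCE, TARGET, policy)
        print(policy, conflicts)
        print("\n".join(permit_commands("MERGE.DEMO.RESOURCE", "FACILITY", TARGET, merged)))
```

Running the same input through all four policies before executing any commands shows which IDs gain or lose access under each choice.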

Whichever approach is best suited for your environment, the last step is always to report on the status of the profiles, and compare these against the original profiles in the source and target database. This is essential to prevent potential errors from impacting your production environment.

BCSC has experience in merging RACF databases using all three of the methods mentioned above. We can help you choose a process that is best for your specific situation. We also provide a timing estimate for the entire project, depending on the complexity and the system resources available for the process.