Hi Team,
I have a requirement to delete the universal RACF groups and recreate them as normal group I. Universal attribute
As there are hardly 2000 users in the system, there is no requirement for universal groups.
I have read some posts regarding the RACKILL utility, so I thought of making use of this utility to delete the universal groups and recreate them, as this will delete the entry '0100' from the RACF flat file, so the user connections and the profile permissions to the group remain as they are.
Can someone assist if this is the right option to do, as I don't find many materials about this utility?
Converting universal groups to normal Racf group
Re: Converting universal groups to normal Racf group
BTDT many times. Do NOT use RACKILL. The safe and proper way to replace a Universal group with a normal group is to REMOVE all the users from the Universal group, DELGROUP the Universal group, ADDGROUP the replace group, and CONNECT the users to the new group with the same connect attributes they had previously. If a Universal group is the default group for any users, you will need to temporarily change the default group for these users to another group before you proceed with replacing the Universal group. Create all your commands in advance so all you have to do is submit batch jobs to perform these actions in short order. We've used the RACF database unload to automate the generation of the commands. I suggest doing this during a system maintenance period when the affected users are not likely to be online. Special handling is required if any of the IDs affected are active Started Tasks to avoid disrupting them.
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
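The command-generation step described in the post above, as an added example (not code from the poster or from RSH Consulting): it emits the RACF commands in the order the procedure requires. The input rows are a constructed, simplified extract rather than the IRRDBU00 record layout, and the names SYS1, SECADM and HOLDGRP are hypothetical; HOLDGRP is assumed to be a dedicated holding group with no existing members.

```python
from typing import NamedTuple

class Connect(NamedTuple):
    user: str
    group: str
    owner: str            # owner of the connect profile
    authority: str        # USE / CREATE / CONNECT / JOIN
    uacc: str
    flags: tuple          # group-level attributes, e.g. ("SPECIAL",)
    default_group: str    # the user's current default group

# Constructed sample data (hypothetical IDs, not from a real database unload).
SAMPLE = [
    Connect("USERA", "UGRP1", "SECADM", "USE", "NONE", (), "UGRP1"),
    Connect("USERB", "UGRP1", "SECADM", "CONNECT", "NONE", ("SPECIAL",), "DEPT1"),
    Connect("USERB", "DEPT1", "SECADM", "USE", "NONE", (), "DEPT1"),
]

def build_commands(rows, group, supgroup, owner, holding_group):
    """Return the command stream for replacing `group` with a normal group."""
    members = [r for r in rows if r.group == group]
    defaulted = [r for r in members if r.default_group == group]
    cmds = []
    # 1. Users whose default group is the Universal group must be moved
    #    first; ALTUSER DFLTGRP needs an existing connection to the target.
    for r in defaulted:
        cmds.append(f"CONNECT {r.user} GROUP({holding_group})")
        cmds.append(f"ALTUSER {r.user} DFLTGRP({holding_group})")
    # 2. Remove every user, delete the group, recreate it without UNIVERSAL.
    cmds += [f"REMOVE {r.user} GROUP({group})" for r in members]
    cmds.append(f"DELGROUP {group}")
    cmds.append(f"ADDGROUP {group} SUPGROUP({supgroup}) OWNER({owner})")
    # 3. Reconnect each user with the connect attributes recorded earlier.
    for r in members:
        cmd = (f"CONNECT {r.user} GROUP({group}) OWNER({r.owner}) "
               f"AUTHORITY({r.authority}) UACC({r.uacc}) {' '.join(r.flags)}")
        cmds.append(cmd.rstrip())
    # 4. Restore the original default group and leave the holding group.
    for r in defaulted:
        cmds.append(f"ALTUSER {r.user} DFLTGRP({group})")
        cmds.append(f"REMOVE {r.user} GROUP({holding_group})")
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE, "UGRP1", "SYS1", "SECADM", "HOLDGRP")))
```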
Re: Converting universal groups to normal Racf group
Hi Robert, thanks for the clarification.
In our shop, DB2 security is not administered by RACF.
If I am deleting and recreating the group which is having DB2 permissions attached to it, will that affect the DB2 permission of the group?
Re: Converting universal groups to normal Racf group
If your RACF groups are DB2 secondary AUTHID groups, then for the brief period when you remove users from the UNIVERSAL group and before you connect them to the new non-UNIVERSAL group, these users will not have the access provided by secondary AUTHID groups. If you schedule this task during a system maintenance period, it is doubtful anyone will be affected. The RACF group delete/recreate process should have no effect on the access of the groups within DB2.
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
Re: Converting universal groups to normal Racf group
We are using the Vanguard rename option to replace a universal group with a normal group.
For example, the universal group is UGRP1.
Using Vanguard, we rename the UGRP1 group to TEMP1
and delete UGRP1.
Then we rename TEMP1 to UGRP1 without the universal attribute.
What are all the steps or prerequisites that need to be taken if a started task, application, or batch account is connected to the universal group?
Re: Converting universal groups to normal Racf group
Does the Vanguard option merely automate the process I outlined or does it also mirror the UGRP1 permissions in the TEMP1 group? In either case, I would still only do this during a system maintenance period. For batch IDs, perform this activity during a system maintenance period when batch activity is suspended. As for the effect on Started Tasks, they would need to be evaluated in detail and addressed on a case-by-case basis. Too complicated to offer general advice in this forum.
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com