On Friday, 08/06/2010 at 10:22 EDT, "McKown, John" <john.mck...@healthmarkets.com> wrote:
> RACF, at least on z/OS, does not allow a GROUP to be a member of a group. A
> RACF group can only contain RACF userids. Eg:
>
> AG GROUP1
> AG GROUP2
> ADDUSER USER1
>
> You can do a CONNECT of USER1 to GROUP1 and GROUP2. But you cannot do a
> CONNECT of GROUP2 to GROUP1.

You are correct that you can't add a group to a group, but let's not throw the baby out with the bath water, eh? What is the objective?

If it is to create a hierarchy of groups, then you use the SUPGROUP() option on the ADDGROUP:

AG GROUP1 SUPGROUP(SYS1)
AG GROUP1A SUPGROUP(GROUP1)
AG GROUP1B SUPGROUP(GROUP1)
AG GROUP2 SUPGROUP(SYS1)
AG GROUP3 SUPGROUP(SYS1)

(watch out for SUPGROUP defaults!!)

So if you connect a user to GROUP1B, they will have access to resources permitted to GROUP1B, GROUP1, and SYS1.

If you have a user who is a member of both GROUP2 and GROUP3 (i.e. not in the same hierarchy), then SETROPTS GRPLIST will cause RACF to check permission of both GROUP2 and GROUP3, not just the user's current group.

Alan Altmark
z/VM Development
IBM Endicott
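The following is an added illustration, not code from the thread or from IBM: a small Python model of the rules as Alan's reply states them (a SUPGROUP() chain up to SYS1, a user's current group versus all connect groups under SETROPTS GRPLIST, and the CONNECT-a-group-to-a-group error John describes). It replays the AG commands from the post; the ADDUSER/CONNECT/DFLTGRP details, the parser, and the assumption that an omitted SUPGROUP() or DFLTGRP() defaults to the issuing administrator's current connect group (the "SUPGROUP defaults" gotcha) are constructed for the example.

```python
import re

# Constructed: the current connect group of the administrator issuing the commands.
# The model uses it as the default when SUPGROUP() or DFLTGRP() is omitted, which
# is the "watch out for SUPGROUP defaults" point in the reply.
ISSUER_CURRENT_GROUP = "SYS1"


class RacfGroupModel:
    """Toy model (hypothetical) of RACF group hierarchy and group-based access checks."""

    def __init__(self, issuer_group=ISSUER_CURRENT_GROUP):
        self.supgroup = {"SYS1": None}  # group -> superior group; SYS1 is the root
        self.connects = {}              # userid -> connect groups, default group first
        self.grplist = False            # is SETROPTS GRPLIST in effect?
        self.issuer_group = issuer_group

    @staticmethod
    def _operand(cmd, keyword):
        """Return the value of KEYWORD(value) in a command line, or None if absent."""
        m = re.search(rf"\b{keyword}\((\w+)\)", cmd, re.IGNORECASE)
        return m.group(1).upper() if m else None

    def run(self, cmd):
        tokens = cmd.split()
        verb = tokens[0].upper()
        if verb in ("AG", "ADDGROUP"):
            name = tokens[1].upper()
            sup = self._operand(cmd, "SUPGROUP") or self.issuer_group
            if sup not in self.supgroup:
                raise ValueError(f"{name}: superior group {sup} is not defined")
            self.supgroup[name] = sup
        elif verb in ("AU", "ADDUSER"):
            user = tokens[1].upper()
            dflt = self._operand(cmd, "DFLTGRP") or self.issuer_group
            if dflt not in self.supgroup:
                raise ValueError(f"{user}: default group {dflt} is not defined")
            self.connects[user] = [dflt]
        elif verb in ("CO", "CONNECT"):
            name = tokens[1].upper()
            group = self._operand(cmd, "GROUP")
            if name in self.supgroup:
                # The point John makes: a group cannot be a member of a group.
                raise ValueError(f"CONNECT {name}: a group cannot be connected to a group")
            if name not in self.connects or group not in self.supgroup:
                raise ValueError(f"CONNECT {name}: user and GROUP() must both be defined")
            if group not in self.connects[name]:
                self.connects[name].append(group)
        elif verb == "SETROPTS":
            ops = {t.upper() for t in tokens[1:]}
            if "NOGRPLIST" in ops:
                self.grplist = False
            elif "GRPLIST" in ops:
                self.grplist = True
        else:
            raise ValueError(f"unsupported command: {verb}")

    def hierarchy(self, group):
        """The group plus every superior group up to SYS1, as the reply describes."""
        chain = []
        while group is not None:
            chain.append(group)
            group = self.supgroup[group]
        return chain

    def checked_groups(self, user):
        """Groups whose permissions are checked for the user under the reply's rules:
        only the current (default) group unless GRPLIST is on, each expanded up its chain."""
        connects = self.connects[user.upper()]
        candidates = connects if self.grplist else connects[:1]
        result = set()
        for g in candidates:
            result.update(self.hierarchy(g))
        return result

    def has_access(self, user, permitted_ids):
        """True if the user or one of the checked groups appears in an access list."""
        ids = {i.upper() for i in permitted_ids}
        return user.upper() in ids or bool(self.checked_groups(user) & ids)


def build_from_post():
    """Replay the AG commands from the reply plus constructed user definitions."""
    model = RacfGroupModel()
    for cmd in [
        "AG GROUP1 SUPGROUP(SYS1)",
        "AG GROUP1A SUPGROUP(GROUP1)",
        "AG GROUP1B SUPGROUP(GROUP1)",
        "AG GROUP2 SUPGROUP(SYS1)",
        "AG GROUP3 SUPGROUP(SYS1)",
        "ADDUSER USER1 DFLTGRP(GROUP1B)",   # constructed
        "ADDUSER USER2 DFLTGRP(GROUP2)",    # constructed
        "CONNECT USER2 GROUP(GROUP3)",      # constructed
    ]:
        model.run(cmd)
    return model
```

Running `build_from_post()` and calling `checked_groups("USER2")` before and after `run("SETROPTS GRPLIST")` shows the difference the reply describes: without GRPLIST only GROUP2's chain is checked, with it GROUP3's as well. Creating a group with `issuer_group` set to something other than SYS1 and no SUPGROUP() shows why the default deserves the warning.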