Purpose

Use the SETROPTS command to set system-wide RACF® options related to resource protection dynamically. Specifically, you can use SETROPTS to do the following:
- Gather and display RACF statistics
- Protect terminals
- Log RACF events
- Permit list-of-groups access checking
- Display options currently in effect
- Enable or disable the generic profile
checking facility on a class-by-class basis
- Activate checking for previous passwords and password phrases
- Limit unsuccessful attempts to access the system using incorrect
passwords and password phrases
- Control change intervals for passwords and password phrases
- Control mixed-case passwords
- Warn of expiring passwords and password phrases
- Establish password syntax rules
- Activate auditing for access attempts by class
- Activate auditing for security labels
- Require that all work entering the system, including users logging
on and batch jobs, have a security label assigned
- Enable or disable the global access checking facility
- Refresh in-storage profile lists and global access checking tables
- Set the password the operator must supply in order for RACF to complete an RVARY command
that changes RACF status or
changes the RACF databases
- Enable or disable the sharing, in common storage, of discrete
and generic profiles for general resource classes
- Activate or deactivate auditing of access attempts to RACF-protected
resources based on installation-defined security levels
- Control the automatic data set protection (ADSP) attribute for
users
- Activate profile modeling for GDG, group, and user data sets
- Activate protection for data sets with single-level names
- Control logging of real data set names
- Control the job entry subsystem options
- Activate tape data set protection
- Control whether RACF is
to allow users to create or access data sets that do not have RACF protection
- Activate and control the scope of erase-on-scratch processing
- Activate program control, which includes both access control to
load modules and program access to data
- Prevent users from accessing uncataloged permanent data sets
- Establish a system-wide VTAM® session interval
- Set an installation-wide default for the RACF security retention period for tape data
sets
- Activate enhanced generic naming for data sets and entries in
the global access checking table
- Set installation defaults for primary and secondary national languages
- Activate auditing for APPC transactions
- Use the dynamic
class descriptor table.
If you specify the AUDIT operand, RACF logs all uses of the RACROUTE REQUEST=DEFINE SVC and all
changes made to profiles by RACF commands.
Following are the classes that can be specified
in the AUDIT operand and the commands and SVCs that are logged for
each class.
| USER | GROUP | DATASET | CDT entries |
|---|---|---|---|
| ADDUSER | ADDGROUP | ADDSD | PERMIT |
| ALTUSER | ALTGROUP | ALTDSD | REQUEST=DEFINE SVC |
| CONNECT | CONNECT | DELDSD | RALTER |
| DELUSER | DELGROUP | PERMIT | RDEFINE |
| PASSWORD | REMOVE | REQUEST=DEFINE SVC | RDELETE |
| REMOVE | - | - | - |
Most RACF functions
do not require special versions or releases of the operating system
or operating system components. However, some do require that your
system be at a certain level.
Using SETROPTS when RACF is enabled for sysplex communication

When RACF is enabled for sysplex communication, RACF propagates the following SETROPTS commands:
- GENERIC REFRESH
- GLOBAL
- GLOBAL REFRESH
- RACLIST
- NORACLIST
- RACLIST REFRESH
- WHEN(PROGRAM)
- WHEN(PROGRAM) REFRESH
When issued from a member of the RACF data sharing group, these
commands, if successful on the member that issues them, are propagated
in a controlled, synchronized manner to the other members in the group.
A system in read-only mode can
participate if it receives a SETROPTS command propagated from another
system, but a user on a system in read-only mode cannot
issue any SETROPTS commands except for the SETROPTS LIST command.
For propagated SETROPTS REFRESH commands, members of the data sharing group are notified
to either create, update, or delete some in-storage information. These
commands are coordinated to ensure that all systems begin to use the
changed information simultaneously, and to always see a consistent
view of this information.
RACF serializes propagated SETROPTS commands to prevent conflicting
commands of the same type (for example, SETROPTS RACLIST and SETROPTS
NORACLIST) from processing simultaneously.
Refer to the specific parameter descriptions for additional information about using these parameters.
Note:
- The options you specify on SETROPTS are common on systems that share the RACF database. All the systems involved must have the required levels of software. If you activate SECLABEL and the multilevel security options on one system, they are activated on all systems.
- If RACF is not enabled for sysplex communication, the SETROPTS commands that would be propagated to all members of a data sharing group must instead be issued on each system sharing the database. Although the command is not propagated, RACF does record the fact that a SETROPTS RACLIST was issued. The next time that any system sharing the database is IPLed, the SETROPTS RACLIST is done on that sharing system.
- When the SETROPTS command is issued from ISPF, the TSO command buffer (including password data) is written to the ISPLOG data set. As a result, you should not issue the SETROPTS command from ISPF, or you must control the ISPLOG data set carefully.
- If the SETROPTS command is issued as a RACF operator command, the command and the password data are written to the system log. Therefore, use of SETROPTS as a RACF operator command should either be controlled or you should issue the command as a TSO command.
RACF date handling

RACF interprets dates with 2-digit years as follows. (The yy value represents the 2-digit year.)
- If 70 < yy <= 99, the date is interpreted as 19yy.
- If 00 <= yy <= 70, the date is interpreted as 20yy.
Issuing options

The following table identifies the eligible options for issuing the SETROPTS command:

| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes (See rule.) | Yes |

Rule: The SETROPTS LIST command without other keywords is not eligible for automatic command direction.
For information on issuing this command
as a RACF TSO command, refer
to RACF TSO commands.
For
information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this
command as a RACF operator
command.
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority
to the proper resource in the OPERCMDS class. For details about OPERCMDS
resources, see "Controlling
the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
Most SETROPTS command functions require you to have the SPECIAL or AUDITOR attribute. If you have the SPECIAL attribute, you can use all of the operands except those listed below, which require the AUDITOR attribute:
- APPLAUDIT | NOAPPLAUDIT
- AUDIT | NOAUDIT
- CMDVIOL | NOCMDVIOL
- LOGOPTIONS
- OPERAUDIT | NOOPERAUDIT
- SAUDIT | NOSAUDIT
- SECLABELAUDIT | NOSECLABELAUDIT
- SECLEVELAUDIT | NOSECLEVELAUDIT
If you have either the SPECIAL or AUDITOR attribute,
you can use the LIST operand.
To specify the AT keyword, you
must have READ authority to the DIRECT.node resource in the
RRSFDATA class and a user ID association must be established between
the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute,
the userid specified on the ONLYAT keyword
must have the SPECIAL attribute, and a user ID association must be
established between the specified node.userid pair(s) if the user IDs are not identical.
In some situations, you can use SETROPTS even if you do not have the SPECIAL or AUDITOR attribute. These situations are:
- You can specify the LIST operand if you have the group-SPECIAL
or group-AUDITOR attribute in the current connect group or if GRPLIST
is active in any group that you are connected to.
- You can specify REFRESH together with GENERIC if you have the
group-SPECIAL, AUDITOR, group-AUDITOR, OPERATIONS, group-OPERATIONS
attribute, or CLAUTH authority for the classes specified.
- You can specify REFRESH together with GLOBAL if you have the OPERATIONS
attribute or CLAUTH authority for the classes specified.
- You can specify REFRESH together with RACLIST if you have CLAUTH
authority to the specified class.
- You can specify REFRESH together with WHEN(PROGRAM) if you have
the OPERATIONS attribute or CLAUTH authority for the program class.
Note: The syntax diagram does not indicate the defaults
that are in effect when RACF is using a newly initialized database. You can find these defaults
in the description of each operand. As you establish the system-wide
defaults your installation needs, you might find it useful to mark
the syntax diagram to reflect your choices.
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the SETROPTS command is:

```
[subsystem-prefix]{SETROPTS | SETR}
  [ ADDCREATOR | NOADDCREATOR ]
  [ ADSP | NOADSP ]
  [ APPLAUDIT | NOAPPLAUDIT ]
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ {AUDIT | NOAUDIT} ({class-name … | *}) ]
  [ CATDSNS( FAILURES | WARNING ) | NOCATDSNS ]
  [ {CLASSACT | NOCLASSACT} ({class-name … | *}) ]
  [ CMDVIOL | NOCMDVIOL ]
  [ COMPATMODE | NOCOMPATMODE ]
  [ EGN | NOEGN ]
  [ ERASE[( { ALL | SECLEVEL(seclevel-name) | NOSECLEVEL } )] | NOERASE ]
  [ {GENCMD | NOGENCMD} ({class-name … | *}) ]
  [ {GENERIC | NOGENERIC} ({class-name … | *}) ]
  [ GENERICOWNER | NOGENERICOWNER ]
  [ {GENLIST | NOGENLIST} (class-name …) ]
  [ {GLOBAL | NOGLOBAL} ({class-name … | *}) ]
  [ GRPLIST | NOGRPLIST ]
  [ INACTIVE(unused-userid-interval) | NOINACTIVE ]
  [ INITSTATS | NOINITSTATS ]
  [ JES(
      [ BATCHALLRACF | NOBATCHALLRACF ]
      [ EARLYVERIFY | NOEARLYVERIFY ]
      [ XBMALLRACF | NOXBMALLRACF ]
      [ NJEUSERID(userid) ]
      [ UNDEFINEDUSER(userid) ]
    ) ]
  [ KERBLVL(0 | 1) ]
  [ LANGUAGE( [ PRIMARY(language) ] [ SECONDARY(language) ] ) ]
  [ LIST ]
  [ LOGOPTIONS(
      { ALWAYS(class-name, …), …
      | NEVER(class-name, …), …
      | SUCCESSES(class-name, …), …
      | FAILURES(class-name, …), …
      | DEFAULT({class-name, … | *})
      } ) ]
  [ MLACTIVE [( FAILURES | WARNING )] | NOMLACTIVE ]
  [ MLFSOBJ( ACTIVE | INACTIVE ) ]
  [ MLIPCOBJ( ACTIVE | INACTIVE ) ]
  [ MLNAMES | NOMLNAMES ]
  [ MLQUIET | NOMLQUIET ]
  [ MLS [( FAILURES | WARNING )] | NOMLS ]
  [ MLSTABLE | NOMLSTABLE ]
  [ MODEL( [ GDG | NOGDG ] [ GROUP | NOGROUP ] [ USER | NOUSER ] ) | NOMODEL ]
  [ OPERAUDIT | NOOPERAUDIT ]
  [ PASSWORD(
      [ HISTORY(number-previous-values) | NOHISTORY ]
      [ INTERVAL(maximum-change-interval) ]
      [ MINCHANGE(minimum-change-interval) ]
      [ MIXEDCASE | NOMIXEDCASE ]
      [ REVOKE(number-incorrect-attempts) | NOREVOKE ]
      [ { RULEn(LENGTH(m1:m2) content-keyword(position)) | NORULEn | NORULES } ]
      [ WARNING(days-before-expiration) | NOWARNING ]
    ) ]
  [ PREFIX(prefix) | NOPREFIX ]
  [ PROTECTALL [( FAILURES | WARNING )] | NOPROTECTALL ]
  [ {RACLIST | NORACLIST} (class-name …) ]
  [ REALDSN | NOREALDSN ]
  [ REFRESH ]
  [ RETPD(nnnnn) ]
  [ RVARYPW( [SWITCH(switch-pw)] [STATUS(status-pw)] ) ]
  [ SAUDIT | NOSAUDIT ]
  [ SECLABELAUDIT | NOSECLABELAUDIT ]
  [ SECLABELCONTROL | NOSECLABELCONTROL ]
  [ SECLBYSYSTEM | NOSECLBYSYSTEM ]
  [ SECLEVELAUDIT(security-level) | NOSECLEVELAUDIT ]
  [ SESSIONINTERVAL(n) | NOSESSIONINTERVAL ]
  [ {STATISTICS | NOSTATISTICS} ({class-name … | *}) ]
  [ TAPEDSN | NOTAPEDSN ]
  [ TERMINAL( NONE | READ ) ]
  [ {WHEN | NOWHEN} (PROGRAM) ]
```
Parameters

- subsystem-prefix
- Specifies that the RACF subsystem is the execution environment of the command. The subsystem prefix can be either the installation-defined prefix
for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix
was registered with CPF, you can use the MVS command D OPDATA to display
it or you can contact your RACF security administrator.
Only specify the subsystem
prefix when issuing this command as a RACF operator command. The subsystem prefix is required when
issuing RACF operator commands.
- ADDCREATOR | NOADDCREATOR
- ADDCREATOR
- Specifies that if a user defines any new DATASET or general
resource profile using ADDSD, RDEFINE or RACROUTE REQUEST=DEFINE,
the profile creator's user ID is placed on the profile access list
with ALTER authority.
- NOADDCREATOR
- Specifies that if a user defines any new DATASET or general
resource profile using ADDSD, RDEFINE or RACROUTE REQUEST=DEFINE,
or creates discrete profiles other than DATASET and TAPEVOL using
RACROUTE REQUEST=DEFINE, RACF does not place the profile creator's user ID on the profile's access
list. If the profile creator uses profile modeling, RACF copies the access list exactly. If the
creator's user ID appears in the model's access list, RACF copies the authority to the new profile.
For example, if the creator's user ID appears in the model's access
list with READ, RACF copies
that access authority to the new profile without changing it to ALTER.
An important exception for NOADDCREATOR occurs when the user creates
a discrete DATASET or TAPEVOL profile using RACROUTE REQUEST=DEFINE.
In this case, RACF ignores
the NOADDCREATOR options and places the profile creator's user ID
on the new profile's access list with ALTER authority. If the profile
creator uses profile modeling to define a discrete DATASET or TAPEVOL
and the creator's user ID appears in the model's access list, RACF creates the authority in the
new profile with ALTER authority. This exception to NOADDCREATOR allows
system components to allocate data sets and immediately access them
without having an administrator manipulate the profile's access list
in the interim.
Note: The initial setting of the ADDCREATOR/NOADDCREATOR
keyword depends on whether your database is new or old. When IRRMIN00
is run with PARM=NEW, the initial setting is NOADDCREATOR. When IRRMIN00
is run with anything other than PARM=NEW, RACF retains the current value of ADDCREATOR/NOADDCREATOR.
For compatibility and migration reasons, this value is set to ADDCREATOR
if no prior specification of ADDCREATOR or NOADDCREATOR had occurred.
- ADSP | NOADSP
- ADSP
- Specifies that data sets created by users who have the automatic data set protection (ADSP) attribute are RACF-protected automatically.
ADSP is in effect
when RACF is using a newly
initialized database.
Because ADSP forces the creation of a
discrete profile for each data set created by users who have the ADSP
attribute, you should normally specify NOADSP if you specify GENERIC.
- NOADSP
- Cancels automatic RACF protection for users who have
the ADSP attribute.
Because ADSP forces the creation of a discrete
profile for each data set created by users who have the ADSP attribute,
you should normally specify NOADSP if you specify GENERIC.
- APPLAUDIT | NOAPPLAUDIT
- APPLAUDIT
- Specifies that auditing of APPC transactions on your
system be enabled. APPC transactions are audited when they receive
authorization (start) or have authorization removed (end). You must
request auditing for the appropriate APPL profile. Otherwise, turning
APPLAUDIT on does not cause auditing of APPC transactions. See z/OS Security Server RACF Auditor's Guide for more information
on requesting auditing.
You must have the AUDITOR attribute to
specify this option.
- NOAPPLAUDIT
- Specifies that auditing of APPC transactions on your
system (starting and ending) be disabled. You must have the AUDITOR
attribute to specify this option.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid …)
- Specifies that the command is to be directed to the node specified
by node, where it runs under the authority
of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is
directed to the local node.
- ONLYAT([node].userid …)
- Specifies that the command is to be directed only to
the node specified by node where it runs
under the authority of the user specified by userid in the RACF subsystem
address space.
If node is not specified,
the command is directed only to the local node.
Note: SETROPTS
LIST with no other keywords specified is not eligible for automatic
command direction. Do not specify the ONLYAT and LIST keywords together
without any other keywords on a SETROPTS command.
- AUDIT | NOAUDIT
- AUDIT(class-name … | *)
- Specifies the names of the classes for
which you want RACF to perform
auditing. For the classes you specify, RACF logs all uses of the RACROUTE REQUEST=DEFINE SVC and all
changes made to profiles by RACF commands. When the class specified is USER, RACF logs all password and password phrase changes
made by RACROUTE REQUEST=VERIFY. (RACF adds the classes you specify to those already specified
for auditing.)
The valid class names are USER, GROUP, DATASET,
and those defined in the class descriptor table. For a list of general resource classes defined in the class descriptor
table supplied by IBM®, see Supplied RACF resource classes.
If you specify an asterisk
(*), logging occurs for all classes.
You must
have the AUDITOR attribute to enter the AUDIT operand.
Note: If
you activate auditing for a class using SETROPTS AUDIT, RACF activates auditing for all classes in the
class descriptor table that have the same POSIT value as the class
you specify. For example, the classes TIMS, GIMS, and AIMS all have
a POSIT value of 4 in their respective class descriptor
table entries. If you activate auditing for any one of these classes,
you activate auditing for all of them. For more information on
sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- NOAUDIT(class-name … | *)
- Specifies the names of the classes for which you no longer
want RACF to perform auditing.
For the classes you specify, RACF no longer logs all uses of the REQUEST=DEFINE SVC and all changes
made to profiles by RACF commands.
The valid class names are USER, GROUP, DATASET, and those classes
defined in the class descriptor table. For
a list of general resource classes defined in the class descriptor
table supplied by IBM, see Supplied RACF resource classes.
If you specify NOAUDIT(*), logging does not occur for any class.
You must have the AUDITOR attribute
to enter the NOAUDIT operand.
Note: If you deactivate auditing
for a class using SETROPTS NOAUDIT, RACF deactivates auditing for all classes in the class descriptor
table that have the same POSIT value as the class you specify. For
example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If
you deactivate auditing for any one of these classes, you deactivate
auditing for all of them. For more information on sharing a POSIT
value, see the POSIT keyword of the RDEFINE command.
- CATDSNS | NOCATDSNS
- CATDSNS (FAILURES | WARNING)
- Specifies that uncataloged data sets, new (and not cataloged),
or system temporary data sets are not to be accessed by users.
The following exceptions apply:
- The job that creates the data set can access it even if the data
set is uncataloged. If the data set is still uncataloged when the
job ends, it is inaccessible thereafter.
- Data sets with discrete profiles can be accessed - even if
uncataloged - if allowed by the profile.
- For uncataloged data sets without discrete profiles, RACF constructs a resource name of ICHUNCAT.dsname (only the first 30 characters of the dsname
are used). It checks the user's authority to this resource in the FACILITY
class. If the resource is protected by a FACILITY class profile, and
the user has access to it, the access is allowed.
- If the user has the SPECIAL attribute, the access is allowed even
if the data set is uncataloged, but a warning message and SMF record
are created.
- If you use DFSMSrmm to manage your tape data sets and the TAPEAUTHF1 option
is active (in the DEVSUPxx member of SYS1.PARMLIB), an uncataloged
tape data set might be read by a user who has access to the first
file on the tape volume when the first file is cataloged. See z/OS DFSMSrmm Implementation and Customization Guide. (If you use a different tape management system, refer to
your product documentation.)
- Write requests to tape data sets are not denied because of SETROPTS
CATDSNS.
CATDSNS might have a negative impact on RACF and system performance because RACF must verify that data sets
are cataloged before it allows them to be opened.
- FAILURES
- Specifies that RACF is
to reject any request to access a data set that is not cataloged.
FAILURES is the default.
If CATDSNS(FAILURES) is in effect
and a privileged started task or a user with the SPECIAL attribute
requests access of an uncataloged data set, RACF accepts the request and issues a warning
message.
- WARNING
- Specifies that the access is allowed even if the data set is uncataloged.
However, a warning message and SMF record are created.
- NOCATDSNS
- Specifies that data sets that are not cataloged can be accessed
by users.
NOCATDSNS is in effect when RACF is using a newly initialized database.
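The uncataloged data set rules above, as an added Python simulation that is not part of the IBM documentation: it applies the documented CATDSNS exceptions in order and builds the ICHUNCAT resource name with the 30-character truncation. The request record is a constructed stand-in for what RACF knows at OPEN time, and `catdsns_decision` is a hypothetical helper, not a RACF interface.

```python
"""Simulation of the documented SETROPTS CATDSNS decision for an uncataloged
data set.  Added illustration, not RACF code: the request record below is a
constructed stand-in for the information RACF has at OPEN time."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class UncatalogedRequest:
    dsname: str
    user: str
    creating_job: bool = False                      # request comes from the job that created it
    discrete_profile_allows: Optional[bool] = None  # None: no discrete profile exists
    facility_read: Set[str] = field(default_factory=set)  # FACILITY resources user can READ
    user_special: bool = False
    tape_write: bool = False


@dataclass
class Decision:
    allowed: bool
    warning: bool = False   # warning message issued
    smf: bool = False       # SMF record written
    reason: str = ""


def ichuncat_resource(dsname: str) -> str:
    """FACILITY resource checked for an uncataloged data set that has no
    discrete profile: ICHUNCAT. followed by at most 30 characters of the name."""
    return "ICHUNCAT." + dsname[:30]


def catdsns_decision(mode: str, req: UncatalogedRequest) -> Decision:
    """Apply the documented exceptions, in order, for a data set that is NOT
    cataloged.  mode is 'FAILURES', 'WARNING' or 'NOCATDSNS'."""
    if mode not in ("FAILURES", "WARNING", "NOCATDSNS"):
        raise ValueError(f"unknown CATDSNS mode {mode!r}")
    if mode == "NOCATDSNS":
        return Decision(True, reason="CATDSNS not in effect")
    if req.tape_write:
        return Decision(True, reason="write requests to tape are not denied by CATDSNS")
    if req.creating_job:
        return Decision(True, reason="creating job may use the data set until it ends")
    if req.discrete_profile_allows is not None:
        # A discrete profile decides on its own, cataloged or not.
        return Decision(req.discrete_profile_allows, reason="discrete profile decides")
    if ichuncat_resource(req.dsname) in req.facility_read:
        return Decision(True, reason="FACILITY ICHUNCAT profile permits access")
    if req.user_special:
        # SPECIAL users get through, but the event is recorded.
        return Decision(True, warning=True, smf=True, reason="SPECIAL user: allowed with warning")
    if mode == "WARNING":
        return Decision(True, warning=True, smf=True, reason="CATDSNS(WARNING): allowed with warning")
    return Decision(False, reason="CATDSNS(FAILURES): uncataloged data set rejected")
```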
- CLASSACT | NOCLASSACT
- CLASSACT(class-name … | *)
- Specifies those classes defined by entries in the class
descriptor table for which RACF protection is to be in effect.
If you specify an asterisk (*), you activate RACF protection for all classes defined in the class descriptor table
except for those classes with a default return code of 8. For a list of general resource classes
defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Note:
- If you activate a class using SETROPTS CLASSACT, RACF activates all classes in the class descriptor
table that have the same POSIT value as the class you specify. For
example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If
you activate any one of these classes, you activate all of them.
For more information on sharing a POSIT value, see the POSIT keyword
of the RDEFINE command.
- Before activating a class that has a default return code of 8 in the class descriptor table (either explicitly or by
means of a shared POSIT value), be sure you have defined the necessary
profiles to allow your users to access resources in that class. For
example, if you activate JESINPUT without defining profiles to allow
access, no one is able to submit batch jobs.
- You need not activate the DIGTCERT, DIGTCRIT, and DIGTRING classes
to use resources in those classes. However, performance is improved
when you RACLIST the DIGTCERT and DIGTCRIT classes if you use resources
in these classes. To RACLIST a class, you must activate it.
- NOCLASSACT(class-name … | *)
- Specifies those classes defined by entries in the class
descriptor table for which RACF protection is not to be in effect. If you specify an asterisk (*), you deactivate RACF protection for all classes defined in the class descriptor table. For a list of general resource classes defined
in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
NOCLASSACT is in effect when RACF is using a newly initialized database.
- CMDVIOL | NOCMDVIOL
- Specifies whether RACF is
to log violations detected by RACF commands. You must have the AUDITOR attribute to specify these options.
- CMDVIOL
- Specifies that RACF is to log violations detected by RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and
SEARCH) during RACF command
processing. A violation might occur because a user is not authorized
to modify a particular profile or is not authorized to enter a particular
operand on a command.
CMDVIOL is in effect when RACF is using a newly initialized database.
- NOCMDVIOL
- Specifies that RACF is not to log violations detected by RACF commands during RACF command processing (except RVARY and SETROPTS, which are always
logged).
- COMPATMODE | NOCOMPATMODE
- COMPATMODE
- Allows users and jobs not using security labels to be
on a system enforcing security labels. The ACEEs of the user IDs or
jobs must have been created by a RACROUTE REQUEST=VERIFY that did
not specify the RELEASE=1.9 keyword (or later).
- NOCOMPATMODE
- Users and jobs must be running with correct security
labels to access data.
NOCOMPATMODE is in effect when RACF is using a newly initialized
database.
- EGN | NOEGN
- Specifies whether to activate or deactivate enhanced generic naming (EGN).
- EGN
- Activates EGN. When you activate this option, RACF allows you to specify the
generic character ** (in addition to the generic
characters * and %) when you define
data set profile names and entries in the global access checking table.
Note:
- EGN changes the meaning of the generic character *.
- When you first activate enhanced generic naming, the RACF-protection
provided by existing data set profiles and global access checking
table remains the same.
For information on EGN and its effect on profile names, see the description of generic profiles in Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference.
- NOEGN
- Specifies deactivation of EGN. When you deactivate this
option, RACF does not allow
you to specify the generic character ** when you
define data set names and entries in the global access checking table.
NOEGN is in effect when RACF is using a newly initialized database.
Important: If you protect data sets with generic profiles while EGN is active
and then deactivate this option, your resources can no longer be protected. Table 1 and Table 2 show examples of generic profiles created with enhanced generic
naming active.
Some of these profiles do not provide RACF protection when the option
is deactivated. If a data set is unprotected when EGN is deactivated,
you can protect the data set with a discrete profile (as described in Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference) either before or after the option is deactivated, or with a
generic profile after the option is deactivated.
- ERASE | NOERASE
- ERASE(erase-indicator)
- Specifies that data management is to
physically erase the contents of deleted data sets and scratched or
released DASD extents. Erasing the data set means overwriting its
contents with binary zeroes so that it cannot be read.
Restriction: The ERASE option applies to DASD data sets
only, not tape data sets, unless you set the TAPEAUTHDSN option
in the DEVSUPxx member of SYS1.PARMLIB. See "Erasing Scratched or Released Data (ERASE Option)" in z/OS Security Server RACF Security Administrator's Guide for more information. For details about customizing SYS1.PARMLIB,
see z/OS MVS Initialization and Tuning Reference. For details about controlling authorization for tape volume
overwriting, see z/OS DFSMSrmm Implementation and Customization Guide. (If you use a different tape management system, refer to
your product documentation.)
If you specify ERASE without any
suboperand, whether a scratched data set is erased depends on the
status of the erase indicator in the data set profile. The SETROPTS
ERASE suboperands allow you to override the erase indicator in the
data set profile, to control the scope of erase-on-scratch on an installation
level rather than leaving it to individual users.
The SETROPTS ERASE erase-indicator can be:
- ALL
- Specifies that data management is to erase all scratched data sets, including temporary data sets, regardless of the erase indicator,
if any, in the data set profile.
- SECLEVEL(seclevel-name)
- Specifies that data management is to erase all scratched data sets that have a security level equal to or greater than the security
level that you specify, where seclevel-name must be a member of the SECLEVEL profile in the SECDATA class.
Note: A scratched data set with a security level lower than
the level you specify is not erased unless the erase indicator (if
any) in the data set profile is on.
- NOSECLEVEL
- Specifies that RACF is
not to consider the security level in the data set profile when it
decides whether data management is to erase a scratched data set.
Note: A scratched data set, regardless of security
level, is not erased unless the erase indicator (if any) in the data
set profile is on.
NOSECLEVEL is the default if you do not
specify erase-indicator when you specify
ERASE.
- NOERASE
- Specifies that erase-on-scratch
processing is not in effect. NOERASE means that no data sets
are erased when deleted (scratched), even if the erase indicator in
the data set profile is on.
NOERASE is in effect when RACF is using a newly initialized
database.
- GENCMD | NOGENCMD
- GENCMD(class-name … | *)
- Activates generic profile command
processing for the specified classes. Valid class names are DATASET
and all class names except grouping classes and classes defined with
the GENERIC(DISALLOWED) attribute.
The following supplied classes in the static class descriptor table (CDT) are defined with the GENERIC(DISALLOWED) attribute: CDT, IDIDMAP, REALM, SECLABEL, CFIELD, KERBLINK, SECLMBR.
To identify installation-defined classes in the dynamic
CDT with the GENERIC(DISALLOWED) attribute, issue the RLIST
CDT * CDTINFO command to list the attributes of all classes
in the dynamic CDT.
If you specify
an asterisk (*), you activate generic profile command
processing for the DATASET class plus all general resource classes
except grouping classes and classes defined with the GENERIC(DISALLOWED)
attribute.
When GENCMD is in effect for a class, all the command
processors can work on generic profiles, but the RACF SVC routines cannot perform generic profile
checking. This operand allows the installation to temporarily disable
generic profile checking (during maintenance, for example) and still
use the RACF commands to maintain
generic profiles.
Generic profile command processing is automatically
activated for all classes for which generic profile checking is activated.
Therefore, when you issue SETROPTS GENERIC for a class, you need not
issue SETROPTS GENCMD for the same class.
Note: If you activate
generic profile command processing for a class using SETROPTS GENCMD, RACF activates generic profile
command processing for all classes in the class descriptor table that
have the same POSIT value as the class you specify, except grouping
classes. For example, the resource classes TIMS and AIMS and the grouping
class GIMS all have a POSIT value of 4 in their respective
class descriptor table entries. If you activate generic profile command
processing for TIMS, you also activate it for AIMS. However, you cannot
activate this option for GIMS because GIMS is a grouping class. For more information on sharing a POSIT value, see the POSIT keyword
of the RDEFINE command.
- NOGENCMD(class-name … | *)
- Deactivates generic profile command processing for the
specified classes. Valid class names are DATASET and all class names
except grouping classes and classes defined with the GENERIC(DISALLOWED)
attribute.
If you specify an asterisk (*), you
deactivate generic profile command processing for the DATASET class
plus all general resource classes except grouping classes and classes
defined with the GENERIC(DISALLOWED) attribute.
NOGENCMD(*) is in effect when RACF is using a newly initialized database.
If generic profile
checking is active (GENERIC is in effect), RACF ignores this operand because GENERIC both
includes and overrides generic profile command processing.
Note: If you deactivate generic profile command processing for a class
using SETROPTS NOGENCMD, RACF deactivates generic profile command processing for all classes in
the class descriptor table that have the same POSIT value as the class
you specify, except grouping classes. For example, the resource classes
TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If
you deactivate generic profile command processing for TIMS, you also
deactivate it for AIMS. However, GIMS is unaffected because it is
a grouping class. For more information on sharing a POSIT value,
see the POSIT keyword of the RDEFINE command.
- GENERIC | NOGENERIC
-
- GENERIC(class-name … | *)
- Activates generic profile checking for the classes specified.
Note: Avoid activating generic profile checking for the DIGTCERT or DIGTRING
class.
Valid class names are DATASET and all class names
except grouping classes and classes defined with the GENERIC(DISALLOWED)
attribute.
The following supplied classes in the static class
descriptor table (CDT) are defined with the GENERIC(DISALLOWED) attribute:
- CDT
- CFIELD
- IDIDMAP
- KERBLINK
- REALM
- SECLABEL
- SECLMBR
To identify installation-defined classes in the dynamic
CDT with the GENERIC(DISALLOWED) attribute, issue the RLIST
CDT * CDTINFO command to list the attributes of all classes
in the dynamic CDT.
Guidelines:
- When possible, use generic profiles to protect multiple resources
and reduce administrative effort. Consider issuing SETROPTS GENERIC(classname) for the classes you use, so that generic profiles
are usable in those classes.
- If you already have general resource profiles defined in your
database, avoid issuing the SETROPTS GENERIC(*) command.
This command activates generic profile checking for all classes except
resource grouping classes and classes defined with the GENERIC(DISALLOWED)
attribute. Some classes, such as DIGTCERT and DIGTRING, do not support
generic profile checking. These and other classes might already have
profile names that contain generic characters (*, &, and %).
- If a general resource class already has discrete profiles with
names that contain generic characters (*, &, and %), enabling generic profile
checking for the class prevents RACF from using those discrete
profiles for authorization checking.
If you enable SETROPTS GENERIC
for a class that has a discrete profile name containing generic characters,
the profile will be marked UNUSABLE in RLIST and
SEARCH output listings.
Tip: Use the RDELETE command
with the NOGENERIC option to delete this profile.
- In general, once you activate generic profile checking for a class
and define generic profiles, avoid deactivating it with the NOGENERIC
operand. RACF will not use your previously defined generic profiles
for authorization checking while NOGENERIC is in effect.
Generic
profile command processing is automatically activated for all classes
for which generic profile checking is activated. Therefore, when you
issue SETROPTS GENERIC for a class, you need not issue SETROPTS GENCMD
for the same class.
If you specify GENERIC with REFRESH, only
those currently active and authorized classes are refreshed.
Note:
- If RACF is enabled for sysplex communication, RACF propagates
SETROPTS GENERIC(class-name) REFRESH commands
to other members of the data sharing group.
- If RACF is not enabled for sysplex communication, a SETROPTS GENERIC(class-name) REFRESH command is effective only on the system where it is issued.
- If you specify GENERIC, you should also specify NOADSP.
- If you activate generic profile checking for a class using SETROPTS
GENERIC, RACF activates generic
profile checking for all classes in the class descriptor table that
have the same POSIT value as the class you specify, except grouping
classes. For example, the resource classes TIMS and AIMS and the grouping
class GIMS all have a POSIT value of 4 in their respective
class descriptor table entries. If you activate generic profile checking
for TIMS, you also activate it for AIMS. However, you cannot activate
this option for GIMS because GIMS is a grouping class.
For more
information on sharing a POSIT value, see the POSIT keyword of the
RDEFINE command.
- NOGENERIC(class-name … | *)
- Deactivates the generic profile checking facility for
the classes specified.
Guideline: In
general, once you activate generic profile checking for a class and
define generic profiles, avoid deactivating it with the NOGENERIC
operand. RACF will not use
your defined generic profiles for authorization checking while NOGENERIC
is in effect.
Valid class names are DATASET and all class names
except grouping classes and classes defined with the GENERIC(DISALLOWED)
attribute.
If you specify an asterisk (*),
you deactivate generic profile checking for the DATASET class plus
all general resource classes except grouping classes and classes defined
with the GENERIC(DISALLOWED) attribute.
NOGENERIC(*) is in effect when RACF is using a newly initialized database.
NOGENERIC does not
automatically deactivate generic profile command processing. Therefore,
when you issue SETROPTS NOGENERIC for a class, issue SETROPTS NOGENCMD
if you want to deactivate generic profile command processing for the
same class.
If you specify GENCMD with NOGENERIC, users can
issue RACF commands to maintain
generic profiles, but RACF does
not use generic profile checking during authorization checking.
If you specify NOGENCMD with NOGENERIC, all generic profile command
processing is deactivated.
Note: If you deactivate generic profile
checking for a class using SETROPTS NOGENERIC, RACF deactivates generic profile checking for
all classes in the class descriptor table that have the same POSIT
value as the class you specify, except grouping classes. For example,
the resource classes TIMS and AIMS and the grouping class GIMS all
have a POSIT value of 4 in their respective class
descriptor table entries. If you deactivate generic profile checking
for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected
because it is a grouping class. For more information on sharing
a POSIT value, see the POSIT keyword of the RDEFINE command.
- GENERICOWNER | NOGENERICOWNER
-
- GENERICOWNER
- Restricts creation of profiles in all general resource classes
except the PROGRAM class.
To create a profile that is more specific
than any existing profile protecting the same resource a user must:
- Have the SPECIAL attribute
- Be the owner of the existing profile
- Have the group-SPECIAL attribute if a group owns the profile
- Have the group-SPECIAL attribute if the owner of the profile is
in the scope of the group.
Note:
- GENERICOWNER provides protection only when there is an existing
(less-specific) profile protecting the resource.
- A less-specific profile must end in *, ** or trailing % characters. A more specific
profile is a profile that matches the less-specific profile name,
character for character, up to the ending *, or **, or trailing % characters in the less-specific
name. If the less-specific profile ends in %, the
characters in the more specific profile that correspond to the contiguous
trailing % characters must not be either * or . characters. For more information, see Permitting profiles for GENERICOWNER classes.
For example: To allow USERX to RDEFINE A.B in the JESSPOOL
class, you need profile A.* in the JESSPOOL class,
which is owned by USERX. You also need profile **, owned by the system administrator, to prevent other CLAUTH users
from being able to RDEFINE A.B.
- GENERICOWNER does not prevent the creation of a more specific
profile if the more specific profile is created in the grouping class
and is specified on the ADDMEM operand. For example, profile A* exists in the TERMINAL class and is owned by a group for
which user ELAINE does not have group-SPECIAL. If the GENERICOWNER
option is in effect, user ELAINE cannot define a more specific profile
in the member class (such as, RDEF TERMINAL AA*),
but user ELAINE can define a profile if it is specified on the ADDMEM
operand for the grouping class profile - such as
RDEF GTERMINL profile-name ADDMEM(AA*).
- NOGENERICOWNER
- Cancels
the restriction on the creation of profiles for general resources.
NOGENERICOWNER is in effect when RACF is using a newly initialized database.
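To make the GENERICOWNER matching rule concrete, here is an added Python model (not RACF code) of the less-specific/more-specific profile test and of the ownership check from the JESSPOOL example above. Group ownership and group-SPECIAL scope are not modelled, and treating the most specific existing profile as the one whose owner is checked is an assumption drawn from that example.

```python
# Constructed model of SETROPTS GENERICOWNER checks; not RACF code.

def split_less_specific(name):
    """Split a less-specific profile name into (fixed prefix, generic tail).

    A less-specific profile must end in '**', '*' or a run of trailing '%'
    characters. Any other name cannot act as a less-specific profile for
    GENERICOWNER purposes, so None is returned.
    """
    if name.endswith("**"):
        return name[:-2], "**"
    if name.endswith("*"):
        return name[:-1], "*"
    stripped = name.rstrip("%")
    if len(stripped) < len(name):
        return stripped, name[len(stripped):]
    return None


def is_more_specific(candidate, less_specific):
    """True when `candidate` is a more specific profile than `less_specific`.

    The candidate must match the less-specific name character for character
    up to its ending '*', '**' or trailing '%' characters. When the
    less-specific name ends in '%', each candidate character standing in
    for a '%' must not be '*' or '.'.
    """
    parts = split_less_specific(less_specific)
    # An identical name is the same profile, not a more specific one (assumption).
    if parts is None or candidate == less_specific:
        return False
    prefix, tail = parts
    if not candidate.startswith(prefix):
        return False
    rest = candidate[len(prefix):]
    if tail in ("*", "**"):
        return True
    # Trailing-% tail: exactly one character per '%', none of them '*' or '.'.
    if len(rest) != len(tail):
        return False
    return not any(ch in "*." for ch in rest)


def generic_owner_blockers(candidate, existing_profiles):
    """Return the existing less-specific profiles that cover `candidate`.

    `existing_profiles` maps profile name -> owner, as in the page's
    JESSPOOL example (A.* owned by USERX, ** owned by the administrator).
    """
    return {name: owner for name, owner in existing_profiles.items()
            if is_more_specific(candidate, name)}


def can_define(candidate, existing_profiles, user, special=False):
    """Decide whether `user` may define `candidate` with GENERICOWNER in effect.

    With no covering less-specific profile there is nothing to protect, so
    the definition is allowed. A SPECIAL user is always allowed. Otherwise
    the user must own the most specific covering profile (assumption: the
    one with the longest fixed prefix), which is what lets USERX define
    A.B under A.* even though ** exists and is owned by someone else.
    """
    blockers = generic_owner_blockers(candidate, existing_profiles)
    if not blockers:
        return True
    if special:
        return True
    governing = max(blockers, key=lambda n: len(split_less_specific(n)[0]))
    return blockers[governing] == user


if __name__ == "__main__":
    jesspool = {"A.*": "USERX", "**": "SYSADMIN"}  # constructed sample class
    print(can_define("A.B", jesspool, "USERX"))   # True
    print(can_define("A.B", jesspool, "USERY"))   # False
</test>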
- GENLIST | NOGENLIST
-
- GENLIST(class-name …)
- Also see RACLIST operand.
Activates the sharing of in-storage
generic profiles for the classes specified. When GENLIST is active
for a class, the generic profiles for that class are loaded into common
storage (ECSA) instead of being resident in the private storage (ELSQA)
of each user who references the class. Before activating GENLIST for
a class, you should check with your system programmer to determine
if your system is configured with enough ECSA to contain the profiles.
The z/OS Security Server RACF System Programmer's Guide contains information about the amount of virtual storage
required for generic profiles, and other considerations about when
to use RACLIST or GENLIST. Generally, when you do not share the RACF database with RACF on a VM system, RACLIST provides the best
performance with the lowest usage of common storage.
The following classes supplied by IBM can be used with GENLIST:
- APPL
- CPSMOBJ
- DASDVOL
- DCEUUIDS
- DSNR
- FACILITY
- FIELD
- GXFACILI
- ILMADMIN
- INFOMAN
- JESJOBS
- KEYSMSTR
- LOGSTRM
- PRINTSRV
- RACFEVNT
- RRSFDATA
- SDSF
- TERMINAL
- TMEADMIN
- VMBATCH
- VMCMD
- VMDEV
- VMLAN
- VMMDISK
- VMNODE
- VMRDR
- VMSEGMT
- XFACILIT
When you activate GENLIST processing for a class,
a generic profile in that class is copied from the RACF database into common storage the first
time an authorized user requests access to a resource protected by
the profile. The profile is retained in common storage and is available
for all authorized users, thus saving real storage because the need
to retain multiple copies of the same profile (one copy for each requesting
user) in common storage is eliminated. Also, because RACF does not have to retrieve the profile each
time a user requests access to a resource protected by it, this function
saves processing overhead.
If you want to refresh shared in-storage
generic profiles for a specific resource class, issue the SETROPTS
command with the GENERIC(class-name) and
REFRESH operands.
Note: RACF does not allow you to specify SETROPTS GENLIST and SETROPTS RACLIST
for the same general resource class. For information on sharing
a POSIT value, see the POSIT keyword of the RDEFINE command.
- NOGENLIST(class-name …)
- Also see NORACLIST operand.
Deactivates the sharing
of in-storage generic profiles for the classes specified. Deactivate
this function for general resource classes defined in the class descriptor
table that are eligible for GENLIST processing. These classes are
listed under the description for GENLIST.
When you specify
NOGENLIST, RACF deletes in-storage
generic profiles for the specified classes from common storage.
NOGENLIST is in effect for all classes defined in the class descriptor
table when RACF is using a
newly initialized database.
For information on sharing a POSIT
value, see the POSIT keyword of the RDEFINE command.
- GLOBAL | NOGLOBAL
-
- GLOBAL(class-name … | *)
- Specifies those classes eligible for global access checking. If you
specify an asterisk (*), you activate global access
checking for all valid classes.
Valid classes you may specify are:
- The DATASET class
- The NODES grouping class
- The SECLABEL grouping class
- All other classes defined in the class descriptor table, except
for the remaining grouping classes.
For a list of general resource classes
defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
If you specify GLOBAL with REFRESH, only those currently
active and authorized classes are refreshed. If you have deleted the
GLOBAL profile for a class, you should issue the SETROPTS command
with the NOGLOBAL operand specified, rather than GLOBAL with REFRESH
specified.
Note:
- If you activate global access checking for a class using SETROPTS
GLOBAL, RACF activates global
access checking for all classes in the class descriptor table that
have the same POSIT value as the class you specify, except the excluded
grouping classes. For example, the resource classes TIMS and AIMS
and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate
global access checking for TIMS, you also activate it for AIMS. However,
you cannot activate this option for GIMS because GIMS is a grouping
class.
For more information on sharing a POSIT value, see the
POSIT keyword of the RDEFINE command.
- If RACF is enabled for sysplex communication, it propagates the SETROPTS GLOBAL and SETROPTS GLOBAL
REFRESH commands to other systems in the sysplex if the command is
successful on the system on which it was entered. If RACF is not enabled for sysplex communication,
the command has to be issued on each system sharing the database.
- Global access checking is bypassed if the user ID has the RESTRICTED
attribute.
- NOGLOBAL(class-name … | *)
- Deactivates global access checking for the specified
classes. For more information on valid classes that are processed
by the NOGLOBAL operand, see the GLOBAL operand description.
NOGLOBAL(*) is in effect when RACF is using a newly initialized database.
Note: If you deactivate
global access checking for a class using SETROPTS NOGLOBAL, RACF deactivates global access
checking for all classes in the class descriptor table that have the
same POSIT value as the class you specify, except for the excluded
grouping classes. For example, the resource classes TIMS and AIMS
and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate
global access checking for TIMS, you also deactivate it for AIMS.
However, GIMS is unaffected because it is a grouping class. For
more information on sharing a POSIT value, see the POSIT keyword of
the RDEFINE command.
- GRPLIST | NOGRPLIST
-
- GRPLIST
- Specifies that authorization
checking processing is to perform list-of-groups access checking for
all system users. When you specify GRPLIST, a user's authority to
access or define a resource is not based only on the authority of
the user's current connect group; access is based on the authority
of any group to which the user is connected.
- NOGRPLIST
- Specifies that the user's authority to access a resource
is based on the authority of the user's current connect group.
NOGRPLIST is in effect when RACF is using a newly initialized database.
- INACTIVE | NOINACTIVE
-
- INACTIVE(unused-userid-interval)
- Specifies the number of days (1 - 255) that
a user ID can remain unused and still be considered valid. RACF user verification checks the
number of days since the last successful time the user accessed the
system against the INACTIVE value and, if the former is larger, revokes
the user's right to use the system. INACTIVE applies to new users
based on creation date. If you specify INACTIVE, INITSTATS must be
in effect.
If the backup database is needed but does not contain
current information, some user IDs can be revoked because they appear
to have been unused beyond the number of days specified on the INACTIVE
operand. For more information, see z/OS Security Server RACF System Programmer's Guide.
- NOINACTIVE
- Specifies that RACF user verification is not to check user IDs against an unused-userid-interval.
NOINACTIVE is in effect
when RACF is using a newly
initialized database.
- INITSTATS | NOINITSTATS
-
- INITSTATS
- Specifies that statistics available during RACF user verification are to be recorded. These
statistics include the date and time the user was verified by RACF, the number of user verifications
that specified a particular group, and the date and time the user
last requested verification with a particular group. If you specify
INACTIVE, REVOKE, HISTORY, or WARNING, INITSTATS must be in effect.
For applications that specify the APPL operand on the RACROUTE
REQUEST=VERIFY macro, you can define a profile in the APPL class to
specify that the application needs only daily statistics recorded
for its users. To do this, specify the RACF-INITSTATS(DAILY) string in the APPLDATA field. For more information about statistics
collection, see z/OS Security Server RACF Security Administrator's Guide.
INITSTATS is in effect when RACF is using a newly initialized database.
- NOINITSTATS
- Specifies that statistics available during user verification
are not to be recorded.
- JES
- Controls job entry subsystem (JES) options. The JES
options are:
- BATCHALLRACF | NOBATCHALLRACF
-
- BATCHALLRACF
- Specifies that JES is to test for the presence of a user ID and
password on the job statement or for propagated RACF identification information for all batch
jobs. If the test fails, JES is to fail the job.
- NOBATCHALLRACF
- Specifies that JES is not to test for the presence of a user ID
and a password on the statement, or propagated RACF identification information for all batch
jobs.
NOBATCHALLRACF is in effect when RACF is using a newly initialized database.
- EARLYVERIFY | NOEARLYVERIFY
- This setting is ignored.
- XBMALLRACF | NOXBMALLRACF
-
- XBMALLRACF
- Specifies that JES is to test for the presence of either a user
ID and password on the JOB statement, or JES-propagated RACF identification information for all jobs
to be run with an execution batch monitor. If the test fails, JES
is to fail the job.
XBMALLRACF is only used on JES2.
- NOXBMALLRACF
- Specifies that JES is not to test for the presence of either a
user ID and password on the JOB statement, or JES-propagated RACF identification information
for all jobs to be run with an execution batch monitor.
NOXBMALLRACF
is in effect when RACF is using
a newly initialized database.
- NJEUSERID(userid)
- Defines the name (user ID) associated with SYSOUT or jobs that
arrive through the network without an RTOKEN or UTOKEN.
The initial
user ID (default user ID) after RACF data set initialization is ???????? (eight
question marks).
- UNDEFINEDUSER(userid)
- Defines the name (user ID) that is associated with local jobs
that enter the system without a user ID.
The initial user ID (default
user ID) after RACF data set
initialization is ++++++++ (eight plus signs).
- KERBLVL
- Specifies what level of key encryption processing should
occur when a KERB segment is being processed for user and realm profiles.
Beginning with z/OS Version 1 Release 9, the
KERBLVL setting is ignored.
See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses
keys and how to customize environment variables related to keys.
- LANGUAGE
- Specifies the system-wide defaults for national languages (such
as American English or Japanese) to be used on your system. You can
specify a primary language, a secondary language, or both. The languages
you specify depend on which products, when installed on your system,
check for primary and secondary languages (using RACROUTE REQUEST=EXTRACT).
- If users establish extended MCS console sessions, the
languages you specify should be the same as the languages specified
on the LANGUAGE LANGCODE statements in the MMSLSTxx PARMLIB member.
See your MVS system programmer for this information.
- For CICS® users,
see your CICS administrator
for the languages supported by CICS on your system.
The SETROPTS LANGUAGE operand does not affect the language in which the RACF ISPF panels are displayed. The order in which the RACF ISPF panel libraries are allocated
determines the language used. If your installation ordered a translated
feature of RACF, the RACF program directory gives instructions
for setting up the ISPF panels.
- PRIMARY(language)
- Specifies the installation's default primary language.
The
variable language can be a quoted or unquoted
string.
If the PRIMARY suboperand is not specified, the primary
language is not changed.
- SECONDARY(language)
- Specifies the installation's default secondary language.
The
language name can be a quoted or unquoted string.
If the SECONDARY
suboperand is not specified, the secondary language is not changed.
Note:
- For both the PRIMARY and SECONDARY suboperands, specify the installation-defined
name of a currently active language (a maximum of 24 characters) or
one of the language codes (3 characters in length) that is installed
on your system. For a list of valid codes, see National Language
Design Guide, Volume 2, National Language Support Reference Manual, SE09-8002.
- If the MVS message service is not active, the PRIMARY and SECONDARY
values must be a 3-character language code.
- The same language can be specified for both PRIMARY and SECONDARY.
- RACF is shipped with both
the primary and secondary language defaults set to ENU, meaning United
States English.
- LIST
- Specifies that the current RACF options are to be displayed. If you specify
operands in addition to LIST on the SETROPTS command, RACF processes the other operands before it
displays the current set of options.
If RACF is enabled for sysplex communication and
the system is in read-only mode,
users on that system can issue the SETROPTS LIST command. All other
operands are ignored.
You must have the SPECIAL, AUDITOR, group-SPECIAL,
or group-AUDITOR attribute to enter the LIST operand.
If you
have the SPECIAL or group-SPECIAL attribute, RACF displays all operands except these auditing
operands:
- APPLAUDIT | NOAPPLAUDIT
- AUDIT | NOAUDIT
- CMDVIOL | NOCMDVIOL
- LOGOPTIONS
- OPERAUDIT | NOOPERAUDIT
- SAUDIT | NOSAUDIT
- SECLABELAUDIT | NOSECLABELAUDIT.
If you have the AUDITOR or the group-AUDITOR attribute, RACF displays all operands.
Note: SETROPTS LIST with no other keywords specified is not eligible
for automatic command direction. Do not specify the ONLYAT and LIST
keywords together without any other keywords on a SETROPTS command.
- LOGOPTIONS(auditing-level(class-name …) …)
- Audits access attempts to resources in specified classes according
to the auditing level specified. You must have the AUDITOR attribute.
You can specify the DATASET class and any classes in the class descriptor
table. The resources need not have profiles created in order for auditing
to occur. See z/OS Security Server RACF Auditor's Guide for more information on when auditing occurs.
The SUCCESSES
and FAILURES operands result in auditing in addition to any auditing
specified in profiles in the class. In contrast, the ALWAYS and NEVER
operands override any auditing specified in profiles in the class.
Note that LOG=NONE, specified on a RACROUTE REQUEST=AUTH, takes precedence
(auditing is not performed).
- auditing-level
- Specifies the access attempts to be logged for class-name. These options are processed in the order listed below.
Thus, if class-name is specified with both
SUCCESSES and ALWAYS in the same command, auditing takes place at
the SUCCESSES level because option SUCCESSES is processed after ALWAYS.
- ALWAYS
- All access attempts to resources protected by the class are audited.
- NEVER
- No access attempts to resources protected by the class are audited.
(All auditing is suppressed.)
- SUCCESSES
- All successful access attempts to resources protected by the class
are audited.
- FAILURES
- All failed access attempts to resources protected by the class
are audited.
- DEFAULT
- Auditing is controlled by the profile protecting the resource,
if a profile exists. You can specify DEFAULT for all classes by specifying
an asterisk (*) with DEFAULT.
LOGOPTIONS(DEFAULT) is in effect when RACF is using a newly initialized database.
- class-name
- The RACF class to which auditing-level applies. The class-name value can be DATASET and any classes in the class descriptor
table. Each class can have only one auditing level associated with
it. The auditing levels are processed in the following order:
- ALWAYS
- NEVER
- SUCCESSES
- FAILURES
- DEFAULT.
This processing order occurs independently of the order you
specify the auditing levels. If you specify two or more auditing levels
for a class in the same command, only the last option processed
takes effect. Thus, if you specify the following command:
SETR LOGOPTIONS (FAILURES (DATASET,SECLABEL),
ALWAYS (DATASET, APPL),
DEFAULT (DATASET, GLOBAL))
the options in effect for the classes are:
- ALWAYS for the APPL class
- FAILURES for the SECLABEL class
- DEFAULT for the DATASET and GLOBAL classes
The DATASET and APPL classes are first assigned auditing-level
ALWAYS. The DATASET class is then assigned auditing-level FAILURES,
as is class SECLABEL. Finally, the DATASET class is assigned DEFAULT
auditing-level, as is class GLOBAL.
If you specify one auditing-level for class-name and in a separate command specify a new auditing level for
the same class name, the new auditing-level takes effect.
SETROPTS LOGOPTIONS(DEFAULT(*)) is in effect when RACF is
using a newly initialized database.
For information on sharing
a POSIT value, see the POSIT keyword of the RDEFINE command.
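The fixed processing order of auditing levels can be checked with an added Python model (not RACF code): it parses a LOGOPTIONS operand as written and resolves the effective level per class in the order ALWAYS, NEVER, SUCCESSES, FAILURES, DEFAULT, reproducing the three-class example above. The handling of DEFAULT(*) as resetting every class already tracked is an assumption.

```python
import re

# Constructed model of SETROPTS LOGOPTIONS resolution; not RACF code.

# RACF processes the levels in this fixed order, whatever order they are
# written in; the last level processed for a class is the one that wins.
AUDIT_LEVEL_ORDER = ("ALWAYS", "NEVER", "SUCCESSES", "FAILURES", "DEFAULT")


def parse_logoptions(command):
    """Return [(level, [class, ...]), ...] in the order written on the command."""
    upper = command.upper()
    key = upper.find("LOGOPTIONS")
    if key < 0:
        raise ValueError("no LOGOPTIONS operand on command")
    start = upper.find("(", key)
    if start < 0:
        raise ValueError("LOGOPTIONS has no parenthesised value")
    depth = 0
    for i in range(start, len(upper)):
        if upper[i] == "(":
            depth += 1
        elif upper[i] == ")":
            depth -= 1
            if depth == 0:
                inner = upper[start + 1:i]
                break
    else:
        raise ValueError("unbalanced parentheses in LOGOPTIONS")
    spec = []
    # Each sub-operand looks like LEVEL (CLASS, CLASS, ...) or DEFAULT(*).
    for level, classes in re.findall(r"([A-Z]+)\s*\(([^)]*)\)", inner):
        if level not in AUDIT_LEVEL_ORDER:
            raise ValueError(f"unknown auditing level {level}")
        names = [c.strip() for c in classes.split(",") if c.strip()]
        spec.append((level, names))
    return spec


def resolve_logoptions(spec, current=None):
    """Apply a parsed LOGOPTIONS spec to the current per-class levels.

    `current` maps class -> level already in effect (a newly initialized
    database has DEFAULT everywhere, modelled here as an empty mapping).
    """
    result = dict(current or {})
    for level in AUDIT_LEVEL_ORDER:          # fixed order, not written order
        for written_level, classes in spec:
            if written_level.upper() != level:
                continue
            for cls in classes:
                if cls == "*" and level == "DEFAULT":
                    # DEFAULT(*): every class goes back to profile-controlled auditing.
                    for known in result:
                        result[known] = "DEFAULT"
                else:
                    result[cls] = level
    return result


def effective_auditing(command, current=None):
    """Convenience wrapper: parse a command and resolve it against `current`."""
    return resolve_logoptions(parse_logoptions(command), current)


if __name__ == "__main__":
    example = ("SETR LOGOPTIONS (FAILURES (DATASET,SECLABEL), "
               "ALWAYS (DATASET, APPL), DEFAULT (DATASET, GLOBAL))")
    for cls, level in sorted(effective_auditing(example).items()):
        print(f"{cls:<9} {level}")
```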
- MLACTIVE | NOMLACTIVE
- For the relationships among the SECLABEL class and the MLS, MLACTIVE,
MLNAMES, MLQUIET, and SECLBYSYSTEM options, see z/OS Security Server RACF Security Administrator's Guide.
- MLACTIVE(FAILURES | WARNING)
- Causes security labels to be required on all work entering the
system and on all resources defined to USER, DATASET, and all classes
defined in the class descriptor table that require security labels.
Rules:
- This option is available only if the SECLABEL class is active.
Activation of MLACTIVE will fail if the SECLABEL class is not active
or being activated by the command activating MLACTIVE.
- With MLACTIVE, user tasks running in a server address space must
have a security label that is equivalent to the address space's security
label.
Data set and general resource profiles in WARNING
mode: A user or task can access a resource that is in WARNING
mode and has no security label even when MLACTIVE(FAILURES) is in
effect and the class requires security labels. The user or task receives
a warning message and gains access. (A data set or general resource
is in WARNING mode when you define or modify the profile that protects
it and you specify the WARNING operand.)
- FAILURES
- Specifies that RACF is
to reject any request to create or access any resource that requires
a security label in the profile that protects it, and does not have
one, and to reject any work entering the system that does not have
a security label.
The only exception is if MLS(FAILURES) and MLACTIVE(FAILURES)
are in effect, and a privileged started task or a user with the SPECIAL
attribute and the SYSHIGH SECLABEL attempts to access a resource that
requires a security label and does not have one. In this case, RACF allows the request as long
as the request does not declassify data.
- WARNING
- Specifies that when a user requests access to a resource that
does not have a security label and the resource belongs to a class
that requires security labels, access is allowed but a warning is
issued. Also, when work enters the system without a security label,
access is allowed but a warning is issued.
MLACTIVE(WARNING) is
the default value.
- NOMLACTIVE
- Allows work to enter the system without a security label and allows
requests to access a resource that does not have a security label
and the resource belongs to a class that requires security labels.
NOMLACTIVE is in effect when RACF is using a newly initialized database.
- MLFSOBJ
-
- MLFSOBJ(ACTIVE | INACTIVE)
-
- ACTIVE
- Specifies that security labels are required for files and directories.
When the SECLABEL class is active, and MLFSOBJ is active, access to
files and directories without security labels is denied except by
trusted or privileged started tasks. This option cannot be activated
if the SECLABEL class is not active.
If you do not specify ACTIVE
or INACTIVE, MLFSOBJ(ACTIVE) is the default.
- INACTIVE
- Specifies that security labels are not required for files and
directories.
INACTIVE is in effect when RACF is using a newly initialized database.
- MLIPCOBJ
-
- MLIPCOBJ(ACTIVE | INACTIVE)
-
- ACTIVE
- Specifies that security labels are required for interprocess communication.
When the SECLABEL class is active, and MLIPCOBJ is active, access
to semaphores, message queues and shared memory without associated
security labels is denied except by trusted or privileged started
tasks. This option cannot be activated if the SECLABEL class is not
active.
If you do not specify ACTIVE or INACTIVE, MLIPCOBJ(ACTIVE)
is the default.
- INACTIVE
- Specifies that security labels are not required for interprocess
communication.
INACTIVE is in effect when RACF is using a newly initialized database.
- MLNAMES | NOMLNAMES
-
- MLNAMES
- Specifies that users are restricted to viewing only the names
of files and directories that could be read from their current security
label, and to viewing data set names that they have access to from
their current security label. When MLNAMES is active, users listing
catalogs or directories will not see names of resources that they
cannot currently access.
- NOMLNAMES
- Specifies that users are not restricted to viewing only the names
of files and directories that they cannot currently access.
If
you do not specify MLNAMES or NOMLNAMES, NOMLNAMES is the default.
NOMLNAMES is in effect when RACF is using a newly initialized database.
- MLQUIET | NOMLQUIET
- For the relationships among SECLABEL, MLS, MLACTIVE, and MLQUIET,
see z/OS Security Server RACF Security Administrator's Guide.
- MLQUIET
- Allows only started tasks, console operators, or users with the
SPECIAL attribute to log on, start new jobs, or access resources.
Actions requiring user verification, resource access checking, or
resource definition are available only to the security administrator
(SPECIAL user), a trusted computer base job (as indicated in the token),
or the console operator.
When this option is enabled, the system
is in a tranquil state.
- NOMLQUIET
- Allows all users access to the system.
NOMLQUIET is in effect
when RACF is using a newly
initialized database.
- MLS | NOMLS
- For the relationships among SECLABEL, MLS, MLACTIVE, and MLQUIET,
see z/OS Security Server RACF Security Administrator's Guide.
- MLS(FAILURES | WARNING)
- Prevents a user from declassifying data. In order to copy data,
the security label of the target must encompass the security label
of the source.
Rules:
- This option is available only if the SECLABEL class is active.
- Activation of MLS will fail if the SECLABEL class is not active
or being activated by the command activating MLS.
- FAILURES
- Specifies that RACF is
to reject any request to declassify data.
- WARNING
- Specifies that when a user attempts to declassify data, RACF is to allow the request but
issue warning messages to the user and the security administrator.
MLS(WARNING) is the default value if you do not specify either FAILURES
or WARNING.
- NOMLS
- Allows users to declassify data within the same CATEGORY.
NOMLS is in effect when RACF is using a newly initialized database.
- MLSTABLE | NOMLSTABLE
-
- MLSTABLE
- Allows the installation to indicate that no one on the system
is allowed to alter the security label of an object or alter the definition
of the security label, unless MLQUIET is in effect.
- NOMLSTABLE
- Allows the alteration of security label definitions or the security
labels within a profile without requiring MLQUIET to be in effect.
NOMLSTABLE is in effect when RACF is using a newly initialized database.
- MODEL | NOMODEL
-
- MODEL
- Specifies, through the following
suboperands, the model profile processing options. For information
about automatic profile modeling, refer to the z/OS Security Server RACF Security Administrator's Guide.
- GDG | NOGDG
- Specifies that RACF should attempt to protect RACF-indicated
members of a generation data group (GDG) using a base profile with
the same name as the GDG data set base name. If a base profile exists
for a particular RACF-indicated member, then RACF uses the base profile when determining
whether the user can access or create the member. Otherwise, RACF uses, or creates, an individual
profile for the model. MODEL(GDG) has no effect on GDG members that
are protected by generic profiles.
NOGDG specifies that
GDG members should not be treated specially by RACF; they are processed as any other data set
would be.
- GROUP | NOGROUP
- Specifies that when creating a new profile for a group-named
data set, RACF should check
whether a model profile is specified in the group profile. If so,
that model profile should be used to complete the definition of the
new data set profile.
NOGROUP specifies that RACF should not use model profiles to complete
the definition of new group-named data sets.
- USER | NOUSER
- Specifies that when creating a new profile
for all user ID-named data sets, RACF should check whether a model profile is specified in the
user profile. If so, that model profile should be used to complete
the definition of the new data set profile.
NOUSER specifies
that RACF should not use model
profiles to complete the definition of new user ID-named data sets.
- NOMODEL
- Specifies that there is no model profile processing for
GDG, GROUP, or USER data sets.
NOMODEL is in effect when RACF is using a newly initialized
database.
- OPERAUDIT | NOOPERAUDIT
- Specifies whether RACF is
to log all actions allowed only because a user has the OPERATIONS
(or group-OPERATIONS) attribute. You must have the AUDITOR attribute
to enter these operands.
- OPERAUDIT
- Specifies that RACF is to log all actions, such as accesses to resources and commands,
allowed only because a user has the OPERATIONS or group-OPERATIONS
attribute.
- NOOPERAUDIT
- Specifies that RACF is not to log the actions allowed only because a user has the OPERATIONS
or group-OPERATIONS attribute.
NOOPERAUDIT is in effect when RACF is using a newly initialized
database.
- PASSWORD (suboperands)
- Specifies options to monitor
and check passwords and password phrases:
- HISTORY | NOHISTORY
-
- HISTORY(number-of-previous-values)
- Specifies the number (1 - 32) of
previous passwords and password phrases that RACF saves for each user and compares with each
new intended value. When RACF finds a match with a previous value, or with the current password
or password phrase, RACF rejects
the new intended value.
For passwords, RACF stores only previous passwords in each user's history. For password phrases, RACF saves
the user's current password phrase in addition to the user's
previous password phrases. Therefore, for password phrases, RACF
saves one fewer previous value than the number you specify for history.
For example, if you specify 12 for your HISTORY number, RACF
saves up to 12 previous passwords and up to 11 previous password phrases
for each user:
SETROPTS PASSWORD(HISTORY(12))
If you increase the HISTORY number, RACF saves and compares that number of passwords
and password phrases to the new intended value. If you subsequently
reduce the HISTORY number, any previous passwords and password phrases
stored in the user profile in excess of the newly specified HISTORY
number are not deleted and continue to be used for comparison.
For example, if you specify 12 for your HISTORY number and subsequently
reduce it to 8, RACF compares
the old passwords and password phrases 9 - 12 with
the new intended value.
If you specify HISTORY, INITSTATS must
be in effect.
- NOHISTORY
- Specifies that new password and password phrase values
are only compared with the current password or password phrase. If
prior history information exists in the user profile, it is neither
deleted nor changed.
NOHISTORY is in effect when RACF is using a newly initialized database.
- INTERVAL(maximum-change-interval)
- Specifies the maximum number of days (1 - 254) each
user's password and password phrase are valid. For example, if you
specify 90 for your INTERVAL number, each user's password is valid
for 90 days and each user's password phrase (if set) is valid for
90 days.
RACF uses the value you specify for maximum-change-interval as both:
- The default value for new users defined to RACF through the ADDUSER command.
- The upper limit for users who specify the INTERVAL operand on the PASSWORD command.
When a user logs on to the system, RACF compares this INTERVAL value (the system interval) with
the interval value specified in the user's profile (the user's interval). RACF uses the lower of the two
values to determine if the user's password and password phrase have
expired.
The initial default at RACF initialization is 30 days. The maximum change interval
cannot be less than the minimum change interval set with the MINCHANGE
keyword.
- MINCHANGE(minimum-change-interval)
- Specifies the number of days that must pass between a
user's password and password phrase changes. Acceptable values are
0 - 254
(days), providing the number of days between changes does not exceed
the maximum change interval specified by the INTERVAL keyword. For
example, if you specify 5 for your MINCHANGE number, users cannot
change their passwords more than once in 5 days, nor can they change
their password phrases (if assigned) more than once in 5 days.
The initial default is 0 days, allowing users to
change their passwords and password phrases more than once on the
same day.
Users cannot change their own passwords and
password phrases within the minimum change interval. However, you
can use the ALTUSER command to change another user's password
within the minimum change interval if you have at least one of the
following authorities:
- You have the SPECIAL attribute.
- The user is within the scope of a group in which you have the
group-SPECIAL attribute.
- You are the owner of the user's profile.
- You have at least CONTROL authority to the IRR.PASSWORD.RESET
resource in the FACILITY class, and the other user does not have the
SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
- You have at least CONTROL access to an appropriate resource in
the FACILITY class (IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner), and both of the following conditions are also
true:
- The other user does not have the SPECIAL, OPERATIONS, AUDITOR,
or PROTECTED attribute.
- You are not excluded from altering the user by the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class.
For more information about the IRR.PWRESET profiles, see z/OS Security Server RACF Security Administrator's Guide.
- MIXEDCASE | NOMIXEDCASE
-
- MIXEDCASE
- Indicates that all applications on this system and those that
share the RACF database support
mixed-case and lowercase passwords. The syntax rules must be modified
to allow mixed-case and lowercase characters. (See the RULE section in topic RULEn | NORULEn | NORULES for more information.) When
this option is activated, the RACF ALTUSER, ADDUSER, PASSWORD and RACLINK commands do not translate
passwords to uppercase, nor do applications that provide mixed-case
password support, such as TSO/E and z/OS® UNIX Systems Services.
This option is inactive by default.
If you are propagating passwords with RRSF, see "RRSF Considerations for Mixed-Case Passwords" in z/OS Security Server RACF Security Administrator's Guide.
Important: The MIXEDCASE option is intended to be activated - after
evaluating and updating applications and implementing appropriate
password syntax rules - and never
deactivated. Deactivate it only if problems are encountered. If you
deactivate MIXEDCASE after it was active, any users who changed their
passwords to mixed or lower case (when MIXEDCASE was active) will
no longer be able to enter the system until an authorized user resets
their passwords to uppercase. If you subsequently reactivate MIXEDCASE,
the same users must enter their passwords in upper case.
- NOMIXEDCASE
- Indicates that mixed-case and lowercase passwords are
not supported. This is the default setting.
Important: If
you issue SETR NOMIXEDCASE after MIXEDCASE was active, any users who
changed their passwords to mixed-case or lowercase (when MIXEDCASE
was active) can no longer enter the system until an authorized user
resets their passwords to uppercase. See the important note for the
MIXEDCASE operand.
- REVOKE | NOREVOKE
-
- REVOKE(number-of-unsuccessful-attempts)
- Specifies the number of consecutive unsuccessful
attempts (1 - 255) to access the system (using an incorrect password or password
phrase) before RACF revokes
the user ID on the next unsuccessful attempt. If you specify REVOKE,
INITSTATS must be in effect.
The REVOKE number you specify applies
to the combination of incorrect passwords and password phrases RACF allows. For example, if you
specify 5 as your REVOKE number, a user will be revoked upon three
consecutive incorrect passwords followed by three consecutive incorrect
password phrases.
- NOREVOKE
- Specifies that RACF ignores the number of consecutive unsuccessful attempts to access
the system using an incorrect password or password phrase.
- RULEn | NORULEn | NORULES
Tip: You might find the ISPF panels easier to use
for entering password rules.
- RULEn(LENGTH(m1:m2) content-keyword(position))
-
Specifies an individual syntax rule for new passwords
that users specify at logon, on JCL job cards, or on the PASSWORD
command. Also applies to passwords specified on the ALTUSER commands
that have the NOEXPIRED operand. Eight syntax rules are allowed. Therefore,
for the RULEn suboperand, the value of n is 1 - 8.
These syntax rules do not apply to:
- Password phrases
- Logon passwords that are currently in effect for a user
- Logon passwords specified on the ADDUSER command
- Logon passwords specified on the ALTUSER command with the PASSWORD
operand and with the EXPIRED operand either specified or defaulted
- Default passwords set by the PASSWORD USER(userid) command, which are set to the user's default group name.
If multiple rules are defined, a password that passes
at least one rule is accepted.
Restriction: Changes
to password syntax rules will not force users to immediately change
their passwords. RACF does
not apply new password rules to users until users change their passwords - either
voluntarily or at password expiration.
- LENGTH(m1:m2)
- Specifies the minimum and maximum password lengths to
which this particular rule applies (m2 must
be greater than or equal to m1). Because RACF allows passwords no longer
than 8 alphanumeric characters, the value for m2 must be less than or equal to 8. If you omit the m2 value, the rule applies to a password of one
length only.
- content-keyword(position)
- Specifies the syntax rules for the positions indicated by the
LENGTH suboperand. Rules specifying mixed-case characters should only
be set when the MIXEDCASE option is in effect. New passwords will
not match these rules when mixed-case passwords are not supported,
either because the MIXEDCASE option is not in effect or because an
application is used that does not support mixed-case passwords. The
possible values for content-keyword are:
- ALPHA
- Includes uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'),
and @ (X'7C')
- ALPHANUM
- Includes the ALPHA characters - uppercase
alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C') - and NUMERIC
characters.
If the password syntax rule requires only one ALPHANUM
character, passwords must contain either one ALPHA character or one
NUMERIC character.
If the password syntax rule
requires two or more ALPHANUM characters, passwords must contain at
least one ALPHA character and at least one NUMERIC character in the
specified ALPHANUM positions.
- VOWEL
- Includes uppercase vowel characters, namely A, E, I, O, and U
- NOVOWEL
- Includes characters that are not vowels, such as
- Uppercase alphabetic characters that are consonants, not vowels
- National characters
- Numeric characters
- CONSONANT
- Includes uppercase non-vowel characters
- NUMERIC
- Includes numeric characters
- NATIONAL
- Includes the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
- MIXEDCONSONANT
- Includes uppercase and lowercase non-vowel characters
- MIXEDVOWEL
- Includes the uppercase and lowercase vowel characters, A, E, I, O, U, and a, e, i, o, u
- MIXEDNUM
- Includes all characters of the following three types of MIXEDNUM
characters:
- ALPHA characters - includes
uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'),
and @ (X'7C')
- Lowercase alphabetic characters
- NUMERIC characters.
If the password syntax rule requires only one MIXEDNUM character,
passwords must contain at least one character of any one of
the three MIXEDNUM character types.
If the password syntax
rule requires two MIXEDNUM characters, passwords must contain two
characters of different MIXEDNUM character types, in one of
the following valid combinations:
- An ALPHA character and a lowercase alphabetic character
- An ALPHA character and a NUMERIC character
- A lowercase alphabetic character and a NUMERIC character.
If the password syntax rule requires three
or more MIXEDNUM characters, passwords must contain three or more
MIXEDNUM characters including at least one character of each MIXEDNUM character type in the specified MIXEDNUM positions.
If the values in the content-keywords do not define every position specified by the LENGTH value,
the undefined positions can consist of any combination of alphanumeric
characters.
Each content-keyword is followed by a position (in the form of k, not greater than 8), a list of positions (in the form k1,k2,k3… in any order), or a range (in the form k4:k5, where k5 must be greater than or equal to k4).
- Example:
RULE1(LENGTH(8) CONSONANT(1,3,5:8) NUMERIC(2,4))
- Result:
Syntax RULE1 applies to passwords eight characters in length with consonants in positions 1, 3, 5, 6, 7, and 8 and numbers in positions 2 and 4. The password B2D2GGDD obeys RULE1, and C3PIBOLO does not.
- Example:
RULE2(LENGTH(6) NATIONAL(3) MIXEDNUM(4:6))
- Result:
Syntax RULE2 applies to passwords 6 characters in length with a national character in position 3 and requires an uppercase alphabetic, a lowercase alphabetic, and a numeric in positions 4, 5, and 6. The password AB@1tD obeys RULE2.
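The following checker is an added worked example, not RACF code, of the RULEn semantics described above: the LENGTH range, the simple content keywords, the mixing requirements of ALPHANUM and MIXEDNUM, the "undefined positions may hold any alphanumeric character" rule, and acceptance when at least one of several rules passes. The parser, the function names (parse_rule, check_rule, password_accepted), and the choice to ignore rule positions that lie beyond the end of a shorter password are this example's own assumptions. It reproduces the two examples from the text: B2D2GGDD passes RULE1, C3PIBOLO does not, and AB@1tD passes RULE2.

```python
"""Checker for RACF-style password syntax rules (SETROPTS PASSWORD(RULEn)).
Added example, not RACF code; parser, names and past-end-position handling
are assumptions of this example."""
import re
import string

NATIONAL = set("#$@")                 # X'7B', X'5B', X'7C' in EBCDIC
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
UVOWEL = set("AEIOU")
ALPHA = UPPER | NATIONAL              # ALPHA = uppercase letters + national characters

# Keywords that simply constrain each covered position to a character set.
SIMPLE = {
    "ALPHA": ALPHA,
    "VOWEL": UVOWEL,
    "NOVOWEL": (UPPER - UVOWEL) | NATIONAL | DIGITS,
    "CONSONANT": UPPER - UVOWEL,
    "NUMERIC": DIGITS,
    "NATIONAL": NATIONAL,
    "MIXEDCONSONANT": (UPPER - UVOWEL) | (LOWER - set("aeiou")),
    "MIXEDVOWEL": UVOWEL | set("aeiou"),
}
# Keywords whose covered positions must also mix character types.
MIX_TYPES = {
    "ALPHANUM": {"ALPHA": ALPHA, "NUMERIC": DIGITS},
    "MIXEDNUM": {"ALPHA": ALPHA, "LOWER": LOWER, "NUMERIC": DIGITS},
}
ANY_ALNUM = ALPHA | LOWER | DIGITS    # assumed content of positions no keyword defines


def parse_positions(spec):
    """'1,3,5:8' -> [1, 3, 5, 6, 7, 8] (1-based, none greater than 8)."""
    out = []
    for part in spec.split(","):
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":", 1))
            if hi < lo:
                raise ValueError(f"bad range {part}: k5 must be >= k4")
            out.extend(range(lo, hi + 1))
        else:
            out.append(int(part))
    if any(not 1 <= p <= 8 for p in out):
        raise ValueError("positions must be between 1 and 8")
    return out


def parse_rule(text):
    """Parse e.g. 'RULE1(LENGTH(8) CONSONANT(1,3,5:8) NUMERIC(2,4))'."""
    m = re.fullmatch(r"\s*RULE([1-8])\((.*)\)\s*", text, re.S)
    if not m:
        raise ValueError("expected RULEn(...) with n in 1-8")
    body = m.group(2)
    lm = re.search(r"LENGTH\((\d+)(?::(\d+))?\)", body)
    if not lm:
        raise ValueError("LENGTH is required")
    m1, m2 = int(lm.group(1)), int(lm.group(2) or lm.group(1))
    if not 1 <= m1 <= m2 <= 8:
        raise ValueError("LENGTH needs 1 <= m1 <= m2 <= 8")
    keywords = []
    for kw, pos in re.findall(r"([A-Z]+)\(([\d,:]+)\)", body):
        if kw == "LENGTH":
            continue
        if kw not in SIMPLE and kw not in MIX_TYPES:
            raise ValueError(f"unknown content keyword {kw}")
        keywords.append((kw, parse_positions(pos)))
    return {"n": int(m.group(1)), "min": m1, "max": m2, "keywords": keywords}


def check_rule(rule, pw):
    """True if password `pw` satisfies one parsed rule."""
    if not rule["min"] <= len(pw) <= rule["max"]:
        return False
    defined = set()
    for kw, positions in rule["keywords"]:
        positions = [p for p in positions if p <= len(pw)]   # assumption: skip past-end
        chars = [pw[p - 1] for p in positions]
        defined.update(positions)
        if kw in SIMPLE:
            if not all(c in SIMPLE[kw] for c in chars):
                return False
            continue
        types = MIX_TYPES[kw]
        kinds = []
        for c in chars:
            kind = next((name for name, cs in types.items() if c in cs), None)
            if kind is None:
                return False
            kinds.append(kind)
        if len(kinds) <= 1:                      # one position: any one type will do
            continue
        if kw == "ALPHANUM" or len(kinds) >= 3:  # ALPHANUM(2+), MIXEDNUM(3+): every type
            if set(kinds) != set(types):
                return False
        elif len(set(kinds)) != 2:               # MIXEDNUM with two positions: two types
            return False
    # Positions no keyword defines may hold any alphanumeric character.
    return all(c in ANY_ALNUM for i, c in enumerate(pw, 1) if i not in defined)


def password_accepted(rules, pw):
    """With several rules defined, a password that passes at least one is accepted."""
    return any(check_rule(r, pw) for r in rules)


# The two example rules from the text above.
EXAMPLE_RULES = [
    parse_rule("RULE1(LENGTH(8) CONSONANT(1,3,5:8) NUMERIC(2,4))"),
    parse_rule("RULE2(LENGTH(6) NATIONAL(3) MIXEDNUM(4:6))"),
]

if __name__ == "__main__":
    for pw in ("B2D2GGDD", "C3PIBOLO", "AB@1tD"):
        print(pw, "accepted" if password_accepted(EXAMPLE_RULES, pw) else "rejected")
```

The check is deliberately split into a parse step and a per-rule evaluation so that a reviewer can unit-test an installation's rule set offline, for example to confirm that a new rule intended to require mixed-case content is not silently satisfied by all-uppercase passwords while MIXEDCASE is still inactive.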
- NORULEn
- Specifies that RACF is to delete the particular rule identified by n.
- NORULES
- Specifies that RACF is to delete all password syntax rules established by the installation.
NORULES is in effect when RACF is using a newly initialized database.
- WARNING | NOWARNING
-
- WARNING(days-before-password-expires)
- Specifies the number of days (1 - 255) before
a password or password phrase expires, indicating that RACF is to issue a warning message
to the TSO user or to the job log of a batch job that specified the
expiring password or password phrase.
If you specify
a WARNING value that exceeds the INTERVAL value, a warning message
is issued at each logon. If you do not want the warning with each
logon, specify a value for WARNING that is less than the value you
specify for INTERVAL. If you specify WARNING, INITSTATS must be in
effect.
- NOWARNING
- Specifies that RACF is
not to issue the warning message for expiring passwords or password
phrases.
NOWARNING is in effect when RACF is using a newly initialized database.
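As an added worked example (not RACF code) of how the INTERVAL, MINCHANGE and WARNING suboperands described above interact at logon: the effective expiry interval is the lower of the system INTERVAL and the user's own interval, a user-initiated change inside MINCHANGE is refused, and a WARNING value above INTERVAL produces the warning at every logon. The class and function names, the use of ISO date strings, and the day arithmetic (a password set on day 0 is valid for `interval` days) are this example's assumptions.

```python
"""Password expiry evaluation modelled on SETROPTS PASSWORD(INTERVAL/MINCHANGE/WARNING).
Added example, not RACF code; names and day arithmetic are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PasswordOptions:
    interval: int = 30             # INTERVAL(1-254); initial default is 30 days
    minchange: int = 0             # MINCHANGE(0-254); initial default is 0 days
    warning: Optional[int] = None  # WARNING(1-255); None means NOWARNING

    def __post_init__(self):
        if not 1 <= self.interval <= 254:
            raise ValueError("INTERVAL must be 1-254")
        if not 0 <= self.minchange <= 254:
            raise ValueError("MINCHANGE must be 0-254")
        if self.minchange > self.interval:
            raise ValueError("INTERVAL cannot be less than MINCHANGE")
        if self.warning is not None and not 1 <= self.warning <= 255:
            raise ValueError("WARNING must be 1-255")


def _days(from_iso, to_iso):
    """Whole days elapsed between two ISO-8601 dates."""
    return (date.fromisoformat(to_iso) - date.fromisoformat(from_iso)).days


def effective_interval(opts, user_interval=None):
    """RACF uses the lower of the system interval and the user's own interval."""
    if user_interval is None:
        return opts.interval
    return min(opts.interval, user_interval)


def logon_status(opts, user_interval, last_change, today):
    """Classify a logon on `today`: ('EXPIRED' | 'WARNING' | 'OK', days_left)."""
    days_left = effective_interval(opts, user_interval) - _days(last_change, today)
    if days_left <= 0:
        return "EXPIRED", 0
    # When WARNING exceeds INTERVAL, days_left is always <= WARNING, so the
    # warning appears at every logon, exactly as the text describes.
    if opts.warning is not None and days_left <= opts.warning:
        return "WARNING", days_left
    return "OK", days_left


def user_change_allowed(opts, last_change, today):
    """Users may not change their own password within MINCHANGE days of the last change."""
    return _days(last_change, today) >= opts.minchange


if __name__ == "__main__":
    opts = PasswordOptions(interval=90, minchange=5, warning=10)
    print(logon_status(opts, 60, "2024-01-01", "2024-02-25"))
    print(user_change_allowed(opts, "2024-01-01", "2024-01-04"))
```

Note that the administrative overrides listed for MINCHANGE (SPECIAL, group-SPECIAL, profile ownership, or the IRR.PASSWORD.RESET and IRR.PWRESET profiles) are not modelled here; `user_change_allowed` covers only the user's own change request.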
- PREFIX | NOPREFIX
-
- PREFIX(prefix)
- Activates RACF protection for data sets that have single-qualifier
names, and specifies the 1 - 8 character
prefix to be used as the high-level qualifier in the internal form
of the names. The variable prefix should
be a predefined group name, and it must not be the high-level qualifier
of any actual data sets in the system.
- NOPREFIX
- Deactivates RACF protection for data sets that have single-level names.
When
EGN is active and NOPREFIX is in effect, a data set can be protected
with a generic profile of the form ABC.**, where
ABC equals the data set name.
NOPREFIX is in effect when RACF is using a newly initialized
database.
- PROTECTALL | NOPROTECTALL
-
- PROTECTALL(FAILURES | WARNING)
- Activates PROTECTALL processing.
When PROTECTALL processing is active, the system automatically rejects
any request to create or access a data set that is not RACF-protected.
This processing includes DASD data sets, tape data sets, catalogs,
and GDG basenames. Temporary data sets that comply with standard MVS
temporary data set naming conventions are excluded from PROTECTALL
processing.
Note that PROTECTALL requires all data sets to be
RACF-protected. This includes tape data sets if your installation
specifies the TAPEDSN operand on the SETROPTS command.
In order
for PROTECTALL to work effectively, you must specify GENERIC to activate
generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected
by discrete profiles. If your installation uses nonstandard names
for temporary data sets, you must also predefine entries in the global
access checking table that allow these data sets to be created and
accessed.
The WARNING suboperand enables you to specify a warning
message to the requestor in place of rejecting the request.
- FAILURES
- Specifies that RACF is
to reject any request to create or access a data set that is not RACF-protected.
The default value is FAILURES.
If PROTECTALL(FAILURES)
is in effect and a user with the SPECIAL attribute requests access
to an unprotected data set, RACF accepts the request, audits the event, and issues a PROTECTALL warning
message.
If PROTECTALL(FAILURES) is in effect and a trusted
started task requests access to an unprotected data set, RACF accepts the request, audits the event,
and no warning message is issued.
If PROTECTALL(FAILURES) is
in effect and a privileged started task requests access to an unprotected
data set, RACF accepts the
request, the event is not audited, and no warning message is issued.
- WARNING
- Specifies that when a user requests creation of, or access to,
a data set that is not RACF-protected, RACF is to allow the request but issue warning messages to the
user and the security administrator.
- NOPROTECTALL
- Specifies that a user can create or access a data set
that is not protected by a profile.
NOPROTECTALL is in effect
when RACF is using a newly
initialized database.
- RACLIST | NORACLIST
-
- RACLIST(class-name …)
- Activates the sharing of in-storage profiles, both generic and discrete,
for the classes specified. Also see GENLIST operand.
Activate
this function to improve the performance of resource access checking
for a general resource class. With the profiles for the class in storage, RACF requires no database I/O when
making an access decision.
A valid class-name is any member class for which the class descriptor table
allows or requires RACLIST processing. Grouping classes are not valid,
except for RACFVARS and NODES. If class-name is valid, not only the specified class-name, but all classes that share the same POSIT are processed. If some
classes sharing the same POSIT do not allow RACLIST processing, those
classes are skipped.
Only active classes are RACLISTed. Be sure to activate each class you want to RACLIST. For example:
SETROPTS RACLIST(DIGTCERT) CLASSACT(DIGTCERT)
If REFRESH is also specified, member classes for which the class
descriptor table does not allow RACLIST processing are also valid
because the SETROPTS RACLIST(class-name)
REFRESH command refreshes classes that were RACLISTed by RACROUTE
REQUEST=LIST,GLOBAL=YES or SETROPTS RACLIST. Likewise, classes for
which SETROPTS GENLIST was specified are also valid.
You cannot
SETROPTS RACLIST and SETROPTS GENLIST for the same general resource
class.
Rule: If the following supplied classes are active,
you must issue the SETROPTS RACLIST command to share them:
APPCSERV, APPCTP, CRYPTOZ, CSFKEYS, CSFSERV, DEVICES, DIGTCRIT, DIGTNMAP, FIELD,
FSACCESS, IDIDMAP, NODES, OPERCMDS, PROPCNTL, PSFMPL, PTKTDATA, RACFHC, RACFVARS,
RDATALIB, SECLABEL, SERVAUTH, STARTED, SYSMVIEW, UNIXPRIV, VTAMAPPL, XCSFKEY
In-storage profiles for the following supplied classes
can be optionally shared by using SETROPTS RACLIST.
ACCTNUM *, ALCSAUTH, APPCPORT, APPCSI, APPL *, CBIND, CDT *, CONSOLE, CPSMOBJ,
CPSMXMP, DASDVOL, DBNFORM, DCEUUIDS, DIGTCERT *, DIGTRING, DLFCLASS, DSNR,
FACILITY *, FCICSFCT, INFOMAN, JAVA, JESINPUT, JESJOBS, JESSPOOL, KEYSMSTR,
LDAPBIND *, LFSCLASS, LOGSTRM, MGMTCLAS, MQCMDS, MQCONN, NETCMDS, PERFGRP *,
PRINTSRV *, PTKTVAL, RRSFDATA *, SDSF, SERVER, SMESSAGE, SOMDOBJS, STORCLAS,
SUBSYSNM, SURROGAT, TERMINAL *, TMEADMIN, TSOAUTH *, TSOPROC *, VMBATCH, VMCMD,
VMDEV, VMLAN, VMNODE, VMSEGMT, WRITER
Important: For each class marked with an asterisk
(*), you might incur performance degradation or missing
function if you do not issue the SETROPTS RACLIST command when you
define profiles in the class and activate it. For important details
about each class, see z/OS Security Server RACF Security Administrator's Guide (for classes used for RACF functions) or the appropriate program
documentation.
If you have,
or are considering, authorizing a large number of users for a resource
in a class that can be processed to an in-storage profile using the
SETROPTS RACLIST command, you must consider the number of entries
in the access list, because RACLIST processing merges profiles and
the access lists of each profile. The combined number of access-list
entries might cause the profile to become too large to be processed,
and RACLIST processing might fail. See z/OS Security Server RACF Security Administrator's Guide for more information about limiting the size of access lists
and profile sizes.
Note:
- When you activate RACLIST processing for a class, RACF copies both discrete and generic profiles
for that class into a data space.
- When the RACGLIST class is active and class-name profiles
have been specified in the RACGLIST class, SETROPTS RACLIST(class-name) stores the RACLISTed results from
the data space in the RACGLIST classname_nnnnn profiles on
the RACF database, enabling
all systems sharing the database to access the same level of profile
information.
For example, if you issue the commands:
SETR CLASSACT(RACGLIST)
RDEFINE RACGLIST TERMINAL
then either when you issue:
SETROPTS RACLIST(TERMINAL)
or at the next IPL, if the TERMINAL class was RACLISTed before the RACGLIST
class was activated, RACF creates
RACGLIST TERMINAL_00001, RACGLIST TERMINAL_00002, and so on, to hold the results of the SETROPTS RACLIST processing.
The profiles are available to all authorized users, thereby eliminating
the need for RACF to retrieve
a profile each time a user requests access to a resource protected
by that profile. Thus, when you activate this function, you reduce
processing overhead.
The SETROPTS RACLIST(class-name) command overrides a RACROUTE REQUEST=LIST,GLOBAL=YES request
for the same class. The data space and RACGLIST classname_nnnnn profiles, if any, are refreshed by the SETROPTS RACLIST. SETROPTS
LIST output will list the class in the SETR RACLIST CLASSES
= line rather than the GLOBAL=YES RACLIST ONLY = line.
- If you specify RACLIST with REFRESH, RACF rebuilds the discrete and generic profiles
for the class and places them in the new data space. If the RACGLIST
class is active and contains a profile for class-name, the classname_nnnnn profiles for the class are also
rebuilt, or are created if they had not been built previously.
SETROPTS RACLIST(class-name) REFRESH can
also be used to refresh classes RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES,
as well as classes that are RACLISTed by SETROPTS RACLIST. It refreshes the class, but
has no effect on SETROPTS LIST output. If the class was RACLISTed
solely by RACROUTE REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES,
the class is listed in the GLOBAL=YES RACLIST ONLY = line. Regardless of whether the class was also RACLISTed by GLOBAL=YES,
if it was RACLISTed by SETROPTS RACLIST(classname), then the class is listed only in the SETR RACLIST
CLASSES = line.
SETROPTS RACLIST(classname) REFRESH can also be issued to create the RACGLIST profiles
for the class, even if the class was not RACLISTed by either RACROUTE
REQUEST=LIST,GLOBAL=YES or by SETROPTS RACLIST. Then the first RACROUTE
REQUEST=LIST,GLOBAL=YES uses the RACGLIST profiles to build the RACLIST
data space, rather than accessing the database for each individual
discrete and generic profile.
While the rebuild is in progress, RACF continues to use the old in-storage
profiles for authorization requests until the new ones are created.
When all systems have completed rebuilding the local data spaces,
the coordinator signals the members of the data sharing group to discard
the old ones, and to begin using the new one.
- When RACF is enabled for sysplex communication, RACF propagates
a SETROPTS RACLIST(class-name) or SETROPTS
RACLIST(class-name) REFRESH command issued
from any one system (coordinator) to other systems in the data sharing group (peers)
if the command is successful on the system on which it was entered.
If the RACGLIST classname_nnnnn profiles were built for the
class, peer members of the sysplex use the results to build the RACLIST
data space on their system, but do not rebuild the RACGLIST profiles.
If a refresh is being done, RACF continues to use the old in-storage profiles for authorization
requests until the new ones are created. When all systems have completed
rebuilding the local data spaces, the coordinator signals the members
of the data sharing group to discard the old ones, and to begin using the new one.
If RACF is not enabled for sysplex communication, you must issue the SETROPTS RACLIST(class-name) command and the SETROPTS RACLIST(class-name) REFRESH command on each system sharing the database.
- When you activate RACLIST processing for the CDT class, the dynamic
class descriptor table is built in a data space instead of in-storage
profiles. The information in the data space is not used for authorization
checking. If authorization checking using RACROUTE REQUEST=FASTAUTH
is required for the CDT class, you must use RACROUTE REQUEST=LIST,GLOBAL=NO
to locally RACLIST the CDT class profiles. Alternatively, RACROUTE
REQUEST=AUTH may be used for the CDT class, and RACF will use CDT profiles in the RACF database for authorization checking. For
more information on the dynamic CDT, see z/OS Security Server RACF Security Administrator's Guide.
- NORACLIST(class-name …)
- Deactivates the sharing of in-storage profiles, both
generic and discrete, for the classes specified. Also see the NOGENLIST
operand.
When you specify NORACLIST, RACF deletes the data space containing the generic
and discrete profiles for the specified classes. The data space might
have been created by specifying the class with either a SETROPTS RACLIST
command or a RACROUTE REQUEST=LIST,GLOBAL=YES request. In the latter
case, all applications that issued a RACROUTE REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES for the class should issue a RACROUTE REQUEST=LIST,ENVIR=DELETE
before a SETROPTS NORACLIST is issued that processes the class. The
SETROPTS NORACLIST should be used to delete the data space only after
all applications have relinquished their access to it.
For
both the SETROPTS RACLIST and RACROUTE REQUEST=LIST,GLOBAL=YES cases,
if RACGLIST classname_nnnnn profiles exist for the class, they
are deleted. Even if the class was not RACLISTed, SETROPTS NORACLIST
can be used to delete these profiles. In all cases, the RACGLIST classname profile remains.
A valid class-name is any member class in the class descriptor table. Grouping
classes are not valid, except for RACFVARS and NODES. If class-name is valid, not only the specified class but
all classes that share the same POSIT are processed. For a list of general resource classes defined
in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Because SETROPTS NORACLIST, like SETROPTS RACLIST
REFRESH, operates on classes that are RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES
or SETROPTS RACLIST, member classes in the class descriptor table
that do not allow RACLIST processing are valid classes for this
command. Classes of both these kinds are still invalid for SETROPTS RACLIST.
When RACF is enabled for sysplex communication, RACF propagates
the SETROPTS NORACLIST command to other systems in the data sharing group, if the
command was successful on the system in which it was entered. If RACF is not enabled for sysplex communication,
you must issue the SETROPTS NORACLIST command on each system sharing
the database.
NORACLIST is in effect for all classes defined
in the class descriptor table when RACF is using a newly initialized database.
When SETROPTS
NORACLIST(CDT) is issued, the data space containing the dynamic class
descriptor table is deactivated, but not deleted. The data space remains
until the system is restarted. For more information on the dynamic
CDT, see z/OS Security Server RACF Security Administrator's Guide.
- REALDSN | NOREALDSN
-
- REALDSN
- Specifies that RACF is to record, in any SMF log records and operator messages, the
real data set name (not the naming-conventions name) used on the data
set commands and during resource access checking and resource definition.
- NOREALDSN
- Specifies that RACF is to record, in any SMF log records and operator messages, the
data set names modified according to RACF naming conventions.
NOREALDSN is in effect when RACF is using a newly initialized
database.
- REFRESH
- Refreshes the in-storage generic profiles when specified with GENERIC,
GLOBAL or RACLIST, or the in-storage program control tables when specified
with WHEN(PROGRAM).
- RETPD(nnnnn)
- Specifies
the default RACF security retention
period for tape data sets, where nnnnn is
a 1-5 digit number in the range of 0 through 65533 or 99999 to indicate
a data set that never expires. The security retention period is the
number of days that RACF protection
is to remain in effect for a tape data set; RACF stores the value in the tape data set profile.
If you specify RETPD, you must also specify TAPEDSN to activate
tape data set protection. If you omit TAPEDSN, RACF records the value you specify for security
retention period in the list of RACF options. However, without tape data set protection activated,
this value is meaningless.
If you specify RETPD and TAPEDSN,
the value you specify for security retention period is the default
for your installation; RACF places the value in each tape data set profile unless the user specifies
one of the following:
- An EXPDT in the JCL other than the current date
- A RETPD other than 0 on the ADDSD command.
If you specify TAPEDSN and do not specify RETPD, RACF uses a value of 0 for the default security
retention period.
- RVARYPW([SWITCH(switch-pw)] [STATUS(status-pw)])
- Specifies the passwords that the operator is to use to respond to
requests to approve RVARY command processing, where switch-pw is the response to a request to switch RACF databases or change the operating mode
of RACF, and status-pw is the response to a request to change RACF or database status from ACTIVE to INACTIVE
or from INACTIVE to ACTIVE. You can specify different passwords for
each response. Note that NO is not a valid password for either SWITCH
or STATUS.
When RACF is
using a newly initialized database, the switch password and the status
password are both set to YES.
- SAUDIT | NOSAUDIT
- Specifies whether RACF is
to log RACF commands issued
by users with the SPECIAL or group-SPECIAL attribute. You must have
the AUDITOR attribute to specify these operands.
- SAUDIT
- Specifies
that RACF is to log RACF commands (except LISTDSD,
LISTGRP, LISTUSER, RLIST, and SEARCH) issued by users who either had
the SPECIAL attribute or who gained authority to issue the command
through the group-SPECIAL attribute.
SAUDIT is in effect when RACF is using a newly initialized
database.
- NOSAUDIT
- Specifies that RACF is not to log the commands issued by users with the SPECIAL or group-SPECIAL
attribute.
- SECLABELAUDIT | NOSECLABELAUDIT
- You must have the AUDITOR attribute to specify these options.
- SECLABELAUDIT
- Specifies that the SECLABEL profile's auditing options
are to be used in addition to the auditing options specified for the
user or resource. This additional auditing occurs whenever an attempt
is made to access or define a resource protected by a profile, FSP,
or ISP that has a security label specified, or when a user running
with a security label attempts to access or define a resource.
The SECLABEL profile requires SETROPTS RACLIST processing. If SECLABEL
profile audit options are not specified, SECLABEL auditing is not
done.
For more information, refer to z/OS Security Server RACF Auditor's Guide.
- NOSECLABELAUDIT
- Disables auditing by SECLABEL.
NOSECLABELAUDIT is
in effect when RACF is using
a newly initialized database.
- SECLABELCONTROL | NOSECLABELCONTROL
- SECLABELCONTROL
- Limits the users who can specify the SECLABEL operand on RACF commands. Those allowed to
specify the operand are:
- Users with the SPECIAL attribute can specify the SECLABEL operand
on any RACF command.
- Users with the group-SPECIAL attribute can specify the SECLABEL
operand on the ADDUSER and ALTUSER commands when adding a user to
a group within their scope of control (provided the group-SPECIAL
is permitted to the SECLABEL).
- NOSECLABELCONTROL
- Allows any user to change the SECLABEL field in a profile, as
long as the user has at least READ access authority to the associated
SECLABEL profile.
NOSECLABELCONTROL is in effect when RACF is using a newly initialized
database.
- SECLBYSYSTEM | NOSECLBYSYSTEM
- SECLBYSYSTEM
- Specifies that security labels can be activated on a system image
basis. When SECLBYSYSTEM is active, the SMF ID values specified in
the member list of the profiles in the SECLABEL class will determine
whether or not the security label is valid for each system. Security
labels that are not valid for a system are considered inactive and
cannot be used or listed by users without SPECIAL or AUDITOR on that
system. After activating SECLBYSYSTEM, SETR RACLIST(SECLABEL) REFRESH
must be issued to complete the activation of security labels by system.
This option cannot be activated if the SECLABEL class is not active.
- NOSECLBYSYSTEM
- Specifies that security labels are not activated on a system image
basis.
NOSECLBYSYSTEM is in effect when RACF is using a newly initialized database.
- SECLEVELAUDIT | NOSECLEVELAUDIT
- You must have the AUDITOR attribute to specify these operands.
- SECLEVELAUDIT(security-level)
- Activates auditing of access attempts to all RACF-protected
resources based on the specified installation-defined security level. RACF audits all access attempts
for the specified security level and higher.
You can specify only
a security level name defined by your installation as a SECLEVEL profile
in the SECDATA class. (For information on defining security levels,
see the description of the RDEFINE and RALTER commands.)
- NOSECLEVELAUDIT
- Deactivates auditing of access attempts to RACF-protected
resources based on a security level.
NOSECLEVELAUDIT is in effect
when RACF is using a newly
initialized database.
- SESSIONINTERVAL | NOSESSIONINTERVAL
- SESSIONINTERVAL(n)
- Sets the maximum value that can be specified by RDEFINE or RALTER
for session key intervals. This n value
must be a number in the range of 1 - 32767
(inclusive).
The SESSIONINTERVAL value after RACF data set initialization is 30. This value
is used for:
- A default if SESSION is specified without INTERVAL on RDEFINE
when defining an APPCLU class profile.
- An upper limit if INTERVAL is specified on RDEFINE or RALTER for
APPCLU class profiles.
- NOSESSIONINTERVAL
- Disables the global limit on the number of days before a session
key expires. The internal value is set to zero.
- STATISTICS | NOSTATISTICS
- Use these operands to cause RACF to record or not record statistical information for the
specified class name. The valid class names are DATASET and those
classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor
table supplied by IBM, see Supplied RACF resource classes.
Note: If you
activate or deactivate statistics processing for a class, all other
classes in the class descriptor table with the same POSIT number are
also activated or deactivated. If, for instance, you activate statistics
processing for the TIMS class, statistics processing is also activated
for classes AIMS and GIMS because they share POSIT number 4. For more information on sharing a POSIT value, see
the POSIT keyword of the RDEFINE command.
- STATISTICS(class-name … | *)
- Specifies that RACF is to
record statistical information for class-name.
If you specify an asterisk (*), you activate
the recording of statistical information for the DATASET class and
all classes defined in the class descriptor table.
When RACF is using a newly initialized
database, the recording of class statistics is turned off. Because
statistics recording has an impact on system performance, it is recommended
that you do not activate this option for any class until your installation
evaluates the need to use it versus the potential performance impact.
For more information, see z/OS Security Server RACF System Programmer's Guide.
- NOSTATISTICS(class-name … | *)
- Specifies the names of the classes to be deleted from
those previously defined to have statistical information recorded.
If you specify an asterisk (*), you deactivate
the recording of statistical information for the DATASET class and
all classes defined in the class descriptor table.
- TAPEDSN | NOTAPEDSN
- TAPEDSN
- Activates tape data set protection.
When tape data set protection is in effect, RACF can protect individual tape data sets as
well as tape volumes.
If you activate tape data set protection,
you should also activate the TAPEVOL class. If you do not also activate
TAPEVOL, RACF does not check
the retention period before it deletes a tape data set, and you must
provide your own protection for tape data sets that reside on a volume
that contains more than one data set.
Before you activate tape
data set protection, see z/OS Security Server RACF Security Administrator's Guide for a complete description of the relationship
between TAPEDSN and activating the TAPEVOL class.
- NOTAPEDSN
- Deactivates tape data set protection. When NOTAPEDSN
is in effect, RACF cannot protect
individual tape data sets, though it can protect tape volumes.
NOTAPEDSN is in effect when RACF is using a newly initialized database.
- TERMINAL(READ | NONE)
- Sets the universal access authority (UACC)
associated with terminals that are not defined to RACF. If you specify TERMINAL but do
not specify READ or NONE, the system prompts you for a value.
- WHEN | NOWHEN
- WHEN(PROGRAM)
- Activates RACF program control, which includes both access control to load modules
and program access to data sets.
To set up access control to load
modules, you must identify your controlled programs by creating a
profile for each in the PROGRAM class. To set up program access to
data sets, you must add a conditional access list to the profile of
each program-accessed data set. Then, when program control is active, RACF ensures that each controlled
load module is executed only by callers with the defined authority. RACF also ensures that each program-accessed
data set is opened only by users who are listed in the conditional
access list with the proper authority and who are executing the program
specified in the conditional access list entry.
When RACF is enabled for sysplex communication, the
SETROPTS WHEN(PROGRAM) command and the SETROPTS WHEN(PROGRAM) REFRESH
command are propagated to other members of the data sharing group if the
command was successful on the system on which it was entered. When RACF is not enabled for sysplex communication,
you must issue the SETROPTS WHEN(PROGRAM) command and the SETROPTS
WHEN(PROGRAM) REFRESH command on each system sharing the database.
For more information about program control, see z/OS Security Server RACF Security Administrator's Guide.
Note: The PROGRAM class does
not have to be active.
- NOWHEN(PROGRAM)
- Specifies that RACF program control is not to be active.
NOWHEN(PROGRAM)
is in effect when RACF is using
a newly initialized database.
Examples
Example 1
- Operation
- User FRG34 wants to establish logging options
that cause RACF to log all
activity in the USER and GROUP classes, log the activities of users
with the SPECIAL and group-SPECIAL attributes, log all accesses allowed
only because the user has the OPERATIONS or group-OPERATIONS attribute,
log all command violations, and audit all attempts to access RACF-protected
resources based on the installation-defined security level SECRET.
- Known
- User FRG34 has the AUDITOR attribute. SECRET is
defined as a SECLEVEL profile in the SECDATA class. User FRG34
wants to issue this command as a RACF TSO command.
- Command
- SETROPTS AUDIT(USER GROUP) OPERAUDIT SECLEVELAUDIT(SECRET)
- Defaults
- SAUDIT CMDVIOL
Example 2
- Operation
- User RVU03 wants to establish a set of syntax
rules for passwords that obey the following rules:
- The minimum password length is 4 characters
- Four-character passwords must have at least one numeric and one
alphabetic character
- Five-character passwords must contain at least one numeric character
or be completely alphabetic
- Passwords of 6 or more characters consist of any combination of
alphabetic and numeric characters.
- Known
- User RVU03 has the SPECIAL attribute. User
RVU03 wants to issue this command as a RACF TSO command.
- Command
- SETROPTS PASSWORD(RULE1(LENGTH(4:5) ALPHANUM(1:5))
RULE2(LENGTH(5) ALPHA(1:5)) RULE3(LENGTH(6:8) ALPHANUM(1:8)) RULE4(LENGTH(6:8)
NUMERIC(1:8)) RULE5(LENGTH(6:8) ALPHA(1:8)))
- Defaults
- None.
Example 3
- Operation
- User ADM1 wants to display the RACF options currently in effect. MVS and VM
systems share the RACF database.
- Known
- User ADM1 has the SPECIAL and AUDITOR attributes.
User ADM1 wants to issue this command as a RACF TSO command.
- Command
- SETROPTS LIST
- Defaults
- None.
- Output
- See Figure 1 for
a sample listing.
Example 4
- Operation
- User RVU02 wants to establish system-wide options
for an installation. The installation requires tape data set protection
and tape volume protection, and the maximum change interval is to
be 60 days. The default RACF security retention period for tape data sets is to be 360 days.
- Known
- User RVU02 has the SPECIAL attribute. User
RVU02 wants to issue this command as a RACF TSO command.
- Command
- SETROPTS PASSWORD(INTERVAL(60)) CLASSACT(TAPEVOL)
TAPEDSN RETPD(360)
- Defaults
- None.
Example 5
- Operation
- User ADM1 wants to enable the generic profile
checking facility for the DATASET class.
- Known
- User ADM1 has the SPECIAL attribute. User
ADM1 wants to issue this command as a RACF TSO command.
- Command
- SETROPTS GENERIC(DATASET)
- Defaults
- None.
Example 6
- Operation
- User ADM1 wants to activate global access checking
for the DATASET class.
- Known
- User ADM1 has the SPECIAL attribute. User
ADM1 wants to issue this command as a RACF TSO command.
- Command
- SETROPTS GLOBAL(DATASET)
- Defaults
- None.
Example 7
- Operation
- User ADM1 wants to activate erase-on-scratch processing
for all resources with a security level of CONFIDENTIAL or higher
and set the SWITCH and STATUS passwords for the RVARY command.
- Known
- User ADM1 has the SPECIAL attribute. The CONFIDENTIAL
security level name is known to RACF. User ADM1 wants to issue this command as a RACF TSO command.
- Command
- SETROPTS ERASE(SECLEVEL(CONFIDENTIAL))
RVARYPW(SWITCH(LINUS) STATUS(LUCY))
- Defaults
- None.
Example 8
- Operation
- The RACF system administrator wants to activate installation defaults for
the primary and secondary national languages. The primary language
is Japanese and the secondary language is Canadian French.
- Known
- The system administrator has the SPECIAL attribute.
The MVS message service is not active. The 3-character language code
for Japanese is JPN. The language code for Canadian French is FRC. The system administrator wants to issue this command as a RACF TSO command.
- Command
- SETROPTS LANGUAGE(PRIMARY(JPN) SECONDARY(FRC))
- Defaults
- None.
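The password syntax rules of Example 2 can be evaluated offline, which is useful when reviewing a proposed PASSWORD operand before it is put in effect. The following Python is an added example, not IBM code or output from RACF: it parses a PASSWORD(RULEn(...)) operand, renders each rule in the legend form that the SETROPTS LIST output uses (LENGTH(4:5) LLLLL, and so on), and reports which rule, if any, accepts a candidate password. It assumes that a password is accepted when it satisfies any one rule, that positions without a content keyword are unconstrained, that the national characters are @, #, and $, and that a rule using ALPHANUM requires at least one alphabetic and one numeric character; that last reading is the one under which Example 2's five rules produce the requirements stated in its Operation. Only the content keywords listed in the legend that the example needs are implemented.

```python
"""Added example: check candidate passwords against RACF SETROPTS
PASSWORD(RULEn(...)) syntax rules of the kind shown in Example 2.

Assumptions (not stated on the page): national characters are @, #, $;
positions with no content keyword are unconstrained; a password passes
when it satisfies at least one rule; a rule that uses ALPHANUM requires
at least one alphabetic and one numeric character overall.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VOWELS = set("AEIOU")
NATIONAL = set("@#$")          # assumption: the EBCDIC national characters


def _alpha(ch: str) -> bool:
    return ch.isascii() and ch.isalpha()


def _numeric(ch: str) -> bool:
    return ch.isascii() and ch.isdigit()


# Content keyword -> (legend letter used by SETROPTS LIST, per-character test)
CONTENT = {
    "ALPHA":     ("A", _alpha),
    "ALPHANUM":  ("L", lambda ch: _alpha(ch) or _numeric(ch)),
    "NUMERIC":   ("N", _numeric),
    "VOWEL":     ("V", lambda ch: ch.upper() in VOWELS),
    "CONSONANT": ("C", lambda ch: _alpha(ch) and ch.upper() not in VOWELS),
    "NATIONAL":  ("$", lambda ch: ch in NATIONAL),
    "ANYTHING":  ("*", lambda ch: True),
}


@dataclass
class Rule:
    name: str
    min_len: int
    max_len: int
    positions: Dict[int, str]   # 1-based position -> content keyword

    def legend(self) -> str:
        """Render the rule the way SETROPTS LIST does, e.g. 'LENGTH(4:5) LLLLL'."""
        length = (f"LENGTH({self.min_len})" if self.min_len == self.max_len
                  else f"LENGTH({self.min_len}:{self.max_len})")
        letters = "".join(CONTENT[self.positions.get(p, "ANYTHING")][0]
                          for p in range(1, self.max_len + 1))
        return f"{length} {letters}"

    def accepts(self, pw: str) -> bool:
        if not self.min_len <= len(pw) <= self.max_len:
            return False
        for pos, ch in enumerate(pw, start=1):
            if not CONTENT[self.positions.get(pos, "ANYTHING")][1](ch):
                return False
        if "ALPHANUM" in self.positions.values():
            # assumption: ALPHANUM implies at least one letter and one digit
            if not (any(_alpha(c) for c in pw) and any(_numeric(c) for c in pw)):
                return False
        return True


_RANGE = re.compile(r"(\w+)\((\d+)(?::(\d+))?\)")


def _balanced(text: str, start: int) -> int:
    """Return the index of the ')' that matches the '(' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in rule text")


def parse_rules(operand: str) -> List[Rule]:
    """Parse every RULEn(...) group found in a PASSWORD operand."""
    rules = []
    for m in re.finditer(r"RULE(\d)\(", operand):
        body = operand[m.end():_balanced(operand, m.end() - 1)]
        min_len = max_len = None
        positions: Dict[int, str] = {}
        for kw, lo, hi in _RANGE.findall(body):
            lo, hi = int(lo), int(hi or lo)
            if kw == "LENGTH":
                min_len, max_len = lo, hi
            elif kw in CONTENT:
                for p in range(lo, hi + 1):
                    positions[p] = kw
            else:
                raise ValueError(f"unsupported content keyword {kw}")
        if min_len is None:
            raise ValueError(f"RULE{m.group(1)} has no LENGTH")
        rules.append(Rule(f"RULE{m.group(1)}", min_len, max_len, positions))
    return rules


def check_password(pw: str, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first rule that accepts pw, or None if none does."""
    for r in rules:
        if r.accepts(pw):
            return r.name
    return None


# The command from Example 2 on this page.
EXAMPLE2 = ("SETROPTS PASSWORD(RULE1(LENGTH(4:5) ALPHANUM(1:5)) "
            "RULE2(LENGTH(5) ALPHA(1:5)) RULE3(LENGTH(6:8) ALPHANUM(1:8)) "
            "RULE4(LENGTH(6:8) NUMERIC(1:8)) RULE5(LENGTH(6:8) ALPHA(1:8)))")
EXAMPLE2_RULES = parse_rules(EXAMPLE2)

if __name__ == "__main__":
    for r in EXAMPLE2_RULES:
        print(r.name, r.legend())
    for pw in ("AB12", "1234", "ABCDE", "AB1DE", "123456", "ABCDEFG", "ABC DEF"):
        print(f"{pw!r:12} -> {check_password(pw, EXAMPLE2_RULES)}")
```

Running it against the five rules of Example 2 reproduces the RULE 1 to RULE 5 lines of Figure 1 and shows, for instance, that a four-character password of digits only is rejected while a five-letter password passes through RULE2.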
Figure 1. Output for SETROPTS LIST
SETROPTS LIST (1)
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) TERMINAL(READ) SAUDIT CMDVIOL NOOPERAUDIT
STATISTICS = DATASET AIMS APPL DASDVOL GCICSTRN GIMS PCICSPSB QCICSPSB TAPEVOL
TCICSTRN TERMINAL TIMS
AUDIT CLASSES = DATASET USER GROUP AIMS APPL DASDVOL GCICSTRN GIMS
PCICSPSB QCICSPSB TAPEVOL TCICSTRN TERMINAL TIMS
ACTIVE CLASSES = DATASET USER GROUP ACICSPCT AIMS APPL BCICSPCT CCICSCMD DASDVOL
DCICSDCT ECICSDCT FCICSFCT GCICSTRN GIMS GLOBAL GMBR HCICSFCT
JCICSJCT KCICSJCT MCICSPPT NCICSPPT PCICSPSB QCICSPSB RACGLIST
SCICSTST TAPEVOL TCICSTRN TERMINAL TIMS UCICSTST VCICSCMD VMRDR
VMMDISK
GENERIC PROFILE CLASSES = DATASET ACICSPCT AIMS APPL CCICSCMD DASDVOL DCICSDCT
FCICSFCT GMBR JCICSJCT MCICSPPT PCICSPSB SCICSTST
TAPEVOL TCICSTRN TERMINAL TIMS VMBATCH VMCMD VMMDISK
VMNODE VMRDR
GENERIC COMMAND CLASSES = DATASET ACICSPCT AIMS APPL CCICSCMD DASDVOL DCICSDCT
FCICSFCT GMBR JCICSJCT MCICSPPT PCICSPSB SCICSTST
TAPEVOL TCICSTRN TERMINAL TIMS VMBATCH VMCMD VMMDISK
VMNODE VMRDR
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = VMMDISK
SETR RACLIST CLASSES = ACCTNUM DASDVOL
GLOBAL=YES RACLIST ONLY = JCICSJCT TCICSTRN
LOGOPTIONS "ALWAYS" CLASSES = DASDVOL GDASDVOL SECLABEL
LOGOPTIONS "NEVER" CLASSES = FACILITY VMXEVENT VXMBR
LOGOPTIONS "SUCCESSES" CLASSES = APPCLU RACFVARS RVARSMBR
LOGOPTIONS "FAILURES" CLASSES = DATASET PMBR PROGRAM PROPCNTL
LOGOPTIONS "DEFAULT" CLASSES = GTERMINL TAPEVOL TERMINAL
AUTOMATIC DATASET PROTECTION IS IN EFFECT
ENHANCED GENERIC NAMING IS IN EFFECT
REAL DATA SET NAMES OPTION IS ACTIVE
JES-BATCHALLRACF OPTION IS INACTIVE
JES-XBMALLRACF OPTION IS INACTIVE
JES-EARLYVERIFY OPTION IS INACTIVE
PROTECT-ALL OPTION IS NOT IN EFFECT
TAPE DATA SET PROTECTION IS ACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS 365 DAYS
ERASE-ON-SCRATCH IS INACTIVE
SINGLE LEVEL NAME PREFIX IS RDSPRFX
LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED.
DATA SET MODELLING NOT BEING DONE FOR GDGS.
USER DATA SET MODELLING IS BEING DONE.
GROUP DATA SET MODELLING IS BEING DONE.
(1) The second line of this display, ATTRIBUTES =, refers to global RACF attributes
in effect. These attributes can be set only with the SETROPTS command.
They are different from, and should not be confused with, the RACF user attributes.
PASSWORD PROCESSING OPTIONS:
PASSWORD CHANGE INTERVAL IS 254 DAYS.
PASSWORD MINIMUM CHANGE INTERVAL IS 2 DAYS.
MIXED CASE PASSWORD SUPPORT IS IN EFFECT.
13 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.
PASSWORD EXPIRATION WARNING LEVEL IS 186 DAYS.
INSTALLATION PASSWORD SYNTAX RULES:
RULE 1 LENGTH(4:5) LLLLL
RULE 2 LENGTH(5) AAAAA
RULE 3 LENGTH(6:8) LLLLLLLL
RULE 4 LENGTH(6:8) NNNNNNNN
RULE 5 LENGTH(6:8) AAAAAAAA
LEGEND:
A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLEVELAUDIT IS INACTIVE
SECLABEL AUDIT IS IN EFFECT
SECLABEL CONTROL IS IN EFFECT
GENERIC OWNER ONLY IS IN EFFECT
COMPATIBILITY MODE IS IN EFFECT
MULTI-LEVEL QUIET IS IN EFFECT
MULTI-LEVEL STABLE IS IN EFFECT
NO WRITE-DOWN IS IN EFFECT. CURRENT OPTIONS:
"MLS WARNING" OPTION IS IN EFFECT
MULTI-LEVEL SECURE IS IN EFFECT. CURRENT OPTIONS:
"MLS WARNING" OPTION IS IN EFFECT
MULTI-LEVEL ACTIVE IS IN EFFECT. CURRENT OPTIONS:
"MLACTIVE FAIL" OPTION IS IN EFFECT
CATALOGUED DATA SETS ONLY, IS IN EFFECT. CURRENT OPTIONS:
"CATDSNS WARNING" OPTION IS IN EFFECT
USER-ID FOR JES NJEUSERID IS : ????????
USER-ID FOR JES UNDEFINEDUSER IS : ++++++++
PARTNER LU-VERIFICATION SESSIONKEY INTERVAL MAXIMUM/DEFAULT IS 30 days
APPLAUDIT IS IN EFFECT
ADDCREATOR IS IN EFFECT
KERBLVL = 0
MULTI-LEVEL FILE SYSTEM IS IN EFFECT
MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS IN EFFECT
MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
PRIMARY LANGUAGE DEFAULT : ENU / AMERICAN
SECONDARY LANGUAGE DEFAULT : ENU / AMERICAN
Note: The language name (in this example, AMERICAN) only appears
if the MVS message service is active.
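A listing like Figure 1 is the natural input for a configuration review, because several of the dependencies described in the operand descriptions above can be checked mechanically: TAPEDSN should be accompanied by an active TAPEVOL class, a security retention period has no effect without TAPEDSN, a newly initialized database leaves the RVARY switch and status passwords at their defaults, SAUDIT is what logs commands from SPECIAL users, and STATISTICS recording carries a performance cost. The following Python is an added example, not part of the page or of RACF: it splits SETROPTS LIST output into "KEY = values" lists (joining continuation lines) and free-text statements, extracts the numeric password controls, and emits review findings for the conditions just listed. The sample text is constructed from Figure 1 and is not a capture from a real system.

```python
"""Added example: parse SETROPTS LIST output and flag settings worth review.
The checks encode statements made on this page; the sample below is
constructed from Figure 1, abbreviated, and is not a real system capture.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
SETROPTS LIST
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) TERMINAL(READ) SAUDIT CMDVIOL NOOPERAUDIT
STATISTICS = DATASET AIMS APPL DASDVOL GCICSTRN GIMS PCICSPSB QCICSPSB TAPEVOL
             TCICSTRN TERMINAL TIMS
AUDIT CLASSES = DATASET USER GROUP AIMS APPL DASDVOL GCICSTRN GIMS
ACTIVE CLASSES = DATASET USER GROUP AIMS APPL DASDVOL GLOBAL GMBR RACGLIST
                 TAPEVOL TCICSTRN TERMINAL TIMS VMRDR VMMDISK
GLOBAL CHECKING CLASSES = VMMDISK
PROTECT-ALL OPTION IS NOT IN EFFECT
TAPE DATA SET PROTECTION IS ACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS 365 DAYS
ERASE-ON-SCRATCH IS INACTIVE
PASSWORD PROCESSING OPTIONS:
PASSWORD CHANGE INTERVAL IS 254 DAYS.
AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLEVELAUDIT IS INACTIVE
"""


def parse_setropts_list(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split the listing into 'KEY = values' lists and free-text statements.
    Indented lines continue the list started on the previous 'KEY =' line."""
    lists: Dict[str, List[str]] = {}
    statements: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if " = " in line and not line.startswith(" "):
            key, _, rest = line.partition(" = ")
            current = key.strip()
            lists[current] = rest.split()
        elif line.startswith(" ") and current is not None:
            lists[current].extend(line.split())
        else:
            current = None
            statements.append(line.strip().rstrip("."))
    return lists, statements


def password_options(statements: List[str]) -> Dict[str, int]:
    """Pull the numeric controls out of the password and retention lines."""
    patterns = {
        "change_interval_days": r"PASSWORD CHANGE INTERVAL IS (\d+) DAYS",
        "revoke_after_attempts": r"AFTER (\d+) CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS",
        "retention_days": r"SECURITY RETENTION PERIOD IN EFFECT IS (\d+) DAYS",
    }
    found = {}
    for name, pat in patterns.items():
        for s in statements:
            m = re.search(pat, s)
            if m:
                found[name] = int(m.group(1))
    return found


def review(lists: Dict[str, List[str]], statements: List[str]) -> List[str]:
    """Return findings based on the operand dependencies described on the page."""
    findings = []
    attrs = set(lists.get("ATTRIBUTES", []))
    active = set(lists.get("ACTIVE CLASSES", []))
    tapedsn = "TAPE DATA SET PROTECTION IS ACTIVE" in statements
    retpd = next((s for s in statements
                  if s.startswith("SECURITY RETENTION PERIOD")), None)
    if tapedsn and "TAPEVOL" not in active:
        findings.append("TAPEDSN is active but the TAPEVOL class is not: RACF does "
                        "not check the retention period before deleting tape data sets")
    if retpd and not tapedsn:
        findings.append(f"'{retpd}' has no effect because tape data set "
                        "protection is inactive")
    if "SAUDIT" not in attrs:
        findings.append("NOSAUDIT: commands issued by SPECIAL and "
                        "group-SPECIAL users are not logged")
    if "NOWHEN(PROGRAM)" in attrs:
        findings.append("Program control is inactive (NOWHEN(PROGRAM))")
    stats = [c for c in lists.get("STATISTICS", []) if c != "NONE"]
    if stats:
        findings.append(f"STATISTICS recording is on for {len(stats)} classes; "
                        "the page notes a performance impact")
    for s in statements:
        if s.startswith("DEFAULT RVARY PASSWORD IS IN EFFECT"):
            findings.append(s + ": RVARYPW has not been set since initialization")
    if "PROTECT-ALL OPTION IS NOT IN EFFECT" in statements:
        findings.append("PROTECT-ALL is not in effect: data sets without "
                        "RACF protection can be created or accessed")
    return findings


if __name__ == "__main__":
    lists, statements = parse_setropts_list(SAMPLE)
    print(password_options(statements))
    for f in review(lists, statements):
        print("-", f)
```

The parser keys on the two line shapes that appear in Figure 1 (a "KEY = values" list with indented continuation lines, and a free-text statement), so the same code runs over a full listing; a site would extend the checks in review() with its own thresholds for the values that password_options() extracts.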