RACXTRT macro (standard form)

The RACXTRT macro is used to retrieve or replace certain specified fields from a RACF® profile or to encode certain clear-text (readable) data.

This macro is only available to authorized callers (APF-authorized, in system key 0–7, or in supervisor state).

When activated, automatic direction of application updates propagates RACXTRT TYPE=REPLACE requests on to selected remote nodes. Only RACXTRT TYPE=REPLACE requests with return code 0 are propagated.

Note:

Encoding, replacement, and extraction are mutually exclusive.
Only callers in 24-bit addressing mode can issue this macro. Callers executing in 31-bit addressing mode who want to use the RACXTRT function can code the RACROUTE macro.

The following RACXTRT functions are Programming Interfaces:

Retrieving or updating fields in any other product segment (including WORKATTR) in the user, group and resource profiles.
Retrieving or updating the following installation-reserved fields:
- USERDATA
- USRCNT
- USRDATA
- USRFLG
- USRNM
Retrieving the current or a specified user's default group or password.

The following RACXTRT function is part of the Programming Interface but is not recommended for use because the macro is not going to be enhanced in future releases.

Retrieving or updating fields in the base segment of a user, resource, or group profile.

The standard form of the RACXTRT macro is written as follows:



`name`	`name`: Symbol. Begin `name` in column 1.

␢	One or more blanks must precede RACXTRT.

RACXTRT

␢	One or more blanks must follow RACXTRT.


TYPE=EXTRACT TYPE=EXTRACTN TYPE=REPLACE TYPE=ENCRYPT

,ENTITY`=profile name`	`profile name addr`: A-type address, or register (2) – (12)
`addr`

,ACEE`=acee-address`	`acee`: A-type address, or register (2) – (12)

,VOLSER`=volser-address`	`vol address`: A-type address, or register (2) – (12)

,GENERIC=ASIS
,GENERIC=YES	Default: ASIS

,FLDACC=YES
,FLDACC=NO	Default: NO

If TYPE=EXTRACT or EXTRACTN is specified:

,SUBPOOL`=subpool`	`subpool number`: Decimal digit, 0–255
	Default: SUBPOOL=229
`number`

,DERIVE`=‘YES’`	See explanation of keyword.
	Default: Normal processing

,CLASS`=‘class name’`	`class name`: 1–8 character class name
,CLASS`=class name addr`	`class name addr`: A-type address or register (2) – (12)
	Default: ‘USER’

,SEGMENT`=‘segment`	`segment name`: 1–8 character name
`name’`
,SEGMENT`=segment`	`segment name addr`: A-type address or register (2) – (12)
`name addr`

,FIELDS`=field addr`	`field addr`: A-type address or register (2) – (12)

If TYPE=REPLACE is specified:

,CLASS`=‘class name’`	`class name`: 1–8 character class name
,CLASS=`class name addr`	`class name addr`: A-type address or Register (2) – (12)
	Default: ‘USER’

,SEGMENT`=‘segment`	`segment name`: 1–8 character name
`name’`
,SEGMENT=`segment`	`segment name addr`: A-type address or register (2) – (12)
`name addr`

,FIELDS`=field addr`	`field addr`: A-type address or register (2) – (12)

,SEGDATA=`segment`	`segment data addr`: A-type address or register (2) – (12)
`data addr`

If TYPE=ENCRYPT is specified:

,ENCRYPT=(`data`	`data address`: A-type address or register (2) – (12)
`address,DES`)
,ENCRYPT=(`data`
`data address,HASH`)
,ENCRYPT=(`data`
`address,INST`)
Note: If TYPE=ENCRYPT is specified, the only other allowable parameters are ENTITY, RELEASE, ENCRYPT, with ENCRYPT being required.

The parameters are explained as follows:

TYPE=EXTRACT

specifies the function to be performed by the extract function routine.

With Release 1.8 and later, RACXTRT can provide additional function: it can extract information from any field in any profile. See RACF database templates for a definition of the type and name of each field in each profile. If you specify EXTRACT, the macro extracts information from the profile determined by the ENTITY and CLASS keywords. Specifically, RACF extracts the fields specified in the FIELDS keyword from the segment specified by the SEGMENT keyword. If you do not specify ENTITY, RACF retrieves the desired information from the current user's profile.

To use TYPE=EXTRACT to extract field information from a profile, you must specify RELEASE=1.8 or later.

Note: If you specify TYPE=EXTRACT, do not specify ENCRYPT.

Upon return, register 1 contains the address of a result area that begins with a fullword containing the area's subpool number and length. It is your responsibility to issue a FREEMAIN to release the area after you are through using it.

The fields in the result area are in the order below:

Offset (Dec)	Data	Length (Dec)
0	Subpool of area	1
1	Length of area	3
4	Offset to start of optional field to contain segment data	2
6	Flag	1
7	Reserved	17
24	Specified or current user's user ID, if CLASS=USER	8
32	Specified user's default connect group or current user's current connect group, if CLASS=USER	8

In general, RACF returns field data in the order it was specified, with a 4-byte length field preceding each profile field. For example, if you are extracting a single field, you receive a 4-byte length field that contains the length of the field that follows. If the requested field is a variable length field, there is no additional length byte.

If you are extracting a combination field (representing one or more fields), you receive:

A 4-byte length field that contains the combined length of all the fields that follow
A combination field made up of 4-byte length fields followed by their respective individual data fields.

What is returned for a combination field

If you are extracting a single field within a repeat group, you receive:

A 4-byte length field that contains the combined length of all the fields that follow.
A 4-byte length field that indicates the length of the specified field in the first occurrence of the repeat group. This is followed by a 4-byte length field that indicates the length of the specified field in the second occurrence of the repeat group. The pattern repeats until all the occurrences of the repeat group are accounted for.

What is returned for a single field within a repeat group

If you are extracting a combination field (representing one or more fields) within a repeat group, you receive:

A 4-byte length field that contains the combined length of all the fields that follow.
A combination field consisting of a 4-byte length field indicating the length of the individual data field that follows it, followed by the next 4-byte length field indicating the length of the next individual data field. The pattern repeats until all the individual fields that make up the combination field are accounted for. At the next occurrence of the repeat group the pattern begins again.

What is returned for a combination field within a repeat group

Specifying the name of a repeat-group count field retrieves only the 4-byte length followed by the 4-byte repeat group count.

When a field to be extracted is empty, the following results:

For fixed-length fields, RACF returns the default as specified by the template definitions. The default for flag fields is X'00'. The default for fixed-length fields in the base segment of the profile in binary ones. The default for fixed-length fields in other segments is binary zeros.
For variable-length fields, RACF returns a length of zero and no data.
If CLASS=USER, when you specify EXTRACT, the macro extracts the user ID, connect group and, optionally, the encoded password from the user profile.

TYPE=EXTRACTN

specifies the function to be performed by the EXTRACT function routine.

Note: If you specify TYPE=EXTRACTN, do not specify ENCRYPT=.

Upon return, register 1 contains the address of a result area that begins with a fullword containing the area's subpool number and length. To see the format of the result area, see the explanation of TYPE=EXTRACT, above. At offset 6 in the result area, there is a flag. If the flag has a X'80', the name returned is generic.

If you specify EXTRACTN, the macro extracts information from the profile that follows the profile determined by the ENTITY and CLASS keywords. From that next profile, RACF extracts the fields specified in the FIELDS keyword from the segment specified by the SEGMENT keyword. In addition, RACF returns the name of the profile from which it extracted the data.

TYPE=REPLACE

specifies the function to be performed by the EXTRACT function routine.

Note: If you specify TYPE=REPLACE, do not specify ENCRYPT=.

Use of the REPLACE option to update a profile requires a thorough knowledge of the interrelationships of fields within a profile and of the potential relationships between profiles. For instance, if you use RACXTRT to update a password, you should also update the password change date and password history information.

If you specify TYPE=REPLACE, RACF takes the information in the fields specified in the FIELDS parameter and pointed to by SEGDATA, and places that information in the designated SEGMENT. (The SEGMENT is within the profile determined by the ENTITY and CLASS keywords.) If you specify TYPE=REPLACE, you must specify FIELDS, SEGDATA=, and RELEASE=1.8 or later. If you want to replace a segment other than the base segment, you must specify the SEGMENT keyword with the segment you want. If you do not specify SEGMENT, the segment defaults to the base segment.

With 1.8 and later, if you want to create a TSO segment, you can do so by specifying the RACXTRT macro in the following way:

TYPE=REPLACE  SEGMENT=TSO

,SUBPOOL=subpool number

specifies the storage subpool from which the extract-function routine obtains an area needed for the extraction. If this parameter is not specified, it defaults to 229.

Note: Care should be taken in selecting a subpool. Selecting a fetch-protected subpool or subpool 0 might result in programs being unable to access or free retrieved data.

,DERIVE=YES

specifies that the desired field is obtained from the DFP segment of the appropriate profile. To specify DERIVE, you must also specify RELEASE=1.8.1.

DERIVE requests are limited to the DFP segment of the data set and user profiles. The following information is an explanation of the DERIVE processing for both DATASET and USER requests.

DATASET
Specifying the DERIVE=YES keyword with CLASS=DATASET and FIELDS=RESOWNER causes RACF to perform additional processing, other than simply extracting the data set resource owner from the data set profile.

DFP uses this retrieved information for authority checking when allocating a new data set.

To process the request, RACF first attempts to extract the RESOWNER field from the DATASET profile specified by the ENTITY keyword. If the profile exists and the RESOWNER field contains data, RACF checks to see whether that data is the user ID of a USER or GROUP currently defined to RACF. If so, RACF returns that user ID along with a reason code that indicates whether the user ID is that of a USER or GROUP.

If RACF does not find a profile that matches the data set name specified by the ENTITY keyword, RACF attempts to locate the generic data set profile that protects that data set name.

If it finds the generic profile, and the RESOWNER field contains data, RACF checks to see whether that data is the user ID of a USER or GROUP currently defined to RACF. If so, RACF returns that user ID along with a reason code that indicates whether the user ID is that of a USER or GROUP.

If RACF does not find a generic profile or the retrieved data is neither a USER nor a GROUP, RACF returns the high-level qualifier from the name specified on the ENTITY keyword, along with a reason code that indicates whether that high-level qualifier matches a defined USER or GROUP, or neither.
You specify a DERIVE request for RESOWNER as follows:
```
 RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT,
 ENTITY=DSNAME,
 VOLSER=MYDASD,
 CLASS='DATASET',
 FIELDS=RESFLDS,
 SEGMENT='DFP',
 DERIVE=YES,
 RELEASE=1.8.1
    ⋮
 DSNAME   DC CL44'USER1.DATASET'
 MYDASD   DC CL6'DASD1'
 RESFLDS  DC A(1)
          DC CL8'RESOWNER'
```
Note: You must specify all the keywords in the example, for the DERIVE request to work.
User
The purpose of specifying the DERIVE=YES keyword with CLASS=USER is to obtain the desired DFP-field information (STORCLAS or MGMTCLAS) from the profile of the user. If the user's profile does not contain the desired DFP fields, RACF goes to the user's default group and attempts to obtain the information for the remaining fields from the GROUP profile (the remaining fields being those that do not contain information in the USER profile).
You specify a DERIVE request for information from a USER profile as follows:
```
 RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT,
 ENTITY=USER01,
 CLASS='USER',
 FIELDS=STRFLDS,
 SEGMENT='DFP',
 DERIVE=YES,
 RELEASE=1.8.1
    ⋮
 USER01   DC CL8'USER01'
 STRFLDS  DC A(1)
          DC CL8'STORCLAS'
```

RACF processes the DERIVE keyword only if it is specified with the DATASET or USER class. In addition, for DERIVE processing to occur, SEGMENT=DFP and RELEASE=1.8.1 must also be specified.

,FIELDS=address

Specifies the address of a variable-length list. The first field is a 4-byte field that contains the number of profile-field names in the list that follows. Each profile-field name is 8 bytes long, left-justified, and padded to the right with blanks. The allowable field names for each type of profile are in the template listings in RACF database templates. To see how to specify the FIELDS keyword, see the TYPE=REPLACE example that follows.

If you specify RELEASE=1.6 or later, or allow the keyword to default, the following options exist:
- The only acceptable value of the count field is 1.
- The only acceptable field name is PASSWORD. Use this parameter when you want to extract the user's encoded password in addition to the user ID and connect group. RACF returns the encoded password in the result area at an offset from the start of the area specified by the halfword at offset 4. (See the result area under TYPE=EXTRACT.)
If you specify RELEASE=1.8 or later, the following options exist:
- The count field can contain numbers from 1 through 255.
- The field names can be any of the field names in the template listings.

If you specify TYPE=EXTRACT or EXTRACTN, RACF retrieves the contents of the named fields from the RACF profile indicated by the CLASS= and ENTITY= parameters, and returns the contents in the result area. (See result area explained under the EXTRACT keyword.)

With Release 1.8, you can specify TYPE=REPLACE. RACF replaces or creates the indicated fields in the profile specified on the CLASS and ENTITY keywords with the data pointed to by the SEGDATA keyword.

Note:

Do not replace a repeat group count field. Doing so causes unpredictable results.
You cannot replace an entire repeat group, a single occurrence of a repeat group, or a single existing field in a repeat group. If you attempt to do so, RACF adds the data to the existing repeat group or groups.
The only things you can do is retrieve all occurrences of specified fields within a repeat group or add a new occurrence of a repeat group.
If you add occurrences of a repeat group, RACF places those additions at the beginning (front) of the repeat group.

The following example of TYPE=REPLACE replaces fields in the base segment. It shows one way to code the macro and the declarations necessary to make the macro work.

       RACXTRT  TYPE=REPLACE,
                CLASS='USER',
                ENTITY=USERID,
                FIELDS=FLDLIST,
                SEGDATA=SEGDLIST,
                SEGMENT=BASE
                ⋮
        USERID   DC  CL8,'BILL'
        FLDLIST  DC  A(3)
                 DC  CL8'AUTHOR'
                 DC  CL8'DFLTGRP'
                 DC  CL8'NAME'
        SEGDLIST DC  AL4(6),CL6'JSMITH'
                 DC  AL4(8),CL8'SECURITY'
                 DC  AL4(11),CL11'BILL THOMAS'
        BASE     DC  CL8'BASE'

When the replacement action takes place, the following results occur:

JSMITH is placed in the AUTHOR field in the profile.
SECURITY is placed in the DFLTGRP field in the profile.
BILL THOMAS is placed in the NAME field in the profile.

The following example of TYPE=EXTRACT retrieves the universal access from a fully-qualified generic data set profile. The information is retrieved in a work area created in SUBPOOL 1.

   RACXTRT    TYPE=EXTRACT,
              CLASS='DATASET',
              ENTITY=DSN,
              FIELDS=FLDS,
              GENERIC=YES,
              SUBPOOL=1
              RELEASE=1.8,
              SEGMENT='TSO'
              ⋮
  DSN  DC  CL44'SYS1.LINKLIB'
  FLDS DC  A(1)
       DC  CL8 'UACC'

TYPE=ENCRYPT

specifies the function to be performed by the extract-function routine.

If TYPE=ENCRYPT is specified, the operation performed is data encoding. The ENCRYPT keyword specifies the data to be encoded and the encoding method used. The first eight bytes of the area pointed to by the ENTITY operand are used by the data encryption standard (DES) encoding routine. If ENTITY is not specified, the user ID from the current ACEE is used instead. If TYPE=ENCRYPT is specified, no work area is returned.

,ENCRYPT=(data address,DES)

,ENCRYPT=(data address,HASH)

,ENCRYPT=(data address,INST)

specifies the data to be authenticated, and a method of authentication. The address points to a 1-byte length field followed by 1 to 255 bytes of clear-text data to be used as the user-authentication key. The second subparameter specifies the authentication method: the RACF data encryption standard algorithm, the RACF hashing algorithm, or whatever scheme the installation uses (INST value). Upon return to the macro issuer, the first subparameter contains the address of an area that contains a 1-byte length followed by the encoded version of the data. Neither the address itself nor the length is changed.

Note: When the DES algorithm is used, RACF actually encrypts the data pointed to by the ENTITY profile or by the user ID, using the data as the encryption key. Data is one-way encrypted, that is, no facility is provided to recover the data in readable form. If HASH is specified, the RACF hashing algorithm is used and data is masked instead of encrypted.

,ENTITY=resource name address

specifies the address of an area containing the resource name. The resource name is a 44-byte DASD data set name for CLASS=‘DATASET’, an 8-byte area containing the user ID for CLASS=‘USER’, an 8-byte area containing the group name for CLASS=‘GROUP’, or a 17-byte area for CLASS=‘CONNECT’. The length of all other resource names is determined from the class descriptor table. The name must be left-justified in the field and padded with blanks. For CLASS=‘USER’, the user ID from the current ACEE or the ACEE specified for ACEE= is used if ENTITY= is not specified.

,ACEE=acee address

specifies an alternate ACEE for RACF to use rather than the current ACEE. For example, if the ENTITY parameter has not been specified, RACF refers to the ACEE during extract processing of user data. If you want to use the ACEE parameter, you must specify RELEASE=1.8 or later.

,VOLSER=vol-address (valid only with ,CLASS=‘DATASET’)

specifies the volume serial as follows:

For MVS/VSAM DASD data sets and tape data sets, specifies the volume serial number of the catalog controlling the data set.
For non-VSAM DASD data sets and tape data sets, specifies the volume serial number of the volume on which the data set resides.

The field pointed to by the vol-address variable contains the volume serial number. If necessary, you must pad it to the right with blanks so it contain six characters.

If you specify VOLSER, you must specify RELEASE=1.8 or later.

,GENERIC=ASIS|YES

When CLASS is DATASET, specifies whether RACF is to treat the entity name as a generic profile name.

If GENERIC=YES is specified, the resource name is considered a generic profile name, even if it does not contain a generic character: an asterisk (*) or a percent sign (%). If you specify GENERIC=YES, the resource name in the macro will match only a generic resource name in the RACF database. It will not match a discrete name.
If GENERIC=ASIS is specified, the resource name is considered a generic only if it contains a generic character: an asterisk (*) or a percent sign (%).

If you specify GENERIC, you must specify RELEASE=1.8 or later.

,FLDACC=NO|YES

specifies whether field-level access checking should be performed. If you specify FLDACC=YES, the RACF database manager checks to see that the user running your program has the authority to extract or modify the fields that are specified in the RACXTRT macro.

Note:

For field-level access checking to occur, you must specify RELEASE=1.8 or later when you code the macro. In addition, before the program executes, the security administrator must activate and RACLIST the FIELD class using the SETROPTS command. If you code FLDACC=YES and the FIELD class is not active and RACLISTed, the request is failed with a return code 8, reason code 4.
In addition, the security administrator must issue the RDEFINE and PERMIT commands to designate those users who have the authority to access the fields designated in the RACXTRT macro.
If you specify FLDACC=NO or omit the parameter, the manager ignores field-level access checking.

,CLASS=‘class name’

,CLASS=class name addr

specifies the class the entity is in. The class name can be USER, GROUP, CONNECT, DATASET, or any general-resource class defined in the class descriptor table. If you specify CLASS, you must specify RELEASE=1.8 or later.

,SEGMENT=‘segment name’

,SEGMENT=segment name address

specifies the RACF profile segment that RACF is to update or from which it is to extract data. If you specify SEGMENT, you must also specify the CLASS and FIELDS keywords, and RELEASE=1.8 or a later release number. If you allow the SEGMENT parameter to default, RACF assumes that you want to extract information from the base segment.

,SEGDATA=segment data addr

specifies the address of a list of data items to be placed in the fields named by the FIELDS= parameter. You use the SEGDATA parameter when you specify TYPE=REPLACE. If you specify SEGDATA, you must also specify CLASS, FIELDS, and RELEASE=1.8 or a later release number. The stored data is paired in the following format:

A 4-byte length field that contains the length of the data field that follows
A data field of variable length.

Each length field is followed immediately by a data field until you reach the end of the replacement data. The count field, which is pointed to by the first field in the FIELDS parameter, contains the total number of length-data pairs.