SETROPTS (Set RACF options)

Purpose

Use the SETROPTS command to set system-wide RACF® options related to resource protection dynamically. Specifically, you can use SETROPTS to do the following:
  • Gather and display RACF statistics
  • Protect terminals
  • Log RACF events
  • Permit list-of-groups access checking
  • Display options currently in effect
  • Enable or disable the generic profile checking facility on a class-by-class basis
  • Activate checking for previous passwords and password phrases
  • Limit unsuccessful attempts to access the system using incorrect passwords and password phrases
  • Control change intervals for passwords and password phrases
  • Control mixed-case passwords
  • Warn of expiring passwords and password phrases
  • Establish password syntax rules
  • Activate auditing for access attempts by class
  • Activate auditing for security labels
  • Require that all work entering the system, including users logging on and batch jobs, have a security label assigned
  • Enable or disable the global access checking facility
  • Refresh in-storage profile lists and global access checking tables
  • Set the password the operator must supply in order for RACF to complete an RVARY command that changes RACF status or changes the RACF databases
  • Enable or disable the sharing, in common storage, of discrete and generic profiles for general resource classes
  • Activate or deactivate auditing of access attempts to RACF-protected resources based on installation-defined security levels
  • Control the automatic data set protection (ADSP) attribute for users
  • Activate profile modeling for GDG, group, and user data sets
  • Activate protection for data sets with single-level names
  • Control logging of real data set names
  • Control the job entry subsystem options
  • Activate tape data set protection
  • Control whether RACF is to allow users to create or access data sets that do not have RACF protection
  • Activate and control the scope of erase-on-scratch processing
  • Activate program control, which includes both access control to load modules and program access to data
  • Prevent users from accessing uncataloged permanent data sets
  • Establish a system-wide VTAM® session interval
  • Set an installation-wide default for the RACF security retention period for tape data sets
  • Activate enhanced generic naming for data sets and entries in the global access checking table
  • Set installation defaults for primary and secondary national languages
  • Activate auditing for APPC transactions
  • Use the dynamic class descriptor table.
If you specify the AUDIT operand, RACF logs all uses of the RACROUTE REQUEST=DEFINE SVC and all changes made to profiles by RACF commands.

Following are the classes that can be specified in the AUDIT operand and the commands and SVCs that are logged for each class.

  • USER: ADDUSER, ALTUSER, CONNECT, DELUSER, PASSWORD, REMOVE
  • GROUP: ADDGROUP, ALTGROUP, CONNECT, DELGROUP, REMOVE
  • DATASET: ADDSD, ALTDSD, DELDSD, PERMIT, REQUEST=DEFINE SVC
  • CDT entries (general resource classes): PERMIT, REQUEST=DEFINE SVC, RALTER, RDEFINE, RDELETE

Most RACF functions do not require special versions or releases of the operating system or operating system components. However, some do require that your system be at a certain level.

Using SETROPTS when RACF is enabled for sysplex communication: When RACF is enabled for sysplex communication, RACF propagates the following SETROPTS commands:
  • GENERIC REFRESH
  • GLOBAL
  • GLOBAL REFRESH
  • RACLIST
  • NORACLIST
  • RACLIST REFRESH
  • WHEN(PROGRAM)
  • WHEN(PROGRAM) REFRESH

When issued from a member of the RACF data sharing group, these commands, if successful on the member that issues them, are propagated in a controlled, synchronized manner to the other members in the group. A system in read-only mode can participate if it receives a SETROPTS command propagated from another system, but a user on a system in read-only mode cannot issue any SETROPTS commands except for the SETROPTS LIST command. For propagated SETROPTS REFRESH commands, members of the data sharing group are notified to either create, update, or delete some in-storage information. These commands are coordinated to ensure that all systems begin to use the changed information simultaneously, and to always see a consistent view of this information.

RACF serializes propagated SETROPTS commands to prevent conflicting commands of the same type (for example, SETROPTS RACLIST and SETROPTS NORACLIST) from processing simultaneously.

Refer to the specific parameter descriptions for additional information about using these parameters.
Note:
  1. The options you specify on SETROPTS are common on systems that share the RACF database. All the systems involved must have the required levels of software. If you activate SECLABEL and the multilevel security options on one system, they are activated on all systems.
  2. If RACF is not enabled for sysplex communication, the SETROPTS commands that would be propagated to all members of a data sharing group must instead be issued on each system sharing the database. Although the command is not propagated, RACF does record the fact that a SETROPTS RACLIST was issued. The next time that any system sharing the database is IPLed, the SETROPTS RACLIST is done on that sharing system.
  3. When the SETROPTS command is from ISPF, the TSO command buffer (including password data) is written to the ISPLOG data set. As a result, you should not issue the SETROPTS command from ISPF or you must control the ISPLOG data set carefully.
  4. If the SETROPTS command is issued as a RACF operator command, the command and the password data are written to the system log. Therefore, use of SETROPTS as a RACF operator command should either be controlled or you should issue the command as a TSO command.
RACF date handling: RACF interprets dates with 2-digit years as follows. (The yy value represents the 2-digit year.)
  • If 70 < yy <= 99, the date is interpreted as 19yy.
  • If 00 <= yy <= 70, the date is interpreted as 20yy.

Issuing options

The following table identifies the eligible options for issuing the SETROPTS command:
  • As a RACF TSO command? Yes
  • As a RACF operator command? Yes
  • With command direction? Yes
  • With automatic command direction? Yes (See rule.)
  • From the RACF parameter library? Yes
Rule: The SETROPTS LIST command without other keywords is not eligible for automatic command direction.

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

Most SETROPTS command functions require you to have the SPECIAL or AUDITOR attributes.

If you have the SPECIAL attribute you can use all of the operands except those listed, as follows, that require the AUDITOR attribute:
  • APPLAUDIT | NOAPPLAUDIT
  • AUDIT | NOAUDIT
  • CMDVIOL | NOCMDVIOL
  • LOGOPTIONS
  • OPERAUDIT | NOOPERAUDIT
  • SAUDIT | NOSAUDIT
  • SECLABELAUDIT | NOSECLABELAUDIT
  • SECLEVELAUDIT | NOSECLEVELAUDIT

If you have the SPECIAL, AUDITOR, or ROAUDIT attribute, you can use the LIST operand.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

In some situations, you can use SETROPTS even if you do not have the SPECIAL, AUDITOR, or ROAUDIT attributes. These situations are:
  • You can specify the LIST operand if you have the group-SPECIAL or group-AUDITOR attribute in the current connect group or if GRPLIST is active in any group that you are connected to.
  • You can specify REFRESH together with GENERIC if you have the group-SPECIAL, AUDITOR, group-AUDITOR, OPERATIONS, group-OPERATIONS attribute, or CLAUTH authority for the classes specified.
  • You can specify REFRESH together with GLOBAL if you have the OPERATIONS attribute or CLAUTH authority for the classes specified.
  • You can specify REFRESH together with RACLIST if you have CLAUTH authority to the specified class.
  • You can specify REFRESH together with WHEN(PROGRAM) if you have the OPERATIONS attribute or CLAUTH authority for the program class.
Note: The syntax diagram does not indicate the defaults that are in effect when RACF is using a newly initialized database. You can find these defaults in the description of each operand. As you establish the system-wide defaults your installation needs, you might find it useful to mark the syntax diagram to reflect your choices.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the SETROPTS command is:


Parameters

subsystem-prefix
Specifies that the RACF subsystem is the execution environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS™ command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

ADDCREATOR | NOADDCREATOR
ADDCREATOR
Specifies that if a user defines any new DATASET or general resource profile using ADDSD, RDEFINE or RACROUTE REQUEST=DEFINE, the profile creator's user ID is placed on the profile access list with ALTER authority.
NOADDCREATOR
Specifies that if a user defines any new DATASET or general resource profile using ADDSD, RDEFINE or RACROUTE REQUEST=DEFINE, or creates discrete profiles other than DATASET and TAPEVOL using RACROUTE REQUEST=DEFINE, RACF does not place the profile creator's user ID on the profile's access list. If the profile creator uses profile modeling, RACF copies the access list exactly. If the creator's user ID appears in the model's access list, RACF copies the authority to the new profile. For example, if the creator's user ID appears in the model's access list with READ, RACF copies that access authority to the new profile without changing it to ALTER.

An important exception for NOADDCREATOR occurs when the user creates a discrete DATASET or TAPEVOL profile using RACROUTE REQUEST=DEFINE. In this case, RACF ignores the NOADDCREATOR options and places the profile creator's user ID on the new profile's access list with ALTER authority. If the profile creator uses profile modeling to define a discrete DATASET or TAPEVOL and the creator's user ID appears in the model's access list, RACF creates the authority in the new profile with ALTER authority. This exception to NOADDCREATOR allows system components to allocate data sets and immediately access them without having an administrator manipulate the profile's access list in the interim.

Note: The initial setting of the ADDCREATOR/NOADDCREATOR keyword depends on whether your database is new or old. When IRRMIN00 is run with PARM=NEW, the initial setting is NOADDCREATOR. When IRRMIN00 is run with anything other than PARM=NEW, RACF retains the current value of ADDCREATOR/NOADDCREATOR. For compatibility and migration reasons, this value is set to ADDCREATOR if no prior specification of ADDCREATOR or NOADDCREATOR had occurred.
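The following is an added example, not IBM code or anything from this reference: a small Python model of what the profile creator ends up with on a new profile's access list under ADDCREATOR versus NOADDCREATOR, including the discrete DATASET/TAPEVOL exception for RACROUTE REQUEST=DEFINE described above. The function name, its parameters, and the sample access lists are constructed for the example; the text does not say what happens when ADDCREATOR is combined with a model that already lists the creator at a lower authority, so raising that entry to ALTER is an assumption of this model.

```python
# Added example (not IBM code): models the creator's entry on a new profile's
# access list under SETROPTS ADDCREATOR / NOADDCREATOR.

# Classes for which a discrete profile created by RACROUTE REQUEST=DEFINE
# always gets the creator with ALTER, even under NOADDCREATOR.
DISCRETE_EXCEPTION_CLASSES = {"DATASET", "TAPEVOL"}


def new_profile_access_list(addcreator, creator, class_name, via_racroute_define,
                            discrete, model_access_list=None):
    """Return the access list of the newly created profile as {userid: access}.

    addcreator           True if SETROPTS ADDCREATOR is in effect, False for NOADDCREATOR.
    creator              user ID that defines the profile.
    class_name           class of the new profile, for example "DATASET" or "FACILITY".
    via_racroute_define  True if created by RACROUTE REQUEST=DEFINE, False for ADDSD/RDEFINE.
    discrete             True for a discrete profile, False for a generic one.
    model_access_list    access list of the model profile when profile modeling is used
                         (None when no model is used).
    """
    # Profile modeling copies the model's access list exactly, creator included,
    # so a creator listed with READ in the model stays READ under NOADDCREATOR.
    acl = dict(model_access_list or {})

    exception = (not addcreator and via_racroute_define and discrete
                 and class_name.upper() in DISCRETE_EXCEPTION_CLASSES)
    if addcreator or exception:
        # Creator is placed on the list with ALTER. Assumption of this model: a
        # lower authority copied from the model is raised to ALTER in this case.
        acl[creator] = "ALTER"
    return acl


if __name__ == "__main__":
    # Constructed sample: NOADDCREATOR, discrete DATASET profile created by
    # RACROUTE REQUEST=DEFINE from a model that lists the creator with READ.
    model = {"USR1": "READ", "OPSGRP": "UPDATE"}
    print(new_profile_access_list(False, "USR1", "DATASET", True, True, model))
```

Compare the last call with the same model used through ADDSD instead of RACROUTE REQUEST=DEFINE: the exception does not apply, and USR1 keeps READ exactly as copied from the model.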
ADSP | NOADSP
ADSP
Specifies that data sets created by users who have the automatic data set protection (ADSP) attribute are RACF-protected automatically.

ADSP is in effect when RACF is using a newly initialized database.

Because ADSP forces the creation of a discrete profile for each data set created by users who have the ADSP attribute, you should normally specify NOADSP if you specify GENERIC.

NOADSP
Cancels automatic RACF protection for users who have the ADSP attribute.

Because ADSP forces the creation of a discrete profile for each data set created by users who have the ADSP attribute, you should normally specify NOADSP if you specify GENERIC.

APPLAUDIT | NOAPPLAUDIT
APPLAUDIT
Specifies that auditing of APPC transactions on your system be enabled. APPC transactions are audited when they receive authorization (start) or have authorization removed (end). You must request auditing for the appropriate APPL profile. Otherwise, turning APPLAUDIT on does not cause auditing of APPC transactions. See z/OS Security Server RACF Auditor's Guide for more information on requesting auditing.

You must have the AUDITOR attribute to specify this option.

NOAPPLAUDIT
Specifies that auditing of APPC transactions on your system (starting and ending) be disabled. You must have the AUDITOR attribute to specify this option.
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid ...)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid ...)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

Note: SETROPTS LIST with no other keywords specified is not eligible for automatic command direction. Do not specify the ONLYAT and LIST keywords together without any other keywords on a SETROPTS command.
AUDIT | NOAUDIT
AUDIT(class-name ... | *)
Specifies the names of the classes for which you want RACF to perform auditing. For the classes you specify, RACF logs all uses of the RACROUTE REQUEST=DEFINE SVC and all changes made to profiles by RACF commands. When the class specified is USER, RACF logs all password and password phrase changes made by RACROUTE REQUEST=VERIFY. (RACF adds the classes you specify to those already specified for auditing.)

The valid class names are USER, GROUP, DATASET, and those defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.

If you specify an asterisk (*), logging occurs for all classes.

You must have the AUDITOR attribute to enter the AUDIT operand.

Note: If you activate auditing for a class using SETROPTS AUDIT, RACF activates auditing for all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate auditing for any one of these classes, you activate auditing for all of them.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

NOAUDIT(class-name ... | *)
Specifies the names of the classes for which you no longer want RACF to perform auditing. For the classes you specify, RACF no longer logs all uses of the REQUEST=DEFINE SVC and all changes made to profiles by RACF commands. The valid class names are USER, GROUP, DATASET, and those classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.

If you specify NOAUDIT(*), logging does not occur for any class.

You must have the AUDITOR attribute to enter the NOAUDIT operand.

Note: If you deactivate auditing for a class using SETROPTS NOAUDIT, RACF deactivates auditing for all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate auditing for any one of these classes, you deactivate auditing for all of them.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

CATDSNS | NOCATDSNS
CATDSNS (FAILURES | WARNING)
Specifies that uncataloged data sets, new (and not cataloged), or system temporary data sets are not to be accessed by users.
The following exceptions apply:
  1. The job that creates the data set can access it even if the data set is uncataloged. If the data set is still uncataloged when the job ends, it is inaccessible thereafter.
  2. Data sets with discrete profiles can be accessed - even if uncataloged - if allowed by the profile.
  3. For uncataloged data sets without discrete profiles, RACF constructs a resource name of ICHUNCAT.dsname (only the first 30 characters of the dsname are used). It checks the user's authority to this resource in the FACILITY class. If the resource is protected by a FACILITY class profile, and the user has access to it, the access is allowed.
  4. If the user has the SPECIAL attribute, the access is allowed even if the data set is uncataloged, but a warning message and SMF record are created.
  5. If you use DFSMSrmm to manage your tape data sets and the TAPEAUTHF1 option is active (in the DEVSUPxx member of SYS1.PARMLIB), an uncataloged tape data set might be read by a user who has access to the first file on the tape volume when the first file is cataloged. See z/OS DFSMSrmm Implementation and Customization Guide. (If you use a different tape management system, refer to your product documentation.)
  6. Write requests to tape data sets are not denied because of SETROPTS CATDSNS.
CATDSNS might have a negative impact on RACF and system performance because RACF must verify that data sets are cataloged before it allows them to be opened.
Note: For additional information about accessing uncataloged data sets, refer to SETROPTS command in z/OS Security Server RACF Security Administrator's Guide.
FAILURES
Specifies that RACF is to reject any request to access a data set that is not cataloged.

FAILURES is the default.

If CATDSNS(FAILURES) is in effect and a privileged started task or a user with the SPECIAL attribute requests access of an uncataloged data set, RACF accepts the request and issues a warning message.

WARNING
Specifies that the access is allowed even if the data set is uncataloged. However, a warning message and SMF record are created.
NOCATDSNS
Specifies that data sets that are not cataloged can be accessed by users.

NOCATDSNS is in effect when RACF is using a newly initialized database.
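The following is an added example, not IBM code or part of this reference: a Python model of the catalog check that CATDSNS places in front of data set access, walking the exceptions listed above. The function and field names are constructed, the order in which the exceptions are tested is this model's reading of the list, and the model covers only the "may this uncataloged data set be reached" decision; the normal DATASET profile authorization check still applies to anything this model allows.

```python
# Added example (not IBM code): models the SETROPTS CATDSNS decision for
# access to a data set that is not cataloged.
from dataclasses import dataclass
from typing import Optional


def uncataloged_facility_resource(dsname):
    """FACILITY-class resource RACF checks for an uncataloged data set that has
    no discrete profile: ICHUNCAT. plus the first 30 characters of the name."""
    return "ICHUNCAT." + dsname.upper()[:30]


@dataclass
class AccessRequest:
    dsname: str
    cataloged: bool
    tape: bool = False
    write: bool = False
    created_by_this_job: bool = False            # creating job may use it until job end
    discrete_profile_allows: Optional[bool] = None  # None = no discrete profile
    user_special: bool = False
    facility_allows: bool = False                # access to ICHUNCAT.<dsname> in FACILITY


ALLOW, ALLOW_WITH_WARNING, DENY = "ALLOW", "ALLOW-WARN", "DENY"


def catdsns_decision(option, req):
    """option is "NOCATDSNS", "FAILURES" or "WARNING" (the CATDSNS suboperand)."""
    option = option.upper()
    if option == "NOCATDSNS" or req.cataloged:
        return ALLOW
    if req.tape and req.write:
        return ALLOW               # exception 6: tape writes are not denied by CATDSNS
    if req.created_by_this_job:
        return ALLOW               # exception 1: the creating job can still use it
    if req.discrete_profile_allows is not None:
        if req.discrete_profile_allows:
            return ALLOW           # exception 2: discrete profile permits access
    elif req.facility_allows:
        return ALLOW               # exception 3: ICHUNCAT.dsname, only without a discrete profile
    if req.user_special:
        return ALLOW_WITH_WARNING  # exception 4: SPECIAL gets in, with message and SMF record
    if option == "WARNING":
        return ALLOW_WITH_WARNING  # CATDSNS(WARNING): allowed, logged
    return DENY                    # CATDSNS(FAILURES)


if __name__ == "__main__":
    # Constructed sample request: an ordinary user reading an uncataloged data set.
    req = AccessRequest("USER1.WORK.DATA", cataloged=False)
    print(uncataloged_facility_resource(req.dsname), catdsns_decision("FAILURES", req))
```

A practical use of the first function is checking which FACILITY profile a given uncataloged name would resolve to before deciding whether an ICHUNCAT.* profile is needed; names longer than 30 characters collide on their prefix, so one profile may cover more data sets than its name suggests.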

CLASSACT | NOCLASSACT
CLASSACT(class-name ... | *)
Specifies those classes defined by entries in the class descriptor table for which RACF protection is to be in effect.
If you specify an asterisk (*), you activate RACF protection for all classes defined in the class descriptor table except for those classes with a default return code of 8. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Note:
  1. If you activate a class using SETROPTS CLASSACT, RACF activates all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate any one of these classes, you activate all of them.

    For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

  2. Before activating a class that has a default return code of 8 in the class descriptor table (either explicitly or by means of a shared POSIT value), be sure you have defined the necessary profiles to allow your users to access resources in that class. For example, if you activate JESINPUT without defining profiles to allow access, no one is able to submit batch jobs.
  3. You need not activate the DIGTCERT, DIGTCRIT, and DIGTRING classes to use resources in those classes. However, performance is improved when you RACLIST the DIGTCERT and DIGTCRIT classes if you use resources in these classes. To RACLIST a class, you must activate it.
NOCLASSACT(class-name ... | *)
Specifies those classes defined by entries in the class descriptor table for which RACF protection is not to be in effect. If you specify an asterisk (*), you deactivate RACF protection for all classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.

NOCLASSACT is in effect when RACF is using a newly initialized database.

Rules:
  • If you deactivate a class using SETROPTS NOCLASSACT, RACF deactivates all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate any one of these classes, you deactivate all of them.

    For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

  • If MLACTIVE, MLS, MLIPCOBJ, MLFSOBJ or SECLBYSYSTEM is active, you may not deactivate the SECLABEL class. Issuing SETROPTS NOCLASSACT(SECLABEL) will fail.
CMDVIOL | NOCMDVIOL
Specifies whether RACF is to log violations detected by RACF commands. You must have the AUDITOR attribute to specify these options.
CMDVIOL
Specifies that RACF is to log violations detected by RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) during RACF command processing. A violation might occur because a user is not authorized to modify a particular profile or is not authorized to enter a particular operand on a command.

CMDVIOL is in effect when RACF is using a newly initialized database.

NOCMDVIOL
Specifies that RACF is not to log violations detected by RACF commands during RACF command processing (except RVARY and SETROPTS, which are always logged).
COMPATMODE | NOCOMPATMODE
COMPATMODE
Allows users and jobs not using security labels to be on a system enforcing security labels. The ACEEs of the user IDs or jobs must have been created by a RACROUTE REQUEST=VERIFY that did not specify the RELEASE=1.9 keyword (or later).
NOCOMPATMODE
Users and jobs must be running with correct security labels to access data.

NOCOMPATMODE is in effect when RACF is using a newly initialized database.

EGN | NOEGN
Specifies whether or not to activate or deactivate enhanced generic naming (EGN).
EGN
Activates EGN. When you activate this option, RACF allows you to specify the generic character ** (in addition to the generic characters * and %) when you define data set profile names and entries in the global access checking table.
Note:
  1. EGN changes the meaning of the generic character *.
  2. When you first activate enhanced generic naming, the RACF-protection provided by existing data set profiles and global access checking table remains the same.
For information on EGN and its effect on profile names, see the description of generic profiles in Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference.
NOEGN
Specifies deactivation of EGN. When you deactivate this option, RACF does not allow you to specify the generic character ** when you define data set names and entries in the global access checking table.

NOEGN is in effect when RACF is using a newly initialized database.

Important:

If you protect data sets with generic profiles while EGN is active and then deactivate this option, your resources can no longer be protected. Table 1 and Table 2 show examples of generic profiles created with enhanced generic naming active.

Some of these profiles do not provide RACF protection when the option is deactivated. If a data set is unprotected when EGN is deactivated, you can protect the data set with a discrete profile - as described in Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference - either before or after the option is deactivated, or with a generic profile after the option is deactivated.

ERASE | NOERASE
ERASE(erase-indicator)
Specifies that data management is to physically erase the contents of deleted data sets and scratched or released DASD extents. Erasing the data set means overwriting its contents with binary zeroes so that it cannot be read.

Restriction: The ERASE option applies to DASD data sets only, not tape data sets, unless you set the TAPEAUTHDSN option in the DEVSUPxx member of SYS1.PARMLIB. See "Erasing Scratched or Released Data (ERASE Option)" in z/OS Security Server RACF Security Administrator's Guide for more information. For details about customizing SYS1.PARMLIB, see z/OS MVS Initialization and Tuning Reference. For details about controlling authorization for tape volume overwriting, see z/OS DFSMSrmm Implementation and Customization Guide. (If you use a different tape management system, refer to your product documentation.)

If you specify ERASE without any suboperand, whether a scratched data set is erased depends on the status of the erase indicator in the data set profile. The SETROPTS ERASE suboperand allows you to override the erase indicator in the data set profile, to control the scope of erase-on-scratch on an installation level rather than leaving it to individual users.

The SETROPTS ERASE erase-indicator can be:
ALL
Specifies that data management is to erase all scratched data sets, including temporary data sets, regardless of the erase indicator, if any, in the data set profile.
SECLEVEL(seclevel-name)
Specifies that data management is to erase all scratched data sets that have a security level equal to or greater than the security level that you specify, where seclevel-name must be a member of the SECLEVEL profile in the SECDATA class.
Note: A scratched data set with a security level lower than the level you specify is not erased unless the erase indicator (if any) in the data set profile is on.
NOSECLEVEL
Specifies that RACF is not to consider the security level in the data set profile when it decides whether data management is to erase a scratched data set.
Note: A scratched data set, regardless of security level, is not erased unless the erase indicator (if any) in the data set profile is on.

NOSECLEVEL is the default if you do not specify erase-indicator when you specify ERASE.

NOERASE
Specifies that erase-on-scratch processing is not in effect. NOERASE means that no data sets are erased when deleted (scratched), even if the erase indicator in the data set profile is on.

NOERASE is in effect when RACF is using a newly initialized database.
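The following is an added example, not IBM code or part of this reference: a Python model of whether a scratched DASD data set is erased under each ERASE setting described above. The SECLEVEL names and their numeric values are a constructed sample standing in for an installation's SECLEVEL profile in the SECDATA class, and the function and parameter names are this example's own.

```python
# Added example (not IBM code): models the erase-on-scratch decision for a
# DASD data set under SETROPTS NOERASE / ERASE / ERASE(ALL) /
# ERASE(NOSECLEVEL) / ERASE(SECLEVEL(name)).

# Constructed sample of SECLEVEL names and numeric levels (in a real system
# these come from the SECLEVEL profile in the SECDATA class; higher number
# means more sensitive).
SECLEVEL_TABLE = {"PUBLIC": 10, "INTERNAL": 50, "CONFIDENTIAL": 100, "SECRET": 200}


def erase_on_scratch(option, profile_erase_indicator, dataset_seclevel=None,
                     threshold_seclevel=None, seclevel_table=SECLEVEL_TABLE):
    """Return True if data management erases the scratched data set.

    option                   "NOERASE", "ERASE" (no suboperand), "ALL", "NOSECLEVEL"
                             or "SECLEVEL".
    profile_erase_indicator  erase indicator in the data set profile; None when there
                             is no profile (for example a temporary data set).
    dataset_seclevel         SECLEVEL name in the data set profile, or None.
    threshold_seclevel       seclevel-name given on ERASE(SECLEVEL(...)).
    """
    option = option.upper()
    indicator_on = bool(profile_erase_indicator)
    if option == "NOERASE":
        return False            # nothing is erased, even with the indicator on
    if option == "ALL":
        return True             # every scratched data set, temporary ones included
    if option in ("ERASE", "NOSECLEVEL"):
        return indicator_on     # left entirely to the profile's own indicator
    if option == "SECLEVEL":
        if threshold_seclevel is None:
            raise ValueError("ERASE(SECLEVEL) requires a seclevel-name")
        threshold = seclevel_table[threshold_seclevel.upper()]
        if dataset_seclevel is not None and seclevel_table[dataset_seclevel.upper()] >= threshold:
            return True         # at or above the threshold: erased regardless of indicator
        return indicator_on     # below it (or no level): only if the indicator is on
    raise ValueError("unrecognized ERASE option: " + option)


if __name__ == "__main__":
    # Constructed case: ERASE(SECLEVEL(CONFIDENTIAL)), data set at INTERNAL,
    # profile indicator off -> not erased.
    print(erase_on_scratch("SECLEVEL", False, "INTERNAL", "CONFIDENTIAL"))
```

The model follows the restriction above: it applies to DASD data sets only, and a tape data set is outside its scope unless TAPEAUTHDSN is set in DEVSUPxx.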

GENCMD | NOGENCMD
GENCMD(class-name ... | *)
Activates generic profile command processing for the specified classes. Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.
The following supplied classes in the static class descriptor table (CDT) are defined with the GENERIC(DISALLOWED) attribute:

To identify installation-defined classes in the dynamic CDT with the GENERIC(DISALLOWED) attribute, issue the RLIST CDT * CDTINFO command to list the attributes of all classes in the dynamic CDT.

If you specify an asterisk (*), you activate generic profile command processing for the DATASET class plus all general resource classes except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.

When GENCMD is in effect for a class, all the command processors can work on generic profiles, but the RACF SVC routines cannot perform generic profile checking. This operand allows the installation to temporarily disable generic profile checking (during maintenance, for example) and still use the RACF commands to maintain generic profiles.

Generic profile command processing is automatically activated for all classes for which generic profile checking is activated. Therefore, when you issue SETROPTS GENERIC for a class, you need not issue SETROPTS GENCMD for the same class.

Note: If you activate generic profile command processing for a class using SETROPTS GENCMD, RACF activates generic profile command processing for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate generic profile command processing for TIMS, you also activate it for AIMS. However, you cannot activate this option for GIMS because GIMS is a grouping class.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

NOGENCMD(class-name ... | *)
Deactivates generic profile command processing for the specified classes. Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.

If you specify an asterisk (*), you deactivate generic profile command processing for the DATASET class plus all general resource classes except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.

NOGENCMD(*) is in effect when RACF is using a newly initialized database.

If generic profile checking is active (GENERIC is in effect), RACF ignores this operand because GENERIC both includes and overrides generic profile command processing.

Note: If you deactivate generic profile command processing for a class using SETROPTS NOGENCMD, RACF deactivates generic profile command processing for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate generic profile command processing for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected because it is a grouping class.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
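The following is an added example, not IBM code or part of this reference: a Python model of the shared-POSIT behaviour that the notes for AUDIT, CLASSACT, GENCMD, and GENERIC all describe, including the way GENERIC and GENCMD skip grouping classes and GENERIC(DISALLOWED) classes, and the way CLASSACT(*) skips classes with a default return code of 8. The class descriptor table used is a constructed sample: only the POSIT value of 4 shared by TIMS, GIMS, and AIMS and the default return code of 8 for JESINPUT are taken from the text; every other POSIT value, the FACILITY entry, and the NOGENCLS class are made up for the example, as are the function names.

```python
# Added example (not IBM code): models which classes a SETROPTS CLASSACT,
# AUDIT, GENCMD or GENERIC operand actually affects once shared POSIT values
# are taken into account. The NO... forms deactivate the same sets.
from dataclasses import dataclass


@dataclass(frozen=True)
class CdtEntry:
    name: str
    posit: int
    grouping: bool = False         # resource grouping class (for example GIMS)
    generic_allowed: bool = True   # False models GENERIC(DISALLOWED)
    default_rc: int = 4            # default return code when no profile matches


# Constructed sample CDT. POSIT 4 for TIMS/GIMS/AIMS and default RC 8 for
# JESINPUT come from the text; the remaining values are invented.
SAMPLE_CDT = [
    CdtEntry("TIMS", 4),
    CdtEntry("GIMS", 4, grouping=True),
    CdtEntry("AIMS", 4),
    CdtEntry("FACILITY", 11),
    CdtEntry("JESINPUT", 12, default_rc=8),
    CdtEntry("NOGENCLS", 13, generic_allowed=False),   # invented GENERIC(DISALLOWED) class
]

# Classes that are valid on AUDIT (and DATASET on GENERIC/GENCMD) but are not CDT entries.
NON_CDT_CLASSES = {"USER", "GROUP", "DATASET"}


def affected_classes(cdt, operand, names):
    """Return the set of class names that SETROPTS <operand>(<names>) affects.

    operand: "CLASSACT", "AUDIT", "GENCMD" or "GENERIC". names: list of class
    names, or ["*"]. Raises ValueError for a class the operand does not accept.
    """
    operand = operand.upper()
    generic_style = operand in ("GENERIC", "GENCMD")
    by_name = {e.name: e for e in cdt}
    picked, extra = [], set()

    if list(names) == ["*"]:
        if operand == "CLASSACT":
            picked = [e for e in cdt if e.default_rc != 8]   # RC-8 classes are left alone
        elif operand == "AUDIT":
            picked, extra = list(cdt), set(NON_CDT_CLASSES)
        else:
            picked, extra = list(cdt), {"DATASET"}          # DATASET plus general resource classes
    else:
        for n in names:
            n = n.upper()
            if n in by_name:
                entry = by_name[n]
                if generic_style and (entry.grouping or not entry.generic_allowed):
                    raise ValueError(f"{n} is not a valid class for {operand}")
                picked.append(entry)
            elif n in NON_CDT_CLASSES and (operand == "AUDIT" or (generic_style and n == "DATASET")):
                extra.add(n)
            else:
                raise ValueError(f"{n} is not a valid class for {operand}")

    # Shared-POSIT expansion: every CDT class with the same POSIT as a picked
    # class comes along, which is how activating TIMS also activates GIMS and AIMS.
    posits = {e.posit for e in picked}
    result = set(extra)
    for e in cdt:
        if e.posit not in posits:
            continue
        if generic_style and (e.grouping or not e.generic_allowed):
            continue              # GENERIC/GENCMD never touch these, even via POSIT
        result.add(e.name)
    return result


def is_valid_class(cdt, operand, name):
    """True if SETROPTS <operand>(<name>) is accepted for this CDT."""
    try:
        affected_classes(cdt, operand, [name])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(sorted(affected_classes(SAMPLE_CDT, "CLASSACT", ["TIMS"])))   # TIMS pulls in AIMS and GIMS
    print(sorted(affected_classes(SAMPLE_CDT, "GENERIC", ["TIMS"])))    # GIMS skipped: grouping class
```

Running the model against a copy of your own installation's CDT attributes (RLIST CDT * CDTINFO lists them for the dynamic CDT) shows, before you issue the command, every class a single CLASSACT or GENERIC operand would switch on or off.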

GENERIC | NOGENERIC
GENERIC(class-name ... | *)
Activates generic profile checking for the classes specified.
Note: Avoid activating generic profile checking for the DIGTCERT or DIGTRING class.

Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.

The following supplied classes in the static class descriptor table (CDT) are defined with the GENERIC(DISALLOWED) attribute:

To identify installation-defined classes in the dynamic CDT with the GENERIC(DISALLOWED) attribute, issue the RLIST CDT * CDTINFO command to list the attributes of all classes in the dynamic CDT.

Guidelines:
  • When possible, use generic profiles to protect multiple resources and reduce administrative effort. Consider issuing SETROPTS GENERIC(classname) for the classes you use, so that generic profiles are usable in those classes.
  • If you already have general resource profiles defined in your database, avoid issuing the SETROPTS GENERIC(*) command. This command activates generic profile checking for all classes except resource grouping classes and classes defined with the GENERIC(DISALLOWED) attribute. Some classes, such as DIGTCERT and DIGTRING, do not support generic profile checking. These and other classes might already have profile names that contain generic characters (*, &, and %).
  • If a general resource class already has discrete profiles with names that contain generic characters (*, &, and %), enabling generic profile checking for the class prevents RACF from using those discrete profiles for authorization checking.

    If you enable SETROPTS GENERIC for a class that has a discrete profile name containing generic characters, the profile will be marked UNUSABLE in RLIST and SEARCH output listings.

    Tip: Use the RDELETE command with the NOGENERIC option to delete this profile.

  • In general, once you activate generic profile checking for a class and define generic profiles, avoid deactivating it with the NOGENERIC operand. RACF will not use your previously defined generic profiles for authorization checking while NOGENERIC is in effect.

Generic profile command processing is automatically activated for all classes for which generic profile checking is activated. Therefore, when you issue SETROPTS GENERIC for a class, you need not issue SETROPTS GENCMD for the same class.

If you specify GENERIC with REFRESH, only those currently active and authorized classes are refreshed.
Note:
  1. If RACF is enabled for sysplex communication, RACF propagates SETROPTS GENERIC(class-name) REFRESH commands to other members of the data sharing group.
  2. If RACF is not enabled for sysplex communication, a SETROPTS GENERIC(class-name) REFRESH command is effective only on the system where it is issued.
  3. If you specify GENERIC, you should also specify NOADSP.
  4. If you activate generic profile checking for a class using SETROPTS GENERIC, RACF activates generic profile checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate generic profile checking for TIMS, you also activate it for AIMS. However, you cannot activate this option for GIMS because GIMS is a grouping class.

    For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

NOGENERIC(class-name ... | *)
Deactivates the generic profile checking facility for the classes specified.

Guideline: In general, once you activate generic profile checking for a class and define generic profiles, avoid deactivating it with the NOGENERIC operand. RACF will not use your defined generic profiles for authorization checking while NOGENERIC is in effect.

Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.

If you specify an asterisk (*), you deactivate generic profile checking for the DATASET class plus all general resource classes except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.

NOGENERIC(*) is in effect when RACF is using a newly initialized database.

NOGENERIC does not automatically deactivate generic profile command processing. Therefore, when you issue SETROPTS NOGENERIC for a class, issue SETROPTS NOGENCMD if you want to deactivate generic profile command processing for the same class.

If you specify GENCMD with NOGENERIC, users can issue RACF commands to maintain generic profiles, but RACF does not use generic profile checking during authorization checking.

If you specify NOGENCMD with NOGENERIC, all generic profile command processing is deactivated.

Note: If you deactivate generic profile checking for a class using SETROPTS NOGENERIC, RACF deactivates generic profile checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate generic profile checking for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected because it is a grouping class.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

GENERICOWNER | NOGENERICOWNER
GENERICOWNER
Restricts creation of profiles in all general resource classes except the PROGRAM class.
To create a profile that is more specific than an existing profile protecting the same resource, a user must satisfy one of the following:
  • Have the SPECIAL attribute
  • Be the owner of the existing profile
  • Have the group-SPECIAL attribute if a group owns the profile
  • Have the group-SPECIAL attribute if the owner of the profile is in the scope of the group.
Note:
  1. GENERICOWNER provides protection only when there is an existing (less-specific) profile protecting the resource.
  2. A less-specific profile must end in *, ** or trailing % characters. A more specific profile is a profile that matches the less-specific profile name, character for character, up to the ending *, or **, or trailing % characters in the less-specific name. If the less-specific profile ends in %, the characters in the more specific profile that correspond to the contiguous trailing % characters must not be either * or . characters. For more information, see Permitting profiles for GENERICOWNER classes.

    For example: To allow USERX to RDEFINE A.B in the JESSPOOL class, you need profile A.* in the JESSPOOL class, which is owned by USERX. You also need profile **, owned by the system administrator, to prevent other CLAUTH users from being able to RDEFINE A.B.

  3. GENERICOWNER does not prevent the creation of a more specific profile if the more specific profile is created in the grouping class and is specified on the ADDMEM operand. For example, profile A* exists in the TERMINAL class and is owned by a group for which user ELAINE does not have group-SPECIAL. If the GENERICOWNER option is in effect, user ELAINE cannot define a more specific profile in the member class (such as RDEF TERMINAL AA*), but user ELAINE can define the profile if it is specified on the ADDMEM operand of a grouping class profile, such as RDEF GTERMINL profile-name ADDMEM(AA*).
NOGENERICOWNER
Cancels the restriction on the creation of profiles for general resources.

NOGENERICOWNER is in effect when RACF is using a newly initialized database.
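The following is an added example, not RACF code: a Python model of the GENERICOWNER rules described above. It implements the less-specific/more-specific profile relation from note 2 (trailing *, ** or % handling), the "nothing to protect" case from note 1, the grouping-class ADDMEM bypass from note 3, and the four ownership conditions. The profiles, user IDs and groups are constructed for the example; the choice that the covering profile with the longest literal stem is the one that governs is a modelling assumption, not something the page states.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example modelling the documented GENERICOWNER rules; not RACF code.

@dataclass(frozen=True)
class Profile:
    name: str                 # profile name in a general resource class
    owner: str                # user ID or group name that owns the profile
    owner_is_group: bool = False

@dataclass(frozen=True)
class User:
    userid: str
    special: bool = False
    group_special: frozenset = frozenset()   # groups for which the user holds group-SPECIAL

def is_less_specific(less: str, more: str) -> bool:
    """Note 2: `less` must end in *, ** or trailing %; `more` matches it character
    for character up to that ending; characters of `more` that correspond to the
    trailing % characters must not be * or '.' (each % covers one character)."""
    if less == more:
        return False
    if less.endswith("**"):
        return more.startswith(less[:-2])
    if less.endswith("*"):
        return more.startswith(less[:-1])
    if less.endswith("%"):
        stem = less.rstrip("%")
        if len(more) != len(less) or not more.startswith(stem):
            return False
        return not any(c in "*." for c in more[len(stem):])
    return False                                # no generic ending: cannot be less specific

def governing_profile(new_name: str, existing: list[Profile]) -> Profile | None:
    """The existing less-specific profile that protects `new_name`.  Assumption: when
    several cover it, the one with the longest literal stem (the best match) governs."""
    covering = [p for p in existing if is_less_specific(p.name, new_name)]
    if not covering:
        return None
    return max(covering, key=lambda p: len(p.name.rstrip("*%")))

def may_define(user: User, new_name: str, existing: list[Profile],
               scope_of: dict[str, frozenset] | None = None,
               via_grouping_addmem: bool = False) -> bool:
    """GENERICOWNER decision for RDEFINE of `new_name`.
    scope_of maps a user ID to the groups whose group-SPECIAL scope includes that user
    (constructed for the example; RACF derives this from the group tree)."""
    if via_grouping_addmem:                     # note 3: ADDMEM on a grouping-class profile
        return True
    gov = governing_profile(new_name, existing)
    if gov is None:                             # note 1: nothing less specific exists
        return True
    if user.special:
        return True
    if gov.owner_is_group:                      # group owns the profile: need group-SPECIAL
        return gov.owner in user.group_special
    if gov.owner == user.userid:                # user owns the profile
        return True
    owner_scope = (scope_of or {}).get(gov.owner, frozenset())
    return bool(owner_scope & user.group_special)   # owner is within the user's group-SPECIAL scope

# Constructed scenario from the text: A.* owned by USERX and ** owned by the administrator.
JESSPOOL = [Profile("**", "SYSADM"), Profile("A.*", "USERX")]
USERX = User("USERX")
BOB = User("BOB")          # has CLAUTH(JESSPOOL) but owns nothing
```

With these definitions, USERX can define A.B because A.* governs it and USERX owns A.*; BOB cannot, and neither of them can define B.C, which is governed by ** owned by SYSADM.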

GENLIST | NOGENLIST
GENLIST(class-name ...)
Also see RACLIST operand.

Activates the sharing of in-storage generic profiles for the classes specified. When GENLIST is active for a class, the generic profiles for that class are loaded into common storage (ECSA) instead of being resident in the private storage (ELSQA) of each user who references the class. Before activating GENLIST for a class, you should check with your system programmer to determine if your system is configured with enough ECSA to contain the profiles.

The z/OS Security Server RACF System Programmer's Guide contains information about the amount of virtual storage required for generic profiles, and other considerations about when to use RACLIST or GENLIST. Generally, when you do not share the RACF database with RACF on a VM system, RACLIST provides the best performance with the lowest usage of common storage.

The following classes supplied by IBM can be used with GENLIST:

When you activate GENLIST processing for a class, a generic profile in that class is copied from the RACF database into common storage the first time an authorized user requests access to a resource protected by the profile. The profile is retained in common storage and is available for all authorized users, thus saving real storage because the need to retain multiple copies of the same profile (one copy for each requesting user) in each user's private storage is eliminated. Also, because RACF does not have to retrieve the profile each time a user requests access to a resource protected by it, this function saves processing overhead.

If you want to refresh shared in-storage generic profiles for a specific resource class, issue the SETROPTS command with the GENERIC(class-name) and REFRESH operands.

Note: RACF does not allow you to specify SETROPTS GENLIST and SETROPTS RACLIST for the same general resource class.

For information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

NOGENLIST(class-name ...)
Also see NORACLIST operand.

Deactivates the sharing of in-storage generic profiles for the classes specified. You can deactivate this function only for general resource classes defined in the class descriptor table that are eligible for GENLIST processing; these classes are listed under the description for GENLIST.

When you specify NOGENLIST, RACF deletes in-storage generic profiles for the specified classes from common storage.

NOGENLIST is in effect for all classes defined in the class descriptor table when RACF is using a newly initialized database.

For information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

GLOBAL | NOGLOBAL
GLOBAL(class-name ... | *)
Specifies those classes eligible for global access checking. If you specify an asterisk (*), you activate global access checking for all valid classes.
Valid classes you may specify are:
  • The DATASET class
  • The NODES grouping class
  • The SECLABEL grouping class
  • All other classes defined in the class descriptor table, except for the remaining grouping classes.
For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
If you specify GLOBAL with REFRESH, only those currently active and authorized classes are refreshed. If you have deleted the GLOBAL profile for a class, you should issue the SETROPTS command with the NOGLOBAL operand specified, rather than GLOBAL with REFRESH specified.
Note:
  1. If you activate global access checking for a class using SETROPTS GLOBAL, RACF activates global access checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except the excluded grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate global access checking for TIMS, you also activate it for AIMS. However, you cannot activate this option for GIMS because GIMS is a grouping class.

    For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

  2. If RACF is enabled for sysplex communication, it propagates the SETROPTS GLOBAL and SETROPTS GLOBAL REFRESH commands to other systems in the sysplex if the command is successful on the system on which it was entered. If RACF is not enabled for sysplex communication, the command has to be issued on each system sharing the database.
  3. Global access checking is bypassed if the user ID has the RESTRICTED attribute.
NOGLOBAL(class-name ... | *)
Deactivates global access checking for the specified classes. For more information on valid classes that are processed by the NOGLOBAL operand, see the GLOBAL operand description.

NOGLOBAL(*) is in effect when RACF is using a newly initialized database.

Note: If you deactivate global access checking for a class using SETROPTS NOGLOBAL, RACF deactivates global access checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except for the excluded grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate global access checking for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected because it is a grouping class.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

GRPLIST | NOGRPLIST
GRPLIST
Specifies that authorization checking processing is to perform list-of-groups access checking for all system users. When you specify GRPLIST, a user's authority to access or define a resource is not based only on the authority of the user's current connect group; access is based on the authority of any group to which the user is connected.
NOGRPLIST
Specifies that the user's authority to access a resource is based on the authority of the user's current connect group.

NOGRPLIST is in effect when RACF is using a newly initialized database.

INACTIVE | NOINACTIVE
INACTIVE(unused-userid-interval)
Specifies the number of days (1 - 255) that a user ID can remain unused and still be considered valid. RACF user verification compares the number of days since the user last accessed the system successfully with the INACTIVE value and, if the former is larger, revokes the user's right to use the system. For new users, INACTIVE is measured from the creation date. If you specify INACTIVE, INITSTATS must be in effect.

If the backup database is needed but does not contain current information, some user IDs can be revoked because they appear to have been unused beyond the number of days specified on the INACTIVE operand. For more information, see z/OS Security Server RACF System Programmer's Guide.

NOINACTIVE
Specifies that RACF user verification is not to check user IDs against an unused-userid-interval.

NOINACTIVE is in effect when RACF is using a newly initialized database.

INITSTATS | NOINITSTATS
INITSTATS
Specifies that statistics available during RACF user verification are to be recorded. These statistics include the date and time the user was verified by RACF, the number of user verifications that specified a particular group, and the date and time the user last requested verification with a particular group. If you specify INACTIVE, REVOKE, or WARNING, INITSTATS must be in effect.

For applications that specify the APPL operand on the RACROUTE REQUEST=VERIFY macro, you can define a profile in the APPL class to specify that the application needs only daily statistics recorded for its users. To do this, specify the RACF-INITSTATS(DAILY) string in the APPLDATA field. For more information about statistics collection, see z/OS Security Server RACF Security Administrator's Guide.

INITSTATS is in effect when RACF is using a newly initialized database.

NOINITSTATS
Specifies that statistics available during user verification are not to be recorded.
JES
Controls job entry subsystem (JES) options. The JES options are:
BATCHALLRACF | NOBATCHALLRACF
BATCHALLRACF
Specifies that JES is to test for the presence of a user ID and password on the JOB statement, or of propagated RACF identification information, for all batch jobs. If the test fails, JES is to fail the job.
NOBATCHALLRACF
Specifies that JES is not to test for the presence of a user ID and password on the JOB statement, or of propagated RACF identification information, for all batch jobs.

NOBATCHALLRACF is in effect when RACF is using a newly initialized database.

EARLYVERIFY | NOEARLYVERIFY
This setting is ignored.
XBMALLRACF | NOXBMALLRACF
XBMALLRACF
Specifies that JES is to test for the presence of either a user ID and password on the JOB statement, or JES-propagated RACF identification information for all jobs to be run with an execution batch monitor. If the test fails, JES is to fail the job.

XBMALLRACF is only used on JES2.

NOXBMALLRACF
Specifies that JES is not to test for the presence of either a user ID and password on the JOB statement, or JES-propagated RACF identification information for all jobs to be run with an execution batch monitor.

NOXBMALLRACF is in effect when RACF is using a newly initialized database.

NJEUSERID(userid)
Defines the name (user ID) associated with SYSOUT or jobs that arrive through the network without an RTOKEN or UTOKEN.

The initial user ID (default user ID) after RACF data set initialization is ???????? (eight question marks).

Note: The variable userid cannot be a user ID defined in the RACF database. For more information, see the section on providing security for JES in z/OS Security Server RACF Security Administrator's Guide.
UNDEFINEDUSER(userid)
Defines the name (user ID) that is associated with local jobs that enter the system without a user ID.

The initial user ID (default user ID) after RACF data set initialization is ++++++++ (eight plus signs).

Note: The variable userid cannot be a user ID defined in the RACF database. For more information, see the section on providing security for JES in z/OS Security Server RACF Security Administrator's Guide.
KERBLVL
Specifies what level of key encryption processing should occur when a KERB segment is being processed for user and realm profiles. Beginning with z/OS Version 1 Release 9, the KERBLVL setting is ignored.

See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses keys and how to customize environment variables related to keys.

LANGUAGE
Specifies the system-wide defaults for national languages (such as American English or Japanese) to be used on your system. You can specify a primary language, a secondary language, or both. The languages you specify depend on which products, when installed on your system, check for primary and secondary languages (using RACROUTE REQUEST=EXTRACT).
  • For users who establish extended MCS console sessions, the languages you specify should be the same as the languages specified on the LANGUAGE LANGCODE statements in the MMSLSTxx PARMLIB member. See your MVS system programmer for this information.
  • For CICS® users, see your CICS administrator for the languages supported by CICS on your system.
The SETROPTS LANGUAGE operand does not affect the language in which the RACF ISPF panels are displayed. The order in which the RACF ISPF panel libraries are allocated determines the language used. If your installation ordered a translated feature of RACF, the RACF program directory gives instructions for setting up the ISPF panels.
PRIMARY(language)
Specifies the installation's default primary language.

The variable language can be a quoted or unquoted string.

If the PRIMARY suboperand is not specified, the primary language is not changed.

SECONDARY(language)
Specifies the installation's default secondary language.

The language name can be a quoted or unquoted string.

If the SECONDARY suboperand is not specified, the secondary language is not changed.

Note:
  1. For both the PRIMARY and SECONDARY suboperands, specify the installation-defined name of a currently active language (a maximum of 24 characters) or one of the language codes (3 characters in length) that is installed on your system. For a list of valid codes, see National Language Design Guide, Volume 2, National Language Support Reference Manual, SE09-8002.
  2. If the MVS message service is not active, the PRIMARY and SECONDARY values must be a 3-character language code.
  3. The same language can be specified for both PRIMARY and SECONDARY.
  4. RACF is shipped with both the primary and secondary language defaults set to ENU, meaning United States English.
LIST
Specifies that the current RACF options are to be displayed. If you specify operands in addition to LIST on the SETROPTS command, RACF processes the other operands before it displays the current set of options.

If RACF is enabled for sysplex communication and the system is in read-only mode, users on that system can issue the SETROPTS LIST command. All other operands are ignored.

You must have the SPECIAL, AUDITOR, ROAUDIT, group-SPECIAL, or group-AUDITOR attribute to enter the LIST operand.

If you have the SPECIAL or group-SPECIAL attribute, RACF displays all operands except these auditing operands:
  • APPLAUDIT | NOAPPLAUDIT
  • AUDIT | NOAUDIT
  • CMDVIOL | NOCMDVIOL
  • LOGOPTIONS
  • OPERAUDIT | NOOPERAUDIT
  • ROAUDIT | NOROAUDIT
  • SAUDIT | NOSAUDIT
  • SECLABELAUDIT | NOSECLABELAUDIT.

If you have the AUDITOR, ROAUDIT, or group-AUDITOR attribute, RACF displays all operands.

Notes:
  • SETROPTS LIST with no other keywords specified is not eligible for automatic command direction. Do not specify the ONLYAT and LIST keywords together without any other keywords on a SETROPTS command.
  • To ensure that SETROPTS LIST shows the most current information, SETROPTS LIST reads information from the RACF database and may write to the RACF database.
LOGOPTIONS (auditing-level (class-name ...) ...)
Audits access attempts to resources in specified classes according to the auditing level specified. You must have the AUDITOR attribute. You can specify the DATASET class and any classes in the class descriptor table. The resources need not have profiles created in order for auditing to occur. See z/OS Security Server RACF Auditor's Guide for more information on when auditing occurs.
The SUCCESSES and FAILURES operands result in auditing in addition to any auditing specified in profiles in the class. In contrast, the ALWAYS and NEVER operands override any auditing specified in profiles in the class. Note that LOG=NONE, specified on a RACROUTE REQUEST=AUTH, takes precedence (auditing is not performed).
auditing-level
Specifies the access attempts to be logged for class-name. The auditing levels are processed in a fixed order (ALWAYS, NEVER, SUCCESSES, FAILURES, DEFAULT; see class-name below), and the last level processed for a class is the one that takes effect. Thus, if class-name is specified with both SUCCESSES and ALWAYS in the same command, auditing takes place at the SUCCESSES level because SUCCESSES is processed after ALWAYS.
ALWAYS
All access attempts to resources protected by the class are audited.
NEVER
No access attempts to resources protected by the class are audited. (All auditing is suppressed.)
SUCCESSES
All successful access attempts to resources protected by the class are audited.
FAILURES
All failed access attempts to resources protected by the class are audited.
DEFAULT
Auditing is controlled by the profile protecting the resource, if a profile exists. You can specify DEFAULT for all classes by specifying an asterisk (*) with DEFAULT.

LOGOPTIONS(DEFAULT) is in effect when RACF is using a newly initialized database.

class-name
The RACF class to which auditing-level applies. The class-name value can be DATASET or any class in the class descriptor table. Each class can have only one auditing level associated with it. The auditing levels are processed in the following order:
  1. ALWAYS
  2. NEVER
  3. SUCCESSES
  4. FAILURES
  5. DEFAULT.
This processing order occurs independently of the order you specify the auditing levels. If you specify two or more auditing levels for a class in the same command, only the last option processed takes effect. Thus, if you specify the following command:
SETR LOGOPTIONS (FAILURES (DATASET,SECLABEL),
         ALWAYS (DATASET, APPL),
         DEFAULT (DATASET, GLOBAL))
The options in effect for the classes are:
  • ALWAYS for the APPL class
  • FAILURES for the SECLABEL class
  • DEFAULT for the DATASET and GLOBAL classes
The DATASET and APPL classes are first assigned auditing-level ALWAYS. The DATASET class is then assigned auditing-level FAILURES, as is class SECLABEL. Finally, the DATASET class is assigned DEFAULT auditing-level, as is class GLOBAL.

If you specify one auditing-level for class-name and in a separate command specify a new auditing level for the same class name, the new auditing-level takes effect.

SETROPTS LOGOPTIONS(DEFAULT(*)) is in effect when RACF is using a newly initialized database.

For information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
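The following is an added example, not RACF code: a Python model of the LOGOPTIONS processing order and of how the resulting level combines with profile auditing and with LOG=NONE, as described above. The command from the text is reused as the sample input; `profile_audits` is a constructed stand-in for what the protecting profile's AUDIT setting would log.

```python
from __future__ import annotations

# Added example modelling the documented LOGOPTIONS behaviour; not RACF code.

# Fixed processing order from the text: a class named more than once in the same
# command ends up with the level processed last.
PROCESSING_ORDER = ("ALWAYS", "NEVER", "SUCCESSES", "FAILURES", "DEFAULT")

def resolve_logoptions(spec: dict[str, list[str]],
                       current: dict[str, str] | None = None) -> dict[str, str]:
    """spec maps each auditing level to the classes listed with it in one SETROPTS
    LOGOPTIONS command; `current` is the state before the command (a later command
    for a class replaces the earlier level).  Returns the new per-class state."""
    state = dict(current or {})
    for level in PROCESSING_ORDER:
        for cls in spec.get(level, []):
            state[cls] = level
    return state

def effective_level(state: dict[str, str], cls: str) -> str:
    """Classes never named default to DEFAULT (LOGOPTIONS(DEFAULT(*)) on a new database)."""
    return state.get(cls, "DEFAULT")

def is_logged(level: str, access_ok: bool, profile_audits: set[str],
              log_none: bool = False) -> bool:
    """Whether one access attempt is logged under the class's auditing level.
    profile_audits: subset of {"SUCCESS", "FAILURE"} the protecting profile's AUDIT
    setting would log (empty when no profile exists or AUDIT(NONE) is set).
    LOG=NONE on the RACROUTE REQUEST=AUTH takes precedence over everything."""
    if log_none:
        return False
    outcome = "SUCCESS" if access_ok else "FAILURE"
    from_profile = outcome in profile_audits
    if level == "ALWAYS":                 # overrides the profile
        return True
    if level == "NEVER":                  # overrides the profile
        return False
    if level == "SUCCESSES":              # in addition to the profile
        return access_ok or from_profile
    if level == "FAILURES":               # in addition to the profile
        return (not access_ok) or from_profile
    return from_profile                   # DEFAULT: the profile decides

# The command from the text:
#   SETR LOGOPTIONS(FAILURES(DATASET,SECLABEL) ALWAYS(DATASET,APPL) DEFAULT(DATASET,GLOBAL))
SAMPLE_COMMAND = {
    "FAILURES": ["DATASET", "SECLABEL"],
    "ALWAYS": ["DATASET", "APPL"],
    "DEFAULT": ["DATASET", "GLOBAL"],
}

def sample_state() -> dict[str, str]:
    return resolve_logoptions(SAMPLE_COMMAND)
```

Running `sample_state()` reproduces the result given in the text: DATASET and GLOBAL end at DEFAULT, APPL at ALWAYS and SECLABEL at FAILURES, regardless of the order in which the levels were typed.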

MLACTIVE | NOMLACTIVE
For the relationships among the SECLABEL class and the MLS, MLACTIVE, MLNAMES, MLQUIET, and SECLBYSYSTEM options, see z/OS Security Server RACF Security Administrator's Guide.
MLACTIVE (FAILURES | WARNING)
Causes security labels to be required on all work entering the system and on all resources defined to USER, DATASET, and all classes defined in the class descriptor table that require security labels.
Rules:
  • This option is available only if the SECLABEL class is active. Activation of MLACTIVE will fail if the SECLABEL class is not active or being activated by the command activating MLACTIVE.
  • With MLACTIVE, user tasks running in a server address space must have a security label that is equivalent to the address space's security label.

Data set and general resource profiles in WARNING mode: A user or task can access a resource that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access. (A data set or general resource is in WARNING mode when you define or modify the profile that protects it and you specify the WARNING operand.)

FAILURES
Specifies that RACF is to reject any request to create or access any resource that requires a security label in the profile that protects it, and does not have one, and to reject any work entering the system that does not have a security label.

The only exception is if MLS(FAILURES) and MLACTIVE(FAILURES) are in effect, and a privileged started task or a user with the SPECIAL attribute and the SYSHIGH SECLABEL attempts to access a resource that requires a security label and does not have one. In this case, RACF allows the request as long as the request does not declassify data.

WARNING
Specifies that when a user requests access to a resource that does not have a security label and the resource belongs to a class that requires security labels, access is allowed but a warning is issued. Also, when work enters the system without a security label, access is allowed but a warning is issued.

MLACTIVE(WARNING) is the default value.

NOMLACTIVE
Allows work to enter the system without a security label and allows requests to access a resource that does not have a security label and the resource belongs to a class that requires security labels.

NOMLACTIVE is in effect when RACF is using a newly initialized database.

MLFSOBJ
MLFSOBJ (ACTIVE | INACTIVE )
ACTIVE
Specifies that security labels are required for files and directories. When the SECLABEL class is active, and MLFSOBJ is active, access to files and directories without security labels is denied except by trusted or privileged started tasks. This option cannot be activated if the SECLABEL class is not active.

If you do not specify ACTIVE or INACTIVE, MLFSOBJ(ACTIVE) is the default.

INACTIVE
Specifies that security labels are not required for files and directories.

INACTIVE is in effect when RACF is using a newly initialized database.

MLIPCOBJ
MLIPCOBJ (ACTIVE | INACTIVE )
ACTIVE
Specifies that security labels are required for interprocess communication. When the SECLABEL class is active, and MLIPCOBJ is active, access to semaphores, message queues and shared memory without associated security labels is denied except by trusted or privileged started tasks. This option cannot be activated if the SECLABEL class is not active.

If you do not specify ACTIVE or INACTIVE, MLIPCOBJ(ACTIVE) is the default.

INACTIVE
Specifies that security labels are not required for interprocess communication.

INACTIVE is in effect when RACF is using a newly initialized database.

MLNAMES | NOMLNAMES
MLNAMES
Specifies that users are restricted to viewing only the names of files and directories that could be read from their current security label, and to viewing data set names that they have access to from their current security label. When MLNAMES is active, users listing catalogs or directories will not see names of resources that they cannot currently access.
NOMLNAMES
Specifies that users are not restricted from viewing the names of files, directories, and data sets that they cannot currently access.

If you do not specify MLNAMES or NOMLNAMES, NOMLNAMES is the default.

NOMLNAMES is in effect when RACF is using a newly initialized database.

MLQUIET | NOMLQUIET
For the relationships among SECLABEL, MLS, MLACTIVE, and MLQUIET, see z/OS Security Server RACF Security Administrator's Guide.
MLQUIET
Allows only started tasks, console operators, or users with the SPECIAL attribute to log on, start new jobs, or access resources. Actions requiring user verification, resource access checking, or resource definition are available only to the security administrator (SPECIAL user), a trusted computer base job (as indicated in the token), or the console operator.

When this option is enabled, the system is in a tranquil state.

NOMLQUIET
Allows all users access to the system.

NOMLQUIET is in effect when RACF is using a newly initialized database.

MLS | NOMLS
For the relationships among SECLABEL, MLS, MLACTIVE, and MLQUIET, see z/OS Security Server RACF Security Administrator's Guide.
MLS (FAILURES |WARNING )
Prevents a user from declassifying data. In order to copy data, the security label of the target must encompass the security label of the source.
Rules:
  • This option is available only if the SECLABEL class is active.
  • Activation of MLS will fail if the SECLABEL class is not active or being activated by the command activating MLS.
FAILURES
Specifies that RACF is to reject any request to declassify data.
WARNING
Specifies that when a user attempts to declassify data, RACF is to allow the request but issue warning messages to the user and the security administrator.

MLS(WARNING) is the default value if you do not specify either FAILURES or WARNING.

NOMLS
Allows users to declassify data within the same CATEGORY.

NOMLS is in effect when RACF is using a newly initialized database.

MLSTABLE | NOMLSTABLE
MLSTABLE
Allows the installation to indicate that no one on the system is allowed to alter the security label of an object or alter the definition of the security label, unless MLQUIET is in effect.
NOMLSTABLE
Allows the alteration of security label definitions or the security labels within a profile without requiring MLQUIET to be in effect.

NOMLSTABLE is in effect when RACF is using a newly initialized database.

MODEL | NOMODEL
MODEL
Specifies, through the following suboperands, the model profile processing options. For information about automatic profile modeling, refer to the z/OS Security Server RACF Security Administrator's Guide.
GDG | NOGDG
Specifies that RACF should attempt to protect RACF-indicated members of a generation data group (GDG) using a base profile with the same name as the GDG data set base name. If a base profile exists for a particular RACF-indicated member, then RACF uses the base profile when determining whether the user can access or create the member. Otherwise, RACF uses, or creates, an individual profile for the member. MODEL(GDG) has no effect on GDG members that are protected by generic profiles.

NOGDG specifies that GDG members should not be treated specially by RACF; they are processed as any other data set would be.

GROUP | NOGROUP
Specifies that when creating a new profile for a group-named data set, RACF should check whether a model profile is specified in the group profile. If so, that model profile should be used to complete the definition of the new data set profile.

NOGROUP specifies that RACF should not use model profiles to complete the definition of new group-named data sets.

USER | NOUSER
Specifies that when creating a new profile for all user ID-named data sets, RACF should check whether a model profile is specified in the user profile. If so, that model profile should be used to complete the definition of the new data set profile.

NOUSER specifies that RACF should not use model profiles to complete the definition of new user ID-named data sets.

NOMODEL
Specifies that there is no model profile processing for GDG, GROUP, or USER data sets.

NOMODEL is in effect when RACF is using a newly initialized database.

OPERAUDIT | NOOPERAUDIT
Specifies whether RACF is to log all actions allowed only because a user has the OPERATIONS (or group-OPERATIONS) attribute. You must have the AUDITOR attribute to enter these operands.
OPERAUDIT
Specifies that RACF is to log all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group-OPERATIONS attribute.
NOOPERAUDIT
Specifies that RACF is not to log the actions allowed only because a user has the OPERATIONS or group-OPERATIONS attribute.

NOOPERAUDIT is in effect when RACF is using a newly initialized database.

PASSWORD (suboperands)
Specifies options to monitor and check passwords and password phrases:
ALGORITHM(KDFAES) | NOALGORITHM
ALGORITHM(KDFAES)
Indicates that RACF should start using the KDFAES algorithm to encrypt user passwords and password phrases. After enablement, the existing algorithm continues to be used to evaluate a user's password or password phrase until the user's password or password phrase is changed. The first time a user's password or password phrase is changed, the new algorithm is used from that point forward.

The KDFAES algorithm is more secure than DES, but is more computationally intensive, by design.

The PWCONVERT keyword of ALTUSER can be used to convert a user's password from DES to KDFAES format without requiring the password to be changed.

If ALGORITHM is specified without a sub-operand, it is ignored.

NOALGORITHM
Indicates that the legacy algorithm is used to encrypt passwords. This is the default setting. In this case, the algorithm in effect is determined by the ICHDEX01 exit, with DES being the default if there is no exit installed.

If you deactivate KDFAES after some set of passwords have been encrypted using KDFAES, each such password continues to be evaluated using KDFAES until it is changed; from that point forward, the legacy algorithm is used. Any history entries that were created with KDFAES continue to be evaluated using KDFAES. The PWCONVERT keyword of ALTUSER can be used to delete KDFAES history entries, if you want, after reverting to DES.
HISTORY | NOHISTORY
HISTORY(number-of-previous-values)
Specifies the number (1 - 32) of previous passwords and password phrases that RACF saves for each user and compares with each new intended value. When RACF finds a match with a previous value, or with the current password or password phrase, RACF rejects the new intended value.

For passwords, RACF stores only previous passwords in each user's history. For password phrases, RACF saves the user's current password phrase in addition to the user's previous password phrases. Therefore, for password phrases, RACF saves one fewer previous value than the number you specify for history.

For example, if you specify 12 for your HISTORY number, RACF saves up to 12 previous passwords and up to 11 previous password phrases for each user.
SETROPTS PASSWORD(HISTORY(12))

If you increase the HISTORY number, RACF saves and compares that number of passwords and password phrases to the new intended value. If you subsequently reduce the HISTORY number, any previous passwords and password phrases stored in the user profile in excess of the newly specified HISTORY number are not deleted and continue to be used for comparison.

For example, if you specify 12 for your HISTORY number and subsequently reduce it to 8, RACF compares the old passwords and password phrases 9 - 12 with the new intended value.

Attention: You should use ALTUSER PWCLEAN to clean up history entries for all users any time you change the HISTORY value.
NOHISTORY
Specifies that new password and password phrase values are only compared with the current password or password phrase. If prior history information exists in the user profile, it is neither deleted nor changed. ALTUSER PWCLEAN can be used to delete history from USER profiles when NOHISTORY is in effect.

NOHISTORY is in effect when RACF is using a newly initialized database.

INTERVAL(maximum-change-interval)
Specifies the maximum number of days (1 - 254) each user's password and password phrase are valid. For example, if you specify 90 for your INTERVAL number, each user's password is valid for 90 days and each user's password phrase (if set) is valid for 90 days.
RACF uses the value you specify for maximum-change-interval as both:
  • The default value for new users defined to RACF through the ADDUSER command.
  • The upper limit for users who specify the INTERVAL operand on the PASSWORD command.
When a user logs on to the system, RACF compares this INTERVAL value (the system interval) with the interval value specified in the user's profile (the user's interval). RACF uses the lower of the two values to determine if the user's password and password phrase have expired.

The initial default at RACF initialization is 30 days. The maximum change interval cannot be less than the minimum change interval set with the MINCHANGE keyword.

MINCHANGE(minimum-change-interval)
Specifies the number of days that must pass between a user's password and password phrase changes. Acceptable values are 0 - 254 (days), providing the number of days between changes does not exceed the maximum change interval specified by the INTERVAL keyword. For example, if you specify 5 for your MINCHANGE number, users cannot change their passwords more than once in 5 days, nor can they change their password phrases (if assigned) more than once in 5 days.

The initial default is 0 days, allowing users to change their passwords and password phrases more than once on the same day.

Users cannot change their own passwords and password phrases within the minimum change interval. However, you can use the ALTUSER command to change another user's password within the minimum change interval if you have at least one of the following authorities:
  • You have the SPECIAL attribute.
  • The user is within the scope of a group in which you have the group-SPECIAL attribute.
  • You are the owner of the user's profile.
  • You have at least CONTROL authority to the IRR.PASSWORD.RESET resource in the FACILITY class, and the other user does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
  • You have at least CONTROL access to an appropriate resource in the FACILITY class (IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner), and both of the following conditions are also true:
    • The other user does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
    • You are not excluded from altering the user by the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class.
    For more information about the IRR.PWRESET profiles, see z/OS Security Server RACF Security Administrator's Guide.
MIXEDCASE | NOMIXEDCASE
MIXEDCASE
Indicates that all applications on this system and those that share the RACF database support mixed-case and lowercase passwords. The syntax rules must be modified to allow mixed-case and lowercase characters. (See RULEn | NORULEn | NORULES for more information.) When this option is activated, the RACF ALTUSER, ADDUSER, PASSWORD and RACLINK commands do not translate passwords to uppercase, nor do applications that provide mixed-case password support, such as TSO/E and z/OS® UNIX Systems Services. This option is inactive by default.

If you are propagating passwords with RRSF, see "RRSF Considerations for Mixed-Case Passwords" in z/OS Security Server RACF Security Administrator's Guide.

Important: The MIXEDCASE option is intended to be activated - after evaluating and updating applications and implementing appropriate password syntax rules - and never deactivated. Deactivate it only if problems are encountered. If you deactivate MIXEDCASE after it was active, any users who changed their passwords to mixed-case or lowercase (when MIXEDCASE was active) will no longer be able to enter the system until an authorized user resets their passwords to uppercase. If you subsequently reactivate MIXEDCASE, the same users must enter their passwords in upper case.

NOMIXEDCASE
Indicates that mixed-case and lowercase passwords are not supported. This is the default setting.

Important: If you issue SETR NOMIXEDCASE after MIXEDCASE was active, any users who changed their passwords to mixed-case or lowercase (when MIXEDCASE was active) can no longer enter the system until an authorized user resets their passwords to uppercase. See the important note for the MIXEDCASE operand.

REVOKE | NOREVOKE
REVOKE(number-of-unsuccessful-attempts)
Specifies the number of consecutive unsuccessful attempts (1 - 255) to access the system (using an incorrect password or password phrase) before RACF revokes the user ID on the next unsuccessful attempt. If you specify REVOKE, INITSTATS must be in effect.

The REVOKE number you specify applies to the combination of incorrect passwords and password phrases RACF allows. For example, if you specify 5 as your REVOKE number, a user will be revoked upon three consecutive incorrect passwords followed by three consecutive incorrect password phrases.

NOREVOKE
Specifies that RACF ignores the number of consecutive unsuccessful attempts to access the system using an incorrect password or password phrase.
RULEn | NORULEn | NORULES
Tip: You might find the ISPF panels easier to use for entering password rules.
RULEn (LENGTH (m1:m2) content-keyword (position))

Specifies an individual syntax rule for new passwords that users specify at logon, on JCL job cards, or on the PASSWORD command. The rules also apply to passwords specified on the ALTUSER command with the NOEXPIRED operand. Eight syntax rules are allowed; therefore, for the RULEn suboperand, the value of n is 1 - 8.

These syntax rules do not apply to:
  • Password phrases
  • Logon passwords that are currently in effect for a user
  • Logon passwords specified on the ADDUSER command
  • Logon passwords specified on the ALTUSER command with the PASSWORD operand and with the EXPIRED operand either specified or defaulted
  • Default passwords set by the PASSWORD USER(userid) command, which are set to the user's default group name.

If multiple rules are defined, a password that passes at least one rule is accepted.

Restriction: Changes to password syntax rules will not force users to immediately change their passwords. RACF does not apply new password rules to users until users change their passwords - either voluntarily or at password expiration.

LENGTH(m1:m2)
Specifies the minimum and maximum password lengths to which this particular rule applies (m2 must be greater than or equal to m1). Because RACF allows passwords no longer than 8 alphanumeric characters, the value for m2 must be less than or equal to 8. If you omit the m2 value, the rule applies to a password of one length only.
content-keyword(position)
Specifies the syntax rules for the positions indicated by the LENGTH suboperand. Rules specifying mixed-case characters should only be set when the MIXEDCASE option is in effect. New passwords will not match these rules when mixed-case passwords are not supported, either because the MIXEDCASE option is not in effect or because an application is used that does not support mixed-case passwords. The possible values for content-keyword are:
ALPHA
Includes uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
ALPHANUM
Includes the ALPHA characters - uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C') - and NUMERIC characters.

If the password syntax rule requires only one ALPHANUM character, passwords must contain either one ALPHA character or one NUMERIC character.

If the password syntax rule requires two or more ALPHANUM characters, passwords must contain at least one ALPHA character and at least one NUMERIC character in the specified ALPHANUM positions.

VOWEL
Includes uppercase vowel characters, namely A, E, I, O, and U
NOVOWEL
Includes characters that are not vowels, such as
  • Uppercase alphabetic characters that are consonants, not vowels
  • National and special characters
  • Numeric characters
CONSONANT
Includes uppercase non-vowel characters
NUMERIC
Includes numeric characters
NATIONAL
Includes the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
MIXEDALL
Includes all allowable password characters separated into the following categories. There are either three or four "active" categories, depending on whether SETROPTS PASSWORD(MIXEDCASE) is enabled.
  1. The national characters, and special characters if SETROPTS PASSWORD(SPECIALCHARS) is in effect
  2. Numeric characters
  3. Uppercase alphabetic characters (not including the national characters)
  4. Lowercase alphabetic characters, if SETROPTS PASSWORD(MIXEDCASE) is in effect.
MIXEDALL is intended to force a mixture of character types that can include special characters. MIXEDALL requires a character from as many different active categories as there are MIXEDALL positions specified, in any combination:
  • When one MIXEDALL position is specified, any character from any active category may be specified in that position. This is equivalent to not specifying a content-keyword in this position.
  • When two MIXEDALL positions are specified, two characters from any two different active categories must be specified in the designated positions.
  • When three MIXEDALL positions are specified, three characters from any three different active categories must be specified in the designated positions.
  • When four or more MIXEDALL positions are specified, and SETROPTS PASSWORD(MIXEDCASE) is enabled, then at least one of every category must be specified anywhere across the designated positions. If MIXEDCASE is not enabled, then there is no change in behavior from having three MIXEDALL positions, other than in the number of positions over which the three active categories may be spread.
MIXEDCONSONANT
Includes uppercase and lowercase non-vowel characters
MIXEDVOWEL
Includes the uppercase and lowercase vowel characters, A, E, I, O, U, and a, e, i, o, u
MIXEDNUM
Includes all characters of the following three types of MIXEDNUM characters:
  1. ALPHA characters - includes uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
  2. Lowercase alphabetic characters
  3. NUMERIC characters.

If the password syntax rule requires only one MIXEDNUM character, passwords must contain at least one character of any one of the three MIXEDNUM character types.

If the password syntax rule requires two MIXEDNUM characters, passwords must contain two characters of different MIXEDNUM character types, in one of the following valid combinations:
  • An ALPHA character and a lowercase alphabetic
  • An ALPHA character and a NUMERIC character
  • A lowercase alphabetic character and a NUMERIC character.

If the password syntax rule requires three or more MIXEDNUM characters, passwords must contain three or more MIXEDNUM characters including at least one character of each MIXEDNUM character type in the specified MIXEDNUM positions.

SPECIAL
Includes the special characters documented under SETROPTS PASSWORD(SPECIALCHARS) as well as the national characters # (X'7B'), $ (X'5B'), and @ (X'7C').

If the values in the content-keywords do not define every position specified by the LENGTH value, the undefined positions can consist of any combination of alphanumeric characters.

Each content-keyword is followed by a position (in the form of k, not greater than 8), list of positions (form of k1,k2,k3... in any order), or a range (form of k4:k5, where k5 must be greater than or equal to k4).
  • Example:
    RULE1(LENGTH(8) CONSONANT(1,3,5:8) NUMERIC(2,4))
  • Result:

    Syntax RULE1 applies to passwords eight characters in length with consonants in positions 1, 3, 5, 6, 7, and 8 and numbers in positions 2 and 4. The password B2D2GGDD obeys RULE1, and C3PIBOLO does not.

  • Example:
    RULE2(LENGTH(6) NATIONAL(3) MIXEDNUM(4:6))
  • Result:

    Syntax RULE2 applies to passwords 6 characters in length with a national character in position 3 and requires an uppercase alphabetic, a lowercase alphabetic, and a numeric in positions 4, 5, and 6. The password AB@1tD obeys RULE2.
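The rule evaluation just described, as an added Python model (example code written for this page, not RACF's own implementation). It parses the suboperand text of a RULEn, applies the content-keyword definitions above including the category-mix logic of ALPHANUM, MIXEDNUM and MIXEDALL, and accepts a password when at least one rule is satisfied. Assumptions, marked in the code: the extra character set admitted by SPECIALCHARS, that characters not permitted under the current MIXEDCASE and SPECIALCHARS settings are rejected before any rule is evaluated, and that rule positions beyond the end of a shorter password are ignored when LENGTH is a range. Names such as RuleSet, parse_rule and accepts are this example's, not RACF keywords.

```python
import re
import string

# Character classes as the content-keyword descriptions above define them.
NATIONAL = set("#$@")
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
VOWELS = set("AEIOUaeiou")
# Assumed extra characters admitted by PASSWORD(SPECIALCHARS); the authoritative
# list is in the Security Administrator's Guide, so treat this set as illustrative.
SPECIAL_EXTRA = set(".<+|&!*-%_>?:=")
_KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_positions(spec):
    """'1,3,5:8' -> {1, 3, 5, 6, 7, 8}; positions are 1-based and at most 8."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    if not out or min(out) < 1 or max(out) > 8:
        raise ValueError(f"bad position list {spec!r}")
    return out


def parse_rule(text):
    """Parse one RULEn suboperand, e.g. 'LENGTH(6) NATIONAL(3) MIXEDNUM(4:6)'."""
    length, keywords = None, []
    for kw, arg in _KEYWORD.findall(text):
        if kw == "LENGTH":
            m1, _, m2 = arg.partition(":")
            length = (int(m1), int(m2 or m1))
            if not 1 <= length[0] <= length[1] <= 8:
                raise ValueError("LENGTH requires 1 <= m1 <= m2 <= 8")
        else:
            keywords.append((kw, parse_positions(arg)))
    if length is None:
        raise ValueError("LENGTH is required")
    return length, keywords


class RuleSet:
    def __init__(self, rules, mixedcase=False, specialchars=False):
        self.rules = [parse_rule(r) for r in rules]
        self.mixedcase, self.specialchars = mixedcase, specialchars
        # Assumption: characters outside this set are rejected before any rule runs.
        self.allowed = UPPER | DIGITS | NATIONAL
        self.allowed |= LOWER if mixedcase else set()
        self.allowed |= SPECIAL_EXTRA if specialchars else set()

    def _member_set(self, kw):
        """Keywords that are a plain membership test on each listed position."""
        return {"ALPHA": UPPER | NATIONAL, "VOWEL": VOWELS & UPPER,
                "CONSONANT": UPPER - VOWELS, "NUMERIC": DIGITS, "NATIONAL": NATIONAL,
                "NOVOWEL": self.allowed - VOWELS, "SPECIAL": NATIONAL | SPECIAL_EXTRA,
                "MIXEDCONSONANT": (UPPER | LOWER) - VOWELS, "MIXEDVOWEL": VOWELS}[kw]

    def _mix_ok(self, kw, chars):
        """Keywords that demand a mixture of categories across their positions."""
        if kw == "ALPHANUM":
            alpha = UPPER | NATIONAL
            if not all(c in alpha | DIGITS for c in chars):
                return False
            # One position: either kind; two or more: at least one of each.
            return len(chars) < 2 or (any(c in alpha for c in chars)
                                      and any(c in DIGITS for c in chars))
        if kw == "MIXEDNUM":
            cats = [UPPER | NATIONAL, LOWER, DIGITS]
        elif kw == "MIXEDALL":
            cats = [NATIONAL | (SPECIAL_EXTRA if self.specialchars else set()), DIGITS, UPPER]
            cats += [LOWER] if self.mixedcase else []
        else:
            raise ValueError(f"unknown content-keyword {kw}")
        hit = set()
        for c in chars:
            idx = next((i for i, cat in enumerate(cats) if c in cat), None)
            if idx is None:
                return False
            hit.add(idx)
        # n positions need n distinct categories, capped at the number of active
        # categories: this reproduces the "two", "three" and "four or more" cases.
        return len(hit) >= min(len(chars), len(cats))

    def _passes(self, rule, pw):
        (m1, m2), keywords = rule
        if not m1 <= len(pw) <= m2:
            return False                       # rule does not apply to this length
        if any(c not in self.allowed for c in pw):
            return False                       # e.g. lowercase under NOMIXEDCASE
        for kw, positions in keywords:
            # Assumption: positions past the end of a shorter password are ignored.
            chars = [pw[p - 1] for p in sorted(positions) if p <= len(pw)]
            if kw in ("ALPHANUM", "MIXEDNUM", "MIXEDALL"):
                if not self._mix_ok(kw, chars):
                    return False
            elif any(c not in self._member_set(kw) for c in chars):
                return False
        return True

    def accepts(self, pw):
        """A new password is accepted when it satisfies at least one rule."""
        return any(self._passes(rule, pw) for rule in self.rules)
```

Loading both example rules above reproduces the documented results: B2D2GGDD is accepted and C3PIBOLO rejected under RULE1, and AB@1tD is accepted under RULE2 only when mixedcase=True; with the default setting it is rejected before any rule is evaluated, which is the situation the content-keyword description warns about when mixed-case passwords are not supported.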

NORULEn
Specifies that RACF is to delete the particular rule identified by n.
NORULES
Specifies that RACF is to delete all password syntax rules established by the installation.

NORULES is in effect when RACF is using a newly initialized database.

SPECIALCHARS | NOSPECIALCHARS
SPECIALCHARS
Indicates that all applications on this system and those that share the RACF database support additional special characters in passwords. For more information, see Allowing special characters in passwords (PASSWORD option) in z/OS Security Server RACF Security Administrator's Guide. This option is inactive by default.
NOSPECIALCHARS
Indicates that special characters are not allowed in passwords. This is the default setting. If NOSPECIALCHARS is specified after users have already started using special characters in passwords, those users can still log on with their existing passwords, but cannot include special characters in the new password when they change it.
WARNING | NOWARNING
WARNING(days-before-password-expires)
Specifies the number of days (1 - 255) before a password or password phrase expires, indicating that RACF is to issue a warning message to the TSO user or to the job log of a batch job that specified the expiring password or password phrase.

If you specify a WARNING value that exceeds the INTERVAL value, a warning message is issued at each logon. If you do not want the warning with each logon, specify a value for WARNING that is less than the value you specify for INTERVAL. If you specify WARNING, INITSTATS must be in effect.

NOWARNING
Specifies that RACF is not to issue the warning message for expiring passwords or password phrases.

NOWARNING is in effect when RACF is using a newly initialized database.
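The HISTORY, INTERVAL, MINCHANGE, REVOKE and WARNING behaviours described above, as one added Python model (example code for this page, not RACF's code) so that their interactions can be checked: history entries left over after HISTORY is reduced are still compared until a PWCLEAN, the effective change interval is the lower of the system and user values, a WARNING value larger than the interval fires at every logon, and the REVOKE count is the combined total of bad passwords and bad password phrases. Assumptions, marked in the code: a password counts as expired once more than the interval has elapsed, a successful logon resets the consecutive-failure count, and the Setropts and User types and the by_admin flag are this example's names.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Setropts:
    """The SETROPTS PASSWORD values this model reads. Defaults are the values the
    text gives for a newly initialized database (None = NOHISTORY/NOREVOKE/NOWARNING)."""
    history: Optional[int] = None
    interval: int = 30
    minchange: int = 0
    revoke: Optional[int] = None
    warning: Optional[int] = None


@dataclass
class User:
    password: str
    changed_on: date
    interval: Optional[int] = None                      # PASSWORD INTERVAL in the user profile
    history: List[str] = field(default_factory=list)    # previous passwords, newest first
    failures: int = 0                                   # consecutive bad password/phrase attempts
    revoked: bool = False


def effective_interval(opts, user):
    """RACF uses the lower of the system INTERVAL and the user's own interval."""
    return opts.interval if user.interval is None else min(opts.interval, user.interval)


def is_expired(opts, user, today):
    # Assumption: the password is expired once more than <interval> days have passed.
    return (today - user.changed_on).days > effective_interval(opts, user)


def warning_issued(opts, user, today):
    """True when the expiry warning would appear at this logon. A WARNING value larger
    than the interval makes it true at every logon, as the text states."""
    if opts.warning is None:
        return False
    remaining = effective_interval(opts, user) - (today - user.changed_on).days
    return remaining <= opts.warning


def change_password(opts, user, new, today, by_admin=False):
    """Return None on success, otherwise the reason the change is refused.
    by_admin models an ALTUSER by a user holding one of the authorities listed under MINCHANGE."""
    if not by_admin and (today - user.changed_on).days < opts.minchange:
        return "MINCHANGE"
    if new == user.password:
        return "MATCHES_CURRENT"
    # With HISTORY in effect every stored entry is compared, including entries left
    # over from a larger HISTORY value; under NOHISTORY only the current value is.
    if opts.history is not None:
        if new in user.history:
            return "MATCHES_HISTORY"
        user.history.insert(0, user.password)
    user.password, user.changed_on = new, today
    return None


def pwclean(opts, user):
    """Model of ALTUSER PWCLEAN: discard history entries beyond the HISTORY value
    (all of them under NOHISTORY)."""
    keep = opts.history or 0
    del user.history[keep:]


def failed_logon(opts, user):
    """Count one bad password or bad password phrase; the REVOKE count is the combined
    total. Returns True when this attempt revokes the user ID."""
    user.failures += 1
    if opts.revoke is not None and user.failures > opts.revoke:
        user.revoked = True
    return user.revoked


def successful_logon(user):
    user.failures = 0    # assumption: a good logon resets the consecutive-failure count
```

The history part of the model is the one worth running before lowering a HISTORY value in production: after the reduction a user is still refused any of the older values until PWCLEAN has run, which is exactly why the text attaches an Attention note to that change.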

PREFIX | NOPREFIX
PREFIX(prefix)
Activates RACF protection for data sets that have single-qualifier names, and specifies the 1 - 8 character prefix to be used as the high-level qualifier in the internal form of the names. The variable prefix should be a predefined group name, and it must not be the high-level qualifier of any actual data sets in the system.
NOPREFIX
Deactivates RACF protection for data sets that have single-level names.

When EGN is active and NOPREFIX is in effect, a data set can be protected with a generic profile of the form ABC.**, where ABC equals the data set name.

NOPREFIX is in effect when RACF is using a newly initialized database.

PROTECTALL | NOPROTECTALL
PROTECTALL(FAILURES | WARNING)
Activates PROTECTALL processing. When PROTECTALL processing is active, the system automatically rejects any request to create or access a data set that is not RACF-protected. This processing includes DASD data sets, tape data sets, catalogs, and GDG basenames. Temporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing.

Note that PROTECTALL requires all data sets to be RACF-protected. This includes tape data sets if your installation specifies the TAPEDSN operand on the SETROPTS command.

In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles. If your installation uses nonstandard names for temporary data sets, you must also predefine entries in the global access checking table that allow these data sets to be created and accessed.

The WARNING suboperand enables you to specify a warning message to the requestor in place of rejecting the request.
FAILURES
Specifies that RACF is to reject any request to create or access a data set that is not RACF-protected.

The default value is FAILURES.

If PROTECTALL(FAILURES) is in effect and a user with the SPECIAL attribute requests access to an unprotected data set, RACF accepts the request, audits the event, and issues a PROTECTALL warning message.

If PROTECTALL(FAILURES) is in effect and a trusted started task requests access to an unprotected data set, RACF accepts the request, audits the event, and no warning message is issued.

If PROTECTALL(FAILURES) is in effect and a privileged started task requests access to an unprotected data set, RACF accepts the request, the event is not audited, and no warning message is issued.

WARNING
Specifies that when a user requests creation of, or access to, a data set that is not RACF-protected, RACF is to allow the request but issue warning messages to the user and the security administrator.
NOPROTECTALL
Specifies that a user can create or access a data set that is not protected by a profile.

NOPROTECTALL is in effect when RACF is using a newly initialized database.

RACLIST | NORACLIST
RACLIST(class-name ...)
Activates the sharing of in-storage profiles, both generic and discrete, for the classes specified. Also see GENLIST operand.

Activate this function to improve the performance of resource access checking for a general resource class. With the profiles for the class in storage, RACF requires no database I/O when making an access decision.

A valid class-name is any member class for which the class descriptor table allows or requires RACLIST processing. Grouping classes are not valid, except for RACFVARS and NODES. If class-name is valid, not only the specified class-name, but all classes that share the same POSIT are processed. If some classes sharing the same POSIT do not allow RACLIST processing, those classes are skipped.

Only active classes are RACLISTed. Be sure to activate each class you want to RACLIST. For example:
SETROPTS RACLIST(DIGTCERT) CLASSACT(DIGTCERT)

If REFRESH is also specified, member classes for which the class descriptor table does not allow RACLIST processing are also valid because the SETROPTS RACLIST(class-name) REFRESH command refreshes classes that were RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES or SETROPTS RACLIST. Likewise, classes for which SETROPTS GENLIST was specified are also valid.

You cannot SETROPTS RACLIST and SETROPTS GENLIST for the same general resource class.

Rule: If the following supplied classes are active, you must issue the SETROPTS RACLIST command to share them:

In-storage profiles for the following supplied classes can be optionally shared by using SETROPTS RACLIST.

Important: For each class marked with an asterisk (*), you might incur performance degradation or missing function if you do not issue the SETROPTS RACLIST command when you define profiles in the class and activate it. For important details about each class, see z/OS Security Server RACF Security Administrator's Guide (for classes used for RACF functions) or the appropriate program documentation.

If you have, or are considering, authorizing a large number of users for a resource in a class that can be processed to an in-storage profile using the SETROPTS RACLIST command, you must consider the number of entries in the access list, because RACLIST processing merges profiles and the access lists of each profile. The combined number of access-list entries might cause the profile to become too large to be processed, and RACLIST processing might fail. See z/OS Security Server RACF Security Administrator's Guide for more information about limiting the size of access lists and profile sizes.

Note:
  1. When you activate RACLIST processing for a class, RACF copies both discrete and generic profiles for that class into a data space.
  2. When the RACGLIST class is active and class-name profiles have been specified in the RACGLIST class, SETROPTS RACLIST(class-name) stores the RACLISTed results from the data space in the RACGLIST classname_nnnnn profiles on the RACF database, enabling all systems sharing the database to access the same level of profile information.
    For example if you issue the commands:
    SETR CLASSACT(RACGLIST)
    RDEFINE RACGLIST TERMINAL
    Then either when you issue:
    SETROPTS RACLIST(TERMINAL)
    or at the next IPL, if the TERMINAL class was RACLISTed before the RACGLIST class was activated, RACF creates RACGLIST TERMINAL_00001, RACGLIST TERMINAL_00002, and so on, to hold the results of the SETROPTS RACLIST processing.

    The profiles are available to all authorized users, thereby eliminating the need for RACF to retrieve a profile each time a user requests access to a resource protected by that profile. Thus, when you activate this function, you reduce processing overhead.

    The SETROPTS RACLIST(class-name) command overrides a RACROUTE REQUEST=LIST,GLOBAL=YES request for the same class. The data space and RACGLIST classname_nnnnn profiles, if any, are refreshed by the SETROPTS RACLIST. SETROPTS LIST output will list the class in the SETR RACLIST CLASSES = line rather than the GLOBAL=YES RACLIST ONLY = line.

  3. If you specify RACLIST with REFRESH, RACF rebuilds the discrete and generic profiles for the class and places them in the new data space. If the RACGLIST class is active and contains a profile for class-name, the classname_nnnnn profiles for the class are also rebuilt, or are created if they had not been built previously.

    SETROPTS RACLIST(class-name) REFRESH can also be used to refresh classes that were RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES, as well as classes RACLISTed by SETROPTS RACLIST. It refreshes the class but has no effect on SETROPTS LIST output. If the class was RACLISTed solely by RACROUTE REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES, the class is listed in the GLOBAL=YES RACLIST ONLY = line. Regardless of whether the class was also RACLISTed by GLOBAL=YES, if it was RACLISTed by SETROPTS RACLIST(class-name) then the class is listed only in the SETR RACLIST CLASSES = line.

    SETROPTS RACLIST(classname) REFRESH can also be issued to create the RACGLIST profiles for the class, even if the class were not RACLISTed by either RACROUTE REQUEST=LIST,GLOBAL=YES or by SETROPTS RACLIST. Then the first RACROUTE REQUEST=LIST,GLOBAL=YES uses the RACLIST profiles to build the RACLIST data space, rather than accessing the database for each individual discrete and generic profile.

    While the rebuild is in progress, RACF continues to use the old in-storage profiles for authorization requests until the new ones are created. When all systems have completed rebuilding the local data spaces, the coordinator signals the members of the data sharing group to discard the old ones, and to begin using the new one.

  4. When RACF is enabled for sysplex communication, RACF propagates a SETROPTS RACLIST(class-name) or SETROPTS RACLIST(class-name) REFRESH command issued from any one system (coordinator) to other systems in the data sharing group (peers) if the command is successful on the system on which it was entered. If the RACGLIST classname_nnnnn profiles were built for the class, peer members of the sysplex use the results to build the RACLIST data space on their system, but do not rebuild the RACGLIST profiles.

    If a refresh is being done, RACF continues to use the old in-storage profiles for authorization requests until the new ones are created. When all systems have completed rebuilding the local data spaces, the coordinator signals the members of the data sharing group to discard the old ones, and to begin using the new one.

    If RACF is not enabled for sysplex communication, you must issue the SETROPTS RACLIST(class-name) command and the SETROPTS RACLIST(class-name) REFRESH command on each system sharing the database.

  5. When you activate RACLIST processing for the CDT class, the dynamic class descriptor table is built in a dataspace instead of in-storage profiles. The information in the dataspace is not used for authorization checking. If authorization checking using RACROUTE REQUEST=FASTAUTH is required for the CDT class, you must use RACROUTE REQUEST=LIST,GLOBAL=NO to locally RACLIST the CDT class profiles. Alternatively, RACROUTE REQUEST=AUTH may be used for the CDT class, and RACF will use CDT profiles in the RACF database for authorization checking. For more information on the dynamic CDT, see z/OS Security Server RACF Security Administrator's Guide.
NORACLIST(class-name ...)
Deactivates the sharing of in-storage profiles, both generic and discrete, for the classes specified. Also see the NOGENLIST operand.

When you specify NORACLIST, RACF deletes the data space containing the generic and discrete profiles for the specified classes. The data space might have been created by specifying the class with either a SETROPTS RACLIST command or a RACROUTE REQUEST=LIST,GLOBAL=YES request. In the latter case, all applications that issued a RACROUTE REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES for the class should issue a RACROUTE REQUEST=LIST,ENVIR=DELETE before a SETROPTS NORACLIST is issued that processes the class. The SETROPTS NORACLIST should be used to delete the data space only after all applications have relinquished their access to it.

For both the SETROPTS RACLIST and RACROUTE REQUEST=LIST,GLOBAL=YES cases, if RACGLIST classname_nnnnn profiles exist for the class, they are deleted. Even if the class was not RACLISTed, SETROPTS NORACLIST can be used to delete these profiles. In all cases, the RACGLIST classname profile remains.

A valid class-name is any member class in the class descriptor table. Grouping classes are not valid, except for RACFVARS and NODES. If class-name is valid, not only the specified class but all classes that share the same POSIT are processed. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.

Because SETROPTS NORACLIST, like SETROPTS RACLIST REFRESH, operates on classes that were RACLISTed either by RACROUTE REQUEST=LIST,GLOBAL=YES or by SETROPTS RACLIST, member classes in the class descriptor table that do not allow RACLIST processing are valid classes for SETROPTS NORACLIST. Such classes remain invalid for SETROPTS RACLIST without REFRESH.

When RACF is enabled for sysplex communication, RACF propagates the SETROPTS NORACLIST command to other systems in the data sharing group, if the command was successful on the system in which it was entered. If RACF is not enabled for sysplex communication, you must issue the SETROPTS NORACLIST command on each system sharing the database.

NORACLIST is in effect for all classes defined in the class descriptor table when RACF is using a newly initialized database.

When SETROPTS NORACLIST(CDT) is issued, the dataspace containing the dynamic class descriptor table is deactivated, but not deleted. The dataspace remains until the system is restarted. For more information on the dynamic CDT, see z/OS Security Server RACF Security Administrator's Guide.

REALDSN | NOREALDSN
REALDSN
Specifies that RACF is to record, in any SMF log records and operator messages, the real data set name (not the naming-conventions name) used on the data set commands and during resource access checking and resource definition.
NOREALDSN
Specifies that RACF is to record, in any SMF log records and operator messages, the data set names modified according to RACF naming conventions.

NOREALDSN is in effect when RACF is using a newly initialized database.

REFRESH
Refreshes the in-storage generic profiles when specified with GENERIC, GLOBAL or RACLIST, or the in-storage program control tables when specified with WHEN(PROGRAM).
RETPD(nnnnn)
Specifies the default RACF security retention period for tape data sets, where nnnnn is a 1-5 digit number in the range of 0 through 65533 or 99999 to indicate a data set that never expires. The security retention period is the number of days that RACF protection is to remain in effect for a tape data set; RACF stores the value in the tape data set profile.

If you specify RETPD, you must also specify TAPEDSN to activate tape data set protection. If you omit TAPEDSN, RACF records the value you specify for security retention period in the list of RACF options. However, without tape data set protection activated, this value is meaningless.

If you specify RETPD and TAPEDSN, the value you specify for security retention period is the default for your installation; RACF places the value in each tape data set profile unless the user specifies one of the following:
  • An EXPDT in the JCL other than the current date
  • A RETPD other than 0 on the ADDSD command.
If you specify TAPEDSN and do not specify RETPD, RACF uses a value of 0 for the default security retention period.
RVARYPW([SWITCH(switch-pw)] [STATUS(status-pw) ])
Specifies the passwords that the operator is to use to respond to requests to approve RVARY command processing, where switch-pw is the response to a request to switch RACF databases or change the operating mode of RACF, and status-pw is the response to a request to change RACF or database status from ACTIVE to INACTIVE or from INACTIVE to ACTIVE. You can specify different passwords for each response. Note that NO is not a valid password for either SWITCH or STATUS.

When RACF is using a newly initialized database, the switch password and the status password are both set to YES.

SAUDIT | NOSAUDIT
Specifies whether RACF is to log RACF commands issued by users with the SPECIAL or group-SPECIAL attribute. You must have the AUDITOR attribute to specify these operands.
SAUDIT
Specifies that RACF is to log RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) issued by users who either had the SPECIAL attribute or who gained authority to issue the command through the group-SPECIAL attribute.

SAUDIT is in effect when RACF is using a newly initialized database.

NOSAUDIT
Specifies that RACF is not to log the commands issued by users with the SPECIAL or group-SPECIAL attribute.
SECLABELAUDIT | NOSECLABELAUDIT
You must have the AUDITOR attribute to specify these options.
SECLABELAUDIT
Specifies that the SECLABEL profile's auditing options are to be used in addition to the auditing options specified for the user or resource. This additional auditing occurs whenever an attempt is made to access or define a resource protected by a profile, FSP, or ISP that has a security label specified, or when a user running with a security label attempts to access or define a resource.

The SECLABEL profile requires SETROPTS RACLIST processing. If SECLABEL profile audit options are not specified, SECLABEL auditing is not done.

For more information, refer to z/OS Security Server RACF Auditor's Guide.

NOSECLABELAUDIT
Disables auditing by SECLABEL.

NOSECLABELAUDIT is in effect when RACF is using a newly initialized database.

SECLABELCONTROL | NOSECLABELCONTROL
SECLABELCONTROL
Limits the users who can specify the SECLABEL operand on RACF commands. Those allowed to specify the operand are:
  • Users with the SPECIAL attribute can specify the SECLABEL operand on any RACF command.
  • Users with the group-SPECIAL attribute can specify the SECLABEL operand on the ADDUSER and ALTUSER commands when adding a user to a group within their scope of control (provided the group-SPECIAL is permitted to the SECLABEL).
NOSECLABELCONTROL
Allows any user to change the SECLABEL field in a profile, as long as the user has at least READ access authority to the associated SECLABEL profile.

NOSECLABELCONTROL is in effect when RACF is using a newly initialized database.

SECLBYSYSTEM | NOSECLBYSYSTEM
SECLBYSYSTEM
Specifies that security labels can be activated on a system image basis. When SECLBYSYSTEM is active, the SMF ID values specified in the member list of the profiles in the SECLABEL class will determine whether or not the security label is valid for each system. Security labels that are not valid for a system are considered inactive and cannot be used or listed by users without SPECIAL or AUDITOR on that system. After activating SECLBYSYSTEM, SETR RACLIST(SECLABEL) REFRESH must be issued to complete the activation of security labels by system. This option cannot be activated if the SECLABEL class is not active.
NOSECLBYSYSTEM
Specifies that security labels are not activated on a system image basis.

NOSECLBYSYSTEM is in effect when RACF is using a newly initialized database.

SECLEVELAUDIT | NOSECLEVELAUDIT
You must have the AUDITOR attribute to specify these operands.
SECLEVELAUDIT (security-level)
Activates auditing of access attempts to all RACF-protected resources based on the specified installation-defined security level. RACF audits all access attempts for the specified security level and higher.

You can specify only a security level name defined by your installation as a SECLEVEL profile in the SECDATA class. (For information on defining security levels, see the description of the RDEFINE and RALTER commands.)

NOSECLEVELAUDIT
Deactivates auditing of access attempts to RACF-protected resources based on a security level.

NOSECLEVELAUDIT is in effect when RACF is using a newly initialized database.

SESSIONINTERVAL | NOSESSIONINTERVAL
SESSIONINTERVAL(n)
Sets the maximum value that can be specified by RDEFINE or RALTER for session key intervals. This n value must be a number in the range of 1 - 32767 (inclusive).
The SESSIONINTERVAL value after RACF data set initialization is 30. This value is used for:
  1. A default if SESSION is specified without INTERVAL on RDEFINE when defining an APPCLU class profile.
  2. An upper limit if INTERVAL is specified on RDEFINE or RALTER for APPCLU class profiles.
NOSESSIONINTERVAL
Disables the global limit on the number of days before a session key expires. The internal value is set to zero.
STATISTICS | NOSTATISTICS
Use these operands to cause RACF to record or not record statistical information for the specified class name. The valid class names are DATASET and those classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Note: If you activate or deactivate statistics processing for a class, all other classes in the class descriptor table with the same POSIT number are also activated or deactivated. If, for instance, you activate statistics processing for the TIMS class, statistics processing is activated for classes AIMS and GIMS because they share POSIT number 4.

For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.

STATISTICS(class-name ... | *)
Specifies that RACF is to record statistical information for class-name.

If you specify an asterisk (*), you activate the recording of statistical information for the DATASET class and all classes defined in the class descriptor table.

When RACF is using a newly initialized database, the recording of class statistics is turned off. Because statistics recording has an impact on system performance, it is recommended that you do not activate this option for any class until your installation evaluates the need to use it versus the potential performance impact. For more information, see z/OS Security Server RACF System Programmer's Guide.

NOSTATISTICS(class-name ... | *)
Specifies the names of the classes to be deleted from those previously defined to have statistical information recorded.

If you specify an asterisk (*), you deactivate the recording of statistical information for the DATASET class and all classes defined in the class descriptor table.

TAPEDSN | NOTAPEDSN
TAPEDSN
Activates tape data set protection. When tape data set protection is in effect, RACF can protect individual tape data sets as well as tape volumes.

If you activate tape data set protection, you should also activate the TAPEVOL class. If you do not also activate TAPEVOL, RACF does not check the retention period before it deletes a tape data set, and you must provide your own protection for tape data sets that reside on a volume that contains more than one data set.

Before you activate tape data set protection, see z/OS Security Server RACF Security Administrator's Guide for a complete description of the relationship between TAPEDSN and activating the TAPEVOL class.

NOTAPEDSN
Deactivates tape data set protection. When NOTAPEDSN is in effect, RACF cannot protect individual tape data sets, though it can protect tape volumes.

NOTAPEDSN is in effect when RACF is using a newly initialized database.

TERMINAL(READ | NONE)
Sets the universal access authority (UACC) associated with undefined terminals. If you specify TERMINAL but do not specify READ or NONE, the system prompts you for a value.
WHEN | NOWHEN
WHEN(PROGRAM)
Activates RACF program control, which includes both access control to load modules and program access to data sets.

To set up access control to load modules, you must identify your controlled programs by creating a profile for each in the PROGRAM class. To set up program access to data sets, you must add a conditional access list to the profile of each program-accessed data set. Then, when program control is active, RACF ensures that each controlled load module is executed only by callers with the defined authority. RACF also ensures that each program-accessed data set is opened only by users who are listed in the conditional access list with the proper authority and who are executing the program specified in the conditional access list entry.

When RACF is enabled for sysplex communication, the SETROPTS WHEN(PROGRAM) command and the SETROPTS WHEN(PROGRAM) REFRESH command are propagated to other members of the data sharing group if the command was successful on the system on which it was entered. When RACF is not enabled for sysplex communication, you must issue the SETROPTS WHEN(PROGRAM) command and the SETROPTS WHEN(PROGRAM) REFRESH command on each system sharing the database.

For more information about program control, see z/OS Security Server RACF Security Administrator's Guide.

Note: The PROGRAM class does not have to be active.
NOWHEN(PROGRAM)
Specifies that RACF program control is not to be active.

NOWHEN(PROGRAM) is in effect when RACF is using a newly initialized database.

Examples

Example 1
Operation: User FRG34 wants to establish logging options that cause RACF to log all activity in the USER and GROUP classes, log the activities of users with the SPECIAL and group-SPECIAL attributes, log all accesses allowed only because the user has the OPERATIONS or group-OPERATIONS attribute, log all command violations, and audit all attempts to access RACF-protected resources based on the installation-defined security level SECRET.
Known: User FRG34 has the AUDITOR attribute. SECRET is defined as a SECLEVEL profile in the SECDATA class.
User FRG34 wants to issue this command as a RACF TSO command.
Command: SETROPTS AUDIT(USER GROUP) OPERAUDIT SECLEVELAUDIT(SECRET)
Defaults: SAUDIT CMDVIOL

Example 2
Operation: User RVU03 wants to establish a set of password syntax rules that enforce the following:
  • The minimum password length is 4 characters
  • Four-character passwords must have at least one numeric and one alphabetic character
  • Five-character passwords must contain at least one numeric character or be completely alphabetic
  • Passwords of 6 or more characters consist of any combination of alphabetic and numeric characters.
Known: User RVU03 has the SPECIAL attribute.
User RVU03 wants to issue this command as a RACF TSO command.
Command: SETROPTS PASSWORD(RULE1(LENGTH(4:5) ALPHANUM(1:5)) RULE2(LENGTH(5) ALPHA(1:5)) RULE3(LENGTH(6:8) ALPHANUM(1:8)) RULE4(LENGTH(6:8) NUMERIC(1:8)) RULE5(LENGTH(6:8) ALPHA(1:8)))
Defaults: None.

Example 3
Operation: User ADM1 wants to display the RACF options currently in effect. MVS and VM systems share the RACF database.
Known: User ADM1 has the SPECIAL and AUDITOR attributes.
User ADM1 wants to issue this command as a RACF TSO command.
Command: SETROPTS LIST
Defaults: None.
Output: See Figure 1 for a sample listing.

Example 4
Operation: User RVU02 wants to establish system-wide options for an installation. The installation requires tape data set protection and tape volume protection, and the maximum password change interval is to be 60 days. The default RACF security retention period for tape data sets is to be 360 days.
Known: User RVU02 has the SPECIAL attribute.
User RVU02 wants to issue this command as a RACF TSO command.
Command: SETROPTS PASSWORD(INTERVAL(60)) CLASSACT(TAPEVOL) TAPEDSN RETPD(360)
Defaults: None.

Example 5
Operation: User ADM1 wants to enable the generic profile checking facility for the DATASET class.
Known: User ADM1 has the SPECIAL attribute.
User ADM1 wants to issue this command as a RACF TSO command.
Command: SETROPTS GENERIC(DATASET)
Defaults: None.

Example 6
Operation: User ADM1 wants to activate global access checking for the DATASET class.
Known: User ADM1 has the SPECIAL attribute.
User ADM1 wants to issue this command as a RACF TSO command.
Command: SETROPTS GLOBAL(DATASET)
Defaults: None.

Example 7
Operation: User ADM1 wants to activate erase-on-scratch processing for all resources with a security level of CONFIDENTIAL or higher and set the SWITCH and STATUS passwords for the RVARY command.
Known: User ADM1 has the SPECIAL attribute. The CONFIDENTIAL security level name is known to RACF.
User ADM1 wants to issue this command as a RACF TSO command.
Command: SETROPTS ERASE(SECLEVEL(CONFIDENTIAL)) RVARYPW(SWITCH(LINUS) STATUS(LUCY))
Defaults: None.

Example 8
Operation: The RACF system administrator wants to activate installation defaults for the primary and secondary national languages. The primary language is Japanese and the secondary language is Canadian French.
Known: The system administrator has the SPECIAL attribute. The MVS message service is not active. The 3-character language code for Japanese is JPN. The language code for Canadian French is FRC.
The system administrator wants to issue this command as a RACF TSO command.
Command: SETROPTS LANGUAGE(PRIMARY(JPN) SECONDARY(FRC))
Defaults: None.
Figure 1. Output for SETROPTS LIST
SETROPTS LIST
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) TERMINAL(READ) SAUDIT CMDVIOL NOOPERAUDIT
STATISTICS = DATASET AIMS APPL DASDVOL GCICSTRN GIMS PCICSPSB QCICSPSB TAPEVOL
       TCICSTRN TERMINAL TIMS
AUDIT CLASSES = DATASET USER GROUP AIMS APPL DASDVOL GCICSTRN GIMS
        PCICSPSB QCICSPSB TAPEVOL TCICSTRN TERMINAL TIMS
ACTIVE CLASSES = DATASET USER GROUP ACICSPCT AIMS APPL BCICSPCT CCICSCMD DASDVOL
         DCICSDCT ECICSDCT FCICSFCT GCICSTRN GIMS GLOBAL GMBR HCICSFCT
         JCICSJCT KCICSJCT MCICSPPT NCICSPPT PCICSPSB QCICSPSB RACGLIST
         SCICSTST TAPEVOL TCICSTRN TERMINAL TIMS UCICSTST VCICSCMD VMRDR
         VMMDISK 
GENERIC PROFILE CLASSES = DATASET ACICSPCT AIMS APPL CCICSCMD DASDVOL DCICSDCT
             FCICSFCT GMBR JCICSJCT MCICSPPT PCICSPSB SCICSTST
             TAPEVOL TCICSTRN TERMINAL TIMS VMBATCH VMCMD VMMDISK
             VMNODE VMRDR
GENERIC COMMAND CLASSES = DATASET ACICSPCT AIMS APPL CCICSCMD DASDVOL DCICSDCT
             FCICSFCT GMBR JCICSJCT MCICSPPT PCICSPSB SCICSTST
             TAPEVOL TCICSTRN TERMINAL TIMS VMBATCH VMCMD VMMDISK
             VMNODE VMRDR
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = VMMDISK
SETR RACLIST CLASSES = ACCTNUM DASDVOL
GLOBAL=YES RACLIST ONLY = JCICSJCT TCICSTRN
LOGOPTIONS "ALWAYS" CLASSES = DASDVOL GDASDVOL SECLABEL
LOGOPTIONS "NEVER" CLASSES = FACILITY VMXEVENT VXMBR
LOGOPTIONS "SUCCESSES" CLASSES = APPCLU RACFVARS RVARSMBR
LOGOPTIONS "FAILURES" CLASSES = DATASET PMBR PROGRAM PROPCNTL
LOGOPTIONS "DEFAULT" CLASSES = GTERMINL TAPEVOL TERMINAL
AUTOMATIC DATASET PROTECTION IS IN EFFECT
ENHANCED GENERIC NAMING IS IN EFFECT
REAL DATA SET NAMES OPTION IS ACTIVE
JES-BATCHALLRACF OPTION IS INACTIVE
JES-XBMALLRACF OPTION IS INACTIVE
JES-EARLYVERIFY OPTION IS INACTIVE
PROTECT-ALL OPTION IS NOT IN EFFECT
TAPE DATA SET PROTECTION IS ACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS 365 DAYS
ERASE-ON-SCRATCH IS INACTIVE
SINGLE LEVEL NAME PREFIX IS RDSPRFX
LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED.
DATA SET MODELLING NOT BEING DONE FOR GDGS.
USER DATA SET MODELLING IS BEING DONE.
GROUP DATA SET MODELLING IS BEING DONE.
Note: The second line of this display, ATTRIBUTES =, refers to global RACF attributes in effect. These attributes can be set only with the SETROPTS command. They are different from, and should not be confused with, the RACF user attributes.
PASSWORD PROCESSING OPTIONS:
 THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES
 PASSWORD CHANGE INTERVAL IS 254 DAYS.
 PASSWORD MINIMUM CHANGE INTERVAL IS 2 DAYS.
 MIXED CASE PASSWORD SUPPORT IS IN EFFECT.
 SPECIAL CHARACTERS ARE ALLOWED.
 13 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
 AFTER  4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.
  PASSWORD EXPIRATION WARNING LEVEL IS 186 DAYS.
 INSTALLATION PASSWORD SYNTAX RULES:
  RULE 1 LENGTH(4:5)  LLLLL
  RULE 2 LENGTH(5)   AAAAA
  RULE 3 LENGTH(6:8)  LLLLLLLL
  RULE 4 LENGTH(6:8)  NNNNNNNN
  RULE 5 LENGTH(6:8)  AAAAAAAA
 LEGEND:
  A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
  c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL s-SPECIAL x-MIXEDALL
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLEVELAUDIT IS INACTIVE
SECLABEL AUDIT IS IN EFFECT
SECLABEL CONTROL IS IN EFFECT
GENERIC OWNER ONLY IS IN EFFECT
COMPATIBILITY MODE IS IN EFFECT
MULTI-LEVEL QUIET IS IN EFFECT
MULTI-LEVEL STABLE IS IN EFFECT
NO WRITE-DOWN IS IN EFFECT. CURRENT OPTIONS: 
  "MLS WARNING" OPTION IS IN EFFECT 
MULTI-LEVEL SECURE IS IN EFFECT. CURRENT OPTIONS:
  "MLS WARNING" OPTION IS IN EFFECT
MULTI-LEVEL ACTIVE IS IN EFFECT. CURRENT OPTIONS:
  "MLACTIVE FAIL" OPTION IS IN EFFECT
CATALOGUED DATA SETS ONLY, IS IN EFFECT. CURRENT OPTIONS:
  "CATDSNS WARNING" OPTION IS IN EFFECT
USER-ID FOR JES NJEUSERID IS : ????????
USER-ID FOR JES UNDEFINEDUSER IS : ++++++++
PARTNER LU-VERIFICATION SESSIONKEY INTERVAL MAXIMUM/DEFAULT IS  30 days
APPLAUDIT IS IN EFFECT
ADDCREATOR IS IN EFFECT
KERBLVL = 0
MULTI-LEVEL FILE SYSTEM IS IN EFFECT
MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS IN EFFECT
MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
PRIMARY LANGUAGE DEFAULT : ENU / AMERICAN
SECONDARY LANGUAGE DEFAULT : ENU / AMERICAN
Note: The language name (in this example, AMERICAN) only appears if the MVS message service is active.
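The password syntax rules set in Example 2 appear in the SETROPTS LIST output above as one legend letter per position (RULE 1 LENGTH(4:5) LLLLL). The following Python, an added example and not IBM code, parses that display form and checks candidate passwords against it, so an administrator can confirm that a rule set really enforces the policy stated in Example 2 (a 4-character password needs both a letter and a digit; an all-numeric 5-character password is rejected). The sample listing text, the reading of ALPHA as A-Z only, and the character sets chosen for the NOVOWEL and ANYTHING legend codes are assumptions of this example.

```python
import re

# Constructed sample: the rule display produced by Example 2's command, in
# the format of the "INSTALLATION PASSWORD SYNTAX RULES" section above.
SAMPLE_RULES = """\
   RULE 1 LENGTH(4:5)  LLLLL
   RULE 2 LENGTH(5)   AAAAA
   RULE 3 LENGTH(6:8)  LLLLLLLL
   RULE 4 LENGTH(6:8)  NNNNNNNN
   RULE 5 LENGTH(6:8)  AAAAAAAA
"""
ALPHA = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")   # assumption: ALPHA is A-Z only
NUMERIC = set("0123456789")
VOWELS = set("AEIOU")
NATIONAL = set("#@$")                       # the $-NATIONAL legend class

# Legend letter -> characters allowed in that position.  A, L and N are the
# codes used by the page's rules; W and * are this example's reading of
# NOVOWEL and ANYTHING.  Lower-case (mixed) legend codes are not handled.
CLASSES = {
    "A": ALPHA,
    "N": NUMERIC,
    "L": ALPHA | NUMERIC,
    "C": ALPHA - VOWELS,
    "V": VOWELS,
    "W": (ALPHA - VOWELS) | NUMERIC | NATIONAL,
    "$": NATIONAL,
    "*": ALPHA | NUMERIC | NATIONAL,
}
RULE_RE = re.compile(r"RULE\s+(\d+)\s+LENGTH\((\d+)(?::(\d+))?\)\s+(\S+)")


def parse_rules(listing):
    """Return [(rule_number, min_len, max_len, pattern)] from LIST output."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        num, lo, hi, pattern = m.groups()
        lo, hi = int(lo), int(hi or lo)     # LENGTH(5) means exactly 5
        if len(pattern) < hi or any(c not in CLASSES for c in pattern):
            raise ValueError(f"rule {num}: unsupported pattern {pattern!r}")
        rules.append((int(num), lo, hi, pattern))
    return rules


def matches_rule(password, rule):
    """True if the password satisfies one rule (length and every position)."""
    _, lo, hi, pattern = rule
    pw = password.upper()
    if not lo <= len(pw) <= hi:
        return False
    if any(ch not in CLASSES[code] for ch, code in zip(pw, pattern)):
        return False
    # The ALPHANUM positions, taken together, must hold at least one letter
    # and one digit: this is what makes Example 2's 4-character passwords
    # need both, and what rejects an all-numeric 5-character password.
    lpos = [ch for ch, code in zip(pw, pattern) if code == "L"]
    if lpos and not (set(lpos) & ALPHA and set(lpos) & NUMERIC):
        return False
    return True


def first_matching_rule(password, rules):
    """A password is acceptable if it satisfies any one rule; return its number."""
    for rule in rules:
        if matches_rule(password, rule):
            return rule[0]
    return None
```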