DELDSD (Delete data set profile)
Purpose
Use the DELDSD command to remove RACF® protection from tape or DASD data sets that are protected by either discrete or generic profiles.
- The RACF indicator for the data set is turned off. For a DASD data set, the indicator is in the DSCB for a non-VSAM data set or in the catalog entry for a VSAM data set. For a tape data set, the indicator is in the TVTOC entry for the data set in the corresponding TAPEVOL profile.
- The data set profile is deleted from the RACF database. (Note that the data set itself
is not physically deleted or scratched.)
If all the data sets in the TVTOC have expired, then RACF deletes the TAPEVOL profiles and the associated tape DATASET profiles.
To remove RACF protection from a non-VSAM DASD data set that is protected by a discrete profile, the data set must be online and not currently in use. For a VSAM data set that is protected by a discrete profile, the catalog for the data set must be online. The VSAM data set itself must also be online if the VSAM catalog recovery option is being used. If the required data set or catalog is not online, the DELDSD command processor requests that the volume be mounted if you have the TSO MOUNT authority.
- The user of the data set issues the LISTDSD command:
LISTDSD DA(data-set-protected-by-the-profile) GENERIC
Note: Use the data set name, not the profile name. - The security administrator issues the SETROPTS command:
SETROPTS GENERIC(DATASET) REFRESH
See SETROPTS command for authorization requirements.
- The user of the data set logs off and logs on again.
Issuing options
The following table identifies the eligible options for issuing the DELDSD command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To create a data set profile, see ADDSD (Add data set profile).
- To change a data set profile, see ALTDSD (Alter data set profile).
- To display a data set profile, see LISTDSD (List data set profile).
- To obtain a list of data set profiles, see SEARCH (Search RACF database).
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
- You have the SPECIAL attribute.
- The data set profile is within the scope of a group in which you have the group-SPECIAL attribute.
- The high-level qualifier of the profile name (or the qualifier supplied by a command installation exit) is your user ID.
- You are the owner of the profile.
- For a discrete profile, you are on the access list with ALTER authority.
- For a discrete profile, your group or one of your groups (if checking list of groups is active) is on the access list and has ALTER authority.
- For a discrete profile, the universal access authority is ALTER.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DELDSD command is:
[subsystem-prefix]{DELDSD | DD} |
(profile-name...) |
[ AT([node].userid ...) | ONLYAT([node].userid ...) ] |
[ GENERIC | NOSET | SET ] |
[ VOLUME(volume-serial) ] |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem
prefix can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- profile-name ...
- Specifies
the name of the discrete or generic profile. If you specify more than
one profile, the list must be enclosed in parentheses.
This operand is required and must be the first operand following DELDSD.
Note: Because RACF uses the RACF database and not the system catalog, you cannot use alias data set names. - AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed only to the local node.
- GENERIC | NOSET | SET
- If you do not specify GENERIC, NOSET, or SET, the default
value is SET.
- GENERIC
- Specifies that RACF is to treat the profile name as a generic name, even if it does not contain any generic characters.
- NOSET | SET
- Specifies
whether the RACF indicator
should be set off or not. If the profile name contains a generic character or if you specify GENERIC, RACF ignores this operand.
- NOSET
- Specifies
that RACF is not to turn off
the RACF indicator for the
data set.
Use NOSET when you are transferring a RACF-indicated data set to another system where it is also to be RACF-protected. Leaving the indicator on prevents unauthorized access to the data set until it can be redefined on the new system. (To delete multiple data set profiles, see Example 2 for the SEARCH command.)
When you specify NOSET for a tape data set protected by a discrete profile, RACF deletes the discrete profile but retains the TVTOC entry for the data set name. You can then use a generic profile to protect the data set.
If you specify NOSET, the volumes on which the data set or catalog resides need not be online.
To use NOSET, you must have the SPECIAL attribute, the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the data set name (or the qualifier supplied by the naming conventions table or by a command installation exit) must be your user ID.
- SET
- Specifies that RACF is to turn off the RACF indicator for the data set. Use SET, which is the default value, when you are removing RACF protection for a data set. If the indicator is already off, the command fails.
- VOLUME(volume-serial)
- Specifies
the volume on which the tape data set, the non-VSAM DASD data set,
or the catalog for the VSAM data set resides.
If you specify this operand and volume-serial does not appear in the profile for the data set, the command fails.
If the data set name appears more than once in the RACF database and you do not specify VOLUME, the command fails. If the data set name appears only once and you do not specify VOLUME, no volume serial number checking is performed, and processing continues.
If the profile name contains a generic character or if you specify GENERIC, RACF ignores this operand.
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | User EH0 wants to remove discrete profile RACF protection from data set CD0.DEPT1.DATA. User EH0 wants to direct the command to run at node CPPD0 under the authority of user GCP02 and prohibit the command from being automatically directed to other nodes. |
Known | User GCP02 at CPPD0 owns data set CD0.DEPT1.DATA. User EH0 wants to issue the command as a RACF TSO command. Users EH0 and GCP02 at CPPD0 have an already established user ID association. Users EH0 and GCP02 at CPPD0 have the SPECIAL attribute. | |
Command | DELDSD 'CD0.DEPT1.DATA' ONLYAT(CPPDO.GCP02) | |
Results | The command is only processed at node CPPD0 and not automatically directed to any other nodes in the RRSF configuration. | |
2 | Operation | User KLE05 wants to enter a RACF TSO command to remove discrete profile protection from data set KLE05.DUPDS1.DATA. The data set is a duplicate data set, and the user wants to remove the profile for the data set on volume DU2 without turning off the RACF indicator. |
Command | DELDSD DUPDS1.DATA VOLUME(DU2) NOSET | |
Defaults | None. | |
3 | Operation | User JTB01 wants to delete the generic profile and remove RACF protection from the data set or sets protected by the profile SALES.*.DATA |
Known | User JTB01 has the group-SPECIAL attribute in group SALES. User JTB01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @. | |
Command | @DELDSD 'SALES.*.DATA' | |
Defaults | None. |