RACLINK (Administer user ID associations)

Purpose

Use the RACLINK command to:
  • Define, approve, and delete (undefine) an established or pending user ID association
  • List information related to a user ID association
  • Establish password synchronization between user IDs
Note:
  1. When the RACLINK command is issued from ISPF, the TSO command buffer (including password data) is written to the ISPLOG data set. As a result, you should not issue this command from ISPF or you must control the ISPLOG data set carefully.
  2. If the RACLINK command is issued as a RACF® operator command, the command and the password data are written to the system log. Therefore, either use of RACLINK as a RACF operator command should be controlled or you should issue the command as a TSO command.

Issuing options

The following table identifies the eligible options for issuing the RACLINK command:

As a RACF TSO command?               Yes
As a RACF operator command?          Yes
With command direction?              No
With automatic command direction?    No
From the RACF parameter library?     No

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

You have the authority to issue the RACLINK command for your own user ID.

To issue the RACLINK DEFINE command you must also have sufficient authority to the proper profiles in the RRSFDATA class. For RACLINK DEFINE, this is the first security check performed. For more information, see z/OS Security Server RACF Security Administrator's Guide.

You can issue the RACLINK command for a user ID other than your own if you have the following authority over the user ID specified on the ID keyword:
  • You have the SPECIAL attribute.
  • The profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • You are the profile owner.

When the DEFINE keyword is specified and the command issuer has sufficient authority to perform the RACLINK command for the user ID, the user ID association is implicitly approved if:
  • A valid password or password phrase is supplied for the user ID specified on the DEFINE keyword.
  • The command issuer has one of the following authorities over the user ID specified on the DEFINE keyword:
    • The command issuer has the SPECIAL attribute.
    • The profile is within the scope of a group in which the command issuer has the group-SPECIAL attribute.
    • The command issuer is the owner of the profile.
  • The command issuer has an association with a user ID on the node specified on the DEFINE keyword. That association must be either a PEER association or a MANAGED association with the command issuer as the manager. The user ID with which the command issuer has the association must have one of the following authorities over the user ID specified on the DEFINE keyword:
    • It has the SPECIAL attribute.
    • The profile is within the scope of a group in which it has the group-SPECIAL attribute.
    • It is the owner of the profile.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RACLINK command, assembled from the operand forms described under Parameters, is:

[subsystem-prefix]RACLINK
   [ ID(userid1 ...) ]
   [ LIST([node | *].[userid2 | *] ...) ]
   [ DEFINE([node].userid2[/password] ...) [ MANAGED | PEER(NOPWSYNC) | PEER(PWSYNC) ] ]
   [ UNDEFINE([node].userid2 ...) ]
   [ APPROVE([node1].userid1 ...) ]

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

ID(userid1 ...)
Specifies the user for whom the RACLINK operation is to be performed. Specify one or more user IDs on the RRSF node from which the command is issued.

If this operand is not specified, the command defaults to the user issuing the command at the node where the command is issued.

LIST([node | *].[userid2 | *] ...)
Specifies that a list of associations for node.userid2 is to be displayed. If multiple user IDs are specified, then multiple lists are displayed, one for each user ID specified.

RACLINK LIST(*.*) is the default. RACLINK LIST(*.*) lists all user ID associations for the specified user ID or, if the ID keyword is not specified, for the issuer's user ID.

If the node name is not specified, the default is the local node.

The node names you specify must have been defined as RRSF nodes with the TARGET command.

The following information is displayed for each user ID association:
  • User ID association type
    • Peer association
    • Managed association (including whether the specified user ID is the managed user ID or the managing user ID)
  • Password synchronization status
    • YES (password synchronization is active)
    • NO (password synchronization is inactive)
    • N/A (password synchronization is not applicable to a managed association)
  • User ID association status
    • PENDING APPROVAL BY userid (waiting for userid to approve or reject the user ID association)
    • ESTABLISHED (the user ID association has been approved)
    • SYSTEM ERROR (an unexpected error occurred on the target node that prevented the user ID association from being completed). The user ID association should be deleted and then defined again. See the notes under the DEFINE keyword for additional details.

DEFINE([node].userid2[/password] ...)
Specifies that a user ID association is to be formed between userid1 at the node where the command was issued, and userid2 at node. If you specify more than one node.userid2 operand, an association is established between userid1 and each node.userid2 specified. A user ID association enables RACF users to utilize command direction and password synchronization.

If the password or phrase contains special characters that cause problems with TSO/E, the entire string ([node].userid2[/password]) must be enclosed in single quotation marks. For example, if the phrase contains blanks, or special characters such as the comma, parenthesis, or comment delimiter (/*), the string must be enclosed in quotes. Likewise, when a password or phrase starts with an asterisk, the string must be enclosed in quotes.

To issue the RACLINK DEFINE command, you need READ access to the following profile in the RRSFDATA class:
  • RACLINK.DEFINE.node

The RRSFDATA class must be active.

When the DEFINE keyword is specified and the command issuer has sufficient authority to perform the RACLINK command for the user ID, the user ID association is implicitly approved if any of the following are true:
  • A valid password is supplied for node.userid2 on the DEFINE keyword.
  • The command issuer has one of the following authorities over userid2 on the DEFINE keyword:
    • The command issuer has the SPECIAL attribute.
    • The profile is within the scope of a group in which the command issuer has the group-SPECIAL attribute.
    • The command issuer is the owner of the profile.
  • The command issuer has an association with a user ID on the node specified on the DEFINE keyword. That association must be either a PEER association or a MANAGED association with the command issuer as the manager. The user ID with which the command issuer has the association must have one of the following authorities over userid2 on the DEFINE keyword:
    • It has the SPECIAL attribute.
    • The profile is within the scope of a group in which it has the group-SPECIAL attribute.
    • It is the owner of the profile.

Otherwise, a user ID association requires explicit approval by node.userid2 with the RACLINK APPROVE command.

Although it is possible for the command issuer to have more than 50 associated user IDs on the target node, only the first 50 are used for authority checking. RACLINK issues a message if more than 50 user ID associations exist for the command issuer.

An association is PENDING until node.userid2 either approves the association with a RACLINK APPROVE command or rejects the association with a RACLINK UNDEFINE command.

Note:
  1. Under certain circumstances, RACLINK DEFINE(node.userid) requests can be issued by two users. If both requests are consistent, RACF treats this as an implicit approval, and the entry is marked established in the target user ID's profile. An entry is considered consistent if the association type (PEER(PWSYNC) or PEER(NOPWSYNC)) is the same. If the requests are not consistent (for example, differing PEER definitions, or both users requesting a MANAGED association), RACF fails the request and the entries remain in a pending state. To correct this situation, the user(s) need to undefine and redefine the user ID associations.
  2. When creating a user ID association with a revoked user ID:
    • If a RACLINK DEFINE command is coded without the password operand and the target user ID is a revoked user, the results vary depending on the authority of the command issuer and the user ID associations of the command issuer. The user ID association with the revoked user ID is created, and the status displayed by a RACLINK LIST command is ESTABLISHED, when one of the following is true:
      • The command issuer has sufficient authority (SPECIAL, group-SPECIAL, or owner) over the target user ID.
      • The command issuer has a PEER association, or is the manager of a MANAGED association, with a user ID on the target node, and the associated user ID has sufficient authority over the target user ID.
  3. If a RACLINK DEFINE command is coded without the password operand, the target user ID is a revoked user ID, and the command issuer does not have sufficient authority (SPECIAL, group-SPECIAL, or owner) over the target user ID, the user ID association is created and the status displayed by a RACLINK LIST command is PENDING APPROVAL BY userid2.
  4. If a RACLINK DEFINE command is coded with the password operand and the target user is a revoked user, the user ID association is not established and the status displayed by a RACLINK LIST is SYSTEM ERROR.
  5. If a RACLINK DEFINE command is coded with a password phrase and the target system is at a release before z/OS V2R2, the association will be in the PENDING APPROVAL state and message IRRT032I will not be issued. In this case, the target user ID must log on and explicitly approve the request.
  6. If a RACLINK DEFINE command is attempted to a node which is denying inbound work, the user ID association is not established and the status displayed by a RACLINK LIST is SYSTEM ERROR.
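The DEFINE approval rules above (the issuer's own authority, authority borrowed through one of the issuer's first 50 associations, and notes 4 and 6) as an added Python model for reasoning about which associations bypass explicit approval; this is not IBM code, and User, Association and define_outcome are hypothetical names. The PermissionError for the RRSFDATA check stands in for whatever RACF actually issues, and note 5 (pre-V2R2 targets) is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_ASSOCIATIONS_CHECKED = 50   # RACLINK uses only the issuer's first 50 associations


@dataclass
class User:
    node: str
    userid: str
    special: bool = False
    group_special_scope: Set[str] = field(default_factory=set)  # user IDs within this user's group-SPECIAL scope
    owns: Set[str] = field(default_factory=set)                 # user IDs whose profile this user owns
    revoked: bool = False


@dataclass
class Association:
    kind: str                       # "PEER" or "MANAGED"
    other: User                     # the associated user ID on its node
    manager: Optional[str] = None   # for MANAGED: userid of the managing side


def has_authority(who: User, target: User) -> bool:
    """SPECIAL, group-SPECIAL scope, or ownership of the target's profile."""
    return who.special or target.userid in who.group_special_scope or target.userid in who.owns


def define_outcome(issuer: User, target: User, password_supplied: bool,
                   associations: List[Association], can_define_to_node: bool = True,
                   node_denies_inbound: bool = False) -> str:
    """Status RACLINK LIST would show after RACLINK DEFINE, per the rules above (hypothetical model)."""
    # First check: READ access to RACLINK.DEFINE.node in the RRSFDATA class.
    if not can_define_to_node:
        raise PermissionError("no READ access to RACLINK.DEFINE." + target.node)
    if node_denies_inbound:                      # note 6: target node refuses inbound work
        return "SYSTEM ERROR"
    if password_supplied:                        # a valid password implicitly approves ...
        return "SYSTEM ERROR" if target.revoked else "ESTABLISHED"   # ... unless target is revoked (note 4)
    if has_authority(issuer, target):            # SPECIAL, group-SPECIAL scope, or owner
        return "ESTABLISHED"
    # Authority borrowed through an existing association on the target node.
    for assoc in associations[:MAX_ASSOCIATIONS_CHECKED]:
        if assoc.other.node != target.node:
            continue
        usable = assoc.kind == "PEER" or (assoc.kind == "MANAGED" and assoc.manager == issuer.userid)
        if usable and has_authority(assoc.other, target):
            return "ESTABLISHED"
    return "PENDING APPROVAL BY " + target.userid
```

Example 3 below (BETH defines a MANAGED association to NODE1.DENICE without a password or authority) lands in the final PENDING branch.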
The type of association you want to establish is specified with one of the following:
MANAGED
Specifies a managed association.

A managed association does not provide password synchronization. A managed association allows commands to be directed from the managing user ID to the managed user ID (that is, from userid1 to node.userid2).

A managed association does not allow commands to be directed from the managed user ID to the managing user ID (that is, node.userid2 cannot direct commands to userid1).

PEER(NOPWSYNC)
Specifies a peer association without password synchronization.

Either user ID in a peer association can direct commands to the other user ID in the association.

If no association type is specified, PEER(NOPWSYNC) is the default.

PEER(PWSYNC)
Specifies a peer association with password synchronization.

Either user ID in a peer association can direct commands to the other user ID in the association.

If either user in the association changes their password, the password is automatically changed for the other user in the association.

READ access to the RACLINK.PWSYNC.node resource is required to use the RACLINK command to define a peer association with the PWSYNC attribute. READ access to the PWSYNC resource is required to synchronize the passwords when one of the associated users changes their password.

If the RRSFDATA class is not active, you cannot define an association with the PWSYNC attribute, or synchronize passwords.

UNDEFINE([node].userid2 ...)
Specifies that a user ID association is ended between userid2 on node and userid1 on the node where the command is processed. Either member of an association can end an association.

If a user ID has attempted to establish an association with your user ID which requires approval, and you do not want to approve it, use the UNDEFINE keyword to reject the pending association.

APPROVE([node1].userid1 ...)
Specifies that userid2 on node2 approves of a pending association between userid2 at node2 and userid1 at node1. node1 is the node where the RACLINK DEFINE was issued, and node2 is the node where userid2 issues the command.

Examples

Example 1

Operation: The security administrator wants to know what, if any, associations user DENICE has with user BETH.
Known: The security administrator wants to issue the command as a RACF TSO command.
Command: RACLINK ID(DENICE) LIST(*.BETH)
Defaults: None.
Output: See Figure 1.

Example 2

Operation: User DENICE wants to define password synchronization between all of her MVS user IDs: DENICE at NODE1, DENICE at NODE2, and DENICE at NODE3.
Known: DENICE wants to issue the command as a RACF TSO command. DENICE has the authority to issue the RACLINK command for her own user IDs and has the authority to establish password synchronization for her own user IDs. The command is to be issued from DENICE at NODE1.
Command: RACLINK DEFINE(NODE2.DENICE/passw2 NODE3.DENICE/passw3) PEER(PWSYNC)
Defaults: None.
Results: DENICE at NODE1 receives the following messages:
IRRT032I RACLINK command to associate user ID DENICE with
     NODE2.DENICE is pending approval.
IRRT032I RACLINK command to associate user ID DENICE with
     NODE3.DENICE is pending approval.
IRRP097I Peer association with DENICE at node NODE2 has been
     approved.
IRRP097I Peer association with DENICE at node NODE3 has been
     approved.

When user DENICE changes her password on one of her MVS user IDs, the new password propagates to, and takes effect on, her other user IDs. The password is checked for validity only on the node where user DENICE issues the command to change her password, not at any of the other nodes.

Example 3

Operation: User BETH wants to define a MANAGED user ID association where BETH is the managing user ID and DENICE is the managed user ID.
Known: User BETH:
  • wants to issue the command as a RACF TSO command,
  • does not know the password for user DENICE, and
  • has the authority to issue the RACLINK command for her own user ID.
Command: RACLINK DEFINE(NODE1.DENICE) MANAGED
Defaults: None.
Results: User BETH receives the following message:
IRRT032I RACLINK command to associate user ID BETH with
     NODE1.DENICE is pending approval.
User DENICE receives the following message:
IRRP094I Managed association with DENICE at node NODE1 issued
     by BETH waiting for your approval.

The association remains pending until DENICE at NODE1 either approves the association with a RACLINK APPROVE command or rejects the association with a RACLINK UNDEFINE command.

Figure 1. Example 1: Output for the RACLINK LIST Command
ASSOCIATION information for user ID DENICE on node NODE1
at 1:12:31 on 04/01/95:

 Association  Node.userid    Password  Association 
  Type                         Sync       Status 
 ___________  ____________   ________  _____________ 

PEER OF       NODE1.BETH       YES      ESTABLISHED

MANAGED BY    NODE2.BETH       N/A      PENDING APPROVAL BY DENICE

PEER OF       NODE3.BETH       NO       PENDING APPROVAL BY BETH
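An added Python parser for the RACLINK LIST layout shown in Figure 1 (not IBM code), which turns the report into records and buckets them the way a reviewer of a user ID's associations would want: peers with password synchronization active, pending requests that this user ID must approve or reject with UNDEFINE, pending requests waiting on the other side, and SYSTEM ERROR entries. The sample report is constructed from Figure 1; parse_list and audit are hypothetical names, and the association type is matched as any two upper-case words because the page shows only PEER OF and MANAGED BY.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample laid out like Figure 1 above (names and nodes from the page).
SAMPLE_LIST_OUTPUT = """\
ASSOCIATION information for user ID DENICE on node NODE1
at 1:12:31 on 04/01/95:

 Association  Node.userid    Password  Association
  Type                         Sync       Status
 ___________  ____________   ________  _____________

PEER OF       NODE1.BETH       YES      ESTABLISHED
MANAGED BY    NODE2.BETH       N/A      PENDING APPROVAL BY DENICE
PEER OF       NODE3.BETH       NO       PENDING APPROVAL BY BETH
"""

HEADER = re.compile(r"for user ID (\S+) on node (\S+)")
# association type (two upper-case words), node.userid, sync flag, status text to end of line
ROW = re.compile(r"^([A-Z]+ [A-Z]+)\s+(\S+)\.(\S+)\s+(YES|NO|N/A)\s+(.+?)\s*$")


def parse_list(text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (user ID the list is for, one dict per association row)."""
    owner = HEADER.search(text).group(1)
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)        # header and underline rows start with a blank, so they never match
        if m:
            rows.append(dict(zip(("type", "node", "userid", "pwsync", "status"), m.groups())))
    return owner, rows


def audit(text: str) -> Dict[str, List[str]]:
    """Bucket associations by what a reviewer of this user ID would look at."""
    owner, rows = parse_list(text)
    report = {"pwsync_peers": [], "awaiting_my_approval": [], "awaiting_other": [], "system_error": []}
    for r in rows:
        ref = r["node"] + "." + r["userid"]
        if r["pwsync"] == "YES":                  # a password change on either side propagates
            report["pwsync_peers"].append(ref)
        if r["status"].startswith("PENDING APPROVAL BY "):
            who = r["status"].split()[-1]
            report["awaiting_my_approval" if who == owner else "awaiting_other"].append(ref)
        elif r["status"] == "SYSTEM ERROR":       # the DEFINE notes say: undefine, then define again
            report["system_error"].append(ref)
    return report
```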