SIGNOFF (Sign off sessions)
Background
Persistent verification allows users to sign on to a partner LU (logical unit) and have their authority persist. In other words, once a user has signed on, a password is not required for subsequent signon attempts.
APPC/MVS invokes RACF to create and maintain a list called the signed-on-from list. If persistent verification is being used, the signed-on-from list consists of the users currently signed on with Persistent Verification authority.
Purpose
- User ID
- Group
- APPL (the local LU name)
- POE (the partner LU name from which the user is signed on)
The SIGNOFF command has operands which correspond to the preceding items. You can use these operands to select which user entries to remove from the signed-on-from list.
To determine which user entries are signed off by issuing a particular SIGNOFF command, issue a DISPLAY command with corresponding selection criteria.
Issuing options
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
No | Yes | No | No | Yes |
For information on issuing this command as a RACF® operator command, see RACF operator commands.
Related commands
Use the DISPLAY operator command to view the signed-on-from list.
Authorization required
You might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the SIGNOFF command is:
subsystem-prefixSIGNOFF |
APPL(local-luname | *) |
POE(partner-luname | *) |
USER(userid-name | *) |
[ GROUP(group-name | *) ] |
[ SECLABEL(security-label | *) ] |
For information on issuing this command as a RACF operator command, see Rules for entering RACF operator commands.
Parameters
- subsystem-prefix
- Specifies
that the RACF subsystem is the processing environment of the command.
The subsystem prefix can be either the installation-defined prefix
for RACF (1 - 8
characters) or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- APPL(local-luname | * )
- This is a required operand. The local-luname is a 1 - 8 character name of the local LU to be searched for. An asterisk can occupy the last position of the local-luname in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any APPL name in the signed-on-from list.
- POE(partner-luname | * )
- This is a required operand. The partner-luname is a 1 - 7 character name of the partner LU to be searched for. A partner-luname consisting of a single asterisk is permitted as a full generic that matches any POE name in the signed-on-from list.
- USER(userid-name | * )
- This is a required operand. The userid-name is a 1 - 8 character specification which represents the RACF user ID to be searched for. A character string consisting of a single asterisk is permitted as a full generic that matches any user ID in the signed-on-from list.
- GROUP(group-name | * )
- This
is an optional operand. The group-name is
a 1 - 8
character name which represents the RACF group to be searched for.
A character string consisting of a single asterisk is also permitted
as a full generic which matches any group-name in
the signed-on-from list. If this operand is not specified, the default
value is a group-name consisting of blanks.
Note that entries in the signed-on-from list might not always be added to that list with a group-name value. Such entries have group-names consisting of blanks.
- SECLABEL(security-label | * )
- This is an optional operand. The security-label is a 1 - 8 character name that represents the RACF security label to be searched for. This operand is currently ignored.
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | Sign off a user from a local/partner LU pair. |
Known | The local LU is locallu, the partner LU is prtnrlu5, and the userid-name is jim. The RACF subsystem prefix is @. | |
Command | @signoff user(jim),appl(locallu),poe(prtnrlu5) | |
Defaults | A group-name consisting of blank characters. | |
2 | Operation | Sign off all of the users from a local/partner LU pair. |
Known | The local LU is locallu, the partner LU is prtnrlu5, and the RACF subsystem prefix is @. | |
Command | @signoff appl(locallu),poe(prtnrlu5),user(*) | |
Defaults | A group-name consisting of blank characters. | |
3 | Operation | Sign off a user from all the local/partner LU pairs to which that user is signed on. |
Known | The userid-name is Kurt, and the RACF subsystem prefix is @. | |
Command | @signoff appl(*),poe(*),group(*),user(jim) | |
Defaults | None. | |
4 | Operation | Sign off all users from all the partner LUs of a particular local LU. |
Known | The local LU is locallu, the RACF subsystem prefix is @. | |
Command | @signoff appl(locallu),poe(*),user(*),group(*) | |
Defaults | None. | |
5 | Operation | Sign off all users of a particular group from a particular local LU. |
Known | The local LU is locallu, the group is grp1, and the RACF subsystem prefix is @. | |
Command | @signoff appl(locallu),poe(*),user(*),group(grp1) | |
Defaults | None. |