RACROUTE REQUEST=DEFINE: Define, modify, rename, or delete a resource for RACF

The RACROUTE REQUEST=DEFINE macro defines, modifies, renames, or deletes resource profiles for RACF®. You can also use it for special cases of authorization checking. RACF uses the resulting profiles to perform authorization checking when a user requests access to a RACF-protected resource.

In general, you should use the RACF command processors to create RACF resource profiles, because only the command processors do complete validation of profile name syntax. If you use RACROUTE REQUEST=DEFINE instead, you should create profiles which are supported by the command processors. For instance, RACROUTE REQUEST=DEFINE allows you to create a fully qualified generic profile in a general resource class and a data set profile containing characters that are not valid, but those profiles are not supported by the RACF command processors.

The RACROUTE REQUEST=DEFINE preprocessing and postprocessing exit routines can change or add the RACROUTE REQUEST=DEFINE parameters OWNER, LEVEL, UACC, or AUDIT.

The RACROUTE REQUEST=DEFINE caller must be authorized (APF-authorized, in system key 0–7, or in supervisor state).

The caller cannot hold any locks when issuing RACROUTE REQUEST=DEFINE.

When activated, automatic direction of application updates propagates RACROUTE REQUEST=DEFINE updates to selected remote nodes.

Not all RACROUTE REQUEST=DEFINE requests update the RACF database. The ENVIR=VERIFY keyword specifies that no profile is to be created, but that the user's authority is to be checked. Automatic direction of application updates does not propagate a RACROUTE REQUEST=DEFINE if ENVIR=VERIFY is specified. Similarly, many RACROUTE REQUEST=DEFINE requests are issued with RACFIND=NO to check if a user is authorized to create a data set or catalog a data set based on a generic profile. RACROUTE REQUEST=DEFINE RACFIND=NO requests for DASD data sets are not propagated. RACROUTE REQUEST=DEFINE requests for tape data sets are propagated even when RACFIND=NO is specified because even though no data set profile is updated, an update might be made to the TVTOC in a TAPEVOL profile.

Only RACROUTE REQUEST=DEFINE requests with return code 0 are propagated.