SETROPTS administration

The following tables define SETROPTS field names and their usage. All field names relate directly to SETROPTS keywords. Although the fields are alphabetized in the following table, there is no defined order in which the fields are returned when using the extract function. See z/OS Security Server RACF Command Language Reference for questions pertaining to field usage and data. Note that within the command image generated internally, RACF® truncates long keywords to 12 characters.

Boolean fields are identified in the field name column. Unless otherwise noted, a field is a character field by default.

When SETROPTS extract returns the fields which contain a list of classes (CLASSACT, CLASSTAT, GENCMD, GENERIC, GENLIST, GLOBAL, RACLIST, AUDIT, LOGALWYS, LOGNEVER, LOGSUCC, LOGFAIL, AND LOGDEFLT), each class name (including the final one) will be padded with blanks to eight characters, and followed by a single blank. Therefore, you can determine the number of classes by dividing the total field length by nine.

Table 1. BASE segment field names
Field name	Flag byte value	SETROPTS keyword reference
ADDCREAT (boolean)	'Y'	ADDCREATOR
ADDCREAT (boolean)	'N'	NOADDCREATOR
ADSP (boolean)	'Y'	ADSP
ADSP (boolean)	'N'	NOADSP
APPLAUDT (boolean)	'Y'	APPLAUDIT
APPLAUDT (boolean)	'N'	NOAPPLAUDIT
AUDIT	'A'	AUDIT (xx ...)
AUDIT	'D'	NOAUDIT (xx ...)
CATDSNS	'Y'	CATDSNS ( xx )
CATDSNS	'N'	NOCATDSNS
CLASSACT	'A'	CLASSACT (xx ...)
CLASSACT	'D'	NOCLASSACT (xx ...)
CLASSTAT	'A'	STATISTICS (xx ...)
CLASSTAT	'D'	NOSTATISTICS (xx ...)
CMDVIOL (boolean)	'Y'	CMDVIOL
CMDVIOL (boolean)	'N'	NOCMDVIOL
COMPMODE (boolean)	'Y'	COMPATMODE
COMPMODE (boolean)	'N'	NOCOMPATMODE
EGN (boolean)	'Y'	EGN
EGN (boolean)	'N'	NOEGN
ERASE (boolean)	'Y'	ERASE
ERASE (boolean)	'N'	NOERASE
ERASEALL (boolean)	'Y'	ERASE (ALL)
ERASESEC	'Y'	ERASE (SECLEVEL ( xx ) )
ERASESEC	'N'	ERASE (NOSECLEVEL)
GENCMD	'A'	GENCMD (xx ...)
GENCMD	'D'	NOGENCMD (xx ...)
GENERIC	'A'	GENERIC (xx ...)
GENERIC	'D'	NOGENERIC (xx ...)
GENLIST	'A'	GENLIST (xx ...)
GENLIST	'D'	NOGENLIST (xx ...)
GENOWNER (boolean)	'Y'	GENERICOWNER
GENOWNER (boolean)	'N'	NOGENERICOWNER
GLOBAL	'A'	GLOBAL (xx ...)
GLOBAL	'D'	NOGLOBAL (xx ...)
GRPLIST (boolean)	'Y'	GRPLIST
GRPLIST (boolean)	'N'	NOGRPLIST
HISTORY	'Y'	PASSWORD (HISTORY ( xx ))
HISTORY	'N'	PASSWORD (NOHISTORY)
INACTIVE	'Y'	INACTIVE (xx)
INACTIVE	'N'	NOINACTIVE (xx)
INITSTAT (boolean)	'Y'	INITSTATS
INITSTAT (boolean)	'N'	NOINITSTATS
INTERVAL	'Y'	PASSWORD (INTERVAL ( xx ))
JESBATCH (boolean)	'Y'	JES (BATCHALLRACF)
JESBATCH (boolean)	'N'	JES (NOBATCHALLRACF)
JESEARLY (boolean)	'Y'	JES (EARLYVERIFY)
JESEARLY (boolean)	'N'	JES (NOEARLYVERIFY)
NOTE: Early verification is always done, even if the SETROPTS command has been issued with JES(NOEARLYVERIFY) specified. See the z/OS Security Server RACF Security Administrator's Guide: JES user ID early verification in z/OS Security Server RACF Security Administrator's Guide.
JESNJE	'Y'	JES (NJEUSERID( xx ) )
JESUNDEF	'Y'	JES (UNDEFINEDUSER( xx ) )
JESXBM (boolean)	'Y'	JES (XBMALLRACF)
JESXBM (boolean)	'N'	JES (NOXBMALLRACF)
KERBLVL	'Y'	KERBLVL(xx)
LIST (boolean)	'Y'	LIST
NOTE: The LIST field is not returned by ADMN_UNL_SETR or ADMN_XTR_SETR.
LOGALWYS	'Y'	LOGOPTIONS (ALWAYS (xx ...))
LOGDEFLT	'Y'	LOGOPTIONS (DEFAULT (xx ...))
LOGFAIL	'Y'	LOGOPTIONS (FAILURES (xx ...))
LOGNEVER	'Y'	LOGOPTIONS (NEVER (xx ...))
LOGSUCC	'Y'	LOGOPTIONS (SUCCESSES (xx ...))
MINCHANG	'Y'	PASSWORD (MINCHANG(xx))
MIXDCASE (boolean)	'Y'	PASSWORD (MIXEDCASE)
MIXDCASE (boolean)	'N'	PASSWORD (NOMIXEDCASE)
MLACTIVE	'Y'	MLACTIVE ( xx )
MLACTIVE	'N'	NOMLACTIVE
MLFS	'Y'	MLFSOBJ(xx)
MLIPC	'Y'	MLIPCOBJ(xx)
MLNAMES (boolean)	'Y'	MLNAMES
MLNAMES (boolean)	'N'	NOMLNAMES
MLQUIET (boolean)	'Y'	MLQUIET
MLQUIET (boolean)	'N'	NOMLQUIET
MLS	'Y'	MLS ( xx )
MLS	'N'	NOMLS
MLSTABLE (boolean)	'Y'	MLSTABLE
MLSTABLE (boolean)	'N'	NOMLSTABLE
MODEL (boolean)	'N'	NOMODEL
MODGDG (boolean)	'Y'	MODEL (GDG)
MODGDG (boolean)	'N'	MODEL (NOGDG)
MODGROUP (boolean)	'Y'	MODEL (GROUP)
MODGROUP (boolean)	'N'	MODEL (NOGROUP)
MODUSER (boolean)	'Y'	MODEL (USER)
MODUSER (boolean)	'N'	MODEL (NOUSER)
OPERAUDT (boolean)	'Y'	OPERAUDT
OPERAUDT (boolean)	'N'	NOOPERAUDT
PHRINT	'Y'	PASSWORD (PHRASEINT(xx))
PREFIX	'Y'	PREFIX ( xx )
PREFIX	'N'	NOPREFIX
PRIMLANG	'Y'	LANGUAGE (PRIMARY ( xx ) )
PROTALL	'Y'	PROTECTALL ( xx )
PROTALL	'N'	NOPROTECTALL
PWDALG	'Y'	PASSWORD (ALGORITHM ( xx ))
PWDALG	'N'	PASSWORD (NOALGORITHM)
PWDSPEC (boolean)	'Y'	PASSWORD (SPECIALCHARS)
PWDSPEC (boolean)	'N'	PASSWORD (NOSPECIALCHARS)
RACLIST	'A'	RACLIST (xx ...)
RACLIST	'D'	NORACLIST (xx ...)
REALDSN (boolean)	'Y'	REALDSN
REALDSN (boolean)	'N'	NOREALDSN
REFRESH (boolean)	'Y'	REFRESH
NOTE: The REFRESH field is not returned by ADMN_UNL_SETR or ADMN_XTR_SETR.
RETPD	'Y'	RETPD ( xx )
REVOKE	'Y'	PASSWORD (REVOKE ( xx ))
REVOKE	'N'	PASSWORD (NOREVOKE)
RULES (boolean)	'N'	PASSWORD (NORULES)
NOTE: Specifying RULES with the 'N' flag results in the cancellation of all password syntax rules, regardless of any RULEn fields also specified.
RULE1	'Y'	PASSWORD (RULE1 (LENGTH (m1:m2) content-keyword (position)))
RULE1	'N'	PASSWORD (NORULE1)
RULE2	'Y'	PASSWORD (RULE2 (LENGTH (m1:m2) content-keyword (position)))
RULE2	'N'	PASSWORD (NORULE2)
RULE3	'Y'	PASSWORD (RULE3 (LENGTH (m1:m2) content-keyword (position)))
RULE3	'N'	PASSWORD (NORULE3)
RULE4	'Y'	PASSWORD (RULE4 (LENGTH (m1:m2) content-keyword (position)))
RULE4	'N'	PASSWORD (NORULE4)
RULE5	'Y'	PASSWORD (RULE5 (LENGTH (m1:m2) content-keyword (position)))
RULE5	'N'	PASSWORD (NORULE5)
RULE6	'Y'	PASSWORD (RULE6 (LENGTH (m1:m2) content-keyword (position)))
RULE6	'N'	PASSWORD (NORULE6)
RULE7	'Y'	PASSWORD (RULE7 (LENGTH (m1:m2) content-keyword (position)))
RULE7	'N'	PASSWORD (NORULE7)
RULE8	'Y'	PASSWORD (RULE8 (LENGTH (m1:m2) content-keyword (position)))
RULE8	'N'	PASSWORD (NORULE8)
NOTE: When specifying the 'Y' flag, the date supplied in the RULEn field consists of a length field and a character sequence, separated by a blank. The length field can be either a single numeric value, or two numeric values separated by a colon (:) to denote a minimum and maximum length. The character sequence conforms to the format of the output of the SETROPTS LIST command. It is a string of 1 to 8 characters, where each position of the string contains a character that indicates the valid characters that can occupy that position: A - Alphabetic C - Consonant c - Mixed consonant L - Alphanumeric m - Mixed numeric N - Numeric V - Vowel v - Mixed vowel W - Non-vowel * - Any character $ - National s – Special character x – Mixed all For example, if the RULE1 field is specified with field data of "3:6 ANVA", the resulting SETROPTS PASSWORD keyword would be RULE1(LENGTH(3:6) ALPHA(1 6) NUMERIC(3) VOWEL(4)). See the z/OS Security Server RACF Command Language Reference for details on SETROPTS.
RVARSWPW	'Y'	RVARY ( SWITCH ( xx ))
NOTE: For ADMN_XTR_SETR, the value returned for this field is not the actual password, but one of two predefined values. A value of "DEFAULT" indicates that the default password in in effect, while a value of "INSTLN" indicates that an installation-defined password is in effect.
RVARSTPW	'Y'	RVARY ( STATUS ( xx ) )
NOTE: For ADMN_XTR_SETR, the value returned for this field is not the actual password, but one of two predefined values. A value of "DEFAULT" indicates that the default password in in effect, while a value of "INSTLN" indicates that an installation-defined password is in effect.
SAUDIT (boolean)	'Y'	SAUDIT
SAUDIT (boolean)	'N'	NOSAUDIT
SECLABCT (boolean)	'Y'	SECLABELCONTROL
SECLABCT (boolean)	'N'	NOSECLABELCONTROL
SECLANG	'Y'	LANGUAGE (SECONDARY ( xx ) )
SESSINT	'Y'	SESSIONINTERVAL ( xx )
SESSINT	'N'	NOSESSIONINTERVAL
SLABAUDT (boolean)	'Y'	SECLABELAUDIT
SLABAUDT (boolean)	'N'	NOSECLABELAUDIT
SLBYSYS (boolean)	'Y'	SECLBYSYSTEM
SLBYSYS (boolean)	'N'	NOSECLBYSYSTEM
SLEVAUDT	'Y'	SECLEVELAUDIT (xx)
SLEVAUDT	'N'	NOSECLEVELAUDIT
TAPEDSN (boolean)	'Y'	TAPEDSN
TAPEDSN (boolean)	'N'	NOTAPEDSN
TERMINAL	'Y'	TERMINAL(xx)
WARNING	'Y'	PASSWORD (WARNING ( xx ))
WARNING	'N'	PASSWORD (NOWARNING)
WHENPROG (boolean)	'Y'	WHEN (PROGRAM)
WHENPROG (boolean)	'N'	NOWHEN (PROGRAM)