Deletion of existing users
Use the C4R.USER.DELETE.userid profile described in this topic to control the authority to delete existing user IDs.
The authority to delete user profiles is normally controlled by some form of ownership (either direct or within the scope of a group-SPECIAL attribute) and by system-SPECIAL authorization. Some organizations want to keep strict control over the authority to delete existing users. Most often, it is because these organizations implemented extra procedures, like saving or renaming data sets or interaction with non-RACF information. The policy profile that is described in this section puts more constraints on the authorization to delete user IDs. This profile is not verified if RACF already rejected deletion of the user ID because of syntax errors or insufficient authority.
Deleting user IDs can also be controlled through the =NOCHANGE policy for user IDs. If a DELETE policy allows deleting the ID, the =NOCHANGE policy profile can still reject the command.
- C4R.USER.DELETE.userid
  This profile can be used to control which user IDs in scope can be deleted. When using generic profiles, deletion of user IDs can also be completely prevented. Only the terminal users who have access through this profile are allowed to delete these user IDs. This control reduces the normal RACF delete authorization.
  - No profile found
    The control is not implemented. No additional restrictions apply to deleting the specified user ID.
  - NONE
    The user ID cannot be deleted. The command is rejected.
  - READ
    The user ID can be deleted only if the terminal user has the system-SPECIAL attribute.
  - UPDATE
    The user ID can be deleted.
  - CONTROL
    Same as UPDATE.
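
The following RACF commands are an added example, not part of the product documentation. They show one way to apply the access levels above with a generic and a discrete profile. The example assumes that the C4R policy profiles are kept in the XFACILIT class; SECADM, HELPDESK and PRODBAT1 are hypothetical group and user names.

```racf
/* Assumption: C4R policy profiles are defined in XFACILIT.          */
/* SECADM, HELPDESK and PRODBAT1 are hypothetical names.             */

/* Generic backstop: UACC(NONE) means a terminal user without an     */
/* explicit permit gets NONE, so the delete command is rejected.     */
RDEFINE XFACILIT C4R.USER.DELETE.* UACC(NONE) OWNER(SECADM)

/* UPDATE: SECADM members can delete user IDs, provided RACF itself  */
/* already allows it (the profile only reduces RACF authority).      */
PERMIT C4R.USER.DELETE.* CLASS(XFACILIT) ID(SECADM) ACCESS(UPDATE)

/* READ: HELPDESK members can delete a user ID only if they also     */
/* have the system-SPECIAL attribute.                                */
PERMIT C4R.USER.DELETE.* CLASS(XFACILIT) ID(HELPDESK) ACCESS(READ)

/* Discrete profile with no permits: the more specific profile       */
/* applies to PRODBAT1, so every terminal user gets NONE for it.     */
RDEFINE XFACILIT C4R.USER.DELETE.PRODBAT1 UACC(NONE) OWNER(SECADM)

/* Needed when the class is RACLISTed, so the changes take effect.   */
SETROPTS RACLIST(XFACILIT) REFRESH

/* Review the resulting access list.                                 */
RLIST XFACILIT C4R.USER.DELETE.* AUTHUSER
```

Even where one of these profiles grants UPDATE, an =NOCHANGE policy profile for the user ID can still reject the delete command.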