Changing the RACF profile of a remote user

CICS® is notified of certain changes in the RACF® profile of a signed-on remote user, or a signed-on user who is not directly using a physical terminal or console, through a type 71 RACF Event Notification (ENF).

RACF sends type 71 ENFs when RACF commands such as ALTUSER with the REVOKE option, CONNECT, REMOVE, DELGROUP and DELUSER affect the group authorization of a user. In addition, with RACF APAR OA58677 and SAF APAR OA58678, RACF sends a type 71 ENF when a user ID is revoked automatically as a result of too many failed password attempts.

CICS monitors for such RACF type 71 ENFs. Notification of a change to the user ID overrides any setting that is specified in the USRDELAY system initialization parameter. Therefore, review your USRDELAY settings.

For example, CICS is notified when you use the REVOKE option on the ALTUSER command, with no date specified, to revoke a user ID with immediate effect. However, CICS is not notified when a user ID expires, or for a user ID that is signed on to a local region (for example, a TOR that uses the CESN transaction to sign on).

When a RACF profile change occurs and CICS receives a new attach request for a user ID, CICS performs an implicit sign-on for the user ID and the new RACF profile information is used. Existing tasks for that user continue with the RACF profile that was valid when the task was attached.

If you specified a low value for the USRDELAY system initialization parameter to ensure that CICS detects changes to RACF profiles promptly, you might want to increase this value, because CICS is now notified immediately if RACF profile changes occur. The primary impact of a high USRDELAY value is that the amount of storage used for RACF control blocks is increased.

If you alter the RACF profile of a signed-on remote user, for example by revoking the user, CICS continues to use the authorization established at the first attach request until one of the following situations occurs:
  • The transaction performs a syncpoint.
  • The attach request ends.
  • Sign off occurs because RACF notifies CICS of changes to a user profile, and an attached request associated with that signed-on user ID completes, for all operands of ATTACHSEC except LOCAL.
  • Sign off occurs because RACF notifies CICS of changes to a user profile, a new attach request is made, and the value in the USRDELAY system initialization parameter has not expired. This sign off is followed by a sign on.
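
The timing rules above, sketched as an added Python model (not IBM or CICS code): a notified change forces a fresh implicit sign-on at the next attach, an in-flight task keeps the profile it was attached with, and a change that produces no notification is only picked up once the cached entry ages out. It assumes USRDELAY is the number of minutes a signed-on remote user entry can be reused after its last use; the class, field names and user IDs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    profile: dict           # snapshot of the RACF profile taken at implicit sign-on
    idle_since: float       # minute at which the user ID was last used (simplified)
    notified: bool = False  # set when a type 71 ENF arrives for this user ID

class Region:
    """Simplified model of a region's signed-on remote user entries (assumption, not CICS code)."""
    def __init__(self, racf, usrdelay):
        self.racf, self.usrdelay, self.cache = racf, usrdelay, {}

    def enf71(self, user):
        # Notification overrides USRDELAY: the cached entry must not be reused.
        if user in self.cache:
            self.cache[user].notified = True

    def attach(self, user, now):
        """Return the profile snapshot the new task runs with, or None if sign-on fails."""
        e = self.cache.get(user)
        if e and not e.notified and now - e.idle_since <= self.usrdelay:
            e.idle_since = now
            return e.profile              # cached authorization reused
        self.cache.pop(user, None)        # sign off, followed by implicit sign-on
        current = self.racf[user]
        if not current["active"]:
            return None
        self.cache[user] = Entry(dict(current), now)
        return self.cache[user].profile

def demo():
    # Constructed sample profiles; "active" stands in for "not revoked and not expired".
    racf = {"USRA": {"active": True, "group": "PAYROLL"},
            "USRB": {"active": True, "group": "PAYROLL"}}
    region = Region(racf, usrdelay=30)
    task_a = region.attach("USRA", now=0)   # in-flight task for USRA
    region.attach("USRB", now=0)
    racf["USRA"]["active"] = False          # ALTUSER ... REVOKE: type 71 ENF is sent
    region.enf71("USRA")
    racf["USRB"]["active"] = False          # user ID expires: no notification to CICS
    return {
        "in_flight_keeps_old": task_a["active"],               # still the old profile
        "USRA_next_attach": region.attach("USRA", now=1),      # rejected at once
        "USRB_within_delay": region.attach("USRB", now=10),    # stale entry reused
        "USRB_after_delay": region.attach("USRB", now=41),     # aged out, rejected
    }
```

The `USRB` rows show why USRDELAY still deserves review after notifications are in place: changes that generate no type 71 ENF remain invisible for as long as the cached entry is reusable.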