Security administration tasks and the RACF commands to run them

Reference the list of common security tasks that are carried out by a security administrator and the RACF® commands that are required to implement them.

The RACF commands can be issued on TSO or by using this JCL:

//jobname JOB 
//RACF EXEC PGM=IKJEFT01,REGION=6M 
//SYSTSPRT DD SYSOUT=* 
//SYSTSIN DD *
 RACF commands 
/* 
//

These tables are lists of common tasks that a security administrator would need.

Table 1. Types of RACF administration
Table	Example tasks
Defining authorities required by security administrators	Delegation of RACF administrative responsibility, controlling access to fields in RACF profiles
Managing users	Specifying default values in the CICS® segment, creating or updating segment data for a CICS user, defining terminal users and user groups to RACF
Managing groups	Creating groups, creating subgroups, adding a user to a group, removing a user from a group
Managing profiles and classes	Listing profiles in a class, activating the CICS classes

Defining authorities required by security administrators

Task	RACF command	Reference
What level of authority do you have?	`LISTUSER`	LISTUSER
Delegate authority to administer a class.	`ALTUSER userid CLAUTH(class)`	ALTUSER
Delegate authority to administer users.	`ALTUSER userid CLAUTH(USER)`	ALTUSER
Delegate authority to administer a group.	`CONNECT userid GROUP(group) SPECIAL`	CONNECT
Giving access to control CICS fields in the user profile.	`RDEFINE FIELD USER.CICS. UACC(NONE)` `PERMIT USER.CICS. CLASS(FIELD)GROUP(group) ACCESS(UPDATE)`	RDEFINE PERMIT Field-level access checking
Giving access to control LANGUAGE fields in the user profile.	`RDEFINE FIELD USER.CICS. UACC(NONE)` `PERMIT USER.LANGUAGE. CLASS(FIELD)GROUP(group) ACCESS(UPDATE)`	RDEFINE PERMIT Field-level access checking
Installing a resource with user ID attributes.	`DEFINE SURROGAT .DFHINSTAL UACC(NONE)` `PERMIT .DFHINSTAL CLASS(SURROGAT) GROUP(group) ACCESS(UPDATE)`	RDEFINE PERMIT Surrogate Security

Managing users

Task	RACF command	Reference
Adding a CICS User with the default CICS options.	`ADDUSER userid DFLTGRP(group) CICS`	ADDUSER The CICS segment in user profiles
Changing CICS options for a user.	`ALTUSER userid CICS(field1 field2 .. fieldN)`	ALTUSER The CICS segment in user profiles
Removing CICS options for a user.	`ALTUSER userid NOCICS`	ALTUSER
Listing the CICS options for a user.	LISTUSER userid CICS	LISTUSER
Specifying the language in the LANGUAGE segment.	`ALTUSER userid LANGUAGE(PRIMARY(language_code) SECONDARY(language_code))`	ALTUSER The LANGUAGE segment in user profiles
Listing the LANGUAGE segment for a user.	LISTUSER userid LANGUAGE	LISTUSER

Managing groups

Task	RACF command	Reference
Creating groups .	`ADDGROUP group OWNER(owner)`	ADDGROUP
Creating subgroups.	`ADDGROUP subgroup OWNER(subowner) SUPGROUP(group)`	ADDGROUP
Adding a user to a group.	`CONNECT userid GROUP(group)`	CONNECT
Removing a user from a group.	`REMOVE userid GROUP(group)`	REMOVE

Managing profiles and classes

Task	RACF command	Reference
Listing the profiles in a class.	`RLIST class * ALL`	RLIST
Defining a resource by using a generic profile.	`REDEFINE class profile UACC(NONE)`	RDEFINE RACF profiles for CICS classes
Defining a resource by using a member profile.	`REDEFINE class profile ADDMEM(memberList) UACC(NONE)`	RDEFINE RACF profiles for CICS classes
Giving access to a group of users to a profile.	`PERMIT profile CLASS(class) ID(group) ACCESS(access)`	PERMIT
Defining resource definitions when you use SECPRFX.	`REDEFINE class secprfx.profile UACC(NONE)`	RDEFINE Prefixing RACF Profiles with SECPRFX
Refreshing resource profiles in main storage.	`SETROPTS RACLIST(class) REFRESH`	SETROPTS Caching of RACF classes and their profiles
Activating the CICS classes.	`SETROPTS CLASSACT(class)`	SETROPTS Caching of RACF classes and their profiles
Making an installation defined class support generic resources.	`SETROPTS GENERIC(class)`	SETROPTS

When you have a pair of classes, class is the general resource class, for example, TCICSTRN.