Task-oriented commands
Some simple administrative tasks can be done with the COPY, MOVE, and REMOVE commands. You can create a new userid (or group) like an existing one with COPY. There are keywords to specify unique properties, such as NEWPASSWORD. Apart from creating the userid itself, by default, this command also clones all the authorizations that the user has to various profiles and generates commands to set up catalog aliases. There are various SUPPRESS keywords to limit these operations. The easy way to review these is to go to RA.U (RACF USER), issue the C(opy) line command, tag or untag the various settings on the panel brought up, and review the SUPPRESS commands that were generated. REMOVE can delete a user or group, or, as a preparation for a delete, move a user to a holding group. MOVE can move a user to another group. The associated line commands are D and M, respectively.
The VERIFY command has a large number of keywords for verification tasks, for example, verifying the integrity of the RACF database. It reports on aberrations found and suggests remediating commands for certain situations. There are also keywords to verify certain audit requirements, such as flagging users with default passwords. Review the output of this command in SYSPRINT; the generated commands are available in CKRCMD.
The REPORT command originally generated a number of specific reports relevant to administrators and auditors in a fixed layout. It has keywords to request a specific report and keywords to specify global configuration settings to use. In modern CARLa, REPORT can be combined with NEWLIST queries that define the layout to be used for that kind of report. For example, if REPORT REDUNDANT is requested in a CARLa run by itself, it imbeds the standard layout for the report from SCKRCARL. However, when a NEWLIST TYPE=REPORT_REDUNDANCY (or R_REDUNDANCY for short) is present before the REPORT statement, that layout (or those layouts) is used instead. Note that options like REPORT DATASETS are still global options and affect all reports that are sensitive to this setting. This also extends to selections for REPORT_PROFILE within a STANDARD (and, conversely, an OPTION(R_PROFILE(DATASETS)) within a STANDARD also influences the REPORTs).
The ASSERT command is used to record compliance assertions in connection with compliance tests in a STANDARD.
The OVERRIDE command is used to override a compliance test finding.
The MERGE command is used to merge two RACF databases. The command opens a context that is closed by ENDMERGE. In between, you use SELECT and EXCLUDE to select profiles from the source database to be merged into the current database. The program determines automatically which profiles in the current database are relevant. You can also specify MERGERULEs to determine how conflicts must be handled. For example, use the most restrictive access if the two databases have a different opinion about the access to a particular profile. Only the DEFINE and IMBED commands are allowed in a merge context. The records made available for reporting by NEWLIST TYPE=MERGE represent decisions taken by the MERGE process.
The SHOW command can be used to show the following information:
- Installation options set for the program
- zSecure Collect processing options used for a CKFREEZE file
- RACF classes and template fields available
- RACF naming convention table