QUESTION

The QUESTION command can be used to set, delete, or verify question/answer pairs, and to list questions present in a user profile.

The QUESTION command has the following syntax:

QUESTION profile [ REASON(reason) ] SET qid question PASSWORD(answer) ...
QUESTION profile [ REASON(reason) ] VERIFY qid PASSWORD(answer) ...
QUESTION profile [ REASON(reason) ] LIST [ qid ] ...
QUESTION profile [ REASON(reason) ] DELETE [ qid ] ...

profile           Any valid RACF profile in the USER class
qid               A question identifier, which has syntax Qnn where nn
                  is a nonnegative integer below 100. A question identifier
                  provides an index to a single question/answer pair.
reason            A reason string (Reason keywords in CKGRACF)

Each question and answer value must be specified as a string (where quotes and conversions are allowed). The action (SET, VERIFY, LIST, or DELETE) determines the number of question identifiers that can be specified. The next table presents the details.

Table 1. Actions for CKGRACF QUESTION

| Action | Number of question identifiers | Effect | Example |
|--------|--------------------------------|--------|---------|
| DELETE | none | Deletes all previous question/answer pairs, if present. | DELETE |
| DELETE | one or more | For each qid, deletes the previous question/answer pair identified by qid, if present. | DELETE qid |
| LIST | none | Lists all previous question/answer pairs, if present. | LIST |
| LIST | one or more | For each qid, lists the previous question/answer pair identified by qid, if present. | LIST qid |
| SET | one or more | For each qid, deletes the previous question/answer pair identified by qid, if present; then adds a question/answer pair identified by qid. | SET qid question PASSWORD(answer) |
| VERIFY | one or more | For each qid, verifies whether the current answer matches the previous answer identified by qid. | VERIFY qid PASSWORD(answer) |

More than one question identifier (plus question and answer) can be specified in a single QUESTION command; the same action is applied to each identifier (plus question and answer) in turn. The target profile is not changed if an error occurs within a single QUESTION command.

The QUESTION command requires access to the command profile shown in the following table.

Table 2. Command access checks for CKGRACF QUESTION

| Resource name checked | Access required |
|-----------------------|-----------------|
| CKG.CMD.QUESTION | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |

In addition, the target user must be within the userdata-scope of the command user (see CKGRACF authority checks). In the following table, each nn is a two-digit number corresponding to question identifier Qnn.

Table 3. USRDATA access checks for CKGRACF QUESTION

| Resource name checked | Access required |
|-----------------------|-----------------|
| CKG.USRDATA.OWN.USER.CNGC2Hnn | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |
| CKG.USRDATA.ALL.USER.CNGC2Hnn | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |
| CKG.USRDATA.SCP.USER.CNGC2Hnn | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |

If access to CKG.USRDATA.SCP.USER.CNGC2Hnn is defined, the following profiles will be checked:

Table 4. Scope access checks for CKGRACF QUESTION

| Resource name checked | Access required |
|-----------------------|-----------------|
| CKG.SCP.ID.userid.owner.dfltgrp | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |
| CKG.SCP.ID.groupid.owner | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |
| CKG.SCP.G.groups... | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |
| CKG.SCP.U.user.groups... | READ for the LIST and VERIFY actions; UPDATE for the SET and DELETE actions. |
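
The following Python helper is an added example, not part of the product documentation or of CKGRACF itself. It applies Tables 1 to 3 to a planned QUESTION invocation and returns the candidate resource names with the access level each needs, which helps when reviewing who can read or change question/answer pairs. The function names are hypothetical, and mapping a one-digit identifier such as Q5 to suffix 05 is an assumption; which of the three USRDATA names actually applies depends on the CKGRACF authority checks described elsewhere.

```python
import re

# Access level per action, from Tables 2 and 3 of this page.
ACCESS = {"LIST": "READ", "VERIFY": "READ", "SET": "UPDATE", "DELETE": "UPDATE"}
# Actions that Table 1 lists as needing at least one question identifier.
NEEDS_QID = {"SET", "VERIFY"}
# Resource name prefixes from Table 3; nn is appended per question identifier.
USRDATA_PREFIXES = (
    "CKG.USRDATA.OWN.USER.CNGC2H",
    "CKG.USRDATA.ALL.USER.CNGC2H",
    "CKG.USRDATA.SCP.USER.CNGC2H",
)
QID_RE = re.compile(r"Q(\d{1,2})", re.IGNORECASE)


def qid_suffix(qid):
    """Return the two-digit nn for a question identifier Qnn (nn below 100)."""
    m = QID_RE.fullmatch(qid.strip())
    if not m:
        raise ValueError(f"invalid question identifier: {qid!r}")
    # Assumption: a one-digit identifier such as Q5 maps to suffix 05.
    return f"{int(m.group(1)):02d}"


def required_access(action, qids=()):
    """Map a QUESTION action and its qids to (resource, access) candidates."""
    action = action.upper()
    if action not in ACCESS:
        raise ValueError(f"unknown action: {action}")
    if action in NEEDS_QID and not qids:
        raise ValueError(f"{action} needs at least one question identifier")
    level = ACCESS[action]
    checks = [("CKG.CMD.QUESTION", level)]
    # With no qid (LIST or DELETE of all pairs) the page names no nn values,
    # so only the command profile is reported here.
    for nn in sorted({qid_suffix(q) for q in qids}):
        checks.extend((prefix + nn, level) for prefix in USRDATA_PREFIXES)
    return checks


if __name__ == "__main__":
    # Constructed sample: setting questions Q01 and Q17 for one user.
    for resource, level in required_access("SET", ["Q01", "Q17"]):
        print(f"{level:<6} {resource}")
```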