RACF command replacement

zSecure Command Verifier provides a way to replace commands with other commands by a combined add/replace approach.

The first step is to specify a pre-command or a post-command. The second step is to specify whether the original command must be run, possibly stripped of some keywords, or must be suppressed entirely. Both steps are controlled by three policy profiles. In the pre-command and post-command, several fields from the original RACF® command can be referenced by variables; for instance, the target class and profile can be specified by &CLASS and &PROFILE.

The specified pre- and post-commands run with the same authority as the original RACF command. If temporary special or auditor authorization is specified for the original RACF command, the pre- and post-commands also run with temporary special or auditor. This also applies to controlled temporary attributes. It is the responsibility of the Command Verifier Policy administrator to specify pre- and post-commands that are appropriate for the environment in which they run.

Note: Currently this function is only available for the following commands and keywords:
Table 1. Commands and keywords supported by the Command/Keyword Replace Function.

Command            Keyword                     Keyword-qualification
ALTUSER            RESUME                      RESUME
ALTUSER            REVOKE                      REVOKE
ALTUSER            RESUME(date) NORESUME       RESUMEDT
ALTUSER            REVOKE(date) NOREVOKE       REVOKEDT
ADDUSER ALTUSER    SPECIAL                     SPECIAL
ADDUSER ALTUSER    OPERATIONS                  OPERATIONS
ADDUSER ALTUSER    AUDITOR                     AUDITOR
ADDUSER ALTUSER    segment / NOsegment         segment.action  (action = Add | Alt | Del)
ADDUSER ALTUSER    OMVS(UID(0)) / OVM(UID(0))  UID0
ADDUSER ALTUSER    OWNER(owner)                OWNER.owner
CONNECT            GROUP(grpname)              GROUP.grpname
PERMIT             CLASS(class)                CLASS.class
REMOVE             GROUP(grpname)              GROUP.grpname

The general form of the command replacement policy profile is:

C4R.command.function.keyword-qualification

The command is the non-abbreviated RACF command issued by the terminal user. The function indicates which part of the command replacement feature is controlled by this policy profile. Possible values for function are =PRECMD, =PSTCMD, and =REPLACE. These are used to specify the PRE-command and the POST-command and to indicate if and how the original RACF command is issued.

The possible values for the keyword-qualification depend on the command:

  • For setting attributes through the ADDUSER or ALTUSER command, the keyword-qualifier consists of only a single qualifier. Examples are the REVOKE, RESUME, and SPECIAL qualifiers.
  • When managing the owner of users, the keyword-qualifier consists of the fixed value OWNER, followed by the specified value for the new owner.
  • When managing user segments, the keyword-qualifier consists of two qualifiers. The first is the name of the segment, and the second is an action qualifier. The action qualifier can be ADD, ALT, or DEL.
  • When managing user-to-group connects through the CONNECT or REMOVE command, the keyword-qualifier consists of the fixed value GROUP, followed by the name of the group used in the command.
  • For changing the access list through the PERMIT command, the keyword-qualifier consists of two qualifiers. The first is the fixed value CLASS, and the second is the resource class name.

The special qualifier =PRECMD, =PSTCMD, or =REPLACE must be explicitly coded in the policy profile. It cannot be matched by generic characters. Other qualifiers in these policy profiles like the command or the resource class can be described by generic characters.

The following list contains some sample policy profiles.

C4R.*.=PRECMD.SPECIAL
C4R.ALTUSER.=PRECMD.REVOKE
C4R.ALTUSER.=PSTCMD.TSO.ADD
C4R.A*.=PRECMD.*.A*
C4R.PERMIT.=PSTCMD.CLASS.DATASET

See the following list for the detailed description of the profiles and the supported access levels.

  • C4R.command.=PRECMD.keyword-qualification

    This profile specifies the command that must be run before the original RACF command. The pre-command is specified by the APPLDATA of the profile. The most common use of this profile is to replace the ALTUSER RESUME command by a CKGRACF RESUME command.

    If the command contains more than one keyword that matches an =PRECMD profile, any of the matching profiles can supply the pre-command. Which profile zSecure Command Verifier uses is unpredictable.

    The qualifier =PRECMD in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.

    If the pre-command fails during execution, the original (or modified) RACF command is suppressed. This way, dependent actions in the modified RACF command run only if the prerequisite action from the pre-command completed.

    The following access rules apply:

    No Profile Found
    This control is not implemented. No pre-command is issued.
    NONE
    The pre-command that is specified in this profile is not run for this terminal user.
    READ
    The pre-command that is defined by the APPLDATA is run before the original RACF command.
    UPDATE
    Same as READ.
    CONTROL
    Same as UPDATE.
  • C4R.command.=REPLACE.keyword-qualification

    This profile specifies whether the original keyword must be kept or suppressed or if the entire RACF command must be suppressed. If the pre-command fails, the original RACF command is not run. This case is independent of the definition of the =REPLACE profile.

    If the keyword is present in the command, the action is controlled by the access rules that are specified in the following list. If more than one keyword matches an =REPLACE profile, all of these profiles can be used to suppress keywords or the entire command.

    For the CONNECT and REMOVE commands, the only supported keyword qualification is for the group. Suppression of the GROUP keyword is not effective because, in the absence of the GROUP keyword, RACF automatically uses the terminal user's current connect group for the command. The resulting command does not have the intended effect. For this reason, the CONNECT and REMOVE commands do not support suppression.

    The qualifier =REPLACE in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.

    The following access rules apply:

    No Profile Found
    This control is not implemented. The keyword is not removed.
    NONE
    The keyword suppress is not done for this terminal user.
    READ
    The keyword is suppressed. This suppression can result in a command without any effective keywords. For the CONNECT and REMOVE commands, the effect of READ is the same as NONE: the keyword is not suppressed.
    UPDATE
    The entire command is suppressed. This suppression can result in error messages being presented to the terminal user, indicating that the command failed.
    CONTROL
    Same as UPDATE.
  • C4R.command.=PSTCMD.keyword-qualification

    This profile specifies the command that must be run after the original RACF command. The post-command is specified by the APPLDATA of the profile. In the command, the target class and profile can be specified by &CLASS and &PROFILE.

    If the command contains more than one keyword that matches an =PSTCMD profile, any of the matching profiles can supply the post-command. Which profile zSecure Command Verifier uses is unpredictable.

    The qualifier =PSTCMD in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.

    The following access rules apply:
    No Profile Found
    This control is not implemented. No post-command is issued.
    NONE
    The post-command that is specified in this profile is not run for this terminal user.
    READ
    The post-command that is defined by the APPLDATA is run after the original RACF command. If the original RACF command issues a warning message, the post-command is suppressed. This access level can be useful for some RACF commands like ALTUSER and ALTGROUP that issue only a warning message, even if the command fails completely.
    UPDATE
    The post-command that is defined by the APPLDATA is run after the original RACF command. If the original RACF command failed with an error message or an abend, the post-command is suppressed.
    CONTROL
    Same as UPDATE.
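The interplay of the three profiles is easier to see as a small decision model. The following Python is an added illustration written for this page, not zSecure Command Verifier code: the policy is constructed, the access levels stand for one terminal user's access to each profile, generic matching is simplified (no `**`, and "most specific" is taken to mean the fewest generic characters), the string `CKGRACF USER &PROFILE RESUME` is an assumed form of the CKGRACF command the page mentions, and the model assumes that no post-command runs when =REPLACE suppresses the entire command, which the page does not state.

```python
"""Model of the =PRECMD / =REPLACE / =PSTCMD decision flow described above.
Added for this page as an illustration; it is not zSecure Command Verifier
code. POLICY is constructed, the access levels stand for one terminal user's
access to each profile, and the CKGRACF syntax in the APPLDATA is assumed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # RACF access order

@dataclass
class Profile:
    name: str            # e.g. C4R.ALTUSER.=PRECMD.RESUME
    access: str          # the terminal user's access level to this profile
    appldata: str = ""   # pre-/post-command; RACF folds APPLDATA to uppercase

# Constructed policy: run CKGRACF first, then suppress the original ALTUSER.
POLICY = [
    Profile("C4R.ALTUSER.=PRECMD.RESUME", "READ", "CKGRACF USER &PROFILE RESUME"),
    Profile("C4R.ALTUSER.=REPLACE.RESUME", "UPDATE"),
    Profile("C4R.*.=PSTCMD.SPECIAL", "READ", "LISTUSER &PROFILE"),
    Profile("C4R.CONNECT.=REPLACE.GROUP.SYS1", "READ"),   # ineffective by design
]

def has(profile, level):
    """True if the profile exists and the user's access is at least `level`."""
    return profile is not None and LEVELS.index(profile.access) >= LEVELS.index(level)

def lookup(policy, resource):
    """Best-matching profile for one resource name, or None. '*' and '%' are
    honoured inside a qualifier, but the =PRECMD/=REPLACE/=PSTCMD qualifier
    must be coded exactly. Simplified RACF generic matching: no '**', and
    the profile with the fewest generic characters wins."""
    want = resource.split(".")
    best = None
    for p in policy:
        have = p.name.split(".")
        if len(have) != len(want) or have[2] != want[2]:
            continue
        if all(fnmatchcase(w, h.replace("%", "?")) for w, h in zip(want, have)):
            score = sum(h.count("*") + h.count("%") for h in have)
            if best is None or score < best[0]:
                best = (score, p)
    return best[1] if best else None

def plan(command, qual, policy, precmd_rc=0, original_result="OK"):
    """Ordered actions for one keyword qualification of one command.
    precmd_rc is the simulated return code of the pre-command; original_result
    is the outcome of the (possibly stripped) RACF command: 'OK', 'WARNING' or
    'ERROR' (an abend counts as ERROR)."""
    pre = lookup(policy, f"C4R.{command}.=PRECMD.{qual}")
    rep = lookup(policy, f"C4R.{command}.=REPLACE.{qual}")
    post = lookup(policy, f"C4R.{command}.=PSTCMD.{qual}")
    actions = []
    if has(pre, "READ"):
        actions.append(("PRECMD", pre.appldata))
        if precmd_rc != 0:                 # failed pre-command: nothing else runs
            return actions + [("SUPPRESS", "original command")]
    if has(rep, "UPDATE"):                 # UPDATE/CONTROL: whole command suppressed
        # Assumption: the page does not say whether a post-command still runs here.
        return actions + [("SUPPRESS", "entire command")]
    if has(rep, "READ") and command not in ("CONNECT", "REMOVE"):
        actions.append(("RUN", f"{command} without {qual}"))    # keyword stripped
    else:                                  # no profile, NONE, or CONNECT/REMOVE
        actions.append(("RUN", f"{command} {qual}"))
    if has(post, "READ"):
        blocked = ("WARNING", "ERROR") if post.access == "READ" else ("ERROR",)
        actions.append(("SUPPRESS", "post-command") if original_result in blocked
                       else ("PSTCMD", post.appldata))
    return actions

if __name__ == "__main__":
    for step in plan("ALTUSER", "RESUME", POLICY):
        print(*step)
```

Running the module prints the two steps for an `ALTUSER userid RESUME` issued under this policy: the CKGRACF pre-command, then suppression of the original command. Changing `precmd_rc` shows why the =REPLACE profile alone is not enough: a failed pre-command already suppresses the RACF command, independently of =REPLACE.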

The APPLDATA of the =PRECMD and =PSTCMD profiles specifies the command that is run before or after the original RACF command. The policy can specify multiple commands, separated by semicolons (;), up to the 255-character limit of the APPLDATA field. Command Verifier runs each command in the order given before moving on to the next one. If a command fails, the remaining commands are not run.

The command can be a REXX exec; the exec name is at most 8 characters long and is preceded by the special character %. Because the exec is executed by System REXX, it must reside in a REXX library that is allocated to the System REXX address space (see Example 5). For more information about System REXX, see the section Planning to use System REXX in z/OS MVS Programming: Authorized Assembler Services Guide.

Because of the way that RACF handles the APPLDATA field, the value that is entered is folded to uppercase. In the specified command string, variables can be used to refer to parts of the original RACF command. Variables are prefixed by an ampersand (&) sign. The following variables are supported:
&CLASS
Represents the CLASS of the PROFILE. For the ALTUSER command, this value is USER. For the PERMIT command, the value is DATASET or the general resource class specified.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&CLASS ---> FACILITY
 
ALTUSER IBMUSER REVOKE
&CLASS ---> USER
&PROFILE
Represents the PROFILE. For the ALTUSER command, it is the affected user ID. For the PERMIT command, it is the fully qualified data set name or the general resource profile name.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&PROFILE ---> STGADMIN.**
 
ALTUSER IBMUSER REVOKE
&PROFILE ---> IBMUSER
&PROFILE(1)
Represents one PROFILE. For the ALTUSER command, it is one of the affected user IDs. For the PERMIT command, it is one of the fully qualified data set names or general resource profile names. Which profile is used is unpredictable.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&PROFILE(1) ---> STGADMIN.**
 
ALTUSER (IBMUSER) REVOKE
&PROFILE(1) ---> IBMUSER
 
ALTUSER (IBMUSER, C4RTEST) REVOKE
&PROFILE(1) ---> C4RTEST (maybe)
&SEGMENT
Represents the list of USER SEGMENTs that are being managed in this command.
ALTUSER IBMUSER TSO OMVS(UID(0))
&SEGMENT ---> TSO OMVS
&SEGMENT(1)
Represents one of the USER SEGMENTs that are being managed in this command. Which SEGMENT is used is unpredictable.
ALTUSER IBMUSER TSO OMVS(UID(0))
&SEGMENT(1) ---> OMVS (maybe)
&RACUID
Represents the user ID of the terminal user that is issuing the command.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&RACUID ---> CRMAHJB (maybe)
 
ALTUSER IBMUSER REVOKE
&RACUID ---> CRMAHJB (maybe)
&RACGPID
Represents the current connect GROUP of the terminal user that is issuing the command.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&RACGPID ---> CRMA (maybe)
 
ALTUSER IBMUSER REVOKE
&RACGPID ---> CRMA (maybe)
&DATE
Represents the current date in Julian format (YY.DDD). The Julian date is the same format as used by RACF in the LISTUSER output.
ALTUSER IBMUSER REVOKE
&DATE ---> 04.060 (maybe)
&TIME
Represents the current time in 24 hour format (HH:MM:SS). This time format is the same as used by RACF in the LISTUSER output.
ALTUSER IBMUSER REVOKE
&TIME ---> 08:17:31 (maybe)
&SYSID
Represents the SMF system identifier of the current system. This variable is the four-character string that is specified by SID in the SMFPRMxx parmlib member. It is the same value that can be used in the conditional access list of PROGRAM profiles.
ALTUSER IBMUSER REVOKE
&SYSID ---> IDFX (maybe)
&ACLID
Represents the list of user IDs and group names specified in the ID keyword of the PERMIT command. The list can consist of a single value or a blank-separated list. Leading and trailing blanks are not included.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&ACLID ---> IBMUSER C4RTEST
&ACLID(1)
Represents one of the user IDs or group names specified in the ID keyword of the PERMIT command. Which one of the IDs is used is not predictable.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(READ)
&ACLID(1) ---> C4RTEST (maybe)
&ACLACC
Represents the access level that is granted by the ACCESS keyword of the PERMIT command. In addition to the regular access levels, the value DELETE indicates that an access list entry is to be removed.
It is also possible to substitute a substring of the access level. The substring is specified by a single digit between parentheses immediately following the string &ACLACC. Only a single digit from 1 to 8 is allowed, and the complete substring specification must consist of exactly 3 characters. Any other format is treated as a regular character string.
PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER C4RTEST) ACCESS(UPDATE)
&ACLACC    ---> UPDATE
&ACLACC(3) ---> UPD
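The substitution rules above (uppercase folding, list variables, the single-element forms, the exactly-three-character &ACLACC(n) substring rule) can be checked offline before a policy goes live. The following Python is an added model written for this page, not zSecure Command Verifier code. Where the page calls a choice unpredictable (&PROFILE(1), &SEGMENT(1), &ACLID(1)) the model takes the last element so that results are repeatable; USER_SEGMENTS is a constructed subset of RACF's user segment names; the issuer values (&RACUID, &RACGPID, &SYSID) are passed in rather than taken from a real ACEE; and &CLASS is left empty for verbs other than ADDUSER, ALTUSER and PERMIT, for which the page defines no value.

```python
"""Offline model of the APPLDATA variable substitution described above.
Added for this page; it is not zSecure Command Verifier code. Where the page
calls a choice 'unpredictable' (&PROFILE(1), &SEGMENT(1), &ACLID(1)) this
model takes the last element so that results are repeatable. USER_SEGMENTS is
a constructed subset of RACF's user segment names."""
import re
from datetime import datetime

USER_SEGMENTS = {"TSO", "OMVS", "OVM", "CICS", "DFP", "KERB", "LANGUAGE", "LNOTES",
                 "NDS", "NETVIEW", "OPERPARM", "PROXY", "WORKATTR", "DCE", "EIM", "CSDATA"}

def tokenize(cmd):
    """Split a RACF command into (WORD, value) pairs. value is None when the word
    has no parentheses; nested parentheses such as OMVS(UID(0)) stay inside the
    value verbatim. A bare parenthesised list, e.g. (IBMUSER, C4RTEST), yields
    the word ''."""
    tokens, i, n = [], 0, len(cmd)
    while i < n:
        if cmd[i].isspace():
            i += 1
            continue
        word = re.match(r"[^\s()]*", cmd[i:]).group(0)
        i += len(word)
        value = None
        if i < n and cmd[i] == "(":
            depth, j = 0, i
            while j < n:
                depth += (cmd[j] == "(") - (cmd[j] == ")")
                j += 1
                if depth == 0:
                    break
            value, i = cmd[i + 1:j - 1], j
        elif word == "":                  # unbalanced ')': skip it
            i += 1
            continue
        tokens.append((word.upper(), value))
    return tokens

def context(cmd, racuid, racgpid, sysid, now=None):
    """Derive the substitution variables for one RACF command and its issuer."""
    toks = tokenize(cmd)
    verb, rest = toks[0][0], toks[1:]
    profiles = []
    if rest and rest[0][0] == "" and rest[0][1] is not None:       # (A, B) list
        profiles = [p for p in re.split(r"[\s,]+", rest[0][1].upper()) if p]
        rest = rest[1:]
    elif rest and rest[0][1] is None:                               # single name
        profiles, rest = [rest[0][0]], rest[1:]
    kw = dict(rest)
    if verb in ("ADDUSER", "ALTUSER"):
        cls = "USER"
    elif verb == "PERMIT":
        cls = (kw.get("CLASS") or "DATASET").upper()
    else:
        cls = ""                 # assumption: page defines &CLASS only for these verbs
    segs = [w[2:] if w.startswith("NO") else w for w in kw
            if w in USER_SEGMENTS or (w.startswith("NO") and w[2:] in USER_SEGMENTS)]
    ids = [x for x in re.split(r"[\s,]+", (kw.get("ID") or "").upper()) if x]
    acc = "DELETE" if "DELETE" in kw else (kw.get("ACCESS") or "").upper()
    now = now or datetime.now()
    return {"CLASS": cls, "PROFILE": profiles, "SEGMENT": segs, "ACLID": ids,
            "ACLACC": acc, "RACUID": racuid, "RACGPID": racgpid, "SYSID": sysid,
            "DATE": now.strftime("%y.%j"), "TIME": now.strftime("%H:%M:%S")}

VAR_RE = re.compile(r"&([A-Z]+)(\([0-9]+\))?")

def expand(appldata, ctx):
    """Expand &VARIABLE references in an APPLDATA string. RACF folds APPLDATA to
    uppercase, so the template is uppercased first. &NAME(1) selects one element
    of a list variable, &ACLACC(n) with a single digit 1-8 keeps the first n
    characters, and any other parenthesised suffix is ordinary text."""
    def one(m):
        name, suffix = m.group(1), m.group(2) or ""
        if name not in ctx:
            return m.group(0)                   # unknown variable: left as is
        val = ctx[name]
        if isinstance(val, list):
            if suffix == "(1)":
                return val[-1] if val else ""   # product: unpredictable choice
            return " ".join(val) + suffix
        if name == "ACLACC" and re.fullmatch(r"\([1-8]\)", suffix):
            return val[:int(suffix[1])]
        return val + suffix
    return VAR_RE.sub(one, appldata.upper())

if __name__ == "__main__":
    ctx = context("PERMIT STGADMIN.** CLASS(FACILITY) ID(IBMUSER,C4RTEST) ACCESS(UPDATE)",
                  "CRMAHJB", "CRMA", "IDFX")
    print(expand("RLIST &CLASS &PROFILE AUTHUSER", ctx))
```

The `&ACLACC(12)` case is the one worth trying: because the suffix is not exactly three characters, the model expands `&ACLACC` to UPDATE and leaves `(12)` as literal text, which is the behaviour the page describes for "any other format".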