Purpose

Use the ALTUSER command to change the information in a user's profile, including the user's system-wide attributes and authorities. The user profile consists of a RACF® segment and, optionally, other segments such as a TSO segment or a DFP segment. You can use this command to change information in any segment of the user's profile.

When you change a user's level of authority in a group (using the AUTHORITY operand), RACF updates the appropriate group profile. When you change a user's default universal access authority for a group (using the UACC operand), RACF changes the appropriate connect profile. For all other changes, RACF changes the user's profile.

Note: If the user is currently logged on, changes to the attributes (except for OWNER and AUTHORITY) do not take effect until the next time the user logs on, even though the LISTUSER command shows the new values.
Attention:
- When the ALTUSER command is issued from ISPF, the TSO command buffer (including password and password phrase data) is written to the ISPLOG data set. As a result, you should not issue this command from ISPF, or you must control the ISPLOG data set carefully.
- If the ALTUSER command is issued as a RACF operator command, the command and all data (including password and password phrase data) are written to the system log. Therefore, use of ALTUSER as a RACF operator command should be controlled, or you should issue the command as a TSO command.
Note that you cannot:
- Use the ALTUSER command to change a user ID association; you must use the RACLINK command.
- Use the ALTUSER command for profiles in the DIGTCERT class.
- Use the ALTUSER command for user IDs that have mixed-case characters, such as irrcerta, irrsitec, and irrmulti (which are associated with digital certificates).
Issuing options

The following table identifies the eligible options for issuing the ALTUSER command:

| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For information on issuing this command
as a RACF TSO command, refer
to RACF TSO commands.
For
information on issuing this command as a RACF operator command, refer to RACF operator commands.
You
must be logged on to the console to issue this command as a RACF operator command.
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

The level of authority required depends on which of the user's attributes you want to change.
- If you have the SPECIAL attribute, you can use all the operands except UAUDIT/NOUAUDIT.
- To specify the AT keyword, you must have READ authority to the
DIRECT.node resource in the RRSFDATA class and a user ID association
must be established between the specified node.userid pair(s).
- To specify the ONLYAT keyword you must have the SPECIAL attribute,
the userid specified on the ONLYAT keyword
must have the SPECIAL attribute, and a user ID association must be
established between the specified node.userid pair(s)
if the user IDs are not identical.
- If the owner of the user profile is within the scope of a group
in which you have the group-SPECIAL attribute, you can use all of
the operands except SPECIAL, AUDITOR, OPERATIONS, NOEXPIRED and UAUDIT/NOUAUDIT.
- If you are the owner of the user's profile, you can use any of
the following operands for user-related attributes:
- ADSP | NOADSP
- DATA | NODATA
- DFLTGRP
- GRPACC | NOGRPACC
- MODEL | NOMODEL
- NAME
- OIDCARD | NOOIDCARD
- OWNER
- PASSWORD | NOPASSWORD
- PHRASE | NOPHRASE
- RESTRICTED | NORESTRICTED
- RESUME | NORESUME
- REVOKE | NOREVOKE
- WHEN
- Users can change their own name field (using the NAME
operand), default group (using the DFLTGRP operand), or model data
set profile name (using the MODEL operand).
- You can use the GROUP, AUTHORITY, and UACC operands for group-related
user attributes if you have JOIN or CONNECT authority, if the group
profile is within the scope of a group in which you have the group-SPECIAL
attribute, or if you are the owner of the specified group.
- To specify the AUDITOR/NOAUDITOR, SPECIAL/NOSPECIAL, and OPERATIONS/NOOPERATIONS
operands as system-wide user attributes, you must have the SPECIAL
attribute.
- To specify the UAUDIT/NOUAUDIT operand, either you must have the
AUDITOR attribute, or the user profile must be within the scope of
a group in which you have the group-AUDITOR attribute.
- You can specify the CLAUTH and NOCLAUTH operands if you are the
owner of the user's profile and have the CLAUTH attribute for the
class to be added or deleted.
- To assign a security category to a profile, or to
delete a category from a profile, one of the following must be true:
- If the user profile is within the scope of a group in which you
have the group-SPECIAL attribute, or if you are the owner of the specified
user, the category you are adding or deleting must be in your user
profile.
- You have the SPECIAL attribute.
- To assign a security level to a profile, or to delete
a security level from a profile, one of the following must be true:
- If the user profile is within the scope of a group in which you
have the group-SPECIAL attribute, or if you are the owner of the specified
user, the security level in your user profile must be equal to or
greater than the security level you are assigning or deleting.
- You have the SPECIAL attribute.
- To change information within a segment other than the base segment,
you must have one of the following:
- The SPECIAL attribute
- At least UPDATE authority to the desired field within the segment
through field-level access control.
For information on field-level access checking, see z/OS Security Server RACF Security Administrator's Guide.
- To reset passwords and password phrases or to resume user IDs,
you must have at least one of the following authorizations:
- You have the SPECIAL attribute.
- You have group-SPECIAL authority over the user profile.
- You are the OWNER of the user profile.
- You have sufficient access to the IRR.PASSWORD.RESET resource
in the FACILITY class.
- You have sufficient access to an appropriate resource in the FACILITY
class (IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner),
and both of the following conditions are also true:
- The other user does not have the SPECIAL, OPERATIONS, AUDITOR,
or PROTECTED attribute.
- You are not excluded from altering the user by the IRR.PWRESET.EXCLUDE.excluded-user resource
in the FACILITY class.
For more information about the IRR.PWRESET profiles, see z/OS Security Server RACF Security Administrator's Guide.
When your reset and resume authority is through your access
to the IRR.PASSWORD.RESET resource, the IRR.PWRESET.OWNER.owner resource,
or the IRR.PWRESET.TREE.owner resource, the following requirements
apply:
- If you have READ access, you can:
- Use the PASSWORD operand to reset a password (to an expired
password) for a user who does not have the SPECIAL, OPERATIONS,
AUDITOR, or PROTECTED attribute.
- Use the PHRASE operand to reset a password phrase (to an expired
password phrase) for a user with an assigned password phrase
who does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute. Note: You
cannot use the PHRASE operand to add a password phrase for
a user who does not have one.
- Use the RESUME operand, without specifying a date, for a user
who does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
- If you have UPDATE access, you can:
- Use the PASSWORD, PHRASE, and RESUME operands as noted for READ
access.
- Use the NOEXPIRED operand (with PASSWORD or PHRASE) for a user
who does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
- If you have CONTROL access, you can:
- Use the PASSWORD, PHRASE, RESUME, and NOEXPIRED operands as noted
for READ and UPDATE access.
- Reset the password or password phrase within the minimum change
interval for a user who does not have the SPECIAL, OPERATIONS, AUDITOR,
or PROTECTED attribute.
- To specify the SHARED keyword, you must have the SPECIAL attribute
or at least READ authority to the SHARED.IDS resource in the UNIXPRIV
class.
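To make the reset-and-resume authority rules above concrete, here is an added example (not RACF code and not from this page) that models them as a single decision function. The FACILITY resource names and attribute names are the page's; the function, class and field names are the example's own assumptions.

```python
"""Added example (not RACF code): models the IRR.PASSWORD.RESET,
IRR.PWRESET.OWNER.owner and IRR.PWRESET.TREE.owner rules from the
authorization section, so an administrator can reason about which
ALTUSER reset requests a given access level permits."""
from dataclasses import dataclass

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}
# A user holding any of these attributes can never be reset via these resources.
PRIVILEGED_ATTRS = frozenset({"SPECIAL", "OPERATIONS", "AUDITOR", "PROTECTED"})
# The only operands that reset authority covers at all.
RESET_OPERANDS = frozenset({"PASSWORD", "PHRASE", "RESUME", "NOEXPIRED"})
# The IRR.PWRESET.EXCLUDE check applies to the OWNER/TREE resources.
EXCLUDABLE_RESOURCES = frozenset({"IRR.PWRESET.OWNER", "IRR.PWRESET.TREE"})


@dataclass
class TargetUser:
    userid: str
    attributes: frozenset = frozenset()   # e.g. {"SPECIAL"}
    has_phrase: bool = False              # user already has a password phrase


@dataclass
class ResetRequest:
    operands: frozenset                 # subset of RESET_OPERANDS
    resume_date: bool = False           # RESUME(date) rather than plain RESUME
    within_min_interval: bool = False   # reset before the minimum change interval elapsed


def check_pwreset(access, resource, target, req, excluded=False):
    """Return (allowed, reason) for an ALTUSER reset attempted with the
    given access level to the given FACILITY resource."""
    rank = ACCESS_RANK.get(access.upper(), 0)
    if rank == 0:
        return False, "no access to %s" % resource
    unknown = req.operands - RESET_OPERANDS
    if unknown:
        return False, "operands not covered by reset authority: %s" % sorted(unknown)
    hit = target.attributes & PRIVILEGED_ATTRS
    if hit:
        return False, "%s has %s" % (target.userid, sorted(hit))
    if excluded and resource in EXCLUDABLE_RESOURCES:
        return False, "excluded by IRR.PWRESET.EXCLUDE.%s" % target.userid
    # READ-level rules (they also bind UPDATE and CONTROL)
    if "PHRASE" in req.operands and not target.has_phrase:
        return False, "PHRASE cannot add a phrase to a user who has none"
    if "RESUME" in req.operands and req.resume_date:
        return False, "RESUME(date) is not permitted through reset authority"
    # UPDATE-level rule
    if "NOEXPIRED" in req.operands:
        if not req.operands & {"PASSWORD", "PHRASE"}:
            return False, "NOEXPIRED requires PASSWORD or PHRASE"
        if rank < ACCESS_RANK["UPDATE"]:
            return False, "NOEXPIRED requires UPDATE access"
    # CONTROL-level rule
    if req.within_min_interval and rank < ACCESS_RANK["CONTROL"]:
        return False, "reset inside the minimum change interval requires CONTROL"
    return True, "permitted with %s access" % access.upper()


if __name__ == "__main__":
    user = TargetUser("SHANNON", has_phrase=True)   # constructed sample user
    print(check_pwreset("READ", "IRR.PASSWORD.RESET", user,
                        ResetRequest(frozenset({"PASSWORD", "NOEXPIRED"}))))
```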
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ALTUSER command is:
[subsystem-prefix]{ALTUSER | ALU}
    (userid …)
    [ ADDCATEGORY(category-name …) | DELCATEGORY [(category-name … | *)] ]
    [ ADSP | NOADSP ]
    [ AT([node].userid …) | ONLYAT([node].userid …) ]
    [ AUDITOR | NOAUDITOR ]
    [ AUTHORITY(group-authority) ]
    [ CICS(
        [ OPCLASS(operator-class …)
          | ADDOPCLASS(operator-class …)
          | DELOPCLASS(operator-class …)
          | NOOPCLASS ]
        [ OPIDENT(operator-id) | NOOPIDENT ]
        [ OPPRTY(operator-priority) | NOOPPRTY ]
        [ RSLKEY(rslkey … | 0 | 99) | NORSLKEY ]
        [ TIMEOUT(timeout-value) | NOTIMEOUT ]
        [ TSLKEY(tslkey … | 0 | 1 | 99) | NOTSLKEY ]
        [ XRFSOFF(FORCE | NOFORCE) | NOXRFSOFF ]
      )
      | NOCICS ]
    [ {CLAUTH | NOCLAUTH} (class-name …) ]
    [ CSDATA(
        [ custom-field-name(custom-field-value) | NOcustom-field-name ] …
      )
      | NOCSDATA ]
    [ DATA('installation-defined-data') | NODATA ]
    [ DCE(
        [ AUTOLOGIN(YES | NO) | NOAUTOLOGIN ]
        [ DCENAME(user-principal-name) | NODCENAME ]
        [ HOMECELL(dce-cell-name) | NOHOMECELL ]
        [ HOMEUUID(home-cell-UUID) | NOHOMEUUID ]
        [ UUID(universal-unique-identifier) | NOUUID ]
      )
      | NODCE ]
    [ DFLTGRP(group-name) ]
    [ DFP(
        [ DATAAPPL(application-name) | NODATAAPPL ]
        [ DATACLAS(data-class-name) | NODATACLAS ]
        [ MGMTCLAS(management-class-name) | NOMGMTCLAS ]
        [ STORCLAS(storage-class-name) | NOSTORCLAS ]
      )
      | NODFP ]
    [ EIM(
        [ LDAPPROF(ldapbind_profile) | NOLDAPPROF ]
      )
      | NOEIM ]
    [ EXPIRED | NOEXPIRED ]
    [ GROUP(group-name) ]
    [ GRPACC | NOGRPACC ]
    [ KERB(
        [ ENCRYPT(
            [ DES | NODES ]
            [ DES3 | NODES3 ]
            [ DESD | NODESD ]
            [ AES128 | NOAES128 ]
            [ AES256 | NOAES256 ]
          )
          | NOENCRYPT ]
        [ KERBNAME(kerberos-principal-name) | NOKERBNAME ]
        [ MAXTKTLFE(max-ticket-life) | NOMAXTKTLFE ]
      )
      | NOKERB ]
    [ LANGUAGE(
        [ PRIMARY(language) | NOPRIMARY ]
        [ SECONDARY(language) | NOSECONDARY ]
      )
      | NOLANGUAGE ]
    [ LNOTES(
        [ SNAME(short-name) | NOSNAME ]
      )
      | NOLNOTES ]
    [ MODEL(dsname) | NOMODEL ]
    [ NAME(user-name) ]
    [ NDS(
        [ UNAME(user-name) | NOUNAME ]
      )
      | NONDS ]
    [ NETVIEW(
        [ CONSNAME(console-name) | NOCONSNAME ]
        [ CTL(GENERAL | GLOBAL | SPECIFIC) | NOCTL ]
        [ DOMAINS(domain-name …)
          | ADDDOMAINS(domain-name …)
          | DELDOMAINS(domain-name …)
          | NODOMAINS ]
        [ IC('command | command-list') | NOIC ]
        [ MSGRECVR(YES | NO) | NOMSGRECVR ]
        [ NGMFADMN(YES | NO) | NONGMFADMN ]
        [ NGMFVSPN(view-span) | NONGMFVSPN ]
        [ OPCLASS(class …)
          | ADDOPCLASS(class …)
          | DELOPCLASS(class …)
          | NOOPCLASS ]
      )
      | NONETVIEW ]
    [ OIDCARD | NOOIDCARD ]
    [ OMVS(
        [ ASSIZEMAX(address-space-size) | NOASSIZEMAX ]
        [ AUTOUID | UID(user-identifier) [ SHARED ] | NOUID ]
        [ CPUTIMEMAX(cpu-time) | NOCPUTIMEMAX ]
        [ FILEPROCMAX(files-per-process) | NOFILEPROCMAX ]
        [ HOME(directory-pathname) | NOHOME ]
        [ MEMLIMIT(nonshared-memory-size) | NOMEMLIMIT ]
        [ MMAPAREAMAX(memory-map-size) | NOMMAPAREAMAX ]
        [ PROCUSERMAX(processes-per-UID) | NOPROCUSERMAX ]
        [ PROGRAM(program-name) | NOPROGRAM ]
        [ SHMEMMAX(shared-memory-size) | NOSHMEMMAX ]
        [ THREADSMAX(threads-per-process) | NOTHREADSMAX ]
      )
      | NOOMVS ]
    [ OPERATIONS | NOOPERATIONS ]
    [ OPERPARM(
        [ ALTGRP(alternate-console-group) | NOALTGRP ]
        [ AUTH(operator-authority) | NOAUTH ]
        [ AUTO(YES | NO) | NOAUTO ]
        [ CMDSYS(system-name) | NOCMDSYS ]
        [ DOM(NORMAL | ALL | NONE) | NODOM ]
        [ HC(YES | NO) | NOHC ]
        [ INTIDS(YES | NO) | NOINTIDS ]
        [ KEY(searching-key) | NOKEY ]
        [ LEVEL(message-level) | NOLEVEL ]
        [ LOGCMDRESP(SYSTEM | NO) | NOLOGCMDRESP ]
        [ MFORM(message-format) | NOMFORM ]
        [ MIGID(YES | NO) | NOMIGID ]
        [ MONITOR(event) | NOMONITOR ]
        [ MSCOPE(system-name … | * | *ALL)
          | ADDMSCOPE(system-name …)
          | DELMSCOPE(system-name …)
          | NOMSCOPE ]
        [ ROUTCODE(ALL | NONE | routing-codes) | NOROUTCODE ]
        [ STORAGE(amount) | NOSTORAGE ]
        [ UD(YES | NO) | NOUD ]
        [ UNKNIDS(YES | NO) | NOUNKNIDS ]
      )
      | NOOPERPARM ]
    [ OVM(
        [ FSROOT(file-system-root) | NOFSROOT ]
        [ HOME(initial-directory-name) | NOHOME ]
        [ PROGRAM(program-name) | NOPROGRAM ]
        [ UID(user-identifier) | NOUID ]
      )
      | NOOVM ]
    [ OWNER(userid or group-name) ]
    [ PASSWORD(password) | NOPASSWORD ]
    [ PHRASE('password-phrase') | NOPHRASE ]
    [ PROXY(
        [ LDAPHOST(ldap_url) | NOLDAPHOST ]
        [ BINDDN(bind_distinguished_name) | NOBINDDN ]
        [ BINDPW(bind_password) | NOBINDPW ]
      )
      | NOPROXY ]
    [ RESTRICTED | NORESTRICTED ]
    [ RESUME [(date)] | NORESUME ]
    [ REVOKE [(date)] | NOREVOKE ]
    [ SECLABEL(seclabel-name) | NOSECLABEL ]
    [ SECLEVEL(seclevel-name) | NOSECLEVEL ]
    [ SPECIAL | NOSPECIAL ]
    [ TSO(
        [ ACCTNUM(account-number) | NOACCTNUM ]
        [ COMMAND(cmd-issued-at-logon) | NOCOMMAND ]
        [ DEST(destination-id) | NODEST ]
        [ HOLDCLASS(hold-class) | NOHOLDCLASS ]
        [ JOBCLASS(job-class) | NOJOBCLASS ]
        [ MAXSIZE(maximum-region-size) | NOMAXSIZE ]
        [ MSGCLASS(message-class) | NOMSGCLASS ]
        [ PROC(logon-procedure-name) | NOPROC ]
        [ SECLABEL(seclabel-name) | NOSECLABEL ]
        [ SIZE(default-region-size) | NOSIZE ]
        [ SYS(sysout-class) | NOSYS ]
        [ UNIT(unit-name) | NOUNIT ]
        [ USERDATA(user-data) | NOUSERDATA ]
      )
      | NOTSO ]
    [ UACC(access-authority) ]
    [ UAUDIT | NOUAUDIT ]
    [ WHEN(
        [ DAYS(day-info) ]
        [ TIME(time-info) ]
      ) ]
    [ WORKATTR(
        [ WAACCNT(account-number) | NOWAACCNT ]
        [ WAADDR1(address-line-1) | NOWAADDR1 ]
        [ WAADDR2(address-line-2) | NOWAADDR2 ]
        [ WAADDR3(address-line-3) | NOWAADDR3 ]
        [ WAADDR4(address-line-4) | NOWAADDR4 ]
        [ WABLDG(building) | NOWABLDG ]
        [ WADEPT(department) | NOWADEPT ]
        [ WANAME(name) | NOWANAME ]
        [ WAROOM(room) | NOWAROOM ]
      )
      | NOWORKATTR ]
Parameters

- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem
prefix can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing
this command as a RACF operator
command. The subsystem prefix is required when issuing RACF operator commands.
- userid
- Specifies
the RACF-defined user or users whose profile you want to change. If
you specify more than one user ID, the list must be enclosed in parentheses.
This operand is required and must be the first operand following
ALTUSER.
- ADDCATEGORY | DELCATEGORY
- ADDCATEGORY(category-name …)
- Specifies
one or more names of installation-defined security categories. The
names you specify must be defined as members of the CATEGORY profile
in the SECDATA class. For information on defining security categories,
see z/OS Security Server RACF Security Administrator's Guide.
When
the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in
addition to its other authorization checking. If a user requests access
to a data set, RACF compares
the list of security categories in the user profile with the list
of security categories in the data set profile. If RACF finds any security category in the data
set profile that is not in the user's profile, RACF denies access to the data set. If the user's
profile contains all the required security categories, RACF continues with other authorization checking.
Note: RACF does not perform security
category checking for a started task or user that has the RACF privileged or trusted attribute.
The RACF privileged or trusted
attribute can be assigned to a started task through the RACF started procedures table or STARTED class,
or to other users by installation-supplied RACF exits.
- DELCATEGORY[(category-name … | *)]
- Specifies
one or more names of the installation-defined security categories
you want to delete from the user profile. Specifying an asterisk (*)
deletes all categories; the user no longer has access to any resources
protected by security category checking.
Specifying DELCATEGORY
without category-name causes RACF to
delete only undefined category names (those names that once were valid
names but that the installation has since deleted from the CATEGORY
profile).
- ADSP | NOADSP
- ADSP
- Assigns the ADSP attribute to the user.
This means that all permanent tape and DASD data sets the user creates
are automatically RACF-protected by discrete profiles. ADSP specified
on the ALTUSER command overrides NOADSP specified on the CONNECT command.
The ADSP attribute has no effect (even if assigned to a user)
if SETROPTS NOADSP is in effect.
- NOADSP
- Specifies that the user no longer
has the ADSP attribute.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid …)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed to the local node.
- ONLYAT([node].userid …)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed only to the local node.
- AUDITOR | NOAUDITOR
- AUDITOR
- Specifies that the
user is to have full responsibility for auditing the use of system
resources. An AUDITOR user can control the logging of detected accesses
to any RACF-protected resources during RACF authorization
checking and accesses to the RACF database.
You must have the SPECIAL attribute to enter the AUDITOR operand.
- NOAUDITOR
- Specifies
that the user no longer has the AUDITOR attribute.
You must have
the SPECIAL attribute to enter the NOAUDITOR operand.
- AUTHORITY(group-authority)
- Specifies
the new level of authority the user is to have in the group specified
in the GROUP operand. The valid group authority values are USE, CREATE,
CONNECT, and JOIN, as described in Group authorities. If you specify AUTHORITY without group-authority, RACF ignores the operand and the
existing group authority remains unchanged.
- CICS | NOCICS
- Adds,
alters, or deletes CICS® operator
information for a CICS terminal
user.
If
you are adding a CICS segment
to a user profile, omitting a suboperand is equivalent to omitting
the suboperand on the ADDUSER command. If you are changing an existing CICS segment in a user profile,
omitting a suboperand leaves the existing value for that suboperand
unchanged.
You can control access to the entire CICS segment or to individual fields within the CICS segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.
- OPCLASS | ADDOPCLASS | DELOPCLASS | NOOPCLASS
- Where operator-class1, operator-class2 are
numbers in the range 1 - 24, defined
as two digits. These numbers represent classes assigned to this operator
to which BMS (basic mapping support) messages are routed.
- OPCLASS(operator-class …)
- Specifies
the list of classes assigned to this operator to which BMS messages
are routed.
- ADDOPCLASS(operator-class …)
- Adds
to the list of classes assigned to this operator to which BMS messages
are routed.
- DELOPCLASS(operator-class …)
- Deletes
only the specified classes from the list of classes assigned to this
operator to which BMS messages are routed.
- NOOPCLASS
- Deletes
all operator classes from this profile and returns the user to the CICS defaults for this field. This
field no longer appears in LISTUSER output.
- OPIDENT | NOOPIDENT
- OPIDENT(operator-id)
- Specifies a 1 - 3 character
identification of the operator for use by BMS.
Operator identifiers can consist of any characters, and can be entered with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered as part of the operator identifier, the character string must be enclosed in single quotation marks. For example, if the operator identifier is (1), you must enter OPIDENT('(1)').
- If a single quotation mark is intended to be part of the operator
identifier, use two single quotation marks together for each single
quotation mark within the string, and enclose the entire string within
single quotation marks.
- NOOPIDENT
- Deletes
the operator identification and returns the user to the CICS default for this field. The OPIDENT field
defaults to blanks in the RACF user
profile, and blanks appear for the field in LISTUSER output.
- OPPRTY | NOOPPRTY
- OPPRTY(operator-priority)
- Specifies a number in the range 0 - 255 that
represents the priority of the operator.
- NOOPPRTY
- Deletes
the operator priority and returns the user to the CICS default for this field.
This field defaults
to zeros in the RACF user profile,
and zeros appear for the field in LISTUSER output.
- RSLKEY | NORSLKEY
- RSLKEY(rslkey … | 0 | 99)
- Specifies the complete list of resource security level (RSL) keys
assigned to the user. The RSL keys are used by CICS on distributed platforms. Each CICS resource has one RSL key assigned
to it; in order for a user to access a resource, the user must have
the same RSL key as the RSL key assigned to the resource.
RSLKEY
does not add or delete keys. It only replaces existing keys. Use NORSLKEY
to delete keys.
- RSLKEY(rslkey …) specifies a list of
one or more numbers in the range of 1 - 24 which
represent the resource security level (RSL) keys assigned to the user.
- If RSLKEY(0) is specified, no RSL keys are assigned to the user.
- If RSLKEY(99) is specified, all RSL keys are assigned to the user
(1 - 24,
inclusive).
- Keys 0 and 99 are mutually exclusive and cannot be specified with
any other keys.
- If RSLKEY is specified with no key numbers, RSLKEY(0) is defaulted.
- NORSLKEY
- Specifies
that you want to remove the RSL key list from the user's RACF user profile. CICS will treat it as RSLKEY(0).
- TIMEOUT | NOTIMEOUT
- TIMEOUT(timeout-value)
- Specifies the time, in hours and minutes, that the operator is
allowed to be idle before being signed off. The value for TIMEOUT
can be entered in the form m, mm, hmm,
or hhmm, where the value for m or mm is
00 - 59,
or 00 - 60
if h or hh is
not specified or is specified as 0 or 00.
The value for h or hh must
be 00 - 99.
If this suboperand is omitted, there is no change to this field.
- NOTIMEOUT
- Deletes
the timeout value and returns the user to the CICS default for this field.
This field defaults
to zeros in the RACF user profile,
and zeros appear for the field in LISTUSER output.
- TSLKEY | NOTSLKEY
- TSLKEY(tslkey … | 0 | 1 | 99)
- Specifies the complete list of transaction security level (TSL)
keys assigned to the user. The TSL keys are used by CICS on distributed platforms. Each CICS transaction has one TSL key
assigned to it; in order for a user to run a transaction, the user
must have the same TSL key as the TSL key assigned to the transaction.
TSLKEY does not add or delete keys. It only replaces existing
keys. Use NOTSLKEY to delete keys.
- TSLKEY(tslkey …) specifies a list of
one or more values of 1 - 64 which
represent the transaction security level (TSL) keys assigned to the
user.
- If TSLKEY(0) is specified, no TSL keys are assigned to the user.
- If TSLKEY(99) is specified, all TSL keys are assigned to the user
(1 - 64,
inclusive).
- Keys 0 and 99 are mutually exclusive and cannot be specified with
any other keys.
- If TSLKEY is specified with no key numbers, TSLKEY(1) is defaulted.
- NOTSLKEY
- Specifies
that you want to remove the TSL key list from the user's RACF user profile. CICS will treat it as TSLKEY(1).
- XRFSOFF | NOXRFSOFF
- XRFSOFF(FORCE | NOFORCE)
- Specifies
that the user is to be signed off by CICS when
an XRF takeover occurs.
- NOXRFSOFF
- Returns
the user to the CICS default
for this field.
This field defaults to NOFORCE in the RACF user profile, and NOFORCE appears in LISTUSER
output.
- NOCICS
- Deletes
the CICS segment from a user
profile. No CICS information
appears in LISTUSER output.
- CLAUTH | NOCLAUTH
- CLAUTH(class-name …)
- Specifies
the classes in which the user is allowed to define profiles to RACF for protection, in addition
to the classes previously allowed for the user. Classes you can specify
are USER, and any resource class defined in the class descriptor table. RACF adds the class names you specify
to the class names previously specified for this user.
To enter
the CLAUTH operand, you must have the SPECIAL attribute, or the user's
profile must be within the scope of a group in which you have the
group-SPECIAL attribute and have the CLAUTH attribute, or you must
be the owner of the user's profile and have the CLAUTH attribute for
the class to be added.
Note: The CLAUTH attribute has no meaning
for the FILE and DIRECTORY classes.
- NOCLAUTH(class-name …)
- Specifies
that the user is not allowed to define profiles to RACF for the classes that you specify. Classes
you can specify are USER and any resource class name defined in the
user profile. RACF deletes
the class names you specify from the class names previously allowed
for this user.
To enter the NOCLAUTH operand specifying a class
in the class descriptor table, you must have the SPECIAL attribute,
or the user's profile must be within the scope of a group in which
you have the group-SPECIAL attribute and have the CLAUTH attribute,
or you must be the owner of the user's profile and have the CLAUTH
attribute for the class to be deleted.
To enter the NOCLAUTH
operand specifying a class that is not in the class descriptor table
you must have the SPECIAL attribute.
If you do not have sufficient authority for
a specified class, RACF ignores
the CLAUTH or NOCLAUTH specification for the class and continues processing
with the next class name specified.
- CSDATA | NOCSDATA
- CSDATA
- Specifies information
to add, change, or remove a custom field for this user.
- custom-field-name … | NOcustom-field-name …
- custom-field-name(custom-field-value) …
- Specifies the name and value of a custom field for this user.
You can specify values for multiple custom fields with a single ALTUSER
command.
Usage for each custom field is defined using the CFDEF
operand of the RDEFINE command for resource profiles in the CFIELD
class. Contact your security administrator to see how custom fields
are used at your installation. For more information about custom fields,
see z/OS Security Server RACF Security Administrator's Guide.
Rules:
- You must use the same custom-field-name as defined by the CFIELD profile named USER.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
- You must specify a custom-field-value that
is valid for the attributes of this custom field. (The attributes,
such as data type, are defined in the CFDEF segment of the CFIELD
profile.)
- NOcustom-field-name …
- Removes the custom
field information for this user. You can remove values for multiple
custom fields with a single ALTUSER command.
When you append the
prefix NO to the name of the custom field, you delete the value
for that custom field from the user's profile. For example, if your
installation has defined a custom field named ADDRESS and you want
to remove the ADDRESS field from the profile of the user SHANNON,
you might issue the following command:
Example: ALTUSER SHANNON CSDATA(NOADDRESS)
- NOCSDATA
- Deletes
the CSDATA segment from the user profile.
- DATA | NODATA
- DATA('installation-defined-data')
- Specifies
up to 255 characters of installation-defined data to be stored in
the user's profile and must be enclosed in single quotation marks.
It can also contain double-byte character set (DBCS) data. Note that
only 254 characters of data are available for installation exits.
If your installation has exits that examine this data, you should
specify a maximum of 254 characters.
Use the LISTUSER command
to list this information.
- NODATA
- Specifies
that the ALTUSER command is to delete the installation-defined data
in the user's profile.
- DCE | NODCE
- DCE
- Adds or modifies the DCE segment in the user profile of the
specified z/OS DCE user
or Distributed File Service (DFS) Server Message Block (SMB) user. You
can enter any of the following suboperands to specify information
for that user. Each suboperand defines information that RACF stores in a field within the DCE segment
of the user's profile.
You can control access to an entire DCE
segment or to individual fields within the DCE segment by using field
level access checking.
- AUTOLOGIN(YES | NO)
| NOAUTOLOGIN
- Specifies whether z/OS UNIX DCE is to log this user in to z/OS UNIX DCE automatically.
If AUTOLOGIN(NO) or NOAUTOLOGIN is specified, z/OS UNIX DCE does not attempt to log this user in to z/OS UNIX DCE automatically.
If AUTOLOGIN is not specified, AUTOLOGIN(NO) is the default.
- DCENAME | NODCENAME
- DCENAME(user-principal-name)
- Specifies the DCE principal name defined for this RACF user in the DCE registry.
The DCENAME
you define to RACF can contain
1 - 1023
characters and can consist of any character. You can enter the name
with or without single quotation marks, depending on the following:
- If parentheses, commas, blanks, or semicolons are entered as part
of the name, the character string must be enclosed in single quotation
marks.
- If a single quotation mark is intended to be part of the character
string, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. RACF does not ensure that a valid DCENAME has
been specified.
The DCENAME assigned to a user must be the
same as the DCE principal name defined to the DCE registry.
If
DCENAME is not specified, the LISTUSER command does not display a
DCENAME for this user.
Note: RACF does
not enforce the uniqueness of each DCENAME. The DCENAME specified
must match the user's DCE principal name that is defined to the DCE
registry. If the DCENAME entered does not correspond to the DCE principal
name entered in the DCE registry for this user, z/OS UNIX DCE cannot
correctly associate the identity of the DCE principal with the correct RACF user ID.
- NODCENAME
- Specifies that you want to delete the DCE principal name from
the DCE segment of the user's profile.
If NODCENAME is specified,
the LISTUSER command does not display a DCENAME for this user.
- HOMECELL | NOHOMECELL
- HOMECELL(dce-cell-name)
- Specifies the DCE cell name defined for this RACF user.
The HOMECELL you define to RACF can contain 1 - 1023 characters and can consist of any character. You can enter the name with or without single quotation marks, depending on the following:
- If parentheses, commas, blanks, or semicolons are entered as part of the cell name, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the cell
name, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. The fully qualified
pathname should be specified. RACF does
not ensure that a valid DCE cell name has been specified.
The
HOMECELL assigned to a user must be the same as the DCE cell
name that this user has been defined to.
If the HOMECELL is
not specified, z/OS UNIX DCE single
signon to DCE support assumes that the HOMECELL for this user is the
same cell where this MVS system is defined.
RACF checks that the HOMECELL name entered begins with
either /.../ or /.:/.
The
notation /.../ indicates that the HOMECELL name is
a global domain name service (DNS) cell name or X.500 global name.
The
notation /.:/ indicates that the HOMECELL name is
a cell relative CDS (cell directory service) name. When determining
the naming conventions used within your DCE cell, you should contact
your DCE cell administrator.
- NOHOMECELL
- Specifies that you want to delete the cell information from the
DCE segment of the user profile.
If NOHOMECELL is specified, the
LISTUSER command does not display the HOMECELL for this user.
- HOMEUUID | NOHOMEUUID
-
- HOMEUUID(home-cell-UUID)
- Specifies the DCE universal unique identifier (UUID) for the cell
that this user is defined to. The UUID is a 36-character string that
consists of numeric and hexadecimal characters. This string must have
the delimiter character (-) in positions 9, 14, 19,
and 24. The general format for the UUID string is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,
in which x represents a valid numeric or
hexadecimal character.
Be careful when assigning UUIDs. The UUID cannot be
randomly assigned. The HOMEUUID is the DCE UUID of the cell that this RACF user is defined to. If HOMEUUID
is not specified, the LISTUSER command displays NONE for the HOMEUUID
field.
Note: The HOMEUUID specified must match the UUID
of the DCE cell to which this principal (specified by the DCENAME
operand) is defined.
- NOHOMEUUID
- Specifies that you want to delete the home cell unique universal
identifier from the DCE segment of the user's profile.
If NOHOMEUUID
is specified, LISTUSER for that user ID shows NONE for the HOMEUUID
field.
- UUID | NOUUID
-
- UUID(universal-unique-identifier)
- Specifies the DCE universal unique identifier (UUID) of the DCE
principal defined in DCENAME. The UUID is a 36-character string that
consists of numeric and hexadecimal characters. This string must have
the delimiter character (-) in positions 9, 14, 19,
and 24. The general format for the UUID string is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,
in which x represents a valid numeric or
hexadecimal character.
Be careful when assigning UUIDs. The UUID cannot be
randomly assigned.
The DCE UUID assigned to a user must be
the same as the DCE UUID assigned when defining this RACF user to the DCE registry as a DCE principal.
If
UUID is not specified, the user cannot become a z/OS DCE user
and a LISTUSER command for that user ID shows NONE for the UUID.
Note: RACF does not enforce the uniqueness
of each UUID entered. The UUID specified must match the UUID in the
DCE registry for the principal (specified by the DCENAME operand)
that is being cross-linked with this RACF user
ID.
- NOUUID
- Specifies that you want to delete the DCE unique universal identifier
from the DCE segment of the user's profile.
If NOUUID is specified,
LISTUSER for that user ID shows NONE for the UUID field.
- NODCE
- Specifies
that RACF should delete the
DCE segment from the user's profile.
- DFLTGRP(group-name)
- Specifies the name of a RACF-defined
group to be used as the new default group for the user. The user must
already be connected to this new group with at least USE authority.
The user remains connected to the previous default group.
- DFP
| NODFP
-
- DFP
- Specifies
that when you change the profile of a user, you can enter any of the
following suboperands to add, change, or delete default values for
the DFP data application, data class, management class, and storage
class. DFP uses this information to determine data management and
DASD storage characteristics when a user creates a new data set.
You
can control access to the entire DFP segment or to individual fields
within the DFP segment by using field-level access checking. For more
information, see z/OS Security Server RACF Security Administrator's Guide. - DATAAPPL | NODATAAPPL
-
- DATAAPPL(application-name)
- Specifies
the name of a DFP data application. The name you specify can contain
up to 8 alphanumeric characters.
- NODATAAPPL
- Specifies
that you want to delete the DFP data application name from the DFP
segment of the user's profile.
- DATACLAS | NODATACLAS
-
- DATACLAS(data-class-name)
- Specifies
the default data class. The class name you specify can contain up
to 8 alphanumeric characters.
A data class can specify some or
all of the physical data set attributes associated with a new data
set. During new data set allocation, data management uses the value
you specify as a default unless it is preempted by a higher priority
default, or overridden in some other way (for example, by JCL).
The
value you specify must be a valid data class name defined for use
on your system. For more information, see z/OS Security Server RACF Security Administrator's Guide.
For
information on defining DFP data classes, see z/OS DFSMSdfp Storage Administration.
- NODATACLAS
- Specifies
that you want to delete the default data class name from the DFP segment
of the user's profile.
- MGMTCLAS | NOMGMTCLAS
-
- MGMTCLAS(management-class-name)
- Specifies
the default management class. The class name you specify can contain
up to 8 alphanumeric characters.
A management class contains a
collection of management policies that apply to data sets. Data management
uses the value you specify as a default unless it is preempted by
a higher priority default, or overridden in some other way (for example,
by JCL).
The value you specify must be defined as a profile
in the MGMTCLAS general resource class, and the user must be granted
at least READ access to the profile. Otherwise, RACF does not allow the user access to the specified
MGMTCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.
For
information on defining DFP management classes, see z/OS DFSMSdfp Storage Administration.
- NOMGMTCLAS
- Specifies
that you want to delete the default management class name from the
DFP segment of the user's profile.
- STORCLAS | NOSTORCLAS
-
- STORCLAS(storage-class-name)
- Specifies
the default storage class. The class name you specify can contain
up to 8 alphanumeric characters.
A storage class specifies the
service level (performance and availability) for data sets managed
by the storage management subsystem (SMS). During new data set allocation,
data management uses the value you specify as a default unless it
is preempted by a higher priority default, or overridden in some other
way (for example, by JCL).
The value you specify must be defined
as a profile in the STORCLAS general resource class, and the user
must be granted at least READ access to the profile. Otherwise, RACF does not allow the user access
to the specified STORCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.
For
information on defining DFP storage classes, see z/OS DFSMSdfp Storage Administration.
- NOSTORCLAS
- Specifies
that you want to delete the default storage class name from the DFP
segment of the user's profile.
- NODFP
- Specifies
that RACF should delete the
DFP segment from the user's profile.
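The following is an added example, not from the IBM reference, of setting a user's DFP defaults together with the access the MGMTCLAS and STORCLAS text above requires. It assumes a user JSMITH, SMS classes DCSTD, MCSTD and SCSTD already defined to DFSMS, and that the MGMTCLAS and STORCLAS classes are active and RACLISTed; it is run as a batch TSO job so the commands are recorded with the job.

```jcl
//DFPSEG   JOB (ACCT),'DFP DEFAULTS',CLASS=A,MSGCLASS=X
//* Added example, not from the RACF reference. Assumed names:
//* user JSMITH; SMS classes DCSTD, MCSTD, SCSTD defined to DFSMS.
//* MGMTCLAS and STORCLAS are assumed active and RACLISTed.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE MGMTCLAS MCSTD UACC(NONE)
  RDEFINE STORCLAS SCSTD UACC(NONE)
  PERMIT MCSTD CLASS(MGMTCLAS) ID(JSMITH) ACCESS(READ)
  PERMIT SCSTD CLASS(STORCLAS) ID(JSMITH) ACCESS(READ)
  SETROPTS RACLIST(MGMTCLAS STORCLAS) REFRESH
  ALTUSER JSMITH DFP(DATACLAS(DCSTD) MGMTCLAS(MCSTD) STORCLAS(SCSTD))
  LISTUSER JSMITH DFP NORACF
/*
```

The segment only stores names; the profiles and the READ permits are what let the user actually use those classes at allocation time, so grant the access before or together with setting the default. Note that no RACF class backs DATACLAS, so RACF cannot tell you whether DCSTD exists; check it with DFSMS. The final LISTUSER confirms the three names landed in the DFP segment.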
- EIM
| NOEIM
- Specifies
or deletes the bind information required to establish a connection
with the EIM domain.
- EIM
- Specifies the EIM segment for the user's profile.
- LDAPPROF(ldapbind_profile)
- Specifies the name of a profile in the LDAPBIND class. The profile
in the LDAPBIND class contains the name of an EIM domain and the bind
information required to establish a connection with the EIM domain.
The EIM services attempt to retrieve this information when it is not
explicitly supplied through invocation parameters. Applications or
other services that use the EIM services may instruct their callers
to define a profile in the LDAPBIND class or the IRR.PROXY.DEFAULTS
profile in the FACILITY class.
The ldapbind_profile specifies
the name of a profile in the LDAPBIND class containing the EIM domain
and the LDAP bind information. The ldapbind_profile name
may be 1 - 246
characters long. It is not a case-sensitive name.
- NOLDAPPROF
- Deletes the LDAPBIND profile name from the EIM segment in the
user's profile.
- NOEIM
- Deletes
the EIM segment from the user's profile.
- EXPIRED
| NOEXPIRED
-
- EXPIRED
- Specifies
that the new password or password phrase (specified with the PASSWORD
or PHRASE keyword) or the new password defaulted by the PASSWORD keyword
is marked as expired. Specifying the EXPIRED keyword requires the
user to change their new password or password phrase at the next logon
or job start.
The EXPIRED keyword is only valid when specified
with the PASSWORD or PHRASE keyword.
When EXPIRED is specified
with the PHRASE keyword, the password phrase you specify is subject
to the basic RACF rules for
password phrase syntax and to any rules set by the installation through
the new-password-phrase exit (ICHPWX11), if present.
When EXPIRED
is specified with the PASSWORD keyword, the password you specify is not subject
to the password syntax rules set by the installation through the SETROPTS
PASSWORD command. However, the password is checked by the new-password
exit (ICHPWX01), if present.
- NOEXPIRED
- Specifies
that the password specified by the PASSWORD keyword or the password
phrase specified by the PHRASE keyword need not be changed at the
next logon. The NOEXPIRED keyword is only valid when specified with
the PASSWORD or PHRASE keyword. NOEXPIRED does not indicate
that the password or password phrase never expires. If you want to
set a password or password phrase that never expires, use the NOINTERVAL
keyword on the PASSWORD command.
When NOEXPIRED is specified,
the password or password phrase value you supply is subject to certain
rules. Those rules include the basic RACF rules
for password phrase syntax and any password syntax rules
set by the installation through the SETROPTS PASSWORD(RULEn) command.
In addition, the new-password exit (ICHPWX01), if present, is called
to check passwords. The new-password-phrase exit (ICHPWX11), if present,
is called to check password phrases and perform additional validation.
To
specify NOEXPIRED, you must either have the SPECIAL attribute (at
the system level), or you must have UPDATE access to either the IRR.PASSWORD.RESET
resource or the appropriate IRR.PWRESET resource in the FACILITY class.
Being the owner of the USER profile or having the group-SPECIAL attribute
is not sufficient when NOEXPIRED is specified.
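Added example, not from the IBM reference, showing the two password-reset forms described above and the FACILITY profile that lets a help desk perform the expired form. Assumed names: group HELPDESK, users JSMITH and BATCHSVC; the password and phrase values are placeholders. Because the values are typed into SYSTSIN, they also sit in the job's input on the JES spool, so restrict who can browse this job and its output (the same concern the ISPLOG and syslog cautions raise for the other ways of issuing ALTUSER).

```jcl
//PWRESET  JOB (ACCT),'PASSWORD RESET',CLASS=A,MSGCLASS=X
//* Added example, not from the RACF reference. Assumed names:
//* group HELPDESK, users JSMITH and BATCHSVC. TMP7Q2KZ and the
//* phrase are placeholders. The values appear in this job's input
//* on the JES spool: restrict who can browse the job and its output.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY IRR.PASSWORD.RESET UACC(NONE)
  PERMIT IRR.PASSWORD.RESET CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  ALTUSER JSMITH PASSWORD(TMP7Q2KZ) EXPIRED
  ALTUSER BATCHSVC PHRASE('Nightly batch feed 2024 11') NOEXPIRED
  LISTUSER JSMITH
  LISTUSER BATCHSVC
/*
```

The first ALTUSER is the form a HELPDESK member with READ access can issue: the temporary value is usable once, the user must replace it at next logon, and SETROPTS PASSWORD syntax rules are not applied to it (the ICHPWX01 exit still runs). The second form, NOEXPIRED, is for an identity that cannot change its own credential interactively and needs system SPECIAL or UPDATE access to IRR.PASSWORD.RESET; ownership of the profile or group-SPECIAL is not enough. NOEXPIRED still leaves the phrase subject to the normal change interval; only NOINTERVAL on the PASSWORD command removes that.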
- GROUP(group-name)
- Specifies the
group to which changes to the group-related user attributes UACC and
AUTHORITY are to be made. The user must be connected to the specified
group.
If you omit GROUP, the changes apply to the user's default
group. If you omit GROUP and specify DFLTGRP, however, the changes
still apply to the user's previous default group.
- GRPACC
| NOGRPACC
-
- GRPACC
- Specifies
that any group data sets protected by DATASET profiles defined by
this user are automatically accessible to other users in the group.
The group whose name is used as the high-level qualifier of the data
set name (or the qualifier supplied by a command installation exit)
has UPDATE access authority in the new profile. GRPACC specified on
the ALTUSER command overrides NOGRPACC specified on the CONNECT command.
- NOGRPACC
- Specifies
that the user no longer has the GRPACC attribute.
- KERB
| NOKERB
-
- KERB
- Specifies z/OS Integrated Security Services Network Authentication
Service information
for a user defined to RACF.
Each subkeyword defines information that RACF stores in a field within the KERB segment
of the user's profile.
Note: The RACF user
password must be changed to be non-expired in order to complete the
definition of the z/OS Network Authentication Service principal.
The user cannot use any z/OS Network Authentication Service function
until the definition is complete.
- ENCRYPT | NOENCRYPT
-
- ENCRYPT
- Specifies which keys the user (the z/OS Network Authentication Service principal)
is allowed to use.
- DES | NODES
- Whether DES encrypted keys can be used.
- DES3 | NODES3
- Whether DES3 encrypted keys can be used.
- DESD | NODESD
- Whether DESD encrypted keys can be used.
- AES128 | NOAES128
- Whether AES128 encrypted keys can be used.
- AES256 | NOAES256
- Whether AES256 encrypted keys can be used.
When a principal's password changes, a key of
each type is generated and stored in the principal's user profile.
The use of each key is based on the z/OS Network Authentication Service configuration.
Important: When
you enable the use of a new key type, be sure that the principal's
password is changed to ensure that a key of the new type is generated
and stored in the principal's user profile.
See z/OS Integrated Security Services Network Authentication Service Administration for
information about how z/OS Network Authentication Service uses
keys and how to customize environment variables related to keys.
- NOENCRYPT
- Specifies
that there is no restriction on which generated keys the principal
can use, and resets the KERB ENCRYPT values to the default settings.
See z/OS Integrated Security Services Network Authentication Service Administration for
information about how z/OS Network Authentication Service uses
keys and how to customize environment variables related to keys.
- KERBNAME | NOKERBNAME
-
- KERBNAME(kerberos-principal-name)
- Specifies
the z/OS user
ID's local kerberos-principal-name.
The
value specified for the local kerberos-principal-name must
be unique. Consequently, a list of users cannot be specified on an
ALTUSER command with the KERBNAME keyword.
The kerberos-principal-name you
define to RACF can consist
of any character except the @ (X'7C') character.
You can enter the name with or without single quotation marks, depending
on the following: - If parentheses, commas, blanks, or semicolons are entered as part
of the name, the name must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the name
and the entire character string is enclosed in single quotation marks,
you must use two single quotation marks together to represent each
single quotation mark within the string.
- If the first character of the name is a single quotation mark,
you must enter the string within single quotation marks, with two
single quotation marks entered for that single quotation mark.
Guideline: Avoid using EBCDIC variant characters
to prevent problems with different code pages.
Both uppercase
and lowercase characters are accepted and maintained in the case in
which they are entered. However, RACF does
not ensure that a valid kerberos-principal-name has
been specified.
A local kerberos-principal-name must not be
qualified with a realm name when specified with the KERBNAME keyword.
However, RACF verifies that
the local principal name, when fully qualified with the name of the
local realm: /.../local_realm_name/principal_name
does
not exceed 240 characters. For example,
This length verification requires that the REALM profile for
the local realm KERBDFLT be defined and contain the name of the local
realm, prior to the specification of local z/OS Network Authentication Service user
principals. Otherwise, z/OS Network Authentication Service users
will not be defined.
Note: Because of the relationship between
realm names and local kerberos-principal-names,
in which the length of a fully qualified name cannot exceed 240 characters,
caution and planning must go into renaming the local realm because
the combined length is only checked by RACF when
a local kerberos-principal-name is added
or altered. Renaming the realm should be avoided as a result.
- NOKERBNAME
- Deletes
the kerberos-principal-name. This invalidates
the z/OS user
ID's z/OS Network Authentication Service account.
- MAXTKTLFE | NOMAXTKTLFE
-
- MAXTKTLFE(max-ticket-life)
- Specifies
the max-ticket-life in seconds. The value
for MAXTKTLFE must be 1 - 2 147 483 647.
Note that 0 is not a valid value.
If MAXTKTLFE is specified on
the definition of a local z/OS Network Authentication Service principal,
the z/OS Integrated Security Services Network Authentication
Service takes
the most restrictive of the value defined for the local principal
and the value specified on the definition of the local realm (the
KERBDFLT profile in the REALM class). Consequently, if the realm max-ticket-life is
24 hours, a principal cannot get a ticket with a longer lifetime even
if the max-ticket-life is set to 48 hours.
If this field is not specified for a local principal, or if NOMAXTKTLFE
has been specified, the maximum lifetime for tickets created by this
principal is determined from the definition of the local z/OS Network Authentication Service realm.
- NOMAXTKTLFE
- Deletes
the max-ticket-life value for this local z/OS Network Authentication Service principal.
- NOKERB
- Deletes
the user's KERB segment. This user is no longer considered a principal
by the z/OS Integrated Security Services Network Authentication
Service.
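Added example, not from the IBM reference, of defining a local Network Authentication Service principal with the KERB keywords above, including the REALM KERBDFLT profile the length check depends on, a restricted key-type list, and the non-expired password change that completes the definition. Assumed names: local realm KRB390.EXAMPLE.COM, user JSMITH, principal name jsmith; the realm password and user password are placeholders.

```jcl
//KRBPRIN  JOB (ACCT),'KERBEROS PRINCIPAL',CLASS=A,MSGCLASS=X
//* Added example, not from the RACF reference. Assumed names:
//* realm KRB390.EXAMPLE.COM, user JSMITH, principal jsmith.
//* REALMPW1 and TMP7Q2KZ are placeholders. If KERBDFLT already
//* exists, use RALTER instead of RDEFINE for the first command.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE REALM KERBDFLT KERB(KERBNAME(KRB390.EXAMPLE.COM) -
    PASSWORD(REALMPW1) MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400))
  ALTUSER JSMITH KERB(KERBNAME(jsmith) MAXTKTLFE(28800) -
    ENCRYPT(AES256 AES128 NODES NODES3 NODESD))
  ALTUSER JSMITH PASSWORD(TMP7Q2KZ) NOEXPIRED
  LISTUSER JSMITH KERB NORACF
/*
```

The order matters: KERBDFLT must carry the realm name before any KERBNAME is set, or the 240-character check cannot run and the principal is not defined. ENCRYPT limits the principal to AES keys; because keys are only generated when the password changes, the PASSWORD ... NOEXPIRED command that follows is what actually populates the AES keys and completes the definition (NOEXPIRED needs SPECIAL or UPDATE access to IRR.PASSWORD.RESET). MAXTKTLFE(28800) is eight hours; the realm allows 24, so the principal's smaller value wins. Check the LISTUSER output to confirm the principal name kept its lowercase form, since a TSO line-mode terminal can fold input to uppercase while batch SYSTSIN passes it as entered.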
- LANGUAGE
| NOLANGUAGE
- Specifies to add, alter, or delete the user's preferred national
languages.
Specify LANGUAGE if this user is to have languages
other than the ones established or defaulted by the LANGUAGE operand
on the SETROPTS command, or the ones previously specified with the
ADDUSER command. - LANGUAGE(PRIMARY(language)
SECONDARY(language))
- Specifies
the user's preferred national languages. Specify this operand if the
user is to have languages other than the system-wide defaults (established
by the LANGUAGE operand on the SETROPTS command).
- If this profile is for a TSO/E user who will establish an extended
MCS console session, the languages you specify should be one of the
languages specified on the LANGUAGE LANGCODE statements in the MMSLSTxx
PARMLIB member. See your MVS system programmer for this information.
For more information on TSO/E national language support, see z/OS TSO/E Customization.
- If this profile is for a CICS user,
see your CICS administrator
for the languages supported by CICS on
your system.
For more information, visit CICS Transaction Server for z/OS Information
Center.
- PRIMARY | NOPRIMARY
-
- PRIMARY(language)
- Specifies the user's new primary language.
- NOPRIMARY
- Deletes any primary language information from
the user's profile and returns the user to the installation's default
primary language.
- SECONDARY | NOSECONDARY
-
- SECONDARY(language)
- Specifies the language to
which the user's secondary language is to be changed.
- NOSECONDARY
- Deletes any secondary language information from
the user's profile and returns the user to the installation's default
secondary language.
Note: - For the primary and secondary languages, specify either the installation-defined
name of a currently active language (a maximum of 24 characters) or
one of the language codes (three characters in length) for a language
installed on your system.
- The language name can be a quoted or unquoted string.
- The same language can be specified for both the PRIMARY and SECONDARY
parameters.
- If the MVS message service is not active, the PRIMARY and SECONDARY
values must be a 3-character language code.
- NOLANGUAGE
- Deletes
the user's preferred national languages from the profile and returns
that user to the installation defaults. LANGUAGE information no longer
appears in LISTUSER output.
- LNOTES
| NOLNOTES
-
- LNOTES
- Specifies Lotus Notes for z/OS information
for the user profile being changed.
- SNAME | NOSNAME
-
- SNAME(short-name)
- Specifies
the Lotus Notes for z/OS short-name of
the user being changed. The name should match the one stored in the Lotus® Notes® address book for this user, but this
is not verified by the command.
The short-name you
define to RACF can contain
1 - 64
characters. You can specify the following characters: uppercase and
lowercase alphabetic characters (A - Z,
and a - z), 0 - 9, & (X'50'), - (X'60'), . (X'4B'), _ (X'6D'),
and blanks (X'40').
If the short-name you
specify contains any blanks, it must be enclosed in single quotation
marks. The short-name is stripped of leading
and trailing blanks.
The value specified for the short-name must
be unique. Consequently, a list of users cannot be specified on
an ALTUSER command with the SNAME keyword.
- NOSNAME
- Specifies
that you want to delete the short-name from
the LNOTES segment of the user's profile.
- NOLNOTES
- Specifies that you want to delete the LNOTES segment from the
user's profile.
- MODEL
| NOMODEL
-
- MODEL(dsname)
- Specifies
the name of a data set that RACF is
to use as a model when new data set profiles are created that have userid as
the high-level qualifier. For this operand to be effective, the MODEL(USER)
option (specified on the SETROPTS command) must be active. If the
ALTUSER command cannot find the dsname profile,
it issues a warning message but places the model name in the user
ID entry.
Note that RACF always
prefixes dsname with the user ID.
For
information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.
- NOMODEL
- Deletes
the model profile name in the user's profile.
- NAME(user-name)
- Specifies the user
name to be associated with the user ID. You can use a maximum of 20
alphanumeric or non-alphanumeric characters. If the name you specify
contains any blanks, it must be enclosed in single quotation marks.
Names longer than 20 characters are truncated to 20 characters
when you enclose the name in quotation marks. However, if you specify
a name longer than 20 characters without enclosing the name
in quotation marks, you receive an error from the TSO parse routine.
If
you omit the NAME operand, RACF uses
a default of twenty # (X'7B') characters
('### …'). Note, however, that the corresponding
entry in a LISTUSER output is the word UNKNOWN.
- NDS
| NONDS
-
- NDS
- Specifies Novell Directory Services for OS/390 information
for the user profile being changed.
- UNAME | NOUNAME
-
- UNAME(user-name)
- Specifies
the Novell Directory Services for OS/390 user-name of
the user being changed. The user-name value
should match the name stored in the Novell Directory Services for OS/390 directory
for this user, but this is not verified by the command.
The user-name you
define to RACF can contain
1 - 246
characters. However, the user-name cannot
contain the following characters: * (X'5C'), + (X'4E'), | (X'4F'), = (X'7E'), , (X'6B'), " (X'7F'), ` (X'79'), / (X'61'), : (X'7A'), ; (X'5E'), ¢ (X'4A'), and
brackets [ and ] (X'AD' and X'BD').
If
the user-name you specify contains any parentheses
or blanks, it must be enclosed in single quotation marks. The user-name is
stripped of leading and trailing blanks. If a single quotation mark
is intended to be part of the user-name,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The value specified for the user-name must
be unique. Consequently, a list of users cannot be specified on an
ALTUSER command with the UNAME keyword.
- NOUNAME
- Specifies
that you want to delete the user-name from
the NDS segment of the user's profile.
- NONDS
- Specifies that RACF delete
the NDS segment from the user's profile.
- NETVIEW
| NONETVIEW
-
- NETVIEW
- Specifies
that this is a NetView® operator
that can enter any of the following suboperands to add, update, or
delete the information in the NETVIEW segment.
You can control
access to the entire NETVIEW segment or to individual fields within
the NETVIEW segment by using field-level access checking. For more
information, see z/OS Security Server RACF Security Administrator's Guide.
- CONSNAME | NOCONSNAME
-
- CONSNAME(console-name)
- Specifies
the default MCS console name identifier used for this operator. This
default console name is used when the operator does not specify a
console name using the NetView GETCONID
command.
The console-name value is a
1 - 8
character identifier whose validity is checked by MVS processing when
the operator tries to use it. See z/OS MVS Planning: Operations
for information on valid values for a particular release.
- NOCONSNAME
- Deletes
any default MCS console name previously specified for this operator.
- CTL | NOCTL
-
- CTL (GENERAL | GLOBAL | SPECIFIC)
- Specifies
whether a security check is performed for this NetView operator when they try to use a span
or try to do a cross-domain logon.
- GENERAL
- Specifies that a security check is done as for SPECIFIC
and, in addition, that the operator is allowed to access devices that
are not part of any span.
- GLOBAL
- Specifies that no security check is done.
- SPECIFIC
- Specifies that a security check is performed through RACROUTE
REQUEST=AUTH whenever this operator attempts to use a span. It also
specifies that any cross-domain logon must be to a domain listed in
the operator's NETVIEW segment with the DOMAINS keyword.
CTL(SPECIFIC)
is the default.
- NOCTL
- NOCTL has
the same effect as specifying CTL(SPECIFIC).
- DOMAINS | NODOMAINS | ADDDOMAINS | DELDOMAINS
-
- DOMAINS(domain-name …)
- Specifies
the complete list of identifiers of NetView programs
in another NetView domain
where this operator can start a cross-domain session. The NetView program identifiers
are coded on the NCCFID definition statement for the other domains,
and represent the name given to that NetView program
on the APPL statement.
Domain-name is
a 1 - 5
character identifier. The characters can be alphabetic, numeric, or
national.
- ADDDOMAINS(domain-name …)
- Adds
identifiers of NetView programs
in another NetView domain
where this operator can start a cross-domain session. The NetView program identifiers
are coded on the NCCFID definition statement for the other domains,
and represent the name given to that NetView program
on the APPL statement.
The domain-name value
is a 1 - 5
character identifier. The characters can be alphabetic, numeric, or
national.
- DELDOMAINS(domain-name …)
- Deletes
specific identifiers of NetView programs
in another NetView domain
where this operator can start a cross-domain session. The NetView program identifiers
are coded on the NCCFID definition statement for the other domains,
and represent the name given to that NetView program
on the APPL statement.
The domain-name value
is a 1 - 5
character identifier. The characters can be alphabetic, numeric, or
national.
- NODOMAINS
- Specifies
that the operator cannot start any cross-domain sessions.
- IC | NOIC
-
- IC('command | command-list')
- Specifies the
command or command list (up to 255 characters) to be processed when
the operator logs on to NetView.
If the command or command list you specify contains any commas,
blanks, or other special characters that TSO/E requires to be quoted,
it must be enclosed in single quotation marks.
- NOIC
- Deletes the
command or command list to be processed at logon time for this operator.
No command or command list is automatically processed when this operator
logs on.
- MSGRECVR | NOMSGRECVR
-
- MSGRECVR (YES | NO)
- Specifies
whether this operator can receive unsolicited messages that are not
routed to a specific NetView operator.
- YES
- Specifies that the operator is to receive the messages.
- NO
- Specifies that the operator is not to receive the messages.
- NOMSGRECVR
- NOMSGRECVR
has the same effect as specifying MSGRECVR(NO).
- NGMFADMN | NONGMFADMN
-
- NGMFADMN (YES | NO)
- Specifies
whether a NetView operator
has administrator authority to the NetView Graphic
Monitor Facility (NGMF).
- YES
- Specifies that the operator does have the authority.
- NO
- Specifies that the operator does not have the authority.
- NONGMFADMN
- NONGMFADMN
has the same effect as specifying NGMFADMN(NO).
- NGMFVSPN | NONGMFVSPN
-
- NGMFVSPN (view-span)
- Reserved
for future use by the NetView Graphic
Monitor Facility
- NONGMFVSPN
- Reserved
for future use by the NetView Graphic
Monitor Facility
- OPCLASS | NOOPCLASS | ADDOPCLASS | DELOPCLASS
-
- OPCLASS(class …)
- Specifies
the complete list of NetView scope
classes for which the operator has authority.
The class value
is a number 1 - 2040
that specifies a NetView scope
class.
- ADDOPCLASS(class …)
- Adds
specific NetView scope classes
to the operator's current list of classes.
The class value
is a number 1 - 2040
that specifies a NetView scope
class.
- DELOPCLASS(class …)
- Deletes
specific NetView scope classes
from the operator's current list of classes.
The class value
is a number 1 - 2040
that specifies a NetView scope
class.
- NOOPCLASS
- Specifies
that the operator is in no scope classes.
- NONETVIEW
- Specifies that RACF should
delete the NETVIEW segment from the user's profile.
- OIDCARD
| NOOIDCARD
-
- OIDCARD
- Specifies
that the user must supply an operator identification card when logging
on to the system. If you specify the OIDCARD operand, the system prompts
you to enter the user's new operator identification card as part of
the processing of the ALTUSER command. If you specify the OIDCARD
operand in a job executing in the background or when you cannot be
prompted in the foreground, the ALTUSER command fails.
- NOOIDCARD
- Specifies
that the user is not required to supply an operator identification
card.
If NOPASSWORD is specified or the user ID already has the
NOPASSWORD attribute, specifying NOOIDCARD causes this user ID to
become a protected user ID. Protected user IDs cannot be used to enter
the system by any means that requires a password to be specified,
such as TSO logon. If the user attempts to enter the system with a
password, the attempt fails.
Protected user IDs can be used
for the user IDs associated with the started tasks in ICHRIN03 or
the STARTED class.
- OMVS
| NOOMVS
-
- OMVS
- Specifies z/OS UNIX information
for the user profile being changed.
You can control access to
the entire OMVS segment or to individual fields within the OMVS segment
by using field-level access checking. - ASSIZEMAX | NOASSIZEMAX
-
- ASSIZEMAX(address-space-size)
- Specifies the RLIMIT_AS hard limit (maximum) resource value that
processes receive when they are dubbed a process. The address-space-size you
define to RACF is a numeric
value from 10 485 760 - 2 147 483 647.
ASSIZEMAX indicates the address space region size in bytes. The soft
limit (current) resource value is obtained from MVS. If the soft limit
value from MVS is greater than the address space size, the soft limit
is used.
The value specified for ASSIZEMAX is also used when processes
are initiated by a daemon process using an exec after setuid().
In this case, both the RLIMIT_AS hard limit and soft limit are set
to the address-space-size value.
The
value specified for ASSIZEMAX overrides any value provided by the
MAXASSIZE parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
- NOASSIZEMAX
- Specifies
that you want to delete the address space size from the OMVS segment
of the user's profile. The value specified for MAXASSIZE in BPXPRMxx
now applies to the user.
- AUTOUID | UID | NOUID
- Specifies whether RACF is
to automatically assign an unused UID value to the user, if a specific
UID value is to be assigned or if the user identifier from the OMVS
segment of the user's profile is to be deleted.
- AUTOUID
- Specifies
that RACF is to automatically
assign an unused UID value to the user. The UID value is derived from
information obtained from the BPX.NEXT.USER profile in the FACILITY
class. For more information on setting up BPX.NEXT.USER, see z/OS Security Server RACF Security Administrator's Guide.
If
you are using RRSF automatic command direction for the USER class,
the command sent to other nodes will contain an explicit assignment
of the UID value which was derived by RACF on
the local node.
Rules: - AUTOUID cannot be specified if more than one user ID is entered.
- The AUTOUID keyword is mutually exclusive with the SHARED keyword.
- If both UID and AUTOUID are specified, AUTOUID is ignored.
- If both NOUID and AUTOUID are specified, AUTOUID is ignored.
- Field-level access checking for the UID field applies when using
AUTOUID.
- AUTOUID cannot be used to reassign a UID value when one already
exists for the user. If AUTOUID is specified, but the user already
has a UID assigned, one of two things happens:
  - If the preexisting UID is unique to this user, this value is
identified in informational message IRR52177I, and the value is
left unchanged. If RRSF automatic command direction is in effect
for the USER class, the outbound ALTUSER command is altered
to contain the preexisting UID value in the OMVS UID keyword.
  - If the preexisting UID is not unique to this user, error message
IRR52178I is issued, and the command fails. See IRR52178I
for information on changing the user's existing UID value.
- UID(user-identifier) [SHARED]
-
- UID(user-identifier)
- Specifies
the user identifier. The UID is a numeric value from 0 - 2 147 483 647.
When
assigning a UID to a user, you should make sure that the user's default
group has a GID. A user who has a UID and a current connect group
that has a GID can use functions such as the TSO/E OMVS command and
can access z/OS UNIX files
based on the UID and GID values assigned.
Care should be taken
in assigning 0 as the user identifier. UID 0 is considered a superuser.
The superuser passes all z/OS UNIX security
checks. Assigning a UID to a user ID that appears in the RACF started procedures table (ICHRIN03) should
also be done with care. RACF defined
started tasks that have the trusted or privileged attribute are considered
superusers even if their UID is a value other than 0.
If the
UID is not specified, the user is unable to become a z/OS UNIX user and
a LISTUSER for that user ID shows NONE for the UID.
Note:
- If the security administrator has defined the SHARED.IDS profile
in the UNIXPRIV class, the UID value must be unique. Use the SHARED
keyword in addition to UID to assign a value that is already in use.
- If SHARED.IDS is not defined, RACF does
not require the UID to be unique. The same value can be assigned to
multiple users but this is not recommended because individual user
control would be lost. However, if you want a set of users to have
exactly the same access to z/OS UNIX resources,
you might decide to assign the same UID to more than one user.
- The maximum number of user IDs that can share a UID, or groups
that can share a GID, is 132 when the IDs are 8 characters long; more
user IDs or groups can share a value when their names are shorter than
8 characters. If the limit is reached, you can combine user ID functions
(for started tasks or daemons) so that fewer user IDs share the same UID.
You can also use the SUPERUSER granularity functionality to reduce the
need for superuser authority (UID 0) for as many user IDs as possible.
- SHARED
- If the security administrator
has chosen to control the use of shared UIDs, this keyword must be
used in addition to the UID keyword to specify the user identifier
if it is already in use by at least one other user. The administrator
controls shared UIDs by defining the SHARED.IDS profile in the UNIXPRIV
class.
Rules:
- If the SHARED.IDS profile is not defined, SHARED is ignored.
- If SHARED is specified in the absence of UID, it is ignored.
- If the SHARED.IDS profile is defined and SHARED is specified,
but the value specified with UID is not currently in use, SHARED is
ignored and UNIXPRIV authority is not required.
- Field-level access checking for the UID field applies when using
SHARED.
- The SHARED keyword is mutually exclusive with the AUTOUID keyword.
- NOUID
- Specifies
that you want to delete the user identifier from the OMVS segment
of the user's profile.
If NOUID is specified, the user is unable
to become a z/OS UNIX System Services user
and a LISTUSER for that user ID shows NONE for the UID.
- CPUTIMEMAX | NOCPUTIMEMAX
-
- CPUTIMEMAX(cpu-time)
- Specifies the RLIMIT_CPU hard limit (maximum) resource value that
the user's z/OS UNIX processes
receive when they are dubbed a process. The cpu-time you
define to RACF is a numeric
value from 7 - 2 147 483 647.
RLIMIT_CPU indicates the cpu-time that a
process is allowed to use, in seconds. The soft limit (current) is
obtained from MVS. If the soft limit (current) resource value from
MVS is greater than the cpu-time value,
the soft limit is used.
The value specified for CPUTIMEMAX is
also used when processes are initiated by a daemon process using an
exec after setuid(). In this case, both the RLIMIT_CPU
hard and soft limits are set to the cpu-time value.
For
processes running in, or forked from, TSO or BATCH, the cpu-time value
has no effect. For processes created by the rlogin command or other
daemons, cpu-time is the time limit for
the address space.
The value specified for CPUTIMEMAX overrides
any value provided by the MAXCPUTIME parameter of BPXPRMxx. For more
information, see z/OS UNIX System Services Planning.
- NOCPUTIMEMAX
- Specifies
that you want to delete the CPU time from the OMVS segment of the
user's profile. The value specified for MAXCPUTIME in BPXPRMxx now
applies to the user.
- FILEPROCMAX | NOFILEPROCMAX
-
- FILEPROCMAX(files-per-process)
- Specifies the maximum number of files the user is allowed to have
concurrently active or open. The files-per-process you
define to RACF is a numeric
value from 3 - 524287. FILEPROCMAX is the same as the OPEN_MAX variable
defined in the POSIX standard.
FILEPROCMAX lets you limit the
amount of system resources available to a user process. Select FILEPROCMAX
by considering:
- For conformance to standards, set FILEPROCMAX to:
  - At least 16 to conform to the POSIX standard
  - At least 25 to conform to the FIPS standard
- The commonly recommended value is 256.
- A process can change its own value for the number of files it
has active or open using the setrlimit() function.
Only processes with appropriate privileges can increase their limits.
- The minimum value of 3 supports the standard files for a process:
standard input, standard output, and standard error.
- The value needs to be larger than 3 to support z/OS UNIX shell
users. If the value is too small, the z/OS UNIX shells
might issue the message File descriptor not available.
The value specified for FILEPROCMAX overrides any value
provided by the MAXFILEPROC parameter of BPXPRMxx. For more information,
see z/OS UNIX System Services Planning.
- NOFILEPROCMAX
- Specifies
that you want to delete the files per process from the OMVS segment
of the user's profile. The value specified for MAXFILEPROC in BPXPRMxx
now applies to the user.
- HOME | NOHOME
-
- HOME(directory-pathname)
- Specifies the z/OS® UNIX directory pathname. This is
the current working directory for the user's process when the user
enters the TSO/E command OMVS.
When you define a directory pathname
to RACF, it can contain 1 - 1023 characters.
The directory pathname can consist of any characters and can be entered
with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the pathname, the character string must be enclosed in
single quotation marks.
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. The fully qualified
pathname should be specified. RACF does
not ensure that a valid pathname has been specified. If you issue
the ALTUSER command as a RACF operator
command and you specify the pathname in lowercase, you must enclose
the pathname in single quotation marks.
- NOHOME
- Specifies
that you want to delete the initial directory pathname from the OMVS
segment of the user's profile.
If no value is specified for HOME in the OMVS
segment, MVS sets the working directory for the user to / (the
root directory).
- MEMLIMIT | NOMEMLIMIT
-
- MEMLIMIT(nonshared-memory-size)
- Specifies the maximum number of bytes of nonshared memory that
can be allocated by the user. The nonshared-memory-size value
must be numeric 0 - 16777215,
followed by the letter M, G, T,
or P. The M, G, T or P letter
indicates the multiplier to be used. The maximum value is 16383P.
| Letter | Decimal | Binary | Hexadecimal |
|---|---|---|---|
| M - megabyte | 1048576 | 2 to the power of 20 | 00000000 00100000 |
| G - gigabyte | 1073741824 | 2 to the power of 30 | 00000000 40000000 |
| T - terabyte | 1099511627776 | 2 to the power of 40 | 00000100 00000000 |
| P - petabyte | 1125899906842624 | 2 to the power of 50 | 00040000 00000000 |
The following are different MEMLIMIT(nonshared-memory-size) examples:
- MEMLIMIT(1M) indicates a nonshared-memory-size of 1048576 bytes.
- MEMLIMIT(1500M) indicates a nonshared-memory-size
of 1572864000 bytes.
- MEMLIMIT(10G) indicates a nonshared-memory-size
of 10737418240 bytes.
For more extensive information, see z/OS UNIX System Services Planning.
- NOMEMLIMIT
- Specifies
that you want to delete the nonshared memory size from the OMVS segment
of the user's profile.
- MMAPAREAMAX | NOMMAPAREAMAX
-
- MMAPAREAMAX(memory-map-size)
- Specifies the maximum amount of data space storage, in pages,
that can be allocated by this user for memory mappings of z/OS UNIX files.
Storage is not allocated until memory mappings are active. The value
of memory-map-size must be 1 - 16777216.
Use of memory map services consumes a significant amount of system
memory. For each page (4KB) that is memory mapped, 96 bytes of ESQA
are consumed when a file is not shared with any other users. When
a file is shared by multiple users, each user after the first causes
32 bytes of ESQA to be consumed for each shared page. The ESQA storage
is consumed when the mmap() function is invoked by
the application program.
The value specified for MMAPAREAMAX
overrides any value provided by the MAXMMAPAREA parameter of BPXPRMxx.
For more information, see z/OS UNIX System Services Planning.
- NOMMAPAREAMAX
- Specifies
that you want to delete the memory map size from the OMVS segment
of the user's profile. The value specified for MAXMMAPAREA in BPXPRMxx
now applies to the user.
- PROCUSERMAX | NOPROCUSERMAX
-
- PROCUSERMAX(processes-per-UID)
- Specifies the maximum number of processes this user is allowed
to have active at the same time, regardless of how the process became
a z/OS UNIX process.
The processes-per-UID you define to RACF is a numeric value from 3
- 32767. PROCUSERMAX is the same as the CHILD_MAX variable defined
in the POSIX standard.
PROCUSERMAX allows you to limit user activity
to optimize performance. Select PROCUSERMAX by considering:
- For conformance to standards, set PROCUSERMAX to:
  - At least 16 to conform to the POSIX standard
  - At least 25 to conform to the FIPS standard
- A user with a UID of 0 is not limited by the PROCUSERMAX value
because a superuser might need to be capable of logging on and using z/OS UNIX services
to solve a problem.
- A low PROCUSERMAX value limits the number of concurrent processes
that the user can run. A low value also limits the user's consumption
of processing time, virtual storage, and other system resources.
- Some daemons run without UID 0, and can create many address spaces.
In these cases, it is necessary to set the limit high enough for the
daemon associated with this user ID to run all of its processes.
Though not recommended, the same OMVS UID
can be given to more than one user ID. If users share a UID, you need
to define a greater number for PROCUSERMAX.
The value specified
for PROCUSERMAX overrides any value provided by the MAXPROCUSER parameter
of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
- NOPROCUSERMAX
- Specifies
that you want to delete the processes per UID from the OMVS segment
of the user's profile. The value specified for MAXPROCUSER in BPXPRMxx
now applies to the user.
- SHMEMMAX | NOSHMEMMAX
-
- SHMEMMAX(shared-memory-size)
- Specifies the maximum number of bytes of shared memory that can
be allocated by the user. The shared-memory-size value
must be numeric 1 - 16777215,
followed by the letter M, G, T,
or P. The M, G, T,
or P letter indicates the multiplier to be used.
The maximum value is 16383P.
| Letter | Decimal | Binary | Hexadecimal |
|---|---|---|---|
| M - megabyte | 1048576 | 2 to the power of 20 | 00000000 00100000 |
| G - gigabyte | 1073741824 | 2 to the power of 30 | 00000000 40000000 |
| T - terabyte | 1099511627776 | 2 to the power of 40 | 00000100 00000000 |
| P - petabyte | 1125899906842624 | 2 to the power of 50 | 00040000 00000000 |
The following are different SHMEMMAX(shared-memory-size) examples:
- SHMEMMAX(1M) indicates a shared-memory-size of 1048576 bytes.
- SHMEMMAX(1500M) indicates a shared-memory-size
of 1572864000 bytes.
- SHMEMMAX(10G) indicates a shared-memory-size
of 10737418240 bytes.
The value specified for SHMEMMAX overrides any value
provided by the IPCSHMMPAGES parameter of BPXPRMxx. For more information,
see z/OS UNIX System Services Planning.
- NOSHMEMMAX
- Specifies
that you want to delete the shared memory size from the OMVS segment
of the user's profile. The value specified for IPCSHMMPAGES in BPXPRMxx
now applies to the user.
- THREADSMAX | NOTHREADSMAX
-
- THREADSMAX(threads-per-process)
- Specifies the maximum number of threads, including those running,
queued, and exited but not detached, that this user can have concurrently
active. The threads-per-process you define
to RACF is a numeric value
from 0 - 100000.
Specifying a value of 0 prevents applications run by this user from
using the pthread_create service.
The value specified
for THREADSMAX overrides any value provided by the MAXTHREADS parameter
of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.
- NOTHREADSMAX
- Specifies
that you want to delete the threads per process from the OMVS segment
of the user's profile. The value specified for MAXTHREADS in BPXPRMxx
now applies to the user.
- PROGRAM | NOPROGRAM
-
- PROGRAM(program-name)
- Specifies the PROGRAM pathname (z/OS UNIX shell
program). This is the first program started when the TSO/E command
OMVS is entered or when a batch job is started using the BPXBATCH
program.
When you define a PROGRAM pathname to RACF, it can contain 1 - 1023 characters.
The PROGRAM pathname can consist of any characters and can be entered
with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the pathname, the character string must be enclosed in
single quotation marks.
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. The fully qualified
pathname should be specified. RACF does
not ensure that a valid pathname has been specified. If you issue
the ALTUSER command as a RACF operator
command and you specify the pathname in lowercase, you must enclose
the pathname in single quotation marks.
- NOPROGRAM
- Specifies
that you want to delete the z/OS UNIX System Services program
pathname from the OMVS segment of the user's profile.
If no value is specified for PROGRAM in the
OMVS segment, MVS gives control to the default z/OS UNIX shell
program when the user issues the TSO/E command OMVS or starts a batch
job using the BPXBATCH program.
For more information about
the default z/OS UNIX shell
program supplied with z/OS UNIX System Services, see z/OS UNIX System Services Planning
and z/OS UNIX System Services User's Guide.
- NOOMVS
- Specifies
that RACF delete the OMVS segment
from the user's profile.
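The OMVS segment rules above (the MEMLIMIT/SHMEMMAX multiplier table and examples, the HOME/PROGRAM pathname quoting rules, and the UID range and SHARED.IDS rule) as an added, offline example; this is not IBM code and the user IDs and UIDs in the test data are constructed. It validates values before an administrator issues ALTUSER, so a typo does not silently become a far larger limit or an unintended shared UID.

```python
"""Helpers for checking OMVS segment operand values before issuing ALTUSER.

Added example for this page; it is not IBM code and does not run on z/OS.
It encodes only the rules the page states: MEMLIMIT/SHMEMMAX size syntax,
HOME/PROGRAM pathname quoting, and the UID range and SHARED.IDS rule.
"""
import re

# Multipliers from the MEMLIMIT/SHMEMMAX table: M=2**20, G=2**30, T=2**40, P=2**50.
MULTIPLIER = {"M": 1 << 20, "G": 1 << 30, "T": 1 << 40, "P": 1 << 50}
MAX_SIZE_BYTES = 16383 * (1 << 50)      # the documented ceiling of 16383P
MAX_SIZE_NUMBER = 16777215              # numeric part may not exceed this
UID_MAX = 2147483647
_SIZE_RE = re.compile(r"^(\d+)([MGTP])$", re.IGNORECASE)


def size_to_bytes(value: str, operand: str = "MEMLIMIT") -> int:
    """Convert a MEMLIMIT or SHMEMMAX value such as '1500M' to bytes.

    The numeric part must be 0 - 16777215 for MEMLIMIT and 1 - 16777215
    for SHMEMMAX, followed by one multiplier letter, and the product may
    not exceed 16383P.
    """
    match = _SIZE_RE.match(value.strip())
    if not match:
        raise ValueError(f"{operand}({value}): expected digits followed by M, G, T or P")
    number, unit = int(match.group(1)), match.group(2).upper()
    low = 0 if operand.upper() == "MEMLIMIT" else 1
    if not low <= number <= MAX_SIZE_NUMBER:
        raise ValueError(f"{operand}({value}): numeric part must be {low} - {MAX_SIZE_NUMBER}")
    nbytes = number * MULTIPLIER[unit]
    if nbytes > MAX_SIZE_BYTES:
        raise ValueError(f"{operand}({value}): exceeds the maximum of 16383P")
    return nbytes


def is_valid_size(value: str, operand: str = "MEMLIMIT") -> bool:
    """True when size_to_bytes() accepts the value for the given operand."""
    try:
        size_to_bytes(value, operand)
        return True
    except ValueError:
        return False


def bytes_to_size(nbytes: int) -> str:
    """Render a byte count as an exact MEMLIMIT/SHMEMMAX value, largest unit first."""
    if nbytes < 0 or nbytes > MAX_SIZE_BYTES:
        raise ValueError("byte count outside 0 - 16383P")
    if nbytes == 0:
        return "0M"
    for unit in ("P", "T", "G", "M"):
        mult = MULTIPLIER[unit]
        if nbytes % mult == 0 and nbytes // mult <= MAX_SIZE_NUMBER:
            return f"{nbytes // mult}{unit}"
    raise ValueError("byte count cannot be expressed as a MEMLIMIT/SHMEMMAX value")


def quote_pathname(path: str, operator_command: bool = False) -> str:
    """Quote a HOME or PROGRAM pathname the way the ALTUSER syntax requires.

    Quotes are needed when the path contains parentheses, commas, blanks,
    semicolons or a single quotation mark (which is doubled inside the
    quotes), and for any lowercase path entered as a RACF operator command.
    """
    if not 1 <= len(path) <= 1023:
        raise ValueError("pathname must contain 1 - 1023 characters")
    needs_quotes = any(c in "(), ;'" for c in path) or (
        operator_command and any(c.islower() for c in path)
    )
    if not needs_quotes:
        return path
    return "'" + path.replace("'", "''") + "'"


def uid_assignment_advice(user: str, uid: int, existing: dict, shared_ids_defined: bool) -> dict:
    """Report what the page says about assigning `uid` to `user`.

    `existing` maps other user IDs to their current UIDs (constructed input
    for this example); `shared_ids_defined` says whether the SHARED.IDS
    profile exists in the UNIXPRIV class.
    """
    if not 0 <= uid <= UID_MAX:
        raise ValueError(f"UID must be 0 - {UID_MAX}")
    holders = sorted(u for u, v in existing.items() if v == uid and u != user)
    advice = {"shared_required": False, "warnings": []}
    if uid == 0:
        advice["warnings"].append("UID 0 is a superuser and passes all z/OS UNIX security checks")
    if holders:
        if shared_ids_defined:
            # UID(...) SHARED must be specified, and UNIXPRIV authority is needed.
            advice["shared_required"] = True
        else:
            advice["warnings"].append(
                f"UID {uid} is already used by {', '.join(holders)}; individual user control is lost"
            )
    return advice
```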
- OPERATIONS
| NOOPERATIONS
-
- OPERATIONS
- Specifies
that the user is to have authorization to do maintenance operations
on all RACF-protected DASD data sets, tape volumes, and DASD volumes
except those where the access list specifically limits the OPERATIONS
user to an access authority that is less than the operation requires.
You establish the lower access authority for the OPERATIONS user
with the PERMIT command. OPERATIONS on the ALTUSER command overrides
NOOPERATIONS on the CONNECT command.
You must have the SPECIAL
attribute to use the OPERATIONS operand.
- NOOPERATIONS
- Specifies
that the user is not to have the OPERATIONS attribute.
You must
have the SPECIAL attribute to use the NOOPERATIONS operand.
- OPERPARM
| NOOPERPARM
-
- OPERPARM
- Specifies default information used when this user establishes
an extended MCS console session.
You can control access to the
entire OPERPARM segment or to individual fields within the OPERPARM
segment by using field-level access checking. For more information,
see z/OS Security Server RACF Security Administrator's Guide.
For
information on planning how to use OPERPARM segments, see z/OS MVS Planning: Operations.
Note:
- You need not specify every suboperand in an OPERPARM segment.
In general, if you omit a suboperand, the default is the same as the
default in the CONSOLxx PARMLIB member, which can also be used to
define consoles.
- If you specify MSCOPE or ROUTCODE but do not specify a value for
them, RACF uses MSCOPE(*ALL)
and ROUTCODE(NONE) to update the corresponding fields in the user
profile. These values appear in listings of the OPERPARM segment of
the user profile.
- If you omit the other suboperands, RACF does
not update the corresponding fields in the user's profile, and no
value appears in listings of the OPERPARM segment of the profile.
- ALTGRP | NOALTGRP
-
- ALTGRP(alternate-console-group)
- Specifies the console group used in recovery. The variable alternate-console-group can
contain 1 - 8
characters. Valid characters are 0 - 9, A - Z, # (X'7B'), $ (X'5B'),
or @ (X'7C').
Restriction: Starting
with z/OS Version 1 Release 8, console
services ignores ALTGRP(alternate-console-group)
when a session is established and it need not be specified.
- NOALTGRP
- Deletes
alternate console group information from this profile.
- AUTH | NOAUTH
-
- AUTH
- Specifies this console's authority to issue operator commands.
If
you omit this operand, RACF does
not alter this field in the user's profile. If this field has not
been added to the user's profile, an extended MCS console uses AUTH(INFO)
when a session is established.
The console can have the following
authorities:
- MASTER
- Allows this console to act as a master console, which can issue
all MVS operator commands. This authority can only be specified by
itself.
- ALL
- Allows this console to issue system control commands, input/output
commands, console control commands, and informational commands. This
authority can only be specified by itself.
- INFO
- Allows this console to issue informational commands. This authority
can only be specified by itself.
- CONS
- Allows this console to issue console control and informational
commands.
- IO
- Allows this console to issue input/output and informational commands.
- SYS
- Allows this console to issue system control commands and informational
commands.
- NOAUTH
- Deletes
the user's operator authorities from the profile. Console operator
authority no longer appears in profile listings. However, AUTH(INFO)
is used when an extended MCS console session is established.
- AUTO | NOAUTO
-
- AUTO(YES | NO)
- Specifies
whether the extended console can receive messages that have been automated
by the Message Processing Facility (MPF) in the sysplex.
- NOAUTO
- Deletes this field from the user's profile. No AUTO information
appears in profile listings. However, AUTO(NO) is used when an extended
MCS console session is established.
- CMDSYS | NOCMDSYS
-
- CMDSYS(system-name | *)
- Specifies
the system to which commands from this console are to be sent.
If
you omit this operand, RACF does
not alter this field in the user's profile. If this field has not
been added to the user's profile, an extended MCS console uses CMDSYS(*)
when a session is established. The system-name value
must be 1 - 8
characters. Valid characters are A - Z, 0 - 9, @ (X'7C'), # (X'7B'),
and $ (X'5B'). If * is
specified, commands are processed on the local system where the console
is attached.
- NOCMDSYS
- Deletes any system names from this profile. No
CMDSYS information appears in profile listings. However, CMDSYS(*)
is used when an extended MCS console session is established.
- DOM | NODOM
-
- DOM(NORMAL | ALL | NONE)
- Specifies
which delete operator message (DOM) requests this console can receive.
If you omit this operand, RACF does
not alter this field in the user's profile. If this field has not
been added to the user's profile, an extended MCS console uses DOM(NORMAL)
when a session is established.
- NORMAL
- The system queues all appropriate DOM requests to this console.
- ALL
- All systems in the sysplex queue DOM requests to this console.
- NONE
- No DOM requests are queued to this console.
- NODOM
- Deletes this field from the user's profile. DOM information
no longer appears in profile listings. However, DOM(NORMAL) is used
when an extended MCS console session is established.
- HC | NOHC
-
- HC(YES | NO)
- Specifies whether this console is to receive all messages that
are directed to hardcopy. Any route codes specified for a console
do not apply to hardcopy messages, so this console will receive all
hardcopy messages regardless of their specific route code.
- NOHC
- Deletes this
field from the user's profile. z/OS console
services will use HC(NO) when a session is established.
- INTIDS | NOINTIDS
-
- INTIDS(YES | NO)
- Specifies whether this console is to receive messages directed
to console ID zero (the internal console). Such messages are usually
responses to internally issued commands.
- NOINTIDS
- Deletes
this field from the user's profile. z/OS console
services will use INTIDS(NO) when a session is established.
- KEY | NOKEY
-
- KEY(searching-key)
- Specifies
a 1 - 8
character name that can be used to display information for all consoles
with the specified key by using the MVS command DISPLAY CONSOLES,KEY.
If specified, KEY can include A - Z, 0 - 9, # (X'7B'), $ (X'5B'),
or @ (X'7C').
If you omit this operand, RACF does not alter this field
in the user's profile. If this field has not been added to the user's
profile, an extended MCS console uses a KEY value of NONE when a session
is established.
- NOKEY
- Deletes search key information from the user's profile. Search
key information no longer appears in profile listings. However, a
KEY value of NONE is used when an extended MCS console session is
established.
- LEVEL | NOLEVEL
-
- LEVEL(message-level)
- Specifies
the messages that this console is to receive.
If you omit this
operand, RACF does not alter
this field in the user's profile. If this field has not been added
to the user's profile, an extended MCS console uses LEVEL(ALL) when
a session is established.
The message-level variable
can be a list of R, I, CE, E, IN, NB or ALL. If you specify ALL, you
cannot specify R, I, CE, E, or IN.
- NB
- The console receives no broadcast messages.
- ALL
- The console receives these messages: R, I, CE, E, IN.
- R
- The console receives messages requiring an operator reply.
- I
- The console receives immediate action messages.
- CE
- The console receives critical eventual action messages.
- E
- The console receives eventual action messages.
- IN
- The console receives informational messages.
- NOLEVEL
- Deletes any defined message levels for this
console from the profile. Message information no longer appears in
profile listings. However, LEVEL(ALL) is used when an extended MCS
console session is established.
- LOGCMDRESP | NOLOGCMDRESP
-
- LOGCMDRESP(SYSTEM | NO)
- Specifies
if command responses are to be logged.
If you omit this operand, RACF does not alter this field
in the user's profile. If this field has not been added to the user's
profile, an extended MCS console uses LOGCMDRESP(SYSTEM) when a session
is established.
- SYSTEM
- Specifies that command responses are logged in the hardcopy log.
- NO
- Specifies that command responses are not logged.
- NOLOGCMDRESP
- Deletes the value for LOGCMDRESP from the profile. Command
response logging information no longer appears in profile listings.
However, LOGCMDRESP(SYSTEM) is used when an extended MCS console session
is established.
- MFORM | NOMFORM
-
- MFORM(message-format)
- Specifies
the format in which messages are displayed at the console.
If
you omit this operand, RACF does
not alter this field in the user's profile. If this field has not
been added to the user's profile, an extended MCS console uses MFORM(M)
when a session is established.
The message-format variable
can be a combination of T, S, J, M, and X:
- J
- Messages are displayed with a job ID or name.
- M
- The message text is displayed.
- S
- Messages are displayed with the name of the originating system.
- T
- Messages are displayed with a time stamp.
- X
- Messages that are flagged as exempt from job name and system name
formatting are ignored.
- NOMFORM
- Deletes the values for MFORM from the profile and causes
message text to be displayed (MFORM(M)) when an extended MCS console
session is established.
- MIGID | NOMIGID
-
- MIGID(YES | NO)
- Specifies
whether a 1-byte migration ID is to be assigned to this console or
not. The migration ID allows command processors that use a 1-byte
console ID to direct command responses to this console.
Restriction: Starting
with z/OS Version 1 Release 7, console
services ignores MIGID(YES | NO) when a session is established and
it need not be specified.
- NOMIGID
- Deletes this segment from the profile. Migration identification
information no longer appears in profile listings. However, MIGID(NO)
is assigned when an extended MCS console session is established.
- MONITOR | NOMONITOR
-
- MONITOR(events)
- Specifies
which information should be displayed when monitoring jobs, TSO sessions,
or data set status.
If you omit this operand, RACF does not alter this field in the user's
profile. If this field has not been added to the user's profile, an
extended MCS console uses MONITOR(JOBNAMES SESS) when a session is
established. The variable events can be
a list of the following:
- JOBNAMES | JOBNAMEST
- Displays information about the start and end of each job. JOBNAMES
omits the times of job start and job end. JOBNAMEST displays the times
of job start and job end.
- SESS | SESST
- Displays information about the start and end of each TSO session.
SESS omits the times of session start and session end. SESST displays
the times of session start and session end.
- STATUS
- Specifies that the information displayed when a data set is freed
or unallocated should include the data set status.
- NOMONITOR
- Deletes job monitor information from the user's
profile. Information from this field no longer appears in profile
listings. However, MONITOR(JOBNAMES SESS) is used when an extended
MCS console session is established.
- MSCOPE | ADDMSCOPE | DELMSCOPE | NOMSCOPE
-
- MSCOPE(system-name … | * | *ALL)
- Specifies the systems from which this console can receive messages
that are not directed to a specific console.
If you omit this
operand, RACF does not alter
this field in the user's profile. If this field has not been added
to the user's profile, an extended MCS console uses MSCOPE(*ALL)
when a session is established. If you specify MSCOPE but omit a value, RACF uses MSCOPE(*ALL)
as the default to update this field in the user's profile. *ALL
appears in listings of the OPERPARM segment of the user's profile.
- system-name …
- Is a list of one or more system names, where a system name can
be any combination of A - Z, 0 - 9, # (X'7B'), $ (X'5B'),
or @ (X'7C').
- *
- Is the system on which the console is currently active.
- *ALL
- Means all systems.
- ADDMSCOPE(system-name …)
- Adds the specified system names to the existing list of systems
from which this console can receive messages that are not directed
to a specific console.
- DELMSCOPE(system-name …)
- Deletes the specified system names from the existing list of systems
from which this console can receive messages that are not directed
to a specific console.
- NOMSCOPE
- Deletes any system name information from the user's profile. Message
reception information no longer appears in profile listings. However,
MSCOPE(*ALL) is used when an extended MCS console
session is established.
- ROUTCODE | NOROUTCODE
-
- ROUTCODE(ALL | NONE | routing-codes)
- Specifies the routing codes of messages this operator is to receive.
If you omit this operand, RACF does
not alter this field in the user's profile. If this field has not
been added to the user's profile, an extended MCS console uses ROUTCODE(NONE)
when a session is established. If you specify ROUTCODE but omit a
value, RACF uses ROUTCODE(NONE)
to update this field in the user's profile. NONE appears in listings
of the OPERPARM segment of the user's profile.
The routing
code information can be one of the following:
- ALL
- Means all routing codes.
- NONE
- Means no routing codes.
- routing-codes
- Specifies one or more routing codes or sequences of routing codes.
The routing codes can be a list of n and n1:n2,
where n, n1, and n2 are
integers 1 - 128,
and n1:n2 represents
a range of routing codes from n1 (low) to n2 (high).
- NOROUTCODE
- Deletes
routing code information from the user's profile. Routing code information
no longer appears in profile listings. However, ROUTCODE(NONE) is
used when an extended MCS console session is established.
- STORAGE | NOSTORAGE
-
- STORAGE(amount)
- Specifies
the amount of storage in the TSO/E user's address space that can be
used for message queuing to this console.
If you omit this operand, RACF does not alter this field
in the user's profile. If this field has not been added to the user's
profile, an extended MCS console uses STORAGE(1) when a session is
established. A value of 0 will appear in listings of the user's profile
to indicate that no value was specified. The variable amount must
be a value from 1 - 2000.
- NOSTORAGE
- Deletes this field from the profile. A value of 0 appears
in listings of the user's profile to indicate that no value was specified.
However, STORAGE(1) is used when an extended MCS
console session is established.
- UD | NOUD
-
- UD(YES | NO)
- Specifies
whether this console is to receive undelivered messages. If you do
not specify this operand, RACF does
not alter the user's profile.
Restriction: Starting with z/OS Version 1 Release 8, console
services ignores UD(YES | NO) when a session is established and it
need not be specified.
- NOUD
- Deletes the field from the profile. Undelivered message information
no longer appears in profile listings. However, UD(NO) is used when
an extended MCS console session is established.
- UNKNIDS | NOUNKNIDS
-
- UNKNIDS(YES | NO)
- Specifies whether this console is to receive messages directed
to unknown console IDs. Unknown consoles are typically one-byte
console IDs that the system cannot unambiguously resolve.
- NOUNKNIDS
- Deletes
this field from the user's profile. z/OS console
services will use UNKNIDS(NO) when a session is established.
- NOOPERPARM
- Specifies
that the OPERPARM segment is to be deleted. Operator information no
longer appears in LISTUSER output.
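The AUTH, LEVEL and ROUTCODE rules above, as an added offline example (not IBM code): it checks the suboperand values an administrator intends to place in a user's OPERPARM segment and expands or compacts routing-code ranges, so that a console is not given MASTER or ALL authority in combination with other values or routing codes outside 1 - 128.

```python
"""Validate OPERPARM AUTH, LEVEL and ROUTCODE values before issuing ALTUSER.

Added example for this page, not IBM code; it applies only the rules the
page states: MASTER, ALL and INFO may only be specified by themselves;
LEVEL(ALL) excludes R, I, CE, E and IN; routing codes are integers
1 - 128 written as n or n1:n2 with n1 low and n2 high.
"""

SOLO_AUTH = frozenset({"MASTER", "ALL", "INFO"})     # each only by itself
COMBINABLE_AUTH = frozenset({"CONS", "IO", "SYS"})   # may be combined
LEVELS = frozenset({"R", "I", "CE", "E", "IN", "NB", "ALL"})
LEVELS_COVERED_BY_ALL = frozenset({"R", "I", "CE", "E", "IN"})
ROUTCODE_MIN, ROUTCODE_MAX = 1, 128


def check_auth(values):
    """Return the normalised AUTH list, or raise if the combination is invalid."""
    vals = {v.upper() for v in values}
    unknown = vals - SOLO_AUTH - COMBINABLE_AUTH
    if not vals or unknown:
        raise ValueError(f"AUTH: unknown or missing authority {sorted(unknown)}")
    solo = vals & SOLO_AUTH
    if solo and len(vals) > 1:
        raise ValueError(f"AUTH({', '.join(sorted(solo))}) can only be specified by itself")
    return sorted(vals)


def check_level(values):
    """Return the normalised LEVEL list, or raise if ALL is mixed with R, I, CE, E or IN."""
    vals = {v.upper() for v in values}
    unknown = vals - LEVELS
    if not vals or unknown:
        raise ValueError(f"LEVEL: unknown or missing message level {sorted(unknown)}")
    if "ALL" in vals and vals & LEVELS_COVERED_BY_ALL:
        raise ValueError("LEVEL(ALL) cannot be combined with R, I, CE, E or IN")
    return sorted(vals)


def expand_routcode(spec: str) -> frozenset:
    """Expand ROUTCODE(ALL | NONE | routing-codes) text into the set of codes."""
    tokens = spec.replace(",", " ").split()
    if not tokens:
        raise ValueError("ROUTCODE: empty value")
    upper = [t.upper() for t in tokens]
    if upper == ["ALL"]:
        return frozenset(range(ROUTCODE_MIN, ROUTCODE_MAX + 1))
    if upper == ["NONE"]:
        return frozenset()
    codes = set()
    for tok in tokens:
        lo, sep, hi = tok.partition(":")
        try:
            low = int(lo)
            high = int(hi) if sep else low
        except ValueError:
            raise ValueError(f"ROUTCODE: '{tok}' is not n or n1:n2") from None
        if not ROUTCODE_MIN <= low <= high <= ROUTCODE_MAX:
            raise ValueError(
                f"ROUTCODE: '{tok}' must lie within {ROUTCODE_MIN} - {ROUTCODE_MAX} with n1 <= n2"
            )
        codes.update(range(low, high + 1))
    return frozenset(codes)


def compact_routcode(codes) -> str:
    """Inverse of expand_routcode: the shortest ALL | NONE | routing-codes text."""
    codes = sorted(set(codes))
    if not codes:
        return "NONE"
    if codes[0] < ROUTCODE_MIN or codes[-1] > ROUTCODE_MAX:
        raise ValueError(f"routing codes must be {ROUTCODE_MIN} - {ROUTCODE_MAX}")
    if codes == list(range(ROUTCODE_MIN, ROUTCODE_MAX + 1)):
        return "ALL"
    parts, start, prev = [], codes[0], codes[0]
    for code in codes[1:]:
        if code == prev + 1:
            prev = code
            continue
        parts.append(f"{start}:{prev}" if prev > start else str(start))
        start = prev = code
    parts.append(f"{start}:{prev}" if prev > start else str(start))
    return " ".join(parts)
```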
- OVM
| NOOVM
- Specifies
OpenExtensions VM information for the user profile being changed.
Information is stored in the OVM segment of the user's profile.
You
can control access to an entire OVM segment or to individual fields
within the OVM segment by using field level access checking.
- FSROOT | NOFSROOT
-
- FSROOT(file-system-root)
- Specifies the pathname for the file system root.
When you
define the FSROOT pathname to RACF,
it can contain 1 - 1023 characters,
consist of any character, and be entered with or without single quotation
marks. The following rules apply:
- If the pathname contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the pathname is (123), you must enter FSROOT('(123)').
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
When entering the ALTUSER command, both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered. You should specify the fully qualified pathname
because RACF does not ensure
that a valid pathname has been specified.
- NOFSROOT
- Specifies that you want to delete the FSROOT pathname from the
OVM segment of the user's profile.
If you do not specify a value for FSROOT in
the OVM segment, VM uses the value specified in the CP directory.
If no value is specified in the CP directory, issue the OPENVM MOUNT
command to mount the appropriate file system.
- HOME | NOHOME
- HOME(initial-directory-name)
- Specifies the initial directory pathname. The initial directory
is part of the file system and is the current working directory for
the user's process when the user enters the OPENVM SHELL command.
When you define a HOME directory name to RACF, the name can contain 1 - 1023 characters,
consist of any character, and be entered with or without single quotation
marks. The following rules apply:
- If the pathname contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the pathname is (123), you must enter HOME('(123)').
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
When entering the ALTUSER command, both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered. You should specify the fully qualified pathname
because RACF does not ensure
that a valid pathname has been specified.
- NOHOME
- Specifies that you want to delete the initial directory pathname
from the OVM segment of the user's profile.
If no value is specified for HOME in the OVM
segment, VM uses the value specified in the CP directory. If no value
is specified in the CP directory, VM sets the working directory for
the user to / (the root directory).
- PROGRAM | NOPROGRAM
- PROGRAM(program-name)
- Specifies the PROGRAM pathname (z/OS UNIX shell
program). This is the first program started when the OPENVM SHELL
command is entered.
When you define a PROGRAM pathname to RACF, it can contain 1 - 1023 characters,
consist of any character, and be entered with or without single quotation
marks. The following rules apply:
- If the pathname contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the pathname is (123), you must enter PROGRAM('(123)').
- If a single quotation mark is intended to be part of the pathname,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
When entering the ALTUSER command, both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered. Specify the fully qualified pathname. RACF does not ensure that a valid pathname is
specified.
- NOPROGRAM
- Specifies that you want to delete the PROGRAM pathname from the
OVM segment of the user's profile.
If no value is specified for PROGRAM in the
OVM segment, VM uses the value specified in the CP directory. If no
value is specified in the CP directory, VM gives control to the default z/OS UNIX shell
program (/bin/sh) when a user issues the OPENVM SHELL
command.
- UID | NOUID
- UID(user-identifier)
- Specifies the user identifier. The UID is a numeric value from
0 - 2 147 483 647.
Care should be taken in assigning 0 as the user identifier. UID
0 is considered a superuser, and a superuser passes all OpenExtensions
VM security checks.
Note:
- RACF does not require the
UID to be unique. You can assign the same value to multiple users,
but this is not recommended because individual user control is lost.
However, if you want a set of users to have exactly the same access
to the OpenExtensions VM resources, you can assign the same UID to
more than one user.
- Exercise caution when changing the UID for a user.
- The file system might contain files that were created by the user,
and thus contain the old UID as the file owner UID. Depending on the
permission bits associated with the file, the user will probably lose
access to those files.
- If files already exist with an owner UID equal to the user's new
UID value, the user will probably gain access to these files.
- If another user is subsequently added with the old value as its
UID, then the user might have access to the old files.
- If you have an EXEC.uid profile in the
VMPOSIX class for the old UID value, make sure you delete this profile
and create another to reflect the new value.
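The two risks the UID text calls out, UID 0 and one UID shared by several users, are easy to check for before or after issuing ALTUSER. The following audit is an added example and not IBM code; its records are constructed, not real LISTUSER output, and the names SAMPLE_UIDS and audit_uids are chosen here.

```python
"""Audit OVM UID assignments for the risks the UID operand text calls out:
UID 0 (superuser) and the same UID carried by several users.

Added example, not IBM code. SAMPLE_UIDS is constructed data standing in
for LISTUSER output; None stands for the NONE that LISTUSER shows after NOUID."""
from collections import defaultdict
from typing import Dict, List, Optional

MAX_UID = 2147483647   # UID range on the page: 0 - 2 147 483 647
NO_UID = 4294967295    # X'FFFFFFFF', the default NOUID leaves; LISTUSER shows NONE

# Constructed sample: user ID -> UID from the OVM segment (None == NONE).
SAMPLE_UIDS: Dict[str, Optional[int]] = {
    "ADMIN1": 0,
    "APPSRV": 500,
    "APPSRV2": 500,
    "DEVUSR": 1001,
    "NEWUSR": None,
}


def audit_uids(assignments: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per risky assignment; an empty list means clean."""
    findings: List[str] = []
    holders = defaultdict(list)   # UID -> the users that carry it
    for user, uid in sorted(assignments.items()):
        if uid is None or uid == NO_UID:
            findings.append(f"{user}: no UID assigned (LISTUSER shows NONE)")
            continue
        if not 0 <= uid <= MAX_UID:
            findings.append(f"{user}: UID {uid} is outside 0 - {MAX_UID}")
            continue
        if uid == 0:
            findings.append(f"{user}: UID 0 is a superuser and passes all "
                            "OpenExtensions VM security checks")
        holders[uid].append(user)
    # RACF allows duplicate UIDs, but the page notes that individual user
    # control is lost; report every UID held by more than one user.
    for uid, users in sorted(holders.items()):
        if len(users) > 1:
            findings.append(f"UID {uid} shared by {', '.join(users)}: "
                            "individual user control is lost")
    return findings


if __name__ == "__main__":
    for line in audit_uids(SAMPLE_UIDS):
        print(line)
```

Feed it the UID column of your own LISTUSER ... OVM output; a shared UID that is intentional (the page allows it for users who need exactly the same access) can simply be excluded from the input.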
- NOUID
- Specifies that you want to delete the user identifier from the
OVM segment of the user's profile.
If NOUID is specified, the
user is assigned the default UID of 4294967295 (X'FFFFFFFF')
and a LISTUSER for that user ID shows NONE for the UID.
- NOOVM
- Specifies that RACF delete
the OVM segment from the user's profile.
- OWNER(userid or group-name)
- Specifies
a RACF-defined user or group to be assigned as the new owner of the
user's profile.
- PASSWORD | NOPASSWORD
- PASSWORD[(password)]
- Specifies the user's logon
password. Use this command to specify a password for a user who has
forgotten his/her password. Unless the NOEXPIRED operand is also specified,
this password is set expired, thus requiring the user to change the
password at next logon or job start. Note that the password syntax
rules your installation defines using SETROPTS PASSWORD do not apply
to this password unless the NOEXPIRED operand is also included.
If
you specify a password value, the password is checked by the new-password
exit (ICHPWX01), if present.
If you specify PASSWORD without
a value, the password defaults to the user's default group name. If
you specify PASSWORD without a value and specify DFLTGRP, the default
password is the user's old default group name.
Note:
- For z/OS Integrated Security Services Network Authentication
Service support,
this means the key is not generated for the default group. However,
the default group continues to be used as the RACF password.
- If the installation is maintaining user password history, the
password that was in effect prior to issuing this command is stored
as part of this history.
- When the installation specifies a minimum change interval, RACF checks the number of days
between password changes to ensure the minimum required days have
elapsed each time users change their own passwords. RACF also checks the days when users change
passwords using their IRR.PASSWORD.RESET or IRR.PWRESET authority
unless the command issuer has CONTROL authority or higher.
- NOPASSWORD
- Specifies
that the user does not need to supply an initial logon password when
first entering the system if OIDCARD is also specified. If NOOIDCARD
is specified, or the user ID has the NOOIDCARD attribute and you specify
NOPASSWORD, you change the status of the user ID to protected. Protected
user IDs cannot be used to enter the system by any means that requires
a password to be specified, such as a TSO logon, a CICS signon, or a batch job that specifies a password
on the JOB statement. Therefore, user IDs that you assign to z/OS UNIX, UNIX daemons, started procedures,
applications, servers or subsystems can be protected from being revoked
when an incorrect password is entered. If the user attempts to enter
the system with a password, the attempt fails. Note that the protected
user ID is not revoked due to the failed password attempts even if
the SETROPTS PASSWORD(REVOKE) option is in effect.
Determine which
user IDs you want to protect, ensuring that these user IDs will not
be used in any circumstance where a password must be supplied. A protected
user will have the PROTECTED attribute displayed in the output of
the LISTUSER command. Protected users can be associated with started
procedures defined in the STARTED class (preferred method) or in the
started procedures table (ICHRIN03).
Note: z/OS Integrated Security Services Network Authentication
Service information
such as a local kerberos-principal-name must
not be defined for protected user IDs, and these user IDs must not
be used for z/OS Network Authentication Service authentication,
because these authentication failures can result in user revocation.
- PHRASE | NOPHRASE
- PHRASE('password-phrase')
- Specifies
the user's password phrase. The password phrase you define is a text
string of up to 100 characters and must be enclosed in single quotation
marks. The password phrase is set expired unless NOEXPIRED is also
specified.
When the new-password-phrase exit (ICHPWX11) is present
and allows it, the password phrase can be 9 - 100 characters.
When ICHPWX11 is not present, the password phrase must be 14 - 100 characters.
Contact your system programmer to find out if your installation uses
the new-password-phrase exit (ICHPWX11) or see z/OS Security Server RACF System Programmer's Guide for programming details.
Every
user that you assign a password phrase must have a password.
If you attempt to remove the password from a user with a password
phrase, or add a password phrase for a user with no password, the
PHRASE operand is ignored and an error message issued.
The
following syntax rules apply to all password phrases. You cannot alter
these syntax rules but you can specify additional syntax rules if
your installation tailors the new-password-phrase exit (ICHPWX11).
Syntax rules for password phrases:
- Maximum length: 100 characters
- Minimum length:
- 9 characters, when ICHPWX11 is present and allows the new value
- 14 characters, when ICHPWX11 is not present
- Must not contain the user ID (as sequential uppercase or sequential
lowercase characters)
- Must contain at least 2 alphabetic characters (A - Z, a - z)
- Must contain at least 2 non-alphabetic characters (numerics, punctuation,
or special characters)
- Must not contain more than 2 consecutive characters that are identical
- If a single quotation mark is intended to be part of the password
phrase, you must use two single quotation marks together for each
single quotation mark.
If the new-password-phrase exit (ICHPWX11) is
present, it can reject the specified password phrase. RACF rejects password phrases shorter than 14
characters unless ICHPWX11 is present and allows the new value.
If the specified password phrase is accepted, it is
made the user's current password phrase and, when SETROPTS PASSWORD(HISTORY)
is in effect, it is added to the user's password phrase history.
If you enter
PHRASE without a password-phrase value,
you are prompted for a value unless your TSO session is in NOPROMPT
mode.
When the installation specifies a minimum change interval, RACF checks the number of days
between password phrase changes to ensure the minimum required days
have elapsed each time users change their own password phrases. RACF also checks the days when
users change password phrases using the IRR.PASSWORD.RESET or IRR.PWRESET
authority unless the command issuer has CONTROL authority or higher.
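The syntax rules above are fixed, so a phrase can be checked against them before the command is issued rather than discovering the rejection in the command output. The checker below is an added example and not IBM code; phrase_violations and phrase_operand are names chosen here, and the exit_allows_short flag stands for "ICHPWX11 is present and allows the new value", which only your installation can tell you.

```python
"""Check a candidate password phrase against the syntax rules listed for
ALTUSER PHRASE, and format it for the command.

Added example, not IBM code. exit_allows_short models whether the
new-password-phrase exit (ICHPWX11) is present and allows a 9-character
minimum; without it RACF requires 14 characters."""
import re
from typing import List

MAX_LEN = 100
MIN_LEN_WITH_EXIT = 9       # ICHPWX11 present and allows the new value
MIN_LEN_WITHOUT_EXIT = 14   # ICHPWX11 not present


def phrase_violations(phrase: str, userid: str, exit_allows_short: bool = False) -> List[str]:
    """Return the rules the phrase breaks; an empty list means it passes."""
    problems: List[str] = []
    min_len = MIN_LEN_WITH_EXIT if exit_allows_short else MIN_LEN_WITHOUT_EXIT
    if len(phrase) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if len(phrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # The user ID must not appear as a run of uppercase or of lowercase characters.
    if userid and (userid.upper() in phrase or userid.lower() in phrase):
        problems.append("contains the user ID")
    alpha = sum(1 for c in phrase if c.isascii() and c.isalpha())   # A - Z, a - z
    if alpha < 2:
        problems.append("fewer than 2 alphabetic characters")
    if len(phrase) - alpha < 2:
        problems.append("fewer than 2 non-alphabetic characters")
    # Three identical characters in a row are "more than 2 consecutive".
    if re.search(r"(.)\1\1", phrase):
        problems.append("more than 2 consecutive identical characters")
    return problems


def phrase_operand(phrase: str) -> str:
    """PHRASE('...') with every embedded single quotation mark doubled."""
    return "PHRASE('" + phrase.replace("'", "''") + "')"


if __name__ == "__main__":
    candidate = "Correct Horse Battery 42!"
    print(phrase_violations(candidate, "IBMUSER") or "passes syntax rules")
    print(phrase_operand(candidate))
```

Passing these checks does not guarantee acceptance: ICHPWX11 may impose further rules, and a phrase cannot be set for a user who has no password.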
- NOPHRASE
- Specifies
that the user cannot use a password phrase for authentication. If
a password phrase was previously set, the password phrase is cleared.
The date of the last password phrase change is also cleared from the
user's profile.
- PROXY | NOPROXY
- PROXY
- Specifies information which the z/OS LDAP
server will use when acting as a proxy on behalf of a requester. The R_proxyserv (IRRSPY00)
SAF callable service will attempt to retrieve this information when
it is not explicitly supplied with the invocation parameters. Applications
or other services which use the R_proxyserv callable
service, such as IBM Policy Director Authorization Services for
z/OS and OS/390, may
instruct their invokers to define PROXY segment information.
- LDAPHOST | NOLDAPHOST
- LDAPHOST(ldap_url)
- Specifies
the URL of the LDAP server which the z/OS LDAP
server will contact when acting as a proxy on behalf of a requester.
An LDAP URL has a format such as ldap://123.45.6:389 or ldaps://123.45.6:636,
where ldaps indicates that an SSL connection is desired
for a higher level of security. LDAP will also allow you to specify
the host name portion of the URL using either the text form (BIGHOST.POK.IBM.COM)
or the dotted decimal address (123.45.6). The port
number is appended to the host name, separated by a colon : (X'7A').
For
more information about LDAP URLs and how to enable LDAP servers for
SSL connections, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
The
LDAP URL that you define to RACF can
consist of 10 - 1023
characters. A valid URL must start with either ldap:// or ldaps://. RACF will allow any characters
to be entered for the remaining portion of the URL, but you should
ensure that the URL conforms to TCP/IP conventions. For example, parentheses,
commas, blanks, semicolons, and single quotation marks are not typically
allowed in a host name. The LDAP URL can be entered with or without
single quotation marks, however, in both cases, it will be translated
to uppercase.
RACF does
not ensure that a valid LDAP URL has been specified.
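Because RACF enforces only the ldap:// or ldaps:// prefix and the 10 - 1023 length, a pre-check of the host and port is worth running before the value is stored. The code below is an added example and not IBM code; parse_ldap_url and check_ldap_url are names chosen here, and falling back to ports 389 and 636 when none is given is an assumption taken from the page's two examples, not a rule the page states.

```python
"""Pre-check an LDAPHOST value before placing it on ALTUSER PROXY.

Added example, not IBM code. RACF checks the scheme prefix and the length
and translates the value to uppercase; the host and port checks here are
the ones the page leaves to you. ASSUMED_DEFAULT_PORT is an assumption
drawn from the page's examples (ldap://...:389, ldaps://...:636)."""
from typing import List, Tuple

HOST_BANNED = set("(), ;'")   # "not typically allowed in a host name" per the page
ASSUMED_DEFAULT_PORT = {"LDAP": 389, "LDAPS": 636}


def parse_ldap_url(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) in the uppercase form RACF stores."""
    stored = url.upper()   # RACF translates the whole value to uppercase
    scheme, sep, rest = stored.partition("://")
    if not sep or scheme not in ASSUMED_DEFAULT_PORT:
        raise ValueError("a valid URL must start with ldap:// or ldaps://")
    authority = rest.split("/", 1)[0]
    host, colon, port_text = authority.rpartition(":")
    if not colon:   # no explicit port (bracketed IPv6 literals are not handled here)
        host, port_text = authority, str(ASSUMED_DEFAULT_PORT[scheme])
    if not host:
        raise ValueError("host name is missing")
    if any(c in HOST_BANNED for c in host):
        raise ValueError("host name contains characters not allowed by TCP/IP conventions")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError("port must be a number from 1 to 65535")
    return scheme, host, int(port_text)


def check_ldap_url(url: str) -> List[str]:
    """Return the problems found; an empty list means the value is usable."""
    problems: List[str] = []
    if not 10 <= len(url) <= 1023:
        problems.append("length must be 10 - 1023 characters")
    try:
        parse_ldap_url(url)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for candidate in ("ldaps://BIGHOST.POK.IBM.COM:636", "ldap://big host:389"):
        print(candidate, "->", check_ldap_url(candidate) or "ok")
```

Prefer ldaps:// where the target server supports it; the page notes that it requests an SSL connection, and the BIND password configured alongside it otherwise travels in the clear.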
- NOLDAPHOST
- Deletes
the URL of the LDAP server which the z/OS LDAP
server will contact when acting as a proxy on behalf of a requester.
- BINDDN | NOBINDDN
- BINDDN(bind_distinguished_name)
- Specifies the distinguished name (DN)
which the z/OS LDAP server
will use when acting as a proxy on behalf of a requester. This DN
will be used in conjunction with the BIND password, if the z/OS LDAP server needs to supply
an administrator or user identity to BIND with another LDAP server.
A DN is made up of attribute value pairs, separated by commas. For
example:
cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US
When
you define a BIND DN to RACF,
it can contain 1 - 1023 characters.
The BIND DN can consist of any characters and can be entered with
or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the BIND DN, the character string must be enclosed in single
quotation marks.
- If a single quotation mark is intended to be part of the BIND
DN, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. For more information
about LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If
you issue the ALTUSER command as a RACF operator
command and you specify the BIND DN in lowercase, you must include
the BIND DN within single quotations.
RACF does not ensure that a valid BIND DN has
been specified.
- NOBINDDN
- Deletes the distinguished name (DN)
used by the z/OS LDAP server
when acting as a proxy on behalf of a requester.
- BINDPW | NOBINDPW
- BINDPW
- Specifies
the password which the z/OS LDAP
server will use when acting as a proxy on behalf of a requester.
When
you define a BIND password to RACF,
it can contain 1 - 128 characters.
The BIND password can consist of any characters (see exception below)
and can be entered with or without single quotation marks. The following
rules apply:
- The BIND password cannot start with a left brace { character (X'8B').
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the BIND password, the character string must be enclosed
in single quotation marks.
- If a single quotation mark is intended to be part of the BIND
password, use two single quotation marks together for each single
quotation mark within the string, and enclose the entire string within
single quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. For more information
about LDAP passwords, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If
you issue the ALTUSER command as a RACF operator
command and you specify the BIND password in lowercase, you must include
the BIND password within single quotations.
RACF does not ensure that a valid BIND password
has been specified.
Important:
- When the command is issued from ISPF, the TSO command buffer (including
possible BINDPW password data) is written to the ISPLOG data set.
As a result, you should not issue this command from ISPF or you must
control the ISPLOG data set carefully.
- When the command is issued as a RACF operator
command, the command and the possible BINDPW password data is written
to the system log. Therefore, use of ALTUSER as a RACF operator command should either be controlled
or you should issue the command as a TSO command.
- NOBINDPW
- Deletes
the password used by the z/OS LDAP
server when acting as a proxy on behalf of a requester.
- NOPROXY
- Deletes
LDAP proxy information.
- RESTRICTED | NORESTRICTED
- RESTRICTED
- Specifies that global access
checking is bypassed when resource access checking is performed for
the user, and neither ID(*) on the access list nor
the UACC will allow access. The RESTRICTED.FILESYS.ACCESS profile
in the UNIXPRIV class can also be used to bypass the z/OS UNIX other permission
bits during file access checking for RESTRICTED users.
Note: If your
installation has profiles defined in the PROGRAM class, and the user
ID with the RESTRICTED attribute needs to load programs covered by
one or more of these profiles, the user ID must be put on the access
list with EXECUTE or READ authority.
- NORESTRICTED
- Specifies
that the user does not have the RESTRICTED attribute and access checking
is performed the standard way including global access checking, ID(*),
the UACC, and the z/OS UNIX 'other'
permission bits as appropriate.
- RESUME | NORESUME
- RESUME[(date)]
- Specifies
that the user is to be allowed to access the system again. You normally
use RESUME to restore access to the system that has been prevented
by a prior REVOKE.
If you specify a date, RACF prevents the user from accessing the system
until the date you specify. The date must be a future date; if it
is not, you are prompted to provide a future date.
Between
the time you specify the RESUME and the time the RESUME takes effect,
the RESUME is called a pending resumption (or a pending RESUME).
You
specify a date in the form mm/dd/yy, and
you need not specify leading zeros; specifying 9/1/06 is
the same as specifying 09/01/06. RACF interprets dates as 20yy when yy is
less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would
be in the year 1994, and 09/01/14 would be in the
year 2014.
If you specify RESUME without a date, the RESUME
takes effect immediately.
When no REVOKE or pending REVOKE
is in effect for the user, RACF ignores
the RESUME operand.
Note:
- If you use the ALTUSER command to issue a REVOKE for a user, you
must use the ALTUSER command to issue the corresponding RESUME. Issuing
RESUME on the CONNECT command does not restore access revoked on the
ALTUSER command.
- If you specify both REVOKE(date) and
RESUME(date), RACF acts
on them in date order. For example, if you specify RESUME(8/19/06)
and REVOKE(8/5/06), RACF prevents
the user from accessing the system from August 5, 2006, to August
18, 2006. On August 19, the user can again access the system.
If
a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access
the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing
the system.
- If RACF detects a conflict
between REVOKE and RESUME (for example, you specify both without a
date), RACF uses REVOKE.
- To clear the RESUME date field, specify NORESUME.
- To successfully resume a user whose revoke date has passed, you
must specify NOREVOKE to clear the revoke date as well as specifying
the RESUME keyword.
- Downlevel systems sharing the RACF database
should not be affected by the changes to REVOKE and RESUME processing.
A user who is considered revoked on a z/OS V1R7
system should also be considered revoked on a downlevel system.
- NORESUME
- Specifies
that RACF is to clear the user's
RESUME date field. You can use the NORESUME option to cancel the pending
resumption (of a user's ID) that resulted from a previous ALTUSER
command specified with RESUME(date).
- REVOKE | NOREVOKE
- REVOKE[(date)]
- Specifies that RACF is
to prevent the user from accessing the system. The user's profile
is not deleted from the RACF database,
and the user's data sets are not deleted from the RACF data set.
If you specify the date, RACF prevents the user from accessing
the system, starting on the date you specify. The date must be a future
date; if it is not, you are prompted to provide a future date.
Between
the time you specify the REVOKE and the time the REVOKE takes effect,
the REVOKE is called a pending revocation (or a pending REVOKE).
You
specify a date in the form mm/dd/yy, and
you need not specify leading zeros; specifying 9/1/06 is
the same as specifying 09/01/06. RACF interprets dates as 20yy when yy is
less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would
be in the year 1994, and 09/01/14 would be in the
year 2014.
When you specify REVOKE without a date, the following
conditions apply:
When
a REVOKE is already in effect for the user, RACF ignores the REVOKE operand and issues a
message.
Note:
- Specifying REVOKE on the ALTUSER command overrides RESUME on the
CONNECT command.
- If you specify both REVOKE(date) and
RESUME(date), RACF acts
on them in date order. For example, if you specify RESUME(8/19/06)
and REVOKE(8/5/06), RACF prevents
the user from accessing the system from August 5, 2006, to August
18, 2006. On August 19, the user can again access the system.
If
a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access
the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing
the system.
- If RACF detects a conflict
between REVOKE and RESUME (for example, you specify both without a
date), RACF uses REVOKE.
- To clear the REVOKE date field, specify NOREVOKE.
- Downlevel systems sharing the RACF database
should not be affected by the changes to REVOKE and RESUME processing.
A user who is considered revoked on a z/OS V1R7
system should also be considered revoked on a downlevel system.
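The date rules shared by RESUME and REVOKE (mm/dd/yy with optional leading zeros, the 71 pivot year, date-order processing, REVOKE winning a conflict) are worth working through once with the page's own examples. The code below is an added example and not IBM code; parse_racf_date and access_blocked are names chosen here, and the convention that "" means an operand given without a date while None means the operand was not specified is this example's own.

```python
"""Interpret ALTUSER REVOKE(date) and RESUME(date) as the page describes:
mm/dd/yy with the 71 pivot, both operands acted on in date order, REVOKE
used when the two conflict.

Added example, not IBM code. "" stands for an operand given without a date
(takes effect at once); None means the operand was not specified."""
from datetime import date
from typing import List, Optional, Tuple

PIVOT_YY = 71   # yy < 71 -> 20yy ; yy >= 71 -> 19yy


def parse_racf_date(text: str) -> date:
    """mm/dd/yy; leading zeros are optional, so 9/1/06 equals 09/01/06."""
    month, day, yy = (int(part) for part in text.split("/"))
    if not 0 <= yy <= 99:
        raise ValueError("year must be given as two digits")
    year = (2000 if yy < PIVOT_YY else 1900) + yy
    return date(year, month, day)


def access_blocked(today: date, revoke: Optional[str] = None,
                   resume: Optional[str] = None, already_revoked: bool = False) -> bool:
    """Is the user kept off the system on `today` after this ALTUSER?

    Operands are applied in date order; an undated operand takes effect at
    once. When both are undated (a conflict) REVOKE sorts last and so wins.
    """
    events: List[Tuple[date, int, bool]] = []   # (effective date, tie-break, blocked after)
    if revoke is not None:
        events.append((parse_racf_date(revoke) if revoke else date.min, 1, True))
    if resume is not None:
        events.append((parse_racf_date(resume) if resume else date.min, 0, False))
    blocked = already_revoked
    for when, _, state in sorted(events):
        if when <= today:   # a pending REVOKE/RESUME in the future has not fired yet
            blocked = state
    return blocked


if __name__ == "__main__":
    # The page's example: REVOKE(8/5/06) RESUME(8/19/06) on a user who is not revoked.
    for day in (date(2006, 8, 4), date(2006, 8, 5), date(2006, 8, 18), date(2006, 8, 19)):
        print(day, "blocked" if access_blocked(day, revoke="8/5/06", resume="8/19/06") else "allowed")
```

Remember the caveat from the NOREVOKE text: once the revoke date has passed, RESUME alone is not enough; NOREVOKE must also be specified to clear the revoke date.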
- NOREVOKE
- Specifies that RACF is
to clear the user's REVOKE date field. You can use the NOREVOKE option
to cancel the pending revocation (of a user's ID) that resulted from
a previous ALTUSER command specified with REVOKE(date).
To
successfully resume a user whose revoke date has passed, you must
specify NOREVOKE to clear the revoke date as well as specifying the
RESUME keyword.
The NOREVOKE option does not resume the user
ID after it was revoked by the ALTUSER REVOKE command or the user's
excessive attempts to use incorrect passwords or password phrases.
- SECLABEL | NOSECLABEL
- SECLABEL(seclabel-name)
- Specifies
the user's default security label where seclabel-name is
an installation-defined security label that represents an association
between a particular security level and a set of zero or more security
categories.
A security label corresponds to a particular security
level (such as CONFIDENTIAL) with a set of zero or more security categories
(such as PAYROLL or PERSONNEL).
When no profile in the SECLABEL
class exists for seclabel-name, an error
message is issued and the user's security label is not changed.
- NOSECLABEL
- Specifies
that the ALTUSER command is to delete any security label contained
in the user profile.
- SECLEVEL | NOSECLEVEL
- SECLEVEL(seclevel-name)
- Specifies
the user's security level, where seclevel-name is
an installation-defined name that must be a member of the SECLEVEL
profile in the SECDATA class. The security level name that you specify
corresponds to the number of the minimum security level that a user
must have to access the resource.
When you specify SECLEVEL and the SECDATA
class is active, RACF adds
security level access checking to its other authorization checking.
If global access checking does not grant access, RACF compares the security level allowed in
the user profile with the security level required in the resource
profile. If the security level in the user profile is less than the
security level in the resource profile, RACF denies
the access. If the security level in the user profile is equal to
or greater than the security level in the resource profile, RACF continues with other authorization
checking.
Note: RACF does
not perform security level checking for a started task or user that
has the RACF privileged or
trusted attribute. The RACF privileged
or trusted attribute can be assigned to a started task through the RACF started procedures table or
STARTED class, or to other users by installation-supplied RACF exits.
When the
SECDATA class is not active, RACF ignores
this operand. When the SECLEVEL profile does not include a member
for seclevel-name, you are prompted to provide
a valid security level name.
- NOSECLEVEL
- Specifies
that the ALTUSER command is to delete any security level contained
in the user profile. The user no longer has access to any resource
that requires a requester to have a certain security level.
- SPECIAL | NOSPECIAL
- SPECIAL
- Specifies
that the user is to be allowed to issue all RACF commands with all operands except the operands
that require the AUDITOR attribute. SPECIAL specified on the ALTUSER
command overrides NOSPECIAL specified on the CONNECT command.
You
must have the SPECIAL attribute to use the SPECIAL operand.
- NOSPECIAL
- Specifies
that the user no longer has the SPECIAL attribute.
You must have
the SPECIAL attribute to use the NOSPECIAL operand.
- TSO | NOTSO
- TSO
- Specifies
that when you change the profile of a TSO user, you can enter any
of the following suboperands to add or change default TSO logon information
for that user. Each suboperand defines information that RACF stores in a field within the TSO segment
of the user's profile.
You can control access to an entire TSO
segment or to individual fields within the TSO segment by using field-level
access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.
- ACCTNUM | NOACCTNUM
- ACCTNUM(account-number)
- Specifies
the user's default TSO account number when logging on from the TSO/E
logon panel. The account number you specify must be defined as a profile
in the ACCTNUM general resource class, and the user must be granted
READ access to the profile. Otherwise, the user cannot log on to TSO
using the specified account number.
Account numbers can consist
of any characters, and can be entered with or without single quotation
marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the account number, the character string must be enclosed
in single quotation marks. For example, if the account number is (123),
you must enter ACCTNUM('(123)').
- If a single quotation mark is intended to be part of the account
number, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
A user can change an account number, or specify an account
number if one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization
to the specified account number. If the user is authorized to use
the account number, RACF stores
the account number in the TSO segment of the user's profile, and TSO/E
uses it as a default value the next time the user logs on to TSO/E.
Otherwise, RACF denies the
use of the account number.
Note: When you define an account number
on TSO, you can specify 1 - 40 characters.
When you define a TSO account number to RACF,
you can specify only 1 - 39 characters.
- NOACCTNUM
- Specifies
that you want to delete the user's default account number. If you
delete the default account number from a user's profile, RACF uses a default value consistent with current
TSO defaults when the user logs on to TSO.
- COMMAND | NOCOMMAND
- COMMAND(command-issued-at-logon)
- Specifies the command to be run during TSO/E logon. TSO/E uses
this field to prime the COMMAND field of the logon panel. The command
value can contain 1 - 80 characters
and consist of any characters. You can enter the value with or without
single quotation marks depending on the following rules:
- If the command value contains parentheses, commas, blanks, or
semicolons, enclose the character string in single quotation marks.
For example, if the command value is (123), you must
enter COMMAND('(123)').
- If a single quotation mark is intended to be part of the command
value, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted and
maintained in the case in which they are entered. A user can change
the command value, or specify a command if one has not been specified,
using the TSO/E logon panel.
Note: It is recommended that you
use this command for a user who is logged off. If you change the command
value for a currently logged-on user ID, the change is overwritten
by the TSO/E logoff command processor when the user ID is logged off.
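The quoting rules given for COMMAND are the same ones repeated for FSROOT, HOME, PROGRAM, BINDDN, BINDPW and ACCTNUM, so one helper can build all of these operands correctly. The code below is an added example and not IBM code; quote_value, operand and LIMITS are names chosen here. It enforces only the TSO syntax and the length limits the page states; like RACF itself, it does not check that a pathname, DN or password is valid.

```python
"""Build ALTUSER operand values that follow the quoting rules the page
repeats for FSROOT, HOME, PROGRAM, BINDDN, BINDPW, ACCTNUM and COMMAND.

Added example, not IBM code. Only the command syntax is handled: RACF does
not validate pathnames, DNs or passwords, and neither does this code."""

NEEDS_QUOTES = set("(), ;")   # parentheses, commas, blanks, semicolons

# Value length limits the page states for each operand.
LIMITS = {"FSROOT": 1023, "HOME": 1023, "PROGRAM": 1023,
          "BINDDN": 1023, "BINDPW": 128, "ACCTNUM": 39, "COMMAND": 80}


def quote_value(value: str, operator_command: bool = False) -> str:
    """Quote only when the rules require it, doubling each embedded single quote."""
    must_quote = "'" in value or any(c in NEEDS_QUOTES for c in value)
    # Issued as a RACF operator command, a lowercase BINDDN or BINDPW value must
    # be quoted (the page states this for those two operands); every operand
    # here may be entered with quotation marks, so quoting is safe elsewhere too.
    if operator_command and value != value.upper():
        must_quote = True
    return "'" + value.replace("'", "''") + "'" if must_quote else value


def operand(name: str, value: str, operator_command: bool = False) -> str:
    """Return NAME(value) ready to be appended to an ALTUSER command."""
    limit = LIMITS[name]
    if not 1 <= len(value) <= limit:
        raise ValueError(f"{name} value must be 1 - {limit} characters")
    if name == "BINDPW" and value.startswith("{"):
        raise ValueError("BINDPW cannot start with a left brace")
    return f"{name}({quote_value(value, operator_command)})"


if __name__ == "__main__":
    print("ALTUSER USER01 OVM(" + " ".join([
        operand("HOME", "/u/o'brien"),
        operand("PROGRAM", "/bin/sh"),
    ]) + ")")
    print("ALTUSER USER01 PROXY("
          + operand("BINDDN", "cn=Ben Gray,ou=editing,o=New York Times,c=US") + ")")
```

Keep the BINDPW and PASSWORD/PHRASE caveats from the page in mind when assembling commands this way: the finished command string, including any password data, ends up in ISPLOG when issued from ISPF and in the system log when issued as an operator command.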
- NOCOMMAND
- Deletes any COMMAND data that was previously saved in the RACF database for this user ID.
Note: When you delete this field for a currently logged-on user ID,
the field is overwritten by the TSO/E logoff command processor when
the user ID is logged off.
- DEST | NODEST
- DEST(destination-id)
- Specifies
the default destination to which the user can route dynamically allocated
SYSOUT data sets. The specified value must be 1 - 7 alphanumeric
characters, beginning with an alphabetic or national character.
- NODEST
- Specifies
that you want to remove any default destination information for this
user. Without explicit action by the user to route SYSOUT, the SYSOUT
for this user is printed at your system default print location.
- HOLDCLASS | NOHOLDCLASS
- HOLDCLASS(hold-class)
- Specifies
the user's default hold class. The specified value must be 1 alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ALTUSER command but do not specify a value for HOLDCLASS, RACF uses a default value consistent
with current TSO defaults.
- NOHOLDCLASS
- Specifies
that you want to delete the default hold class from the TSO segment
of the user's profile. If you delete the default hold class from a
user's profile, RACF uses a
default value consistent with current TSO defaults when the user logs
onto TSO.
- JOBCLASS | NOJOBCLASS
- JOBCLASS(job-class)
- Specifies
the user's default job class. The specified value must be 1 alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ALTUSER command but do not specify a value for JOBCLASS, RACF uses a default value consistent
with current TSO defaults.
- NOJOBCLASS
- Specifies
that you want to delete the default job class from the TSO segment
of the user's profile. If you delete the default job class from a
user's profile, RACF uses a
default value consistent with current TSO defaults when the user logs
on to TSO.
- MAXSIZE | NOMAXSIZE
- MAXSIZE(maximum-region-size)
- Specifies
the maximum region size that the user can request at logon. The maximum
region size is the number of 1024-byte units of virtual storage that
TSO can create for the user's private address space. The specified
value must be an integer 0 - 2096128.
If
you specify the TSO operand on the ALTUSER command but do not specify
a value for MAXSIZE, or specify MAXSIZE(0), RACF uses a default value consistent with current
TSO defaults.
If values are specified for both MAXSIZE and
SIZE and SIZE is greater than MAXSIZE, RACF sets
SIZE equal to MAXSIZE. If a value is specified for only SIZE or MAXSIZE
and SIZE is greater than MAXSIZE, the operand is ignored.
- NOMAXSIZE
- Specifies
that you want to delete the maximum region size from the TSO segment
of the user's profile. If you delete the maximum region size from
a user's profile, RACF uses
a default value consistent with current TSO defaults when the user
logs on to TSO.
- MSGCLASS | NOMSGCLASS
-
- MSGCLASS(message-class)
- Specifies
the user's default message class. The specified value must be one
alphanumeric character, excluding national characters.
If you
specify the TSO operand on the ALTUSER command but do not specify
a value for MSGCLASS, RACF uses
a default value consistent with current TSO defaults.
- NOMSGCLASS
- Specifies
that you want to delete the default message class from the TSO segment
of the user's profile. If you delete the default message class from
a user's profile, RACF uses
a default value consistent with current TSO defaults when the user
logs on to TSO.
- PROC | NOPROC
-
- PROC(logon-procedure-name)
- Specifies
the name of the user's default logon procedure when logging on through
the TSO/E logon panel. The name you specify must be 1 - 8 alphanumeric
characters and begin with an alphabetic character. The name must also
be defined as a profile in the TSOPROC general resource class, and
the user must be granted READ access to the profile. Otherwise, the
user cannot log on to TSO using the specified logon procedure.
A
user can change a logon procedure, or specify a logon procedure if
one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization to the
specified logon procedure. If the user is authorized to use the logon
procedure, RACF stores the
name of the procedure in the TSO segment of the user's profile, and
TSO/E uses it as a default value the next time the user logs on to
TSO/E. Otherwise, RACF denies
the use of the logon procedure.
- NOPROC
- Specifies
that you want to delete the default logon procedure from the TSO segment
of the user's profile. If you delete the default logon procedure from
a user's profile, RACF uses
a default value consistent with current TSO defaults when the user
logs on to TSO.
- SECLABEL | NOSECLABEL
-
- SECLABEL(security-label)
- Specifies the user's security label if the user specifies one
on the TSO logon panel.
- NOSECLABEL
- Specifies
that you want to delete the security label from the TSO segment of
the user's profile. If you delete the security label from a user's
TSO segment, RACF uses the
security label in the user's profile the next time the user logs on
to TSO.
- SIZE | NOSIZE
-
- SIZE(default-region-size)
- Specifies
the minimum region size if the user does not request a region size
at logon. The default region size is the number of 1024-byte units
of virtual storage available in the user's private address space at
logon. The specified value must be an integer 0 - 2096128.
A
user can change a minimum region size, or specify a minimum region
size if one has not been specified, using the TSO/E logon panel. RACF stores this value in the TSO
segment of the user's profile, and TSO/E uses it as a default value
the next time the user logs on to TSO/E.
If values are specified
for both MAXSIZE and SIZE and SIZE is greater than MAXSIZE, RACF sets SIZE equal to MAXSIZE.
If a value is specified for only SIZE or MAXSIZE and SIZE is greater
than MAXSIZE, the operand is ignored.
- NOSIZE
- Specifies
that you want to delete the default minimum region size from the TSO
segment of the user's profile. If you delete the default minimum region
size from a user's profile, RACF uses
a default value consistent with current TSO defaults when the user
logs on to TSO.
- SYS | NOSYS
-
- SYS(sysout-class)
- Specifies
the user's default SYSOUT class. The specified value must be one alphanumeric
character, excluding national characters.
If you specify the TSO
operand on the ALTUSER command but do not specify a value for SYS, RACF uses a default value consistent
with current TSO defaults.
- NOSYS
- Specifies
that you want to delete the default SYSOUT class from the TSO segment
of the user's profile. If you delete the default SYSOUT class from
a user's profile, RACF uses
a default value consistent with current TSO defaults when the user
logs on to TSO.
- UNIT | NOUNIT
-
- UNIT(unit-name)
- Specifies
the default name of a device or group of devices that a procedure
uses for allocations. The specified value must be 1 - 8 alphanumeric
characters.
- NOUNIT
- Specifies
that you want to delete the default name of a device or group of devices
that a procedure uses for allocations from the TSO segment of the
user's profile. If you delete this name from a user's profile, RACF uses a default value consistent
with current TSO defaults when the user logs on to TSO.
- USERDATA | NOUSERDATA
-
- USERDATA(user-data)
- Specifies optional
installation data defined for the user. The specified value must be
4 EBCDIC characters; valid characters are 0 - 9 and A - F.
Note: When you change this value for a currently logged-on user ID,
the change is overwritten by the TSO logoff command processor when
the user ID is logged off.
- NOUSERDATA
- Specifies
that you want to delete the installation data previously defined for
a user.
- NOTSO
- Specifies that you are revoking
a user's authority to use TSO. RACF deletes
TSO logon information from the RACF database
for the specified user. However, if the user ID is currently logged
on, when the user issues the LOGOFF command the TSO logoff processor
restores the TSO segment with default values (except for the USERDATA
field which is set to the user's current value). To prevent the TSO
segment from being restored, the user ID should be logged off before
issuing the ALTUSER NOTSO command.
When you specify NOTSO, the
result is the same as if you issue the TSO ACCOUNT command with the
DELETE subcommand.
- UACC(access-authority)
- Specifies the
new default universal access authority for all new resource profiles
the user defines while the user's default group or the group specified
in the GROUP operand is the user's current connect group. The universal
access authorities are ALTER, CONTROL, UPDATE, READ, and NONE. (RACF does not accept EXECUTE access
authority with the ALTUSER command.) If you specify UACC without a
value, RACF ignores the operand.
This
operand is group-related. If a user is subsequently connected to other
groups (with the CONNECT command), the user can have a different default
universal access authority in each group. Therefore, if the user specifies
a different group at logon time or at batch job execution, the user's
default UACC is the UACC of the specified group, not the UACC of the
user's default group.
- UAUDIT | NOUAUDIT
-
- UAUDIT
- Specifies that RACF is to log the following events:
- All RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST and
SEARCH) issued by this user
- All additions, changes, or deletions that the user makes to RACF
profiles using RACROUTE REQUEST=DEFINE requests
- All attempts that the user makes to access RACF-protected resources,
except those authorized by global access checking and those not logged
because the resource manager (issuer of the RACROUTE REQUEST=AUTH
or RACROUTE REQUEST=FASTAUTH request) specified no logging
- All security decisions made during RACF callable services involving
this user and any resource in certain z/OS UNIX classes. For a list
of these classes, see "Auditing for
z/OS UNIX System Services" in z/OS Security Server RACF Auditor's Guide.
You must have the AUDITOR attribute, or the user profile
must be within the scope of a group in which you have the group-AUDITOR
attribute, in order to enter the UAUDIT operand.
If an unauthorized
user specifies UAUDIT on the ALTUSER command, none of the operands
on the command is processed. RACF issues
ICH21005I NOT AUTHORIZED TO SPECIFY UAUDIT, OPERAND IGNORED.
The System Action states RACF ignores the operand and
continues processing with the next operand. RACF verifies other operands, but does not process
any of them. For more information, see z/OS Security Server RACF Messages and Codes.
- NOUAUDIT
- Specifies
that no UAUDIT logging is to be performed. This operand does not override
any other auditing options (for example, CMDVIOL specified on SETROPTS)
that might be in effect.
You must have the AUDITOR attribute,
or the user profile must be within the scope of a group in which you
have the group-AUDITOR attribute, to enter the NOUAUDIT operand.
- WHEN
- Specifies the days
of the week and the hours in the day when the user is allowed to access
the system from a terminal. The day-of-week and time restrictions
apply only when a user logs on to the system; that is, RACF does not force the user off the system
if the end-time occurs while the user is logged on. Also, the day-of-week
and time restrictions do not apply to batch jobs; the user can submit
a batch job on any day and at any time.
If you specify the WHEN
operand, you can restrict the user's access to the system to certain
days of the week and to a certain time period within each day. For
example, you can restrict a user's access to any one of the following:
- From 9:00 a.m. to 5:00 p.m. (0900:1700). (This
would be a daily restriction because days were not also specified.)
- Monday through Friday. (This restriction applies for all 24 hours
of Monday, Tuesday, Wednesday, Thursday, and Friday.)
- Monday through Friday from 9:00 a.m. to 5:00 p.m. (0900:1700)
- DAYS(day-info)
- Specifies days of the week when a user can access the system.
The day-info value can be any one of the
following:
- ANYDAY
- Specifies that the user can access the system on any day.
- WEEKDAYS
- Specifies that the user can access the system only on weekdays
(Monday through Friday).
- day …
- Specifies that the user can access the system only on the days
specified, where day can be MONDAY, TUESDAY, WEDNESDAY, THURSDAY,
FRIDAY, SATURDAY, or SUNDAY, and you can specify the days in any order.
Restriction: You cannot specify more
than one combination of days and times, even through multiple ALTUSER
commands.
- TIME(time-info)
- Specifies the time period each day when a user can access the
system. The time-info value can be any one
of the following:
- ANYTIME
- Specifies that the user can access the system at any time.
- start-time:end-time
- Specifies that the user can access the system only during the
specified time period. The format of both start-time and end-time is hhmm,
where hh is the hour in 24-hour notation
(00 - 23)
and mm is the minutes (00 - 59). Note
that 0000 is not a valid time value.
If start-time is
greater than end-time, the interval spans
midnight and extends into the following day.
If you omit DAYS and specify TIME, the time
restriction applies to any day-of-week restriction already indicated
in the profile. If you omit TIME and specify DAYS, the day restriction
applies to the time restriction already indicated in the profile.
If you specify both DAYS and TIME, the user can access the system
only during the specified time period and only on the specified days.
If
you omit both DAYS and TIME, the time and day restriction remains
as it was in the profile.
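As an added illustration (not RACF's own logic), the following Python models the WHEN rules just described: DAYS and TIME each replace only their own part of the existing restriction, a start-time greater than end-time spans midnight, and 0000 is rejected. The datetime-based check, inclusive bounds, and the use of the logon's calendar day for a midnight-spanning window are assumptions made here.

```python
"""Model of ALTUSER WHEN(DAYS(...) TIME(...)) logon-window rules (added example)."""
import re
from datetime import datetime

DAY_NAMES = ("MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY",
             "FRIDAY", "SATURDAY", "SUNDAY")
ANYDAY = frozenset(DAY_NAMES)
WEEKDAYS = frozenset(DAY_NAMES[:5])


def parse_days(day_info):
    """DAYS value -> set of permitted day names (ANYDAY, WEEKDAYS or a day list)."""
    words = day_info.upper().split()
    if words == ["ANYDAY"]:
        return ANYDAY
    if words == ["WEEKDAYS"]:
        return WEEKDAYS
    days = frozenset(words)
    if not days or not days <= ANYDAY:
        raise ValueError(f"invalid DAYS value: {day_info!r}")
    return days


def _hhmm(text):
    """hhmm -> minutes after midnight; 0000 is rejected, as the text requires."""
    if len(text) != 4 or not text.isdigit() or text == "0000":
        raise ValueError(f"invalid time {text!r}: must be hhmm and not 0000")
    hh, mm = int(text[:2]), int(text[2:])
    if hh > 23 or mm > 59:
        raise ValueError(f"invalid time {text!r}: hh is 00-23, mm is 00-59")
    return hh * 60 + mm


def parse_time(time_info):
    """TIME value -> None for ANYTIME, else (start, end) in minutes after midnight."""
    if time_info.upper() == "ANYTIME":
        return None
    start, sep, end = time_info.partition(":")
    if not sep:
        raise ValueError(f"invalid TIME value: {time_info!r}")
    return _hhmm(start), _hhmm(end)


def parse_when_operand(text):
    """Split 'DAYS(...)TIME(...)' into its two values; either may be absent."""
    days = re.search(r"DAYS\(([^)]*)\)", text, re.IGNORECASE)
    time = re.search(r"TIME\(([^)]*)\)", text, re.IGNORECASE)
    return (days.group(1) if days else None, time.group(1) if time else None)


def apply_when(profile, when_text):
    """Return the (days, window) restriction after ALTUSER ... WHEN(when_text).

    An omitted DAYS or TIME leaves that part of the existing restriction
    untouched; omitting both leaves the profile exactly as it was.
    """
    days, window = profile
    day_info, time_info = parse_when_operand(when_text)
    if day_info is not None:
        days = parse_days(day_info)
    if time_info is not None:
        window = parse_time(time_info)
    return days, window


def logon_allowed(profile, at):
    """Would a terminal logon at datetime `at` pass the day/time check?

    Assumed here (the text does not say): bounds are inclusive, and the day
    check uses the calendar day of the logon even for a midnight-spanning window.
    Only logon is checked; an active session is never forced off.
    """
    days, window = profile
    if DAY_NAMES[at.weekday()] not in days:
        return False
    if window is None:
        return True
    start, end = window
    minute = at.hour * 60 + at.minute
    if start <= end:
        return start <= minute <= end
    # start > end: the window spans midnight and runs into the following day
    return minute >= start or minute <= end
```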
- WORKATTR | NOWORKATTR
-
- WORKATTR
- Specifies the user-specific attributes of a unit of work.
z/OS elements
or features such as APPC, WLM, and z/OS UNIX might
use the WORKATTR segment.
These operands are used by APPC/MVS
for SYSOUT created by APPC transactions.
- WAACCNT(account-number) | NOWAACCNT
- Specifies
an account number for APPC/MVS processing.
You can specify a maximum
of 255 EBCDIC characters. Use the following rules when entering a
value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WAACCNT('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The NOWAACCNT suboperand deletes
the account number from the user profile.
- WAADDRn(address-line-n) | NOWAADDRn
- Where n can be 1 - 4, address-line-n specifies
other address lines for SYSOUT delivery. For each line of the address
you can specify a maximum of 60 EBCDIC characters. Both uppercase
and lowercase characters are accepted and maintained in the case in
which they are entered.
Use the following rules when entering
a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WAADDR('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The NOWAADDR suboperand deletes
address line n from the user profile.
- WABLDG(building) | NOWABLDG
- Specifies
the building that SYSOUT information is to be delivered to.
You
can specify a maximum of 60 EBCDIC characters. Both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered.
Use the following rules when entering a value
for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WABLDG('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The NOWABLDG suboperand deletes
the building from the profile.
- WADEPT(department) | NOWADEPT
- Specifies
the department that SYSOUT information is to be delivered to.
You
can specify a maximum of 60 EBCDIC characters. Both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered.
Use the following rules when entering a value
for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WADEPT('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The NOWADEPT suboperand deletes
the department from the profile.
- WANAME(name) | NOWANAME
- Specifies
the name of the user SYSOUT information is to be delivered to.
You
can specify a maximum of 60 EBCDIC characters. Both uppercase and
lowercase characters are accepted and maintained in the case in which
they are entered.
Use the following rules when entering a value
for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WANAME('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The NOWANAME suboperand deletes
the name from the profile.
- WAROOM(room) | NOWAROOM
- Specifies
the room SYSOUT information is to be delivered to.
You can specify
a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters
are accepted and maintained in the case in which they are entered.
Use
the following rules when entering a value for this field:
- If the data contains parentheses, commas, blanks, or semicolons,
enclose the character string in single quotation marks. For example,
if the data is (123), you must enter WAROOM('(123)').
- If a single quotation mark is intended to be part of the data,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The NOWAROOM suboperand deletes
the room from the profile.
- NOWORKATTR
- Specifies
that you want to delete the work attributes previously defined for
a user.
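The quoting and length rules stated for WAACCNT and for WAADDRn through WAROOM are easy to get wrong when commands are generated by a script. The following Python, an added example and not RACF code, builds WORKATTR suboperands under those rules (wrap in single quotes when the data contains parentheses, commas, blanks or semicolons; double every embedded single quote; 255 characters for WAACCNT, 60 for the others). The user ID and values used are constructed.

```python
"""Building WORKATTR suboperand values under the stated quoting rules (added example)."""

# Maximum lengths the text gives for each WORKATTR field.
LIMITS = {"WAACCNT": 255, "WABLDG": 60, "WADEPT": 60, "WANAME": 60, "WAROOM": 60}
LIMITS.update({f"WAADDR{n}": 60 for n in range(1, 5)})

# Characters that force the value to be enclosed in single quotation marks.
NEEDS_QUOTES = frozenset("(), ;")


def quote_value(data):
    """Apply the two rules: double every embedded single quote and wrap the
    whole string; otherwise wrap only when a special character is present."""
    if "'" in data:
        return "'" + data.replace("'", "''") + "'"
    if any(ch in NEEDS_QUOTES for ch in data):
        return "'" + data + "'"
    return data


def unquote_value(text):
    """Inverse of quote_value, used to confirm that a value round-trips."""
    if len(text) >= 2 and text.startswith("'") and text.endswith("'"):
        return text[1:-1].replace("''", "'")
    return text


def workattr_operand(field, data):
    """Build one WORKATTR suboperand, enforcing the stated length limit on the
    raw data (the limit applies to the data, not to the quoted form)."""
    field = field.upper()
    if field not in LIMITS:
        raise ValueError(f"{field} is not a WORKATTR field")
    if len(data) > LIMITS[field]:
        raise ValueError(f"{field} accepts at most {LIMITS[field]} characters")
    return f"{field}({quote_value(data)})"


def build_altuser_workattr(userid, **fields):
    """Assemble a complete ALTUSER userid WORKATTR(...) command string."""
    parts = [workattr_operand(name, value) for name, value in fields.items()]
    return f"ALTUSER {userid} WORKATTR({' '.join(parts)})"


if __name__ == "__main__":
    # Constructed sample: user ID and delivery details are not from the page.
    print(build_altuser_workattr("JSMITH", WABLDG="(123)", WANAME="O'BRIEN, PAT"))
```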
Examples
Example 1 |
Operation |
User IA0 wants to alter the level of group authority
from USE to CREATE for user DAF0 in the user's (DAF0's) default
group so user DAF0 can define generic profiles for data sets in group
RESEARCH. |
Known |
User IA0 is the owner of user DAF0 and has JOIN
authority in the group RESEARCH. The default group for user DAF0
is RESEARCH.
User IA0 wants to issue the command as a RACF TSO command.
|
Command |
ALTUSER DAF0 AUTHORITY(CREATE) |
Defaults |
GROUP(RESEARCH) |
Example 2 |
Operation |
User CD0 wants to correct his name and change
his default group to PAYROLL. |
Known |
The default group for user CD0 is RESEARCH. User
CD0 has USE authority in the group PAYROLL.
User CD0 wants
to issue the command as a RACF TSO
command.
|
Command |
ALTUSER CD0 NAME(CDAVIS) DFLTGRP(PAYROLL) |
Defaults |
None. |
Example 3 |
Operation |
User IA0 wants to add the FINANCIAL category and
the CONFIDENTIAL security level to user ESH25's profile and restrict
the user's access to the system to weekdays from 8:00 a.m. - 8:00 p.m. |
Known |
User IA0 is connected to group PAYROLL with the
group-SPECIAL attribute. Group PAYROLL is user ESH25's default group.
User IA0's profile includes the FINANCIAL category and the CONFIDENTIAL
security level. The FINANCIAL category and the CONFIDENTIAL security
level have been defined to RACF.
User
IA0 wants to issue the command as a RACF TSO
command.
|
Command |
ALTUSER ESH25 ADDCATEGORY(FINANCIAL) SECLEVEL(CONFIDENTIAL)
WHEN(DAYS(WEEKDAYS)TIME(0800:2000)) |
Defaults |
None. |
Example 4 |
Operation |
User RADM02 wants to revoke the user ID of an
employee, user D5819, who will be on vacation for three weeks, starting
on August 5, 1994. User RADM02 wants to direct the command to run
at the local node under the authority of user HICKS and prohibit the
command from being automatically directed to other nodes. |
Known |
Users RADM02 and HICKS have the SPECIAL attribute.
Today's date is August 3, 1994. User RADM02 wants to issue the command
as a RACF TSO command. Users
RADM02 and HICKS have an already established user ID association. |
Command |
ALTUSER D5819 REVOKE(8/5/94) RESUME(8/26/94)
ONLYAT(.HICKS) |
Results |
The command is only processed on the local node
and not automatically directed to any other nodes in the RRSF configuration. |
Example 5 |
Operation |
User RGB01 wants to remove all class authorities
and the AUDITOR attribute from USER1, and wants to audit all activity
by user USER1. |
Known |
User RGB01 has the SPECIAL and AUDITOR attributes.
User USER1 is an existing user.
User RGB01 wants to issue
the command as a RACF TSO command.
|
Command |
ALTUSER USER1 NOCLAUTH(USER TERMINAL)
NOAUDITOR UAUDIT |
Defaults |
None. |
Example 6 |
Operation |
User RADMIN wants to change the installation-defined
information contained in the SJR1 user ID entry, and delete the model
name information. |
Known |
User RADMIN is the owner of user ID SJR1. User
RADMIN wants to issue the command as a RACF TSO
command. |
Command |
ALTUSER SJR1 DATA('RESOURCE USAGE ADMINISTRATOR
NAME TOM P.') NOMODEL |
Defaults |
None. |
Example 7 |
Operation |
User VROGERS wants to change default TSO logon
information for user BNORTH. User BNORTH requires the following changes:
- A new TSO account number, 12345
- A new TSO logon procedure, LPROC12
- A new SYSOUT data set destination, BL2030
- A new SYSOUT class, Z
- A new maximum region size, 18000.
|
Known |
- User VROGERS has the SPECIAL attribute.
- User BNORTH has been defined to RACF with
authority to use TSO.
- 12345 has been defined to RACF as
a profile in the ACCTNUM general resource class, and user BNORTH has
been given READ access to this profile.
- LPROC12 has been defined to RACF as
a profile in the TSOPROC general resource class, and user BNORTH has
been given READ access to this profile.
- User VROGERS wants to issue the command as a RACF TSO command.
|
Command |
ALTUSER BNORTH TSO(ACCTNUM(12345) PROC(LPROC12)
DEST(BL2030) SYS(Z) MAXSIZE(18000)) |
Defaults |
None. |
Example 8 |
Operation |
User MIKEM wants to make the following changes
to the profile for user MARTIN:
- Change the default DFP management class to MGMT617
- Change the default DFP storage class to STOR533
- Delete the default DFP data application.
|
Known |
- User MIKEM has the SPECIAL attribute.
- User MARTIN has been defined to RACF,
and MARTIN's user profile contains a DFP segment.
- MGMT617 has been defined to RACF as
a profile in the MGMTCLAS general resource class, and user MARTIN
has been given READ access to this profile.
- STOR533 has been defined to RACF as
a profile in the STORCLAS general resource class, and user MARTIN
has been given READ access to this profile.
- User MIKEM wants to issue the command as a RACF TSO command.
|
Command |
ALTUSER MARTIN DFP(MGMTCLAS(MGMT617) STORCLAS(STOR533)
NODATAAPPL) |
Defaults |
None. |
Example 9 |
Operation |
A user with SPECIAL authority wants to make existing z/OS UNIX System Services user
CSMITH a superuser and delete PROGRAM from CSMITH's profile so that
the default z/OS UNIX shell
program is used when CSMITH enters the TSO/E command OMVS. |
Known |
User CSMITH is already defined to OMVS. The user
with SPECIAL authority wants to issue the command as a RACF TSO command. |
Command |
ALTUSER CSMITH OMVS(UID(0) NOPROGRAM) |
Defaults |
None. |
Example 10 |
Operation |
A user with SPECIAL authority wants to make existing z/OS UNIX System Services DCE user,
CSMITH, a z/OS UNIX System Services superuser
and change the HOMECELL name to /.../hootie.scarol.ibm.com. |
Known |
The DCE UUID for the /.../hootie.scarol.ibm.com cell
is 003456ab-ecb7-7de3-ebda-95531ed63dae. |
Command |
ALTUSER CSMITH OMVS(UID(0))
DCE(HOMECELL('/.../hootie.scarol.ibm.com')
HOMEUUID(003456ab-ecb7-7de3-ebda-95531ed63dae))
|
Defaults |
None. |
Example 11 |
Operation |
A help desk consultant wants to reset a user's
password. |
Known |
- The consultant is authorized to reset passwords
- The consultant's RACF user
ID (or RACF group associated
with the help desk consultant's user ID) has been permitted by the
security administrator with READ access to the RACF FACILITY class profile IRR.PASSWORD.RESET.
- The help desk consultant is resetting user JIMBOB's password.
|
Command |
ALTUSER JIMBOB PASSWORD(TEMP012X) |
Defaults |
EXPIRED |
Example 12 |
Operation |
A help desk consultant wants to reset an application's
password. |
Known |
A help desk consultant has been authorized
to reset passwords. The consultant's RACF user
ID (or the RACF group associated
with the consultant's user ID) has been permitted by the security
administrator with UPDATE access to the RACF FACILITY
class profile IRR.PASSWORD.RESET.
In this example, at the request
of operations personnel, the consultant is resetting the user ID associated
with an application called CUSTAPP.
The consultant uses the
NOEXPIRED operand so the application user ID (CUSTAPP in this example)
does not need to change the password when it is logged on.
To
reset the application's password, the consultant enters:
|
Command |
ALTUSER CUSTAPP PASSWORD(STBR01R) NOEXPIRED |
|
Note: The password value STBR01R must satisfy
the installation's password quality rules enforced by both SETROPTS
and ICHPWX01. |
Defaults |
None. |
Example 13 |
Operation |
User RACFADM with SPECIAL or UPDATE authority
requests the alteration of a RACF user
to add Lotus Notes information and to delete the NDS segment
from the user's profile. |
Known |
User RACFADM has SPECIAL authority or UPDATE authority
to the desired field within the segment. |
Command |
ALTUSER PCUSER2 LNOTES(SNAME(B.B.SMITH))
NONDS |
Defaults |
None. |
Example 14 |
Operation |
User RACFADM with SPECIAL authority adds the user
IDs PUBLIC, RACFU00, and USER004. The user ID PUBLIC is then altered
and is assigned RESTRICTED access. |
Known |
User RACFADM has SPECIAL authority. |
Command |
ADDUSER (PUBLIC RACFU00 USER004)
ALTUSER PUBLIC RESTRICTED
ADDSD 'RACFU00.*' UACC(READ)
|
Defaults |
RACFU00, USER004, and PUBLIC have NORESTRICTED
access by default. |
Example 15 |
Operation |
An existing user, whose RACF user profile is RONTOMS, is defining a z/OS Integrated Security Services Network Authentication
Service account
within the local realm. MAXTKTLFE is not specified, so the value specified
on the definition of the local realm KERBDFLT in the REALM class is
used. |
Known |
User RONTOMS wants to alter his user profile in
order to add z/OS Integrated Security Services Network Authentication
Service information. |
Command |
ALTUSER RONTOMS KERB(KERBNAME('KerberizedUser'))
PASSWORD(BUNG21R) NOEXPIRED
|
Defaults |
None. |
Example 16 |
Operation |
User RACFADMN issues a command to delete the
profile that references the EIM domain in the LDAPBIND class for user
MRSERVER. |
Known |
The profile in the LDAPBIND class that defines
the EIM LDAP values is no longer required for EIM processing. |
Command |
ALTUSER MRSERVER EIM(NOLDAPPROF) |
Defaults |
None. |
Example 17 |
Operation |
User RACFADM with SPECIAL authority alters a
user's values for allowable shared and nonshared memory allocation. |
Known |
User RACFADM has SPECIAL authority. |
Command |
ALTUSER OMVSUSER OMVS(SHMEMMAX(5M) MEMLIMIT(1G)) |
Defaults |
None. |
Output |
See Figure 1 |
Figure 1. Output for ALTUSER command for OMVS segment
LU OMVSUSER OMVS NORACF
USER=OMVSUSER
OMVS INFORMATION
----------------
UID= 0000000005
CPUTIMEMAX= NONE
ASSIZEMAX= NONE
FILEPROCMAX= NONE
PROCUSERMAX= NONE
THREADSMAX= NONE
MMAPAREAMAX= NONE
MEMLIMIT= 1G
SHMEMMAX= 5M
|