DELUSER (Delete user profile)

Purpose

Use the DELUSER command to delete a user from RACF®.

This command removes the user's profile and all user-to-group connections for the user. (The connect profiles define the user's connections to various RACF groups.)

There are, however, other places in the RACF database where the user's user ID might appear, and the DELUSER command does not delete the user ID from all of these places. Specifically, the user could be the owner of a group, the owner of another user's profile, the owner of a group data set, or on the access list of any resource. After DELUSER those entries remain and refer to a user ID that no longer exists; if a user ID with the same name is later added, it inherits them. Before issuing DELUSER, you must first issue the REMOVE command to assign new owners for any group data sets the user owns in groups other than the user's default group. You can use the RACF remove ID utility (IRRRID00) to find and remove all of the occurrences of a user ID. For information on using the RACF remove ID utility, see z/OS® Security Server RACF Security Administrator's Guide.

You can use the DELUSER command to delete a TSO user from the RACF database. However, you have no way of knowing if the TSO user is logged on to TSO at the time you issue the DELUSER command. As a result, if the user is logged on to TSO, the user remains active until logging off. Therefore, you might consider having the console operator examine any logons (or jobs) that are active for the TSO user and cancel those that should not be allowed to continue.

The DELUSER command supports digital certificates. If the command issuer is authorized to delete the user profile, and the DELUSER command processor has decided that the user profile can be deleted, the profiles in the DIGTCERT, DIGTRING, or DIGTNMAP classes that describe certificates, private key information, key rings, or certificate mappings associated with the user profile are also deleted. When determining which certificates to delete, the list of certificates from the user profile is used.

Certificates that are to be deleted as a result of DELUSER processing are removed from any rings they are connected to at the time the DELUSER command is issued. Likewise, rings that are to be deleted as a result of DELUSER processing have all certificates connected to them removed before being deleted. No additional authority checking is done; authority to the IRR.DIGTCERT.function resource is not required.

If DELUSER encounters an error while attempting to delete a DIGTCERT, DIGTRING, or DIGTNMAP profile, the DELUSER command is terminated without attempting to delete the user profile. If the error indicates that the template is downlevel, an error message is issued and the user profile is deleted anyway.

Restrictions:
  • User IDs with mixed-case characters, such as irrcerta, irrsitec, and irrmulti, which are associated with digital certificates, cannot be specified as userid on the DELUSER command, because DELUSER cannot process mixed-case user IDs.
  • Do not issue a DELUSER command for a user ID that has a distributed identity filter (contained in an IDIDMAP profile) associated with it. The command fails with error message ICH04018I. You must first delete the distributed identity filter: issue the RACMAP LISTMAP command for the user ID to examine the name filter and determine its label name, and then issue the RACMAP DELMAP command.
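The distinction this section draws, between what DELUSER removes, what stops it from running (user data sets, user ID associations, distributed identity filters) and what it silently leaves behind (ownership and access-list entries), can be checked before the command is issued. The following Python is an added example, not IBM code and not the IRRRID00 utility: it scans an IRRDBU00-style unload for every record that mentions a user ID and sorts the hits into those three buckets. The record-type codes in its tables are assumptions to verify against the RACF Macros and Interfaces manual, the whitespace tokenising is a simplification of the fixed-column unload format, and the sample records are constructed, not real unload output.

```python
"""Pre-DELUSER reference scan over an IRRDBU00-style unload.

Added example, not IBM code and not IRRRID00. Record-type codes are
assumptions to check against the RACF Macros and Interfaces manual; real
IRRDBU00 records are fixed-column, while this scan tokenises on whitespace,
which is enough to locate an 8-character user ID.
"""

# Assumed record types (columns 1-4) whose subject field is the user ID.
REMOVED_BY_DELUSER = {
    "0200": "user basic data",
    "0203": "user group connection",
    "0205": "user connect data",
    "0207": "user certificate name (goes with the DIGTCERT/DIGTRING cleanup)",
    "0208": "user associated mapping (goes with the DIGTNMAP cleanup)",
}
BLOCKS_DELUSER = {
    "0206": "user RRSF data: delete the user ID association first",
    "0209": "user distributed identity mapping: RACMAP DELMAP first (ICH04018I)",
}
DATASET_RECORDS = {"0400": "data set basic data", "0404": "data set access"}


def mentions(uid, tokens):
    """True if uid is a whole token or a qualifier of one (the HLQ of a
    data set name, or SUBMIT.uid in a SURROGAT profile name)."""
    return any(uid in tok.split(".") for tok in tokens)


def scan_unload(lines, userid):
    """Sort every record that mentions userid into removed/blocks/dangling."""
    uid = userid.upper()
    result = {"removed": [], "blocks": [], "dangling": []}
    for raw in lines:
        line = raw.rstrip("\n")
        fields = line.split()
        if len(fields) < 2:
            continue
        rectype, profile, rest = fields[0], fields[1], fields[1:]
        if rectype in REMOVED_BY_DELUSER and profile == uid:
            result["removed"].append((rectype, REMOVED_BY_DELUSER[rectype], line))
        elif rectype in BLOCKS_DELUSER and profile == uid:
            result["blocks"].append((rectype, BLOCKS_DELUSER[rectype], line))
        elif rectype in DATASET_RECORDS and profile.split(".")[0] == uid:
            # Data set profile under the user's HLQ: DELUSER refuses while it exists.
            result["blocks"].append(
                (rectype, "user data set profile (%s)" % DATASET_RECORDS[rectype], line))
        elif mentions(uid, rest):
            # Owner field, access-list entry or resource name: DELUSER leaves it.
            result["dangling"].append(
                (rectype, "owner / access list / resource name reference", line))
    return result


def ready_for_deluser(result):
    """DELUSER can run once nothing blocks it; dangling references still
    need ALTGROUP/ALTUSER/ALTDSD OWNER(...) or PERMIT ... DELETE afterwards."""
    return not result["blocks"]


def report(result):
    """Plain-text summary, worst first."""
    headings = (
        ("blocks", "Must be cleared before DELUSER will run"),
        ("dangling", "Left behind by DELUSER (reassign owner or PERMIT ... DELETE)"),
        ("removed", "Removed by DELUSER itself"),
    )
    out = []
    for key, heading in headings:
        out.append("%s: %d" % (heading, len(result[key])))
        out.extend("  %s %s: %s" % (rt, desc, line) for rt, desc, line in result[key])
    return "\n".join(out)


# Constructed sample, not real unload output; field positions are illustrative.
SAMPLE_UNLOAD = """\
0100 PAYROLL        WJE10  2019-01-15
0100 ACCTS          AEH0   2020-06-01
0200 AEH0           WJE10  2020-03-02 PAYROLL
0200 JDOE1          AEH0   2021-09-09 ACCTS
0203 AEH0           PAYROLL WJE10
0203 AEH0           ACCTS   WJE10
0206 AEH0           NODE2.AEH0 MANAGED
0400 AEH0.TEST.DATA AEH0   NONE
0404 AEH0.TEST.DATA WJE10  ALTER
0400 PAYROLL.MASTER AEH0   NONE
0404 PAYROLL.MASTER AEH0   UPDATE
0500 SURROGAT  SUBMIT.AEH0    SYS1  NONE
0505 FACILITY  BPX.SUPERUSER  AEH0  READ
0505 FACILITY  BPX.SUPERUSER  JDOE1 READ
""".splitlines()

if __name__ == "__main__":
    print(report(scan_unload(SAMPLE_UNLOAD, "AEH0")))
```

On the constructed sample the scan reports three blocking records (the RRSF association and the two profiles under AEH0's HLQ), six dangling references (AEH0 owning group ACCTS and user JDOE1, owning and sitting on the access list of PAYROLL.MASTER, the SURROGAT profile named after it, and its FACILITY access-list entry) and three records DELUSER removes itself. Only the first bucket stops the command; the second is what the REMOVE and IRRRID00 guidance above is for.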

Issuing options

The following table identifies the eligible options for issuing the DELUSER command:

Issuing option                         Eligible?
As a RACF TSO command?                 Yes
As a RACF operator command?            Yes
With command direction?                Yes
With automatic command direction?      Yes
From the RACF parameter library?       Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.

To use the DELUSER command, at least one of the following must be true:
  • You must have the SPECIAL attribute.
  • The user profile to be deleted must be within the scope of a group in which you have the group-SPECIAL attribute.
  • You must be the owner of the user's profile.
Note: JOIN authority in the user's default group is not sufficient authority to delete the user from RACF.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DELUSER command is:

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS™ command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

userid
Specifies the user ID of the user whose profile is to be deleted from the RACF database. If you are deleting more than one user, you must enclose the list of user IDs in parentheses. You must enter at least one user ID. For each user ID you enter, the following conditions must exist:
  • The user must be defined to RACF.
  • The user must not have any user data sets defined to RACF. (User data sets are data sets whose names are qualified by the user ID of the user being deleted or begin with the value supplied by an installation exit.)
  • The user cannot have any user ID associations defined. User ID associations for a user must be deleted before the user can be deleted.
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid ...)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid ...)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

Examples

Example 1
  Operation: User WJE10 wants to delete user AEH0 from RACF.
  Known:     User AEH0 is defined to RACF.
             User AEH0 is not the owner of any RACF profiles.
             User WJE10 is connected to group PAYROLL (and is the owner of user AEH0) with the group-SPECIAL attribute.
             User WJE10 wants to issue the command as a RACF TSO command.
  Command:   DELUSER AEH0
  Defaults:  None.

Example 2
  Operation: User SPB1 wants to delete user CA00 from RACF.
  Known:     User CA00 is defined to RACF.
             User CA00 is not the owner of any RACF profiles.
             User SPB1 is connected to group PAYROLL (and is the owner of user CA00) with the group-SPECIAL attribute.
             User SPB1 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
  Command:   @DELUSER CA00
  Defaults:  None.