Using the RACONVRT command

To convert from the UADS to the RACF® data base, use the RACONVRT command. Options provided on the RACONVRT command allow you to convert all or some user IDs from the UADS to the RACF data base. To convert all user information, specify the ALL operand. If you do not want to convert all users to the RACF data base, use the INCLUDE or EXCLUDE operands. Use the INCLUDE operand to convert specific user IDs; use EXCLUDE to indicate those user IDs that you do not want converted to the RACF data base.

To convert a very large number of users it is suggested to issue several RACONVRT commands and to subdivide the users into groups by means of the INCLUDE/ EXCLUDE operands.

During the conversion process, RACONVRT does not migrate the TSO/E command that was specified on the previous logon. Therefore, the command field in the logon panel contains no data the first time the user logs on after the conversion is complete. If the user specifies a command in the TSO/E command field on the logon panel, TSO/E saves that command for the next logon, if the logoff is successful. For information about the syntax of the RACONVRT command, see z/OS TSO/E System Programming Command Reference.

If a user ID has not logged on and off since changes were made to its SYS1.UADS entry, RACONVRT will not include an account number or procedure in the ADDUSER or ALTUSER command for that user ID. When a user ID logs off, the default account number and procedure are saved in SYS1.UADS. RACONVRT uses these defaults when creating the ADDUSER or ALTUSER command to add the user ID to RACF. If the user ID has not logged on and off since changes were made to SYS1.UADS, then defaults do not exist for the user ID in SYS1.UADS. This causes RACONVRT to create an ADDUSER or ALTUSER command without the ACCT or PROC operands.

RACONVRT generates the RACF commands needed to update or create RACF user profiles, and places these commands into members of a partitioned data set. This data set, ‘prefix.IKJ.RACONVRT.CLIST’, contains the commands necessary to convert to the RACF data base. RACONVRT creates, but does not execute the RACF commands; therefore, you can edit and change the data set's members to customize the conversion process before issuing the RACF commands.

Table 1 describes the members of the partitioned data set generated by the RACONVRT command.

Table 1. Members created by RACONVRT
Member Contents
ADDUSER Commands to:
  • Define users to RACF and define a TSO segment within each newly created profile
  • Create a data set generic profile for each new RACF profile to provide data set security
ALTUSER Commands to define a TSO segment within existing RACF user profiles.
DEFAUTH Commands to define each of the TSO/E authorities (OPER for OPERATOR, ACCT for ACCOUNT, JCL, MOUNT and RECOVER) as RACF resources and give users authority to access these resources.
DEFPROC Commands to define logon procedures as RACF resources and give users authority to access these resources.
DEFACCT Commands to define account numbers as RACF resources and give users authority to access these resources.
DEFPERF Commands to define performance groups as RACF resources and give users authority to access these resources.
RUN Commands to invoke the other members in the proper order to complete the conversion to the RACF data base. This member contains commands to execute only the members created or updated by the latest execution of RACONVRT.
To issue the RACF commands, do the following:
  1. Issue the SETROPTS command with the CLASSACT operand to activate the new RACF resource classes. The format of the command is as follows: 
    SETROPTS CLASSACT(TSOPROC ACCTNUM PERFGRP TSOAUTH)
  2. Execute the RUN member of the CLIST data set to issue the RACF commands generated by RACONVRT.
  3. Issue the RACF SETROPTS command with the RACLIST operand for the new TSO/E resource classes. Issuing this command for the resource classes brings the resource profiles into storage and performs the following functions:
    • Having the profiles in storage eliminates the need to perform I/O on the RACF data base when checking access to resources in the TSO/E classes.
    • When the profile for the ACCTNUM class is in storage, TSO/E LOGON processing can determine whether a user, who is defined to TSO/E in the RACF data base, is authorized to use account numbers. If a user is not authorized to use account numbers, the user is allowed to log on without specifying an account number.
    • If you change any user information within the resource classes, issue SETROPTS RACLIST(classname…) REFRESH to make the changes active.
      Note: If this step is not performed, TSO/E will be unable to determine certain user information such as the default logon procedure and the default account number during logon. TSO/E may prompt users for this information.