RALTER (Alter general resource profile)
Purpose
- Alter the profile for one or more resources belonging to classes defined in the class descriptor table. Using RALTER to modify an automatic TAPEVOL profile (a profile RACF® creates automatically as part of protecting a tape data set) makes that TAPEVOL profile nonautomatic. For more information about TAPEVOL profiles, see z/OS Security Server RACF Security Administrator's Guide.
- Change the global access checking table
- Change the attributes of classes in the dynamic class descriptor table
- Change the list of security categories
- Change the list of security levels
- The security administrator issues the SETROPTS command:
  SETROPTS GENERIC(class-name) REFRESH
  See the SETROPTS command for authorization requirements.
- The user of the resource logs off and logs on again.
SETROPTS RACLIST(class-name) REFRESH
- When the RALTER command is issued from ISPF, the TSO command buffer (including SESSKEY, SSIGNON, and possible BINDPW password data) is written to the ISPLOG data set. As a result, you should not issue this command from ISPF or you must control the ISPLOG data set carefully.
- When the command is issued as a RACF operator command, the command (including SESSKEY, SSIGNON, and possible BINDPW password data) is written to the system log. Therefore, if any of the sensitive operands are used the command should be issued through TSO, not as an operator command.
Issuing options
The following table identifies the eligible options for issuing the RALTER command:
| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To define a general resource profile, see RDEFINE (Define general resource profile).
- To list a general resource profile, see RLIST (List general resource profile).
- To permit or deny access to a general resource profile, see PERMIT (Maintain resource access lists).
- To obtain a list of general resource profiles, see SEARCH (Search RACF database).
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.
- You have the SPECIAL attribute.
- The resource profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You are the owner of the profile.
- To assign a security label, you must have the SPECIAL attribute or have READ access to the security label profile. However, the security administrator can limit the ability to assign security labels to only users with the SPECIAL attribute.
- To assign a security category to a profile, you must have the SPECIAL attribute, or the category must be in your user profile.
- To assign a security level to a profile, you must have the SPECIAL attribute, or, in your own profile, a security level that is equal to or greater than the security level you are assigning.
- Only a SPECIAL user can define a delegated resource (by specifying the RACF-DELEGATED string in the APPLDATA of the profile protecting the resource) when the resource has a SECLABEL and SETROPTS SECLABELCONTROL is in effect.
- To modify information in segments other than the base segment, such as DLFDATA, you must have the SPECIAL attribute or your installation must permit you to do so through field-level access checking.
- For a discrete profile, you have ALTER authority.1
To use the GLOBALAUDIT operand, you must have the AUDITOR attribute, or the profile must be within the scope of a group in which you have the group-AUDITOR attribute.
If you have the AUDITOR attribute or the resource profile is within the scope of a group in which you have the group-AUDITOR attribute, but you do not satisfy one of the preceding checks, you can specify only the GLOBALAUDIT operand.
- ADDMEM
- DELMEM
- ADDVOL
- GLOBALAUDIT
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RALTER command is:
[subsystem-prefix]{RALTER | RALT}
    class-name
    (profile-name ...)
    [ ADDCATEGORY(category-name ...) | DELCATEGORY [ ({category-name ... | * }) ] ]
    [ {ADDMEM | DELMEM} (member ...) ]
    [ {ADDVOL | DELVOL} (volume-serial ...) ]
    [ APPLDATA ('application-data') | NOAPPLDATA ]
    [ AT([node].userid ...) | ONLYAT([node].userid ...) ]
    [ AUDIT( access-attempt [(audit-access-level)] ...) ]
    [ CDTINFO( [ CASE ( UPPER | ASIS ) | NOCASE ] [ DEFAULTRC ( 0 | 4 | 8 ) | NODEFAULTRC ] [ DEFAULTUACC (ACEE | ALTER | CONTROL | UPDATE | READ | NONE) | NODEFAULTUACC ] [ FIRST ( characters-allowed ... ) | NOFIRST ] [ GENERIC ( ALLOWED | DISALLOWED ) | NOGENERIC ] [ GENLIST ( ALLOWED | DISALLOWED ) | NOGENLIST ] [ GROUP ( grouping-class-name ) | NOGROUP ] [ KEYQUALIFIERS ( nnn ) | NOKEYQUALIFIERS ] [ MACPROCESSING ( NORMAL | REVERSE | EQUAL ) | NOMACPROCESSING ] [ MAXLENGTH ( nnn ) | NOMAXLENGTH ] [ MAXLENX ( nnn ) | NOMAXLENX ] [ MEMBER ( member-class-name ) | NOMEMBER ] [ OPERATIONS ( YES | NO ) | NOOPERATIONS ] [ OTHER ( characters-allowed ...) | NOOTHER ] [ POSIT ( nnn ) | NOPOSIT ] [ PROFILESALLOWED ( YES | NO ) | NOPROFILESALLOWED ] [ RACLIST ( ALLOWED | DISALLOWED | REQUIRED ) | NORACLIST ] [ SECLABELSREQUIRED ( YES | NO ) | NOSECLABELSREQUIRED ] [ SIGNAL ( YES | NO ) | NOSIGNAL ] ) | NOCDTINFO ]
    [ CFDEF( [ ACEE( YES | NO ) ] [ FIRST( ALPHA | ALPHANUM | ANY | NONATABC | NONATNUM | NUMERIC ) ] [ HELP( help-text ) ] [ LISTHEAD( list-heading-text ) ] [ MAXLENGTH( maximum-field-length ) ] [ MAXVALUE( maximum-numeric-value ) | NOMAXVALUE ] [ MINVALUE( minimum-numeric-value ) | NOMINVALUE ] [ MIXED( YES | NO ) ] [ OTHER( ALPHA | ALPHANUM | ANY | NONATABC | NONATNUM | NUMERIC ) ] [ VALREXX( REXX-exec-name ) ] ) | NOCFDEF ]
    [ CSDATA( [ custom-field-name(custom-field-value) | NOcustom-field-name ] ... ) | NOCSDATA ]
    [ DATA ('installation-defined-data') | NODATA ]
    [ DLFDATA( [ RETAIN ( YES | NO ) | NORETAIN ] [ JOBNAMES(jobname1 ...) | NOJOBNAMES | ADDJOBNAMES(jobname1 ...) | DELJOBNAMES(jobname1 ...) ] ) | NODLFDATA ]
    [ EIM( [ DOMAINDN (eim_domain_dn) | NODOMAINDN ] [ OPTIONS (ENABLE | DISABLE) | NOOPTIONS ] [ LOCALREGISTRY (registry_name) | NOLOCALREGISTRY ] [ KERBREGISTRY (registry_name) | NOKERBREGISTRY ] [ X509REGISTRY (registry_name) | NOX509REGISTRY ] ) | NOEIM ]
    [ GLOBALAUDIT (access-attempt[(audit-access-level)] ...) ]
    [ ICSF( [ ASYMUSAGE( [ HANDSHAKE | NOHANDSHAKE ] [ SECUREEXPORT | NOSECUREEXPORT ] ) | NOASYMUSAGE ] [ SYMEXPORTABLE(BYANY | BYLIST | BYNONE) | NOSYMEXPORTABLE ] [ SYMEXPORTCERTS([qualifier]/label-name ... | *) | ADDSYMEXPORTCERTS([qualifier]/label-name ... | *) | DELSYMEXPORTCERTS([qualifier]/label-name ... | *) | NOSYMEXPORTCERTS ] [ SYMEXPORTKEYS(ICSF-key-label ... | *) | ADDSYMEXPORTKEYS(ICSF-key-label ... | *) | DELSYMEXPORTKEYS(ICSF-key-label ... | *) | NOSYMEXPORTKEYS ] [ SYMCPACFWRAP ( YES | NO ) ] [ SYMCPACFRET ( YES | NO ) ] ) | NOICSF ]
    [ ICTX( [ USEMAP( YES | NO ) | NOUSEMAP ] [ DOMAP( YES | NO ) | NODOMAP ] [ MAPREQUIRED( YES | NO ) | NOMAPREQUIRED ] [ MAPPINGTIMEOUT(nnnn) | NOMAPPINGTIMEOUT ] ) | NOICTX ]
    [ IDTPARMS( [ SIGTOKEN(pkcs11-token-name ) | NOSIGTOKEN ] [ SIGSEQNUM( pkcs11-sequence-number ) | NOSIGSEQNUM ] [ SIGCAT( pkcs11-category ) | NOSIGCAT ] [ SIGALG( HS256 | HS384 | HS512) | NOSIGALG ] [ ANYAPPL(YES | NO) ] [ IDTTIMEOUT( timeout-minutes ) | NOIDTTIMEOUT ] [ PROTALLOWED ( YES | NO ) ] ) | NOIDTPARMS ]
    [ JES( [ KEYLABEL(key-label) | NOKEYLABEL ] ) | NOJES ]
    [ KERB( [ CHECKADDRS( YES | NO ) | NOCHECKADDRS ] [ DEFTKTLFE(def-ticket-life) | NODEFTKTLFE ] [ ENCRYPT( [ DES | NODES ] [ DES3 | NODES3 ] [ DESD | NODESD ] [ AES128 | NOAES128 ] [ AES256 | NOAES256 ] [ AES128SHA2 | NOAES128SHA2 ] [ AES256SHA2 | NOAES256SHA2 ] ) | NOENCRYPT ] [ KERBNAME(kerberos-realm-name) | NOKERBNAME ] [ MAXTKTLFE(max-ticket-life) | NOMAXTKTLFE ] [ MINTKTLFE(min-ticket-life) | NOMINTKTLFE ] [ PASSWORD(kerberos-password) | NOPASSWORD ] ) | NOKERB ]
    [ LEVEL (nn) ]
    [ MFA | NOMFA ]
    [ MFPOLICY( [ FACTORS(factor-name ...) | ADDFACTORS(factor-name ...) | DELFACTORS(factor-name ...) | NOFACTORS] [ TOKENTIMEOUT(timeout-seconds)] [ REUSE(YES|NO)] ) | NOMFPOLICY ]
    [ NOTIFY [(userid)] | NONOTIFY ]
    [ OWNER (userid or group-name) ]
    [ PROXY( [ LDAPHOST (ldap_url) | NOLDAPHOST ] [ BINDDN (bind_distinguished_name) | NOBINDDN ] [ BINDPW (bind_password) | NOBINDPW ] ) | NOPROXY ]
    [ SECLABEL (seclabel-name) | NOSECLABEL ]
    [ SECLEVEL (seclevel-name) | NOSECLEVEL ]
    [ SESSION( [ CONVSEC( NONE | CONV | ALREADYV | PERSISTV | AVPV ) | NOCONVSEC ] [ INTERVAL(n) | NOINTERVAL ] [ LOCK | NOLOCK ] [ SESSKEY(session-key) | NOSESSKEY ] ) | NOSESSION ]
    [ SIGVER( [ SIGREQUIRED( YES | NO ) | NOSIGREQUIRED ] [ FAILLOAD( ANYBAD | BADSIGONLY | NEVER ) | NOFAILLOAD ] [ SIGAUDIT( ALL | SUCCESS | ANYBAD | BADSIGONLY | NONE ) | NOSIGAUDIT ] ) | NOSIGVER ]
    [ SINGLEDSN | NOSINGLEDSN ]
    [ SSIGNON( [ KEYMASKED(legacy-passticket-key-value) | KEYENCRYPTED(legacy-passticket-key-value) | ENCRYPTKEY | KEYLABEL(legacy-passticket-label-value) | NOLEGACYKEY ] [ EPTKEYLABEL(enhanced-passticket-label-value) | NOEPTKEYLABEL ] [ TYPE(UPPER | MIXED) | NOTYPE ] [ TIMEOUT(timeout-seconds) | NOTIMEOUT ] [ REPLAY(YES | NO) ] ) | NOSSIGNON ]
    [ STDATA( [ USER(userid | =MEMBER) | NOUSER ] [ GROUP(group-name | =MEMBER) | NOGROUP ] [ PRIVILEGED( YES | NO ) | NOPRIVILEGED ] [ TRACE( YES | NO ) | NOTRACE ] [ TRUSTED( YES | NO ) | NOTRUSTED ] ) | NOSTDATA ]
    [ SVFMR( [ SCRIPTNAME(script-name) | NOSCRIPTNAME ] [ PARMNAME(parm-name) | NOPARMNAME ] ) | NOSVFMR ]
    [ TIMEZONE( {E | W} hh [.mm]) | NOTIMEZONE ]
    [ TME( [ CHILDREN(profile-name ...) | ADDCHILDREN(profile-name ...) | DELCHILDREN(profile-name ...) | NOCHILDREN ] [ GROUPS(group-name ...) | ADDGROUPS(group-name ...) | DELGROUPS(group-name ...) | NOGROUPS ] [ PARENT(profile-name) | NOPARENT ] [ RESOURCE(resource-access-specification ...) | ADDRESOURCE(resource-access-specification ...) | DELRESOURCE(resource-access-specification ...) | NORESOURCE ] [ ROLES(role-access-specification ...) | ADDROLES(role-access-specification ...) | DELROLES(role-access-specification ...) | NOROLES ] ) | NOTME ]
    [ TVTOC | NOTVTOC ]
    [ UACC(access authority) ]
    [ WARNING | NOWARNING ]
    [ WHEN( [ DAYS(day-info)] [ TIME(time-info) ]) ]
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem
prefix can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS™ command D OPDATA to display it or you can contact your RACF security
administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- class-name
- Specifies the name of the class to which the resource belongs. Valid
class names are those defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table
supplied by IBM®, see Supplied RACF resource classes.
This operand is required and must be the first operand following RALTER.
This command is not intended to be used for profiles in the following classes:
- DCEUUIDS
- DIGTCERT
- DIGTNMAP
- DIGTRING
- IDIDMAP
- NDSLINK
- NOTELINK
- ROLE
- UNIXMAP
- (profile-name ...)
- Specifies
the name of the profile you want to change. The name you specify must
be the name of an existing discrete or generic profile in the specified
class. RACF uses the class
descriptor table to determine the syntax of resource names within
the class and whether the resource is a group.
Mixed-case profile names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).
This operand is required and must be the second operand following RALTER.
Note:
- For class TAPEVOL, if the volume serial specified for profile-name is a member of a tape volume set, then the profile definition for all tapes in the set is changed, because there is only one profile for the tape volume set.
A tape volume set is used to refer to a set of two or more tapes created by the overflow of one tape to the next. RACF protects these tapes with one profile. Hence, if the value specified for profile-name on this command is a member of a tape volume set, the changes in its resource profile affect the other members of the set.
- You can specify only a single volume serial number if you also specify the ADDVOL or DELVOL operand.
- To define a controlled program, you must specify class-name as PROGRAM and also specify ADDMEM or DELMEM. Also, you can specify only one profile-name.
- If you specify class-name as PROGRAM, profile-name must identify one or more load modules or program objects. If you specify the full name of the program, the profile applies only to load modules or program objects with that specific name. If you specify the last character of the name as an asterisk (*), the profile applies to all load modules or program objects that match the preceding part of the name, but only if they reside in one of the libraries listed in the profile's member list. For example, IKF* identifies all load module names that begin with IKF. If you specify profile-name as * or **, then the profile applies to all load modules and program objects that reside in one of the libraries you identify in the profile's member list, unless a profile with a more specific name and matching library applies.
- For z/OS® Integrated Security Services Network Authentication Service, the profile name for the definition of the local realm must be KERBDFLT.
- RACF processes each profile name you specify independently, and all operands you specify apply to each named profile name. If an error occurs while processing a profile name, RACF issues a message and continues processing with the next profile name.
- ADDCATEGORY | DELCATEGORY
- ADDCATEGORY(category-name ...)
- Specifies one or more names of
installation-defined security categories. The category-name you specify
must be defined as members of the CATEGORY profile in the SECDATA class. (For information on
defining security categories, see z/OS Security Server RACF Security Administrator's Guide.)
Specifying ADDCATEGORY causes RACF to add any category-name values you specify to any list of required categories that already exists in the resource profile. All users previously allowed to access the resource can continue to do so only if their profiles also include the additional values for category-name.
When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a resource, RACF compares the list of security categories in the user profile with the list of security categories in the resource profile. If RACF finds any security category in the resource profile that is not in the user's profile, RACF denies access to the resource. If the user's profile contains all the required security categories, RACF continues with other authorization checking.
Note:
- RACF does not perform security category checking for a started task with the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class. Also, RACF does not enforce security category information specified on profiles in the PROGRAM class.
- If you specify both ADDCATEGORY and DELCATEGORY, RACF uses the last operand that you specify.
- DELCATEGORY[(category-name ... | *)]
- Specifies one or more names of installation-defined security categories you want to delete from the resource profile. Specifying an asterisk (*) deletes all categories; RACF no longer performs security category checking for the resource. Specifying DELCATEGORY by itself causes RACF to delete from the profile only undefined category names (those category names that were once known to RACF but that the installation has since deleted from the CATEGORY profile).
Note: If you specify both ADDCATEGORY and DELCATEGORY, RACF uses the last operand that you specify.
- ADDMEM | DELMEM
- Specifies the resource names that RACF is
to add to, or delete from, the member list of the resource group profile
indicated by profile-name.
- ADDMEM(member ...)
- You can use the ADDMEM operand to perform tasks such as altering security categories and security levels, entries in the global access checking table, and entries for program control, or to implement security labels on a system basis, as described in the following sections.
If you specify ADDMEM to add one or more members to an existing profile, the new members are stored in the profile in the reverse of the order in which you specified them with the ADDMEM operand of the RALTER command. Additionally, if the existing profile already contains members, the new members are stored ahead of the existing members. For example, if you specify ADDMEM(C D) with the RALTER command to add members to an existing profile that already contains the members A B, the resulting member list stored in the profile is D C A B.
Mixed-case member names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS). When class-name is GLOBAL and profile-name is the name of a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS), the name part of a member entry in the GLOBAL access table is preserved as entered.
For ADDMEM with the GLOBAL DATASET class, no characters, including generic characters such as the asterisk (*) and the percent sign (%), can be combined with the value &RACUID to form a single qualifier level of the member name. This restriction does not exist for ADDMEM with classes other than GLOBAL DATASET.
For ADDMEM with the RACFVARS class, the following rules apply:
- Do not specify generic characters, such as the ampersand (&), the asterisk (*) and the percent sign (%), in a member name.
- Issue the SETROPTS RACLIST(RACFVARS) REFRESH command to activate your member change.
- If your member change affects profiles in a class with in-storage profiles processed by RACLIST or GENLIST, you must also refresh that class to activate your change.
For important guidelines, see How RACF uses the RACFVARS member list in z/OS Security Server RACF Security Administrator's Guide.
To add members using the RALTER command, you need one of the following authorities, in addition to the authority needed to issue the RALTER command:
- For classes other than SECLABEL, PROGRAM, SECDATA, GLOBAL, RACFVARS, and NODES, if the member resources are already RACF-protected by a member class profile or as a member of a profile in the same grouping class, one of the following must be true:
- You have ALTER access authority to the member.2
- You are the owner of the member resource.
- The member resource is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the SPECIAL attribute.
- For classes other than SECLABEL, PROGRAM, SECDATA, GLOBAL, RACFVARS, and NODES, if the member resources are not RACF-protected (that is, there is no profile defined for that member), one of the following must be true:
- You have CLAUTH authority to define resources in the member resource class.
- You have the SPECIAL attribute.
- To add a member to a profile in the RACFVARS or NODES class, one of the following must be true:
- You have CLAUTH authority to define resources in the specified class (for example, RACFVARS or NODES).
- You have the SPECIAL attribute.
- You are the owner of the profile indicated by profile-name.
- You have ALTER access authority to the profile indicated by profile-name.3
- To add a member to a profile in the PROGRAM or SECDATA class, one of the following must be true:
- You have CLAUTH authority to define resources in the specified class (for example, PROGRAM or SECDATA).
- You have the SPECIAL attribute.
- To add a member to a profile in the GLOBAL class (other than the GLOBAL DATASET, GLOBAL DIRECTRY, or GLOBAL FILE profile) using the following syntax:
RALT GLOBAL class-name ADDMEM(resource-name/access-level)
- If the profile resource-name is already RACF-protected by a profile in class class-name:
- You have ALTER access authority to the profile resource-name in class class-name.
- You are the OWNER of the profile resource-name.
- The profile resource-name in class class-name is within the scope of a group in which you have the group-special attribute.
- You have the SPECIAL attribute.
- If the profile resource-name is not already RACF-protected (that is, there is no profile defined for that member in class class-name):
- You have CLAUTH authority to define resources in the class class-name.
- You have the SPECIAL attribute.
- To add a member to the GLOBAL DATASET profile, one of the following must be true:
- You are the owner of the DATASET profile in the GLOBAL class.
- The member is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the SPECIAL attribute.
- To add a member to the GLOBAL DIRECTRY or GLOBAL FILE profile, you must have the SPECIAL attribute.
For more information on the format of member names in general, and for specific classes (SECLABEL, GLOBAL, NODES, PROGRAM, SECDATA), see "Specifying member on the ADDMEM operand" under the ADDMEM parameter of the RDEFINE command.
Note: If you specify both ADDMEM and DELMEM, RACF uses the last operand that you specify.
- DELMEM(member ...)
- Specifies the resource names that are to be deleted
from the resource group indicated by profile-name. This operand is ignored
when the class name specified is not a resource group class.
If class-name is specified as GLOBAL the rules for member are the same as given for ADDMEM. If class-name is specified as SECDATA, member should be a valid SECLEVEL name or category name.
Mixed-case member names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS). When class-name is GLOBAL and profile-name is the name of a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS), the name part of a member entry in the GLOBAL access table is preserved as entered.
For DELMEM with the RACFVARS class, the following rules apply:
- Issue the SETROPTS RACLIST(RACFVARS) REFRESH command to activate your member change.
- If your member change affects profiles in a class with in-storage profiles processed by RACLIST or GENLIST, you must also refresh that class to activate your change.
For important guidelines, see How RACF uses the RACFVARS member list in z/OS Security Server RACF Security Administrator's Guide.
Note: If you specify both ADDMEM and DELMEM, RACF uses the last operand that you specify.
- ADDVOL | DELVOL
- ADDVOL(volume-serial ...)
- Specifies the tape volume serial numbers
to be added to the tape volume set represented by profile-name.
When you specify ADDVOL, profile-name must
be a single volume serial number, which can identify any of the volumes
currently defined in the volume set.
To use the ADDVOL operand, you must have the SPECIAL attribute, or you must have the CLAUTH attribute for the TAPEVOL resource class in addition to the other authorization requirements for using the RALTER command.
If you specify a generic profile, RACF ignores this operand.
Note:
- The ADDVOL operand is only valid for the TAPEVOL resource class.
- If you specify both ADDVOL and DELVOL, RACF uses the last operand that you specify.
- DELVOL(volume-serial ...)
- Specifies the
tape volume serial numbers to be deleted from the tape volume set
represented by profile-name. When you specify
DELVOL, profile-name must be a single volume
serial number, which can identify any of the volumes currently defined
in the volume set except one of the volumes to be deleted. If you
specify the same volume serial number for both profile-name and
DELVOL, RACF ignores it.
If you try to delete a tape volume when the TAPEVOL profile contains one or more TVTOC entries, RACF does not complete the command if a TVTOC entry indicates that there is a protected data set on the volume. To delete this volume, you must first use the DELDSD command to delete any protected data sets on the volume.
If you specify a generic profile, RACF ignores this operand.
Note:
- The DELVOL operand is only valid for the TAPEVOL resource class.
- If you specify both ADDVOL and DELVOL, RACF uses the last operand that you specify.
- APPLDATA | NOAPPLDATA
- APPLDATA('application-data')
- Specifies a text string that is associated with each of the named
resources. The text string can contain a maximum of 255 characters and must be enclosed in single
quotation marks. It can also contain double-byte character set (DBCS) data.
Rules:
- For profiles in the PROGRAM class, RACF examines the APPLDATA (if any) and performs special processing if you have specified MAIN or BASIC (optionally followed by blanks). This processing occurs only for profiles whose names do not end in *, and only when you have enabled enhanced PGMSECURITY mode. For details of this processing, see z/OS Security Server RACF Security Administrator's Guide.
- For the FACILITY class, RACF examines the APPLDATA value of the following profiles:
- BPX.UNIQUE.USER
The APPLDATA value specifies the name of a user profile from which RACF can copy OMVS segment information (other than UID) when assigning unique UIDs through a callable service.
- BPX.DEFAULT.USER
The APPLDATA value specifies a user ID and group name from which RACF can retrieve default OMVS segment information. Beginning with z/OS Version 1 Release 11, the BPX.DEFAULT.USER profile is ignored when the BPX.UNIQUE.USER profile is defined. Beginning with z/OS Version 2 Release 1, the BPX.DEFAULT.USER profile is no longer supported.
- BPX.NEXT.USER
The APPLDATA value specifies information that RACF will use for the automatic assignment of OMVS UIDs and GIDs.
- IRR.PGMSECURITY
The APPLDATA value specifies whether RACF will operate in basic, enhanced, or enhanced-warning PGMSECURITY mode.
- If the APPLDATA value contains the string ENHANCED, then RACF will run in enhanced PGMSECURITY mode.
- If the APPLDATA value contains the string BASIC, then RACF will run in basic PGMSECURITY mode.
- If the APPLDATA is empty or contains any other value, RACF will run in enhanced PGMSECURITY mode but in warning mode rather than failure mode.
- IRR.PROGRAM.SIGNING.group.userid
- IRR.PROGRAM.SIGNING.userid
- IRR.PROGRAM.SIGNING.group
- IRR.PROGRAM.SIGNING
For any of the IRR.PROGRAM.SIGNING profiles, the APPLDATA value specifies the signing hash algorithm, and the SAF key ring to use when signing a program.
- IRR.PROGRAM.SIGNATURE.VERIFICATION
The APPLDATA value specifies the SAF key ring to use when verifying the signature of a signed program.
- IRR.IDIDMAP.PROFILE.CODEPAGE
The APPLDATA value specifies the code page which is to be used when processing the USERDIDFILTER NAME and REGISTRY values with the RACMAP command. The code page is specified in the form:
APPLDATA(CCSID(nnnnn))
The valid values for the code page nnnnn are:
- 00037: EBCDIC US 037
- 00870: EBCDIC LATIN 2
- 00875: EBCDIC GREEK
- 00924: EBCDIC US 1047 with the Euro sign
- 01047: EBCDIC US 1047
- 01140: EBCDIC US 037 with the Euro sign
- 01153: EBCDIC LATIN 2 with the Euro sign #2
- 04971: EBCDIC GREEK with the Euro sign
Note:
- If the IRR.IDIDMAP.PROFILE.CODEPAGE profile does not exist, then RACF uses code page IBM-1047.
- If the IRR.IDIDMAP.PROFILE.CODEPAGE profile does exist, but contains no APPLDATA or the APPLDATA references a code page other than one of the supported code pages, then RACF uses code page IBM-1047.
- For the TIMS and GIMS class, specify application-data as REVERIFY to force the user to reenter his password whenever the transaction or transactions listed in the profile-name or ADDMEM operands are used.
- For the PTKTDATA class, the application-data field can be used to control the replay protection function of legacy PassTicket support. This setting applies only to legacy PassTickets and does not control the replay behavior of enhanced PassTickets.
- PassTicket replay protection prevents a user ID from being shared among multiple users. However, in some situations it is desirable to bypass this replay protection function.
- Specifying no replay protection in the application-data field indicates that replay protection is to be bypassed. For example, the following command would result in replay protection being bypassed:
RALTER PTKTDATA profile-name APPLDATA('NO REPLAY PROTECTION')
Note the following:
- There must be a single space between the words no and replay, and between replay and protection. Lack of spaces or additional spaces or characters will make the command ineffective. For example, entering the following command would not result in replay protection being bypassed:
RALTER PTKTDATA profile-name APPLDATA('NOREPLAY PROTECTION')
- The text string no replay protection will always be translated to uppercase.
- The text string no replay protection can appear anywhere in the APPLDATA field.
- See z/OS Security Server RACF Security Administrator's Guide for more information on the PassTicket function.
- For the APPL class, when the APPLDATA value contains the RACF-INITSTATS(DAILY) string, RACF records statistics only for the first user verification of the day for the applications protected by this profile. The RACF-INITSTATS(DAILY) string is reserved text and may appear anywhere in the APPLDATA field. For more information about statistics collection, see z/OS Security Server RACF Security Administrator's Guide.
- Specifying the RACF-DELEGATED string in the APPLDATA designates the resources protected by the profile as delegated, meaning that RACROUTE REQUEST=FASTAUTH should honor a nested ACEE during access checking to this resource. The RACF-DELEGATED string is reserved text and may appear anywhere in the APPLDATA field. For more information on nested ACEEs and delegated resources, see z/OS Security Server RACF Security Administrator's Guide.
RACF does not validate the APPLDATA value during RALTER. Depending on the function, RACF might or might not issue any messages during subsequent processing if it finds an unexpected value.
The APPLDATA value, if present, can be displayed with the RLIST command.
For detailed information about each APPLDATA value, see z/OS Security Server RACF Security Administrator's Guide.
- For profiles in the PROGRAM class, RACF examines the APPLDATA (if any) and performs special processing if you have specified
- NOAPPLDATA
- Specifies that the RALTER command is to delete the text string that was present in the profile associated with the resource.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed only to the local node.
- AUDIT(access-attempt[(audit-access-level)] )
- Specifies which access attempts and
access levels you want logged to the SMF data set.
- access-attempt
- Specifies which access attempts you want logged to the SMF data set. The following options are
available:
- ALL
- Specifies that you want to log both authorized accesses and detected unauthorized attempts to access the resource.
- FAILURES
- Specifies that you want to log detected unauthorized attempts to access the resource.
- NONE
- Specifies that you do not want any logging to be done for accesses to the resource.
- SUCCESS
- Specifies that you want to log authorized accesses to the resource.
- audit-access-level
- Specifies which access levels you want logged to the SMF data set.
The levels you can specify are:
- ALTER
- Logs ALTER access-level attempts only.
- CONTROL
- Logs access attempts at the CONTROL and ALTER levels.
- READ
- Logs access attempts at any level. This is the default value if no access level is specified.
- UPDATE
- Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
- CDTINFO | NOCDTINFO
-
- CDTINFO
- Specifies information used in the definition of an installation-defined class in the dynamic
class descriptor table. CDTINFO should only be specified for profiles in the CDT class. Carefully
plan changes to avoid unintended results. For guidelines, see Guidelines for changing dynamic CDT entries in z/OS Security Server RACF Security Administrator's Guide. You can use the CDTINFO keyword with no suboperands to initiate validation checking of fields within the CDTINFO segment. For example, you issued an RDEFINE CDT command and received several errors, but you did not save a copy of the error messages. You could then issue the following command and the validation checking will be performed; those error messages will then be issued again.
RALTER CDT profile-name CDTINFO
- CASE | NOCASE
-
- CASE ( UPPER | ASIS )
- Specifies whether mixed-case profile names are allowed for the class. When UPPER is specified, RACF translates the profile names for the specified class to uppercase. When ASIS is specified, RACF commands preserve the case of profile names for the specified class. Lowercase characters are allowed in any position of the profile name where alphabetic characters are allowed, based on the character restrictions in the FIRST and OTHER keywords.
- NOCASE
- Resets CASE to the default value of UPPER.
- DEFAULTRC | NODEFAULTRC
-
- DEFAULTRC
- Specifies the return code that RACF will provide from
RACROUTE REQUEST=AUTH or REQUEST=FASTAUTH when both RACF and
the class are active and (if required) the class has been processed using SETROPTS RACLIST, but RACF doesn't find a profile to protect the resource specified on
the AUTH or FASTAUTH request. The return codes are interpreted as follows:
- 0
- The access request was accepted.
- 4
- No profile exists.
- 8
- The access request was denied.
- NODEFAULTRC
- Resets DEFAULTRC to the default value of
4
.
- DEFAULTUACC | NODEFAULTUACC
-
- DEFAULTUACC ( ALTER | CONTROL | UPDATE | READ | NONE )
- Specifies the minimum access allowed if the access level is not set when a resource profile is defined in the class.
- DEFAULTUACC ( ACEE )
- If no universal access level is specified at the time the profile is created, RACF uses the default universal access authority from the command issuer's ACEE, as specified on the UACC operand of the ADDUSER, ALTUSER or CONNECT command.
- NODEFAULTUACC
- Resets the DEFAULTUACC to the default of NONE.
- FIRST | NOFIRST
-
- FIRST (characters-allowed ...)
- Specifies a character type restriction for the first character of the profile name. One or more
of the following may be specified.
- ALPHA - Allows an alphabetic character (A - Z)
- NUMERIC - Allows a digit (0 - 9)
- NATIONAL - Allows characters # (X'7B'), @ (X'7C'), and $ (X'5B')
- SPECIAL - Allows any character except the following:
  - a blank
  - a comma
  - a parenthesis
  - a semicolon
  - those characters in ALPHA, NUMERIC, or NATIONAL.
  Note: This option includes the period ('.') and is needed if you intend to use it as a delimiter.
- NOFIRST
- Resets FIRST to the default value of FIRST(ALPHA, NATIONAL).
- GENERIC | NOGENERIC
-
- GENERIC ( ALLOWED | DISALLOWED )
- Specifies whether or not SETROPTS GENERIC and SETROPTS GENCMD are allowed for the class. The
SETROPTS GENERIC command activates generic profile checking for a class. The SETROPTS GENCMD command
activates generic profile command processing.
If GENERIC(DISALLOWED) is specified, GENLIST(ALLOWED) cannot also be specified.
Because generic processing is not allowed for grouping classes, GENERIC(DISALLOWED) should be specified if MEMBER(member-class-name) is also specified. If GENERIC(ALLOWED) is specified or defaulted for a grouping class, a warning message is issued. Subsequent processing for the dynamic class being defined and for profiles in that class will be treated as if GENERIC(DISALLOWED) was specified.
Rule: If the dynamic class you are defining shares a POSIT number with other classes, all classes with the shared POSIT number must have the same GENERIC keyword value. This is because the SETROPTS GENERIC and SETROPTS GENCMD commands process all classes that share a POSIT number. If at least one class specifies GENERIC(DISALLOWED) and at least one class specifies GENERIC(ALLOWED), RACF issues a warning message. When you subsequently add this class to the dynamic class descriptor table using the SETROPTS RACLIST(CDT) command, RACF might change the value of the GENERIC keyword to match the GENERIC keyword value of the other classes sharing the POSIT number.
- If this dynamic class shares a POSIT number with an IBM-supplied class, RACF changes the value of the GENERIC keyword in the dynamic class to match the IBM class. (The class attribute in the IBM-supplied class takes precedence.)
- If this dynamic class shares a POSIT number with an installation-defined class (static or dynamic), RACF determines the least restrictive attribute (GENERIC(ALLOWED) is less restrictive than GENERIC(DISALLOWED)) and changes the GENERIC(DISALLOWED) class attribute to GENERIC(ALLOWED).
Exception: A grouping class and member class can share a POSIT number although their GENERIC keyword values need not match. You must specify GENERIC(DISALLOWED) for the grouping class. However, you can specify either ALLOWED or DISALLOWED for the member class.
- NOGENERIC
- Resets GENERIC to the default value of ALLOWED.
- GENLIST | NOGENLIST
-
- GENLIST ( ALLOWED | DISALLOWED )
- Specifies whether SETROPTS GENLIST is to be allowed for the class. If you GENLIST the class on the SETROPTS command and a user then requests access to a resource protected by a generic profile, a copy of that profile will be brought into the common storage area rather than into the user's address space. RACF uses those generic profiles in common storage to check the authorization of any users who want to access the resource. The profiles remain in common storage until a REFRESH occurs.
- NOGENLIST
- Resets GENLIST to the default value of DISALLOWED.
- GROUP | NOGROUP
-
- GROUP ( grouping-class-name )
- Specifies the name of the class that groups the resources within the specified class. If GROUP
is not specified, RACF does not allow resource grouping for
the class. The grouping-class-name must be 1 - 8 characters.
When GROUP is specified, the class being defined is a member class.
If GROUP is specified, then grouping-class-name must also be defined in the CDT class, and its MEMBER keyword should refer to the class being defined. The GROUP and MEMBER keywords must have matching class entries before SETROPTS RACLIST(CDT) is issued to build or refresh the dynamic CDT or before the system is restarted; otherwise, the class in error will not be added to the dynamic class descriptor table.
- NOGROUP
- Removes the grouping-class-name.
- KEYQUALIFIERS | NOKEYQUALIFIERS
-
- KEYQUALIFIERS ( nnn )
- Specifies the number of matching qualifiers RACF uses
when loading generic profile names to satisfy an authorization request if a discrete profile does
not exist for a resource. For example, if you specify two for the class, all generic profile names
whose highest level qualifiers match the two highest qualifiers of the entity name are loaded into
the user's storage when the user requests access to a resource. The nnn
value must be a number 0 - 123.
If KEYQUALIFIERS is not specified, the default is 0 and profile names for the entire class are loaded and searched.
The maximum value you can specify is 123, which is the maximum number of qualifiers in a name 246 characters long.
When KEYQUALIFIERS(nnn) is specified, generic profiles created in that class may not contain generic characters in the first nnn qualifiers of the profile name.
When KEYQUALIFIERS(nnn) is greater than 0 for a class, all discrete and generic profiles in that class must have at least nnn+1 qualifiers in each profile name. The number of qualifiers in a profile name is determined by counting the number of period characters in the profile name and adding one; the first character is not examined.
Examples of valid profile names for KEYQUALIFIERS(2) are:
A.B.C A.B.** A.B.C.D*
Guideline: Specify KEYQUALIFIERS(nnn) greater than 0 for classes that have the following characteristics:
- The class is not usually RACLISTed or GENLISTed.
- Profile names in the class follow a naming convention where many generic profiles have the same nnn number of qualifiers at the beginning of the profile name.
For example, suppose the profiles in your installation class have names such as the following:
REPORTS.USER1.TERMUSE.*
REPORTS.USER1.TERMUSE.DEPT60.*
REPORTS.USER1.TERMUSE.2006.JAN.*
REPORTS.USER1.TERMUSE.2006.FEB.*
REPORTS.USER1.TERMUSE.2006.MAR.*
REPORTS.USER1.TERMUSE.2006.APR.*
REPORTS.USER1.TERMUSE.2006.MAY.*
REPORTS.USER1.TERMUSE.2006.JUN.*
REPORTS.USER1.TERMUSE.2006.JUL.*
REPORTS.USER1.TERMUSE.2006.AUG.*
REPORTS.USER1.TERMUSE.2006.SEP.*
REPORTS.USER1.TERMUSE.2006.OCT.*
REPORTS.USER1.TERMUSE.2006.NOV.*
REPORTS.USER1.TERMUSE.2006.DEC.*
In this example, you might define your installation class using KEYQUALIFIERS(3) so that when RACF performs authorization checks for resources in your class, only generic profile names that match the first three qualifiers of your report are loaded into storage for RACF to check.
- NOKEYQUALIFIERS
- Resets KEYQUALIFIERS to the default value of 0.
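The KEYQUALIFIERS rules above, as an added Python example that is not IBM's code: it counts qualifiers from the second character, enforces the nnn+1 minimum and the no-generic-characters rule for the first nnn qualifiers, and shows which generic profiles would be loaded for a request. The profile names are constructed after the REPORTS.USER1.TERMUSE convention, and treating & (a RACFVARS variable) as a generic character is an assumption of this example.

```python
"""Added example (not IBM's code): models the KEYQUALIFIERS(nnn) rules for a
dynamic CDT class so that profile names can be checked before they are
defined, and shows which generic profiles RACF would load for a request."""

# Characters that make a RACF profile name generic. Including & is an
# assumption of this example: names carrying a RACFVARS variable are
# treated as generic here, just as names containing * or % are.
GENERIC_CHARS = set("*%&")


def qualifiers(profile_name):
    """Split a name into qualifiers the way the CDT rule counts them:
    periods are counted from the second character onward, so a leading
    period (possible with FIRST(SPECIAL)) belongs to the first qualifier."""
    head, rest = profile_name[:1], profile_name[1:]
    parts = rest.split(".")
    parts[0] = head + parts[0]
    return parts


def qualifier_count(profile_name):
    """Number of periods after the first character, plus one."""
    return len(qualifiers(profile_name))


def is_generic(profile_name):
    return bool(GENERIC_CHARS & set(profile_name))


def check_keyqualifiers(profile_name, nnn):
    """Rule violations for one profile name in a class defined with
    KEYQUALIFIERS(nnn); an empty list means the name is acceptable."""
    if not 0 <= nnn <= 123:
        raise ValueError("KEYQUALIFIERS value must be 0 - 123")
    problems = []
    if nnn == 0:
        return problems  # KEYQUALIFIERS(0): no restriction on profile names
    quals = qualifiers(profile_name)
    # Every discrete or generic profile needs at least nnn+1 qualifiers.
    if len(quals) < nnn + 1:
        problems.append(f"{profile_name}: needs at least {nnn + 1} qualifiers, "
                        f"has {len(quals)}")
    # The first nnn qualifiers must not contain generic characters.
    for i, qual in enumerate(quals[:nnn], start=1):
        if GENERIC_CHARS & set(qual):
            problems.append(f"{profile_name}: qualifier {i} ({qual!r}) is generic "
                            f"but the first {nnn} qualifiers must be discrete")
    return problems


def generics_loaded(profile_names, resource_name, nnn):
    """Generic profile names RACF loads for an authorization request on
    resource_name when no discrete profile exists: those whose first nnn
    qualifiers equal the resource's first nnn qualifiers. With nnn == 0
    every generic profile in the class is loaded."""
    key = qualifiers(resource_name)[:nnn]
    return [p for p in profile_names
            if is_generic(p) and qualifiers(p)[:nnn] == key]


# Constructed sample class contents, modelled on the REPORTS.USER1.TERMUSE
# naming convention above, plus names from other conventions and one
# discrete profile.
SAMPLE_PROFILES = [
    "REPORTS.USER1.TERMUSE.*",
    "REPORTS.USER1.TERMUSE.DEPT60.*",
    "REPORTS.USER1.TERMUSE.2006.JAN.*",
    "REPORTS.USER1.TERMUSE.2006.FEB.*",
    "REPORTS.USER2.TERMUSE.*",
    "REPORTS.USER2.BATCH.**",
    "REPORTS.USER1.DISK.MONTHLY",
]

if __name__ == "__main__":
    # Two names that KEYQUALIFIERS(3) rejects: a generic second qualifier,
    # and too few qualifiers.
    for name in SAMPLE_PROFILES + ["REPORTS.*.TERMUSE.*", "REPORTS.USER1"]:
        print(name, "->", check_keyqualifiers(name, 3) or "OK")
    print(generics_loaded(SAMPLE_PROFILES,
                          "REPORTS.USER1.TERMUSE.2006.JAN.DAY01", 3))
```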
- MACPROCESSING | NOMACPROCESSING
-
- MACPROCESSING ( NORMAL | REVERSE | EQUAL )
- Specifies which type of mandatory access control (MAC) processing is required for the class:
- NORMAL - specifies normal MAC processing is required. If and when a MAC check is performed, the user's SECLABEL must dominate that of the resource.
- REVERSE - specifies reverse MAC processing is required. If and when a MAC check is performed, the SECLABEL of the resource must dominate that of the user.
- EQUAL - specifies equal MAC processing is required. If and when a MAC check is performed, the SECLABEL of the user must be equivalent to that of the resource. MACPROCESSING(EQUAL) should be used for classes where two-way communication is expected. Writedown (SETROPTS MLS) does not apply to classes where MACPROCESSING(EQUAL) is specified.
- NOMACPROCESSING
- Resets MACPROCESSING to the default value of NORMAL.
- MAXLENGTH | NOMAXLENGTH
-
- MAXLENGTH ( nnn )
- Specifies the maximum length of resource and profile names for the specified class when MAXLENX is not specified. When MAXLENX is also specified, MAXLENGTH represents the maximum length of a resource name only when a RACROUTE macro is invoked with the ENTITY keyword. The value of nnn must be 1 - 246.
- NOMAXLENGTH
- Resets MAXLENGTH to the default value of 8.
- MAXLENX | NOMAXLENX
-
- MAXLENX ( nnn )
- Specifies the maximum length of resource and profile names for the specified class when a
RACROUTE macro is invoked with the ENTITYX keyword or when a profile is added or changed using a RACF command processor. The value of
nnn must be 1 - 246.
If MAXLENX is not specified before SETROPTS RACLIST(CDT) is issued to build or refresh the dynamic CDT or before the system is restarted, the value specified for MAXLENGTH is used for MAXLENX in subsequent processing for the dynamic class.
- NOMAXLENX
- Removes the MAXLENX value.
- MEMBER | NOMEMBER
-
- MEMBER ( member-class-name )
- Specifies the name of the class grouped by the resources within the specified class. The
member-class-name value must be 1 - 8 characters.
When MEMBER is specified, the class being defined is a resource group.
If MEMBER is specified, then member-class-name must also be defined in the CDT class and its GROUP keyword should refer to the class being defined. The GROUP and MEMBER keywords must have matching class entries before SETROPTS RACLIST(CDT) is issued to build or refresh the dynamic CDT or before the system is restarted; otherwise, the class in error will not be added to the dynamic class descriptor table.
- NOMEMBER
- Removes the member-class-name.
- OPERATIONS | NOOPERATIONS
-
- OPERATIONS ( YES | NO )
- Specifies whether RACF is to take the OPERATIONS attribute into account when it performs authorization checking. If YES is specified, RACF considers the OPERATIONS attribute; if NO is specified, RACF ignores the OPERATIONS attribute.
- NOOPERATIONS
- Resets OPERATIONS to the default value of NO.
- OTHER | NOOTHER
-
- OTHER ( characters-allowed ...)
- Specifies a character type restriction for the characters of the profile name other than the
first character. One or more of the following may be specified:
- ALPHA - Allows an alphabetic character (A - Z)
- NUMERIC - Allows a digit (0 - 9)
- NATIONAL - Allows characters # (X'7B'), @ (X'7C'), and $ (X'5B')
- SPECIAL - Allows any character except the following:
  - a blank
  - a comma
  - a parenthesis
  - a semicolon
  - those characters in ALPHA, NUMERIC, or NATIONAL.
  Note: This option includes the period ('.') and is needed if you intend to use it as a delimiter.
- NOOTHER
- Resets OTHER to the default of OTHER(ALPHA, NATIONAL).
- POSIT | NOPOSIT
-
- POSIT ( nnn )
- Specifies the POSIT number associated with the class. Each class in the class descriptor table
has a POSIT number specified which identifies a set of option flags that control the following RACF processing options:
- Whether authorization checking should take place for the class (SETROPTS CLASSACT)
- Whether auditing should take place for resources within the class (SETROPTS AUDIT)
- Whether statistics should be kept for resources within the class (SETROPTS STATISTICS)
- Whether generic profile access checking is active for the class (SETROPTS GENERIC)
- Whether generic command processing is active for the class (SETROPTS GENCMD)
- Whether global access checking is active for the class (SETROPTS GLOBAL)
- Whether the user has CLAUTH to a resource class
- Whether special resource access auditing applies to the class (SETROPTS LOGOPTIONS)
- Whether SETROPTS RACLIST will occur for this class (when RACLIST(ALLOWED) or RACLIST(REQUIRED) is also specified)
For all classes that have the same POSIT number specified, these options are identical. If you change an option for one class, this change will also affect all other classes that share the same POSIT number.
Before you issue SETROPTS RACLIST(CDT) to build or refresh the dynamic class descriptor table, you must decide whether to use a unique set of option flags for each RACF class or whether to have two or more RACF classes share the same set of option flags. If you choose to use a unique set of option flags for a class, assign the class a unique POSIT number. If you choose to share the same set of option flags among several classes, assign those classes the same POSIT number.
Before you issue SETROPTS RACLIST(CDT) to build or refresh the dynamic CDT, the POSIT keyword must specify a valid value on either the RDEFINE or RALTER command. Otherwise, the new or changed class will not be added to the dynamic class descriptor table.
Once you issue SETROPTS RACLIST(CDT) to build or refresh the dynamic class descriptor table, you can activate the classes that comprise it and their respective set of option flags using the appropriate keywords on the SETROPTS command.
There are 1024 POSIT numbers that can identify 1024 sets of option flags. Installations can specify POSIT numbers 19 - 56 and 128 - 527. POSIT numbers 0 - 18, 57 - 127 and 528 - 1023 are reserved for IBM use and should not be specified for installation-defined classes unless an installation intends that one of its classes share SETROPTS options with an IBM-defined class.
Guideline: A RACF class that has a default return code of 8 should not share a POSIT value with a RACF class having a different default return code. If a class with a default return code of 8 is activated but no profiles are defined, user activity that requires access in that class will be prevented.
- NOPOSIT
- Removes the POSIT number.
Before you issue SETROPTS RACLIST(CDT) to build or refresh the dynamic CDT, the POSIT keyword must specify a valid value on either the RDEFINE or RALTER command. Otherwise, the new or changed class will not be added to the dynamic class descriptor table.
- PROFILESALLOWED | NOPROFILESALLOWED
-
- PROFILESALLOWED ( YES | NO )
- Specifies whether you want RACF to allow profiles to be defined for this RACF class. If you specify PROFILESALLOWED(NO), RACF will not allow profiles to be defined to this RACF class; if a user attempts to define a profile to that class, the RDEFINE command responds with an appropriate message.
- NOPROFILESALLOWED
- Resets the PROFILESALLOWED value to the default of YES.
- RACLIST | NORACLIST
-
- RACLIST
- Specifies whether SETROPTS RACLIST is to be allowed, disallowed or required for the specified
class. If you process this class using SETROPTS RACLIST, RACF
brings copies of all discrete and generic profiles within that class into storage in a data space.
RACF uses those profiles in storage to check the
authorization of any users who want to access the resources. The profiles remain in storage until
removed by SETROPTS NORACLIST.
- ALLOWED
- Specifies that SETROPTS RACLIST may be used for the class, but is not required for authorization checking.
- DISALLOWED
- Specifies that SETROPTS RACLIST may not be used for the class.
- REQUIRED
- Specifies that you must process the class using SETROPTS RACLIST in order to use RACROUTE REQUEST=AUTH. The purpose of this keyword is to allow routines that cannot tolerate I/O to invoke RACF. When this keyword is specified and the class is not processed by SETROPTS RACLIST and a RACROUTE REQUEST=AUTH is attempted, the return code is 4.
- NORACLIST
- Resets the RACLIST value to the default of DISALLOWED.
- SECLABELSREQUIRED | NOSECLABELSREQUIRED
-
- SECLABELSREQUIRED ( YES | NO )
- Specifies whether a SECLABEL is required for the profiles of the specified class when SETROPTS
MLACTIVE is on.
SECLABELSREQUIRED(NO) means that RACF will not require a SECLABEL for profiles in this class; however, if a SECLABEL exists for this profile and the SECLABEL class is active, RACF will use it during authorization checking. SECLABELSREQUIRED(NO) applies to general resource classes that have no profiles, such as DIRAUTH, or for classes that contain no data, such as OPERCMDS and SECLABEL.
SECLABELSREQUIRED(YES) means that RACF will require a SECLABEL for profiles in this class when SETROPTS MLACTIVE is on.
- NOSECLABELSREQUIRED
- Resets the SECLABELSREQUIRED to the default of NO.
- SIGNAL | NOSIGNAL
-
- SIGNAL ( YES | NO )
- Specifies whether an ENF signal should be sent to listeners when RACLISTed profiles are created,
updated or deleted for authorization checking.
When SIGNAL(YES) is specified, RACF will send an ENF signal to listeners when a SETROPTS RACLIST, SETROPTS NORACLIST or SETROPTS RACLIST REFRESH is issued for the class to activate, deactivate, or update the profiles used for authorization checking. For more information, see ENF signals in z/OS Security Server RACF System Programmer's Guide.
When SIGNAL(NO) is specified, no ENF signal is sent.
SIGNAL(YES) is not valid if RACLIST(DISALLOWED) is specified.
- NOSIGNAL
- Resets the SIGNAL value to the default of NO.
- NOCDTINFO
- Deletes the CDTINFO segment.
- CFDEF | NOCFDEF
-
- CFDEF
- Changes the attributes of a custom field for profiles in the CFIELD class. The custom fields you
define with the CFDEF operand can be used in the CSDATA segment of RACF profiles. For more information about custom fields,
including the profile name format, see Defining and using custom fields in z/OS Security Server RACF Security
Administrator's Guide.
Changes in the custom field are not effective until the system programmer rebuilds the dynamic parse table using the IRRDPI00 UPDATE command. For information about using the IRRDPI00 command, see z/OS Security Server RACF System Programmer's Guide.
You can use the CFDEF keyword with no suboperands to initiate validation checking of fields within the CFDEF segment. For example, you issued an RDEFINE CFIELD command and received several errors, but you did not save a copy of the error messages. You could then issue the following command and the validation checking will be performed; those error messages will then be issued again.
RALTER CFIELD profile-name CFDEF
Rules:
- Specify CFDEF only for profiles in the CFIELD class.
- You cannot change the data type of a custom field using the RALTER command. (Changing the data
type might render the field unusable if all other attributes are not correctly set.)
If you want to change the data type for a custom field, delete the CFIELD profile using the RDELETE command, and then define the custom field with the proper data type using the RDEFINE command.
Important: Plan carefully before you change the attributes of a custom field. Most attributes are either required or desirable based on data type. Therefore, you can change but not remove certain attributes using the RALTER command.
- ACEE
- Specifies whether the field value will be:
- Anchored in an ACEE that is created for a user
- Available to applications through the R_GetInfo SAF callable service (IRRSGI00).
Rule: The ACEE keyword can be used only for USER profile custom fields.
The following values are valid:
- YES
- The value will be contained in an ACEE that is created for the user.
- NO
- The value will not be contained in an ACEE that is created for the user.
- FIRST
- Specifies a character restriction for the first character in the custom field. Rules:
- You can change but you cannot remove the FIRST value.
- The valid options for the FIRST attribute apply as follows, based on TYPE value (data type).
Valid options | CHAR | FLAG | HEX | NUM |
---|---|---|---|---|
ALPHA | Allowed. | | | |
ALPHANUM | Allowed. | | | |
ANY | Allowed. | | | |
NONATABC | Allowed. | Allowed. | | |
NONATNUM | Allowed. | | Allowed. | |
NUMERIC | Allowed. | | | Allowed. |
For each option of the FIRST attribute, the characters allowed in the custom field are as follows:
Valid options | Alphabetic characters (A - Z) | National characters # (X'7B'), @ (X'7C'), and $ (X'5B') | Numeric characters (0 - 9) | Any other character |
---|---|---|---|---|
ALPHA | Allowed. | Allowed. | | |
ALPHANUM | Allowed. | Allowed. | Allowed. | |
ANY | Allowed. | Allowed. | Allowed. | Allowed. |
NONATABC | Allowed. | | | |
NONATNUM | Allowed. | | Allowed. | |
NUMERIC | | | Allowed. | |
- ALPHA
- Allows alphabetic characters (A - Z) and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ALPHANUM
- Allows alphabetic characters (A - Z), numbers (0 - 9), and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ANY
- Allows alphabetic characters (A - Z), numbers (0 - 9), national characters # (X'7B'), @ (X'7C'), and $ (X'5B'), and any other character. When you specify both FIRST(ANY) and OTHER(ANY), also allows quoted strings.
- NONATABC
- Allows alphabetic characters, and excludes numbers and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NONATNUM
- Allows alphabetic characters and numbers, but excludes national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NUMERIC
- Allows numbers (0 - 9).
- HELP( help-text )
- Specifies the help text for this custom field. The help text is displayed when the user is in TSO PROMPT mode and presses the PF1 key or enters a question mark (?). Lowercase alphabetic characters in the help-text value are translated to uppercase.
Rules:
- Length: 1 - 255 characters.
- If the help text contains parentheses, commas, blanks, or semicolons, enclose the entire text string in single quotation marks.
- If a single quotation mark is intended to be part of the help text, use two single quotation
marks together for each single quotation mark within the string, and enclose the entire string in
single quotation marks. Example: To define help text for a customer's address and indicate that the field can be up to 100 characters, you might specify the following value:
HELP('CUSTOMER''S ADDRESS. SPECIFY UP TO 100 CHARACTERS')
- You can change but you cannot remove the HELP value.
- LISTHEAD( list-heading-text )
- Specifies the heading to display in the output for the LISTUSER or LISTGRP command whenever the
CSDATA segment is listed. Lowercase alphabetic characters in the
list-heading-text value are translated to uppercase. Rules:
- Length: 1 - 40 characters.
- If the heading text contains parentheses, commas, blanks, or semicolons, enclose the entire text string in single quotation marks.
- If a single quotation mark is intended to be part of the heading text, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string in single quotation marks. Example:
LISTHEAD('CUSTOMER''S ADDRESS =')
- You can change but you cannot remove the LISTHEAD value.
Guidelines: If you specify a LISTHEAD value, avoid confusion for users who use the LISTUSER or LISTGRP command to list custom field values by following these guidelines:
- Ensure that each custom field has a unique heading.
- Append an equal sign (=) or other delimiter to your LISTHEAD value to indicate in the list output where the heading ends and the data begins.
- MAXLENGTH( maximum-field-length )
- Specifies the maximum length of the custom field. Rules:
- You can change but you cannot remove the MAXLENGTH value.
- The valid values or value ranges shown in Table 1 apply based on data type.
Table 1. Valid values or value range for the MAXLENGTH keyword, based on data type
Data type | Valid value or range |
---|---|
CHAR | 1 - 1100 |
FLAG | 3 |
HEX | 1 - 512 |
NUM | 1 - 10 |
- MAXVALUE | NOMAXVALUE
-
- MAXVALUE( maximum-numeric-value )
- Specifies the maximum numeric value for a custom field with TYPE(NUM). Rules:
- Valid range: 0 - 2 147 483 647
- Do not specify a MAXVALUE value for custom fields with CHAR, FLAG, or HEX data type.
- Do not specify a MAXVALUE value lower than the MINVALUE value.
- Do not specify a MAXVALUE value longer than the highest value based on MAXLENGTH value.
- NOMAXVALUE
- Removes the MAXVALUE value. If you specify NOMAXVALUE, the following information is displayed
when you list the CFDEF segment using the RLIST command.
MAXVALUE = NONE
- MINVALUE | NOMINVALUE
-
- MINVALUE( minimum-numeric-value )
- Specifies the minimum numeric value for a custom field with TYPE(NUM). Rules:
- Valid range: 0 - 2 147 483 647
- Do not specify a MINVALUE value for fields with CHAR, FLAG, or HEX data type.
- Do not specify a MINVALUE value higher than the MAXVALUE value.
- Do not specify a MINVALUE value longer than the highest value based on MAXLENGTH value.
- NOMINVALUE
- Removes the MINVALUE value. If you specify NOMINVALUE, the following information is displayed
when you list the CFDEF segment using the RLIST command.
MINVALUE = NONE
- MIXED
- Specifies whether mixed-case alphabetic characters are allowed for a custom field with
TYPE(CHAR).
- YES
- Lowercase characters are allowed in any position of the custom field where alphabetic characters
are allowed, based on the character restrictions specified in the FIRST and OTHER keywords. RACF commands, such as ADDUSER, do not translate lowercase
alphabetic characters in the field to uppercase.
Rule: Do not specify MIXED(YES) for custom fields with FLAG, HEX, or NUM data type.
- NO
- RACF commands translate lowercase alphabetic characters in the field to uppercase.
- OTHER
- Specifies a character restriction for characters in the custom field other than the first
character.
For each option of the OTHER attribute, the characters allowed in the custom field are as follows:
Valid options | Alphabetic characters (A - Z) | National characters # (X'7B'), @ (X'7C'), and $ (X'5B') | Numeric characters (0 - 9) | Any other character |
---|---|---|---|---|
ALPHA | Allowed. | Allowed. | | |
ALPHANUM | Allowed. | Allowed. | Allowed. | |
ANY | Allowed. | Allowed. | Allowed. | Allowed. |
NONATABC | Allowed. | | | |
NONATNUM | Allowed. | | Allowed. | |
NUMERIC | | | Allowed. | |
- ALPHA
- Allows alphabetic characters (A - Z) and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ALPHANUM
- Allows alphabetic characters (A - Z), numbers (0 - 9), and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ANY
- Allows alphabetic characters (A - Z), numbers (0 - 9), national characters # (X'7B'), @ (X'7C'), and $ (X'5B'), and any other character. When you specify both FIRST(ANY) and OTHER(ANY), also allows quoted strings.
- NONATABC
- Allows alphabetic characters, and excludes numbers and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NONATNUM
- Allows alphabetic characters and numbers, but excludes national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NUMERIC
- Allows numbers (0 - 9).
Rules:
- You can change but you cannot remove the OTHER value.
- The valid options for the OTHER attribute apply as follows, based on TYPE value (data type).
Valid options | CHAR | FLAG | HEX | NUM |
---|---|---|---|---|
ALPHA | Allowed. | | | |
ALPHANUM | Allowed. | | | |
ANY | Allowed. | | | |
NONATABC | Allowed. | Allowed. | | |
NONATNUM | Allowed. | | Allowed. | |
NUMERIC | Allowed. | | | Allowed. |
- VALREXX( REXX-exec-name )
- Specifies the name of a REXX exec that RACF will call to perform validation on the value of the custom field as it is being assigned. The REXX exec must reside in the System REXX concatenations.
- NOCFDEF
- Deletes the CFDEF segment.
Important: Avoid issuing the NOCFDEF operand for profiles in the CFIELD class because it causes the custom fields defined in the CFDEF segment to be unusable.
If you want to change the TYPE attribute, or remove an attribute that you are unable to remove using the RALTER command, delete the CFIELD profile using the RDELETE command, and then define the custom field with the proper attributes using the RDEFINE command.
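The CFDEF rules above (FIRST/OTHER options per data type, the Table 1 MAXLENGTH ranges, MINVALUE/MAXVALUE, and MIXED) as an added Python pre-check; this is not IBM's code, and the field names and values are constructed for the example.

```python
"""Added example (not IBM's code): checks a custom field definition and a
proposed field value against the CFDEF attributes described above, so that
an invalid value is caught before the CSDATA(...) command is issued."""
from dataclasses import dataclass
from typing import List, Optional

ALPHA = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
NUMERIC = set("0123456789")
NATIONAL = set("#@$")  # X'7B', X'7C', X'5B'

# Characters allowed by each FIRST/OTHER option; ANY also admits every
# other character (see _char_ok).
OPTION_CHARS = {
    "ALPHA": ALPHA | NATIONAL,
    "ALPHANUM": ALPHA | NATIONAL | NUMERIC,
    "ANY": ALPHA | NATIONAL | NUMERIC,
    "NONATABC": ALPHA,
    "NONATNUM": ALPHA | NUMERIC,
    "NUMERIC": NUMERIC,
}
# FIRST/OTHER options that are valid for each data type.
OPTIONS_BY_TYPE = {
    "CHAR": {"ALPHA", "ALPHANUM", "ANY", "NONATABC", "NONATNUM", "NUMERIC"},
    "FLAG": {"NONATABC"},
    "HEX": {"NONATNUM"},
    "NUM": {"NUMERIC"},
}
# Table 1: MAXLENGTH range per data type.
MAXLENGTH_RANGE = {"CHAR": (1, 1100), "FLAG": (3, 3), "HEX": (1, 512), "NUM": (1, 10)}
INT_MAX = 2_147_483_647  # upper bound for MINVALUE/MAXVALUE


@dataclass
class CustomField:
    """One CFIELD profile's CFDEF segment (names and values are constructed)."""
    name: str
    dtype: str
    first: str
    other: str
    maxlength: int
    mixed: bool = False
    minvalue: Optional[int] = None
    maxvalue: Optional[int] = None

    def definition_problems(self) -> List[str]:
        """Rule violations in the CFDEF attributes themselves."""
        p = []
        lo, hi = MAXLENGTH_RANGE[self.dtype]
        if not lo <= self.maxlength <= hi:
            p.append(f"MAXLENGTH({self.maxlength}) outside {lo} - {hi} for TYPE({self.dtype})")
        for kw, opt in (("FIRST", self.first), ("OTHER", self.other)):
            if opt not in OPTIONS_BY_TYPE[self.dtype]:
                p.append(f"{kw}({opt}) is not valid for TYPE({self.dtype})")
        if self.mixed and self.dtype != "CHAR":
            p.append("MIXED(YES) is valid only for TYPE(CHAR)")
        limits = [v for v in (self.minvalue, self.maxvalue) if v is not None]
        if limits and self.dtype != "NUM":
            p.append("MINVALUE/MAXVALUE are valid only for TYPE(NUM)")
        if any(not 0 <= v <= INT_MAX for v in limits):
            p.append(f"MINVALUE/MAXVALUE must be 0 - {INT_MAX}")
        if len(limits) == 2 and self.minvalue > self.maxvalue:
            p.append("MINVALUE must not be higher than MAXVALUE")
        if any(len(str(v)) > self.maxlength for v in limits):
            p.append(f"MINVALUE/MAXVALUE exceed what MAXLENGTH({self.maxlength}) allows")
        return p

    def _char_ok(self, ch: str, option: str) -> bool:
        # With MIXED(YES) lowercase letters count as alphabetic characters.
        return option == "ANY" or ch.upper() in OPTION_CHARS[option]

    def value_problems(self, value: str) -> List[str]:
        """Rule violations for a proposed field value; empty means acceptable."""
        p = []
        if not self.mixed:
            value = value.upper()  # RACF commands fold the value to uppercase
        if not 1 <= len(value) <= self.maxlength:
            return [f"length {len(value)} outside 1 - {self.maxlength}"]
        if not self._char_ok(value[0], self.first):
            p.append(f"first character {value[0]!r} not allowed by FIRST({self.first})")
        for pos, ch in enumerate(value[1:], start=2):
            if not self._char_ok(ch, self.other):
                p.append(f"character {ch!r} at position {pos} not allowed by OTHER({self.other})")
        if self.dtype == "NUM" and not p:
            n = int(value)
            if self.minvalue is not None and n < self.minvalue:
                p.append(f"{n} is below MINVALUE({self.minvalue})")
            if self.maxvalue is not None and n > self.maxvalue:
                p.append(f"{n} is above MAXVALUE({self.maxvalue})")
        return p


# Constructed sample fields; BADFLAG violates the FLAG rule (needs NONATABC).
EMPID = CustomField("EMPID", "CHAR", "ALPHA", "ALPHANUM", 8)
DEPTNO = CustomField("DEPTNO", "NUM", "NUMERIC", "NUMERIC", 4, minvalue=1, maxvalue=9999)
ADDRESS = CustomField("ADDRESS", "CHAR", "ANY", "ANY", 100, mixed=True)
BADFLAG = CustomField("BADFLAG", "FLAG", "ALPHA", "ALPHA", 3)

if __name__ == "__main__":
    print(EMPID.value_problems("1A"), DEPTNO.value_problems("0"), BADFLAG.definition_problems())
```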
- CSDATA | NOCSDATA
-
- CSDATA
- Specifies information to add, change, or remove a custom
field for this general resource.
- custom-field-name ... | NOcustom-field-name ...
-
- custom-field-name(custom-field-value) ...
- Specifies the name and value of a custom field for this general resource. You can specify values for multiple custom fields with a single RALTER command.
Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
Rules:
- You must use the same custom-field-name as defined by the CFIELD profile named GENERAL.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
- You must specify a custom-field-value that is valid for the attributes of this custom field. (The attributes, such as data type, are defined in the CFDEF segment of the CFIELD profile.)
- NOcustom-field-name ...
- Removes the custom field information for this general resource. You can remove values for multiple custom fields with a single RALTER command.
When you append the prefix NO to the name of the custom field, you delete the value for that custom field from the general resource profile. For example, if your installation has defined a custom field named ADDRESS and you want to remove the ADDRESS field from the general resource profile SHANNON in the GENERAL class, you might issue the following command:
Example:
RALTER GENERAL SHANNON CSDATA(NOADDRESS)
- NOCSDATA
- Deletes the CSDATA segment from the general resources profile.
- DATA | NODATA
-
- DATA('installation-defined-data')
- Specifies up to 255 characters of installation-defined data to be stored in the profile for the resource. The data must be enclosed in single quotation marks. It can also contain double-byte character set (DBCS) data.
This information is listed by the RLIST command.
- NODATA
- Specifies that the RALTER command is to delete the installation-defined data in the resource profile.
- DLFDATA | NODLFDATA
-
- DLFDATA
- For profiles in the DLFCLASS, specifies information used in the control of DLF objects.
- RETAIN(YES | NO) | NORETAIN
- Specifies whether the DLF object can be retained after use.
- JOBNAMES | NOJOBNAMES | ADDJOBNAMES | DELJOBNAMES
- You can specify any job name valid on your system. You can also specify generic job names with an asterisk (*) as the last character of a job name. For example, JOBNAMES(ABC) allows only job ABC to access the DLF objects protected by the profile. JOBNAMES(ABC*) allows any job whose name begins with ABC (such as ABC, ABC1, or ABCDEF) to access the DLF objects.
- JOBNAMES(jobname1 ...)
- Specifies the list of job names that can access the DLF objects protected by this profile.
- NOJOBNAMES
- Specifies that no job names can access the DLF objects protected by this profile.
- ADDJOBNAMES(jobname1 ...)
- Adds the specified job names to the list of job names that can access the DLF objects protected by this profile.
- DELJOBNAMES(jobname1 ...)
- Deletes the specified job names from the job names list.
- NODLFDATA
- Deletes the DLFDATA segment from the profile.
- EIM | NOEIM
-
- EIM
- The EIM and PROXY segment keywords and subkeywords combine to define the EIM domain, the LDAP host it resides on, and the bind information required by the EIM services to establish a connection with an EIM domain. The EIM services will attempt to retrieve this information when it is not explicitly supplied with the invocation parameters.
- DOMAINDN | NODOMAINDN
-
- DOMAINDN(eim_domain_dn)
- Specifies the distinguished name of the EIM domain. A valid EIM domain distinguished name begins with ibm-eimDomainName=. Uppercase and lowercase characters are accepted and maintained in the case in which they are entered.
The EIM domain distinguished name is one component of an EIM domain name. An EIM domain name identifies the LDAP server that stores the EIM domain information. The EIM domain name begins with the ldap_url from the LDAPHOST suboperand of the PROXY keyword, followed by /, and ends with the eim_domain_dn from the DOMAINDN suboperand. The length of a valid EIM domain name is determined by the combination of those factors. RACF allows the input of 1023 characters for the domain distinguished name. RACF does not ensure that an EIM domain name created from the LDAP URL and EIM domain distinguished name forms a valid EIM domain name.
For more information about LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
- NODOMAINDN
- Deletes the eim_domain_dn value.
- OPTIONS | NOOPTIONS
- Specifies options that control the EIM configuration.
- ENABLE | DISABLE
-
- ENABLE
- Specifies that new connections may be established with the specified EIM domain. This is the default.
- DISABLE
- Specifies that new connections may not be established with the specified EIM domain.
- NOOPTIONS
- Resets OPTIONS to the default value of ENABLE.
- LOCALREGISTRY | NOLOCALREGISTRY
-
- LOCALREGISTRY(registry_name)
- Specifies the name of the local RACF registry in EIM domains. This operand is valid only with the following profiles and is ignored for all others:
- The IRR.PROXY.DEFAULTS profile in the FACILITY class
- The IRR.ICTX.DEFAULTS.sysid profile in the LDAPBIND class
- The IRR.ICTX.DEFAULTS profile in the LDAPBIND class.
EIM uses the registry_name value defined in the IRR.PROXY.DEFAULTS profile. The ICTX identity cache uses the registry_name value defined in the IRR.ICTX.DEFAULTS.sysid or IRR.ICTX.DEFAULTS profile.
The registry_name value is 1 - 255 characters in length. It can consist of any characters and can be entered with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are intended as part of the registry_name, you must enclose the entire character string in single quotation marks.
- If a single quotation mark is intended as part of the registry_name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
- Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.
- NOLOCALREGISTRY
- Deletes the local registry name from the profile. It does not affect the in-storage copy of the registry name. IPL the system to remove the in-storage copy.
- KERBREGISTRY | NOKERBREGISTRY
-
- KERBREGISTRY(registry_name)
- Specifies the name of the Kerberos registry in the EIM domain that the system is configured to use. This operand is only valid for the IRR.PROXY.DEFAULTS FACILITY class profile. The value is ignored when used on other profiles. The Kerberos registry_name may be 1 - 255 characters in length. The registry_name can consist of any characters and can be entered with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered as part of the registry_name, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the registry_name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
- Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.
- NOKERBREGISTRY
- Deletes the Kerberos registry name from the profile.
- X509REGISTRY | NOX509REGISTRY
-
- X509REGISTRY(registry_name)
- Specifies the name of the X.509 registry in the EIM domain that the system is configured to use. This operand is only valid for the IRR.PROXY.DEFAULTS FACILITY class profile. The value is ignored when used on other profiles. The X.509 registry_name may be 1 - 255 characters long. The registry_name can consist of any characters and can be entered with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered as part of the registry_name, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the registry_name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
- Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.
- NOX509REGISTRY
- Deletes the X.509 registry name from the profile.
- NOEIM
- Deletes the EIM segment.
- GLOBALAUDIT(access-attempt[(audit-access-level)])
- Specifies which access attempts and access levels the user who has the AUDITOR attribute wants logged to the SMF data set.
- access-attempt
- Specifies which access attempts the user who has the AUDITOR attribute wants to log on the SMF data set.
- ALL
- Specifies that you want to log both authorized accesses and detected unauthorized attempts to access the resource.
- FAILURES
- Specifies that you want to log detected unauthorized attempts to access the resource.
- NONE
- Specifies that you do not want any logging to be done for accesses to the resource.
- SUCCESS
- Specifies that you want to log authorized accesses to the resource.
- audit-access-level
- Specifies which access levels the user who has the AUDITOR attribute wants to log on the SMF data set.
- ALTER
- Logs ALTER access-level attempts only.
- CONTROL
- Logs access attempts at the CONTROL and ALTER levels.
- READ
- Logs access attempts at any level. This is the default value if no access level is specified.
- UPDATE
- Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
To use GLOBALAUDIT, you must have the AUDITOR attribute, or the resource profile must be within the scope of a group in which you have the group-AUDITOR attribute.
Regardless of the value you specify for GLOBALAUDIT, RACF always logs all access attempts specified on AUDIT.
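An added example, not IBM code: this Python models the logging decision described above, combining a profile's AUDIT setting with its GLOBALAUDIT setting (an audit-access-level covers that level and every higher one, READ being the default) so that a reviewer can check what a given pair of settings would record. It also accepts several terms in one setting, such as SUCCESS(UPDATE) FAILURES(READ).

```python
"""Decide whether RACF would write an SMF audit record for an access attempt,
given a profile's AUDIT setting (set by the owner) and its GLOBALAUDIT setting
(set by an auditor).

Added example, not IBM code. It models the rules stated above: each setting
names which attempts to log (ALL, SUCCESS, FAILURES, NONE) and a threshold
access level that covers itself and every higher level (READ, the default,
covers everything), and a record is written when either setting asks for it.
"""
import re

# Access levels in ascending order; an audit-access-level covers itself and all higher levels.
LEVELS = ("READ", "UPDATE", "CONTROL", "ALTER")

# One audit term: ALL, SUCCESS, FAILURES or NONE, optionally followed by (level).
TERM_RE = re.compile(r"(ALL|FAILURES|NONE|SUCCESS)(?:\(([A-Z]+)\))?")


def parse_spec(spec):
    """Parse 'FAILURES(UPDATE)' or 'SUCCESS(CONTROL) FAILURES(READ)' into [(attempt, level), ...].

    A missing level defaults to READ, as the operand description states.
    """
    text = spec.strip().upper()
    terms, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TERM_RE.match(text, pos)
        if not m:
            raise ValueError(f"unrecognised audit term at {text[pos:]!r}")
        attempt, level = m.group(1), m.group(2) or "READ"
        if level not in LEVELS:
            raise ValueError(f"{level} is not an audit-access-level")
        terms.append((attempt, level))
        pos = m.end()
    return terms


def term_logs(attempt, audit_level, outcome, access_level):
    """True when one audit term covers an attempt with the given outcome and access level."""
    if attempt == "NONE":
        return False
    if attempt == "SUCCESS" and outcome != "SUCCESS":
        return False
    if attempt == "FAILURES" and outcome != "FAILURE":
        return False
    # ALL, or the matching outcome: log when the attempted level reaches the threshold.
    return LEVELS.index(access_level) >= LEVELS.index(audit_level)


def spec_logs(spec, outcome, access_level):
    """True when any term in one AUDIT or GLOBALAUDIT setting would log the attempt."""
    return any(term_logs(a, lvl, outcome, access_level) for a, lvl in parse_spec(spec))


def would_log(audit, globalaudit, outcome, access_level):
    """Combine both settings: GLOBALAUDIT never suppresses what AUDIT asks for."""
    outcome, access_level = outcome.upper(), access_level.upper()
    if outcome not in ("SUCCESS", "FAILURE"):
        raise ValueError("outcome must be SUCCESS or FAILURE")
    if access_level not in LEVELS:
        raise ValueError(f"access level must be one of {LEVELS}")
    return spec_logs(audit, outcome, access_level) or spec_logs(globalaudit, outcome, access_level)


if __name__ == "__main__":
    # Constructed sample: the owner logs failures at READ and up, the auditor adds successful UPDATEs and up.
    for outcome, level in (("FAILURE", "READ"), ("SUCCESS", "READ"), ("SUCCESS", "ALTER")):
        print(outcome, level, "->", would_log("FAILURES(READ)", "SUCCESS(UPDATE)", outcome, level))
```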
- ICSF | NOICSF
-
- ICSF
- Specifies ICSF attributes for the keys that are controlled by this profile. ICSF attributes are valid only for profiles in the CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY classes.
- ASYMUSAGE | NOASYMUSAGE
-
- ASYMUSAGE
- Specifies how an asymmetric key that is controlled by this profile is eligible to be used.
If you specify the ICSF operand to create a new ICSF segment and omit the ASYMUSAGE option, SECUREEXPORT and HANDSHAKE are the default settings.
- SECUREEXPORT | NOSECUREEXPORT
- Specifies whether the key is eligible to be used to export or import symmetric keys.
- HANDSHAKE | NOHANDSHAKE
- Specifies whether the key is eligible to be used to protect communication channels.
- NOASYMUSAGE
- Resets to SECUREEXPORT and HANDSHAKE.
- SYMEXPORTABLE | NOSYMEXPORTABLE
-
- SYMEXPORTABLE
- Specifies which public keys, if any, are eligible to be used to export a symmetric key that is controlled by this profile.
If you specify the ICSF operand to create a new ICSF segment and omit the SYMEXPORTABLE option, BYANY is the default setting.
- BYANY
- Any public key is eligible. The SYMEXPORTCERTS and SYMEXPORTKEYS settings are ignored.
- BYLIST
- Only public keys specified with the SYMEXPORTCERTS or SYMEXPORTKEYS option are eligible. If neither option is set for this symmetric key, no public key is eligible (as if BYNONE were specified).
- BYNONE
- No public key is eligible. The SYMEXPORTCERTS and SYMEXPORTKEYS settings are ignored.
- NOSYMEXPORTABLE
- Resets the SYMEXPORTABLE option to BYANY.
- SYMEXPORTCERTS | NOSYMEXPORTCERTS
-
- SYMEXPORTCERTS([qualifier]/label-name ... | *)
- Specifies a list of the labels of digital certificates that are eligible to be used to export the symmetric keys controlled by this profile.
Each listed certificate must exist in the ICSF key store (the SAF key ring or PKCS #11 token specified by an ICSF configuration setting). For information about the ICSF key store, see z/OS Cryptographic Services ICSF Administrator's Guide.
Specify an asterisk (*) to indicate that any certificate in the ICSF key store is eligible to be used to export the symmetric keys controlled by this profile. Specifying an asterisk (*) overrides any listed labels.
Specify each certificate label using a certificate label string in the form of qualifier/label-name.
- qualifier
- Specifies an optional qualifier in the certificate label string when multiple certificates have the same label. If specified, RACF translates the qualifier value to uppercase characters before storing it in the profile. The meaning of the qualifier value depends on where the certificate resides.
When the certificate resides in a ... | The qualifier value is ... |
---|---|
SAF key ring | The RACF user ID of the certificate owner. |
PKCS #11 token | The value of the CKA_ID attribute of the certificate. The CKA_ID value consists of up to 64 hexadecimal characters. Valid characters are 0 - 9 and A - F. |
- /label-name
- Specifies the certificate label assigned when the certificate was created. You must specify the forward slash character (/) followed by the certificate label. If the certificate label contains blanks, or special characters that cause problems with TSO/E, such as the comma, parenthesis, or comment delimiter (/*), the entire certificate label string must be enclosed in single quotation marks. Any leading or trailing blanks specified in label-name are removed from this value before storing it in the profile.
Examples of certificate label strings:
DENICE/CertForDenice
'ROGERS/Cert for Rogers'
'/DLR cert'
- ADDSYMEXPORTCERTS([qualifier]/label-name ... | *)
- Adds the specified certificate labels to the current list of labels.
- DELSYMEXPORTCERTS([qualifier]/label-name ... | *)
- Removes the specified certificate labels from the current list of labels.
- NOSYMEXPORTCERTS
- Removes the entire list of certificate labels.
- SYMEXPORTKEYS | NOSYMEXPORTKEYS
-
- SYMEXPORTKEYS(ICSF-key-label ... | *)
- Specifies a list of the ICSF key labels of public keys that are eligible to be used to export the symmetric keys controlled by this profile. Each listed public key must reside in the ICSF PKA key data set (PKDS).
Specify an asterisk (*) to indicate that any public key in the ICSF PKDS is eligible to be used to export the symmetric keys controlled by this profile. Specifying an asterisk (*) overrides any listed labels.
- ICSF-key-label
- Specifies the ICSF key label for the public key. The label name cannot exceed 64 characters. The first character must be an alphabetic character or a national character (#, @, or $). Subsequent characters can be a period character (.) or any alphanumeric or national character.
- ADDSYMEXPORTKEYS(ICSF-key-label ... | *)
- Adds the specified key labels to the current list of labels.
- DELSYMEXPORTKEYS(ICSF-key-label ... | *)
- Removes the specified key labels from the current list of labels.
- NOSYMEXPORTKEYS
- Removes the entire list of key labels.
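The SYMEXPORTABLE, SYMEXPORTCERTS and SYMEXPORTKEYS rules above, modelled in Python as an added example (not IBM code): it normalises certificate label strings the way the qualifier and label-name descriptions state, validates ICSF key labels, and decides export eligibility for BYANY, BYLIST and BYNONE, including the asterisk override and the case where BYLIST has nothing listed.

```python
"""Model of the ICSF segment's SYMEXPORTABLE, SYMEXPORTCERTS and SYMEXPORTKEYS rules.

Added example, not IBM code. It normalises certificate label strings of the
form [qualifier]/label-name the way the operand description above says RACF
stores them, validates ICSF key labels, and answers whether a given certificate
or PKDS public key is eligible to export the profile's symmetric keys.
"""
import string

NATIONAL = frozenset("#@$")
ALNUM = frozenset(string.ascii_letters + string.digits)
HEX_DIGITS = frozenset("0123456789ABCDEF")


def parse_cert_label(text):
    """Return (qualifier, label-name) as stored: qualifier uppercased, label blanks trimmed."""
    if len(text) >= 2 and text[0] == "'" and text[-1] == "'":
        text = text[1:-1]                     # quoted for TSO/E (blanks, commas, ...)
    if "/" not in text:
        raise ValueError("certificate label string must contain /label-name")
    qualifier, label = text.split("/", 1)
    label = label.strip()                     # leading and trailing blanks are removed
    if not label:
        raise ValueError("label-name is empty")
    return qualifier.upper(), label


def is_valid_cka_id(qualifier):
    """Qualifier for a certificate in a PKCS #11 token: 1 - 64 hexadecimal characters."""
    return 0 < len(qualifier) <= 64 and set(qualifier) <= HEX_DIGITS


def is_valid_icsf_key_label(label):
    """PKDS key label: at most 64 characters, first alphabetic or national, then alphanumeric, national or period."""
    if not label or len(label) > 64:
        return False
    if label[0] not in string.ascii_letters and label[0] not in NATIONAL:
        return False
    return all(ch in ALNUM or ch in NATIONAL or ch == "." for ch in label[1:])


class IcsfSegment:
    """The export-eligibility part of one profile's ICSF segment."""

    def __init__(self, symexportable="BYANY", certs=(), keys=()):
        self.symexportable = symexportable.upper()
        if self.symexportable not in ("BYANY", "BYLIST", "BYNONE"):
            raise ValueError("SYMEXPORTABLE must be BYANY, BYLIST or BYNONE")
        # An asterisk overrides any listed labels.
        self.certs = {"*"} if "*" in certs else {parse_cert_label(c) for c in certs}
        for k in keys:
            if k != "*" and not is_valid_icsf_key_label(k):
                raise ValueError(f"invalid ICSF key label {k!r}")
        self.keys = {"*"} if "*" in keys else set(keys)

    def _eligible(self, listed, item):
        if self.symexportable == "BYANY":
            return True
        if self.symexportable == "BYNONE":
            return False
        if not self.certs and not self.keys:
            return False          # BYLIST with nothing listed behaves like BYNONE
        return "*" in listed or item in listed

    def cert_may_export(self, cert_label_string):
        """Eligibility of a certificate in the ICSF key store, given as [qualifier]/label-name."""
        return self._eligible(self.certs, parse_cert_label(cert_label_string))

    def key_may_export(self, icsf_key_label):
        """Eligibility of a public key in the PKDS, given by its ICSF key label."""
        return self._eligible(self.keys, icsf_key_label)


if __name__ == "__main__":
    # Constructed sample: BYLIST with two certificates and one PKDS key.
    seg = IcsfSegment("BYLIST", certs=["DENICE/CertForDenice", "'ROGERS/Cert for Rogers'"],
                      keys=["PKDS.RSA.EXPORT1"])
    print(seg.cert_may_export("denice/CertForDenice"), seg.key_may_export("OTHER.KEY"))
```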
- SYMCPACFWRAP
- Specifies whether the encrypted symmetric keys that are controlled by this profile are eligible to be rewrapped by CP Assist for Cryptographic Function (CPACF).
If you specify the ICSF operand to create a new ICSF segment and omit the SYMCPACFWRAP option, NO is the default setting.
- YES
- Specifies that the encrypted symmetric keys that are controlled by this profile are eligible to be rewrapped by CPACF.
- NO
- Specifies that the encrypted symmetric keys that are controlled by this profile are ineligible to be rewrapped by CPACF.
- SYMCPACFRET
- Specifies whether the encrypted symmetric keys that are controlled by this profile and are rewrapped by CP Assist for Cryptographic Function (CPACF) are eligible to be returned to an authorized caller.
If you specify the ICSF operand to create a new ICSF segment and omit the SYMCPACFRET option, NO is the default setting.
- YES
- Specifies that the encrypted symmetric keys that are controlled by this profile and are rewrapped by CP Assist for Cryptographic Function (CPACF) are eligible to be returned to an authorized caller.
- NO
- Specifies that the encrypted symmetric keys that are controlled by this profile and are rewrapped by CP Assist for Cryptographic Function (CPACF) are ineligible to be returned to an authorized caller.
- NOICSF
- Deletes the ICSF segment.
- ICTX | NOICTX
-
- ICTX
- Specifies the ICTX configuration options that control the ICTX identity cache.
The ICTX identity cache uses an in-storage copy of the configuration options. Use SETROPTS RACLIST processing for the LDAPBIND class to activate these options. See z/OS Security Server RACF Security Administrator's Guide for more information about SETROPTS RACLIST processing.
For details about the ICTX configuration options, see z/OS Integrated Security Services EIM Guide and Reference.
The following operands are used only for the following profiles in the LDAPBIND class and are ignored for other profiles:
- IRR.ICTX.DEFAULTS.sysid
- IRR.ICTX.DEFAULTS
- USEMAP (YES | NO)
- Specifies whether the ICTX identity cache stores an identity mapping to a local z/OS user ID when provided by the application.
- YES
- When the application provides a valid mapping to a local z/OS user ID, the ICTX identity cache stores it.
- NO
- Identity mappings provided by the application are not stored.
- NOUSEMAP
- Resets the USEMAP value to YES.
- DOMAP (YES | NO)
- Specifies whether the ICTX identity cache uses Enterprise Identity Mapping (EIM) services to find a mapping to a z/OS user ID for an authenticated user, and then stores the mapping.
- YES
- When EIM finds a mapping to a z/OS user ID for an authenticated user, the ICTX identity cache stores it.
- NO
- The ICTX identity cache does not use EIM to find an identity mapping.
- NODOMAP
- Resets the DOMAP value to NO.
- MAPREQUIRED (YES | NO)
- Specifies whether the ICTX identity cache requires identity mapping to a z/OS user ID for an authenticated user.
- YES
- The ICTX identity cache fails the request when no valid mapping is provided by the application or found using EIM.
- NO
- The ICTX identity cache does not fail the request when no valid mapping is provided by the application or found using EIM.
- NOMAPREQUIRED
- Resets the MAPREQUIRED value to NO.
- MAPPINGTIMEOUT(1 - 3600)
- Specifies how long (one second to one hour) the ICTX identity cache stores an identity mapping to a z/OS user ID for an authenticated user.
Guideline: If you frequently modify your EIM mappings, consider a low MAPPINGTIMEOUT value. A shorter timeout period causes the ICTX identity cache to invoke EIM more frequently. This allows your cached mappings to be refreshed more frequently and improves their currency.
- NOMAPPINGTIMEOUT
- Resets the MAPPINGTIMEOUT value to 3600 seconds (one hour).
- NOICTX
- Deletes the ICTX segment.
- IDTPARMS | NOIDTPARMS
-
- IDTPARMS
- Specifies information for the IDTDATA class profile being changed.
- SIGTOKEN | NOSIGTOKEN
-
- SIGTOKEN(pkcs11-token-name)
- Specifies the name of an ICSF PKCS#11 token for the generation and validation of Identity Token (IDT) signatures associated with this profile.
The token name may consist of alphanumeric characters, national characters (@, #, $) and the period symbol. The token name is not case sensitive.
The minimum token name length is 1. The maximum token name length is 32.
There is no default value.
For more information, see z/OS Cryptographic Services ICSF Application Programmer's Guide.
- NOSIGTOKEN
- Deletes the SIGTOKEN in the profile.
- SIGSEQNUM | NOSIGSEQNUM
-
- SIGSEQNUM(pkcs11-sequence-number)
- Specifies the ICSF PKCS#11 sequence number of the key for the generation and validation of Identity Token (IDT) signatures associated with this profile.
The sequence number must be a hexadecimal number.
The minimum sequence number is 1. The maximum sequence number length is 8 hexadecimal digits. The default value is 1.
- NOSIGSEQNUM
- Deletes the SIGSEQNUM in the profile.
- SIGCAT | NOSIGCAT
-
- SIGCAT(pkcs11-category)
- Specifies the ICSF PKCS#11 category of the key for the generation and validation of Identity Token (IDT) signatures associated with this profile. The category must be one of the following values:
- T - Specifies a clear token object.
- Y - Specifies a secure token object.
The default value is T.
- NOSIGCAT
- Deletes the SIGCAT in the profile.
- SIGALG | NOSIGALG
-
- SIGALG(HS256 | HS384 | HS512)
- Specifies the signature algorithm for the generation of Identity Token (IDT) signatures associated with this profile. The default value is HS256.
- HS256
- Specifies the signature algorithm as HMAC with SHA-256.
- HS384
- Specifies the signature algorithm as HMAC with SHA-384.
- HS512
- Specifies the signature algorithm as HMAC with SHA-512.
- NOSIGALG
- Deletes the SIGALG in the profile.
- ANYAPPL(YES | NO)
- Specifies whether the IDT that RACROUTE generates can be used for any application name or only for the application name that performed authentication. The default value is YES.
When ANYAPPL(YES) is specified, RACROUTE generates the IDT so that it can be used for any application name.
When ANYAPPL(NO) is specified, RACROUTE generates the IDT so that it can be used only by the application name that performed the authentication.
When RACROUTE generates an IDT that is not for an end user (the IDTA parameter field IDTA_End_User_IDT is off), RACROUTE ignores this setting and generates the IDT so that it can be used with any application name.
- IDTTIMEOUT | NOIDTTIMEOUT
-
- IDTTIMEOUT(timeout-minutes)
- Specifies the number of minutes that the Identity Token (IDT) associated with the profile is active.
The value of timeout-minutes can be between 1 and 1440. The default value is 5.
- NOIDTTIMEOUT
- Deletes the IDTTIMEOUT in the profile. The default value of 5 goes into effect.
- PROTALLOWED(YES | NO)
- Specifies whether an Identity Token (IDT) validated with this profile can be used to authenticate a protected user.
- NOIDTPARMS
- Deletes the IDTPARMS segment.
- JES | NOJES
-
- JES
- Specifies the JES information for the profile being changed.
- KEYLABEL | NOKEYLABEL
-
- KEYLABEL(key-label)
- Specifies the name of an ICSF key-label to be used when encrypting spool data for resources that are covered by the profile.
- NOKEYLABEL
- Specifies that you want to delete the key-label from the JES segment of the profile.
- KERB | NOKERB
-
- KERB
- Specifies z/OS Integrated Security Services Network Authentication Service information for a REALM class profile.
- CHECKADDRS | NOCHECKADDRS
-
- CHECKADDRS
- Specifies whether the Kerberos server validates addresses in tickets as part of ticket validation processing.
This keyword is only applicable when defining the KERBDFLT REALM profile for the local realm.
- YES
- The server validates addresses in tickets.
- NO
- The server ignores addresses in tickets.
- NOCHECKADDRS
- Resets the CHECKADDRS value to NO.
- DEFTKTLFE | NODEFTKTLFE
-
- DEFTKTLFE(def-ticket-life)
- Specifies the default ticket lifetime for the local z/OS Network Authentication Service in seconds. The value for DEFTKTLFE is 1 - 2 147 483 647. Note that 0 is not a valid value.
This keyword is only applicable when defining the KERBDFLT REALM profile for the local realm.
The RALTER command only requires specification of all of the ticket lifetime keywords on the same command invocation if RALTER is being used to initially define these values. If values have been previously defined, RACF uses both the previous values and new values specified to verify the specified def-ticket-life value.
- NODEFTKTLFE
- Deletes the def-ticket-lifetime value for the local z/OS Network Authentication Service.
- ENCRYPT | NOENCRYPT
-
- ENCRYPT
- Specifies which keys can be used by the z/OS Network Authentication Service realm you are changing.
- DES | NODES
- Whether DES encrypted keys can be used.
- DES3 | NODES3
- Whether DES3 encrypted keys can be used.
- DESD | NODESD
- Whether DESD encrypted keys can be used.
- AES128 | NOAES128
- Whether AES128 encrypted keys can be used.
- AES256 | NOAES256
- Whether AES256 encrypted keys can be used.
- AES128SHA2 | NOAES128SHA2
- Whether AES128 SHA2 encrypted keys can be used.
- AES256SHA2 | NOAES256SHA2
- Whether AES256 SHA2 encrypted keys can be used.
When a realm's password changes, a key of each type is generated and stored in the principal's user profile. The use of each key is based on the z/OS Network Authentication Service configuration.
See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses keys and how to customize environment variables related to keys.
- NOENCRYPT
- Specifies that there is no restriction on which generated keys the realm can use, and resets the KERB ENCRYPT values to the default settings.
See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses keys and how to customize environment variables related to keys.
- KERBNAME | NOKERBNAME
-
- KERBNAME(kerberos-realm-name)
- Specifies the local realm name or a trust relationship for z/OS Network Authentication Service.
The maximum length of this field is 117 characters.
- When you specify the local realm name for the KERBDFLT realm, you must specify KERBNAME using the unqualified form of the local realm name. For example:
RALTER REALM KERBDFLT KERB(KERBNAME(KRB2000.IBM.COM))
Important: Avoid renaming your local realm name. If you rename your local realm, the keys for existing principals become unusable.
- When you specify a trust relationship, you must specify the fully qualified principal name using the following form:
/.../kerberos_realm_name_1/krbtgt/kerberos_realm_name_2
For more information about defining trust relationships, see z/OS Integrated Security Services Network Authentication Service Administration.
Syntax rules for naming your local realm:
The local realm name that you define to RACF can consist of any character, except the / (X'61') character. You can enter the name with or without single quotation marks, depending on the following:
- If parentheses, commas, blanks, or semicolons are entered as part of the name, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the name and the entire character string is enclosed in single quotation marks, you must use two single quotation marks together to represent each single quotation mark within the string.
- If the first character of the name is a single quotation mark, you must enter the string within single quotation marks, with two single quotation marks entered for the single quotation mark.
Guidelines for naming your local realm:
- Avoid using EBCDIC variant characters to prevent problems with different code pages.
- Carefully consider the length of the local realm name. Its length limits the length of local principal names because fully qualified local principal names use the following form and cannot exceed 240 characters:
/.../kerberos_realm_name/principal_name
The length of the fully qualified local principal name is checked by RACF only when a local kerberos-principal-name is added or altered. Therefore, plan ahead to ensure that the maximum length of your principal names is sufficient and to avoid renaming the local realm. If you rename your local realm (using the RALTER command), the keys for existing principals become unusable.
- NOKERBNAME
- Deletes the kerberos-realm-name value.
- MAXTKTLFE | NOMAXTKTLFE
-
- MAXTKTLFE(max-ticket-life)
- Specifies the max-ticket-life for the local z/OS Integrated Security Services Network Authentication Service in seconds. The value for MAXTKTLFE is 1 - 2 147 483 647. Note that 0 is not a valid value.
This keyword is only applicable when defining the KERBDFLT REALM profile for the local z/OS Network Authentication Service realm.
The RALTER command only requires specification of all of the ticket lifetime keywords on the same command invocation if RALTER is being used to initially define these values. If values have been previously defined, RACF uses both these previous values and new values specified on the command, to verify the specified max-ticket-life value.
- NOMAXTKTLFE
- Deletes the max-ticket-lifetime value for the local z/OS Network Authentication Service.
- MINTKTLFE | NOMINTKTLFE
-
- MINTKTLFE(min-ticket-life)
- Specifies the min-ticket-life for the z/OS Network Authentication Service in seconds. The value of MINTKTLFE is 1 - 2 147 483 647. Note that 0 is not a valid value.
This keyword is only applicable when defining the KERBDFLT REALM profile for the local realm.
The RALTER command only requires specification of all of the ticket lifetime keywords on the same command invocation if RALTER is being used to initially define these values. If values have been previously defined, RACF uses both the previous values and new values specified on the command to verify the specified min-ticket-life value.
- NOMINTKTLFE
- Deletes the min-ticket-lifetime value for the local z/OS Network Authentication Service principal.
- PASSWORD | NOPASSWORD
-
- PASSWORD(kerberos-password)
- Specifies the value of the kerberos-password. The maximum length of this value is 128 characters. The PASSWORD keyword is applicable to all REALM class profile definitions. A password must be associated with the definition of a trust relationship or else the definition is incomplete.
Guideline: Avoid using EBCDIC variant characters to prevent problems with different code pages.
The kerberos-password that you define to RACF might consist of any character. You can enter a password with or without single quotation marks, depending on the following:
- If parentheses, commas, blanks, or semicolons are entered as part of the password, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the password and the entire character string is enclosed in single quotation marks, you must use two single quotation marks together for each single quotation mark within the string.
- If the first character of the password is a single quotation mark, you must enter the string within single quotation marks, with two single quotation marks entered for the character.
Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.
Note: This keyword is intended for administrators to be able to associate a password with the definition of a realm. It is not the same as a RACF user password and is not constrained by the SETROPTS password rules and change interval values that might be established for RACF user passwords. ICSF must be available prior to changing the password because the encryption keys for the REALM class profile are generated using ICSF services.
- NOPASSWORD
- Deletes the z/OS Network Authentication Service password. If this is the local z/OS Network Authentication Service realm (KERBDFLT), it will no longer be able to grant ticket-granting tickets. Removal of the password from a foreign realm definition will invalidate the inter-realm trust relationship.
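The quoting rules above for the kerberos-password, which are the same rules given for the local realm name (KERBNAME) and for the EIM registry names (LOCALREGISTRY, KERBREGISTRY, X509REGISTRY), as an added Python example that is not IBM code. It assumes that any value containing a single quotation mark is quoted (the registry-name rule, which is also valid for KERBNAME and PASSWORD); the length limit passed to build_operand is the one stated for each operand.

```python
"""Quoting helper for RALTER operand values such as LOCALREGISTRY(...),
KERBREGISTRY(...), X509REGISTRY(...), KERBNAME(...) and PASSWORD(...).

Added example, not IBM code. It applies the quoting rules given above: the
value must be enclosed in single quotation marks when it contains parentheses,
commas, blanks or semicolons, or when it begins with a single quotation mark,
and each single quotation mark inside a quoted value is entered twice.
Assumption: any value containing a single quotation mark is quoted (the
registry-name rule). Case is preserved as entered.
"""
SPECIAL = frozenset("(), ;")


def quote_operand_value(value):
    """Return value in the form that must be typed inside the operand's parentheses."""
    if value == "":
        raise ValueError("value is empty")
    if value[0] != "'" and "'" not in value and not any(ch in SPECIAL for ch in value):
        return value                                  # may be entered without quotation marks
    return "'" + value.replace("'", "''") + "'"       # double each embedded quotation mark


def unquote_operand_value(text):
    """Recover the value RACF stores from its typed form; raise ValueError on malformed input."""
    if not text.startswith("'"):
        if "'" in text or any(ch in SPECIAL for ch in text):
            raise ValueError("unquoted value contains characters that require quotation marks")
        return text
    if len(text) < 2 or not text.endswith("'"):
        raise ValueError("quoted string is not terminated")
    inner, out, i = text[1:-1], [], 0
    while i < len(inner):
        if inner[i] == "'":
            if i + 1 < len(inner) and inner[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            raise ValueError("single quotation mark inside a quoted string must be doubled")
        out.append(inner[i])
        i += 1
    return "".join(out)


def build_operand(keyword, value, max_length):
    """Build KEYWORD(quoted-value), enforcing the operand's stored-length limit."""
    if len(value) > max_length:
        raise ValueError(f"{keyword} value exceeds {max_length} characters")
    return f"{keyword}({quote_operand_value(value)})"


if __name__ == "__main__":
    # Constructed samples: a realm name (117-character limit) and a registry name (255).
    print(build_operand("KERBNAME", "KRB2000.IBM.COM", 117))
    print(build_operand("LOCALREGISTRY", "Local RACF (prod); O'Neil", 255))
```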
- NOKERB
- Deletes the KERB segment.
- LEVEL(nn)
- Specifies a level indicator, where nn is an integer in the range of 00 - 99. Your installation assigns the meaning of the value. It is included on all records that log resource accesses and is listed by the RLIST command.
- MFA | NOMFA
- The MFA segment is intended to be updated only by IBM Multi-Factor Authentication for z/OS.
- MFA
- Specifies that RACF create an MFA segment in the MFADEF profile.
- NOMFA
- Specifies that RACF delete the MFA segment from the MFADEF profile.
- MFPOLICY | NOMFPOLICY
- Specifies multi-factor authentication policy information for the MFADEF class profile being changed.
- FACTORS | ADDFACTORS | DELFACTORS | NOFACTORS
- Specifies the list of factors that are required to satisfy this authentication policy.
- FACTORS(factor-name1 ...)
- Specifies the list of factor names that are required in order to satisfy this authentication policy.
- ADDFACTORS(factor-name1 ...)
- Adds to the list of factor names that are required in order to satisfy this authentication policy.
- DELFACTORS(factor-name1 ...)
- Deletes from the list of factor names that are required in order to satisfy this authentication policy.
- NOFACTORS
- Removes the list of factor names from the authentication policy.
- TOKENTIMEOUT(timeout-seconds)
- Specifies the number of seconds for which out-of-band authentication with the policy is valid. That is, after having authenticated out-of-band with the policy to IBM MFA, the user must logon to a z/OS application within this number of seconds or the out-of-band authentication record will time out. When an out-of-band authentication record times out, a user must authenticate out-of-band again to IBM MFA in order to logon.
The value of timeout-seconds can be between 1 and 86,400 (the number of seconds in a day).
The default value is 300 (5 minutes).
- REUSE(YES|NO)
- Specifies whether this out-of-band authentication policy allows multiple z/OS logons using the out-of-band token within the TOKENTIMEOUT setting. When REUSE(NO) is specified, the user must authenticate out-of-band with the policy prior to every z/OS logon.
REUSE(NO) is the default.
- NOMFPOLICY
- Specifies that RACF deletes the MFPOLICY segment from the MFADEF profile.
- NOTIFY | NONOTIFY
- NOTIFY[(userid)]
- Specifies the user ID of a RACF-defined user to be notified whenever RACF uses this profile to deny access to a resource.
If you specify NOTIFY without specifying a user ID, RACF takes your user ID as the default; you are notified whenever the profile denies access to a resource.
If you receive NOTIFY messages, you should log on frequently to take action in response to the unauthorized access attempt described in each message. RACF sends NOTIFY messages to the SYS1.BRODCAST data set. When the resource profile also includes WARNING, RACF might have granted access to the resource to the user identified in the message.
When RACF denies access to a resource, it does not notify a user:
- When the resource is in the PROGRAM class
- When the resource is in a class for which an application has built in-storage profiles using RACROUTE REQUEST=LIST
Some applications, such as IMS and CICS®, load all the profiles for a given class into storage. After these profiles are in storage, the applications can do a fast authorization check using RACROUTE REQUEST=FASTAUTH. Fast authorization checking is different from normal authorization checking in several ways. One difference is that, in some cases, fast authorization checking does not issue warning messages, notification messages or support auditing. In cases where it does not, return and reason codes are returned to the application to allow support of these functions. The application can examine the return and reason codes and use RACROUTE REQUEST=AUTH to create the messages and audit records. If the application uses RACROUTE REQUEST=AUTH to support auditing or specifies LOG=ASIS on RACROUTE REQUEST=FASTAUTH, the specified user is notified. Otherwise, notification, warning, and such do not occur.
For details on using RACF with IMS, visit IMS in IBM Documentation.
For details on using RACF with CICS, visit CICS Transaction Server for z/OS.
- When the profile is used to disallow the creation or deletion of a data set
NOTIFY is used only for resource access checking, not for resource creation or deletion.
- NONOTIFY
- Specifies that no user is to be notified when RACF uses this profile to deny access to a resource.
- OWNER(userid or group-name)
- Specifies a RACF-defined user or group to be assigned as the new owner of the resource you are changing.
To change the owner of a resource, you must be the current owner of the resource or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute. The user specified as the owner does not automatically have access to the resource. Use the PERMIT command to add the owner to the access list as desired.
- PROXY | NOPROXY
- PROXY
- Specifies information which the z/OS LDAP server will use when acting as a proxy on behalf of a requester. The R_proxyserv (IRRSPY00) SAF callable service will attempt to retrieve this information when it is not explicitly supplied with the invocation parameters. Applications or other services which use the R_proxyserv callable service, such as IBM Policy Director Authorization Services for z/OS and OS/390®, may instruct their invokers to define PROXY segment information.
- LDAPHOST | NOLDAPHOST
- LDAPHOST(ldap_url)
- Specifies the URL of the LDAP server which the z/OS LDAP server will contact when acting as a proxy on behalf of a requester. An LDAP URL has a format such as ldap://12.34.56.78:389 or ldaps://12.34.56.78:636, where ldaps indicates that an SSL connection is desired for a higher level of security. LDAP will also allow you to specify the host name portion of the URL using either the text form (BIGHOST.POK.IBM.COM) or the dotted decimal address (12.34.56.78). The port number is appended to the host name, separated by a colon (X'7A'). For more information about LDAP URLs and how to enable LDAP servers for SSL connections, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
The LDAP URL that you define to RACF can consist of 10 - 1023 characters. A valid URL must start with either ldap:// or ldaps://. RACF will allow any characters to be entered for the remaining portion of the URL, but you should ensure that the URL conforms to TCP/IP conventions. For example, parentheses, commas, blanks, semicolons, and single quotation marks are not typically allowed in a host name. The LDAP URL can be entered with or without single quotation marks. RACF does not ensure that a valid LDAP URL has been specified.
- NOLDAPHOST
- Deletes the URL of the LDAP server which the z/OS LDAP server will contact when acting as a proxy on behalf of a requester.
- BINDDN | NOBINDDN
- BINDDN(bind_distinguished_name)
- Specifies the distinguished name (DN) which the z/OS LDAP server will use when acting as a proxy on behalf of a requester. This DN will be used in conjunction with the BIND password, if the z/OS LDAP server needs to supply an administrator or user identity to BIND with another LDAP server. A DN is made up of attribute:value pairs, separated by commas. For example:
- cn=Ben Gray,ou=editing,o=New York Times,c=US
- cn=Lucille White,ou=editing,o=New York Times,c=US
- cn=Tom Brown,ou=reporting,o=New York Times,c=US
When you define a BIND DN to RACF, it can contain 1 - 1023 characters. The BIND DN can consist of any characters and can be entered with or without single quotation marks. The following rules apply:
- If parentheses, commas, blanks, or semicolons are to be entered as part of the BIND DN, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the BIND DN, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. For more information about LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If you issue the RALTER command as a RACF operator command and you specify the BIND DN in lowercase, you must include the BIND DN within single quotations.
RACF does not ensure that a valid BIND DN has been specified.
- NOBINDDN
- Deletes the distinguished name (DN) used by the z/OS LDAP server when acting as a proxy on behalf of a requester.
- BINDPW | NOBINDPW
- BINDPW
- Specifies the password which the z/OS LDAP server will use when acting as a proxy on behalf of a requester. When you define a BIND password to RACF, it can contain 1 - 128 characters. The BIND password can consist of any characters (except where noted in the following rules) and can be entered with or without single quotation marks. The following rules apply:
- The BIND password cannot start with a left brace { character (X'8B').
- If parentheses, commas, blanks, or semicolons are to be entered as part of the BIND password, the character string must be enclosed in single quotation marks.
- If a single quotation mark is intended to be part of the BIND password, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. For more information about LDAP passwords, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If you issue the RALTER command as a RACF operator command and you specify the BIND password in lowercase, you must include the BIND password within single quotations.
RACF does not ensure that a valid BIND password has been specified.
- NOBINDPW
- Deletes the password used by the z/OS LDAP server when acting as a proxy on behalf of a requester.
- NOPROXY
- Deletes LDAP proxy information.
- SECLABEL | NOSECLABEL
- SECLABEL(seclabel-name)
- Specifies an installation-defined security label for this profile. A security label corresponds to a particular security level (such as CONFIDENTIAL) with a set of zero or more security categories (such as PAYROLL or PERSONNEL).
If you are authorized to use the SECLABEL, RACF stores the name of the security label you specify in the resource profile.
If you are not authorized to the SECLABEL, or if the name you specified is not defined as a SECLABEL profile in the SECLABEL class, the resource profile is not updated. If the SECLABEL class is active and a security label is specified in this profile, any security levels and categories in the profile are ignored.
- NOSECLABEL
- Removes the security label, if one had been specified, from the profile.
- SECLEVEL | NOSECLEVEL
- SECLEVEL(seclevel-name)
- Specifies the name of an installation-defined security level. This name corresponds to the number that is the minimum security level that a user must have to access the resource. The seclevel-name must be a member of the SECLEVEL profile in the SECDATA class.
When you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to its other authorization checking. If global access checking does not grant access, RACF compares the security level allowed in the user profile with the security level required in the resource profile. If the security level in the user profile is less than the security level in the resource profile, RACF denies the access. If the security level in the user profile is equal to or greater than the security level in the resource profile, RACF continues with other authorization checking.
RACF does not perform security level checking for a started task that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class. Also, RACF does not enforce security level information specified on profiles in the PROGRAM class.
If the SECDATA class is not active, RACF stores the name you specify in the resource profile. When the SECDATA class is activated and the name you specified is defined as a SECLEVEL profile, RACF can perform security level access checking for the resource profile. If the name you specify is not defined as a SECLEVEL profile, you are prompted to provide a valid seclevel-name.
- NOSECLEVEL
- Specifies that the RALTER command is to delete the security level name from the profile. RACF no longer performs security level checking for the resource.
- SESSION | NOSESSION
- SESSION
- Controls the establishment of sessions between logical units under LU6.2. This operand is only valid for the APPCLU resource class. It allows the following suboperand to add, change, or delete SESSION segment field values when changing an APPCLU class profile.
- CONVSEC | NOCONVSEC
- CONVSEC(security-checking-level)
- Specifies the level or levels of security checking performed when
conversations are established with the LU protected by this profile.
The security-checking-level value can be one of the following levels.
Guideline: Specify a CONVSEC option for each APPCLU profile.
- NONE
- All inbound allocate requests pass without RACF checking for a valid user ID. No RACROUTE REQUEST=VERIFY is issued.
- CONV
- APPC/MVS issues a RACROUTE REQUEST=VERIFY to verify the user ID and password for all inbound allocate requests.
- ALREADYV
- APPC/MVS does not verify the user ID and password for any inbound allocate requests. If you specify ALREADYV, you assume that user IDs and passwords have already been verified by the partner LU. You must specify this only if the partner LU is trustworthy.
- PERSISTV
- Specifies persistent verification.
- AVPV
- The user ID/password is already verified and persistent verification is requested. In general, you should select one of NONE, CONV, and ALREADYV for each APPCLU profile.
- NOCONVSEC
- Delete any existing conversation security parameters.
- INTERVAL | NOINTERVAL
- INTERVAL(n)
- Sets the maximum number of days the session key is valid. This value of n is 1 - 32767. If the key interval is longer than the installation maximum (set with SETROPTS SESSIONINTERVAL), the INTERVAL is not changed.
- NOINTERVAL
- There is no limit on the number of days the key is valid.
- LOCK | NOLOCK
- LOCK
- Marks the profile as locked.
- NOLOCK
- Unlocks a previously locked profile.
- SESSKEY | NOSESSKEY
- SESSKEY(session-key)
- Changes the key for this profile. The session-key value can be expressed in two ways:
- X'y' where y is a hexadecimal number of 1 - 16 digits
- z or 'z' where z is a string of 1 - 8 characters
If the entire 16 digits or 8 characters are not used, the field is padded to the right with binary zeros.
Note: Session keys are 64-bit Data Encryption Standard (DES) keys. With DES, 8 of the 64 bits are reserved for use as parity bits, so those 8 bits are not part of the 56-bit key. In hexadecimal notation, the DES parity bits are: X'0101 0101 0101 0101'. Any two 64-bit keys are equivalent DES keys if their only difference is in one or more of these parity bits. For instance, the following SESSKEY values, although appearing to be different, are equivalent because they differ only in the last bit of each byte:
- BDF0KM4Q, which is X'C2C4 C6F0 D2D4 F4D8'
- CEG1LN5R, which is X'C3C5 C7F1 D3D5 F5D9'
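As an added example (not from the IBM page), the following Python code normalises a SESSKEY value in either operand form to the stored 8-byte key and compares two values as DES keys with the parity bits masked off, which is the equivalence the note describes. The EBCDIC code page cp037 and the right-padding of a short X'y' digit string with zeros are assumptions.

```python
"""Added example, not from the IBM page: normalise RALTER SESSKEY values and
compare them as DES keys, ignoring the 8 parity bits described in the note."""
import re

KEY_LEN = 8            # a session key is a 64-bit (8-byte) DES key
PARITY_MASK = 0x01     # X'01' in every byte: the DES parity bit
EBCDIC = "cp037"       # assumption: character keys are stored in this EBCDIC code page

# X'y' form: 1 - 16 hex digits, blanks between groups tolerated as in the note's examples
_HEX_FORM = re.compile(r"^[Xx]'([0-9A-Fa-f ]+)'$")


def sesskey_bytes(value: str) -> bytes:
    """Return the 8-byte key RACF would store for a SESSKEY operand value.

    Short values are padded on the right with binary zeros, as the operand
    description states; for the hex form this is taken to mean padding the
    digit string on the right with zeros (an assumption).
    """
    value = value.strip()
    m = _HEX_FORM.match(value)
    if m:
        digits = m.group(1).replace(" ", "")
        if not 1 <= len(digits) <= 16:
            raise ValueError("X'y' session key must have 1 - 16 hex digits")
        return bytes.fromhex(digits.ljust(16, "0"))
    # z or 'z' form: strip the optional enclosing single quotation marks
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]
    if not 1 <= len(value) <= 8:
        raise ValueError("character session key must be 1 - 8 characters")
    return value.encode(EBCDIC).ljust(KEY_LEN, b"\x00")


def effective_key(key: bytes) -> bytes:
    """Clear the parity bit of each byte, leaving the 56 bits DES actually uses."""
    return bytes(b & ~PARITY_MASK & 0xFF for b in key)


def same_des_key(a: str, b: str) -> bool:
    """True when two SESSKEY values are equivalent DES keys (differ only in parity bits)."""
    return effective_key(sesskey_bytes(a)) == effective_key(sesskey_bytes(b))


def has_odd_parity(key: bytes) -> bool:
    """True when every byte has odd parity, the conventional DES key form."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def with_odd_parity(key: bytes) -> bytes:
    """Canonical form: set each parity bit so every byte has odd parity."""
    out = bytearray()
    for b in key:
        core = b & ~PARITY_MASK & 0xFF
        out.append(core | (PARITY_MASK if bin(core).count("1") % 2 == 0 else 0))
    return bytes(out)


if __name__ == "__main__":
    # The two values the note calls equivalent, one in each operand form
    a, b = "BDF0KM4Q", "X'C3C5 C7F1 D3D5 F5D9'"
    print(sesskey_bytes(a).hex().upper(), sesskey_bytes(b).hex().upper())
    print("equivalent DES keys:", same_des_key(a, b))
    print("canonical odd-parity form:", with_odd_parity(sesskey_bytes(a)).hex().upper())
```

Comparing keys through effective_key rather than byte-for-byte is what makes a review of APPCLU profiles catch two partner LUs that were given "different" keys that DES treats as the same.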
- NOSESSKEY
- Deletes the session key for this profile.
- NOSESSION
- Deletes the SESSION segment from this profile.
- SIGVER | NOSIGVER
- SIGVER
- Specifies the options for verifying the signatures of programs that are protected by this general resource profile.
Rule: Specify SIGVER only for profiles in the PROGRAM class. Any options that are specified with the SIGVER operand are ignored for profiles in a class other than the PROGRAM class.
Restriction: Digital signature verification is supported only for program objects that are stored as members of a partitioned data set extended (PDSE) library. Digital signature verification is not supported for programs that are stored as members of a partitioned data set (PDS) library.
Any options that are specified with the SIGVER operand are ignored for unsupported programs.
Note: Regardless of the SIGREQUIRED setting, specifying FAILLOAD(NEVER) and SIGAUDIT(NONE) is equivalent to having no SIGVER segment.
For detailed information, see Program signing and verification in z/OS Security Server RACF Security Administrator's Guide.
- SIGREQUIRED | NOSIGREQUIRED
- SIGREQUIRED
- Specifies whether programs that are protected by this profile must be digitally signed.
- YES
- Specifies that programs must be digitally signed. When you specify SIGREQUIRED(YES), the following conditions apply to any program that is protected by this general resource profile:
- If the program has a digital signature:
- Signature verification processing occurs.
- The program continues to load according to the FAILLOAD setting.
- Logging occurs according to the SIGAUDIT setting.
- If the program has no digital signature:
- Signature verification processing occurs, resulting in a signature verification failure.
- The program continues to load according to the FAILLOAD setting.
- Logging occurs according to the SIGAUDIT setting.
Important: If you share the RACF database with other z/OS systems, do not specify SIGREQUIRED(YES) until you determine if another version of any program that is protected by this profile runs on a shared system. If so, ensure that each version of a protected program on the shared system is digitally signed. An unsigned version of a program that is protected with SIGREQUIRED(YES) might fail to load. Alternatively, consider protecting the other version with a separate program profile.
- NO
- Specifies that programs need not be digitally signed. When you specify SIGREQUIRED(NO), the following conditions apply to any program that is protected by this general resource profile:
- If the program has a digital signature:
- Signature verification processing occurs.
- The program continues to load according to the FAILLOAD setting.
- Logging occurs according to the SIGAUDIT options.
- If the program has no digital signature:
- No signature verification occurs.
- The program continues to load. The FAILLOAD setting is ignored.
- No logging occurs. The SIGAUDIT setting is ignored.
- NOSIGREQUIRED
- Resets the SIGREQUIRED value to NO.
- FAILLOAD | NOFAILLOAD
- FAILLOAD
- Specifies the conditions under which the program fails to load in the event that a signature verification failure occurs.
- ANYBAD
- Specifies that the program fails to load when a signature verification failure occurs, regardless of the cause. Such failures include those resulting from an incorrect signature, or an error establishing the trust of the signer. This setting includes failures related to administrative errors, such as a missing or incorrectly defined key ring.
The ANYBAD setting includes the failures covered by the BADSIGONLY setting, and also includes errors establishing the trust of the signer.
- BADSIGONLY
- Specifies that the program fails to load only when the signature verification failure is caused by an incorrect digital signature. Such failures include only those resulting from a signature that fails verification or a signature structure that is missing or improperly formatted.
In contrast to ANYBAD, the BADSIGONLY setting does not cause a program to fail to load when the program has a valid signature originating from an untrusted signer.
- NEVER
- Specifies that the program never fails to load when a signature verification failure is detected.
- NOFAILLOAD
- Resets the FAILLOAD value to NEVER.
- SIGAUDIT | NOSIGAUDIT
- SIGAUDIT
- Specifies which signature verification events are logged. Messages are issued to the console only for signature verification failures that are logged.
- ALL
- Logs all signature verifications, whether successful or not.
- SUCCESS
- Logs only signature verification successes. In other words, the digital signature is valid and the root CA certificate is trusted.
- ANYBAD
- Logs all signature verification failures, regardless of the cause of the failure. Such failures include those resulting from an incorrect signature, or an error establishing the trust of the signer. This setting includes failures related to administrative errors, such as a missing or incorrectly defined key ring.
The ANYBAD setting logs the failures covered by the BADSIGONLY setting, and also logs errors that are encountered when establishing the trust of the signer.
- BADSIGONLY
- Logs only signature verification failures caused by an incorrect digital signature. Such failures include only those resulting from a signature that fails verification or a signature structure that is missing or improperly formatted.
In contrast to ANYBAD, the BADSIGONLY setting does not log a signature verification failure when the program has a valid signature originating from an untrusted signer.
- NONE
- Logs no digital signature verification events.
- NOSIGAUDIT
- Resets the SIGAUDIT value to NONE.
- NOSIGVER
- Deletes the SIGVER segment.
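As an added example (not from the IBM page), the following Python model applies the SIGREQUIRED, FAILLOAD and SIGAUDIT rules above to one program load and reports which verification failures a given SIGVER segment would let load without an audit record. The Outcome categories, the SigverSegment and LoadDecision types and the silent_failures helper are this example's own names.

```python
"""Added example, not from the IBM page: a model of how the SIGVER settings
SIGREQUIRED, FAILLOAD and SIGAUDIT combine for a PROGRAM class profile."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Result of signature verification for one program load (example categories)."""
    SUCCESS = "valid signature, trusted signer"
    BADSIG = "signature missing, malformed or fails verification"
    UNTRUSTED = "valid signature from an untrusted signer"
    ADMIN_ERROR = "trust could not be established, e.g. missing or bad key ring"


# Failure outcomes covered by the BADSIGONLY and ANYBAD options, per the operand text
BADSIG_ONLY = {Outcome.BADSIG}
ANY_BAD = {Outcome.BADSIG, Outcome.UNTRUSTED, Outcome.ADMIN_ERROR}


@dataclass(frozen=True)
class SigverSegment:
    sigrequired: bool = False   # SIGREQUIRED(YES|NO); NOSIGREQUIRED resets to NO
    failload: str = "NEVER"     # ANYBAD | BADSIGONLY | NEVER; NOFAILLOAD resets to NEVER
    sigaudit: str = "NONE"      # ALL | SUCCESS | ANYBAD | BADSIGONLY | NONE; NOSIGAUDIT resets to NONE

    def is_effective(self) -> bool:
        """FAILLOAD(NEVER) with SIGAUDIT(NONE) is equivalent to having no SIGVER segment."""
        return not (self.failload == "NEVER" and self.sigaudit == "NONE")


@dataclass(frozen=True)
class LoadDecision:
    verified: bool   # did signature verification processing occur at all
    loads: bool      # does the program continue to load
    logged: bool     # is an audit record written for this event


def decide(seg: SigverSegment, signed: bool, outcome: Outcome) -> LoadDecision:
    """Apply the SIGVER rules to one load of a program protected by this profile.

    `outcome` is what verification would produce if it runs; for an unsigned
    program it is forced to BADSIG, matching the SIGREQUIRED(YES) wording
    ("resulting in a signature verification failure").
    """
    if not signed:
        if not seg.sigrequired:
            # SIGREQUIRED(NO): no verification, the program loads, FAILLOAD and SIGAUDIT ignored
            return LoadDecision(verified=False, loads=True, logged=False)
        outcome = Outcome.BADSIG

    fail_set = {"ANYBAD": ANY_BAD, "BADSIGONLY": BADSIG_ONLY, "NEVER": set()}[seg.failload]
    log_set = {
        "ALL": ANY_BAD | {Outcome.SUCCESS},
        "SUCCESS": {Outcome.SUCCESS},
        "ANYBAD": ANY_BAD,
        "BADSIGONLY": BADSIG_ONLY,
        "NONE": set(),
    }[seg.sigaudit]
    return LoadDecision(verified=True, loads=outcome not in fail_set, logged=outcome in log_set)


def silent_failures(seg: SigverSegment, signed: bool = True) -> set:
    """Failure outcomes that both load and leave no audit record under this segment."""
    silent = set()
    for outcome in ANY_BAD:
        d = decide(seg, signed, outcome)
        if d.loads and not d.logged:
            silent.add(outcome)
    return silent


if __name__ == "__main__":
    # Two constructed segments: one that only reacts to bad signatures, one that reacts to any failure
    lax = SigverSegment(sigrequired=False, failload="BADSIGONLY", sigaudit="BADSIGONLY")
    strict = SigverSegment(sigrequired=True, failload="ANYBAD", sigaudit="ANYBAD")
    for name, seg in (("lax", lax), ("strict", strict)):
        print(name, "loads silently on:", sorted(o.name for o in silent_failures(seg)))
```

The lax segment shows the gap the BADSIGONLY descriptions point at: a validly signed program from an untrusted signer, or one whose key ring is misconfigured, loads with no console message or audit record.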
- SINGLEDSN | NOSINGLEDSN
- SINGLEDSN
- Specifies that the tape volume can contain only one data set. SINGLEDSN is valid only for a TAPEVOL profile. If the volume already contains more than one data set, RACF issues a message and ignores the operand.
- NOSINGLEDSN
- Specifies that the tape volume can contain multiple data sets, up to a maximum of 9999. NOSINGLEDSN is valid only for a TAPEVOL profile.
- SSIGNON | NOSSIGNON
- SSIGNON
- Defines PassTicket keys and associated configuration
settings. RACF PassTickets can be configured with two different algorithms:
- The legacy PassTicket algorithm
- The enhanced PassTicket algorithm
The legacy PassTicket algorithm is the original PassTicket implementation and uses a DES secret key. The enhanced PassTicket algorithm is an updated version of the PassTicket algorithm and uses an HMAC secret key. RACF supports generation and evaluation of PassTickets with either the legacy PassTicket algorithm or the enhanced PassTicket algorithm based on the SSIGNON segment keywords.
- The KEYMASKED, KEYENCRYPTED, ENCRYPTKEY and KEYLABEL keywords control the key to be used for the generation and evaluation of legacy PassTickets. These keywords indicate the method you want to use to protect the legacy PassTicket key value within the RACF database. You can mask or encrypt the key. The key-value represents a 64-bit (8-byte) key that must be represented as 16 hexadecimal characters. The valid characters are 0 - 9 and A - F.
The EPTKEYLABEL, TYPE, TIMEOUT and REPLAY keywords control the key and settings to be used for the generation and evaluation of enhanced PassTickets.
Note:
- Before defining PassTicket keys, please read and understand the PassTicket documentation in the z/OS Security Server RACF Security Administrator's Guide, specifically, the topic Protecting PassTicket keys. That documentation contains important information on setup and authorization issues, especially pertaining to the use of ICSF with encrypted keys.
- As with RACF passwords, the database unload facility does not unload application keys or PassTicket keys. It will, however, indicate the method of protection of the key, and if the key is encrypted, the key label name.
- The RLIST command does not list the value of the application key or the PassTicket key. Therefore, when you define the keys, you should note the value and keep it in a secure place. Note that RLIST will, however, indicate the method of protection of the key, and if the key is encrypted, the key label name.
- The KEYMASKED, KEYENCRYPTED, ENCRYPTKEY and KEYLABEL legacy PassTicket keywords all work against the same field in the RACF database. Use of any of these RALTER keywords replaces the previous legacy PassTicket key (or its label) in the RACF database.
- KEYMASKED(legacy-passticket-key-value)
- Specifies that you want to mask the legacy PassTicket key value using the masking algorithm. Note:
- IBM STRONGLY recommends that masked PassTicket keys are not used outside of a test environment.
- You can specify this operand only once for each application key.
- If you mask a key, you cannot encrypt it. These are mutually exclusive.
- KEYENCRYPTED(legacy-passticket-key-value)
- Specifies that you want to encrypt the legacy PassTicket key value. Note:
- Before using the KEYENCRYPTED keyword, please read and understand the documentation describing Encrypting the PassTicket key in the z/OS Security Server RACF Security Administrator's Guide.
- You can specify this operand only once for each application key.
- If you encrypt a key, you cannot mask it. These are mutually exclusive.
- ICSF must be installed and active on the system.
You can use the RLIST command to verify that the key is protected.
- ENCRYPTKEY
- Specifies that you want to request conversion of a legacy PassTicket key to a KEYENCRYPTED key with a key label.
If the existing key is KEYMASKED, it is converted to a KEYENCRYPTED key and the data in the RACF database is replaced with the ICSF key label. Knowledge of the existing key value is not necessary.
If the existing key is KEYENCRYPTED in the form of a key token, it is moved into the ICSF CKDS and data in the RACF database is replaced with a key label. Knowledge of the existing key value is not necessary.
If the existing key is KEYENCRYPTED and already referenced by a key label, message IRR52254I is issued and ENCRYPTKEY is ignored.
RACF generates key label names in the form IRR.SSIGNON.sysname.mmddyyyy.hhmmss.nnnnnn. The key label name is not user configurable. RLIST displays the key label name. Sysname indicates the name of the system on which the ENCRYPTKEY operation was performed.
The SEARCH command with the CLIST option provides a way of creating a 'utility' to convert all your PassTicket keys to KEYENCRYPTED in ICSF.
- KEYLABEL(legacy-passticket-label-value)
- Specifies the name of an ICSF key label to be used when generating or evaluating a legacy PassTicket.
ICSF must be installed and active, and the key must be defined in the ICSF CKDS at the time of use. However, this is not checked when the KEYLABEL keyword is specified.
When using KEYLABEL, RACF does not make any calls to ICSF. The key label is saved in the RACF database, and it is up to the installation to ensure that the key is added to the ICSF CKDS before any PassTicket operations occur which need it. The key must refer to a DES key with a type of DATA and a length of 8 bytes.
Note:The KEYLABEL operand cannot be used to override the key label generated by RACF when KEYENCRYPTED or ENCRYPTKEY is specified.
- NOLEGACYKEY
- Removes an existing legacy PassTicket key from the PTKTDATA profile set by the KEYMASKED, KEYENCRYPTED or KEYLABEL keywords.
- EPTKEYLABEL | NOEPTKEYLABEL
- EPTKEYLABEL(enhanced-passticket-label-value)
- Specifies the name of an ICSF key label to be used when generating or evaluating an enhanced PassTicket.
ICSF must be installed and active, and the key must be defined in the ICSF CKDS at the time of use. However, this is not checked when the EPTKEYLABEL keyword is specified.
When using EPTKEYLABEL, RACF does not make any calls to ICSF. The key label is saved in the RACF database, and it is up to the installation to ensure that the key is added to the ICSF CKDS before any enhanced PassTicket operations occur which need it.
The key label must refer to an ICSF HMAC key with a key algorithm of HMAC, a key type of MAC and the key usage fields must indicate GENERATE. The supported HMAC key size range is from 32 to 256 bytes. The recommended minimum key size is 64 bytes.
The RACF enhanced PassTicket support uses ICSF HMAC keys which require that the ICSF CKDS is defined in either the variable length record format or common record format (KDSR). For more information on ICSF CKDS formats, please refer to Introduction to z/OS ICSF in z/OS Cryptographic Services ICSF System Programmer's Guide.
The label name cannot exceed 64 characters. The first character must be an alphabetic character or a national character (#, @, or $). Subsequent characters can be a period character (.) or any alphanumeric or national character.
- NOEPTKEYLABEL
- Removes the enhanced PassTicket key label.
- TYPE | NOTYPE
- TYPE(UPPER | MIXED)
- Specifies the character set to use for generating and evaluating an enhanced PassTicket. The type must be one of the following values:
- UPPER: The enhanced PassTicket will be generated and evaluated with only uppercase characters A - Z and digits 0 - 9.
- MIXED: The enhanced PassTicket will be generated and evaluated with only uppercase characters A - Z, lowercase characters a - z, digits 0 - 9 and the symbols dash (-) and underscore (_).
Using type MIXED is recommended as it provides a larger set of possible PassTicket values and therefore provides more security. Type UPPER may be required when an application does not yet support mixed case passwords.
The default value is MIXED.
- NOTYPE
- Resets TYPE to the default value of MIXED.
- TIMEOUT | NOTIMEOUT
- TIMEOUT(timeout-seconds)
- Specifies the number of seconds that the enhanced PassTicket is active.
The value of timeout-seconds can be between 1 and 600 seconds (10 minutes).
The default value is 60 seconds.
- NOTIMEOUT
- Resets TIMEOUT to the default value of 60 seconds.
- REPLAY(YES | NO)
- Specifies whether an enhanced PassTicket is allowed to be replayed within the TIMEOUT value.
The default value is NO.
This setting only applies to enhanced PassTickets and does not apply to legacy PassTickets.
The replay protection setting in the APPLDATA field only applies to legacy PassTickets and does not apply to enhanced PassTickets.
- NOSSIGNON
- Specifies that the SSIGNON segment should be deleted.
- STDATA | NOSTDATA
- STDATA
- Used to control security for started tasks. STDATA should only be specified for profiles in the STARTED class.
- USER | NOUSER
- USER(userid)
- Specifies the user ID to be associated with this entry.
RACF issues a warning message if the specified userid does not exist, but information is added to the STDATA segment. If the error is not corrected, RACF uses the started procedures table to process START requests that would have used this STARTED profile.
- USER(=MEMBER)
- Specifies that the procedure name should be used as the user ID. If =MEMBER is specified for USER, a group-name value should be specified for the GROUP operand. If =MEMBER is specified for both USER and GROUP, a warning message is issued and problems might result when the profile is used. For information, see z/OS Security Server RACF Security Administrator's Guide.
- NOUSER
- Specifies that the user ID should be deleted from this entry, leaving it unspecified. A warning message is issued because the absence of a user specification in the STDATA segment normally indicates that the segment information is incomplete. If NOUSER is specified, RACF uses the started procedures table to process START requests that would have used this STARTED profile.
- GROUP | NOGROUP
- GROUP(group-name)
- Specifies the group name to be associated with this entry.
RACF issues a warning message if the specified group-name does not exist. If userid and group-name are specified, RACF verifies that the user is connected to the group. If there is an error in the specification of the group name, the started task runs as an undefined user.
- GROUP(=MEMBER)
- Specifies that the procedure name should be used as the group name. If =MEMBER is specified for GROUP, a userid value must be specified for the USER operand or RACF uses the started procedures table to assign an identifier for this started task. If =MEMBER is specified for both USER and GROUP, a warning message is issued and problems might result when the profile is used. For information, see z/OS Security Server RACF Security Administrator's Guide.
- NOGROUP
- Specifies that the group name should be deleted from this entry, leaving it unspecified. If NOGROUP is specified, the started task runs with the default group of the specified user ID.
- PRIVILEGED(YES | NO) | NOPRIVILEGED
- Specifies whether the started task should run with the RACF PRIVILEGED attribute. The PRIVILEGED attribute allows the started task to pass most authorization checking. No installation exits are called, no SMF records are generated, and no statistics are updated. (Note that bypassing authorization checking includes bypassing the checks for security classification of users and data.) For more information, see Associating started procedures and jobs with user IDs in z/OS Security Server RACF System Programmer's Guide.
PRIVILEGED(NO) and NOPRIVILEGED indicate that the started task should run without the PRIVILEGED attribute.
If neither PRIVILEGED nor NOPRIVILEGED is specified, PRIVILEGED(NO) is the default.
- TRACE( YES | NO) | NOTRACE
- Specifies whether a message should be issued to the operator when
this entry is used to assign an ID to the started task.
If TRACE(YES) is specified, RACF issues an informational message to the operator to record the use of this entry when it is used to assign an ID to a started task. This record can be useful in finding started tasks that do not have a specific entry defined and in diagnosing problems with the user IDs assigned for started tasks.
TRACE(NO) and NOTRACE specify that an informational message should not be issued when this entry is used to assign an ID to the started task.
If neither TRACE nor NOTRACE is specified, TRACE(NO) is the default.
- TRUSTED( YES | NO) | NOTRUSTED
- Specifies whether the started task should run with the RACF TRUSTED attribute. The TRUSTED attribute is similar to the PRIVILEGED attribute except
that auditing can be requested using the SETROPTS LOGOPTIONS command. For more information about the
TRUSTED attribute, see Associating started procedures and jobs with user IDs in z/OS Security Server RACF System Programmer's Guide.
TRUSTED(NO) and NOTRUSTED indicate that the started task should run without the RACF TRUSTED attribute.
If neither TRUSTED nor NOTRUSTED is specified, TRUSTED(NO) is the default.
- NOSTDATA
- Specifies that all the STDATA information for this entry should be deleted. When this entry is used and no STDATA was specified (or the STDATA has been deleted), RACF issues a message and uses the started procedures table to assign information for this START command.
- SVFMR | NOSVFMR
-
- SVFMR
- Defines
profiles associated with a particular SystemView for MVS application.
- SCRIPTNAME | NOSCRIPTNAME
-
- SCRIPTNAME(script-name)
- Specifies the name of the list of default logon scripts associated
with this application. This operand is optional. If you omit this
operand, no scripts are changed for the application.
The script-name is the 1 - 8 character alphanumeric name of a member of an MVS partitioned data set (PDS). RACF accepts both uppercase and lowercase characters for script-name, but lowercase characters are translated to uppercase.
The PDS member specified by script-name contains a list of other PDS members that contain the scripts associated with this application's profile. The PDS and members, including the member that contains the list of other members, are created by the administrator of the SystemView for MVS application.
- NOSCRIPTNAME
- Specifies that the logon script name should be deleted from this entry.
- PARMNAME | NOPARMNAME
-
- PARMNAME(parm-name)
- Specifies the name of the parameter list associated with this
application. This operand is optional. If this operand is omitted,
no parameters are changed for the application.
The parm-name is the 1 - 8 character alphanumeric name of a member of an MVS partitioned data set (PDS). RACF accepts both uppercase and lowercase characters for parm-name, but lowercase characters are translated to uppercase.
The PDS member specified by parm-name contains a list of other PDS members that contain the parameters associated with this application's profile. The PDS and members, including the member that contains the list of other members, are created by the administrator of the SystemView for MVS application.
- NOPARMNAME
- Specifies that the parameter list name should be deleted from this entry.
- NOSVFMR
- Specifies that the SVFMR segment should be deleted.
- TIMEZONE | NOTIMEZONE
-
- TIMEZONE( {E | W} hh[.mm])
- Specifies the time zone in which a terminal
resides. TIMEZONE is valid only for resources in the TERMINAL class; RACF ignores it for all other resources.
Specify TIMEZONE only when the terminal is not in the same time zone as the processor on which RACF is running. In this situation, TIMEZONE provides the information RACF needs to calculate the time and day values correctly. If you identify more than one terminal in the profile-name operand, all the terminals must be in the same time zone.
On TIMEZONE, you specify whether the terminal is east (E) or west (W) of the system and by how many hours (hh) and, optionally, minutes (mm). The terminal time zone is different from the processor time zone. Valid hour values are 0 - 11, and valid minute values are 00 - 59.
For example, if the processor is in New York and the terminal is in Los Angeles, specify TIMEZONE(W 3). If the processor is in Houston and the terminal is in New York, specify TIMEZONE(E 1).
If you change the local time on the processor (to accommodate daylight saving time, for instance), RACF adjusts its time calculations accordingly. However, if the processor time zone and the terminal time zone do not change in the same way, you must adjust the terminal time zones yourself, as described for the WHEN(TIME) operand.
- NOTIMEZONE
- Specifies that the terminal is in the same time zone as the processor. NOTIMEZONE is valid only for resources in the terminal class; RACF ignores it for all other resources.
- TME | NOTME
-
- TME
- Specifies that information for the Tivoli® Security Management Application is
to be added, changed, or deleted. Note: The TME segment fields are intended to be updated only by the Tivoli Security Management Application, which manages updates, permissions, and cross references. A security administrator should only directly update Tivoli Security Management fields on an exception basis.
All TME suboperands, with the exception of those for ROLES, can be specified when changing a resource profile in the ROLE class. Conversely, only the ROLES suboperand can be specified when changing a resource profile in any other class.
- CHILDREN | NOCHILDREN | ADDCHILDREN | DELCHILDREN
-
- CHILDREN(profile-name ...)
- Specifies the complete list of roles which inherit attributes from this role. A role is a discrete general resource profile defined in the ROLE class.
- ADDCHILDREN(profile-name ...)
- Specifies the addition of specific child roles to the current list of roles.
- DELCHILDREN(profile-name ...)
- Specifies the removal of specific child roles from the current list of roles.
- NOCHILDREN
- Specifies the removal of the entire list of child roles.
- GROUPS | NOGROUPS | ADDGROUPS | DELGROUPS
-
- GROUPS(group-name ...)
- Specifies the complete list of groups which should be permitted
to resources defined in this role profile.
The group-name value should be the name of a defined group.
- ADDGROUPS(group-name ...)
- Specifies the addition of specific groups to the current list of groups.
- DELGROUPS(group-name ...)
- Specifies the removal of specific groups from the current list of groups.
- NOGROUPS
- Specifies the removal of the entire list of groups.
- PARENT | NOPARENT
-
- PARENT(profile-name)
- Specifies the name of a role from which this role inherits attributes. A role is a discrete general resource profile defined in the ROLE class.
- NOPARENT
- Specifies the deletion of the parent role from this profile.
- RESOURCE | NORESOURCE | ADDRESOURCE | DELRESOURCE
-
- RESOURCE(resource-access-specification ...)
- Specifies the complete list of resources and associated access levels for groups defined in this role profile. One or more resource-access-specification values can be specified, each separated by blanks. Each value should contain no imbedded blanks and should have the following format:
origin-role:class-name:profile-name:authority [:conditional-class:conditional-profile]
where origin-role is the name of the role profile from which the resource access is inherited. The class-name value is an existing resource class name and profile-name is a resource profile defined in that class. The authority is the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER) with which groups in the role definition should be permitted to the resource.
The conditional-class value is a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID) for conditional access permission, and is followed by the conditional-profile value, a resource profile defined in the conditional class.
- ADDRESOURCE(resource-access-specification ...)
- Specifies the addition of specific resource-access-specifications to the current list.
- DELRESOURCE(resource-access-specification ...)
- Specifies the removal of specific resource-access-specifications from the current list.
- NORESOURCE
- Specifies the removal of the entire list of resources.
- ROLES | NOROLES | ADDROLES | DELROLES
-
- ROLES(role-access-specification ...)
- Specifies a list of roles and associated access levels related to this profile. One or more role-access-specification values can be specified, each separated by blanks. Each value should contain no imbedded blanks and should have the following format:
role-name:authority [:conditional-class:conditional-profile]
where role-name is a discrete general resource profile defined in the ROLE class. The authority value is the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER) with which groups in the role definition should be permitted to the resource.
The conditional-class value is a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID) for conditional access permission, and is followed by the conditional-profile value, a resource profile defined in the conditional class.
- ADDROLES(role-access-specification ...)
- Specifies that specific roles and access levels are to be added to the current list.
- DELROLES(role-access-specification ...)
- Specifies that specific roles from the current list of roles are to be removed.
- NOROLES
- Specifies that the entire list of roles be removed.
- NOTME
- Specifies that RACF delete the TME segment from the profile.
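As an added example that is not IBM's code, the following Python validator checks values in the two formats given above for RESOURCE (origin-role:class-name:profile-name:authority[:conditional-class:conditional-profile]) and ROLES (role-name:authority[:conditional-class:conditional-profile]) against the authority and conditional-class lists stated for those operands; the uppercase comparison of keywords and the function names are assumptions.

```python
"""Validator for the TME segment's RESOURCE and ROLES value formats (added example, not IBM code).
Formats checked, as given for the RESOURCE and ROLES operands:
  origin-role:class-name:profile-name:authority[:conditional-class:conditional-profile]
  role-name:authority[:conditional-class:conditional-profile]
Keywords are compared in uppercase (an assumption); names are returned as written.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Access authorities and conditional classes listed for these operands.
AUTHORITIES = {"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}
CONDITIONAL_CLASSES = {"APPCPORT", "CONSOLE", "JESINPUT", "PROGRAM", "TERMINAL", "SYSID"}


@dataclass(frozen=True)
class ResourceAccess:
    origin_role: str
    class_name: str
    profile_name: str
    authority: str
    conditional_class: Optional[str] = None
    conditional_profile: Optional[str] = None


@dataclass(frozen=True)
class RoleAccess:
    role_name: str
    authority: str
    conditional_class: Optional[str] = None
    conditional_profile: Optional[str] = None


def _check_authority(authority: str) -> str:
    auth = authority.upper()
    if auth not in AUTHORITIES:
        raise ValueError(f"{authority!r} is not a valid access authority")
    return auth


def _check_conditional(parts: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """The optional trailing pair must name a permitted class and a non-empty profile."""
    if not parts:
        return None, None
    cond_class, cond_profile = parts[0].upper(), parts[1]
    if cond_class not in CONDITIONAL_CLASSES:
        raise ValueError(f"{parts[0]!r} is not a permitted conditional class")
    if not cond_profile:
        raise ValueError("conditional-profile must not be empty")
    return cond_class, cond_profile


def _fields(value: str, required: int) -> List[str]:
    """Split one value on colons; it carries `required` fields, or `required + 2` with the conditional pair."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("value must be non-empty and contain no imbedded blanks")
    parts = value.split(":")
    if len(parts) not in (required, required + 2) or "" in parts[:required]:
        raise ValueError(f"{value!r} does not match the expected format")
    return parts


def parse_resource_spec(value: str) -> ResourceAccess:
    """Parse one resource-access-specification (RESOURCE, ADDRESOURCE, DELRESOURCE)."""
    parts = _fields(value, 4)
    cond_class, cond_profile = _check_conditional(parts[4:])
    return ResourceAccess(parts[0], parts[1].upper(), parts[2],
                          _check_authority(parts[3]), cond_class, cond_profile)


def parse_role_spec(value: str) -> RoleAccess:
    """Parse one role-access-specification (ROLES, ADDROLES, DELROLES)."""
    parts = _fields(value, 2)
    cond_class, cond_profile = _check_conditional(parts[2:])
    return RoleAccess(parts[0], _check_authority(parts[1]), cond_class, cond_profile)


def parse_spec_list(operand_text: str, parser: Callable[[str], object]) -> list:
    """Parse the blank-separated list written inside RESOURCE(...) or ROLES(...)."""
    return [parser(v) for v in operand_text.split()]
```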
- TVTOC | NOTVTOC
-
- TVTOC
- Specifies, for a TAPEVOL profile, that
RACF is to create a TVTOC in the TAPEVOL profile when a user
creates the first output data set on the volume. Specifying TVTOC affects the access list for the TAPEVOL profile:
- When RACF processes the RALTER command with the TVTOC operand, it places the user ID of the command issuer (perhaps the tape librarian) in the access list with ALTER authority.
- When the first output data set is created on the volume, RACF adds the user ID associated with the job or task to the access list with ALTER authority.
The TVTOC operand is valid only for a discrete profile in the TAPEVOL class. If you specify TVTOC and the volume already contains a TVTOC, RACF issues a message and ignores the operand.
- NOTVTOC
- Specifies
that RACF cannot create a TVTOC
in the resource profile. The NOTVTOC operand is valid only for a discrete
profile in the TAPEVOL class. It is also invalid if a TVTOC with at
least one entry already exists in the TAPEVOL profile. When NOTVTOC
is invalid, RACF issues a message
and ignores the operand. If your installation uses DFSMShsm and you activate tape data
set protection, the TVTOC for DFSMShsm tapes might become too large. To
avoid this problem, issue the following RALTER command:
RALTER TAPEVOL HSMHSM NOTVTOC
- UACC(access-authority)
- Specifies the
universal access authority to be associated with this resource. The
universal access authorities are ALTER, CONTROL, UPDATE, READ, EXECUTE
(for controlled programs only), and NONE. Note:
- For tape volumes and DASD volumes, RACF treats CONTROL authority as UPDATE authority.
- For all other resources listed in the class descriptor table, RACF treats CONTROL and UPDATE authority as READ authority.
- If a user accessing a data set has the RESTRICTED attribute, RACF treats the universal access authority (UACC) as NONE for that access attempt.
- WARNING | NOWARNING
-
- WARNING
- Specifies that even if access authority is
insufficient, RACF is to issue a warning message and allow
access to the resource. RACF also records the access attempt
in the SMF record if logging is specified in the profile. Restriction: RACF does not issue a warning message for a resource when the resource is:
- In the PROGRAM or NODES class
- In a class for which an application has built in-storage profiles using RACROUTE REQUEST=LIST.
When SETROPTS MLACTIVE(FAILURES) is in effect: A user or task can access a resource that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access.
Applications that use REQUEST=LIST: Some applications, such as IMS and CICS, load all the profiles for a given class into storage. After these profiles are in storage, the applications can do a fast authorization check using RACROUTE REQUEST=FASTAUTH. Fast authorization checking is different from normal authorization checking in several ways. One difference is that, in some cases, fast authorization checking does not issue warning messages, notification messages or support auditing. In cases where it does not, return and reason codes are returned to the application to allow support of these functions. The application can examine the return and reason codes and use RACROUTE REQUEST=AUTH to create the messages and audit records. If the application uses RACROUTE REQUEST=AUTH to support auditing or specifies LOG=ASIS on the RACROUTE REQUEST=FASTAUTH, the specified user is notified. Otherwise, notification, warning, and so on, does not occur.
For details on using RACF with IMS, visit IMS in IBM Documentation.
For details on using RACF with CICS, visit CICS Transaction Server for z/OS.
- NOWARNING
- Specifies that if access authority is insufficient, RACF is to deny the user access to the resource and not issue a warning message.
- WHEN
- Specifies, for resources
in the TERMINAL class, the days of the week or the hours in the day
when the terminal can be used to access the system. The day-of-week
and time restrictions apply only when a user logs on to the system;
that is, RACF does not force
the user off the system if the end-time occurs while the user is logged
on.
If you specify the WHEN operand, you can restrict the use of the terminal to certain days of the week or to a certain time period on each day. You can also restrict access to both certain days of the week and to a certain time period within each day.
- DAYS(day-info)
- Specifies days of the week when the terminal can be used. The day-info value
can be any one of the following:
- ANYDAY
- Allows use of the terminal on any day.
- WEEKDAYS
- Allows use of the terminal only on weekdays (Monday through Friday).
- day ...
- Allows use of the terminal only on the days specified, where day can be MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY, and you can specify the days in any order.
- TIME(time-info)
- Specifies the time period each day when the terminal can be used.
The time-info value can be any one of the
following:
- ANYTIME
- RACF allows use of the terminal at any time.
- start-time:end-time
- RACF allows use of the terminal only during the specified time period. The format of both the start-time and end-time values is hhmm, where hh is the hour in 24-hour notation (00 - 24) and mm is the minutes (00 - 59), within the range 0001 - 2400. Note that 2400 indicates 12:00 a.m. (midnight). If start-time is greater than end-time, the interval spans midnight and extends into the following day.
Specifying start-time and end-time is straightforward when the processor on which RACF is running and the terminal are in the same time zone; you specify the time values in local time.
However, if the terminal is in a different time zone from the processor and you want to restrict access to certain time periods, you have two choices. You can specify the TIMEZONE operand to allow RACF to calculate the time and day values correctly. Or, you can adjust the time values yourself, by translating the start-time and end-time for the terminal to the equivalent local time for the processor.
For example, assume that the processor is in New York and the terminal is in Los Angeles, and you want to allow access to the terminal from 8:00 A.M. to 5:00 P.M. in Los Angeles. In this situation, you would specify TIME(1100:2000). If the processor is in Houston and the terminal is in New York, you would specify TIME(0900:1800).
If you omit DAYS and specify TIME, the time restriction applies to any day-of-week restriction already specified in the profile. If you omit TIME and specify DAYS, the days restriction applies to any time restriction already specified in the profile. If you specify both DAYS and TIME, RACF allows use of the terminal only during the specified time period and only on the specified days.
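The TIMEZONE arithmetic and the WHEN(DAYS TIME) rules described above, as an added Python example that is not part of the IBM documentation: it shifts the Los Angeles window to the processor-local TIME value and evaluates a logon against a day and time restriction, including an interval that spans midnight; the function names and sample values are assumptions.

```python
"""TIMEZONE arithmetic and WHEN(DAYS TIME) evaluation for TERMINAL profiles.

Added example for this page, not IBM's code. terminal_to_processor_time()
shifts a terminal-local window into the processor-local TIME(start-time:end-time)
value using the TIMEZONE({E | W} hh[.mm]) fields, as the text does by hand;
logon_permitted() decides whether a logon at a processor-local day and time
satisfies a WHEN restriction, including intervals that span midnight
(start-time > end-time) and 2400 as midnight. Function names are assumptions.
"""
from typing import Iterable, Optional, Union

DAY_NAMES = ("MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY")
WEEKDAYS = frozenset(DAY_NAMES[:5])
MINUTES_PER_DAY = 24 * 60


def parse_hhmm(value: str) -> int:
    """Minutes since midnight for an hhmm value; only 0001 - 2400 is accepted."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"{value!r} is not in hhmm form")
    hh, mm = int(value[:2]), int(value[2:])
    minutes = hh * 60 + mm
    if hh > 24 or mm > 59 or not 1 <= minutes <= MINUTES_PER_DAY:
        raise ValueError(f"{value!r} is outside 0001 - 2400")
    return minutes


def format_hhmm(minutes: int) -> str:
    """Inverse of parse_hhmm; wraps across midnight and writes midnight as 2400."""
    minutes %= MINUTES_PER_DAY
    return "2400" if minutes == 0 else f"{minutes // 60:02d}{minutes % 60:02d}"


def terminal_to_processor_time(start: str, end: str, direction: str,
                               hours: int, minutes: int = 0) -> str:
    """Return the TIME value to code on the processor for a terminal-local window.

    A terminal west (W) of the processor is behind it, so its local times fall
    later on the processor clock; a terminal east (E) of it is ahead.
    """
    if direction not in ("E", "W") or not 0 <= hours <= 11 or not 0 <= minutes <= 59:
        raise ValueError("TIMEZONE needs E or W, hours 0 - 11 and minutes 00 - 59")
    shift = hours * 60 + minutes
    if direction == "E":
        shift = -shift
    return f"{format_hhmm(parse_hhmm(start) + shift)}:{format_hhmm(parse_hhmm(end) + shift)}"


def logon_permitted(day: str, hhmm: str,
                    days: Union[str, Iterable[str], None] = None,
                    time_range: Optional[str] = None) -> bool:
    """Evaluate WHEN(DAYS(days) TIME(time_range)) for a logon at processor-local day/hhmm.

    days is ANYDAY, WEEKDAYS, one day name or an iterable of day names; None
    means no day restriction. time_range is ANYTIME or start-time:end-time.
    """
    if days is not None and days != "ANYDAY":
        if days == "WEEKDAYS":
            allowed = WEEKDAYS
        else:
            allowed = frozenset([days] if isinstance(days, str) else days)
        if not allowed <= frozenset(DAY_NAMES):
            raise ValueError("DAYS contains an unknown day name")
        if day not in allowed:
            return False
    if time_range is None or time_range == "ANYTIME":
        return True
    start, end = (parse_hhmm(v) for v in time_range.split(":"))
    now = parse_hhmm(hhmm)
    if start > end:  # the interval spans midnight into the following day
        return now >= start or now <= end
    return start <= now <= end
```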
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | User TRA02 wants to change the owner and universal access for terminal TERMID01 and restrict use of the terminal to weekdays during regular business hours (8:00 A.M. - 6:00 P.M.). |
1 | Known | User TRA02 has the SPECIAL attribute. Terminal TERMID01 is defined to RACF. Terminal TERMID01 is in the same time zone as the processor on which RACF is running. User TRA02 wants to issue the command as a RACF TSO command. |
1 | Command | RALTER TERMINAL TERMID01 OWNER(TRA02) UACC(ALTER) WHEN(DAYS(WEEKDAYS)TIME(0800:1800)) |
1 | Defaults | None. |
2 | Operation | User RFF23 wants to delete the two data fields associated with the terminal T3E8. The user wants to be notified whenever the terminal profile denies access to the terminal. |
2 | Known | User RFF23, who is a RACF-defined user, is the owner of the T3E8 terminal entry. User RFF23 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is |
2 | Command | @RALTER TERMINAL T3E8 NODATA NOAPPLDATA NOTIFY(RFF23) |
2 | Defaults | None. |
3 | Operation | User ADM1 wants to delete the data fields associated with the generic profile * in the TERMINAL class. |
3 | Known | User ADM1 has the SPECIAL attribute. User ADM1 wants to issue the command as a RACF TSO command. |
3 | Command | RALTER TERMINAL * NODATA NOAPPLDATA |
3 | Defaults | None. |
4 | Operation | User PAYADM1 wants to add the PAYROLL category to the list of security categories known to RACF. |
4 | Known | User PAYADM1 has the SPECIAL attribute. RACF security category checking is active. User PAYADM1 wants to issue the command as a RACF TSO command. |
4 | Command | RALTER SECDATA CATEGORY ADDMEM(PAYROLL) |
4 | Defaults | None. |
5 | Operation | User RFF22 wants to add volume TAP02 to the tape volume set, change the level of the tape volume set, and change the AUDIT and GLOBALAUDIT logging options. |
5 | Known | User RFF22 is the owner of the tape volume set. User RFF22 has the AUDITOR attribute. TAP01 is a volume of the tape volume set. User RFF22 wants to issue the command as a RACF TSO command. |
5 | Command | RALTER TAPEVOL TAP01 AUDIT(SUCCESS(READ)) LEVEL(22) GLOBALAUDIT(SUCCESS(UPDATE)FAILURES(READ)) ADDVOL(TAP02) |
5 | Defaults | None. |
6 | Operation | User ADM1 wants to add AMASPZAP to the in-storage profile table of controlled programs. AMASPZAP requires program-accessed data set checking. |
6 | Known | User ADM1 has the SPECIAL attribute. AMASPZAP resides in SYS1.LINKLIB on the SYSRES volume. RACF program control is active. User ADM1 wants to issue the command as a RACF TSO command. |
6 | Command | RALTER PROGRAM AMASPZAP ADDMEM('SYS1.LINKLIB'/SYSRES/PADCHK) |
6 | Defaults | None. |
7 | Operation | User ADM1 wants to add all load modules that start with IKF to the in-storage profile table of controlled programs. These load modules do not require program-accessed data set checking. User ADM1 wants to direct the command to run at the local node under the authority of user EMILIE and prohibit the command from being automatically directed to other nodes. |
7 | Known | Users ADM1 and EMILIE have the SPECIAL attribute. All load modules whose names begin with IKF reside in SYS1.COBLIB on the SYSRES volume. RACF program control is active. Users ADM1 and EMILIE have an already established user ID association. User ADM1 wants to issue the command as a RACF TSO command. |
7 | Command | |
7 | Results | The command is only processed on the local node and not automatically directed to any other nodes in the RRSF configuration. |
8 | Operation | The security administrator wants to change the key value of a profile in the PTKTDATA class so the value becomes encrypted. |
8 | Known | NONNEL is the user ID of the security administrator. The profile name is TSOR004. The key-value is B004194019641980. The security administrator wants to issue the command as a RACF TSO command. |
8 | Command | |
8 | Defaults | None. |
9 | Operation | The administrator wants to change the script and parameter definitions for an existing SystemView for MVS application that has been defined to the SYSMVIEW class. |
9 | Known | The new script definition is APPL2SC. The new parameter definition is APPL2P. |
9 | Command | |
9 | Defaults | None. |
10 | Operation | Local realm KRB2000.IBM.COM is being defined with a minimum ticket lifetime of 5 minutes, a default ticket lifetime of 10 hours, a maximum ticket lifetime of 24 hours, and a password of 744275. All of the ticket lifetime values are specified in seconds. |
10 | Known | The administrator has access to the KERBDFLT profile in the REALM class. |
10 | Command | |
10 | Defaults | None. |
11 | Operation | A trust relationship is being defined between the kerb390.endicott.ibm.com realm and the realm at ker2000.endicott.ibm.com. |
11 | Known | The administrator has access to the /.../KERB390.ENDICOTT.IBM.COM/KRBTGT/KER2000.ENDICOTT.IBM.COM profile in the REALM class. |
11 | Command | RALTER REALM /.../KERB390.ENDICOTT.IBM.COM/KRBTGT/KER2000.ENDICOTT.IBM.COM KERB(PASSWORD(12345678)) |
11 | Defaults | None. |
12 | Operation | The system default EIM values are being altered by changing the domaindn and disabling it. |
12 | Known | IRR.PROXY.DEFAULTS is the profile being changed in the FACILITY class. The EIM domain distinguished name begins with Pok EIM Domain,o=IBM,c=US. |
12 | Command | |
12 | Defaults | None. |
13 | Operation | The security administrator wants to change an attribute of the installation-defined class TSTCLAS8. He wants to change the value of RACLIST(REQUIRED) to RACLIST(ALLOWED). |
13 | Known | The administrator has the SPECIAL attribute. |
13 | Command | RALTER CDT TSTCLAS8 CDTINFO(RACLIST(ALLOWED)) Note: The dynamic CDT must be refreshed to make this change effective: SETROPTS RACLIST(CDT) REFRESH |
13 | Defaults | None. |
14 | Operation | At Rui's installation, identity mappings in EIM change frequently and identity mapping changes are not refreshed often enough. She wants to reduce the MAPPINGTIMEOUT value so that mappings in the identity cache expire sooner and are refreshed more frequently from EIM. She reduces the timeout value to 1800 seconds (one-half hour). |
14 | Known | When the IRR.ICTX.DEFAULTS profile was defined in the LDAPBIND class, the MAPPINGTIMEOUT value was defaulted to 3600 seconds (one hour). |
14 | Command | |
14 | Defaults | None. |
16 | Operation | The security administrator uses a custom field called ADDRESS in her user profiles. She wants to update the help text and modify the maximum length of this custom field. |
16 | Known | The user has the SPECIAL attribute. The changes in the custom field are not effective until the system programmer rebuilds the dynamic parse table using the IRRDPI00 UPDATE command. |
16 | Command | |
16 | Defaults | None. |
17 | Operation | User SECADM wants to update the signature verification options for a controlled program called MYPROG14 to specify that it must now be digitally signed before it can be loaded, that the program should fail to load if its digital signature cannot be verified for any reason, and that logging of signature verification events should occur only for failures. |
17 | Known | The user has the SPECIAL attribute. The MYPROG14 program is a program object that resides in a partitioned data set extended (PDSE) library. |
17 | Command | |
17 | Defaults | None. |