z/OS Security Server RACF Macros and Interfaces


ICHERCDE macro

SA23-2288-00

Guideline: If your installation needs to define resource classes, to avoid the need to re-IPL do not define your classes in the static class descriptor table using the ICHERCDE macro. Instead, define your classes in the dynamic class descriptor table using RDEFINE and RALTER commands for the CDT resource class. For more information about the dynamic class descriptor table, see z/OS Security Server RACF Security Administrator's Guide.

The class descriptor table contains information that directs the processing of general resources. The table consists of an entry for each resource class except USER, GROUP, and DATASET. The class descriptor table contains entries that IBM® supplies, and, optionally, entries defined by the installation. It has two parts:
  • The static class descriptor table contains the entries that IBM supplies (shipped in the module ICHRRCDX), and, optionally, entries defined by the installation (in the module ICHRRCDE). You must not change ICHRRCDX. To create or modify ICHRRCDE, use the ICHERCDE macro. You must re-IPL for the updates to ICHRRCDE to take effect.
  • The dynamic class descriptor table contains entries built from the CDT general resource class. RACF® treats the dynamic class descriptor table as a logical extension to the static class descriptor table. To create or modify the dynamic class descriptor table, use the RDEFINE and RALTER commands. You do not need to re-IPL for updates made to the dynamic class descriptor table to take effect.

Restriction: A grouping class in the dynamic class descriptor table cannot reference a member class in the static class descriptor table, and a member class in the dynamic class descriptor table cannot reference a grouping class in the static class descriptor table.

Note: The remainder of this topic discusses the static class descriptor table. For information about the dynamic class descriptor table, see z/OS Security Server RACF Security Administrator's Guide.

The ICHERCDE macro generates entries for the static class descriptor table. To generate the table, you must invoke the macro once for each class. To identify the end of the static class descriptor table, invoke the macro without specifying any operands.

The installation-defined static class descriptor table, module ICHRRCDE, must have RMODE(24) and must reside in SYS1.LINKLIB or another library in your linklist concatenation. Refer to z/OS Security Server RACF System Programmer's Guide for instructions on how to create ICHRRCDE.

Member RACINSTL in SYS1.SAMPLIB contains, among other items, a sample job stream for updating or creating a static installation-defined class descriptor table (ICHRRCDE).
Note:
  1. A maximum of 1024 classes can be defined in the class descriptor table. There are 1024 POSIT values, of which numbers 19–56 and 128–527 are available for installation use. Numbers 0–18, 57–127, and 528–1023 are reserved for IBM's use.
  2. Installations sharing a database do not need identical class descriptor tables, but they must be compatible. If the same class is present on multiple systems, it must have the same attributes; for example, the POSIT numbers must be the same. Therefore, if systems X and Y are sharing a database, and system X has a class descriptor table with classes a, b, and c, and system Y has a class descriptor table with classes a, b, c, d, e, and f, the classes a, b, and c must be defined identically on both systems. However, system Y may have classes d, e, and f that are not defined on system X. Note that when RACF is enabled for sysplex communication, RACF does not enforce consistency in the class descriptor table as it does with the data set name table and the range table; this allows flexibility when adding new classes to the class descriptor table.

The ICHERCDE macro produces a CSECT for each invocation. If the CLASS operand is present, the CSECT name is the name of the class being defined; otherwise, the CSECT name is ICHRRCDE.

The ICHERCDE macro definition is as follows:
[label] ICHERCDE [CLASS=classname]
                 [,CASE=UPPER|ASIS]
                 [,DFTRETC=0|4|8]
                 [,DFTUACC=ALTER|CONTROL|UPDATE|READ|NONE]
                 [,EQUALMAC=YES|NO]
                 [,FIRST=ALPHA|NUMERIC|ALPHANUM|ANY|NONATABC|NONATNUM]
                 [,GENLIST=ALLOWED|DISALLOWED]
                 [,GENERIC=ALLOWED|DISALLOWED]
                 [,GROUP=group-class|MEMBER=member-class]
                 [,ID=number]
                 [,KEYQUAL=0|nnn]
                 [,MAXLENX=number]
                 [,MAXLNTH=8|number]
                 [,OPER=YES|NO]
                 [,OTHER=ALPHA|NUMERIC|ALPHANUM|ANY|NONATABC|NONATNUM]
                 [,POSIT=number]
                 [,PROFDEF=YES|NO]
                 [,RACLIST=ALLOWED|DISALLOWED]
                 [,RACLREQ=YES|NO]
                 [,RVRSMAC=YES|NO]
                 [,SIGNAL=YES|NO]
                 [,SLBLREQ=YES|NO]
CLASS=class name
Specifies the name of the resource class. The name must be 1–8 characters long and must consist of the following: A through Z, 0 through 9, or # (X'7B'), @ (X'7C'), $ (X'5B'). The first character must be A through Z, # (X'7B'), @ (X'7C'), or $ (X'5B'). You must include a # (X'7B'), @ (X'7C'), $ (X'5B'), or numeric character in the name of any class you define in order to guarantee that installation-defined classes do not conflict with classes supplied by IBM. In this way, classes supplied by IBM should always have unique class names. If this rule is not followed, the assembler issues a severity 4 MNOTE warning.

If you specify any options on the ICHERCDE macro, you must specify the CLASS operand.

Note: A class defined in the dynamic class descriptor table can have 0 through 9 as the first character of its name. For more information about the dynamic class descriptor table, see z/OS Security Server RACF Security Administrator's Guide.
CASE=UPPER | ASIS
Specifies whether mixed-case profile names are allowed for the class specified by the CLASS operand. UPPER is the default. When ASIS is specified, RACF commands preserve the case of profile names for the specified class. Lowercase characters are allowed in any position of the profile name where alphabetic characters are allowed, based on the character restrictions specified in the FIRST= and OTHER= operands.
DFTRETC=0|4|8
Specifies the return code that RACF provides from RACROUTE REQUEST=AUTH, or REQUEST=FASTAUTH when RACF and the class are active and (if required) the class has been processed using SETROPTS RACLIST, but RACF does not find a profile to protect the resource specified on the AUTH or FASTAUTH request.
0
The access request was accepted.
4
No profile exists.
8
The access request was denied.

If you do not specify this parameter, it defaults to 4.

DFTUACC=ALTER|CONTROL|UPDATE|READ|NONE
Specifies the minimum access allowed if the access level is not set when a resource profile is defined in the class. If you omit DFTUACC, and no access level is specified at the time the profile is created, RACF uses the default universal access authority from the command issuer's ACEE.
EQUALMAC=YES|NO
Specifies whether equal mandatory access checking is required when users attempt to access resources protected by profiles in this class. If EQUALMAC=YES is specified, whenever RACF performs a mandatory access check the security label of the user and the security label of the resource must be equivalent to pass the mandatory access check. Security labels are equivalent when they have the same security level and category definitions. The SYSMULTI security label is equivalent to any other security label.

Use EQUALMAC=YES for classes where two-way communication is expected.

EQUALMAC=YES cannot be specified with RVRSMAC=YES.

FIRST=
Specifies a character type restriction for the first character of the profile name.
ALPHA
Specifies an alphabetic, # (X'7B'), @ (X'7C'), or $ (X'5B'). ALPHA is the default value for both the FIRST and OTHER operand.
NUMERIC
Specifies a digit (0–9).
ALPHANUM
Specifies an alphabetic, a numeric, # (X'7B'), @ (X'7C'), or $ (X'5B').
ANY
Specifies any character other than a blank, a comma, a parenthesis, or a semicolon.
Note:
  1. Resource names (as opposed to profile names) for a class should not contain the characters *, %, or & because these characters do not work as expected when generic profile processing is active for the class.
  2. This option includes the period ('.'); therefore, it is needed if you intend to use the period as a delimiter.
NONATABC
Specifies an alphabetic character. Characters such as # (X'7B'), @ (X'7C'), $ (X'5B'), and numerics are excluded.
NONATNUM
Specifies an alphabetic or numeric character. Characters such as # (X'7B'), @ (X'7C'), and $ (X'5B') are excluded.
GENERIC=ALLOWED|DISALLOWED
Specifies whether SETROPTS GENERIC and SETROPTS GENCMD are to be allowed for the class. The SETROPTS GENERIC command activates generic profile checking for a class, and the SETROPTS GENCMD command activates generic profile command processing for a class.

If GENERIC=DISALLOWED is specified, GENLIST=ALLOWED cannot be specified.

Because generic processing is not allowed for grouping classes, GENERIC=ALLOWED cannot be specified if MEMBER= is also specified.

GENERIC keyword consideration for a class that shares a POSIT number:
  • If the class shares a POSIT number with another class, all classes with the shared POSIT number must have the same setting for the GENERIC keyword. This is because the SETROPTS GENERIC and SETROPTS GENCMD commands process all classes that share a POSIT number.
  • If your class that shares a POSIT number violates this rule, that is, at least one class specifies GENERIC=DISALLOWED and at least one class specifies GENERIC=ALLOWED, the assembler issues a severity 8 MNOTE error.
  • If the class shares a POSIT number with an IBM class and it violates this rule, a warning message will be issued during RACF initialization, and the value of the GENERIC keyword will be changed by RACF to match the IBM class.
  • If the class shares a POSIT number with another installation-defined class from a separate assembly and violates this rule, a warning message will be issued during RACF initialization, and the value of the GENERIC keyword in both classes will be set to the least restrictive attribute, GENERIC=ALLOWED.
  • If your static installation class specifies GENERIC=DISALLOWED, and subsequently a dynamic class is added that shares a POSIT number and specifies GENERIC=ALLOWED, the static class will be changed to GENERIC=ALLOWED (the least restrictive attribute) during SETROPTS RACLIST(CDT) processing. The GENERIC=ALLOWED setting will remain for the duration of that IPL.
  • If you want to change the setting in the static class back to GENERIC=DISALLOWED, do the following tasks:
    1. Change the dynamic class to specify either a different POSIT number or GENERIC=DISALLOWED. See z/OS Security Server RACF Security Administrator's Guide for more guidelines for changing dynamic CDT entries.
    2. Re-IPL the system.
Exception: A grouping class and member class can share a POSIT number. GENERIC=DISALLOWED should be specified for the grouping class and GENERIC=ALLOWED may be specified for the member class.
GENLIST=ALLOWED|DISALLOWED
Specifies whether SETROPTS GENLIST is to be allowed for the class. If you GENLIST the class on the SETROPTS command and a user then requests access to a resource protected by a generic profile, a copy of that profile is brought into the common storage area rather than into the user's address space. RACF uses those generic profiles in common storage to check the authorization of any users who want to access the resource. The profiles remain in common storage until a REFRESH occurs.
GROUP=group-class
Specifies the name of the class that groups the resources within the class specified by the CLASS operand. If you omit this operand, RACF does not allow resource grouping for the class specified by the CLASS operand. If GROUP= is specified, the group entry must be in the same class descriptor table (IBM or installation) and in the same part of the class descriptor table (static or dynamic) as the member entry.
ID=number
Specifies a number from 1 to 255 that is associated with the class name. RACF stores this number in the general profile. Numbers 1 through 127 are reserved for use by IBM; numbers 128 through 255 are reserved for use by the installation.

The ID keyword does not need to be unique for each class; in fact, if more than 128 class descriptor table entries are defined by the installation, ID numbers have to be reused. An installation can use ID numbers to identify related classes; however, RACF does not use the ID number. Do not confuse the ID number with the POSIT number described below.

If you specify any options on the ICHERCDE macro, you must specify the ID operand.

KEYQUAL=nnn
Specifies the number of matching qualifiers RACF uses when loading generic profile names to satisfy an authorization request if a discrete profile does not exist for the resource. For example, if you specify KEYQUAL=2 for the class, all generic profile names whose two highest-level qualifiers match the two highest-level qualifiers of the entity name are loaded into the user's storage when the user requests access to a resource.

If you do not specify KEYQUAL, the default is 0, and profile names for the entire class are loaded and searched. The maximum value you can specify for KEYQUAL is 123, which is the maximum number of qualifiers in a name 246 characters long.

When KEYQUAL=nnn is coded in the ICHERCDE macro, generic profiles created in that class may not contain generic characters in the first nnn qualifiers of the profile.

If KEYQUAL=nnn is greater than 0 for a class, all discrete and generic profiles in that class must have at least nnn+1 qualifiers in the profile name. The number of qualifiers is determined by counting the number of period characters in the profile and adding one; the first character is not examined. Any generic characters must be in qualifier nnn+1 or beyond.

Examples of valid profile names for KEYQUALIFIERS(2) are:
  • A.B.C
  • A.B.**
  • A.B.C.D*
KEYQUAL=nnn (where nnn is greater than 0) should be used for a class that has the following attributes:
  • The class will generally not be RACLISTed.
  • The class will generally not be GENLISTed.
  • Profile names in the class have a naming convention where many generic profiles have the same nnn qualifiers at the beginning of the profile name.

For example, suppose that you have an application program that uses an installation class to protect reports on terminal usage, and you have the following profiles for every user on your z/OS® system:

REPORTS.USER1.TERMUSE.* 
REPORTS.USER1.TERMUSE.DEPT60.* 
REPORTS.USER1.TERMUSE.2006.JAN.* 
REPORTS.USER1.TERMUSE.2006.FEB.* 
REPORTS.USER1.TERMUSE.2006.MAR.* 
REPORTS.USER1.TERMUSE.2006.APR.* 
REPORTS.USER1.TERMUSE.2006.MAY.* 
REPORTS.USER1.TERMUSE.2006.JUN.* 
REPORTS.USER1.TERMUSE.2006.JUL.* 
REPORTS.USER1.TERMUSE.2006.AUG.* 
REPORTS.USER1.TERMUSE.2006.SEP.* 
REPORTS.USER1.TERMUSE.2006.OCT.* 
REPORTS.USER1.TERMUSE.2006.NOV.* 
REPORTS.USER1.TERMUSE.2006.DEC.* 

You might define your installation class with KEYQUAL=3 so that when an authorization check is done for a resource in your class, only the generic profile whose name matches the first three qualifiers of your report is loaded into storage for RACF to match against.
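The KEYQUAL rules above (at least nnn+1 qualifiers, generic characters only from qualifier nnn+1 onward, and loading only the generic profiles whose first nnn qualifiers match the resource) modelled as an added example; this is not IBM code, and it assumes that qualifiers are the period-delimited pieces of a name and that *, % and & are the generic characters:

```python
"""Added example, not IBM code: a model of the KEYQUAL=nnn rules in this topic.

Assumed: qualifiers are the period-delimited pieces of a name, and the
characters *, % and & are the generic characters (the FIRST=/OTHER= notes
above name them as the ones that misbehave under generic processing).
"""
GENERIC_CHARS = set("*%&")


def qualifiers(name):
    """Qualifier count is the number of periods plus one, as the topic says."""
    return name.split(".")


def is_generic(profile):
    return any(c in GENERIC_CHARS for c in profile)


def keyqual_problems(profile, keyqual):
    """Rule violations for one profile name under KEYQUAL=keyqual.

    With KEYQUAL=nnn > 0 a profile needs at least nnn+1 qualifiers and may
    carry generic characters only in qualifier nnn+1 or beyond.
    """
    problems = []
    if keyqual <= 0:
        return problems  # KEYQUAL=0: the whole class is loaded; no restriction
    quals = qualifiers(profile)
    if len(quals) < keyqual + 1:
        problems.append(f"{profile}: needs {keyqual + 1}+ qualifiers, has {len(quals)}")
    for pos, q in enumerate(quals[:keyqual], start=1):
        if GENERIC_CHARS & set(q):
            problems.append(f"{profile}: generic character in key qualifier {pos}")
    return problems


def check_class(profiles, keyqual):
    """All violations across the profiles of one class."""
    return [p for name in profiles for p in keyqual_problems(name, keyqual)]


def candidate_generics(resource, profiles, keyqual):
    """Generic profiles RACF would load for an authorization check on
    `resource`: those whose first nnn qualifiers equal the resource's first
    nnn qualifiers (KEYQUAL=0 loads every generic profile in the class)."""
    key = qualifiers(resource)[:keyqual]
    return [
        p for p in profiles
        if is_generic(p) and (keyqual == 0 or qualifiers(p)[:keyqual] == key)
    ]


# Constructed sample: the REPORTS naming convention from the topic, for two
# users, plus one discrete profile.
SAMPLE_PROFILES = [
    f"REPORTS.{user}.TERMUSE.{suffix}"
    for user in ("USER1", "USER2")
    for suffix in ("*", "DEPT60.*", "2006.JAN.*", "2006.FEB.*")
] + ["REPORTS.USER1.TERMUSE.2006.FEB.SUMMARY"]

if __name__ == "__main__":
    print(check_class(SAMPLE_PROFILES, 3))          # [] : all names satisfy KEYQUAL=3
    print(candidate_generics("REPORTS.USER1.TERMUSE.2006.FEB.SUMMARY",
                             SAMPLE_PROFILES, 3))   # only USER1's four generics
    for name in ("A.B.C", "A.B.**", "A.B.C.D*", "A.**"):
        print(name, keyqual_problems(name, 2))
```

With KEYQUAL=3 the check for a USER1 report considers only USER1's generic profiles; with KEYQUAL=0 every generic profile in the class is a candidate.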

The FILE and DIRECTRY classes have different rules. For the syntax required for profiles in the DIRECTRY and FILE classes, see z/OS Security Server RACF Command Language Reference for your VM system.

MAXLENX=number
Specifies the maximum length of resource and profile names for this class when a RACROUTE macro is invoked with the ENTITYX keyword, or a profile is added or changed via a RACF command processor. For installation-defined classes, you can specify a number from 1 to 246. If MAXLENX is not specified, the value specified for MAXLNTH is used.
Note:
  1. Do not assemble a static class descriptor table using MAXLENX and share it with a system running a RACF release earlier than OS/390 V2R8.
  2. If you specify a MAXLENX value greater than the MAXLNTH value for a class, before you define any profiles with names longer than MAXLNTH, you should verify that any programs using RACROUTE REQUEST=EXTRACT, TYPE=EXTRACTN or ICHEINTY NEXT for that class will properly handle the longer names.
MAXLNTH=8|number
Specifies the maximum length of resource and profile names for this class when MAXLENX is not specified. When MAXLENX is also specified, MAXLNTH represents the maximum length of a resource name only when a RACROUTE macro is invoked with the ENTITY keyword. For installation-defined classes, you can specify a number from 1 to 246; the default is 8.
Note: You cannot use the MAXLNTH or MAXLENX parameters to change the maximum size allowed for a resource name by the resource manager. For example, CICS® allows a maximum of 13 characters in a transaction name. Thus, if you define additional CICS transaction classes, you must also specify MAXLNTH=13.

This restriction does not apply to transaction grouping classes.

MEMBER=member-class
Specifies the name of the member class whose resources are grouped by the class specified by the CLASS operand. The class name must be from 1 to 8 alphanumeric characters. When this operand is specified, the class being defined is a resource group. If MEMBER= is specified, the member entry must be in the same class descriptor table (IBM or installation) and in the same part of the class descriptor table (static or dynamic) as the group entry.
OPER=YES|NO
Specifies whether RACF is to take the OPERATIONS attribute into account when it performs authorization checking. If YES is specified, RACF considers the OPERATIONS attribute; if NO is specified, RACF ignores the OPERATIONS attribute. YES is the default.
OTHER=
Specifies a character type restriction for the characters of the profile name other than the first character.
ALPHA
Specifies an alphabetic or # (X'7B'), @ (X'7C'), $ (X'5B'). ALPHA is the default value for both the FIRST and OTHER operand.
NUMERIC
Specifies a digit (0–9).
ALPHANUM
Specifies an alphabetic, numeric, or # (X'7B'), @ (X'7C'), $ (X'5B').
ANY
Specifies any character other than a blank, comma, a parenthesis, or semicolon.
Note:
  1. Resource names (as opposed to profile names) for a class should not contain the characters *, %, or & because these characters do not work as expected when generic profile processing is active for the class.
  2. This option includes the period ('.'); therefore, it is needed if you intend to use the period as a delimiter.
NONATABC
Specifies an alphabetic character. Characters such as # (X'7B'), @ (X'7C'), $ (X'5B'), and numerics are excluded.
NONATNUM
Specifies an alphabetic or numeric character. Characters such as # (X'7B'), @ (X'7C'), and $ (X'5B') are excluded.
POSIT=number
Specifies the POSIT number associated with the class. Each class in the static class descriptor table has a POSIT number specified on the ICHERCDE macro. The POSIT number identifies a set of option flags that controls the following RACF processing options:
  • Whether authorization checking should take place for the class (SETROPTS CLASSACT)
  • Whether auditing should take place for resources within the class (SETROPTS AUDIT)
  • Whether statistics should be kept for resources within the class (SETROPTS STATISTICS)
  • Whether generic profile access checking is active for the class (SETROPTS GENERIC)
  • Whether generic command processing is active for the class (SETROPTS GENCMD)
  • Whether global access checking is active for the class (SETROPTS GLOBAL)
  • Whether a user has CLAUTH to the class
  • Whether special resource access auditing applies to the class (SETROPTS LOGOPTIONS)
  • Whether SETROPTS RACLIST will occur for this class (when the parameter RACLIST=ALLOWED is also coded)

Before you assemble the static class descriptor table (CDT), you must decide whether to use a unique set of option flags for each RACF class or whether to have two or more RACF classes share the same set of option flags.

If you choose to use a unique set of option flags for a class, assign the class a unique POSIT number. If you choose to share the same set of option flags among several classes, assign those classes the same POSIT number. After creating your class descriptor table, you can activate the classes that comprise it and their respective set of option flags via the appropriate keywords on the SETROPTS command.

Guidelines:
  • A RACF class that has a default return code of 8 should not share a POSIT value with a RACF class having a default return code not equal to 8. If a class with a default return code of 8 is activated but no profiles are defined, user activity that requires access in that class will be prevented.
  • If a class shares a POSIT number with another class, all classes with the shared POSIT number must have the same setting for the GENERIC keyword. See the GENERIC keyword for more information.

There are 1024 POSIT numbers that can identify 1024 sets of option flags. Installations can specify POSIT numbers 19–56 and 128–527. Numbers 0–18, 57–127, and 528–1023 are reserved for IBM's use.
Note: The following text describes the use of POSIT numbers for classes in the static class descriptor table. You can add, delete, and change classes and change their POSIT numbers without the need for re-IPLing if you define your classes in the dynamic class descriptor table. For information about the dynamic class descriptor table, see z/OS Security Server RACF Security Administrator's Guide.

Adding a new class where a unique POSIT number is wanted to the static class descriptor table: Suppose that you decide to define a new class called $TSTCLAS. Since you want this class to be administered separately from any other class, you select a new POSIT number, 22, which is not being used by any other class. Now, when you activate or deactivate SETROPTS options for $TSTCLAS, or grant CLAUTH to this class, no other classes are affected.

Adding a new class that shares a POSIT number with an existing class to the static class descriptor table: Suppose that you have a class called $PONIES that was previously defined with a unique POSIT number, 21. SETROPTS CLASSACT, SETROPTS AUDIT, and SETROPTS STATISTICS are currently in effect on your system for class $PONIES as a result of issuing those commands for class $PONIES.

Later, you decide to define the class of $HORSES, a class related to $PONIES, and logically requiring the same RACF processing options. Therefore, when you code the ICHERCDE macro to include the $HORSES class in the class descriptor table, specify the POSIT number as 21, the same as for $PONIES.

When IPLing with the new ICHRRCDE, the same RACF processing options that are in effect for class $PONIES are automatically in effect for the new class $HORSES: SETROPTS CLASSACT, SETROPTS AUDIT, and SETROPTS STATISTICS.

Further, issuing either of the following commands:
  • SETROPTS GLOBAL($PONIES)
  • SETROPTS GLOBAL($HORSES)
activates global access checking for both the $PONIES and the $HORSES classes. Similarly, issuing either of the following commands:
  • SETROPTS STATISTICS($PONIES)
  • SETROPTS STATISTICS($HORSES)
activates STATISTICS for both the $PONIES and the $HORSES classes.

Any number of classes can share the same POSIT number. For example, a third class called $MARES could be added and could also share POSIT number 21 with $PONIES and $HORSES. Sharing a POSIT number simplifies administration of related classes.

Because you have specified the same POSIT number for both $PONIES and $HORSES (the classes share the same option flags), you do not need to reissue the SETROPTS command to activate the same set of options for $HORSES. RACF does it automatically because a relationship has been established between the POSIT number (on the ICHERCDE macro) and the set of options it represents (activated on the SETROPTS command).

Be aware that if two or more classes share the same POSIT number, and you make a change to the option flag set of one of the classes via the SETROPTS command, the change will also be in effect for all the classes that share that POSIT number. Thus, if you turn off the STATISTICS option for the class of $PONIES, that action turns off the STATISTICS option for the class of $HORSES, because both classes share the same POSIT number. You must code a unique POSIT number for each class if you want RACF to independently control processing options.

Changing an existing installation-defined class in the static class descriptor table: If you change the POSIT value, be aware that changing the POSIT value could cause unexpected results. For example, you could deactivate a class if you change it to use a POSIT value associated with a class that is not active.

If you are changing the POSIT value, do the following before making the change:
  1. Issue the SETROPTS LIST command and record each active option for the class.
  2. Examine your classes to see if any other class is using the current POSIT value. If not, use the SETROPTS command to turn off all the options associated with the class, so that you will not get any extraneous options set if you later add a class using that POSIT value.
  3. Change the POSIT number associated with the class by updating the ICHERCDE macro invocation for the class with the new POSIT number, re-creating ICHRRCDE, and re-IPLing all systems that use the class.
  4. Use the SETROPTS command to set any of the options that are still relevant for the class, using the output of the previous SETROPTS LIST command as reference.

Deleting an installation-defined class from the static class descriptor table: You can delete a class entry from the static class descriptor table by specifying the name of the class to be deleted on the OS-linkage-editor REPLACE statement. For the deletion to take effect, re-IPL all systems that used the class.

You should ensure that all profiles relating to this class are deleted before deleting the class descriptor table entry.

Pay special attention to any unique POSIT values you use. If the class you are deleting has a unique POSIT value, issue a SETROPTS LIST to check what options you are using with the class, for example, CLASSACT, LOGOPTIONS, AUDIT, RACLIST, and so on. Turn off each of the options for the class.

An example: You might have activated your class. You should deactivate the class before re-IPLing your system. If you do not deactivate the class and, at a future date, you create a class with the POSIT value previously used, the class will automatically be active. The same consideration applies to each option controlled by the POSIT value.

PROFDEF=YES|NO
Specifies whether you want RACF to allow profiles to be defined for this RACF resource class. If you specify PROFDEF=NO, RACF will not allow profiles to be defined to this RACF resource class; if a user attempts to define a profile to that class, the RDEFINE command responds with an appropriate message.
RACLIST=ALLOWED|DISALLOWED
Specifies whether SETROPTS RACLIST is to be allowed for the class. If you process the class using SETROPTS RACLIST, RACF brings copies of all discrete and generic profiles within that class into storage in a data space. RACF uses those profiles in storage to check the authorization of any users who want to access the resources. The profiles remain in storage until removed by SETROPTS NORACLIST.
RACLREQ=YES|NO
Specifies whether you must process the class using SETROPTS RACLIST in order to use RACROUTE REQUEST=AUTH. The purpose of this keyword is to allow routines that cannot tolerate I/O to invoke RACF. If you specify YES, and the class is not processed by SETROPTS RACLIST and a RACROUTE REQUEST=AUTH is attempted, the return code is 4. If you do not specify the parameter, it defaults to NO.
RVRSMAC=YES|NO
Specifies whether reverse mandatory access checking is required.

If RVRSMAC=YES is specified, RACF performs a reverse mandatory access check (MAC) when and if a mandatory access check is required. In a reverse mandatory access check, the security label of the resource must dominate that of the user.

RVRSMAC=YES cannot be specified with EQUALMAC=YES.

Note that if this parameter is omitted, it is assigned the default value of RVRSMAC=NO, which means that when and if a mandatory access check is required, the user's security label must dominate that of the resource.

SIGNAL=YES|NO
Specifies whether an ENF signal is sent to listeners when a SETROPTS RACLIST, SETROPTS NORACLIST, or SETROPTS RACLIST REFRESH is issued for the class, activating, deactivating, or updating the profiles used for authorization checking. For information about signals, see the topic on signals in z/OS Security Server RACF System Programmer's Guide.
SLBLREQ=YES|NO
Specifies whether a security label is required for the profiles of this class.

When MLACTIVE is on, each profile in the class must have a security label. The default, SLBLREQ=NO, means that RACF will not require a security label for profiles in this class; however, if a security label exists for this profile, and the SECLABEL class is active, RACF will use it during authorization checking.

SLBLREQ=NO applies to general resource classes that have no profiles, such as DIRAUTH, or to classes that contain no data, such as OPERCMDS and SECLABEL.

Copyright IBM Corporation 1990, 2014