z/OS Security Server RACF Command Language Reference


ALTDSD (Alter data set profile)

SA23-2292-00

Purpose

Use the ALTDSD command to:
  • Modify an existing discrete or generic data set profile.
  • Protect a single volume of either a multivolume tape data set or a multivolume, non-VSAM DASD data set. (At least one volume must already be RACF-protected.)
  • Remove RACF-protection from either a single volume of a multivolume tape data set or a single volume of a multivolume, non-VSAM DASD data set. (You cannot delete the last volume from the profile.)
Changes made to discrete profiles take effect after the ALTDSD command is processed. Changes made to generic profiles do not take effect until one or more of the following steps is taken:
  • The user of the data set issues the LISTDSD command:
    LISTDSD DA(data-set-protected-by-the-profile) GENERIC
    Note: Use the data set name, not the profile name.
  • The security administrator issues the SETROPTS command:
    SETROPTS GENERIC(DATASET) REFRESH

    See SETROPTS command for authorization requirements.

  • The user of the data set logs off and logs on again.
Note: For more information, refer to z/OS Security Server RACF Security Administrator's Guide.

Issuing options

The following table identifies the eligible options for issuing the ALTDSD command:

  • As a RACF® TSO command? Yes
  • As a RACF operator command? Yes
  • With command direction? Yes
  • With automatic command direction? Yes
  • From the RACF parameter library? Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To use the ALTDSD command, you must have sufficient authority over the profile. RACF makes the following checks until one of these conditions is met:
  • You have the SPECIAL attribute.
  • The data set profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • You are the owner of the profile.
  • The high-level qualifier of the profile name (or the qualifier supplied by the RACF naming conventions table or by a command installation exit) is your user ID.
  • To assign a security label, you must have the SPECIAL attribute or have READ access to the security label profile. However, the security administrator can limit the ability to assign security labels only to users with the SPECIAL attribute.
  • To access the DFP or TME segment, field-level access checking is required.
  • For a discrete profile, you are in the access list for the discrete profile and you have ALTER authority. (If you have any other level of authority, you cannot alter this profile.)
  • For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list and has ALTER authority.
  • For a discrete profile, the universal access authority is ALTER.

To use the GLOBALAUDIT operand, you must have the AUDITOR attribute, or the data set profile must be within the scope of a group in which you have the group-AUDITOR attribute.

If you have the AUDITOR attribute or the data set profile is within the scope of a group in which you have the group-AUDITOR attribute, but you do not satisfy one of the above checks, you can specify only the GLOBALAUDIT operand.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

To assign a security category to a profile, or to delete a category from a profile, you must have the SPECIAL attribute, or the category must be in your user profile.

To assign a security level to a profile, you must have the SPECIAL attribute, or, in your own profile, a security level that is equal to, or greater than, the security level you are assigning.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ALTDSD command is:

   
[subsystem-prefix]{ALTDSD | ALD}
  (profile-name [ /password ] )
  [ ADDCATEGORY(category-name …)
  | DELCATEGORY [( {category-name … | *} )] ]
  [ ADDVOL(volume-serial)
  | DELVOL(volume-serial)
  | ALTVOL(old-volume-serial new-volume-serial) ]
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ AUDIT(access-attempt[(audit-access-level)] ) ]
  [ DATA('installation-defined-data') | NODATA ]
  [ DFP(RESOWNER(userid or group-name) | NORESOWNER)
  | NODFP ]
  [ ERASE | NOERASE ]
  [ GENERIC | SET | NOSET ]
  [ GLOBALAUDIT(access-attempt[(audit-access-level)] ) ]
  [ LEVEL(nn) ]
  [ NOTIFY(userid) | NONOTIFY ]
  [ OWNER(userid or group-name) ]
  [ RETPD(nnnnn) ]
  [ SECLABEL(seclabel-name) | NOSECLABEL ]
  [ SECLEVEL(seclevel-name) | NOSECLEVEL ]
  [ TME(
      [ ROLES(role-access-specification …)
      | ADDROLES(role-access-specification …)
      | DELROLES(role-access-specification …)
      | NOROLES ]
      )
  | NOTME ]
  [ UACC(access-authority) ]
  [ UNIT(type) ]
  [ VOLUME(volume-serial) ]
  [ WARNING | NOWARNING ]

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

profile-name
Specifies the name of a discrete or generic data set profile. If you specify more than one profile name, the list of names must be enclosed in parentheses.

This operand is required and must be the first operand following ALTDSD.

Note:
  1. Because RACF uses the RACF database and not the system catalog, you cannot use alias data set names.
  2. If you specify a generic profile name, RACF ignores these operands:
    • ADDVOL | DELVOL | ALTVOL
    • SET | NOSET
    • UNIT
    • VOLUME
/password
Specifies the data set password if you are altering the profile for a password-protected data set. This operand applies only if you are using the ADDVOL and SET operands for a volume of a multivolume password-protected data set. The WRITE level password must then be specified.

If the command is executing in the foreground and you omit the password for a password-protected data set, RACF uses the logon password. You are prompted if the password you enter or the logon password is incorrect.

If the command is executing in a batch job and you either omit the password for a password-protected data set or supply an incorrect password, the operator is prompted.

You can use this operand only for tape data sets and non-VSAM DASD data sets. If you specify a generic profile, RACF ignores this operand.

ADDCATEGORY | DELCATEGORY
ADDCATEGORY(category-name …)
Specifies one or more names of installation-defined security categories. category-name must be defined as a member of the CATEGORY profile in the SECDATA class. (For information on defining security categories, see z/OS Security Server RACF Security Administrator's Guide.)

Specifying ADDCATEGORY on the ALTDSD command causes RACF to add any category names you specify to any list of required categories that already exists in the data set profile. All users previously allowed to access the data set can continue to do so only if their profiles also include the additional category names.

When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a data set, RACF compares the list of security categories in the user profile with the list of security categories in the data set profile. If RACF finds any security category in the data set profile that is not in the user's profile, RACF denies access to the data set. If the user's profile contains all the required security categories, RACF continues with other authorization checking.

Note: RACF does not perform security category checking for a started task or user that has the RACF trusted or privileged attribute. The RACF trusted or privileged attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.
DELCATEGORY[(category-name … | *)]
Specifies one or more names of installation-defined security categories you want to delete from the data set profile. Specifying an asterisk (*) deletes all categories; RACF no longer performs security category checking for the data set profile.

Specifying DELCATEGORY by itself causes RACF to delete from the profile only undefined category names (those category names that were once known to RACF but that the installation has since deleted from the CATEGORY profile.)

ADDVOL | DELVOL | ALTVOL
ADDVOL(volume-serial)
Specifies that you want to RACF-protect the portion of the data set residing on this volume. At least one other portion of the data set on a different volume must already have been RACF-protected. You can use this operand only for tape data sets and non-VSAM data sets.

The DASD volume must be online unless you also specify NOSET. If it is not online and you omit NOSET, the ALTDSD command processor will, if you have TSO MOUNT authority, request that the volume be mounted.

RACF ignores this operand if you specify a generic profile name.

Note: The maximum number of volume serials for a tape data set with an entry in the TVTOC is 42.
DELVOL(volume-serial)
Specifies that you want to remove RACF-protection from the portion of the data set residing on this volume. If no other portions of this data set on another volume are RACF-protected, the command terminates. (Use the DELDSD command to delete the profile from RACF.) You can use this operand only for tape data sets and non-VSAM DASD data sets.

The DASD volume must be online unless you also specify NOSET. If it is not online and you omit NOSET, the ALTDSD command processor requests that the volume be mounted.

RACF ignores this operand if you specify a generic profile name.

ALTVOL(old-volume-serial new-volume-serial)
Specifies that you want to change the volume serial number in the data set profile. You can specify this operand for both VSAM and non-VSAM DASD data sets, but you cannot specify it for tape data sets. If you specify ALTVOL for a tape data set, the command fails.

When you specify ALTVOL, RACF ignores the SET and NOSET operands and modifies the data set profile, but it does not process the RACF indicator.

RACF ignores this operand if you specify a generic profile name.

To specify ALTVOL, you must have the SPECIAL attribute, or the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit routine) must be your user ID.

AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

AUDIT(access-attempt[(audit-access-level)] )
Specifies which access attempts and access levels the user who has the AUDITOR attribute wants logged to the SMF data set.
access-attempt
Specifies which new access attempts you want logged to the SMF data set. The following options are available:
ALL
Specifies that you want to log both authorized accesses and detected unauthorized access attempts.
FAILURES
Specifies that you want to log detected unauthorized access attempts.
NONE
Specifies that you do not want any logging to be done.
SUCCESS
Specifies that you want to log authorized accesses.

If you specify AUDIT without a value, RACF ignores it.

audit-access-level
Specifies which access levels you want logged to the SMF data set. The levels you can specify are:
ALTER
Logs ALTER access-level attempts only.
CONTROL
Logs access attempts at the CONTROL and ALTER levels.
READ
Logs access attempts at any level. READ is the default value if you omit audit-access-level.
UPDATE
Logs access attempts at the UPDATE, CONTROL, and ALTER levels.

You cannot audit access attempts at the EXECUTE level.

DATA | NODATA
DATA('installation-defined-data')
Specifies up to 255 characters of installation-defined data to be stored in the data set profile and must be enclosed in single quotation marks. It can also contain double-byte character set (DBCS) data.

Use the LISTDSD command to list this information.

NODATA
Specifies that the ALTDSD command is to delete any installation-defined data in the data set profile.
DFP | NODFP
DFP
Specifies that for an SMS-managed data set, you can change the following information:
RESOWNER(userid or group-name) | NORESOWNER
Specifies the user ID or group name of the actual owner of the data sets protected by the profile specified in profile-name-1. The name specified for RESOWNER must be a RACF-defined user or group. (The data set resource owner, or RESOWNER, is distinguished from the OWNER, which represents the user or group that owns the data set profile).

If NORESOWNER is specified, the user or group represented by the high level qualifier of the data set profile is assigned as the owner of data sets protected by the profile when SMS needs to determine the RESOWNER.

You can control access to the entire DFP segment or to individual fields within the DFP segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

NODFP
Specifies that RACF should delete the DFP segment from the data set profile.
ERASE | NOERASE
ERASE
Specifies that when SETROPTS ERASE is active, data management is to physically erase the contents of deleted data sets and scratched or released DASD extents. Erasing the data set means overwriting its contents with binary zeroes so that it cannot be read.
Restrictions: The ERASE operand is ignored when any of the following conditions exist:
NOERASE
Specifies that data management is not to physically erase the contents of deleted data sets and scratched or released DASD extents.
Restrictions: Setting NOERASE has no effect and does not prevent a scratched data set from being erased for either one of the following conditions:
  • SETROPTS ERASE(ALL) is in effect.
  • SETROPTS ERASE(SECLEVEL(security-level)) is in effect and the scratched data set has a security level that is equal to or higher than the security-level specified with SETROPTS.
GENERIC | SET | NOSET
If you do not specify GENERIC, SET, or NOSET, the default value is SET.
GENERIC
Specifies that RACF is to treat the profile name as a generic name, even if it does not contain any generic characters.
SET | NOSET
Specifies whether the data set is to be RACF-indicated. RACF ignores SET and NOSET if you do not use the ADDVOL or DELVOL operand or specify a generic profile name.
SET
Specifies that:
  • The data set on this volume is to be RACF-indicated if you also specify the ADDVOL operand. If the indicator is already on, the command fails.
  • The RACF-indicator for the data set on this volume is to be set off if you also specify the DELVOL operand. If the indicator is already off, the command fails.

For a DASD data set, the volume indicated in the ADDVOL or DELVOL operand must be online.

NOSET
Specifies that RACF is not to change the RACF indicator for the data set.

The volume indicated in the ADDVOL or DELVOL operand does not have to be online.

To use NOSET, you must have the SPECIAL attribute, or the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit) must be your user ID. If you are not authorized, RACF ignores the NOSET and ADDVOL or DELVOL operands.

GLOBALAUDIT(access-attempt[(audit-access-level)] )
Specifies which access attempts and access levels the user who has the AUDITOR attribute wants logged to the SMF data set.
access-attempt
Specifies which access attempts the user who has the AUDITOR attribute wants logged to the SMF data set. The following options are available:
ALL
Specifies that you want to log both authorized accesses and detected unauthorized access attempts.
FAILURES
Specifies that you want to log detected unauthorized access attempts.
NONE
Specifies that you do not want any logging to be done.
SUCCESS
Specifies that you want to log authorized accesses.

If you specify AUDIT without a value, RACF ignores it.

audit-access-level
Specifies which access levels the user who has the AUDITOR attribute wants logged to the SMF data set. The levels you can specify are:
ALTER
Logs ALTER access-level attempts only.
CONTROL
Logs access attempts at the CONTROL and ALTER levels.
READ
Logs access attempts at any level. READ is the default value if you omit audit-access-level.
UPDATE
Logs access attempts at the UPDATE, CONTROL, and ALTER levels.

You cannot audit access attempts at the EXECUTE level.

To use the GLOBALAUDIT operand, you must have the AUDITOR attribute, or the profile must be within the scope of a group in which you have the group-AUDITOR attribute.

Note: Regardless of the value specified in GLOBALAUDIT, RACF always logs all access attempts specified on the AUDIT operand.
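
The logging rules given above for the AUDIT and GLOBALAUDIT operands can be evaluated offline to see which access attempts a profile setting leaves unlogged. The following Python model is an added example, not IBM code: parse_audit, is_logged and coverage_gaps are hypothetical names, and the model covers only these two profile operands, not any other logging control.

```python
import re

# Auditable access levels, lowest to highest. EXECUTE is absent on purpose:
# the operand description states that it cannot be audited.
LEVELS = ["READ", "UPDATE", "CONTROL", "ALTER"]
OUTCOMES = ("SUCCESS", "FAILURES")

# One access-attempt with an optional (audit-access-level).
_ITEM = re.compile(r"\s*([A-Z]+)\s*(?:\(\s*([A-Z]+)\s*\))?")


def parse_audit(value):
    """Parse the text inside AUDIT(...) or GLOBALAUDIT(...).

    Returns {"SUCCESS": threshold, "FAILURES": threshold}, where threshold is
    the lowest requested access level that is logged (None = not logged).
    Returns None for an empty value, which RACF ignores.
    """
    text = value.strip().upper()
    if not text:
        return None
    rules = {"SUCCESS": None, "FAILURES": None}
    pos = 0
    while pos < len(text):
        m = _ITEM.match(text, pos)
        if m is None:
            raise ValueError(f"cannot parse {value!r} at offset {pos}")
        attempt, level = m.group(1), m.group(2) or "READ"  # READ is the default
        if level not in LEVELS:
            raise ValueError(f"{level} is not an auditable access level")
        if attempt == "ALL":
            rules = {"SUCCESS": level, "FAILURES": level}
        elif attempt == "NONE":
            rules = {"SUCCESS": None, "FAILURES": None}
        elif attempt in OUTCOMES:
            rules[attempt] = level
        else:
            raise ValueError(f"unknown access-attempt {attempt}")
        pos = m.end()
    return rules


def _covers(rules, outcome, level):
    threshold = rules.get(outcome) if rules else None
    return threshold is not None and LEVELS.index(level) >= LEVELS.index(threshold)


def is_logged(audit, globalaudit, outcome, level):
    """True if an attempt with this outcome at this requested level is logged.

    GLOBALAUDIT can only add logging: whatever AUDIT selects is always logged.
    """
    if outcome not in OUTCOMES or level not in LEVELS:
        raise ValueError("outcome must be SUCCESS/FAILURES, level an auditable level")
    return _covers(audit, outcome, level) or _covers(globalaudit, outcome, level)


def coverage_gaps(audit, globalaudit=None):
    """List the (outcome, level) combinations that neither operand logs."""
    return [(o, l) for o in OUTCOMES for l in LEVELS
            if not is_logged(audit, globalaudit, o, l)]


if __name__ == "__main__":
    # AUDIT value taken from Example 6 on this page; GLOBALAUDIT from Example 4.
    audit = parse_audit("FAILURES(READ) SUCCESS (UPDATE)")
    print("gaps with AUDIT only:   ", coverage_gaps(audit))
    print("gaps with GLOBALAUDIT:  ",
          coverage_gaps(audit, parse_audit("SUCCESS(READ)")))
```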
LEVEL(nn)
Specifies a new level indicator, where nn is an integer 0 - 99.

Your installation assigns the meaning of the value.

RACF includes it in all records that log data set accesses and in the LISTDSD command display.

NOTIFY | NONOTIFY
NOTIFY[(userid)]
Specifies the user ID of a user to be notified whenever RACF uses this profile to deny access to a data set. If you specify NOTIFY without specifying a user ID, RACF takes your user ID as the default; you are notified whenever the profile denies access to a data set.

A user who is to receive NOTIFY messages should log on frequently, both to take action in response to the unauthorized access attempts the messages describe and to clear the messages from the SYS1.BRODCAST data set. (When the profile also includes WARNING, RACF might have granted access to the data set to the user identified in the message.)

Note: The user ID specified on the NOTIFY operand is not notified when the profile disallows creation or deletion of a data set. NOTIFY is only used for resource access checking, not for resource creation or deletion.
NONOTIFY
Specifies that no user is to be notified when RACF uses this profile to deny access to a data set.
OWNER(userid or group-name)
Specifies a RACF-defined user or group to be the new owner of the data set profile. If you specify a user ID as the owner of a group data set profile, the specified user must have at least USE authority in the group to which the data set profile belongs.

To change the owner of a profile, you must be the current owner of the profile or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute.

Note: The user specified as the owner does not automatically have access to the data set. Use the PERMIT command to add the owner to the access list as desired.
RETPD(nnnnn)
Specifies the RACF security retention period for a tape data set. The security retention period is the number of days that must elapse before a tape data set profile expires. (Note that, even though the data set profile expires, RACF-protection for data sets protected by the profile is still in effect. For more information, see z/OS Security Server RACF Security Administrator's Guide.)

The number you specify must be 1 to 5 digits in the range of 0 through 65533 or, to indicate a data set that never expires, 99999.

Using RETPD to change the RACF security retention period for a data set means that the RACF security retention period and the data set retention period specified by the EXPDT/RETPD parameters on the JCL DD statement are no longer the same.

When the TAPEVOL class is active, RACF checks the RACF security retention period before it allows a data set to be overwritten. RACF adds the number of days in the retention period to the creation date for the data set. If the result is less than the current date, RACF continues to protect the data set.

When the TAPEVOL class is not active, RACF ignores the RETPD operand.

Specifying this operand for a DASD data set does not cause an error, but it has no meaning because RACF ignores the operand during authorization checking.

SECLABEL | NOSECLABEL
SECLABEL(seclabel-name)
Specifies an installation-defined security label for this profile. A security label corresponds to a particular security level (such as CONFIDENTIAL) with a set of zero or more security categories (such as PAYROLL or PERSONNEL).

RACF stores the name of the security label you specify in the data set profile if you are authorized to use that SECLABEL.

If you are not authorized to the SECLABEL or if the name you had specified is not defined as a SECLABEL profile in the SECLABEL class, the data set profile is not updated.

Note: If the SECLABEL class is active and the security label is specified in this profile, any security levels and categories in the profile are ignored.
NOSECLABEL
Removes the security label, if one had been specified, from the profile.
SECLEVEL | NOSECLEVEL
SECLEVEL(seclevel-name)
Specifies the name of an installation-defined security level. This name corresponds to the number that is the minimum security level that a user must have to access the data set. The seclevel-name must be a member of the SECLEVEL profile in the SECDATA class.

When you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to its other authorization checking. If global access checking does not grant access, RACF compares the security level allowed in the user profile with the security level required in the data set profile. If the security level in the user profile is less than the security level in the data set profile, RACF denies the access. If the security level in the user profile is equal to or greater than the security level in the data set profile, RACF continues with other authorization checking.

Note: RACF does not perform security level checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.

If the SECDATA class is not active, RACF stores the name you specify in the data set profile. When the SECDATA class is activated and the name you specified is defined as a SECLEVEL profile, RACF can perform security level access checking for the data set profile. If the name you specify is not defined as a SECLEVEL profile and the SECDATA class is active, you are prompted to provide a valid security level name.

NOSECLEVEL
Specifies that the ALTDSD command is to delete the security level name from the profile. RACF no longer performs security level access checking for the data set.
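
Because ADDCATEGORY and SECLEVEL tighten access for users who were previously allowed, it helps to see who would start failing the security category and security level checks before the command is issued. The following Python model is an added example, not IBM code: the class and function names are hypothetical, the user list and the numeric security levels are constructed, the SECDATA class is assumed active, and checking the level before the categories is an assumption.

```python
from dataclasses import dataclass, replace

# Constructed installation data standing in for the CATEGORY and SECLEVEL
# profiles in the SECDATA class. Names follow Example 1; numbers are assumed.
DEFINED_CATEGORIES = {"FINANCIAL", "PERSONNEL"}
SECLEVELS = {"PUBLIC": 10, "PERSONAL": 50}


@dataclass(frozen=True)
class User:
    userid: str
    seclevel: str = ""
    categories: frozenset = frozenset()
    trusted_or_privileged: bool = False


@dataclass(frozen=True)
class Profile:
    name: str
    seclevel: str = ""
    categories: frozenset = frozenset()


def secdata_check(user, profile):
    """Return (ok, reason). ok=True only means RACF continues with its other
    authorization checking; it does not mean access is granted."""
    if user.trusted_or_privileged:
        return True, "trusted/privileged: level and category checks skipped"
    if SECLEVELS.get(user.seclevel, 0) < SECLEVELS.get(profile.seclevel, 0):
        return False, f"security level {user.seclevel or 'none'} below {profile.seclevel}"
    missing = profile.categories - user.categories
    if missing:
        return False, "missing categories: " + " ".join(sorted(missing))
    return True, "passes level and category checks"


def altdsd(profile, addcategory=(), delcategory=None, seclevel=None, noseclevel=False):
    """Model ADDCATEGORY | DELCATEGORY and SECLEVEL | NOSECLEVEL.

    delcategory: None = operand absent, () = DELCATEGORY by itself,
    ("*",) = delete all categories, otherwise the names to delete.
    """
    if addcategory and delcategory is not None:
        raise ValueError("ADDCATEGORY and DELCATEGORY are mutually exclusive")
    if seclevel is not None and noseclevel:
        raise ValueError("SECLEVEL and NOSECLEVEL are mutually exclusive")
    unknown = set(addcategory) - DEFINED_CATEGORIES
    if unknown:
        raise ValueError("not in the CATEGORY profile: " + " ".join(sorted(unknown)))
    if seclevel is not None and seclevel not in SECLEVELS:
        raise ValueError(f"{seclevel} is not in the SECLEVEL profile")
    cats = set(profile.categories) | set(addcategory)
    if delcategory is not None:
        if "*" in delcategory:
            cats.clear()                  # category checking stops for the profile
        elif delcategory:
            cats -= set(delcategory)
        else:
            cats &= DEFINED_CATEGORIES    # drops only names no longer defined
    level = "" if noseclevel else (seclevel if seclevel is not None else profile.seclevel)
    return replace(profile, seclevel=level, categories=frozenset(cats))


def lockout_report(users, before, after):
    """Users who pass the checks under `before` but fail them under `after`."""
    report = {}
    for user in users:
        if secdata_check(user, before)[0]:
            ok, reason = secdata_check(user, after)
            if not ok:
                report[user.userid] = reason
    return report


def demo():
    """Example 1's ALTDSD applied to a constructed set of users."""
    both = frozenset({"FINANCIAL", "PERSONNEL"})
    users = [
        User("AEH0", "PERSONAL", both),
        User("CLERK1", "PERSONAL", frozenset({"FINANCIAL"})),
        User("TEMP2", "PUBLIC", both),
        User("BATCHSTC", trusted_or_privileged=True),
    ]
    before = Profile("PAYROLL.DEPT2.DATA")
    after = altdsd(before, addcategory=("FINANCIAL", "PERSONNEL"), seclevel="PERSONAL")
    return lockout_report(users, before, after)


if __name__ == "__main__":
    for userid, reason in demo().items():
        print(f"{userid:8} would be denied: {reason}")
```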
TME | NOTME
TME
Specifies that information for the Tivoli® Security Management Application is to be added, changed, or deleted.
Note: The TME segment fields are intended to be updated only by the Tivoli Security Management Application, which manages updates, permissions, and cross references. A security administrator should only directly update Tivoli Security Management fields on an exception basis.
ROLES(role-access-specification …)
Specifies a list of roles and associated access levels related to this profile.
One or more role-access-specification values can be specified, each separated by blanks. Each value should contain no imbedded blanks and should have the following format:
role-name:authority[:conditional-class:conditional-profile]
where role-name is a discrete general resource profile defined in the ROLE class. The authority is the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER) with which groups in the role definition should be permitted to the resource.

The conditional-class is a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID) for conditional access permission, and is followed by the conditional-profile value, a resource profile defined in the conditional class.

ADDROLES(role-access-specification …)
Specifies that specific roles and access levels are to be added to the current list.
DELROLES(role-access-specification …)
Specifies that specific roles from the current list of roles are to be removed.
NOROLES
Specifies that the entire list of roles be removed.
NOTME
Specifies that RACF delete the TME segment from the profile.
UACC(access-authority)
Specifies the universal access authority to be associated with the data sets. The universal access authorities are ALTER, CONTROL, READ, UPDATE, EXECUTE, and NONE. If you specify CONTROL for a tape data set or a non-VSAM DASD data set, RACF treats the access authority as UPDATE. If you specify EXECUTE for a tape data set or a DASD data set not used as a program library, RACF treats the access authority as NONE.

If a user accessing a data set has the RESTRICTED attribute, RACF treats the universal access authority (UACC) as NONE for that access attempt.

If you enter UACC without a value, RACF retains the old universal access authority for the data sets.

UNIT(type)
Specifies the unit type to be added to the data set profile on which a non-VSAM data set resides. You can specify an installation-defined unit name, a generic device type, or a specific device address. RACF ignores this operand if you specify a generic profile name.
VOLUME(volume-serial)
Specifies the volume on which the tape data set, the non-VSAM DASD data set, or the catalog for the VSAM data set resides.

If you specify VOLUME and volume-serial does not appear in the profile for the data set, the command fails. If you omit VOLUME and the data set name appears more than once in the RACF database, the command fails. If you omit VOLUME and the data set name appears only once in the RACF database, no volume serial checking is performed and processing continues.

RACF ignores this operand if you specify a generic profile name.

WARNING | NOWARNING
WARNING
Specifies that even if access authority is insufficient, RACF is to issue a warning message and allow access to the resource. RACF also records the access attempt in the SMF record if logging is specified in the profile.

When SETROPTS MLACTIVE(FAILURES) is in effect: A user or task can access a data set that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access.

NOWARNING
Specifies that if access authority is insufficient, RACF is to deny the user access to the resource and not issue a warning message.

Examples

     
Example 1
Operation: User AEH0 owns data set profile PAYROLL.DEPT2.DATA and wants to assign ownership of the data set to group PAYROLL. Only users with categories of FINANCIAL and PERSONNEL and a security level of PERSONAL are to be able to access the data set.
Known: Data set PAYROLL.DEPT2.DATA is RACF-defined with a discrete profile. FINANCIAL and PERSONNEL are valid categories of access; PERSONAL is a valid security level name. User AEH0 wants to issue the command as a RACF TSO command.
Command: ALTDSD 'PAYROLL.DEPT2.DATA' OWNER(PAYROLL) ADDCATEGORY(FINANCIAL PERSONNEL) SECLEVEL(PERSONAL)
Defaults: None.

Example 2
Operation: User WRH0 wants to change the universal access authority to NONE for data set RESEARCH.PROJ02.DATA and wants to have all accesses to the data set logged on SMF records. User ADMIN02 is to be notified when RACF uses this profile to deny access to the data set. The data set is to be erased when it is deleted (scratched).
Known: User WRH0 has ALTER access to data set profile RESEARCH.PROJ02.DATA. User WRH0 is logged onto group RESEARCH. User WRH0 wants to issue the command as a RACF TSO command. User ADMIN02 is a RACF-defined user. Data set RESEARCH.PROJ02.DATA is RACF-defined with a generic profile. The SETROPTS ERASE option has been specified for the installation.
Command: ALTDSD 'RESEARCH.PROJ02.DATA' UACC(NONE) AUDIT(ALL(READ)) GENERIC NOTIFY(ADMIN02) ERASE
Defaults: None.

Example 3
Operation: User CD0 wants to remove RACF-protection from volume 222222 of the multivolume data set CD0.PROJ2.DATA.
Known: CD0.PROJ2.DATA is a non-VSAM data set that resides on volumes 111111 and 222222 and is defined to RACF with a discrete profile. Volume 222222 is online. User CD0's TSO profile specifies PREFIX (CD0). User CD0 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
Command: @ALTDSD PROJ2.DATA DELVOL(222222)
Defaults: None.

Example 4
Operation: User RVD02 wants to have all successful accesses to data set PAYROLL.ACCOUNT on volume SYS003 to be logged to the SMF data set.
Known: User RVD02 has the AUDITOR attribute. User RVD02 wants to issue the command as a RACF TSO command.
Command: ALTDSD 'PAYROLL.ACCOUNT' GLOBALAUDIT(SUCCESS(READ)) VOLUME(SYS003)
Defaults: None.

Example 5
Operation: User SJR1 wants to modify the installation-defined information associated with the tape data set SYSINV.ADMIN.DATA. The RACF security retention period is to be 360 days.
Known: User SJR1 has ALTER authority to the data set profile. User SJR1 wants to issue the command as a RACF TSO command. Tape data set protection is active.
Command: ALTDSD 'SYSINV.ADMIN.DATA' DATA('LIST OF REVOKED RACF USERIDS') RETPD(360)
Defaults: None.

Example 6
Operation: User ADM1 wants to log all unauthorized access attempts and all successful updates to data sets protected by a generic profile (SALES.ABC.*).
Known: User ADM1 has the SPECIAL attribute. User ADM1 wants to issue the command as a RACF TSO command.
Command: ALTDSD 'SALES.ABC.*' AUDIT (FAILURES(READ) SUCCESS (UPDATE))
Defaults: None.

Example 7
Operation: User ADM1 owns the DFP-managed data set RESEARCH.TEST.DATA3 and wants to assign user ADM6 as the data set resource owner. User ADM1 wants to direct the command to run at node CLCON under the authority of user DROLLO and prohibit the command from being automatically directed to other nodes.
Known: Data set RESEARCH.TEST.DATA3 is RACF-defined with a discrete profile. Users ADM1 and DROLLO at CLCON have the SPECIAL attribute, and ADM6 is defined to RACF on node CLCON. User ADM1 wants to issue the command as a RACF TSO command. Users ADM1 and DROLLO at CLCON have an already established user ID association.
Command: ALTDSD 'RESEARCH.TEST.DATA3' DFP(RESOWNER(ADM6)) ONLYAT(CLCON.DROLLO)
Results: The command is only processed on the node CLCON and not automatically directed to any other nodes in the RRSF configuration.





Copyright IBM Corporation 1990, 2014