Purpose

Use the RDEFINE command to:
- Define to RACF® all resources belonging to classes specified in the class descriptor table.
- Create entries in the global access checking table.
- Define security categories and security levels.
- Define classes (as profiles in the RACGLIST class) for which RACF saves RACLISTed results on the RACF database.
- Define the attributes of classes in the dynamic class descriptor table.
- Define a custom field and its attributes.

The RDEFINE command adds a profile for the resource to the RACF database in order to control access to the resource. It also places your user ID on the access list and gives you ALTER authority to the resource unless SETROPTS NOADDCREATOR is in effect.

You cannot use the RDEFINE command to define users, groups, data sets, certificates, certificate key rings, or certificate mappings.

To have changes take effect after defining a generic profile if the class is not RACLISTed by either the SETROPTS RACLIST or RACROUTE REQUEST=LIST, GLOBAL=YES, one of the following steps is required:

To have changes take effect after defining a generic profile if the class is RACLISTed, the security administrator issues the following command:

    SETROPTS RACLIST(class-name) REFRESH

For more information, refer to z/OS Security Server RACF Security Administrator's Guide.

Attention:
- When the RDEFINE command is issued from ISPF, the TSO command buffer (including SESSKEY and SSIGNON) is written to the ISPLOG data set. As a result, you should not issue this command from ISPF or you must control the ISPLOG data set carefully.
- If the RDEFINE command is issued as a RACF operator command, the command and all data is written to the system log. Therefore, use of RDEFINE as a RACF operator command should either be controlled or you should issue the command as a TSO command.
Issuing options

The following table identifies the eligible options for issuing the RDEFINE command:

| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands. For information on issuing this command as a RACF operator command, refer to RACF operator commands. You must be logged on to the console to issue this command as a RACF operator command.
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To use the RDEFINE command, you must have either the SPECIAL attribute or minimally the CLAUTH authority for the class.

If you have CLAUTH authority but not the SPECIAL attribute, you may need to be authorized as follows:
- If you have CLAUTH authority for the GLOBAL class, and group-SPECIAL authority in a group, you can add members whose high-level qualifier is the group name or a user ID in the scope of the group. This applies only to classes that are sensitive to high-level qualifiers, such as DATASET.
- If the name to be defined is not already defined to RACF as a member of a resource group and you are defining a profile in a normal (non-member, non-grouping) class, you must be authorized to define resources for the specified class. (This authority can be established with the CLAUTH operand on the ADDUSER or ALTUSER command.)
- If the name to be defined is not already defined to RACF as a member of a resource group and you are defining a profile in a member class or a member of a grouping class, you must be authorized to define resources for the specified class. (This authority can be established with the CLAUTH operand on the ADDUSER or ALTUSER command.)
- If the resource to be defined is a discrete name already defined to RACF as a member of a resource group, you can define it as a resource to RACF if you have ALTER authority, or if the resource group profile is within the scope of a group in which you have the group-SPECIAL attribute, or if you are the owner of the resource group profile. If authority conflicts arise because the resource is a member of more than one group and the user's authority in those groups differs, RACF resolves the conflict by using the least restrictive authority (unless modified by the installation).
- If you do not have the SPECIAL attribute and the SETROPTS GENERICOWNER option is in effect, and if an existing generic profile protects the profile name you are defining, you need to own the less specific profile.
  - If the less specific profile is within the scope of a group in which you have group-SPECIAL, you are considered to own the profile.
  - GENERICOWNER does not apply to the PROGRAM general resource class.
  - For additional information on the GENERICOWNER option and restricting the creation of general resource profiles, see z/OS Security Server RACF Security Administrator's Guide.
- To assign a security category to a profile, you must have the category in your user profile.
- To assign a security level to a profile, your own profile must have a security level that is equal to or greater than the security level you are defining.
- To use the ADDMEM operand, see the description of the ADDMEM operand for information on the authority required to use the operand.
- To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
- To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
- To define segments other than the base segment, such as DLFDATA, you must have the SPECIAL attribute or your installation must permit you to do so through field-level access checking.
- To assign a security label to a profile, you must have READ access to the security label profile. However, the security administrator can limit the ability to assign security labels to only users with the SPECIAL attribute.
- Only a SPECIAL user can define a delegated resource (by specifying the RACF-DELEGATED string in the APPLDATA of the profile protecting the resource) when the resource has a SECLABEL and SETROPTS SECLABELCONTROL is in effect.
To define a profile in the FILE or DIRECTRY class, one of the following must be true:
- The second qualifier of the profile name must match your user ID.
- You must have the SPECIAL attribute.
- The profile name must be within the scope of a group in which you have the group-SPECIAL attribute.

Model profiles: To specify a model profile (using, as required, FROM, FCLASS, FGENERIC, and FVOLUME), you must have sufficient authority over the model profile (the from profile). RACF makes the following checks until one of the conditions is met:
- You have the SPECIAL attribute.
- The from profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You are the owner of the from profile.
- If the FCLASS operand is DATASET, the high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit) is your user ID.
- For a discrete profile, you are on the access list in the from profile with ALTER authority. (If you have any lower level of authority, you cannot use the profile as a model.)
- For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list in the from profile with ALTER authority.
- For a discrete profile, the universal access authority (UACC) is ALTER.
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RDEFINE command is:
    [subsystem-prefix]{RDEFINE | RDEF}
        class-name
        (profile-name-1 …)
        [ ADDCATEGORY(category-name …) ]
        [ ADDMEM(member …) ]
        [ APPLDATA('application-data') ]
        [ AT([node].userid …) | ONLYAT([node].userid …) ]
        [ AUDIT( access-attempt[(audit-access-level)] …) ]
        [ CDTINFO(
            [ CASE( UPPER | ASIS ) ]
            [ DEFAULTRC( 0 | 4 | 8 ) ]
            [ DEFAULTUACC( ACEE | ALTER | CONTROL | UPDATE | READ | NONE ) ]
            [ FIRST( characters-allowed … ) ]
            [ GENERIC( ALLOWED | DISALLOWED ) ]
            [ GENLIST( ALLOWED | DISALLOWED ) ]
            [ GROUP( grouping-class-name ) ]
            [ KEYQUALIFIERS( 0 | nnn ) ]
            [ MACPROCESSING( NORMAL | REVERSE | EQUAL ) ]
            [ MAXLENGTH( 8 | nnn ) ]
            [ MAXLENX( nnn ) ]
            [ MEMBER( member-class-name ) ]
            [ OPERATIONS( YES | NO ) ]
            [ OTHER( characters-allowed …) ]
            [ POSIT( nnn ) ]
            [ PROFILESALLOWED( YES | NO ) ]
            [ RACLIST( ALLOWED | DISALLOWED | REQUIRED ) ]
            [ SECLABELSREQUIRED( YES | NO ) ]
            [ SIGNAL( YES | NO ) ]
          ) ]
        [ CFDEF(
            [ TYPE( CHAR | FLAG | HEX | NUM ) ]
            [ FIRST( ALPHA | ALPHANUM | ANY | NONATABC | NONATNUM | NUMERIC ) ]
            [ HELP( help-text ) ]
            [ LISTHEAD( list-heading-text ) ]
            [ MAXLENGTH( maximum-field-length ) ]
            [ MAXVALUE( maximum-numeric-value ) ]
            [ MINVALUE( minimum-numeric-value ) ]
            [ MIXED( YES | NO ) ]
            [ OTHER( ALPHA | ALPHANUM | ANY | NONATABC | NONATNUM | NUMERIC ) ]
          ) ]
        [ DATA('installation-defined-data') ]
        [ DLFDATA(
            [ RETAIN( YES | NO ) ]
            [ JOBNAMES(jobname-1 …) ]
          ) ]
        [ EIM(
            [ DOMAINDN(eim_domain_dn) ]
            [ OPTIONS( ENABLE | DISABLE ) ]
            [ LOCALREGISTRY(registry_name) ]
            [ KERBREGISTRY(registry_name) ]
            [ X509REGISTRY(registry_name) ]
          ) ]
        [ FCLASS(profile-name-2-class) ]
        [ FGENERIC ]
        [ FROM(profile-name-2) ]
        [ FVOLUME(profile-name-2-serial) ]
        [ ICSF(
            [ ASYMUSAGE(
                [ HANDSHAKE | NOHANDSHAKE ]
                [ SECUREEXPORT | NOSECUREEXPORT ]
              ) ]
            [ SYMEXPORTABLE(BYANY | BYLIST | BYNONE) ]
            [ SYMEXPORTCERTS([qualifier]/label-name … | *) ]
            [ SYMEXPORTKEYS(ICSF-key-label … | *) ]
            [ SYMCPACFWRAP( YES | NO ) ]
          ) ]
        [ ICTX(
            [ USEMAP( YES | NO ) ]
            [ DOMAP( YES | NO ) ]
            [ MAPREQUIRED( YES | NO ) ]
            [ MAPPINGTIMEOUT(nnnn) ]
          ) ]
        [ KERB(
            [ CHECKADDRS( YES | NO ) ]
            [ DEFTKTLFE(def-ticket-life) ]
            [ ENCRYPT(
                [ DES | NODES ]
                [ DES3 | NODES3 ]
                [ DESD | NODESD ]
                [ AES128 | NOAES128 ]
                [ AES256 | NOAES256 ]
              ) ]
            [ KERBNAME(kerberos-realm-name) ]
            [ MAXTKTLFE(max-ticket-life) ]
            [ MINTKTLFE(min-ticket-life) ]
            [ PASSWORD(kerberos-password) ]
          ) ]
        [ LEVEL(nn) ]
        [ NOTIFY(userid) ]
        [ OWNER(userid or group-name) ]
        [ PROXY(
            [ LDAPHOST(ldap_url) ]
            [ BINDDN(bind_distinguished_name) ]
            [ BINDPW(bind_password) ]
          ) ]
        [ SECLABEL(seclabel-name) ]
        [ SECLEVEL(seclevel-name) ]
        [ SESSION(
            [ CONVSEC( NONE | CONV | ALREADYV | PERSISTV | AVPV ) ]
            [ INTERVAL(n) ]
            [ LOCK ]
            [ SESSKEY(session-key) ]
          ) ]
        [ SIGVER(
            [ SIGREQUIRED( YES | NO ) ]
            [ FAILLOAD( ANYBAD | BADSIGONLY | NEVER ) ]
            [ SIGAUDIT( ALL | SUCCESS | ANYBAD | BADSIGONLY | NONE ) ]
          ) ]
        [ SINGLEDSN ]
        [ SSIGNON(
            [ KEYMASKED(key-value) | KEYENCRYPTED(key-value) ]
          ) ]
        [ STDATA(
            [ USER(userid | =MEMBER) ]
            [ GROUP(group-name | =MEMBER) ]
            [ PRIVILEGED( YES | NO ) ]
            [ TRACE( YES | NO ) ]
            [ TRUSTED( YES | NO ) ]
          ) ]
        [ SVFMR(
            [ SCRIPTNAME(script-name) ]
            [ PARMNAME(parm-name) ]
          ) ]
        [ TIMEZONE( {E | W} hh[.mm] ) ]
        [ TME(
            [ CHILDREN(profile-name …) ]
            [ GROUPS(group-name …) ]
            [ PARENT(profile-name) ]
            [ RESOURCE(resource-access-specification …) ]
            [ ROLES(role-access-specification …) ]
          ) ]
        [ TVTOC ]
        [ UACC(access-authority) ]
        [ WARNING ]
        [ WHEN( [DAYS(day-info)] [TIME(time-info)] ) ]
Parameters

- subsystem-prefix
  Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
  Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- class-name
  Specifies the name of the class to which the resource belongs. The valid class names are those defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.
  This operand is required and must be the first operand following RDEFINE.
  This command is not intended to be used for profiles in the following classes:
  - DCEUUIDS
  - DIGTCERT
  - DIGTNMAP
  - DIGTRING
  - IDIDMAP
  - NDSLINK
  - NOTELINK
  - ROLE
  - UNIXMAP
  Note: If you have the CLAUTH attribute (class authority) to a member or grouping class, the member or grouping class must be active in order for you to define profiles in that class.
- profile-name-1
  Specifies the name of the discrete or generic profile you want to add to the specified class. RACF uses the class descriptor table to determine if the class is defined to RACF, the syntax of resource names within the class, and whether the resource is a group resource. For more information, see Naming considerations for resource profiles and z/OS Security Server RACF Security Administrator's Guide.
  Mixed-case profile names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).
  This operand is required and must be the second operand following RDEFINE.
  Note:
  - Do not specify a generic character unless SETROPTS GENERIC (or SETROPTS GENCMD) is in effect.
  - RACF processes each resource you specify independently, and all operands you specify apply to each named resource. If an error occurs while it is processing a resource, RACF issues a message and continues processing with the next resource.
- ADDCATEGORY(category-name …)
  Specifies one or more names of installation-defined security categories. The names you specify must be defined as members of the CATEGORY profile in the SECDATA class. (For information on defining security categories, see z/OS Security Server RACF Security Administrator's Guide.)
  When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a resource, RACF compares the list of security categories in the user's profile with the list of security categories in the resource profile. If RACF finds any security category in the resource profile that is not in the user's profile, RACF denies access to the resource. If the user's profile contains all the required security categories, RACF continues with other authorization checking.
  Note: RACF does not perform security category checking for a started task with the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class. Also, RACF does not enforce security category information specified on profiles in the PROGRAM class.
- ADDMEM(member …)
  Specifies the member names that RACF is to add to the profile indicated by profile-name-1. The meaning of member varies, depending on the class.
  You can use the ADDMEM operand to perform tasks such as defining security categories and security levels, entries in the global access checking table, and entries for program control, or to implement security labels on a system basis, as described in the following sections.
  When you specify ADDMEM to add multiple members, they are added to the RACFVARS profile in the same order that you specify them with the ADDMEM operand of the RDEFINE command. For example, if you specify ADDMEM(A B) with the RDEFINE command, the members are stored in the RACFVARS profile as A B.
  Mixed-case member names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS). When class-name is GLOBAL and profile-name is the name of a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS), the name part of a member entry in the GLOBAL access table is preserved as entered.
  If you define a profile and use generic characters such as the asterisk (*) to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output because it does not support generic matches. For example, you have:

      RDEF GIMS GIMSGRP ADDMEM(ABC*)

  and you are looking for a specific member, so you enter:

      RLIST TIMS ABCD RESGROUP

  The GIMS profile GIMSGRP will not appear in the output.
  Note: When considering this example, if you are unable to define the profile ABCD, it might be due to a generic definition somewhere in GIMS.
  For ADDMEM with the GLOBAL DATASET class, no characters including generic characters, such as the asterisk (*) and the percent sign (%), can be combined with the value &RACUID to form a single qualifier level of the member name. This restriction does not exist for ADDMEM with classes other than GLOBAL DATASET.
  For ADDMEM with the RACFVARS class, the following rules apply:
  - Do not specify generic characters, such as the ampersand (&), the asterisk (*) and the percent sign (%), in a member name.
  - Issue the SETROPTS RACLIST(RACFVARS) REFRESH command to activate your member change.
  - If your member change affects profiles in a class with in-storage profiles processed by RACLIST or GENLIST, you must also refresh that class to activate your change.
  For important guidelines, see "Administering the RACFVARS member list" in z/OS Security Server RACF Security Administrator's Guide.
  In addition to the authority needed to issue the RDEFINE command, you need one of the following authorities to add members using the RDEFINE command:
  - For classes other than SECLABEL, PROGRAM, SECDATA, GLOBAL, RACFVARS, and NODES, if the member resources are already RACF-protected by a member class profile or as a member of a profile in the same grouping class, one of the following must be true:
    - You have ALTER access authority to the member.
    - You are the owner of the member resource.
    - The member resource is within the scope of a group in which you have the group-SPECIAL attribute.
    - You have the SPECIAL attribute.
  - For classes other than SECLABEL, PROGRAM, SECDATA, GLOBAL, RACFVARS, and NODES, if the member resources are not RACF-protected (that is, there is no profile defined for that member), one of the following must be true:
    - You have CLAUTH authority to define resources in the member resource class.
    - You have the SPECIAL attribute.
  - To add a member to a profile in the RACFVARS or NODES class, one of the following must be true:
    - You have CLAUTH authority to define resources in the specified class (for example, RACFVARS or NODES).
    - You have the SPECIAL attribute.
    - You are the owner of the profile indicated by profile-name-1.
    - You have ALTER access authority to the profile indicated by profile-name-1.
  - To add a member to a profile in the SECLABEL, PROGRAM or SECDATA class, one of the following must be true:
    - You have CLAUTH authority to define resources in the specified class (for example, PROGRAM or SECDATA).
    - You have the SPECIAL attribute.
  - To add a member to a profile in the GLOBAL class (other than the GLOBAL DATASET, GLOBAL DIRECTRY, or GLOBAL FILE profile) using the following syntax:

        RDEF GLOBAL class-name ADDMEM(resource-name/access-level)

    - If the profile resource-name is already RACF-protected by a profile in class class-name, one of the following must be true:
      - You have ALTER access authority to the profile resource-name in class class-name.
      - You are the OWNER of the profile resource-name.
      - The profile resource-name in class class-name is within the scope of a group in which you have the group-SPECIAL attribute.
      - You have the SPECIAL attribute.
    - If the profile resource-name is not already RACF-protected (that is, there is no profile defined for that member in class class-name), one of the following must be true:
      - You have CLAUTH authority to define resources in the class class-name.
      - You have the SPECIAL attribute.
  - To add a member to the GLOBAL DATASET profile, one of the following must be true:
    - The member is within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the member name is your user ID.
    - You have the SPECIAL attribute.
  - To add a member to the GLOBAL DIRECTRY or GLOBAL FILE profile, you must have the SPECIAL attribute.
  RACF ignores the ADDMEM operand if the class name you specify is not a resource grouping class, SECLABEL, GLOBAL, SECDATA, NODES, or PROGRAM.
  Specifying member on the ADDMEM operand

  The following sections describe how to specify members for each of the following classes:
  - Resource grouping classes
  - SECLABEL
  - GLOBAL
  - SECDATA
  - NODES
  - PROGRAM
  The descriptions for these classes are below.

  - When a resource grouping class is the class name
    Resource Grouping Class: If the class name is a resource grouping class, the members you specify through the ADDMEM operand protect the resources in the related member class.
    If generic profile checking is active for the related member class, you can include a generic character (*, **, &, or % only) in the member to protect multiple resources.
    For more information on resource grouping classes and their related member classes, see z/OS Security Server RACF Security Administrator's Guide.
  - When SECLABEL is the class name
    Security Label By System: You can define a security label for use on specific systems. Issue the RDEFINE command specifying the system identifier (SMFID) of the system on which the security label can be used. Note that RACF-defined SECLABELs (SYSHIGH, SYSLOW, SYSNONE, and SYSMULTI) are not affected by SECLABEL by System.
    The format of this command is as follows:

        RDEFINE SECLABEL profile-name ADDMEM(system-identifier)

    The system-identifier is the 4-character value specified for the SID parameter of the SMFPRMxx member of SYS1.PARMLIB. See z/OS MVS Initialization and Tuning Reference for additional information on SMFPRMxx. RACF does not check that the specified system-identifier actually exists in SMFPRMxx.
    The security label will only be restricted to the systems specified by ADDMEM if the SETR SECLBYSYSTEM option is active. If this option is not active, or ADDMEM is not specified, the security label can be used on all systems. Changes to profiles in the SECLABEL class are activated by issuing SETR RACLIST(SECLABEL) REFRESH.
  - When GLOBAL is the class name
    Global Access Checking: You can define an entry in the global access checking table by issuing the RDEFINE command with the following operands:

        RDEFINE GLOBAL profile-name ADDMEM(member/access-level)

    Each entry you define controls global access checking for the resources matching that entry name.
    Important: Because RACF performs global access checking before security classification processing, an entry in the global access checking table might allow access to a resource you are protecting with a security category, security level, or both. To avoid a security exposure to a sensitive resource, do not define an entry in the global access checking table for a resource you are protecting with security classification processing.
    When you define an entry in the global access checking table, specify member on the ADDMEM operand as described in the following sections.
    - Global access checking for data sets
      When you define an entry in the global access checking table for a data set, enclose the entry name in single quotation marks if you do not want your TSO prefix (which might be your user ID) used as the high-level qualifier of the entry name.
      For example, assume that your user ID is SMITH. If you issue the following command, you define the entry SMITH.ABC in the global access table.

          RDEFINE GLOBAL DATASET ADDMEM('SMITH.ABC'/READ)

      If you do not enclose the entry name in single quotation marks, your TSO prefix is used as the high-level qualifier of the entry name. For example, if you issue the following command, you define the entry SMITH.ABC in the global access table.

          RDEFINE GLOBAL DATASET ADDMEM(ABC/READ)

      If the entry name you specify contains * as the high-level qualifier and you do not enclose the name in single quotation marks, RACF creates the entry exactly as you specify it (your TSO prefix is not used as the high-level qualifier of the entry name). For example, if you issue the following command, you define the entry *.ABC in the global access table. If you enclose *.ABC in single quotation marks, you define the same entry (*.ABC) in the global access table.

          RDEFINE GLOBAL DATASET ADDMEM(*.ABC/READ)

    - Global access checking for general resources
      To define an entry in the global access checking table for a general resource, specify any valid class name in the class descriptor table as a profile name. (For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.) The member name you specify with the ADDMEM operand can contain one or more generic characters (%, *, or **). For information on using generic characters, see Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference.
  - When SECDATA is the class name
    Security Classification of Users and Data: To define a security category or security level for your installation, specify class-name as SECDATA and profile-name as one of the following:
    - CATEGORY when defining a security category
    - SECLEVEL when defining a security level.
    If you specify SECDATA CATEGORY, the ADDMEM operand specifies the name of an installation-defined category of users. For example, to define three categories of users named CODE, TEST, and DOC, issue:

        RDEFINE SECDATA CATEGORY ADDMEM(CODE TEST DOC)

    If you specify SECDATA SECLEVEL, the ADDMEM operand specifies both the name of an installation-defined security level and the number you assign to that level, in the form:

        seclevel-name/seclevel-number

    You must separate the two items by a forward slash character (/). The seclevel-name can contain 1 - 44 characters and must not contain a blank, comma, semicolon, or right parenthesis. The seclevel-number can be any number 1 - 254. The higher the number, the higher the security level. For example, to define three security levels, where CONFIDENTIAL is the most restrictive, enter:

        RDEFINE SECDATA SECLEVEL ADDMEM(GENERAL/10 EXPERIMENTAL/75 CONFIDENTIAL/150)

    Because RACF keeps track of security levels by number, replacing an existing security level name does not affect the protection that the security level number provides. If you had defined the security levels shown in the preceding example and then replaced GENERAL/10 with INTERNAL/10, a listing of a user or resource profile that included security level 10 would show the new name. Because the security level number is the same, there is no need to change any resource or user profiles.
    When you actually change an existing CATEGORY profile or SECLEVEL profile, however, RACF issues a warning message to remind you that the change is not reflected in existing resource or user profiles. In this case, you can use the SEARCH command to locate the profiles you must modify.
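    As an added example (not IBM's code or documentation), the following Python model ties together three statements made above: the ADDCATEGORY description (every category on the resource must be in the user's profile), the Important note under Global Access Checking (the table is consulted before security classification), and the SECLEVEL description (a higher number is a higher level, and the GLOBAL DATASET entry-name quoting rule decides the high-level qualifier). The profile classes, the simplified generic-character matching, the access ranking and all sample names are constructed for the example.

```python
"""Model of the authorization order this page describes (added example, not IBM
code): global access checking (GAC) runs before security classification
(SECLEVEL and CATEGORY) checking, which in turn precedes access-list and UACC
checking.  Profile classes, the generic-pattern translation and the sample
names are constructed simplifications."""
import re
from dataclasses import dataclass, field

# Access authorities from lowest to highest (constructed ranking).
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class UserProfile:
    userid: str
    seclevel: int = 0                      # SECDATA SECLEVEL number (1-254); 0 = none
    categories: frozenset = frozenset()    # SECDATA CATEGORY names in the user profile


@dataclass
class ResourceProfile:
    name: str
    uacc: str = "NONE"
    seclevel: int = 0
    categories: frozenset = frozenset()
    access_list: dict = field(default_factory=dict)   # userid -> access authority


def resolve_gac_entry_name(entry: str, tso_prefix: str) -> str:
    """Entry-name rule for RDEFINE GLOBAL DATASET ADDMEM(entry/level): a quoted
    name and an unquoted name whose HLQ is * are taken as written; any other
    unquoted name gets the TSO prefix as its high-level qualifier."""
    if len(entry) >= 2 and entry[0] == entry[-1] == "'":
        return entry[1:-1]
    if entry.startswith("*"):
        return entry
    return f"{tso_prefix}.{entry}"


def parse_gac_member(member: str, tso_prefix: str) -> tuple:
    """Split 'member/access-level' into (resolved entry name, access level)."""
    entry, sep, level = member.rpartition("/")
    level = level.upper()
    if not sep or level not in ACCESS_RANK:
        raise ValueError(f"malformed GLOBAL member entry: {member!r}")
    return resolve_gac_entry_name(entry, tso_prefix), level


def generic_to_regex(pattern: str) -> "re.Pattern":
    """Simplified generic matching (constructed approximation): ** spans
    qualifiers, * matches within one qualifier, % matches one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^.]*")
            i += 1
        elif pattern[i] == "%":
            out.append("[^.]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def check_access(user, resource, requested, gac_table):
    """Return (allowed, reason).  gac_table is a list of (entry-name, level)
    pairs as produced by parse_gac_member.  Order follows the page: GAC first,
    then SECLEVEL, then CATEGORY, then access list / UACC."""
    need = ACCESS_RANK[requested]
    # 1. Global access checking: a matching entry granting at least the
    #    requested level allows access before any classification check runs.
    for entry, level in gac_table:
        if generic_to_regex(entry).match(resource.name) and ACCESS_RANK[level] >= need:
            return True, f"GLOBAL entry {entry}/{level}"
    # 2. Security level: the user's number must be >= the resource's number.
    if resource.seclevel and user.seclevel < resource.seclevel:
        return False, f"SECLEVEL {resource.seclevel} required, user has {user.seclevel}"
    # 3. Security categories: every resource category must be in the user profile.
    missing = resource.categories - user.categories
    if missing:
        return False, f"CATEGORY missing {sorted(missing)}"
    # 4. Access list entry for the user, otherwise the UACC.
    granted = resource.access_list.get(user.userid, resource.uacc)
    if ACCESS_RANK[granted] >= need:
        return True, f"access list/UACC {granted}"
    return False, f"insufficient authority ({granted})"


if __name__ == "__main__":
    # Constructed sample: a classified data set and a user lacking level and category.
    jones = UserProfile("JONES", seclevel=75, categories=frozenset({"CODE"}))
    payroll = ResourceProfile("PAYROLL.MASTER", uacc="READ", seclevel=150,
                              categories=frozenset({"CODE", "FINANCE"}))
    print(check_access(jones, payroll, "READ", []))           # denied on SECLEVEL
    gac = [parse_gac_member("'PAYROLL.*'/READ", "SMITH")]     # the exposure the page warns about
    print(check_access(jones, payroll, "READ", gac))          # allowed by the GLOBAL entry
```

    Running the module shows the denial turning into an allow once a matching GLOBAL entry exists, which is the exposure the Important note describes.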
  - When NODES is the class name
    Specify only one value with the ADDMEM operand. If you specify multiple values, RACF stores them in the NODES profile but translates using only the last one specified.
    Restriction: When more than one value is defined in a NODES profile, you cannot use the RLIST command to determine which value was the last one specified.
    Guideline: If one or more values are already defined in a NODES profile, use the DELMEM operand to remove them before specifying the new value.
    For information on setting up NODES profiles, see z/OS Security Server RACF Security Administrator's Guide.
    Translation of User IDs, Group Name, or Security Labels on Inbound Jobs or SYSOUT: If the class name is NODES, you can specify how user IDs, group names, and security labels are translated. The translation depends on the second and third qualifiers of the profile name, as follows:

    | If the second qualifier is… | The ADDMEM value specifies… |
    |---|---|
    | RUSER | The user ID to be used on this system for the jobs originating from NJE nodes to which the profile applies |
    | USERJ | The user ID to be used on this system for the inbound jobs to which the profile applies |
    | USERS | The user ID to be used on this system for the inbound SYSOUT to which the profile applies |
    | GROUPJ | The group name to be used on this system for the inbound jobs to which the profile applies |
    | GROUPS | The group name to be used on this system for the inbound SYSOUT to which the profile applies |
    | SECLJ | The security label to be used on this system for the inbound jobs to which the profile applies |
    | SECLS | The security label to be used on this system for the inbound SYSOUT to which the profile applies |
  - When PROGRAM is the class name
    Program Control: If you specify class-name as PROGRAM, profile-name must identify one or more controlled programs (load modules or program objects), and member identifies the library containing the programs, the volume serial of that library, and a processing option. Additionally, APPLDATA may contain information that RACF will process. You specify the member entry in the following format:

        library-name/volume-serial/PADCHK or NOPADCHK

    - library-name
      Specifies the name of the library in which the controlled programs reside. If profile-name is * or **, RACF treats all load modules in the specified library as controlled programs.
      If it is necessary to define a program that resides in the system's LPA or dynamic LPA as a controlled program (for example: to give it the MAIN or BASIC attribute), define the program with a profile-name that does not end in *, specify 'LPALST' as the library name, and omit the volume serial.
      When it is necessary to define a specific profile for a program in the LPA, 'LPALST' should be used as the library name and the volume serial should be omitted.
      The following represent valid ADDMEM values for program XYZ which exists in one of the LPA libraries or in the dynamic LPA:
      - 'LPALST'
      - 'LPALST'//PADCHK
      - 'LPALST'//NOPADCHK
    - volume-serial (optional)
      Specifies the serial number of the volume on which the library resides. You can use six asterisks within single quotation marks to specify the current SYSRES volume: library-name/'******'/PADCHK or NOPADCHK.
      Note:
      - The '******' value works when the SYSRES resides on more than one volume, but it applies only when the data set lives on the IPL volume.
      - If volume-serial is not specified, the specified library can exist on any volume. The alternate formats are library-name//NOPADCHK or library-name.
    - PADCHK | NOPADCHK
      Specifies that RACF is to make (PADCHK) or not to make (NOPADCHK) the checks for program-accessed data sets when a user is executing the controlled programs. If you specify PADCHK, RACF verifies that (1) the conditional access list in the profile for a program-accessed data set allows the access and (2) no task in the user's address space has previously loaded a non-controlled program.
      If you specify NOPADCHK, RACF does not perform this extra checking to verify that a non-controlled program cannot access a program-accessed data set. NOPADCHK allows you, for example, to define entire libraries of modules (such as ISPF) as controlled programs without then having to grant each of these modules access to many program-accessed data sets.
    The Examples section shows two ways to define controlled programs. Before defining or modifying PROGRAM profiles, see the program control sections of z/OS Security Server RACF Security Administrator's Guide.
- APPLDATA('application-data')
- Specifies
a text string that is associated with each of the named resources.
The text string can contain a maximum of 255 characters and must be
enclosed in single quotation marks. It can also contain double-byte
character set (DBCS) data.
Rules:
- For profiles in the PROGRAM class, RACF will examine the APPLDATA value (if any) and perform special processing if you have specified MAIN or BASIC (optionally followed by blanks).
- For the FACILITY class, RACF examines
the APPLDATA value of the following profiles:
- BPX.UNIQUE.USER
The APPLDATA value specifies the name
of a user profile from which RACF can
copy OMVS segment information (other than UID) when assigning unique
UIDs through a callable service.
- BPX.DEFAULT.USER
The APPLDATA value specifies
a user ID and group name from which RACF can
retrieve default OMVS segment information. Beginning with z/OS® Version 1 Release 11, the
BPX.DEFAULT.USER profile is ignored when the BPX.UNIQUE.USER profile
is defined. Beginning with z/OS Version 2 Release 1, the
BPX.DEFAULT.USER profile is no longer supported.
- BPX.NEXT.USER
The APPLDATA value specifies information
that RACF will use for the
automatic assignment of OMVS UIDs and GIDs.
- IRR.PGMSECURITY
The APPLDATA value specifies whether RACF will operate in basic, enhanced, or enhanced-warning PGMSECURITY mode.
- If the APPLDATA value contains the string ENHANCED, then RACF will run in enhanced PGMSECURITY mode.
- If the APPLDATA value contains the string BASIC, then RACF will run in basic PGMSECURITY mode.
- If the APPLDATA is empty or contains any other value, RACF will run in enhanced PGMSECURITY mode but in warning mode rather than failure mode.
- IRR.PROGRAM.SIGNING.group.userid
- IRR.PROGRAM.SIGNING.userid
- IRR.PROGRAM.SIGNING.group
- IRR.PROGRAM.SIGNING
For any of the IRR.PROGRAM.SIGNING
profiles, the APPLDATA value specifies the signing hash algorithm,
and the SAF key ring to use when signing a program.
- IRR.PROGRAM.SIGNATURE.VERIFICATION
The APPLDATA value
specifies the SAF key ring to use when verifying the signature of
a signed program.
- For the TIMS and GIMS classes, specify application-data as REVERIFY to force the user to reenter their password whenever the transaction or transactions listed in the profile-name or ADDMEM operands are used.
- For the PTKTDATA class, the application data field can be used
to control the replay protection function of PassTicket support.
- For the APPL class, when the APPLDATA value contains the RACF-INITSTATS(DAILY) string, RACF records statistics only for
the first user verification of the day for the applications protected
by this profile. The RACF-INITSTATS(DAILY) string
is reserved text and may appear anywhere in the APPLDATA field. For
more information about statistics collection, see z/OS Security Server RACF Security Administrator's Guide.
- Specifying the RACF-DELEGATED string in the APPLDATA
designates the resources protected by the profile as delegated, meaning
that RACROUTE REQUEST=FASTAUTH should honor a nested ACEE during access
checking to this resource. The RACF-DELEGATED string
is reserved text and may appear anywhere in the APPLDATA field. For
more information on nested ACEEs and delegated resources, see z/OS Security Server RACF Security Administrator's Guide.
RACF does not
validate the APPLDATA value during RALTER. Depending on the function, RACF might or might not issue any
messages during subsequent processing if it finds an unexpected value.
The
APPLDATA value, if present, can be displayed with the RLIST command.
For
detailed information about each APPLDATA value, see z/OS Security Server RACF Security Administrator's Guide.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
- AT([node].userid …)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed to the local node.
- ONLYAT([node].userid …)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed only to the local node.
- AUDIT(access-attempt[(audit-access-level)])
- Specifies
which access attempts and access levels you want logged to the SMF
data set.
- access-attempt
- Specifies which access attempts you want logged to the SMF data
set. The following options are available:
- ALL
- Specifies that you want to log both authorized accesses and detected
unauthorized access attempts.
- FAILURES
- Specifies that you want to log detected unauthorized access attempts.
This is the default value if you do not specify access-attempt.
- NONE
- Specifies that you do not want any logging to be done.
- SUCCESS
- Specifies that you want to log authorized accesses to the resource.
- audit-access-level
- Specifies which access levels you want
logged to the SMF data set. The levels you can specify are:
- ALTER
- Logs ALTER access-level attempts only.
- CONTROL
- Logs access attempts at the CONTROL and ALTER levels.
- READ
- Logs access attempts at any level. This is the default value if
no access level is specified.
- UPDATE
- Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
FAILURES(READ) is the default value if the AUDIT
operand is omitted from the command.
You cannot audit access
attempts for the EXECUTE level.
- CDTINFO
- Specifies information used in the
definition of an installation-defined class in the dynamic class descriptor
table (CDT). For details about defining classes in the dynamic CDT,
see "Administering
the Dynamic Class Descriptor Table (CDT)" in z/OS Security Server RACF Security Administrator's Guide.
Note: CDTINFO
should only be specified for profiles in the CDT class.
- CASE ( UPPER | ASIS )
- Specifies whether mixed-case profile names are allowed for the
class.
- ASIS
- When ASIS is specified, RACF commands
preserve the case of profile names for the specified class. Lowercase
characters are allowed in any position of the profile name where alphabetic
characters are allowed, based on the character restrictions in the
FIRST and OTHER keywords.
- UPPER
- When UPPER is specified, RACF translates
the profile names for the specified class to uppercase. If CASE is
not specified, CASE(UPPER) is the default.
- DEFAULTRC
- Specifies the return code that RACF will
provide from RACROUTE REQUEST=AUTH or REQUEST=FASTAUTH when both RACF and the class are active and
(if required) the class has been processed using SETROPTS RACLIST,
but RACF doesn't find a profile
to protect the resource specified on the AUTH or FASTAUTH request.
The return codes are interpreted as follows:
- 0
- The access request was accepted.
- 4
- No profile exists.
- 8
- The access request was denied.
If DEFAULTRC is not specified, DEFAULTRC(4) is
the default.
- DEFAULTUACC
- DEFAULTUACC ( ALTER | CONTROL | UPDATE | READ | NONE )
- Specifies the minimum access allowed if the access level is not
set when a resource profile is defined in the class.
- DEFAULTUACC ( ACEE )
- If no universal access level is specified at the time the profile
is created, RACF uses the default
universal access authority from the command issuer's ACEE, as specified
on the UACC operand of the ADDUSER, ALTUSER or CONNECT command.
If DEFAULTUACC is not specified, DEFAULTUACC(NONE)
is the default.
- FIRST (characters-allowed …)
- Specifies a character type restriction for the first character
of the profile name. One or more of the following may be specified.
- ALPHA - Allows an alphabetic character (A - Z)
- NUMERIC - Allows a digit (0 - 9)
- NATIONAL - Allows characters # (X'7B'), @ (X'7C'), and $ (X'5B')
- SPECIAL - Allows any character except the following:
- a blank
- a comma
- a parenthesis
- a semicolon
- those characters in ALPHA, NUMERIC, or NATIONAL.
Note: This option includes the period ('.') and is needed if
you intend to use it as a delimiter.
If FIRST is
not specified, FIRST(ALPHA, NATIONAL) is the default.
- GENERIC ( ALLOWED | DISALLOWED )
- Specifies whether or not SETROPTS GENERIC and SETROPTS GENCMD
are allowed for the class. The SETROPTS GENERIC command activates
generic profile checking for a class. The SETROPTS GENCMD command
activates generic profile command processing.
If GENERIC is not
specified, GENERIC(ALLOWED) is the default. If GENERIC(DISALLOWED)
is specified, GENLIST(ALLOWED) cannot also be specified.
Because
generic processing is not allowed for grouping classes, GENERIC(DISALLOWED)
should be specified if MEMBER(member-class-name) is also specified.
If GENERIC(ALLOWED) is specified or defaulted for a grouping class,
a warning message is issued. Subsequent processing for the dynamic
class being defined and for profiles in that class will be treated
as if GENERIC(DISALLOWED) was specified.
Rule: If the dynamic class you are defining shares a POSIT number with other classes, all classes with the shared POSIT number must have the same GENERIC keyword value. This is because the SETROPTS GENERIC and SETROPTS GENCMD commands process all classes that share a POSIT number. If at least one class specifies GENERIC(DISALLOWED) and at least one class specifies GENERIC(ALLOWED), RACF issues a warning message. When you subsequently add this class to the dynamic class descriptor table using the SETROPTS RACLIST(CDT) command, RACF might change the value of the GENERIC keyword to match the GENERIC keyword value of the other classes sharing the POSIT number.
- If this dynamic class shares a POSIT number with an IBM-supplied class, RACF changes the value of the GENERIC keyword in the dynamic class to match the IBM class. (The class attribute in the IBM-supplied class takes precedence.)
- If this dynamic class shares a POSIT number with an installation-defined class (static or dynamic), RACF determines the least restrictive attribute (GENERIC(ALLOWED) is less restrictive than GENERIC(DISALLOWED)) and changes the GENERIC(DISALLOWED) class attribute to GENERIC(ALLOWED).
Exception: A grouping class and member
class can share a POSIT number although their GENERIC keyword values
need not match. You must specify GENERIC(DISALLOWED) for the grouping
class. However, you can specify either ALLOWED or DISALLOWED for the
member class.
- GENLIST ( ALLOWED | DISALLOWED )
- Specifies whether SETROPTS GENLIST is to be allowed for the class.
If you GENLIST the class on the SETROPTS command and a user then requests
access to a resource protected by a generic profile, a copy of that
profile will be brought into the common storage area rather than into
the user's address space. RACF uses
those generic profiles in common storage to check the authorization
of any users who want to access the resource. The profiles remain
in common storage until a REFRESH occurs.
If GENLIST is not specified,
GENLIST(DISALLOWED) is the default.
- GROUP ( grouping-class-name )
- Specifies the name of the class that groups the resources within
the specified class. If GROUP is not specified, RACF does not allow resource grouping for the
class. The grouping-class-name must be 1 - 8 characters.
When
GROUP is specified, the class being defined is a member class.
If
GROUP is specified, then grouping-class-name must
also be defined in the CDT class and its MEMBER keyword should refer
to the class being defined. The GROUP and MEMBER keywords must have
matching class entries before SETROPTS RACLIST(CDT) is issued to build
or refresh the dynamic CDT or before the system is restarted; otherwise,
the class in error will not be added to the dynamic class descriptor
table.
- KEYQUALIFIERS ( 0 | nnn )
- Specifies the number of matching qualifiers RACF uses when loading generic profile names to satisfy an authorization request if a discrete profile does not exist for a resource. For example, if you specify two for the class, all generic profile names whose highest-level qualifiers match the two highest qualifiers of the entity name are loaded into the user's storage when the user requests access to a resource. The nnn value must be a number 0 - 123.
If
KEYQUALIFIERS is not specified, the default is 0 and profile names
for the entire class are loaded and searched.
The maximum value
you can specify is 123, which is the maximum number of qualifiers
in a name 246 characters long.
When KEYQUALIFIERS(nnn)
is specified, generic profiles created in that class may not contain
generic characters in the first nnn qualifiers
of the profile name.
When KEYQUALIFIERS(nnn) is greater than 0 for a class, all discrete and generic profiles in that class must have at least nnn+1 qualifiers in each profile name. The number of qualifiers in a profile name is determined by counting the number of period characters in the profile name and adding one; the first character is not examined.
Examples of valid profile names for KEYQUALIFIERS(2) are:
A.B.C
A.B.**
A.B.C.D*
Guideline: Specify KEYQUALIFIERS(nnn) greater than 0 for classes that have the following characteristics:
- The class is not usually RACLISTed or GENLISTed.
- Profile names in the class follow a naming convention where many
generic profiles have the same nnn qualifiers at the beginning of
the profile name.
For example, if you have an application that uses an installation-defined
class to protect reports on terminal usage, you might have profiles
such as these for each user on your z/OS system:
REPORTS.USER1.TERMUSE.*
REPORTS.USER1.TERMUSE.DEPT60.*
REPORTS.USER1.TERMUSE.2006.JAN.*
REPORTS.USER1.TERMUSE.2006.FEB.*
REPORTS.USER1.TERMUSE.2006.MAR.*
REPORTS.USER1.TERMUSE.2006.APR.*
REPORTS.USER1.TERMUSE.2006.MAY.*
REPORTS.USER1.TERMUSE.2006.JUN.*
REPORTS.USER1.TERMUSE.2006.JUL.*
REPORTS.USER1.TERMUSE.2006.AUG.*
REPORTS.USER1.TERMUSE.2006.SEP.*
REPORTS.USER1.TERMUSE.2006.OCT.*
REPORTS.USER1.TERMUSE.2006.NOV.*
REPORTS.USER1.TERMUSE.2006.DEC.*
In this example, you might define your installation class using KEYQUALIFIERS(3) so that when RACF performs authorization checks for resources in your class, only generic profile names that match the first three qualifiers of your report name are loaded into storage for RACF to check.
Restriction: Different
rules apply for the FILE and DIRECTRY classes. For the syntax required
for profile names in the DIRECTRY and FILE classes, see the appropriate RACF Command Language Reference for
your VM system.
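The qualifier rules above, worked as an added example that is not IBM's code: a small Python model that counts qualifiers the way the text describes (periods plus one, first character ignored), checks candidate profile names against KEYQUALIFIERS(nnn), and lists the generic profiles that would be loaded for a resource name when no discrete profile exists. The class and profile names are constructed, modelled on the REPORTS example.

```python
"""Model of the KEYQUALIFIERS(nnn) rules described above (added example, not
IBM code): qualifier counting, the profile-name rules a class with
KEYQUALIFIERS(nnn) imposes, and which generic profiles would be loaded for a
resource name. The class and profile names below are constructed."""

# Generic characters in general-resource profile names; RACFVARS (&) is not modelled.
GENERIC_CHARS = set("*%")


def count_qualifiers(name: str) -> int:
    """Number of qualifiers: periods in the name plus one, ignoring the first character."""
    if not name:
        return 0
    return name[1:].count(".") + 1


def qualifiers(name: str) -> list[str]:
    """Split a name into its qualifiers without examining its first character."""
    if not name:
        return []
    parts = name[1:].split(".")
    parts[0] = name[0] + parts[0]
    return parts


def is_generic(name: str) -> bool:
    return bool(GENERIC_CHARS & set(name))


def validate_profile_name(name: str, nnn: int) -> list[str]:
    """Violations of the rules a class with KEYQUALIFIERS(nnn) imposes on profile names."""
    problems = []
    if nnn > 0 and count_qualifiers(name) < nnn + 1:
        problems.append(f"{name}: needs at least {nnn + 1} qualifiers for KEYQUALIFIERS({nnn})")
    for index, qualifier in enumerate(qualifiers(name)[:nnn], start=1):
        if is_generic(qualifier):
            problems.append(f"{name}: generic character in qualifier {index} (first {nnn} must be discrete)")
    return problems


def generic_profiles_loaded(resource: str, profiles: list[str], nnn: int) -> list[str]:
    """Generic profile names RACF would load for a resource when no discrete profile
    exists: those whose first nnn qualifiers equal the resource's (nnn == 0: all)."""
    key = qualifiers(resource)[:nnn]
    return [p for p in profiles if is_generic(p) and qualifiers(p)[:nnn] == key]


if __name__ == "__main__":
    # constructed profile set for a class defined with KEYQUALIFIERS(3)
    profiles = ["REPORTS.USER1.TERMUSE.*", "REPORTS.USER1.TERMUSE.2006.JAN.*",
                "REPORTS.USER2.TERMUSE.*", "REPORTS.*.TERMUSE.*"]
    for p in profiles:
        print(p, validate_profile_name(p, 3) or "ok")
    print(generic_profiles_loaded("REPORTS.USER1.TERMUSE.2006.JAN.DAILY", profiles, 3))
```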
- MACPROCESSING ( NORMAL | REVERSE | EQUAL )
- Specifies which type of mandatory access control (MAC) processing
is required for the class. If MACPROCESSING is not specified,
MACPROCESSING(NORMAL) is the default.
- NORMAL - specifies
normal MAC processing is required. If and when a MAC check is performed,
the user's SECLABEL must dominate that of the resource.
- REVERSE - specifies
reverse MAC processing is required. If and when a MAC check is performed,
the SECLABEL of the resource must dominate that of the user.
- EQUAL - specifies
equal MAC processing is required. If and when a MAC check is performed,
the SECLABEL of the user must be equivalent to that of the resource.
MACPROCESSING(EQUAL) should be used for classes where two-way communication
is expected. Writedown (SETROPTS MLS) does not apply to classes where
MACPROCESSING(EQUAL) is specified.
- MAXLENGTH ( 8 | nnn )
- Specifies the maximum length of resource and profile names for
the specified class when MAXLENX is not specified. When MAXLENX is
also specified, MAXLENGTH represents the maximum length of a resource
name only when a RACROUTE macro is invoked with the ENTITY keyword.
The value of nnn must be 1 - 246.
If
MAXLENGTH is not specified, the default is 8.
- MAXLENX ( nnn )
- Specifies the maximum length of resource and profile names for the specified class when a RACROUTE macro is invoked with the ENTITYX keyword, or when a profile is added or changed using a RACF command processor. The value of nnn must be 1 - 246.
If
MAXLENX is not specified before SETROPTS RACLIST(CDT) is issued to
build or refresh the dynamic CDT or before the system is restarted,
the value specified for MAXLENGTH is used for MAXLENX in subsequent
processing for the dynamic class.
- MEMBER ( member-class-name )
- Specifies the name of the class grouped by the resources within the specified class. The member-class-name must be 1 - 8 characters.
When MEMBER is specified, the class being defined is
a resource group.
If MEMBER is specified, then member-class-name must
also be defined in the CDT class and its GROUP keyword should refer
to the class being defined. The GROUP and MEMBER keywords must have
matching class entries before SETROPTS RACLIST(CDT) is issued to build
or refresh the dynamic CDT or before the system is restarted; otherwise,
the class in error will not be added to the dynamic class descriptor
table.
- OPERATIONS ( YES | NO )
- Specifies whether RACF is
to take the OPERATIONS attribute into account when it performs authorization
checking. If YES is specified, RACF considers
the OPERATIONS attribute; if NO is specified, RACF ignores the OPERATIONS attribute.
If
OPERATIONS is not specified, OPERATIONS(NO) is the default.
- OTHER ( characters-allowed …)
- Specifies a character type restriction for the characters of the
profile name other than the first character. One or more of the following
may be specified:
- ALPHA - Allows an alphabetic character (A - Z)
- NUMERIC - Allows a digit (0 - 9)
- NATIONAL - Allows characters # (X'7B'), @ (X'7C'), and $ (X'5B')
- SPECIAL - Allows any character except the following:
- a blank
- a comma
- a parenthesis
- a semicolon
- those characters in ALPHA, NUMERIC, or NATIONAL.
Note: This option includes the period ('.') and is needed if
you intend to use it as a delimiter.
If
OTHER is not specified, OTHER(ALPHA, NATIONAL) is the default.
- POSIT ( nnn )
- Specifies the POSIT number associated with the class. Each class
in the class descriptor table has a POSIT number specified which identifies
a set of option flags that control the following RACF processing options:
- Whether authorization checking should take place for the class
(SETROPTS CLASSACT).
- Whether auditing should take place for resources within the class
(SETROPTS AUDIT).
- Whether statistics should be kept for resources within the class
(SETROPTS STATISTICS).
- Whether generic profile access checking is active for the class
(SETROPTS GENERIC).
- Whether generic command processing is active for the class (SETROPTS
GENCMD).
- Whether global access checking is active for the class (SETROPTS
GLOBAL).
- Whether the user has CLAUTH to a resource class.
- Whether special resource access auditing applies to the class
(SETROPTS LOGOPTIONS).
- Whether SETROPTS RACLIST will occur for this class (when RACLIST(ALLOWED)
or RACLIST(REQUIRED) is also specified).
- For all classes that have the same POSIT number specified, these
options are identical. If you change an option for one class, this
change will also affect all other classes that share the same POSIT
number.
Before you issue SETROPTS RACLIST(CDT) to build or refresh
the dynamic class descriptor table, you must decide whether to use
a unique set of option flags for each RACF class
or whether to have two or more RACF classes
share the same set of option flags. If you choose to use a unique
set of option flags for a class, assign the class a unique POSIT number.
If you choose to share the same set of option flags among several
classes, assign those classes the same POSIT number.
Before
you issue SETROPTS RACLIST(CDT), the POSIT keyword must specify a
valid value on the RDEFINE command. Otherwise, the new class will
not be added to the dynamic class descriptor table.
Once you
issue SETROPTS RACLIST(CDT) to build or refresh the dynamic class
descriptor table, you can activate the classes that comprise it and
their respective set of option flags by using the appropriate keywords
on the SETROPTS command.
There are 1024 POSIT numbers that
can identify 1024 sets of option flags. Installations can specify
POSIT numbers 19 - 56 and
128 - 527.
POSIT numbers 0 - 18,
57 - 127
and 528 - 1023
are reserved for IBM use and
should not be specified for installation-defined classes unless an
installation intends that one of its classes share SETROPTS options
with an IBM-defined class.
Guideline: A RACF class that has a default return code 8 should not share
a POSIT value with a RACF class
having a different default return code. If a class with a default
return code 8 is activated but no profiles are defined,
user activity that requires access in that class will be prevented.
- PROFILESALLOWED ( YES | NO )
- Specifies whether you want RACF to
allow profiles to be defined for this RACF class.
If you specify PROFILESALLOWED(NO), RACF will
not allow profiles to be defined to this RACF class; if a user attempts to define a profile
to that class, the RDEFINE command responds with an appropriate message.
If
PROFILESALLOWED is not specified, PROFILESALLOWED(YES) is the default.
- RACLIST
- Specifies whether SETROPTS RACLIST is to be allowed, disallowed
or required for the specified class. If you process this class using
SETROPTS RACLIST, RACF brings
copies of all discrete and generic profiles within that class into
storage in a data space. RACF uses
those profiles in storage to check the authorization of any users
who want to access the resources. The profiles remain in storage until
removed by SETROPTS NORACLIST.
- ALLOWED
- Specifies that SETROPTS RACLIST may be used for the class, but
is not required for authorization checking.
- DISALLOWED
- Specifies that SETROPTS RACLIST may not be used for the class.
- REQUIRED
- Specifies that you must process the class using SETROPTS RACLIST
in order to use RACROUTE REQUEST=AUTH. The purpose of this keyword
is to allow routines that cannot tolerate I/O to invoke RACF. When this keyword is specified and the
class is not processed by SETROPTS RACLIST and a RACROUTE REQUEST=AUTH
is attempted, the return code is 4.
If RACLIST is not specified,
RACLIST(DISALLOWED) is the default.
- SECLABELSREQUIRED ( YES | NO )
- Specifies whether a SECLABEL is required for the profiles of the
specified class when SETROPTS MLACTIVE is on.
SECLABELSREQUIRED(NO)
means that RACF will not require
a SECLABEL for profiles in this class; however, if a SECLABEL exists
for this profile and the SECLABEL class is active, RACF will use it during authorization checking.
SECLABELSREQUIRED(NO) applies to general resource classes that have
no profiles, such as DIRAUTH, or for classes that contain no data,
such as OPERCMDS and SECLABEL.
SECLABELSREQUIRED(YES) means
that RACF will require a SECLABEL
for profiles in this class when SETROPTS MLACTIVE is on.
If
SECLABELSREQUIRED is not specified, SECLABELSREQUIRED(NO) is the default.
- SIGNAL ( YES | NO )
- Specifies whether an ENF signal should be sent to listeners when
RACLISTed profiles are created, updated or deleted for authorization
checking.
When SIGNAL(YES) is specified, RACF will send an ENF signal to listeners when
a SETROPTS RACLIST, SETROPTS NORACLIST or a SETROPTS RACLIST REFRESH
is issued for the class to activate, deactivate or update the profiles
used for authorization checking. For more information, see "ENF signals" in z/OS Security Server RACF System Programmer's Guide.
When
SIGNAL(NO) is specified, no ENF signal is sent.
SIGNAL(YES)
is not valid if RACLIST(DISALLOWED) is specified.
If SIGNAL
is not specified, SIGNAL(NO) is the default.
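A consistency check for a set of proposed CDTINFO definitions, as an added example that is not IBM code: it applies the POSIT, MAXLENGTH, MAXLENX, KEYQUALIFIERS, DEFAULTRC, GENERIC/GENLIST, SIGNAL/RACLIST, GROUP/MEMBER and shared-POSIT rules stated above before anyone issues SETROPTS RACLIST(CDT). The class names and attribute values are constructed; the check only sees the proposed set, so it cannot know whether a shared POSIT also belongs to an IBM-supplied class.

```python
"""Consistency checks for a set of proposed dynamic CDT class definitions,
following the CDTINFO rules stated above (added example, not IBM code; the
class names and attribute values are constructed). ERROR marks a condition
under which the text says the class is rejected or the command fails,
WARNING one where RACF warns or silently adjusts the definition."""
from dataclasses import dataclass
from typing import Optional

# POSIT numbers installations may use: 19-56 and 128-527; the rest are reserved for IBM.
INSTALLATION_POSITS = set(range(19, 57)) | set(range(128, 528))


@dataclass
class CdtInfo:
    name: str
    posit: int
    generic: str = "ALLOWED"       # GENERIC(ALLOWED | DISALLOWED)
    genlist: str = "DISALLOWED"    # GENLIST(ALLOWED | DISALLOWED)
    raclist: str = "DISALLOWED"    # RACLIST(ALLOWED | DISALLOWED | REQUIRED)
    signal: bool = False           # SIGNAL(YES | NO)
    group: Optional[str] = None    # GROUP(grouping-class-name): this is a member class
    member: Optional[str] = None   # MEMBER(member-class-name): this is a grouping class
    maxlength: int = 8
    maxlenx: Optional[int] = None  # MAXLENX defaults to MAXLENGTH
    keyqualifiers: int = 0
    defaultrc: int = 4


def check_class(c: CdtInfo) -> list[str]:
    """Rules that involve one class only."""
    msgs = []
    if not 0 <= c.posit <= 1023:
        msgs.append(f"{c.name}: ERROR POSIT must be 0-1023; class not added")
    elif c.posit not in INSTALLATION_POSITS:
        msgs.append(f"{c.name}: WARNING POSIT {c.posit} is reserved for IBM use")
    if not 1 <= c.maxlength <= 246:
        msgs.append(f"{c.name}: ERROR MAXLENGTH must be 1-246")
    if not 1 <= (c.maxlength if c.maxlenx is None else c.maxlenx) <= 246:
        msgs.append(f"{c.name}: ERROR MAXLENX must be 1-246")
    if not 0 <= c.keyqualifiers <= 123:
        msgs.append(f"{c.name}: ERROR KEYQUALIFIERS must be 0-123")
    if c.defaultrc not in (0, 4, 8):
        msgs.append(f"{c.name}: ERROR DEFAULTRC must be 0, 4 or 8")
    if c.generic == "DISALLOWED" and c.genlist == "ALLOWED":
        msgs.append(f"{c.name}: ERROR GENLIST(ALLOWED) cannot be specified with GENERIC(DISALLOWED)")
    if c.member and c.generic == "ALLOWED":
        msgs.append(f"{c.name}: WARNING grouping class; processed as if GENERIC(DISALLOWED)")
    if c.signal and c.raclist == "DISALLOWED":
        msgs.append(f"{c.name}: ERROR SIGNAL(YES) is not valid with RACLIST(DISALLOWED)")
    return msgs


def check_set(classes: list[CdtInfo]) -> list[str]:
    """All single-class rules plus the rules that relate classes to each other."""
    by_name = {c.name: c for c in classes}
    msgs = []
    for c in classes:
        msgs += check_class(c)
        # GROUP and MEMBER must point at each other, or the class is not added to the CDT
        if c.group and getattr(by_name.get(c.group), "member", None) != c.name:
            msgs.append(f"{c.name}: ERROR GROUP({c.group}) lacks a matching MEMBER({c.name}); class not added")
        if c.member and getattr(by_name.get(c.member), "group", None) != c.name:
            msgs.append(f"{c.name}: ERROR MEMBER({c.member}) lacks a matching GROUP({c.name}); class not added")
    for i, a in enumerate(classes):
        for b in classes[i + 1:]:
            if a.posit != b.posit:
                continue
            # a grouping class and its member class may share a POSIT with different GENERIC values
            paired = a.member == b.name or b.member == a.name
            if a.generic != b.generic and not paired:
                msgs.append(f"{a.name}/{b.name}: WARNING share POSIT {a.posit} but differ in GENERIC; "
                            "SETROPTS RACLIST(CDT) may change it to the less restrictive ALLOWED")
            if a.defaultrc != b.defaultrc and 8 in (a.defaultrc, b.defaultrc):
                msgs.append(f"{a.name}/{b.name}: WARNING a DEFAULTRC(8) class shares POSIT {a.posit} "
                            "with a class having a different DEFAULTRC")
    return msgs


if __name__ == "__main__":
    proposed = [
        CdtInfo("$MYRES", posit=200, raclist="ALLOWED", signal=True, group="$MYGRP"),
        CdtInfo("$MYGRP", posit=200, generic="DISALLOWED", raclist="ALLOWED", member="$MYRES"),
        CdtInfo("$BROKEN", posit=50, generic="DISALLOWED", genlist="ALLOWED", signal=True),
    ]
    for line in check_set(proposed):
        print(line)
```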
- CFDEF
- Defines
a custom field for profiles in the CFIELD class, and specifies the
name and attributes for the custom field. The custom fields you define
with the CFDEF operand can be used in the CSDATA segment of user and
group profiles. For more information about custom fields, including
the profile name format, see z/OS Security Server RACF Security Administrator's Guide.
New
custom fields are not effective until the system programmer rebuilds
the dynamic parse table using the IRRDPI00 UPDATE command. For information
about using the IRRDPI00 command, see z/OS Security Server RACF System Programmer's Guide.
Rule: Specify
CFDEF only for profiles in the CFIELD class.
- TYPE
- Specifies the data type of the custom field. If you do not specify
TYPE, CHAR is the default.
For each data type, you can restrict the content of the custom field using the attributes shown in Table 1. For each attribute shown, the default values, based on data type, are as follows.
Rule: For each data type, do not specify attributes noted in Table 1 with a dash (-).
Table 1. Default values for attributes that restrict the content of a custom field, based on data type (one column per TYPE value)

| Attribute | CHAR | FLAG | HEX | NUM |
|---|---|---|---|---|
| FIRST | ALPHA | NONATABC | NONATNUM | NUMERIC |
| MAXLENGTH | 1100 | 3 | 512 | 10 |
| MAXVALUE | - | - | - | (See Note.) |
| MINVALUE | - | - | - | 0 |
| MIXED | NO | - | - | - |
| OTHER | ALPHA | NONATABC | NONATNUM | NUMERIC |

Note: If you do not specify MAXVALUE with TYPE(NUM), it defaults to the length of the highest value based on the MAXLENGTH value.
- CHAR
- Specifies that the custom field is a character field.
Guidelines:
- When you specify TYPE(CHAR), specify values for the following
attributes:
- FIRST: The default value is ALPHA.
- MAXLENGTH: The default value is 1100.
- MIXED: The default value is NO.
- OTHER: The default value is ALPHA.
- To allow a custom field value to be specified as a quoted string,
specify FIRST(ANY) and OTHER(ANY).
Rule: Do not specify MAXVALUE or MINVALUE with
TYPE(CHAR).
- FLAG
- Specifies that the custom field is a flag field.
Rule: Do
not specify any attributes with TYPE(FLAG). The default values are
sufficient and required. The default values are FIRST(NONATABC), OTHER(NONATABC),
and MAXLENGTH(3).
- HEX
- Specifies that the custom field is a hexadecimal field.
Guideline: When
you specify TYPE(HEX), specify a value for the MAXLENGTH attribute.
The default value is 512. Specify an even number because hexadecimal
data is stored and displayed as an even number of characters.
Rule: Do
not specify FIRST, OTHER, MAXVALUE, MINVALUE, or MIXED with TYPE(HEX).
- NUM
- Specifies that the custom field is a numeric field.
Guidelines:
- When you specify TYPE(NUM), specify values for the MAXVALUE and
MINVALUE attributes.
- You need not specify MAXLENGTH with TYPE(NUM) because MAXVALUE
limits the numeric value.
Rule: Do not specify FIRST, OTHER, or MIXED with
TYPE(NUM).
- FIRST
- Specifies a character restriction for the first character in the
custom field.
Guideline: Do not specify FIRST for custom
fields with FLAG, HEX, or NUM data type. If you incorrectly specify
the FIRST value for the data type, the custom field might be unusable.
Rules: The valid options for the FIRST attribute apply as follows, based on TYPE value (data type).

| Valid option | CHAR | FLAG | HEX | NUM |
|---|---|---|---|---|
| ALPHA | Allowed. | | | |
| ALPHANUM | Allowed. | | | |
| ANY | Allowed. | | | |
| NONATABC | Allowed. | Allowed. | | |
| NONATNUM | Allowed. | | Allowed. | |
| NUMERIC | Allowed. | | | Allowed. |
For each option of the FIRST attribute, the characters allowed in the custom field are as follows:

| Valid option | Alphabetic characters (A - Z) | National characters # (X'7B'), @ (X'7C'), and $ (X'5B') | Numeric characters (0 - 9) | Any other character |
|---|---|---|---|---|
| ALPHA | Allowed. | Allowed. | | |
| ALPHANUM | Allowed. | Allowed. | Allowed. | |
| ANY | Allowed. | Allowed. | Allowed. | Allowed. |
| NONATABC | Allowed. | | | |
| NONATNUM | Allowed. | | Allowed. | |
| NUMERIC | | | Allowed. | |
- ALPHA
- Allows alphabetic characters (A - Z) and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ALPHANUM
- Allows alphabetic characters (A - Z), numbers (0 - 9), and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ANY
- Allows alphabetic characters (A - Z), numbers (0 - 9), national characters # (X'7B'), @ (X'7C'), and $ (X'5B'), and any other character. When you specify both FIRST(ANY) and
OTHER(ANY), also allows quoted strings.
- NONATABC
- Allows alphabetic characters, and excludes numbers and national
characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NONATNUM
- Allows alphabetic characters and numbers, but excludes national
characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NUMERIC
- Allows numbers (0 - 9).
If you do not specify FIRST, the values default as follows, based on TYPE value (data type).

| Data type | Default value |
|---|---|
| CHAR | ALPHA |
| FLAG | NONATABC |
| HEX | NONATNUM |
| NUM | NUMERIC |
- HELP( help-text )
- Specifies the help text for this custom field. The help text is
displayed when the user is in TSO PROMPT mode and presses the PF1
key or enters a question mark (?). Lowercase alphabetic
characters in the help-text value
are translated to upper case.
Rules:
- Length: 1 - 255 characters.
- If the help text contains parentheses, commas, blanks, or semicolons, enclose the entire text string in single quotation marks.
- If a single quotation mark is intended to be part of the help text, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string in single quotation marks.
Example: To define help text for a customer's address and indicate that the field can be up to 100 characters, you might specify the following value:
HELP('CUSTOMER''S ADDRESS. SPECIFY UP TO 100 CHARACTERS')
If you do not specify HELP, the value defaults to the custom field name defined in the CFIELD profile name.
- LISTHEAD( list-heading-text )
- Specifies the heading to display in the output for the LISTUSER
or LISTGRP command whenever the CSDATA segment is listed. Lowercase
alphabetic characters in the list-heading-text value
are translated to upper case.
Rules:
- Length: 1 - 40 characters.
- If the heading text contains parentheses, commas, blanks, or semicolons, enclose the entire text string in single quotation marks.
- If a single quotation mark is intended to be part of the heading text, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string in single quotation marks.
Example: LISTHEAD('CUSTOMER''S ADDRESS =')
Guidelines: If you specify a LISTHEAD value, avoid confusion for users who use the LISTUSER or LISTGRP command to list custom field values by following these guidelines:
- Ensure that each custom field has a unique heading.
- Append an equal sign (=) or other delimiter to your LISTHEAD value to indicate in the list output where the heading ends and the data begins.
If you do not specify LISTHEAD, the value defaults to the custom field name defined in the CFIELD profile name, and an equal sign (=) is appended to the end of the value.
- MAXLENGTH( maximum-field-length )
- Specifies the maximum length of the custom field. You can specify
MAXLENGTH with any TYPE value (data type).
Guideline: Do
not specify with TYPE(FLAG) because 3 is the default
value and the only valid value.
Rules: The valid values or value ranges shown in Table 2 apply based on data type.
Table 2. Valid values or value range and default values for the MAXLENGTH attribute, based on data type

| Data type | Valid value or range | Default value |
|---|---|---|
| CHAR | 1 - 1100 | 1100 |
| FLAG | 3 | 3 |
| HEX | 1 - 512 | 512 |
| NUM | 1 - 10 | 10 |

If you do not specify MAXLENGTH, the default values shown in Table 2 apply based on data type.
- MAXVALUE( maximum-numeric-value )
- Specifies the maximum numeric value for a custom field with TYPE(NUM).
Rules:
- Valid range: 0 - 2 147 483 647
- Do not specify a MAXVALUE value for custom fields with CHAR, FLAG,
or HEX data type.
- Do not specify a MAXVALUE value lower than the MINVALUE value.
- Do not specify a MAXVALUE value larger than the highest value that fits in the number of digits given by MAXLENGTH.
If you do not specify MAXVALUE, the value defaults to the highest value that fits in the number of digits given by MAXLENGTH. For example, if you specify MAXLENGTH(4), the default MAXVALUE is 9999.
- MINVALUE( minimum-numeric-value )
- Specifies the minimum numeric value for a custom field with TYPE(NUM).
Rules: - Valid range: 0 - 2 147 483 647
- Do not specify a MINVALUE value for fields with CHAR, FLAG, or
HEX data type.
- Do not specify a MINVALUE value higher than the MAXVALUE value.
- Do not specify a MINVALUE value larger than the highest value that fits in the number of digits given by MAXLENGTH.
If you do not specify MINVALUE, the value defaults to 0.
- MIXED( YES | NO )
- Specifies whether mixed-case alphabetic characters are allowed
for a custom field with TYPE(CHAR).
- YES
- Lowercase characters are allowed in any position of the custom
field where alphabetic characters are allowed, based on the character
restrictions specified with the FIRST and OTHER attributes. RACF commands, such as ADDUSER,
do not translate lowercase alphabetic characters in the field
to upper case.
Rule: Do not specify MIXED(YES) for custom
fields with FLAG, HEX, or NUM data type.
- NO
- RACF commands translate
lowercase alphabetic characters in the field to upper case.
If you do not specify MIXED, the value defaults
to NO.
- OTHER
- Specifies a character restriction for characters in the custom
field other than the first character.
Guideline: Do not
specify OTHER for custom fields with FLAG, HEX, or NUM data type.
If you incorrectly specify the OTHER value for the data type, the
custom field might be unusable.
For each option of the OTHER attribute, the characters allowed in the custom field are as follows:
Valid options | Alphabetic characters (A - Z) | National characters # (X'7B'), @ (X'7C'), and $ (X'5B') | Numeric characters (0 - 9) | Any other character
---|---|---|---|---
ALPHA | Allowed. | Allowed. | |
ALPHANUM | Allowed. | Allowed. | Allowed. |
ANY | Allowed. | Allowed. | Allowed. | Allowed.
NONATABC | Allowed. | | |
NONATNUM | Allowed. | | Allowed. |
NUMERIC | | | Allowed. |
- ALPHA
- Allows alphabetic characters (A - Z) and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ALPHANUM
- Allows alphabetic characters (A - Z), numbers (0 - 9), and national characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- ANY
- Allows alphabetic characters (A - Z), numbers (0 - 9), national characters # (X'7B'), @ (X'7C'), and $ (X'5B'), and any other character. When you specify both FIRST(ANY) and
OTHER(ANY), also allows quoted strings.
- NONATABC
- Allows alphabetic characters, and excludes numbers and national
characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NONATNUM
- Allows alphabetic characters and numbers, but excludes national
characters # (X'7B'), @ (X'7C'), and $ (X'5B').
- NUMERIC
- Allows numbers (0 - 9).
Rules: The valid options for the OTHER attribute apply as follows, based on TYPE value (data type).
Valid options | CHAR | FLAG | HEX | NUM
---|---|---|---|---
ALPHA | Allowed. | | |
ALPHANUM | Allowed. | | |
ANY | Allowed. | | |
NONATABC | Allowed. | Allowed. | |
NONATNUM | Allowed. | | Allowed. |
NUMERIC | Allowed. | | | Allowed.
If you do not specify OTHER, the values default as follows, based on TYPE value (data type).
Data type | Default value
---|---
CHAR | ALPHA
FLAG | NONATABC
HEX | NONATNUM
NUM | NUMERIC
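The MAXLENGTH, MAXVALUE, MINVALUE, MIXED and OTHER rules above are easiest to apply before a value is stored. The following is an added example written for this page; it is not RACF code or IBM's own validation. It models only the rules and defaults stated in this section and assumes that FIRST takes the same option names as OTHER and defaults to the OTHER value when omitted (the FIRST table is not reproduced here). The field definitions and values it is exercised with are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NATIONAL = set("#@$")                         # X'7B', X'7C', X'5B'
ALPHA = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")

# Character groups each FIRST/OTHER option admits (table on this page).
OPTION_GROUPS = {
    "ALPHA":    {"alpha", "national"},
    "ALPHANUM": {"alpha", "national", "numeric"},
    "ANY":      {"alpha", "national", "numeric", "other"},
    "NONATABC": {"alpha"},
    "NONATNUM": {"alpha", "numeric"},
    "NUMERIC":  {"numeric"},
}
# OTHER options valid per data type, and the default when OTHER is omitted.
OTHER_VALID = {"CHAR": set(OPTION_GROUPS), "FLAG": {"NONATABC"},
               "HEX": {"NONATNUM"}, "NUM": {"NUMERIC"}}
OTHER_DEFAULT = {"CHAR": "ALPHA", "FLAG": "NONATABC", "HEX": "NONATNUM", "NUM": "NUMERIC"}
# MAXLENGTH range per data type (Table 2); the upper bound is also the default.
MAXLENGTH_RANGE = {"CHAR": (1, 1100), "FLAG": (3, 3), "HEX": (1, 512), "NUM": (1, 10)}
NUM_VALUE_LIMIT = 2_147_483_647               # range for an explicit MINVALUE/MAXVALUE


def char_group(ch: str) -> str:
    """Classify one character as the FIRST/OTHER table does (case-folded)."""
    if ch.upper() in ALPHA:
        return "alpha"
    if ch in NATIONAL:
        return "national"
    if ch in DIGITS:
        return "numeric"
    return "other"


@dataclass
class CustomField:
    """A CFDEF definition with the defaults described on this page filled in.

    Assumption (not stated in this section): FIRST takes the same option
    names as OTHER and, when omitted, defaults to the OTHER value.
    """
    type: str
    maxlength: Optional[int] = None
    first: Optional[str] = None
    other: Optional[str] = None
    mixed: str = "NO"
    minvalue: Optional[int] = None
    maxvalue: Optional[int] = None

    def __post_init__(self) -> None:
        if self.type not in OTHER_VALID:
            raise ValueError(f"unknown TYPE({self.type})")
        lo, hi = MAXLENGTH_RANGE[self.type]
        self.maxlength = hi if self.maxlength is None else self.maxlength
        if not lo <= self.maxlength <= hi:
            raise ValueError(f"MAXLENGTH({self.maxlength}) not in {lo}-{hi} for TYPE({self.type})")
        self.other = self.other or OTHER_DEFAULT[self.type]
        if self.other not in OTHER_VALID[self.type]:
            raise ValueError(f"OTHER({self.other}) is not valid for TYPE({self.type})")
        self.first = self.first or self.other
        if self.first not in OPTION_GROUPS:
            raise ValueError(f"FIRST({self.first}) is not a known option")
        if self.mixed not in ("YES", "NO"):
            raise ValueError(f"MIXED({self.mixed}) is not valid")
        if self.mixed == "YES" and self.type != "CHAR":
            raise ValueError("MIXED(YES) is valid only for TYPE(CHAR)")
        if self.type != "NUM":
            if self.minvalue is not None or self.maxvalue is not None:
                raise ValueError("MINVALUE/MAXVALUE are valid only for TYPE(NUM)")
            return
        # An explicit MINVALUE/MAXVALUE must fit in MAXLENGTH digits and in the
        # documented range; the defaults are 0 and the largest MAXLENGTH-digit number.
        cap = min(10 ** self.maxlength - 1, NUM_VALUE_LIMIT)
        for name, val in (("MINVALUE", self.minvalue), ("MAXVALUE", self.maxvalue)):
            if val is not None and not 0 <= val <= cap:
                raise ValueError(f"{name}({val}) is outside 0 - {cap} for MAXLENGTH({self.maxlength})")
        self.minvalue = 0 if self.minvalue is None else self.minvalue
        self.maxvalue = 10 ** self.maxlength - 1 if self.maxvalue is None else self.maxvalue
        if self.minvalue > self.maxvalue:
            raise ValueError("MINVALUE must not be higher than MAXVALUE")


def validate(field: CustomField, value: str) -> Tuple[str, List[str]]:
    """Check a value against its field definition; returns (stored value, errors).

    MIXED(NO) folds lowercase letters to upper case as the RACF commands do;
    MIXED(YES) keeps the value as entered.  An empty error list means accepted.
    """
    errors: List[str] = []
    if not 1 <= len(value) <= field.maxlength:
        errors.append(f"length {len(value)} is not within 1 - MAXLENGTH({field.maxlength})")
    for pos, ch in enumerate(value, start=1):
        option = field.first if pos == 1 else field.other
        if char_group(ch) not in OPTION_GROUPS[option]:
            errors.append(f"character {ch!r} at position {pos} is not allowed by {option}")
    if field.type == "NUM" and not errors:
        number = int(value)
        if not field.minvalue <= number <= field.maxvalue:
            errors.append(f"{number} is outside MINVALUE({field.minvalue}) - MAXVALUE({field.maxvalue})")
    stored = value if field.mixed == "YES" else value.upper()
    return stored, errors
```

A definition that breaks a rule (for example OTHER(ANY) on a FLAG field, or MAXVALUE above what MAXLENGTH can hold) is rejected when the `CustomField` is built, which is where the page says an incorrect OTHER value would otherwise leave the field unusable; `validate` then reports every offending position of a value rather than only the first.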
- DATA('installation-defined-data')
- Specifies
up to 255 characters of installation-defined data to be stored in
the profile for the resource and the data must be enclosed in single
quotation marks. It can also contain double-byte character set (DBCS)
data.
This information is listed by the RLIST command.
- DLFDATA
- Specifies information
used in the control of DLF objects in profiles in the DLFCLASS.
- RETAIN(YES | NO)
- Specifies
whether the DLF object can be retained after use.
- JOBNAMES(jobname-1 …)
- Specifies
the list of objects which can access the DLF objects protected by
this profile.
You can specify any job name valid on your system.
You can also specify generic job names with an asterisk (*)
as the last character of the job name. For example, JOBNAMES(ABC)
allows only job ABC to access the DLF objects protected by the profile.
JOBNAMES(ABC*) allows any job whose name begins with
ABC (such as ABC, ABC1, or ABCDEF and so forth) to access the DLF
objects.
If DLFDATA is not specified, or is specified
without the RETAIN suboperand, RETAIN(NO) is defaulted.
- EIM
- The
EIM and PROXY segment keywords and subkeywords combine to define the
EIM domain, the LDAP host it resides on, and the bind information
required by the EIM services to establish a connection with an EIM
domain. The EIM services will attempt to retrieve this information
when it is not explicitly supplied with the invocation parameters.
- DOMAINDN(eim_domain_dn)
- Specifies the distinguished name of the EIM domain. A valid EIM
domain distinguished name begins with ibm-eimDomainName=.
Uppercase and lowercase characters are accepted and maintained in
the case in which they are entered. The EIM domain distinguished name
is one component of an EIM domain name.
An EIM domain name identifies
the LDAP server that stores the EIM domain information. The EIM domain
name begins with the ldap_url from the LDAPHOST
suboperand of the PROXY keyword, followed by / and
ends with the eim_domain_dn from the DOMAINDN
suboperand. The length of a valid EIM domain name is determined by
the combination of those factors. RACF allows
the input of 1023 characters for the domain distinguished name. RACF does not ensure that an EIM
domain name created from the LDAP URL and EIM domain distinguished
name forms a valid EIM domain name.
For more information about
LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
- OPTIONS
- Specifies options that control the EIM configuration.
- ENABLE | DISABLE
- ENABLE
- Specifies that new connections may be established with the specified
EIM domain. This is the default.
- DISABLE
- Specifies that new connections may not be established with the
specified EIM domain.
- LOCALREGISTRY(registry_name)
- Specifies the name of the local RACF registry
in EIM domains. This operand is valid only with the following profiles
and is ignored for all others:
- The IRR.PROXY.DEFAULTS profile in the FACILITY class
- The IRR.ICTX.DEFAULTS.sysid profile
in the LDAPBIND class
- The IRR.ICTX.DEFAULTS profile in the LDAPBIND class.
EIM uses the registry_name value
defined in the IRR.PROXY.DEFAULTS profile. The ICTX identity cache registry_name uses
the value defined in the IRR.ICTX.DEFAULTS.sysid or
IRR.ICTX.DEFAULTS profile.
The registry_name value
is 1 - 255
characters in length. It can consist of any characters and can be
entered with or without single quotation marks. The following rules
apply: - If parentheses, commas, blanks, or semicolons are intended as
part of the registry_name, you must enclose
the entire character string in single quotation marks.
- If a single quotation mark is intended as part of the registry_name,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
- Both uppercase and lowercase characters are accepted and maintained
in the case in which they are entered.
- KERBREGISTRY(registry_name)
- Specifies the name of the Kerberos registry in the EIM domain
that the system is configured to use. This operand is only valid for
the IRR.PROXY.DEFAULTS FACILITY class profile. The value is ignored
when used on other profiles.
The Kerberos registry_name may
be 1 - 255
characters long. Uppercase and lowercase characters are allowed, but
are not significant because the Kerberos registry name is stored in
the RACF database in uppercase.
- X509REGISTRY(registry_name)
- Specifies the name of the X.509 registry in the EIM domain that
the system is configured to use. This operand is only valid for the
IRR.PROXY.DEFAULTS FACILITY class profile. The value is ignored when
used on other profiles.
The X.509 registry_name may
be 1 - 255
characters long. Uppercase and lowercase characters are allowed, but
are not significant because the X.509 registry name is stored in the RACF database in uppercase.
- FCLASS(profile-name-2-class)
- Specifies
the name of the class to which profile-name-2 belongs.
The valid class names are DATASET and those classes defined in the
class descriptor table. For a list of general
resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
If you omit this operand, RACF assumes that profile-name-2 belongs
to the same class as profile-name-1. This
operand is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
- FGENERIC
- Specifies
that RACF is to treat profile-name-2 as
a generic name, even if it is fully qualified (meaning that it does
not contain any generic characters). This operand is needed only if profile-name-2 is
a DATASET profile.
- FROM(profile-name-2)
- Specifies
the name of an existing discrete or generic profile that RACF is to use as a model for the new profile.
The model profile name you specify on the FROM operand overrides any
model name specified in your user or group profile. If you specify
FROM and omit FCLASS, RACF assumes
that profile-name-2 is the name of a profile
in the same class as profile-name-1.
Mixed-case
profile names are accepted and preserved when FCLASS refers to a class
defined in the static class descriptor table with CASE=ASIS or in
the dynamic class descriptor table with CASE(ASIS).
To specify
FROM, you must have sufficient authority to both profile-name-1 and profile-name-2, as
described under "Authorization Required".
Possible
Changes to Copied Profiles When Modeling Occurs: When a profile
is copied during profile modeling, the new profile might differ from
the model in the following ways:
For information about automatic profile modeling, refer
to z/OS Security Server RACF Security Administrator's Guide.
- FVOLUME(volume-serial)
- Specifies
the volume RACF is to use to
locate the model profile (profile-name-2).
If you specify
FVOLUME and RACF does not find profile-name-2 associated
with that volume, the command fails. If you omit this operand and profile-name-2 appears
more than once in the RACF data
set, the command fails.
FVOLUME is valid only when FCLASS either
specifies or defaults to DATASET and when profile-name-2 specifies
a discrete profile. Otherwise, RACF ignores
FVOLUME.
- ICSF
- Specifies ICSF attributes
for the keys that are controlled by this profile. ICSF attributes
are valid only for profiles in the CSFKEYS, GCSFKEYS, XCSFKEY, and
GXCSFKEY classes.
- ASYMUSAGE
- Specifies how an asymmetric key that is controlled by this profile
is eligible to be used. If you do not specify ASYMUSAGE, the key is
eligible for all uses.
- SECUREEXPORT | NOSECUREEXPORT
- Specifies whether the key is eligible to be used to export or
import symmetric keys.
- HANDSHAKE | NOHANDSHAKE
- Specifies whether the key is eligible to be used to protect communication
channels.
- SYMEXPORTABLE
- Specifies which public keys, if any, are eligible for use to export
a symmetric key that is controlled by this profile. If you do not
specify SYMEXPORTABLE, any public key is eligible.
- BYANY
- Any public key is eligible. The SYMEXPORTCERTS and SYMEXPORTKEYS
settings are ignored. This option is the default setting.
- BYLIST
- Only public keys specified with the SYMEXPORTCERTS or SYMEXPORTKEYS
option are eligible. If neither option is set for this symmetric key,
no public key is eligible (as if BYNONE were specified).
- BYNONE
- No public key is eligible. The SYMEXPORTCERTS and SYMEXPORTKEYS
settings are ignored.
- SYMEXPORTCERTS([qualifier]/label-name
… | *)
- Specifies a list of the labels of digital certificates that are eligible to
be used to export the symmetric keys controlled by this profile.
Each
listed certificate must exist in the ICSF key store (the SAF key ring
or PKCS #11 token specified by an ICSF configuration setting). For
information about the ICSF key store, see z/OS Cryptographic Services ICSF Administrator's Guide.
Specify
an asterisk (*) to indicate that any certificate in the ICSF key store
is eligible to be used to export the symmetric keys controlled by
this profile. Specifying an asterisk (*) overrides any listed labels.
Specify
each certificate label using a certificate label string in the form
of qualifier/ label-name.
- qualifier
- Specifies an optional qualifier in the certificate label string
when multiple certificates have the same label. If specified, RACF translates the qualifier value
to uppercase characters before storing it in the profile. The meaning
of the qualifier value depends on where the certificate resides.
When the certificate resides in a … | The qualifier value is …
---|---
SAF key ring | The RACF user ID of the certificate owner.
PKCS #11 token | The value of the CKA_ID attribute of the certificate. The CKA_ID value consists of up to 64 hexadecimal characters. Valid characters are 0 - 9 and A - F.
- /label-name
- Specifies the certificate label assigned when the certificate
was created. You must specify the forward slash character (/)
followed by the certificate label.
If the certificate label contains
blanks, or special characters that cause problems with TSO/E, such
as the comma, parenthesis, or comment delimiter (/*),
the entire certificate label string must be enclosed in single quotation
marks.
Any leading or trailing blanks specified in label-name are
removed from this value before storing it in the profile.
Examples
of certificate label strings: - DENICE/CertForDenice
- 'ROGERS/Cert for Rogers'
- '/DLR cert'
- SYMEXPORTKEYS(ICSF-key-label … | *)
- Specifies a list of the ICSF key labels of public keys that are
eligible to be used to export the symmetric keys controlled by this
profile. Each listed public key must reside in the ICSF PKA key data
set (PKDS).
Specify an asterisk (*) to indicate that any public
key in the ICSF PKDS is eligible to be used to export the symmetric
keys controlled by this profile. Specifying an asterisk (*) overrides
any listed labels.
- ICSF-key-label
- Specifies the ICSF key label for the public key. The label name
cannot exceed 64 characters. The first character must be an alphabetic
character or a national character (# , @ ,
or $ ). Subsequent characters can be a period character
(.) or any alphanumeric or national character.
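The certificate label strings under SYMEXPORTCERTS, the ICSF key label syntax under SYMEXPORTKEYS and the BYANY, BYLIST and BYNONE settings under SYMEXPORTABLE together decide which public key may wrap a symmetric key for export. The following added example, written for this page and not ICSF or RACF code, parses label strings with the quoting, upper-casing and blank-trimming rules given above, checks key labels against the stated syntax, and evaluates the eligibility decision. The sample labels are the page's own examples plus constructed ones; the `token` flag and the class and function names are this example's, not a product interface.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ICSF key label syntax under SYMEXPORTKEYS: at most 64 characters, the first
# alphabetic or national, the rest alphanumeric, national or a period.
KEY_LABEL_RE = re.compile(r"^[A-Z#@$][A-Z0-9#@$.]{0,63}$")
# Qualifier of a certificate in a PKCS #11 token: the CKA_ID, up to 64 hex digits.
CKA_ID_RE = re.compile(r"^[0-9A-F]{1,64}$")


def is_valid_key_label(label: str) -> bool:
    return KEY_LABEL_RE.match(label) is not None


def parse_cert_label_string(text: str, token: bool = False) -> Tuple[Optional[str], str]:
    """Split one SYMEXPORTCERTS entry into (qualifier, label).

    Rules from this page: the entry may be wrapped in single quotation marks
    when the label holds blanks or TSO delimiters; the qualifier is folded to
    upper case; leading and trailing blanks of the label are dropped.  With
    token=True the qualifier must be a CKA_ID value rather than a user ID.
    """
    if len(text) >= 2 and text[0] == text[-1] == "'":
        text = text[1:-1]
    if "/" not in text:
        raise ValueError(f"{text!r}: expected [qualifier]/label-name")
    qualifier, label = text.split("/", 1)
    qualifier, label = qualifier.upper(), label.strip()
    if not label:
        raise ValueError(f"{text!r}: empty certificate label")
    if token and qualifier and not CKA_ID_RE.match(qualifier):
        raise ValueError(f"{qualifier!r} is not a valid CKA_ID qualifier")
    return (qualifier or None, label)


@dataclass
class SymExportPolicy:
    """SYMEXPORTABLE and the two label lists of a profile protecting symmetric keys."""
    symexportable: str = "BYANY"
    symexportcerts: List[str] = field(default_factory=list)
    symexportkeys: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.symexportable not in ("BYANY", "BYLIST", "BYNONE"):
            raise ValueError(f"SYMEXPORTABLE({self.symexportable}) is not valid")
        for label in self.symexportkeys:
            if label != "*" and not is_valid_key_label(label):
                raise ValueError(f"SYMEXPORTKEYS: {label!r} is not a valid ICSF key label")
        # An asterisk overrides any listed labels, so the parsed list is not needed then.
        self._any_cert = "*" in self.symexportcerts
        self._any_key = "*" in self.symexportkeys
        self._certs = [] if self._any_cert else [
            parse_cert_label_string(c) for c in self.symexportcerts]

    def cert_may_export(self, cert_label_string: str) -> bool:
        """May the public key of this certificate export the symmetric key?"""
        if self.symexportable == "BYANY":
            return True
        if self.symexportable == "BYNONE":
            return False
        # BYLIST: the qualifier compares case-folded, the label as stored.
        return self._any_cert or parse_cert_label_string(cert_label_string) in self._certs

    def key_may_export(self, key_label: str) -> bool:
        """May the PKDS public key with this label export the symmetric key?"""
        if self.symexportable == "BYANY":
            return True
        if self.symexportable == "BYNONE":
            return False
        return self._any_key or key_label in self.symexportkeys
```

With BYLIST and both lists empty the policy answers no for every candidate, which is the "as if BYNONE were specified" case in the text; with BYANY the lists are never consulted, so a label list left over from an earlier setting grants nothing by itself and should not be relied on for review.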
- SYMCPACFWRAP
- Specifies whether the encrypted symmetric keys that are controlled
by this profile are eligible to be rewrapped by CP Assist for Cryptographic
Function (CPACF). If you do not specify SYMCPACFWRAP, the keys are
ineligible.
- YES
- Specifies that the encrypted symmetric keys that are controlled
by this profile are eligible to be rewrapped by CPACF.
- NO
- Specifies that the encrypted symmetric keys that are controlled
by this profile are ineligible to be rewrapped by CPACF. This option
is the default setting.
- ICTX
- Specifies the ICTX
configuration options that control the ICTX identity cache.
The
ICTX identity cache uses an in-storage copy of the configuration options.
Use SETROPTS RACLIST processing for the LDAPBIND class to activate
these options. (See the z/OS Security Server RACF Security Administrator's Guide for
more information about SETROPTS RACLIST processing.)
For details
about the ICTX configuration options, see z/OS Integrated Security Services EIM Guide and Reference.
The following operands are used only for the following
profiles in the LDAPBIND class and are ignored for other profiles: - IRR.ICTX.DEFAULTS.sysid
- IRR.ICTX.DEFAULTS
- USEMAP (YES | NO)
- Specifies whether the ICTX identity cache stores a valid identity
mapping to a z/OS user ID when
provided by the application. If you do not specify this, USEMAP(YES)
is the default.
- YES
- When the application provides a valid mapping to a local z/OS user ID, the ICTX identity
cache stores it. (This is the default value.)
- NO
- Identity mappings provided by the application are not stored.
- DOMAP (YES | NO)
- Specifies whether the ICTX identity cache uses Enterprise Identity
Mapping (EIM) services to find a mapping to a z/OS user ID for an authenticated user, and
then stores the mapping. If you do not specify this, DOMAP(NO) is
the default.
- YES
- When EIM finds a mapping to a z/OS user
ID for an authenticated user, the ICTX identity cache stores it.
- NO
- The ICTX identity cache will not use EIM to find an identity mapping.
(This is the default value.)
- MAPREQUIRED(YES | NO)
- Specifies whether the ICTX identity cache requires identity mapping
to a z/OS user ID for an authenticated
user. If you do not specify this, MAPREQUIRED(NO) is the default.
- YES
- The ICTX identity cache fails the request when no valid mapping
is provided by the application or found using EIM.
- NO
- The ICTX identity cache does not fail the request when
no valid mapping is provided by the application or found using EIM.
- MAPPINGTIMEOUT(1 - 3600)
- Specifies how long (one second to one hour) the ICTX identity
cache stores an identity mapping to a z/OS user
ID for an authenticated user. If you do not specify this, MAPPINGTIMEOUT(3600)
is the default.
Guideline: If you frequently modify your
EIM mappings, consider a low MAPPINGTIMEOUT value. A shorter timeout
period causes the ICTX identity cache to invoke EIM more frequently.
This allows your cached mappings to be refreshed more frequently and
improves their currency.
- KERB
- Specifies z/OS Integrated Security Services Network Authentication
Service information
for a REALM class profile.
- CHECKADDRS
- Specifies
whether the Kerberos server validates addresses in tickets as part
of ticket validation processing.
This keyword is only applicable
when defining the KERBDFLT REALM profile for the local realm.
- YES
- The server validates addresses in tickets.
- NO
- The server ignores addresses in tickets. This is the default value.
- DEFTKTLFE(def-ticket-life)
- Specifies the default ticket lifetime for the local z/OS Network Authentication Service in seconds.
The value of DEFTKTLFE is 1 - 2 147 483 647.
Note that 0 is not a valid value.
This keyword is only applicable
when defining the KERBDFLT REALM profile for the local realm.
If
DEFTKTLFE is specified, MAXTKTLFE and MINTKTLFE must also be specified.
- ENCRYPT
- Specifies
which keys can be used by the z/OS Network Authentication Service realm
you are defining.
ENCRYPT is the default value when you specify
KERB. The default values for ENCRYPT are DES, DES3, DESD, AES128,
and AES256.
- DES | NODES
- Whether DES encrypted keys can be used.
- DES3 | NODES3
- Whether DES3 encrypted keys can be used.
- DESD | NODESD
- Whether DESD encrypted keys can be used.
- AES128 | NOAES128
- Whether AES128 encrypted keys can be used.
- AES256 | NOAES256
- Whether AES256 encrypted keys can be used.
When a realm's password changes, a key of each
type is generated and stored in the principal's user profile. The
use of each key is based on the z/OS Network Authentication Service configuration.
See z/OS Integrated Security Services Network Authentication Service Administration for
information about how z/OS Network Authentication Service uses
keys and how to customize environment variables related to keys.
- KERBNAME(kerberos-realm-name)
- Specifies
the local realm name or a trust relationship for z/OS Network Authentication Service. The
maximum length of this field is 117 characters.
Syntax
rules for naming your local realm:
The local realm name
that you define to RACF can
consist of any character, except the / ( X'61')
character. You can enter the name with or without single quotation
marks, depending on the following: - If parentheses, commas, blanks, or semicolons are entered as part
of the name, the character string must be enclosed in single quotation
marks.
- If a single quotation mark is intended to be part of the name
and the entire character string is enclosed in single quotation marks,
you must use two single quotation marks together to represent each
single quotation mark within the string.
- If the first character of the name is a single quotation mark,
you must enter the string within single quotation marks, with two
single quotation marks entered for the single quotation mark.
Regardless of the case in which it is entered, RACF translates the name of the local z/OS Network Authentication Service realm
to upper case. However, RACF does
not ensure that a valid kerberos-realm-name has
been specified.
Guidelines for naming your local realm:
- MAXTKTLFE(max-ticket-life)
- Specifies
the max-ticket-life for the local z/OS Network Authentication Service in seconds.
The value of MAXTKTLFE is 1 - 2 147 483 647.
Note that 0 is not a valid value.
This keyword is only applicable
when defining the KERBDFLT REALM profile for the local z/OS Network Authentication Service realm.
If
MAXTKTLFE is specified, DEFTKTLFE and MINTKTLFE must also be specified.
- MINTKTLFE(min-ticket-life)
- Specifies
the min-ticket-life for the z/OS Network Authentication Service in seconds.
The value of MINTKTLFE is 1 - 2 147 483 647.
Note that 0 is not a valid value.
This keyword is only applicable
when defining the KERBDFLT REALM profile for the local Kerberos realm.
If
MINTKTLFE is specified, DEFTKTLFE and MAXTKTLFE must also be specified.
- PASSWORD(kerberos-password)
- Specifies
the value of the kerberos-password. The
maximum length of this value is 128 characters. The PASSWORD
keyword is applicable to all REALM class profile definitions. A
password must be associated with the definition of a trust relationship
or else the definition is incomplete.
Guideline: Avoid
using EBCDIC variant characters to prevent problems with different
code pages.
The password that you define to RACF can consist of any character. You can enter
a password with or without single quotation marks, depending on the
following: - If parentheses, commas, blanks, or semicolons are entered as part
of the password, the character string must be enclosed in single quotation
marks.
- If a single quotation mark is intended to be part of the password
and the entire character string is enclosed in single quotation marks,
you must use two single quotation marks together for each single quotation
mark within the string.
- If the first character of the password is a single quotation mark,
you must enter the string within single quotation marks, with two
single quotation marks entered for the character.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered.
Note: This
keyword is intended for administrators to be able to associate a kerberos-password with
the definition of a realm. It is not the same as a RACF user password and is not constrained by
the SETROPTS password rules or change interval values that might be
established for RACF user passwords.
- LEVEL(nn)
- Specifies
a level indicator, where nn is an integer
from 0 - 99.
The default is 0.
Your installation assigns the meaning of the
value. It is included on all records that log resource accesses and
is listed by the RLIST command.
- NOTIFY[(userid)]
- Specifies
the user ID of a user to be notified whenever RACF uses this profile to deny access to a resource.
If you specify NOTIFY without specifying a user ID, RACF takes your user ID as the default; you
are notified whenever the profile denies access to a resource.
A
user who is to receive NOTIFY messages should log on frequently to
take action in response to the unauthorized access attempt described
in each message. RACF sends
NOTIFY messages to the SYS1.BRODCAST data set. When the resource profile
also includes WARNING, RACF might
have granted access to the resource to the user identified in the
message.
When RACF denies
access to a resource, it does not notify a user: - When the resource is in the PROGRAM class
- When the resource is in a class for which an application has built
in-storage profiles using RACROUTE REQUEST=LIST
Some applications,
such as IMS™ and CICS®, load all the profiles for
a given class into storage. After these profiles are in storage, the
applications can do a fast authorization check using RACROUTE
REQUEST=FASTAUTH. One difference is that, in some cases, fast authorization
checking does not issue warning messages or notification messages and does
not support auditing. In cases where it does not, return and reason codes
are returned to the application so that it can support these functions itself:
the application can examine the return and reason codes and use RACROUTE
REQUEST=AUTH to create the messages and audit records. If the application
uses RACROUTE REQUEST=AUTH to support auditing, the specified user is notified.
Otherwise, no notification, warning, or auditing occurs.
For details on using RACF with IMS, visit IBM Information Management Software for
z/OS Solutions Information Center.
For details on using RACF with CICS, visit CICS Transaction Server for z/OS Information Center.
- When the profile is used to disallow the creation or deletion
of a data set
NOTIFY is used only for resource access checking,
not for resource creation or deletion.
- OWNER(userid
or group-name)
- Specifies
a RACF-defined user or group to be assigned as the owner of the resource
you are defining. If you omit this operand, you are defined as the
owner. The user specified as the owner does not automatically have
access to the resource. Use the PERMIT command to add the owner to
the access list as desired.
- PROXY
- Specifies
information which the z/OS LDAP
server will use when acting as a proxy on behalf of a requester. The R_proxyserv (IRRSPY00)
SAF callable service will attempt to retrieve this information when
it is not explicitly supplied with the invocation parameters. Applications
or other services which use the R_proxyserv callable
service, such as IBM Policy Director Authorization Services for
z/OS and OS/390, may
instruct their invokers to define PROXY segment information.
- LDAPHOST(ldap_url)
- Specifies
the URL of the LDAP server which the z/OS LDAP
server will contact when acting as a proxy on behalf of a requester.
An LDAP URL has a format such as ldap://123.45.6:389 or ldaps://123.45.6:636,
where ldaps indicates that an SSL connection is desired
for a higher level of security. LDAP will also allow you to specify
the host name portion of the URL using either the text form (BIGHOST.POK.IBM.COM)
or the dotted decimal address (123.45.6). The port number is appended
to the host name, separated by a colon : (X'7A').
For
more information about LDAP URLs and how to enable LDAP servers for
SSL connections, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
The
LDAP URL that you define to RACF can
consist of 10 - 1023
characters. A valid URL must start with either ldap:// or ldaps://. RACF will allow any characters
to be entered for the remaining portion of the URL, but you should
ensure that the URL conforms to TCP/IP conventions. For example, parentheses,
commas, blanks, semicolons, and single quotation marks are not typically
allowed in a host name. The LDAP URL can be entered with or without
single quotation marks, however, in both cases, it will be translated
to uppercase.
RACF does
not ensure that a valid LDAP URL has been specified.
- BINDDN(bind_distinguished_name)
- Specifies the distinguished name (DN)
which the z/OS LDAP server
will use when acting as a proxy on behalf of a requester. This DN
will be used in conjunction with the BIND password, if the z/OS LDAP server needs to supply
an administrator or user identity to BIND with another LDAP server.
A DN is made up of attribute value pairs, separated by commas. For
example:
cn=Ben Gray,ou=editing,o=New York Times,c=US
cn=Lucille White,ou=editing,o=New York Times,c=US
cn=Tom Brown,ou=reporting,o=New York Times,c=US
When
you define a BIND DN to RACF,
it can contain 1 - 1023 characters.
The BIND DN can consist of any characters and can be entered with
or without single quotation marks. The following rules apply: - If parentheses, commas, blanks, or semicolons are to be entered
as part of the BIND DN, the character string must be enclosed in single
quotation marks.
- If a single quotation mark is intended to be part of the BIND
DN, use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. For more information
about LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If
you issue the RDEFINE command as a RACF operator
command and you specify the BIND DN in lowercase, you must include
the BIND DN within single quotations.
RACF does not ensure that a valid BIND DN has
been specified.
- BINDPW
- Specifies
the password which the z/OS LDAP
server will use when acting as a proxy on behalf of a requester.
When
you define a BIND password to RACF,
it can contain 1 - 128 characters.
The BIND password can consist of any characters (see exception below)
and can be entered with or without single quotation marks. The following
rules apply: - The BIND password cannot start with a left brace { character (X'8B').
- If parentheses, commas, blanks, or semicolons are to be entered
as part of the BIND password, the character string must be enclosed
in single quotation marks.
- If a single quotation mark is intended to be part of the BIND
password, use two single quotation marks together for each single
quotation mark within the string, and enclose the entire string within
single quotation marks.
Both uppercase and lowercase characters are accepted
and maintained in the case in which they are entered. For more information
about LDAP passwords, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.
If
you issue the RDEFINE command as a RACF operator
command and you specify the BIND password in lowercase, you must include
the BIND password within single quotations.
RACF does not ensure that a valid BIND password
has been specified.
Attention: - When the command is issued from ISPF, the TSO command buffer (including
possible BINDPW password data) is written to the ISPLOG data set.
As a result, you should not issue this command from ISPF or you must
control the ISPLOG data set carefully.
- When the command is issued as a RACF operator
command, the command and the possible BINDPW password data is written
to the system log. Therefore, use of RDEFINE as a RACF operator command should either be controlled
or you should issue the command as a TSO command.
- SECLABEL(seclabel-name)
- Specifies
the installation-defined security label for this profile.
A security
label corresponds to a particular security level (such as CONFIDENTIAL)
with a set of zero or more security categories (such as PAYROLL or
PERSONNEL).
RACF stores
the name of the security label you specify in the resource profile
if you are authorized to use that SECLABEL.
If you are not
authorized to the SECLABEL or if the name you had specified is not
defined as a SECLABEL profile in the SECLABEL class, the resource
profile is not created.
If SECLABEL is not specified, the created
profile will not have a SECLABEL associated with the resource, unless
the SETROPTS MLACTIVE option is turned on. In this case, the user's
current logon SECLABEL will automatically be assigned to the profile.
- SECLEVEL(seclevel-name)
- Specifies
the name of an installation-defined security level. The name corresponds
to the number that is the minimum security level that a user must
have to access the resource. The seclevel-name must
be a member of the SECLEVEL profile in the SECDATA class.
When
you specify SECLEVEL and the SECDATA class is active, RACF adds security level checking to its other
authorization checking. If global access checking grants access, RACF compares the security level
allowed in the user profile with the security level required in the
resource profile. If the security level in the user profile is less
than the security level in the resource profile, RACF denies the access. If the security level
in the user profile is equal to or greater than the security level
in the resource profile, RACF continues
with other authorization checking. The SECLEVEL operand is required
for the SECLABEL class.
Note: RACF does
not perform security level checking for a started task that has the RACF privileged or trusted attribute.
The RACF privileged or trusted
attribute can be assigned to a started task through the RACF started procedures table or STARTED class.
Also, RACF does not enforce
security level information specified on profiles in the PROGRAM class.
If
the SECDATA class is not active, RACF stores
the name you specify in the resource profile. When the SECDATA class
is activated and the name you specified is defined as a SECLEVEL profile, RACF can perform security level
access checking for the resource profile. If the name you specify
is not defined as a SECLEVEL profile, you are prompted to provide
a valid SECLEVEL name.
- SESSION
- Is
only valid for the APPCLU resource class. It specifies that when changing
an APPCLU class profile, the following suboperands add, change, or
delete SESSION segment field values. The SESSION segment is used to
control the establishment of sessions between logical units under
LU6.2.
- CONVSEC
- Specifies the level or levels of security checking performed when
conversations are established with the LU protected by this profile.
Guideline: Specify a CONVSEC option for each APPCLU profile.
- ALREADYV
- APPC/MVS does not verify
the user ID and password for any inbound allocate requests. If you
specify ALREADYV, you assume that user IDs and passwords have already
been verified by the partner LU. You must specify this only if the
partner LU is trustworthy.
- AVPV
- The user ID/password is already verified and persistent verification
is requested.
- CONV
- APPC/MVS issues a RACROUTE REQUEST=VERIFY to verify the user ID
and password for all inbound allocate requests.
- NONE
- All inbound allocate requests pass without RACF checking for a valid user ID. No RACROUTE
REQUEST=VERIFY is issued.
- PERSISTV
- Specifies persistent verification.
- INTERVAL(n)
- Sets the maximum number of days the session key is valid. The n value
can be 1 - 32767.
If the key interval is longer than the installation maximum (set with
SETROPTS SESSIONINTERVAL), then the profile is created.
If the
key interval is not specified and there is a SETROPTS SESSIONINTERVAL
value, the profile is created with that value. If there is no SETROPTS
SESSIONINTERVAL value, there is no limit to the number of days the
session key is valid.
- LOCK
- Mark the profile as locked. This prevents all session establishment
from succeeding.
- SESSKEY(session-key)
- Change the key for this profile. The session-key value
can be expressed in two ways:
- X'y' where y is a hexadecimal number of 1 - 16 digits
- z or 'z' where z is a string of 1 - 8 characters
If the entire 16 digits or 8 characters are not used, the
field is padded to the right with binary zeros.
Note: Session
keys are 64-bit Data Encryption Standard (DES) keys. With DES, 8 of
the 64 bits are reserved for use as parity bits, so those 8 bits are
not part of the 56-bit key. In hexadecimal notation, the DES parity
bits are: X'0101 0101 0101 0101'. Any two 64-bit
keys are equivalent DES keys if their only difference is in one or
more of these parity bits. For instance, the following SESSKEY values,
although appearing to be quite different, are equivalent because they
differ only in the last bit of each byte:
- BDF0KM4Q, which is X'C2C4 C6F0 D2D4 F4D8'
- CEG1LN5R, which is X'C3C5 C7F1 D3D5 F5D9'
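As an added example (not part of the IBM reference), the following Python normalizes a SESSKEY value given in either documented form to the 8-byte key it represents and checks the DES parity-bit equivalence described in the note above. Two assumptions are made: character-form values are converted with EBCDIC code page 037 (which reproduces the hex values the note gives), and a short X'y' value is padded on the right with zero hex digits.

```python
import re

# DES parity bits in hexadecimal notation, as given for SESSKEY: the low-order
# bit of each of the 8 key bytes. Clearing them leaves the 56 bits DES uses.
DES_PARITY_MASK = bytes.fromhex("0101010101010101")

_HEX_FORM = re.compile(r"^[Xx]'([0-9A-Fa-f]{1,16})'$")


def sesskey_to_bytes(value: str) -> bytes:
    """Normalise a SESSKEY operand value to the 8-byte key it represents.

    Accepts the two documented forms: X'y' (1 - 16 hexadecimal digits) and
    z or 'z' (1 - 8 characters). Unused digits or characters are padded on
    the right with binary zeros. Assumption: characters are converted with
    EBCDIC code page 037.
    """
    match = _HEX_FORM.match(value)
    if match:
        return bytes.fromhex(match.group(1).ljust(16, "0"))
    text = value
    if len(text) >= 2 and text[0] == "'" and text[-1] == "'":
        text = text[1:-1]
    if not 1 <= len(text) <= 8:
        raise ValueError("character-form SESSKEY must be 1 - 8 characters")
    return text.encode("cp037").ljust(8, b"\x00")


def effective_des_key(key: bytes) -> bytes:
    """Return the key with its 8 DES parity bits cleared.

    Two 64-bit keys are equivalent DES keys exactly when this value is equal.
    """
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    return bytes(k & (0xFF ^ p) for k, p in zip(key, DES_PARITY_MASK))


def equivalent_sesskeys(first: str, second: str) -> bool:
    """True if two SESSKEY values select the same 56-bit DES key."""
    return effective_des_key(sesskey_to_bytes(first)) == effective_des_key(
        sesskey_to_bytes(second)
    )


def differing_bits(first: str, second: str) -> list[int]:
    """Bit positions (0 = most significant bit of byte 0) where two keys differ.

    For an equivalent pair every position returned is a parity position
    (7, 15, 23, ... 63), which is what the note above describes.
    """
    a, b = sesskey_to_bytes(first), sesskey_to_bytes(second)
    positions = []
    for i, (x, y) in enumerate(zip(a, b)):
        for bit in range(8):
            if ((x ^ y) >> (7 - bit)) & 1:
                positions.append(i * 8 + bit)
    return positions


if __name__ == "__main__":
    # The pair from the note: they look different but are the same DES key.
    for k in ("BDF0KM4Q", "CEG1LN5R"):
        raw = sesskey_to_bytes(k)
        print(k, raw.hex().upper(), "->", effective_des_key(raw).hex().upper())
    print("equivalent:", equivalent_sesskeys("BDF0KM4Q", "CEG1LN5R"))
    print("differing bit positions:", differing_bits("BDF0KM4Q", "CEG1LN5R"))
```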
- SIGVER
- Specifies
the options for verifying the signatures of programs that are protected
by this general resource profile.
Rule: Specify SIGVER only
for profiles in the PROGRAM class. Any options specified with the
SIGVER operand are ignored for profiles in a class other than the
PROGRAM class.
Restriction: Digital signature verification
is supported only for program objects that are stored as members of
a partitioned data set extended (PDSE) library.
Digital signature verification is not supported for programs
that are stored as members of a partitioned data set (PDS) library.
Any
options specified with the SIGVER operand are ignored for unsupported
programs.
Note: Regardless of the SIGREQUIRED setting,
specifying FAILLOAD(NEVER) and SIGAUDIT(NONE) is equivalent to having
no SIGVER segment.
For detailed information, see "Program
signing and verification" in z/OS Security Server RACF Security Administrator's Guide.
- SIGREQUIRED
- Specifies whether programs that are protected by this profile
must be digitally signed.
- YES
- Specifies that programs must be digitally signed.
When you
specify SIGREQUIRED(YES), the following conditions apply to any program
that is protected by this general resource profile:
- If the program has a digital signature:
  - Signature verification processing occurs.
  - The program continues to load according to the FAILLOAD setting.
  - Logging occurs according to the SIGAUDIT setting.
- If the program has no digital signature:
  - Signature verification processing occurs, resulting in a signature
verification failure.
  - The program continues to load according to the FAILLOAD setting.
  - Logging occurs according to the SIGAUDIT setting.
- NO
- Specifies that programs need not be digitally signed.
When
you specify SIGREQUIRED(NO), the following conditions apply to any
program that is protected by this general resource profile:
- If the program has a digital signature:
  - Signature verification processing occurs.
  - The program continues to load according to the FAILLOAD setting.
  - Logging occurs according to the SIGAUDIT options.
- If the program has no digital signature:
  - No signature verification occurs.
  - The program continues to load. The FAILLOAD setting is ignored.
  - No logging occurs. The SIGAUDIT setting is ignored.
If SIGREQUIRED is not specified, SIGREQUIRED(NO) is the default
value.
- FAILLOAD
- Specifies the conditions under which the program fails to load
in the event that a signature verification failure occurs.
- ANYBAD
- Specifies that the program fails to load when a signature verification
failure occurs, regardless of the cause. Such failures include those
resulting from an incorrect signature, or an error establishing the
trust of the signer. This setting includes failures related to administrative
errors, such as a missing or incorrectly defined key ring.
The
ANYBAD setting includes the failures covered by the BADSIGONLY setting,
and also includes errors establishing the trust of the signer.
- BADSIGONLY
- Specifies that the program fails to load only when the signature
verification failure is caused by an incorrect digital signature.
Such failures include only those resulting from a signature that fails
verification or a signature structure that is missing or improperly
formatted.
In contrast to ANYBAD, the BADSIGONLY setting does
not cause a program to fail to load when the program has a valid signature
originating from an untrusted signer.
- NEVER
- Specifies that the program never fails to load when a signature
verification failure is detected.
If FAILLOAD is not specified, FAILLOAD(NEVER)
is the default value.
- SIGAUDIT
- Specifies which signature verification events are logged. Messages
are issued to the console only for signature verification failures
that are logged.
- ALL
- Logs all signature verifications, whether successful or not.
- SUCCESS
- Logs only signature verification successes. In other words, the
digital signature is valid and the root CA certificate is trusted.
- ANYBAD
- Logs all signature verification failures, regardless of the cause
of the failure. Such failures include those resulting from an incorrect
signature, or an error establishing the trust of the signer. This
setting includes failures related to administrative errors, such as
a missing or incorrectly defined key ring.
The ANYBAD setting logs
the failures covered by the BADSIGONLY setting, and also logs errors
encountered when establishing the trust of the signer.
- BADSIGONLY
- Logs only signature verification failures caused by an incorrect
digital signature. Such failures include only those resulting from
a signature that fails verification or a signature structure that
is missing or improperly formatted.
In contrast to ANYBAD, the
BADSIGONLY setting does not log a signature verification failure when
the program has a valid signature originating from an untrusted signer.
- NONE
- Logs no digital signature verification events.
If SIGAUDIT is not specified, SIGAUDIT(NONE)
is the default value.
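To make the interaction of SIGREQUIRED, FAILLOAD and SIGAUDIT concrete, here is an added Python model (not IBM code) that applies the rules above to one program and reports whether it loads and whether the event is logged. The outcome labels VALID, BADSIG and UNTRUSTED are names chosen for this example: a valid signature from a trusted signer, an incorrect or missing signature structure, and an error establishing the signer's trust (including the administrative errors the text mentions).

```python
from dataclasses import dataclass

# Verification outcomes (names chosen for this example, not RACF terms).
VALID = "VALID"          # signature verifies and the signer's trust is established
BADSIG = "BADSIG"        # signature fails verification, or its structure is missing/malformed
UNTRUSTED = "UNTRUSTED"  # signature is valid but trust of the signer cannot be established
                         # (includes administrative errors such as a missing key ring)

SIGREQUIRED_VALUES = {"YES", "NO"}
FAILLOAD_VALUES = {"ANYBAD", "BADSIGONLY", "NEVER"}
SIGAUDIT_VALUES = {"ALL", "SUCCESS", "ANYBAD", "BADSIGONLY", "NONE"}


@dataclass(frozen=True)
class SigverSegment:
    """SIGVER settings, defaulting as the text states when an operand is omitted."""
    sigrequired: str = "NO"
    failload: str = "NEVER"
    sigaudit: str = "NONE"

    def __post_init__(self):
        if self.sigrequired not in SIGREQUIRED_VALUES:
            raise ValueError(f"bad SIGREQUIRED value {self.sigrequired!r}")
        if self.failload not in FAILLOAD_VALUES:
            raise ValueError(f"bad FAILLOAD value {self.failload!r}")
        if self.sigaudit not in SIGAUDIT_VALUES:
            raise ValueError(f"bad SIGAUDIT value {self.sigaudit!r}")


def verification_result(seg: SigverSegment, signed: bool, outcome: str):
    """Result RACF acts on, or None when no signature verification occurs."""
    if signed:
        return outcome
    # Unsigned program: with SIGREQUIRED(YES) verification runs and fails, and a
    # missing signature structure falls in the BADSIGONLY category. With
    # SIGREQUIRED(NO) verification is skipped entirely.
    return BADSIG if seg.sigrequired == "YES" else None


def program_loads(seg: SigverSegment, result) -> bool:
    """Apply FAILLOAD: only a verification failure can stop the load."""
    if result is None or result == VALID:
        return True
    if seg.failload == "ANYBAD":
        return False
    if seg.failload == "BADSIGONLY":
        return result != BADSIG
    return True  # NEVER


def event_logged(seg: SigverSegment, result) -> bool:
    """Apply SIGAUDIT: nothing is logged when no verification occurred."""
    if result is None:
        return False
    return {
        "ALL": True,
        "SUCCESS": result == VALID,
        "ANYBAD": result != VALID,
        "BADSIGONLY": result == BADSIG,
        "NONE": False,
    }[seg.sigaudit]


def sigver_decision(seg: SigverSegment, signed: bool, outcome: str = VALID):
    """Return (loads, logged) for one program under one SIGVER segment."""
    result = verification_result(seg, signed, outcome)
    return program_loads(seg, result), event_logged(seg, result)


def decision_table(seg: SigverSegment) -> list[tuple[str, bool, bool]]:
    """All four program cases for a segment: unsigned, then signed with each outcome."""
    rows = [("unsigned", *sigver_decision(seg, signed=False))]
    for outcome in (VALID, BADSIG, UNTRUSTED):
        rows.append((f"signed/{outcome}", *sigver_decision(seg, True, outcome)))
    return rows


if __name__ == "__main__":
    # A strict segment next to the all-defaults segment, which the note above
    # says is equivalent to having no SIGVER segment at all.
    for seg in (SigverSegment("YES", "ANYBAD", "ANYBAD"), SigverSegment()):
        print(seg)
        for case, loads, logged in decision_table(seg):
            print(f"  {case:18} loads={loads!s:5} logged={logged}")
```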
- SINGLEDSN
- Specifies
that the tape volume can contain only one data set. SINGLEDSN is valid
only for a TAPEVOL profile. If the volume already contains more than
one data set, RACF issues a
message and ignores the operand.
- SSIGNON
- Defines
the application key or a secured signon key
and indicates the method you want to use to protect the key value
within the RACF database on
the host. When defining the profile, you can either mask or encrypt
the key. The key-value represents a 64-bit
(8-byte) key that must be represented as 16 hexadecimal characters.
The valid characters are 0 - 9 and A - F.
Restrictions:
- As with RACF passwords, the database unload facility does not unload
application keys or secured signon keys.
- The RLIST command does not list the value of application keys or
secured signon keys. Therefore, when you define the keys, you should
note the value and keep it in a secure place.
- KEYMASKED(key-value)
- Specifies
that you want to mask the key value using the masking algorithm.
Rules:
- You can specify this operand only once for each application key.
- If you mask a key, you cannot encrypt it. These are mutually
exclusive.
You can use the RLIST command to verify that the key
is protected.
- KEYENCRYPTED(key-value)
- Specifies that you want to encrypt
the key value.
Rules:
- You can specify this operand only once for each application key.
- If you encrypt a key, you cannot mask it. These are mutually
exclusive.
- A cryptographic product must be installed and active on the system.
You can use the RLIST command to verify that the key
is protected.
- STDATA
- Used
to control security for started tasks. STDATA should only be specified
for profiles in the STARTED class.
- USER
-
- USER(userid)
- Specifies the user ID to
be associated with this entry.
RACF issues
a warning message if the specified userid does
not exist, or if the USER operand is not specified, but data is placed
into the STDATA segment. If the error is not corrected, RACF uses the started procedures table to process
START requests that would have used this STARTED profile.
- USER(=MEMBER)
- Specifies that the procedure name should be used as the user ID.
If =MEMBER is specified for USER, a group-name value
should be specified for the GROUP operand. If =MEMBER is
specified for both USER and GROUP, a warning message is issued and
problems might result when the profile is used. For information, see z/OS Security Server RACF System Programmer's Guide.
- GROUP
-
- GROUP(group-name)
- Specifies the group name to be associated with this entry.
RACF issues a warning message if
the specified group-name does not exist.
If userid and group-name are
specified, RACF verifies that
the user is connected to the group. If GROUP is specified incorrectly,
the started task runs as an undefined user.
- GROUP(=MEMBER)
- Specifies that the procedure name should be used as the group
name. If =MEMBER is specified for GROUP, a userid value
must be specified for the USER operand or RACF uses the started procedures table to assign
an identity for this started task. If =MEMBER is
specified for both USER and GROUP, a warning message is issued and
problems might result when the profile is used. For information, see z/OS Security Server RACF System Programmer's Guide.
If
GROUP is not specified, the started task runs with the default group
of the specified user ID.
- PRIVILEGED( YES | NO )
- Specifies whether the started task should run with the RACF PRIVILEGED attribute. The
PRIVILEGED attribute allows the started task to pass most authorization
checking. No installation exits are called, no SMF records are generated,
and no statistics are updated. (Note that bypassing authorization
checking includes bypassing the checks for security classification
of users and data.) For more information, see z/OS Security Server RACF System Programmer's Guide.
If
PRIVILEGED(NO) is specified, the started task runs without the RACF PRIVILEGED attribute.
If
PRIVILEGED is not specified, PRIVILEGED(NO) is the default.
- TRACE( YES | NO )
- Specifies whether a message should be issued to the operator when
this entry is used to assign an ID to the started task.
If TRACE(YES)
is specified, RACF issues an
informational message to the operator to record the use of this entry
when it is used to assign an ID to a started task. This record can
be useful in finding started tasks that do not have a specific entry
defined and in diagnosing problems with the user IDs assigned for
started tasks.
If TRACE(NO) is specified, RACF does not issue an informational message
when this entry is used.
If TRACE is not specified, TRACE(NO)
is defaulted.
- TRUSTED( YES | NO )
- Specifies whether the started task should run with the RACF TRUSTED attribute. The TRUSTED
attribute is similar to the PRIVILEGED attribute except that auditing
can be requested using the SETROPTS LOGOPTIONS command. For more information
about the TRUSTED attribute, see z/OS Security Server RACF System Programmer's Guide.
If
TRUSTED(NO) is specified, the started task runs without the RACF TRUSTED attribute.
If
TRUSTED is not specified, TRUSTED(NO) is the default.
- SVFMR
- Defines
profiles associated with a particular SystemView® for MVS application.
- SCRIPTNAME(script-name)
- Specifies the name of the list of default logon scripts associated
with this application. This operand is optional. If this operand is
omitted, no scripts are associated with the application.
The script-name is
a 1 - 8
character alphanumeric name of a member of an MVS partitioned data
set (PDS). RACF accepts both
uppercase and lowercase characters for script-name,
but lowercase characters are translated to uppercase.
The PDS
member specified by the script-name contains
a list of other PDS members that contain the scripts associated with
this application's profile. The PDS and members, including the member
that contains the list of other members, are created by the SystemView for MVS administrator.
- PARMNAME(parm-name)
- Specifies the name of the parameter list associated with this
application. If this operand is omitted, no parameters are associated
with the application.
The parm-name is
a 1 - 8
character alphanumeric name of a member of an MVS partitioned data
set (PDS). RACF accepts both
uppercase and lowercase characters for parm-name,
but lowercase characters are translated to uppercase.
The PDS
member specified by parm-name contains a
list of other PDS members that contain the parameters associated with
this application's profile. The PDS and members, including the member
that contains the list of other members, are created by the SystemView for MVS administrator.
- TIMEZONE({E | W} hh[.mm])
- Specifies the time zone in which a terminal
resides. TIMEZONE is valid only for resources in the TERMINAL class; RACF ignores it for all other resources.
Specify TIMEZONE only when the terminal is not in the same time
zone as the processor on which RACF is
running and you are also specifying WHEN to limit access to the terminal
to specific time periods. In this situation, TIMEZONE provides the
information RACF needs to calculate
the time values correctly. If you identify more than one terminal
in the profile-name-1 operand, all the terminals
must be in the same time zone.
On TIMEZONE, you specify whether
the terminal is east (E) or west (W) of the system and by how many
hours (hh) and, optionally, minutes (mm) that the terminal
time zone is different from the processor time zone. Valid hour values
are 0 - 11,
and valid minute values are 00 - 59.
For
example, if the processor is in New York and the terminal is in Los
Angeles, specify TIMEZONE(W 3). If the processor is in Houston and
the terminal is in New York, specify TIMEZONE(E 1).
If you
change the local time on the processor (to accommodate daylight saving
time, for instance), RACF adjusts
its time calculations accordingly. However, if the processor time
zone and the terminal time zone do not change in the same way, you
must adjust the terminal time zones yourself, as described earlier
for the WHEN(TIME) operand.
- TME
- Specifies
that information for the Tivoli® Security
Management Application be added.
Note: The TME segment fields are
intended to be updated only by the Tivoli Security
Management Application, which manages updates, permissions, and cross
references. A security administrator should only directly update Tivoli Security Management fields
on an exception basis.
All TME suboperands, with the exception
of those for ROLES, can be specified when changing a resource profile
in the ROLE class. Conversely, only the ROLES suboperands can be specified
when changing a resource profile in any other class.
- CHILDREN(profile-name …)
- Specifies the complete list of roles that inherit attributes from
this role. A role is a discrete general resource profile defined in
the ROLE class.
- GROUPS(group-name …)
- Specifies the complete list of groups that should be permitted
to resources defined in this role profile.
- PARENT(profile-name)
- Specifies the name of a role from which this role inherits attributes.
A role is a discrete general resource profile defined in the ROLE
class.
- RESOURCE(resource-access-specification …)
- Specifies the complete list of resources and associated access
levels for groups defined in this role profile.
One or more resource-access-specification values
can be specified, each separated by blanks. Each value should contain
no imbedded blanks and should have the following format:
origin-role:class-name:profile-name:authority[:conditional-class:conditional-profile]
where origin-role is
the name of the role profile from which the resource access is inherited.
The class-name value is an existing resource
class name and profile-name is a resource
profile defined in that class. The authority is
the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER)
with which groups in the role definition should be permitted to the
resource.
The conditional-class is
a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID)
for conditional access permission, and is followed by the conditional-profile value,
a resource profile defined in the conditional class.
- ROLES(role-access-specification …)
- Specifies a list of roles and associated access levels related
to this profile.
One or more role-access-specification values
can be specified, each separated by blanks. Each value should contain
no imbedded blanks and should have the following format:
role-name:authority[:conditional-class:conditional-profile]
where role-name is
a discrete general resource profile defined in the ROLE class. The authority is
the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER)
with which groups in the role definition should be permitted to the
resource.
The conditional-class is
a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID)
for conditional access permission, and is followed by the conditional-profile value,
a resource profile defined in the conditional class.
- TVTOC
- Specifies,
for a TAPEVOL profile, that RACF is
to create a TVTOC in the TAPEVOL profile when a user creates the first
output data set on the volume. The RDEFINE command creates a nonautomatic
TAPEVOL profile; RACF creates
and maintains the TVTOC for data sets residing on tape.
Specifying
TVTOC also affects the access list for the TAPEVOL profile:
- When RACF processes the RDEFINE command with the TVTOC operand, it
places the user ID of the command issuer (perhaps the tape librarian)
in the access list with ALTER authority.
- When the first output data set is created on the volume, RACF adds
the user ID associated with the job or task to the access list with
ALTER authority.
See z/OS Security Server RACF Security Administrator's Guide for
further information.
The TVTOC operand is valid only for a
discrete profile in the TAPEVOL class.
- UACC(access-authority)
- Specifies
the universal access authority to be associated with this resource.
The universal access authorities are ALTER, CONTROL, UPDATE, READ,
EXECUTE (for controlled programs only), and NONE. If UACC is not specified, RACF uses the value in the ACEE
or the class descriptor table. If UACC is specified without access-authority, RACF uses the value in the current
connect group. For tape volumes and DASD volumes, RACF treats CONTROL authority as UPDATE authority.
For all other resources listed in the class descriptor table and for
applications, RACF treats CONTROL
and UPDATE authority as READ authority.
If the user ID accessing
the general resource has the RESTRICTED attribute, RACF treats the access authority as NONE.
- WARNING
- Specifies
that even if access authority is insufficient, RACF is to issue a warning message and allow
access to the resource. RACF also
records the access attempt in the SMF record if logging is specified
in the profile.
Restriction: RACF does not issue
a warning message for a resource when the resource is:
- In the PROGRAM or NODES class
- In a class for which an application has built in-storage profiles
using RACROUTE REQUEST=LIST.
When SETROPTS MLACTIVE(FAILURES) is in effect: A
user or task can access a resource that is in WARNING mode and has
no security label even when MLACTIVE(FAILURES) is in effect and the
class requires security labels. The user or task receives a warning
message and gains access.
Applications that use REQUEST=LIST: Some
applications, such as IMS and CICS, load all the profiles for
a given class into storage. After these profiles are in storage, the
applications can do a fast authorization check using RACROUTE
REQUEST=FASTAUTH. Fast authorization checking is different from normal
authorization checking in several ways. One difference is that, in
some cases, fast authorization checking does not issue warning messages,
notification messages or support auditing. In cases where it does
not, return and reason codes are returned to the application to allow
support of these functions. The application can examine the return
and reason codes and use RACROUTE REQUEST=AUTH to create the messages
and audit records. If the application uses RACROUTE REQUEST=AUTH to
support auditing or specifies LOG=ASIS on the RACROUTE REQUEST=FASTAUTH,
the specified user is notified. Otherwise, notification, warning,
and so on does not occur.
For details on using RACF with IMS, visit IBM Information Management Software for z/OS Solutions
Information Center.
For details on using RACF with CICS,
visit CICS Transaction
Server for z/OS Information Center.
- WHEN
- Specifies, for a resource
in the TERMINAL class, the days of the week or the hours in the day
when a user can access the system from the terminal. The day-of-week
and time restrictions apply only when a user logs on to the system;
that is, RACF does not force
the user off the system if the end-time occurs while the user is logged
on.
If you omit the WHEN operand, a user can access the system
from the terminal at any time. If you specify the WHEN operand, you
can restrict the use of the terminal to certain days of the week or
to a certain time period on each day. Or, you can restrict access
to both certain days of the week and to a certain time period within
each day.
- DAYS(day-info)
- Specifies days of the week when the terminal can be used. The day-info value
can be any one of the following:
- ANYDAY
- RACF allows use of the
terminal on any day. If you omit DAYS, ANYDAY is the default.
- WEEKDAYS
- RACF allows use of the
terminal only on weekdays (Monday through Friday).
- day …
- RACF allows use of the
terminal only on the days specified, where day can be MONDAY, TUESDAY,
WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY. You can specify
the days in any order.
- TIME(time-info)
- Specifies the time period each day when the terminal can be used.
The time-info value can be any one of the
following:
- ANYTIME
- RACF allows use of the
terminal at any time. If you omit TIME, ANYTIME is the default.
- start-time:end-time
- RACF allows use of the
terminal only during the specified time period. The format of both start-time and end-time is hhmm,
where hh is the hour in 24-hour notation (00 - 24)
and mm is the minutes (00 - 59); the complete value must be within
the range 0001 - 2400.
Note that 2400 indicates 12:00 a.m. (midnight).
If start-time is
greater than end-time, the interval spans
midnight and extends into the following day.
Specifying start-time and end-time is
straightforward when the processor on which RACF is running and the terminal are in the
same time zone; you specify the time values in local time.
However,
if the terminal is in a different time zone from the processor and
you want to restrict access to certain time periods, you have two
choices. You can specify the TIMEZONE operand to allow RACF to calculate the time and day values correctly.
Otherwise, you can adjust the time values yourself, by translating
the start-time and end-time for
the terminal to the equivalent local time for the processor.
For
example, assume that the processor is in New York and the terminal
is in Los Angeles, and you want to allow access to the terminal from
8:00 A.M. to 5:00 P.M. in Los Angeles. In this situation, you would
specify TIME(1100:2000). If the processor is in Houston
and the terminal is in New York, you would specify TIME(0900:1800).
If you omit DAYS and specify TIME, the time
restriction applies to all seven days of the week. If you specify
both DAYS and TIME, RACF allows
use of the terminal only during the specified time period and only
on the specified days.
Examples
|
|
|
---|
Example 1 |
Operation |
User TBK20 wants to define resource GIMS600 in
class GIMS which is a resource group class. He also wants to define
TIMS200, TIMS111, TIMS300, and TIMS333 as members of the resource
group (GIMS600). |
Known |
User TBK20 has the CLAUTH attribute for the GIMS
and TIMS classes. GIMS is a resource group class, and TIMS is its
associated resource member class. TIMS200 and TIMS111 are members
of another resource group. The user has ALTER authority to the other
resource group. User TBK20 wants to issue the command as a RACF TSO command. |
Command |
RDEFINE GIMS GIMS600 ADDMEM(TIMS200 TIMS111
TIMS300 TIMS333) |
Defaults |
OWNER (TBK20) LEVEL(0) AUDIT(FAILURES(READ)) UACC(NONE) |
Example 2 |
Operation |
User ADM1 wants to define a generic profile for
all resources starting with a T belonging to the
TIMS class, and to require that users must reenter their passwords
whenever they enter any IMS transaction
starting with a T. |
Known |
User ADM1 has the SPECIAL attribute. User ADM1
wants to issue the command as a RACF TSO
command. |
Command |
RDEFINE TIMS T* APPL('REVERIFY') |
Defaults |
UACC(NONE) OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ)) |
Example 3 |
Operation |
User ADM1 wants to define AMASPZAP as a controlled
program with program-accessed data set checking. |
Known |
User ADM1 has the SPECIAL attribute. AMASPZAP
resides in SYS1.LINKLIB on the SYSRES volume. RACF program control is active. User ADM1 wants
to issue the command as a RACF TSO
command. |
Command |
RDEFINE PROGRAM AMASPZAP ADDMEM('SYS1.LINKLIB'/SYSRES/PADCHK) |
Defaults |
UACC(NONE) OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ)) |
Example 4 |
Operation |
User ADM1 wants to define all load modules that
start with IKF as controlled programs that do not
require program-accessed data set checking. |
Known |
User ADM1 has the SPECIAL attribute. All load
modules whose names begin with IKF reside in SYS1.COBLIB
on the SYSRES volume. User ADM1 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @. |
Command |
@RDEFINE PROGRAM IKF* ADDMEM('SYS1.COBLIB'/SYSRES/NOPADCHK) |
Defaults |
UACC(NONE) OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ)) |
Example 5 |
Operation |
User JPQ12 wants to define a tape volume labeled
DP0123 and allow it to hold a TVTOC. The tape volume is assigned a
UACC of NONE. |
Known |
User JPQ12 has the SPECIAL attribute. User JPQ12
wants to issue the command as a RACF TSO
command. |
Command |
RDEFINE TAPEVOL DP0123 TVTOC UACC(NONE) |
Defaults |
OWNER (JPQ12) LEVEL(0) AUDIT(FAILURES(READ)) |
Example 6 |
Operation |
User ADM1 wants to prepare the TCICSTRN class
to be used for RACGLIST processing. |
Known |
User ADM1 has the SPECIAL attribute User ADM1
wants to issue the command as a RACF TSO
command. |
Command |
RDEFINE RACGLIST TCICSTRN UACC(NONE) |
Defaults |
OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ)) |
Example 7 |
Operation |
The security administrator wants to define a profile
for TSO in the PTKTDATA class. The security administrator wants to
direct the command to run under the authority of user OJC11 at node
NYTSO. |
Known |
ELVIS1 is the user ID of the security administrator.
OJC11 has the SPECIAL attribute on node NYTSO.
The profile
name is TSOR001.
The key-value is e001193519561977 and
is to be masked. The security administrator wants to issue the command
as a RACF TSO command.
The
security administrator and OJC11 at NYTSO have an already established
user ID association.
|
Command |
RDEFINE PTKTDATA TSOR001 SSIGNON(KEYMASKED(e001193519561977))
AT(NYTSO.OJC11) |
Defaults |
UACC(NONE) |
Example 8 |
Operation |
The security administrator wants to create an
entry in the dynamic started procedures table for the OMVS started
procedure by defining a generic profile in the STARTED class. |
Known |
The administrator wants to use the procedure name
as the user ID. The group name is STCGRP. SETROPTS GENERIC(STARTED)
has been issued to allow generic profiles to be created in this class.
The security administrator wants to issue the command as a RACF TSO command.
|
Command |
RDEFINE STARTED OMVS.* STDATA(USER(=MEMBER)
GROUP(STCGRP)) |
Defaults |
PRIVILEGED(NO) TRACE(NO) TRUSTED(NO) UACC(NONE) |
Example 9 |
Operation |
User ADM1 wants to define the following: - A SystemView for
the MVS application named APPL1.HOST1.USER1
- TSOR220 application data
- A list of scripts named APPL1SC for the application
- A list of parameters named APPL1P for the application
|
Known |
User ADM1 has CLAUTH authority for the SYSMVIEW
class. |
Command |
RDEFINE SYSMVIEW APPL1.HOST1.USER1 APPLDATA('TSOR220')
SVFMR(SCRIPTNAME(APPL1SC) PARMNAME(APPL1P))
|
Defaults |
UACC(NONE) |
Example 10 |
Operation |
Local realm KRB2000.IBM.COM is
being defined with a minimum ticket lifetime of 5 minutes, a default
ticket lifetime of 10 hours, a maximum ticket lifetime of 24 hours,
and a password of 744275. All of the ticket lifetime values are specified
in seconds. |
Known |
The administrator has access to the KERBDFLT profile
in the REALM class. |
Command |
RDEFINE REALM KERBDFLT KERB(KERBNAME(KRB2000.IBM.COM)
MINTKTLFE(300) DEFTKTLFE(36000)
MAXTKTLFE(86400) PASSWORD(744275))
|
Defaults |
CHECKADDRS(NO) ENCRYPT(DES DES3 DESD AES128
AES256) |
Example 11 |
Operation |
A trust relationship is being defined between
the kerb390.endicott.ibm.com realm and the realm
at ker2000.endicott.ibm.com. |
Known |
The administrator has access to the /.../KERB390.ENDICOTT.IBM.COM/KERBTGT/KER2000.ENDICOTT.IBM.COM profile
in the REALM class. |
Command |
RDEFINE REALM /.../KERB390.ENDICOTT.IBM.COM/KRBTGT/KER2000.ENDICOTT.IBM.COM
KERB(PASSWORD(12345678)) |
Defaults |
CHECKADDRS(NO) ENCRYPT(DES DES3 DESD AES128
AES256) |
Example 12

Operation: The administrator wants to create a profile (TSOIM13) in the PTKTDATA class with replay protection bypassed.

Known: The administrator has the SPECIAL attribute.

Command:
RDEFINE PTKTDATA TSOIM13 APPLDATA('NO REPLAY PROTECTION')

Defaults: None.
Example 13

Operation: The administrator is defining the system-wide defaults for Enterprise Identity Mapping (EIM) applications. One of the applications uses the default name given to RACF.

Known: The EIM domain's distinguished name is ibm-eimDomainName=Pok EIM Domain,o=IBM,c=US. The domain resides in LDAP at http://some.big.host/. The bind distinguished name has authority to retrieve lookup information. The name given to the local RACF registry is RACFSYS2.

Command:
RDEFINE FACILITY IRR.PROXY.DEFAULTS EIM(
DOMAINDN('ibm-eimDomainName=Pok EIM Domain,o=IBM,c=US')
OPTIONS(ENABLE)
LOCALREGISTRY(RACFSYS2))

Defaults: None.
Example 14

Operation: The administrator wants to define the SAFDFLT profile in the REALM class using the APPLDATA field to define the RACF realm name.

Known: The administrator has the SPECIAL attribute. The realm name racf.winmvs2c is selected by the security administrator to give a name to the set of user IDs and other user information held in the security manager database. If Kerberos is in use in the installation, the Kerberos realm name would be expected to be different from the SAFDFLT realm name.

Command:
RDEFINE REALM SAFDFLT APPLDATA('racf.winmvs2c')

Defaults: None.
Example 15

Operation: The security administrator with user ID ADMIN1 wants to add a new class to the class descriptor table (CDT) named TSTCLAS8.

Known: The administrator has the SPECIAL attribute.

Command:
RDEFINE CDT TSTCLAS8 UACC(NONE)
CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42)
OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(303) RACLIST(REQUIRED)
SECLABELSREQUIRED(YES))

Note: The dynamic CDT must be built or refreshed to make this change effective. Use the SETROPTS RACLIST(CDT) or the SETROPTS RACLIST(CDT) REFRESH command.

Defaults: AUDIT(FAILURES(READ)) OWNER(ADMIN1) LEVEL(0) CDTINFO(CASE(UPPER)
DEFAULTRC(4) GENLIST(DISALLOWED) KEYQUALIFIERS(0) MACPROCESSING(NORMAL)
OPERATIONS(NO) PROFILESALLOWED(YES) SIGNAL(NO))
Example 16

Operation: The security administrator Rui wants to specify that the identity cache should never store a mapping to a local z/OS user ID when it is provided by an application. The identity cache must always use EIM to find a mapping and it must always reject a store request if it cannot find a mapping.

Known: At Rui's installation, identity mappings in EIM are not changed frequently, so the default MAPPINGTIMEOUT value of 3600 seconds (one hour) is acceptable.

Command:
RDEFINE LDAPBIND IRR.ICTX.DEFAULTS
ICTX(USEMAP(NO) DOMAP(YES) MAPREQUIRED(YES))

Defaults: MAPPINGTIMEOUT defaults to 3600 seconds.
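The three ICTX keywords in Example 16 each answer one question about a store request: whether an application-supplied mapping is trusted (USEMAP), whether EIM is consulted (DOMAP), and whether the request is refused when no mapping results (MAPREQUIRED), with MAPPINGTIMEOUT bounding how long a cached mapping stays valid. The following added example (not RACF or IBM code) models that decision so the effect of Rui's combination can be compared against a permissive one. The EIM registry is a constructed stand-in dictionary and the class and function names are this example's own.

```python
"""Model of the identity-cache store decision under ICTX options.

Added illustration, not RACF code: it reproduces the rules stated for
USEMAP, DOMAP, MAPREQUIRED and MAPPINGTIMEOUT on a toy cache.  The EIM
lookup is a constructed dictionary, not an EIM client.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class IctxOptions:
    usemap: bool               # USEMAP: accept a mapping supplied by the application
    domap: bool                # DOMAP: query EIM for a mapping
    maprequired: bool          # MAPREQUIRED: reject the store if no mapping was found
    mappingtimeout: int = 3600  # seconds a cached mapping stays valid (page default)


# Rui's settings from Example 16: ICTX(USEMAP(NO) DOMAP(YES) MAPREQUIRED(YES)).
RUI_OPTIONS = IctxOptions(usemap=False, domap=True, maprequired=True)

# Constructed stand-in for the EIM registry (distinguished name -> z/OS user ID).
EIM_STUB: Dict[str, str] = {"cn=rui,o=ibm,c=us": "RUI"}


def eim_lookup(distributed_id: str) -> Optional[str]:
    """Toy EIM lookup: returns the mapped user ID or None."""
    return EIM_STUB.get(distributed_id)


@dataclass
class CacheEntry:
    local_user: Optional[str]
    expires_at: float


class IdentityCache:
    def __init__(self, opts: IctxOptions,
                 lookup: Callable[[str], Optional[str]] = eim_lookup) -> None:
        self.opts = opts
        self.lookup = lookup
        self.entries: Dict[str, CacheEntry] = {}

    def store(self, distributed_id: str, app_supplied_user: Optional[str],
              now: float) -> str:
        """Apply the ICTX rules; return 'stored:<user>' or 'rejected:<reason>'."""
        local_user: Optional[str] = None
        # USEMAP(NO): the application's own mapping is ignored entirely.
        if self.opts.usemap and app_supplied_user:
            local_user = app_supplied_user
        # DOMAP(YES): EIM is always consulted when nothing was accepted so far.
        if local_user is None and self.opts.domap:
            local_user = self.lookup(distributed_id)
        # MAPREQUIRED(YES): no mapping means the store request is refused.
        if local_user is None and self.opts.maprequired:
            return "rejected:no-mapping"
        self.entries[distributed_id] = CacheEntry(
            local_user, now + self.opts.mappingtimeout)
        return f"stored:{local_user}"

    def resolve(self, distributed_id: str, now: float) -> Optional[str]:
        """Return the cached local user, dropping entries past MAPPINGTIMEOUT."""
        entry = self.entries.get(distributed_id)
        if entry is None or now >= entry.expires_at:
            self.entries.pop(distributed_id, None)
            return None
        return entry.local_user


if __name__ == "__main__":
    cache = IdentityCache(RUI_OPTIONS)
    print(cache.store("cn=rui,o=ibm,c=us", "APPUSER", now=0.0))
    print(cache.store("cn=nobody,o=ibm,c=us", "APPUSER", now=0.0))
    print(cache.resolve("cn=rui,o=ibm,c=us", now=3600.0))
```

With Rui's options the application-supplied APPUSER is never accepted, the EIM answer RUI is what gets cached, and an identity EIM cannot map is rejected rather than stored unmapped; the same request against a USEMAP(YES) DOMAP(NO) MAPREQUIRED(NO) cache would simply store whatever the application claimed.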
Example 17

Operation: Rui wants to protect a DB2® table owned by ZHAOHUI by defining a general resource called DSN.ZHAOHUI.TABLE.ALTER in the MDSNTB class.

Known: Rui's user ID ADMRUI has the SPECIAL attribute. The installation uses the DB2 RACF access control module (ACM) and the ACM is configured for multiple-subsystem scope.

Command:
RDEFINE MDSNTB DSN.ZHAOHUI.TABLE.ALTER UACC(NONE)

Defaults: OWNER(ADMRUI) LEVEL(0) AUDIT(FAILURES(READ))
Example 18

Operation: User SECADM wants to define a custom field to store employee home addresses in the CSDATA segment of her user profiles. The custom field will be named ADDRESS. It will be a character field and will contain a quoted string.

Known: The user has the SPECIAL attribute. The new custom field is not effective until the system programmer rebuilds the dynamic parse table using the IRRDPI00 UPDATE command.

Command:
RDEFINE CFIELD USER.CSDATA.ADDRESS UACC(NONE)
CFDEF(TYPE(CHAR)
MAXLENGTH(100)
FIRST(ANY)
OTHER(ANY)
HELP('EMPLOYEE''S HOME ADDRESS. SPECIFY UP TO 100 CHARACTERS.')
MIXED(YES)
LISTHEAD('HOME ADDRESS ='))

Defaults: AUDIT(FAILURES(READ)) OWNER(SECADM) LEVEL(0)
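Example 15 (CDTINFO FIRST(ALPHA) OTHER(ALPHA,NUMERIC,SPECIAL) MAXLENGTH(42)) and Example 18 (CFDEF FIRST(ANY) OTHER(ANY) MAXLENGTH(100) MIXED(YES)) use the same family of character rules, the first for resource names in the new class and the second for values stored in the custom field. The following added example (not RACF or IBM code) applies those rules to candidate names and values so an administrator can see which inputs the two definitions would accept. It models only the keyword values that appear in the two examples; the assumptions that ALPHA includes the national characters @ # $ and that SPECIAL is the remaining printable punctuation are the example's own, as are the class and rule names.

```python
"""Check names and values against CDTINFO / CFDEF character rules.

Added illustration, not RACF code.  Only the keyword values used by
Examples 15 and 18 are modelled: FIRST, OTHER, MAXLENGTH and MIXED with
the classes ALPHA, NUMERIC, SPECIAL and ANY.
"""
import string
from dataclasses import dataclass
from typing import FrozenSet, List

# Assumption: ALPHA is A-Z (both cases) plus the national characters @ # $.
ALPHA: FrozenSet[str] = frozenset(string.ascii_letters + "@#$")
NUMERIC: FrozenSet[str] = frozenset(string.digits)
# Assumption: SPECIAL is printable punctuation other than the national
# characters; blanks are never accepted by any class.
SPECIAL: FrozenSet[str] = frozenset(c for c in string.punctuation if c not in "@#$")

CLASSES = {"ALPHA": ALPHA, "NUMERIC": NUMERIC, "SPECIAL": SPECIAL}


def _allowed(ch: str, spec: str) -> bool:
    """True if ch belongs to one of the comma-separated classes in spec (or spec is ANY)."""
    if spec == "ANY":
        return True
    return any(ch in CLASSES[name] for name in spec.split(","))


@dataclass(frozen=True)
class CharRule:
    first: str        # FIRST(...) value, e.g. "ALPHA" or "ANY"
    other: str        # OTHER(...) value, e.g. "ALPHA,NUMERIC,SPECIAL" or "ANY"
    maxlength: int    # MAXLENGTH(...)
    mixed: bool = False  # MIXED(YES) keeps lower case; otherwise fold to upper

    def check(self, value: str) -> List[str]:
        """Return the rule violations for value (an empty list means it is acceptable)."""
        problems: List[str] = []
        text = value if self.mixed else value.upper()
        if not text:
            return ["empty value"]
        if len(text) > self.maxlength:
            problems.append(f"length {len(text)} exceeds MAXLENGTH({self.maxlength})")
        if not _allowed(text[0], self.first):
            problems.append(f"first character {text[0]!r} not in FIRST({self.first})")
        bad = sorted({c for c in text[1:] if not _allowed(c, self.other)})
        if bad:
            problems.append(f"characters {bad} not in OTHER({self.other})")
        return problems


# Example 15: resource names in class TSTCLAS8 (CASE(UPPER) is the page's default).
TSTCLAS8_RULE = CharRule(first="ALPHA", other="ALPHA,NUMERIC,SPECIAL", maxlength=42)

# Example 18: values of the USER.CSDATA.ADDRESS custom field.
ADDRESS_RULE = CharRule(first="ANY", other="ANY", maxlength=100, mixed=True)


if __name__ == "__main__":
    for name in ("MY.RESOURCE-1", "1ABC", "A B", "A" * 43):
        print(f"{name[:12]!r:16} -> {TSTCLAS8_RULE.check(name) or 'ok'}")
    print(ADDRESS_RULE.check("123 Main St, Poughkeepsie NY") or "ok")
```

Note that a resource name such as 1ABC fails FIRST(ALPHA) even though every later character is acceptable, and a name with an embedded blank fails OTHER(...) because no listed class includes blanks; the ADDRESS field, defined with FIRST(ANY) OTHER(ANY), is bounded only by MAXLENGTH(100).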
Example 19

Operation: User SECADM wants to control the XYZLIB64 program and specify that it must be digitally signed before it can be loaded, that the program should fail to load if its digital signature cannot be verified for any reason, and that logging of signature verification events should occur for only failures. The XYZLIB64 program does not require program-accessed data set checking.

Known: The user has the SPECIAL attribute. The XYZLIB64 program is a program object that resides in a partitioned data set extended (PDSE) library named SYS1.XYZ.LOADDLL.

Command:
RDEFINE PROGRAM XYZLIB64 UACC(READ)
ADDMEM('SYS1.XYZ.LOADDLL'//NOPADCHK)
SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) SIGAUDIT(ANYBAD))

Defaults: AUDIT(FAILURES(READ)) OWNER(SECADM) LEVEL(0)