Purpose
Use the RDELETE command to delete RACF® resources belonging to classes specified in the class descriptor table. This command removes the profile for the resource from the RACF database.

To have changes take effect after deleting a generic profile, if the class is not RACLISTed by either the SETROPTS RACLIST or RACROUTE REQUEST=LIST,GLOBAL=YES, one of the following steps is required:

To have changes take effect after deleting a generic profile if the class is RACLISTed, the security administrator issues the following command:

    SETROPTS RACLIST(class-name) REFRESH

For more information, refer to z/OS Security Server RACF Security Administrator's Guide.
Issuing options
The following table identifies the eligible options for issuing the RDELETE command:

| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands. For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To remove RACF protection from a resource in a class specified in the class descriptor table, you must have sufficient authority over the resource, so that one of the following conditions is met:
- You have the SPECIAL attribute.
- The resource profile is within the scope of a group in which you
have the group-SPECIAL attribute.
- You are the owner of the resource.
- If the profile is in the FILE or DIRECTRY class, the second qualifier
of the profile name is your user ID.
- For a discrete profile, you are on the access list for the resource
and you have ALTER authority. (If you have any other level of authority,
you cannot use the command for this resource.)
- For a discrete profile, your current connect group (or, if list-of-groups
checking is active, any group to which you are connected) is in the
access list and has ALTER authority.
- For a discrete profile, the universal access authority for the
resource is ALTER.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class, and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword, you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
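The conditions listed above, together with the AT and ONLYAT requirements, amount to a small decision procedure. The following Python model is an added illustration written for this page; it is not IBM or RACF code. The User and Profile records, the functions may_rdelete, may_use_at and may_use_onlyat, and the way user ID associations and RRSFDATA access are represented are assumptions made for the example, and the sample users and profiles in the demo are constructed.

```python
from dataclasses import dataclass, field

# Added illustration of the documented RDELETE authorization rules.
# Not IBM code: User, Profile and every function below are assumptions
# made for this example, not RACF data structures or APIs.

ACCESS_ORDER = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")


def at_least(authority, required):
    """True if authority equals required or is a higher level in the RACF hierarchy."""
    return ACCESS_ORDER.index(authority or "NONE") >= ACCESS_ORDER.index(required)


@dataclass
class User:
    userid: str
    special: bool = False
    group_special: frozenset = frozenset()        # groups where the user holds group-SPECIAL
    current_group: str = ""                       # current connect group
    connect_groups: frozenset = frozenset()       # all connect groups (list-of-groups checking)
    rrsfdata: dict = field(default_factory=dict)  # 'DIRECT.node' -> authority in RRSFDATA


@dataclass
class Profile:
    class_name: str
    name: str
    owner: str
    generic: bool
    scope_groups: frozenset = frozenset()            # groups whose scope covers the profile
    access_list: dict = field(default_factory=dict)  # user or group ID -> authority
    uacc: str = "NONE"


def may_rdelete(user, profile, list_of_groups=False):
    """Return True if one of the documented conditions for RDELETE is met."""
    if user.special:
        return True
    if user.group_special & profile.scope_groups:
        return True
    if profile.owner == user.userid:
        return True
    if profile.class_name in ("FILE", "DIRECTRY"):
        qualifiers = profile.name.split(".")
        if len(qualifiers) > 1 and qualifiers[1] == user.userid:
            return True
    if profile.generic:
        return False  # the access-list and UACC conditions apply only to discrete profiles
    if user.userid in profile.access_list:
        # On the access list with any authority other than ALTER: the command is not usable.
        return profile.access_list[user.userid] == "ALTER"
    groups = user.connect_groups if list_of_groups else frozenset({user.current_group})
    if any(profile.access_list.get(g) == "ALTER" for g in groups):
        return True
    return profile.uacc == "ALTER"


def may_use_at(user, targets, associations):
    """AT: READ to DIRECT.node in RRSFDATA and an established association for each pair.
    targets and associations are collections of (node, userid) tuples (assumed shape)."""
    for node, userid in targets:
        if not at_least(user.rrsfdata.get(f"DIRECT.{node}"), "READ"):
            return False
        if (node, userid) not in associations:
            return False
    return True


def may_use_onlyat(user, targets, special_users, associations):
    """ONLYAT: issuer and target userid both SPECIAL; association needed unless the IDs match."""
    if not user.special:
        return False
    for node, userid in targets:
        if (node, userid) not in special_users:
            return False
        if userid != user.userid and (node, userid) not in associations:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a user whose connect group G2 holds ALTER on a discrete profile.
    u1 = User("U1", current_group="G1", connect_groups=frozenset({"G1", "G2"}))
    t1 = Profile("TERMINAL", "T1", owner="SYS1", generic=False, access_list={"G2": "ALTER"})
    print("without list-of-groups:", may_rdelete(u1, t1))
    print("with list-of-groups:   ", may_rdelete(u1, t1, list_of_groups=True))
```

The demo shows the list-of-groups distinction: G2 grants ALTER, but it only counts when list-of-groups checking is active, because otherwise only the current connect group G1 is examined.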
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RDELETE command is:

    [subsystem-prefix]{RDELETE | RDEL}
    class-name
    (profile-name …)
    [ AT([node].userid …) | ONLYAT([node].userid …) ]
    [ NOGENERIC ]
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

  Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- class-name
- Specifies the name of the class to which the resource belongs. Valid class names are those specified in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.

  Restrictions:
- This operand is required and must be the first operand following RDELETE.
- This command is not intended to be used for profiles in the following classes:
- DCEUUIDS
- DIGTCERT
- DIGTRING
- IDIDMAP
- NDSLINK
- NOTELINK
- TMEADMIN
- UNIXMAP
- (profile-name …)
- Specifies the name of the existing discrete or generic profile RACF is to delete from the specified class. RACF deletes the profile for any resource you name by deleting it from the RACF database. RACF uses the class descriptor table to determine if the class is defined to RACF, the syntax of resource names within the class, and whether the resource is a group.

  This operand is required and must be the second operand following RDELETE.

  If you specify more than one value for profile-name, you must enclose the list of names in parentheses.

  Mixed-case profile names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).

  If you specify the class-name as CACHECLS, profile-name can be either cachename_ddd_nnnnn or cachename. Profiles in the CACHECLS class hold the contents of a cache in profiles each containing 50K pieces of the cache. The profiles are named cachename_001_00001, cachename_001_00002, and so forth, for as many profiles as are needed to hold the contents of the cache, where cachename was the Cache_name given as input on the R_cacheserv callable service. RDELETE command processing for these profiles should only be used to correct an error condition, and is expected to be used in response to an IRRL100xI message that was issued in response to invocation of the R_cacheserv SAF callable service. If for some reason you want to delete the entire cache contents (perhaps because you do not want the contents used for authorization right after an IPL), you can delete all of the cachename_ddd_nnnnn profiles as well as the base profile by specifying just the cachename on the RDELETE.

  If you specify class-name as a resource grouping class, you cannot specify a generic profile.

  Note:
  - If the resource you specify is a tape volume serial number that is a member of a tape volume set, RACF deletes the definitions for all of the volumes in the set.
  - RACF processes each resource you specify independently. If an error occurs while it is processing a resource, RACF issues a message and continues processing with the next resource.
  - You can use RDELETE to remove the profiles for a class defined to RACGLIST. For example, RDELETE RACGLIST TCICSTRN would remove the TCICSTRN base profile and any RACF-created TCICSTRN_nnnnn profiles from the RACGLIST class. If you want to stop using RACGLIST for a particular class, issue the command RDELETE RACGLIST class-name. Do not delete specific RACF-created profiles unless RDELETE RACGLIST class-name was issued and failed to remove the profiles.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
- AT([node].userid …)
- Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

  If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid …)
- Specifies that the command is to be directed only to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

  If node is not specified, the command is directed only to the local node.
- NOGENERIC
- Specifies that RACF is to delete the specified profile only if it is a discrete profile. If a generic profile exists with the same name, it is not deleted.
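The operand rules in this section (class-name first, profile list parenthesized when more than one name is given, the classes the command is not intended for, no generic profile for a resource grouping class, AT and ONLYAT only as a TSO command, subsystem prefix only as an operator command, and the CACHECLS cachename_ddd_nnnnn naming) can be checked before a command is submitted. The following Python builder is an added example written for this page, not IBM code and not a RACF API; build_rdelete, cachecls_base_name, is_generic and the error texts are assumptions made here. Two simplifications are also assumptions: a name is treated as generic when it contains * or %, and names are folded to upper case unless the class is flagged CASE=ASIS.

```python
import re

# Added illustration, not IBM code. The function names, the error texts and
# the two simplifications noted below are assumptions made for this example.

# Classes this reference says RDELETE is not intended to be used for.
NOT_INTENDED_CLASSES = frozenset({
    "DCEUUIDS", "DIGTCERT", "DIGTRING", "IDIDMAP",
    "NDSLINK", "NOTELINK", "TMEADMIN", "UNIXMAP",
})

# Simplified generic test (assumption): '*' or '%' anywhere in the name.
GENERIC_CHARS = re.compile(r"[*%]")

# CACHECLS piece profiles are named cachename_ddd_nnnnn.
CACHECLS_SUFFIX = re.compile(r"_\d{3}_\d{5}$")


def is_generic(profile_name):
    return GENERIC_CHARS.search(profile_name) is not None


def cachecls_base_name(profile_name):
    """Strip a _ddd_nnnnn suffix: RDELETE CACHECLS cachename removes the base
    profile and every numbered piece in one command."""
    return CACHECLS_SUFFIX.sub("", profile_name)


def build_rdelete(class_name, profiles, *, issued_as="TSO", subsystem_prefix=None,
                  at=(), onlyat=(), nogeneric=False, grouping_class=False,
                  case_asis=False, short_form=False):
    """Return the RDELETE command text, or raise ValueError naming the rule broken.
    at / onlyat are sequences of (node, userid) tuples; node may be '' for the local node."""
    if issued_as not in ("TSO", "OPERATOR"):
        raise ValueError("issued_as must be 'TSO' or 'OPERATOR'")
    if not class_name:
        raise ValueError("class-name is required and must be the first operand")
    if not profiles:
        raise ValueError("at least one profile-name is required as the second operand")
    class_name = class_name.upper()
    if class_name in NOT_INTENDED_CLASSES:
        raise ValueError(f"RDELETE is not intended for profiles in the {class_name} class")
    if not case_asis:
        # Assumption: names are folded to upper case unless the class is CASE=ASIS.
        profiles = [p.upper() for p in profiles]
    if grouping_class and any(is_generic(p) for p in profiles):
        raise ValueError("a generic profile cannot be specified for a resource grouping class")
    if at and onlyat:
        raise ValueError("AT and ONLYAT are alternatives; specify only one")
    if (at or onlyat) and issued_as != "TSO":
        raise ValueError("AT and ONLYAT are valid only when issued as a RACF TSO command")
    if issued_as == "OPERATOR" and not subsystem_prefix:
        raise ValueError("the subsystem prefix is required for a RACF operator command")
    if issued_as == "TSO" and subsystem_prefix:
        raise ValueError("specify the subsystem prefix only for a RACF operator command")

    verb = "RDEL" if short_form else "RDELETE"
    parts = [f"{subsystem_prefix or ''}{verb}", class_name]
    # More than one profile name must be enclosed in parentheses.
    parts.append(profiles[0] if len(profiles) == 1 else "(" + " ".join(profiles) + ")")
    for keyword, targets in (("AT", at), ("ONLYAT", onlyat)):
        if targets:
            # [node].userid: an omitted node leaves the leading dot (local node).
            pairs = " ".join(f"{node}.{userid}" for node, userid in targets)
            parts.append(f"{keyword}({pairs})")
    if nogeneric:
        parts.append("NOGENERIC")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs that reproduce the commands shown in this reference's examples.
    print(build_rdelete("TERMINAL", ["TERM*"]))
    print(build_rdelete("TAPEVOL", ["VOL001"], issued_as="OPERATOR", subsystem_prefix="@"))
    print(build_rdelete("RACGLIST", ["TERMINAL"], onlyat=[("MVSFL", "JCARTER")]))
    print(cachecls_base_name("MYCACHE_001_00002"))
```

The builder refuses, rather than silently reshaping, anything the reference rules out: it does not drop AT when the command is issued as an operator command, and it does not strip the subsystem prefix from a TSO command, since both indicate the caller has misunderstood which environment the command will run in.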
Examples

Example 1
- Operation: User ADM2 wants to remove RACF protection from the terminals protected by the generic profile TERM*.
- Known: User ADM2 has the SPECIAL attribute. User ADM2 wants to issue the command as a RACF TSO command.
- Command: RDELETE TERMINAL TERM*
- Defaults: None.

Example 2
- Operation: User JHT01 wants to remove RACF protection from the tape volume set VOL001.
- Known: User JHT01 has the SPECIAL attribute. User JHT01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
- Command: @RDELETE TAPEVOL VOL001
- Defaults: None.

Example 3
- Operation: User ADM1 wants to remove the generic profile T* from the TIMS class.
- Known: User ADM1 has the SPECIAL attribute. User ADM1 wants to issue the command as a RACF TSO command.
- Command: RDELETE TIMS T*
- Defaults: None.

Example 4
- Operation: User ADM1 wants to delete the TERMINAL profiles in the RACGLIST class from the RACF database and stop using RACGLIST processing with the TERMINAL class. User ADM1 wants to direct the command to run at the node MVSFL under the authority of user JCARTER and prohibit the command from being automatically directed to other nodes.
- Known: Users ADM1 and JCARTER at MVSFL have the SPECIAL attribute. Users ADM1 and JCARTER at MVSFL have an already established user ID association. User ADM1 wants to issue the command as a RACF TSO command.
- Command: RDELETE RACGLIST TERMINAL ONLYAT(MVSFL.JCARTER)
- Results: The command is only run at node MVSFL and not automatically directed to any other nodes in the RRSF configuration.