z/OS Security Server RACF Command Language Reference


RDELETE (Delete general resource profile)

SA23-2292-00

Purpose

Use the RDELETE command to delete RACF® resources belonging to classes specified in the class descriptor table.

This command removes the profile for the resource from the RACF database.

To have changes take effect after deleting a generic profile, if the class is not RACLISTed by either the SETROPTS RACLIST or RACROUTE REQUEST=LIST,GLOBAL=YES, one of the following steps is required:
  • The security administrator issues the SETROPTS command:
    SETROPTS GENERIC(class-name) REFRESH
    See the SETROPTS command for authorization requirements.
  • The user of the resource logs off and logs on again.
To have changes take effect after deleting a generic profile if the class is RACLISTed, the security administrator issues the following command:
SETROPTS RACLIST(class-name) REFRESH

For more information, refer to z/OS Security Server RACF Security Administrator's Guide.

Issuing options

The following table identifies the eligible options for issuing the RDELETE command:

As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library?
Yes | Yes | Yes | Yes | Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To remove RACF protection from a resource in a class specified in the class descriptor table, you must have sufficient authority over the resource, so that one of the following conditions is met:
  • You have the SPECIAL attribute.
  • The resource profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • You are the owner of the resource.
  • If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.
  • For a discrete profile, you are on the access list for the resource and you have ALTER authority. (If you have any other level of authority, you cannot use the command for this resource.)
  • For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list and has ALTER authority.
  • For a discrete profile, the universal access authority for the resource is ALTER.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RDELETE command is:

   
[subsystem-prefix]{RDELETE | RDEL}
  class-name
  (profile-name …)
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ NOGENERIC ]

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

class-name
Specifies the name of the class to which the resource belongs. Valid class names are those specified in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.
Restrictions:
  • This operand is required and must be the first operand following RDELETE.
  • This command is not intended to be used for profiles in the following classes:
    • DCEUUIDS
    • DIGTCERT
    • DIGTRING
    • IDIDMAP
    • NDSLINK
    • NOTELINK
    • TMEADMIN
    • UNIXMAP
(profile-name …)
Specifies the name of the existing discrete or generic profile RACF is to delete from the specified class. RACF deletes the profile for any resource you name by deleting it from the RACF database. RACF uses the class descriptor table to determine if the class is defined to RACF, the syntax of resource names within the class, and whether the resource is a group.

This operand is required and must be the second operand following RDELETE.

If you specify more than one value for profile-name, you must enclose the list of names in parentheses.

Mixed-case profile names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).

If you specify the class-name as CACHECLS, profile-name can either be cachename_ddd_nnnnn or cachename.

Profiles in the CACHECLS class hold the contents of a cache in profiles each containing 50K pieces of the cache. The profiles are named cachename_001_00001, cachename_001_00002 and so forth, for as many profiles as are needed to hold the contents of the cache, where cachename was the Cache_name given as input on the R_cacheserv callable service. RDELETE command processing for these profiles should only be used to correct an error condition, and is expected to be used in response to an IRRL100xI message that was issued in response to invocation of the R_cacheserv SAF callable service. If, for some reason, you want to delete the entire cache contents (perhaps because you do not want the contents used for authorization right after an IPL), you can delete all of the cachename_ddd_nnnnn profiles as well as the base profile by specifying just the cachename on the RDELETE command.

If you specify class-name as a resource grouping class, you cannot specify a generic profile.

Note:
  1. If the resource you specify is a tape volume serial number that is a member of a tape volume set, RACF deletes the definitions for all of the volumes in the set.
  2. RACF processes each resource you specify independently. If an error occurs while it is processing a resource, RACF issues a message and continues processing with the next resource.
  3. You can use RDELETE to remove the profiles for a class defined to RACGLIST. For example, RDELETE RACGLIST TCICSTRN would remove the TCICSTRN base profile and any RACF-created TCICSTRN_nnnnn profiles from the RACGLIST class. If you want to stop using RACGLIST for a particular class, issue the command RDELETE RACGLIST class-name. Do not delete specific RACF-created profiles unless RDELETE RACGLIST class-name was issued and failed to remove the profiles.
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

NOGENERIC
Specifies that RACF is to delete the specified profile only if it is a discrete profile. If a generic profile exists with the same name, it is not deleted.

Examples

Example 1
  Operation: User ADM2 wants to remove RACF protection from the terminals protected by the generic profile TERM*.
  Known: User ADM2 has the SPECIAL attribute. User ADM2 wants to issue the command as a RACF TSO command.
  Command: RDELETE TERMINAL TERM*
  Defaults: None.

Example 2
  Operation: User JHT01 wants to remove RACF protection from the tape volume set VOL001.
  Known: User JHT01 has the SPECIAL attribute. User JHT01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
  Command: @RDELETE TAPEVOL VOL001
  Defaults: None.

Example 3
  Operation: User ADM1 wants to remove the generic profile T* from the TIMS class.
  Known: User ADM1 has the SPECIAL attribute. User ADM1 wants to issue the command as a RACF TSO command.
  Command: RDELETE TIMS T*
  Defaults: None.

Example 4
  Operation: User ADM1 wants to delete the TERMINAL profiles in the RACGLIST class from the RACF database and stop using RACGLIST processing with the TERMINAL class. User ADM1 wants to direct the command to run at the node MVSFL under the authority of user JCARTER and prohibit the command from being automatically directed to other nodes.
  Known: Users ADM1 and JCARTER at MVSFL have the SPECIAL attribute. Users ADM1 and JCARTER at MVSFL have an already established user ID association. User ADM1 wants to issue the command as a RACF TSO command.
  Command: RDELETE RACGLIST TERMINAL ONLYAT(MVSFL.JCARTER)
  Results: The command is only run at node MVSFL and not automatically directed to any other nodes in the RRSF configuration.
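
A pre-flight check for RDELETE commands queued in a change script, as an added example (not IBM's code): it applies the operand rules, the class restrictions and the refresh steps described on this page. The function name, its operator and raclisted flags, and the heuristic that a name containing * or % is a generic profile are assumptions of this example.

```python
import re

# Classes the page lists as not intended for RDELETE.
NOT_INTENDED = {"DCEUUIDS", "DIGTCERT", "DIGTRING", "IDIDMAP",
                "NDSLINK", "NOTELINK", "TMEADMIN", "UNIXMAP"}
VERBS = ("RDELETE", "RDEL")

def check_rdelete(cmd, operator=False, raclisted=False):
    """Return (findings, follow_up) for one RDELETE command string.
    operator:  the command will be issued as a RACF operator command.
    raclisted: the class is RACLISTed (supplied by the caller, not detected).
    """
    findings, follow_up = [], None
    # A token is a bare word or a (possibly keyword-prefixed) parenthesised list.
    tokens = re.findall(r"[^\s()]*\([^)]*\)|[^\s()]+", cmd.strip())
    # "subsystem-name RDELETE ...": fold the name into the verb token.
    if len(tokens) > 1 and tokens[1].upper() in VERBS:
        tokens[:2] = [tokens[0] + tokens[1]]
    head = tokens[0].upper() if tokens else ""
    verb = next((v for v in VERBS if head.endswith(v)), None)
    if verb is None or len(tokens) < 3:
        return ["expected: RDELETE class-name profile-name"], None
    prefix = head[:-len(verb)]
    if operator and not prefix:
        findings.append("operator command requires the subsystem prefix")
    if prefix and not operator:
        findings.append("subsystem prefix is only for operator commands")
    cls, prof = tokens[1].upper(), tokens[2]
    opts = [t.upper() for t in tokens[3:]]
    if cls in NOT_INTENDED:
        findings.append(f"RDELETE is not intended for class {cls}")
    directed = [o for o in opts if o.startswith(("AT(", "ONLYAT("))]
    for o in opts:
        if o != "NOGENERIC" and o not in directed:
            findings.append(f"unexpected operand {o}: put a list of "
                            "profile names in parentheses")
    if len(directed) > 1:
        findings.append("AT and ONLYAT are alternatives")
    if directed and operator:
        findings.append("AT/ONLYAT are valid only as a RACF TSO command")
    # Heuristic (assumption): a name containing * or % is a generic profile.
    generic = any(c in prof for c in "*%")
    if generic and "NOGENERIC" not in opts:
        kind = "RACLIST" if raclisted else "GENERIC"
        follow_up = f"SETROPTS {kind}({cls}) REFRESH"
    return findings, follow_up
```

A generic profile can be defined without generic characters, so an empty follow_up does not prove that no refresh is needed; confirm the profile type before relying on it.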





Copyright IBM Corporation 1990, 2014