z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Steps for changing a dynamic class to disallow generic profiles

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

Before you begin:
  • Determine if the dynamic class that you want to change to GENERIC(DISALLOWED) shares a POSIT value with other classes. If so, determine if the other classes sharing the POSIT value also have GENERIC(DISALLOWED). (See Rules about disallowing generics when sharing a POSIT value.)
  • Do not perform these steps if other classes sharing the POSIT value have GENERIC(ALLOWED) and you do not want to change those classes. Instead, first change this class to a unique POSIT value or to a POSIT value shared with classes that have GENERIC(DISALLOWED).
Perform the following steps to change an existing dynamic class called HORSES8 from GENERIC(ALLOWED) to GENERIC(DISALLOWED).
  1. Delete all generic profiles in the HORSES8 class. To do this:
    1. Execute the SEARCH command to create a CLIST containing a command to delete each generic profile in the class. 
      SEARCH CLASS(HORSES8) GENERIC CLIST('RDELETE HORSES8 ')
    2. Execute the CLIST.
      EXEC EXEC.RACF.CLIST LIST
    3. Verify that no generic profiles remain in the class.
      SEARCH CLASS(HORSES8) GENERIC

    ______________________________________________________________________

  2. If the class shares a POSIT value, repeat Step 1 for each class sharing the POSIT value.

    ______________________________________________________________________

  3. Deactivate generic processing for the HORSES8 class.
    SETROPTS NOGENERIC(HORSES8) NOGENCMD(HORSES8)
    If your class shares a POSIT value with other active classes, this command deactivates generic processing for those classes as well.

    ______________________________________________________________________

  4. Alter the HORSES8 class to prevent generic profiles.
    RALTER CDT HORSES8 CDTINFO(GENERIC(DISALLOWED))

    ______________________________________________________________________

  5. If the class shares a POSIT value, repeat Step 4 for each class sharing the POSIT value.

    ______________________________________________________________________

  6. Refresh the in-storage profiles for the CDT class.
    SETROPTS RACLIST(CDT) REFRESH

    ______________________________________________________________________

When you finish, you have changed an existing dynamic class, and all classes sharing its POSIT value, from GENERIC(ALLOWED) to GENERIC(DISALLOWED). You have also deleted all generic profiles from all classes sharing the POSIT value.
Parent topic: Defining a dynamic class with generics disallowed

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014