Summary of commands and their functions

RACF® commands allow you to list, modify, add, and delete profiles for users, groups, connect entries, and resources. Table 1 shows, in alphabetic order, each of the commands and its functions.

Table 1. Functions of RACF commands
RACF command	Command functions
ADDGROUP	Define one or more new groups as a subgroup of an existing group. Specify a model data set profile for a group. Add a custom field for a group. Define default DFP information for a group. Define the z/OS UNIX information for a group. Define a group as a universal group.
ADDSD	RACF-protect one or more existing data sets. RACF-define one or more data sets brought from another system where they were RACF-protected. RACF-define generic data set profiles. Create a new data set model profile.
ADDUSER	Define one or more new users and connect the users to their default connect group. Define a password, or a password and password phrase, for one or more users. Specify a model data set profile for a user. Add a custom field for a user. Specify information related to one or more segments, such as the TSO and OMVS segments, of the user profile.
ALTDSD	Change one or more discrete or generic data set profiles. Protect a single volume of a multivolume, non-VSAM DASD data set. Remove protection from a single volume of a multivolume, non-VSAM DASD data set.
ALTGROUP	Change information in one or more group profiles (such as the superior group, owner, or model profile name). Change or delete a custom field for a group. Change or delete the default DFP information for a group. Add, change, or delete information for the z/OS UNIX group.
ALTUSER	Change information in one or more user profiles (such as the owner, universal access authority, or security level). Revoke or reestablish one or more users' privileges to access the system. Specify logging of information about the user, such as the commands the user issues. Change the password or password phrase for one or more users. Add, change, or delete information related to one or more segments, such as the TSO and OMVS segments, of the user profile.
CONNECT	Connect one or more users to a group. Modify one or more users' connection to a group. Revoke or reestablish one or more users' privileges to access the system.
DELDSD	Delete one or more discrete or generic data set profiles. Delete a discrete data set profile for a tape data set, while retaining the data set name in the TVTOC. Remove a data set profile, but leave the data set RACF-indicated, when moving a RACF-protected data set to another system that has RACF.
DELGROUP	Delete one or more groups and their relationship to the superior group.
DELUSER	Delete one or more users and remove all of their connections to RACF groups.
DISPLAY	Display users signed on to a RACF subsystem.
HELP	Display the function and proper syntax of RACF commands.
LISTDSD	List the details of one or more discrete or generic data set profiles, including the users and groups authorized to access the data sets. Determine the most specific matching generic profile for a data set. Perform a local refresh of generic DATASET profiles.
LISTGRP	List the details of one or more group profiles, including the users connected to the group. List only the information contained in a specific segment (for example, OMVS or CSDATA) of the group profile. Display limited information if the group is a UNIVERSAL group.
LISTUSER	List the details of one or more user profiles, including all of the groups to which each user is connected. List only the information contained in a specific segment (for example, OMVS or CSDATA) of the user profile.
PASSWORD or PHRASE	Change your own user password or password phrase. Change one or more users' change interval for passwords and password phrases. Reset one or more user passwords to their default values.
PERMIT	Give or remove authority to access a resource to specific users or groups. Change the level of access authority to a resource for specific users or groups. Copy the list of authorized users from one resource profile to another. Delete an existing access list.
RACDCERT	List information about the certificates for a specified RACF-defined user ID, or your own user ID. Add a certificate and associate it with a specified RACF-defined user ID, or your own user ID, and set the TRUST status. Check to see if a certificate has been defined to RACF. Alter the TRUST status or label for a certificate. Delete a certificate. List a certificate contained in a data set and determine if it is associated with a RACF-defined user ID. Add or remove a certificate from a key ring. Create, delete, or list a key ring. Generate a public/private key pair and certificate, replicate a digital certificate with a new public/private key pair, or retire the use of an existing private key. Write (export) a certificate or certificate package to a data set. Create a certificate request. Create, alter, delete, or list a certificate name filter (user ID mapping). Add, delete, or list a z/OS® PKCS #11 token. Bind a certificate to a z/OS PKCS #11 token. Remove (unbind) a certificate from a z/OS PKCS #11 token. Import a certificate (with its private key, if present) from a z/OS PKCS #11 token and add it to RACF.
RACLINK	Define, approve, and delete (undefine) a user ID association. List information related to a user ID association. Establish password synchronization between user IDs.
RACMAP	Create an association between a distributed user identity and a RACF user ID. Define, delete, list, and query a distributed identity filter.
RACPRIV	List, activate, and inactivate the user's write-down setting. Reset the user's write-down setting to the installation-defined default.
RALTER	Change the discrete or generic profiles for one or more resources whose class is defined in the class descriptor table. Define, change, or delete attributes for classes in the dynamic class descriptor table. Maintain the global access checking table. Maintain security categories and security levels. Define, change, or delete information related to one or more segments of a general resource profile.
RDEFINE	RACF-protect by a discrete or generic profile any resource whose class is defined in the class descriptor table. Define attributes for classes in the dynamic class descriptor table. Define entries in the global access checking table. Define security categories and security levels. Define information related to one or more segments of a general resource profile.
RDELETE	Remove RACF-protection from one or more resources whose class is defined in the class descriptor table. Delete the global access checking tables. Delete the security category and security level tables. Delete a class from the list of classes for which RACF saves RACLISTed results on the RACF database.
REMOVE	Remove one or more users from a group and assign a new owner for any group data sets owned by the users.
RESTART	Restart a function in the RACF subsystem address space. Restart the connection to a specific member system on a multisystem node.
RLIST	List the details of discrete or generic profiles for one or more resources whose class is defined in the class descriptor table. List the contents of one or more segments of a general resource profile. Perform a local refresh of generic general resource profiles.
RVARY	Dynamically deactivate and reactivate the RACF function. Dynamically deactivate and reactivate the RACF primary and backup database. Switch the primary and backup RACF databases. Deactivate resource protection, for any resource whose class is defined in the class descriptor table, while RACF is deactivated. Select operational mode when RACF is enabled for sysplex communication.
SEARCH	Obtain a list of RACF profile names that meet the search criteria for a class of, resources, users, or groups. These profile names can then be displayed on your terminal. Profile names that contain a specific character string Profiles for resources that have not been referenced for more than a specific number of days Profiles that RACF recognizes as model profiles Data set and general resource profiles that contain a level equal to or greater than the level you specify User and resource profiles that contain a security label that matches the security label you specify. User and resource profiles that contain a security level that matches the security level that you specify User and resource profiles that contain an access category that matches the access category that you specify. User profiles that contain an OMVS UID equal to the UID you specify. Group profiles that contain an OMVS GID equal to the GID you specify. Profiles for tape volumes that contain only data sets with an expiration date that matches the criteria you specify. Profiles for data sets that reside on specific volumes (or VSAM data sets that are cataloged in catalogs on specific volumes). Profiles for tape data sets, non-VSAM DASD data sets, or VSAM data sets. Format the selected profile names with specific character strings into a series of commands or messages and retain them in a CLIST data set. Create a CLIST of the RACF profile names that meet a search criteria for a class of resources.
SET	List information related to RACF remote sharing facility (RRSF) on the local node. List the value for the template version following the FMID/APAR value. Specify the name of a member of the RACF parameter library to be processed by RACF. Enable and disable tracing for specified events. Specify options for automatic command direction. Improve performance of generic profiles by specifying GENERICANCHOR options.
SETROPTS	Dynamically set system-wide options relating to resource protection, specifically: Choose the resource classes that RACF is to protect. Gather and display RACF statistics. Set the universal access authority (UACC) for terminals. Specify logging of certain RACF commands and events. Permit list-of-groups access checking. Display options currently in effect. Enable or disable generic profile checking on a class-by-class basis. Control user password syntax rules. Activate checking for previous passwords and password phrases. Limit unsuccessful attempts to access the system using incorrect passwords and password phrases. Control maximum and minimum change intervals for passwords and password phrases. Control mixed-case passwords. Warn of password expiration. Control global access checking for selected individual resources or generic names with selected generalized access rules. Set the passwords for authorizing use of the RVARY command. Initiate® refreshing of in-storage generic profile lists and global access checking tables. Enable or disable shared generic profiles for general resources in common storage. Enable or disable shared profiles through RACLIST processing for general resources. Activate or deactivate auditing of access attempts to RACF-protected resources based on installation-defined security levels. Activate enhanced generic naming. Control the use of automatic data set protection (ADSP). Activate profile modeling for GDG, group, and user data sets. Activate protection for data sets with single-level names. Control logging of real data set names. Control the job entry subsystem (JES) options. Activate tape data set protection. Control whether or not data sets must be RACF-protected. Control the erasure of scratched DASD data sets. Activate program control. Control whether a profile creator's user ID is automatically added to the profile's access list. Make the name of the local RACF registry available to EIM services. Control use of the dynamic class descriptor table. Control multilevel security options.
SIGNOFF	Sign off users from a RACF subsystem.
STOP	Stop the RACF subsystem address space.
TARGET	List the operational and network protocol attributes of one or more RRSF nodes. Add or modify an RRSF node. Convert a remote RRSF node from one network protocol to another. Add a network protocol or modify protocol attributes for an RRSF node. Activate or inactivate an RRSF node or a protocol instance for an RRSF node. Specify a prefix and other attributes for the workspace data sets allocated and used by each RRSF node. Purge a workspace data set for an RRSF node. Delete an RRSF node or a protocol instance for an RRSF node.