z/OS Security Server RACF Security Administrator's Guide


Controlling automatic direction of commands

SA23-2289-00

Profiles in the RRSFDATA class control which commands are automatically directed to which nodes. The resource name format is:
    AUTODIRECT.target-node.classname.command-name
where:
target-node
    Is the remote node where the command is to be directed.
classname
    Is the class name associated with the command issued. The class name can be USER, GROUP, DATASET, or any general resource class defined in the class descriptor table (CDT).
command-name
    Is the name of the command issued.
The use of these profiles provides security for automatic command direction. An authorization check is made against these resource names to determine if the user is allowed to automatically direct the specified command. The command is directed to the remote node if:
  • The RRSFDATA class has been activated.
  • SET AUTODIRECT is in effect.
  • There is a profile for the resource name associated with the command.
  • The command issuer has at least READ access to that resource.
Table 1 lists the resource name for each RACF® command that can be used with automatic command direction.
Table 1. Automatic command direction: Resource names
Command                   Class                                  Resource name
------------------------  -------------------------------------  ------------------------------------------
ADDUSER or AU             USER                                   AUTODIRECT.target-node.USER.ADDUSER
ALTUSER or ALU            USER                                   AUTODIRECT.target-node.USER.ALTUSER
CONNECT or CO             USER                                   AUTODIRECT.target-node.USER.CONNECT
DELUSER or DU             USER                                   AUTODIRECT.target-node.USER.DELUSER
PASSWORD or PW or PHRASE  USER                                   AUTODIRECT.target-node.USER.PASSWORD
REMOVE or RE              USER                                   AUTODIRECT.target-node.USER.REMOVE
ADDGROUP or AG            GROUP                                  AUTODIRECT.target-node.GROUP.ADDGROUP
ALTGROUP or ALG           GROUP                                  AUTODIRECT.target-node.GROUP.ALTGROUP
DELGROUP or DG            GROUP                                  AUTODIRECT.target-node.GROUP.DELGROUP
ADDSD or AD               DATASET                                AUTODIRECT.target-node.DATASET.ADDSD
ALTDSD or ALD             DATASET                                AUTODIRECT.target-node.DATASET.ALTDSD
DELDSD or DD              DATASET                                AUTODIRECT.target-node.DATASET.DELDSD
PERMIT or PE              any general resource class or DATASET  AUTODIRECT.target-node.classname.PERMIT
RALTER or RALT            any general resource class             AUTODIRECT.target-node.classname.RALTER
RDEFINE or RDEF           any general resource class             AUTODIRECT.target-node.classname.RDEFINE
RDELETE or RDEL           any general resource class             AUTODIRECT.target-node.classname.RDELETE
SETROPTS or SETR          none (use RACF)                        AUTODIRECT.target-node.RACF.SETROPTS
Note:
  1. To activate automatic command direction, issue the SET AUTODIRECT command. See Automatic direction and z/OS Security Server RACF Command Language Reference for more information.
  2. Automatic command direction occurs only at the command level. You cannot direct a command operand or segment information for a command. For example, if you direct the ADDUSER command, you direct all ADDUSER commands, including the TSO, DFP, and OPERPARM segment information. You cannot specify automatic command direction for only the TSO segment information in the ADDUSER command.
  3. You can use generic profiles to define these profiles. No commands will be directed if the RRSFDATA class is inactive or if no RRSFDATA profiles that protect AUTODIRECT exist.
  4. These profiles are only checked on the node where the command was issued. Once the command is directed to another node, no authorization check is made against these profiles on the receiving node.
  5. Profiles for turning on automatic direction of passwords and application updates are similar. Therefore, using * for the command names will turn on these functions, too.
  6. If your installation renames any RACF TSO commands, they are still protected under the resource names shown in Table 1. For example, if you renamed ADDGROUP as ADDBUNCH, RACF would still use AUTODIRECT.target-node.GROUP.ADDGROUP as the resource name.
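
The following Python model is an added example, not taken from the IBM guide: it builds the Table 1 resource name for an issued command and applies the four conditions listed above, so a set of RRSFDATA profiles can be reviewed offline, including the generic command-name case in note 5. The node names, user IDs and profile data are constructed, and the generic matching, profile selection and access-list handling are simplifying assumptions marked in the comments.

```python
import re

# Table 1: full command name -> class qualifier (None = class named on the command).
TABLE1 = {"ADDUSER": "USER", "ALTUSER": "USER", "CONNECT": "USER", "DELUSER": "USER",
          "PASSWORD": "USER", "REMOVE": "USER", "ADDGROUP": "GROUP",
          "ALTGROUP": "GROUP", "DELGROUP": "GROUP", "ADDSD": "DATASET",
          "ALTDSD": "DATASET", "DELDSD": "DATASET", "PERMIT": None, "RALTER": None,
          "RDEFINE": None, "RDELETE": None, "SETROPTS": "RACF"}
ALIASES = {"AU": "ADDUSER", "ALU": "ALTUSER", "CO": "CONNECT", "DU": "DELUSER",
           "PW": "PASSWORD", "PHRASE": "PASSWORD", "RE": "REMOVE", "AG": "ADDGROUP",
           "ALG": "ALTGROUP", "DG": "DELGROUP", "AD": "ADDSD", "ALD": "ALTDSD",
           "DD": "DELDSD", "PE": "PERMIT", "RALT": "RALTER", "RDEF": "RDEFINE",
           "RDEL": "RDELETE", "SETR": "SETROPTS"}
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def resource_name(node, command, classname=None):
    """Build the RRSFDATA resource name Table 1 gives for an issued command."""
    cmd = ALIASES.get(command.upper(), command.upper())
    cls = TABLE1[cmd] or classname      # KeyError: command is not listed in Table 1
    if cls is None:
        raise ValueError(f"{cmd} needs the class named on the command")
    return f"AUTODIRECT.{node}.{cls}.{cmd}".upper()

def covers(profile, resource):
    """Simplified generic match: '*' is one whole qualifier, '**' any number of them."""
    rx = {"*": r"\.[^.]+", "**": r"(\.[^.]+)*"}
    pattern = "".join(rx.get(q, r"\." + re.escape(q)) for q in profile.split("."))
    return re.fullmatch(pattern, "." + resource) is not None

def may_direct(user, resource, profiles, class_active=True, autodirect_on=True):
    """Apply the four conditions; profiles = {name: (uacc, {user_id: level})}."""
    hits = [p for p in profiles if covers(p, resource)]
    if not (class_active and autodirect_on and hits):
        return False
    # Assumption: a discrete name beats a generic, then the longest literal prefix wins.
    best = max(hits, key=lambda p: (p == resource, len(p.split("*")[0])))
    uacc, acl = profiles[best]          # assumption: user entries only, no group access
    return LEVELS.index(acl.get(user, uacc)) >= LEVELS.index("READ")

def broad_profiles(profiles):
    """Profiles generic in the command-name qualifier (the case note 5 describes)."""
    return sorted(p for p in profiles if p.split(".")[-1] in ("*", "**"))

# Constructed sample profiles; NODEB, NODEC, SECADM and HELPDSK are made-up names.
SAMPLE = {"AUTODIRECT.NODEB.USER.*": ("NONE", {"SECADM": "READ"}),
          "AUTODIRECT.NODEB.USER.DELUSER": ("NONE", {}),
          "AUTODIRECT.NODEC.GROUP.ADDGROUP": ("READ", {})}
```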





Copyright IBM Corporation 1990, 2014