You can dynamically add new class descriptor table (CDT) entries or modify or delete existing entries that you have added in the dynamic installation-defined CDT by administering resources in the CDT resource class. See Administering the dynamic class descriptor table (CDT) for details. If you need to administer installation-defined entries in the static CDT (module ICHRRCDE), see z/OS Security Server RACF System Programmer's Guide and consult your system programmer.

When you define a new resource class, you can optionally designate that class as either a resource group class or a resource member class. For a resource group class, each user or group of users that is permitted access to that resource group is permitted access to all members of the resource group. Note that for each resource group class you create, you must also create a second class that represents the members of the group.

RACF® refers to the class descriptor table (CDT) when it needs to make a class-related decision (such as, "What is the maximum length of profile names?"). With the CDT and appropriate use of RACF authorization checking services, you can extend RACF protection to any part of your system.

For more information on creating installation-defined classes, see Administering the dynamic class descriptor table (CDT).