Using the SETROPTS command

RACF® provides many system-wide options for controlling the way it works on your system. You specify most of these options by issuing the SETROPTS command with the appropriate operands or filling in the appropriate ISPF panels.

This topic discusses SETROPTS options that are useful to the RACF security administrator. It assumes that you have the SPECIAL attribute.

For a description of the SETROPTS options that are useful to the RACF auditor (with the AUDITOR attribute), see z/OS Security Server RACF Auditor's Guide.

See z/OS Security Server RACF Command Language Reference for a complete description of the SETROPTS command.

Guidelines for using selected SETROPTS options:
  • If you are installing RACF for the first time, activate enhanced generic naming:
    SETROPTS EGN
  • Do not issue the SETROPTS TERMINAL(NONE) command unless enough terminals are RACF-protected for users to log on. SETROPTS TERMINAL(NONE) prevents users from logging on to unprotected terminals.

    To recover from such a situation, submit a batch job that runs under a user ID with the SPECIAL attribute and that issues SETROPTS TERMINAL(READ).

  • Some classes have a default return code of 8. If such a class is activated, but no profiles are defined, user activity that requires access in that class is prevented.

    Do not activate a class with a default return code of 8, either explicitly (by name) or implicitly (by means of a shared POSIT value), unless you have defined profiles for that class.

    RACF prevents you from accidentally activating all classes by misusing the SETROPTS CLASSACT(*) operand.

    If security labels have been assigned to resource profiles, do not activate the SECLABEL class by using SETROPTS CLASSACT(SECLABEL) unless you have assigned appropriate security labels to appropriate users.

    To recover from such a situation, log on as a user with the SPECIAL attribute, specifying SYSHIGH as the current security label. Then either assign security labels, or issue SETROPTS NOCLASSACT(SECLABEL).

  • Do not issue the following SETROPTS commands unless you have assigned appropriate security labels to all users and to the resources that they must access:
    • SETROPTS MLACTIVE(FAILURES)
    • SETROPTS MLFSOBJ(FAILURES)
    • SETROPTS MLIPCOBJ(FAILURES)
    To recover from such a situation, log on as a user with the SPECIAL attribute, specifying SYSHIGH as the current security label. Then, either assign security labels, or issue one of the following SETROPTS commands, as appropriate:
    • SETROPTS NOMLACTIVE
    • SETROPTS MLFSOBJ(ACTIVE)
    • SETROPTS MLIPCOBJ(ACTIVE)
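
The batch recovery job described above for SETROPTS TERMINAL(NONE), written out as an added example (it is not taken from the IBM documentation). It runs the TSO terminal monitor program IKJEFT01 in batch and reads the RACF commands from SYSTSIN. The job name, accounting field, job classes and the user ID SPECUSR are placeholders to replace with your installation's values.

```jcl
//RACFRCVR JOB (ACCT),'RACF RECOVERY',CLASS=A,MSGCLASS=X,
//         USER=SPECUSR
//* Added example. RACFRCVR, ACCT, the CLASS and MSGCLASS values and
//* SPECUSR are placeholders. USER= must name a user ID that has the
//* SPECIAL attribute; how the job is authenticated for that user ID
//* depends on your installation.
//*
//* IKJEFT01 runs TSO commands in batch, so no terminal logon is
//* needed to issue the SETROPTS command.
//TSOBATCH EXEC PGM=IKJEFT01
//* SYSTSPRT receives the command output, including the option
//* listing produced by SETROPTS LIST.
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS TERMINAL(READ)
  SETROPTS LIST
/*
```

Check the SETROPTS LIST output in SYSTSPRT to confirm the terminal setting before asking users to log on again.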

Restriction: The ISPF panels do not support all options of the SETROPTS command. For example, the SETROPTS option to activate and deactivate mixed-case password support is not available through the RACF panels. For information about using the SETROPTS command to implement mixed-case passwords, see Allowing mixed-case passwords (PASSWORD option).