The following is the BASE segment of the USER template.
Field name | Field ID | Flag 1 | Flag 2 | Field length (decimal) | Default value | Type | Description |
USER | 001 | 00 | 00 | 00000000 | 00 | | |
ENTYPE | 002 | 00 | 00 | 00000001 | 02 | Int | The number (2) corresponding to user profiles. |
VERSION | 003 | 00 | 00 | 00000001 | 01 | Int | The version field from the profile. Always X'01'. |
AUTHDATE | 004 | 00 | 20 | 00000003 | FF | Date | The date the user was defined to RACF. |
AUTHOR | 005 | 00 | 00 | 00000008 | FF | Char | The owner (user ID or group name) of the user profile. |
FLAG1 | 006 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having the ADSP attribute. |
FLAG2 | 007 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having the SPECIAL attribute. |
FLAG3 | 008 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having the OPERATIONS attribute. |
FLAG4 | 009 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having the REVOKE attribute. |
FLAG5 | 010 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having the GRPACC attribute. |
PASSINT | 011 | 00 | 80 | 00000001 | FF | Int | The interval in days (represented by a number between 1 and 254) that the user's password is in effect. If it is X'FF', the user's password never expires. See the description of the SETR PASSWORD(INTERVAL(...)) processing instructions in z/OS Security Server RACF Command Language Reference for more details. |
PASSWORD | 012 | 04 | 80 | 00000008 | FF | Char | The password associated with the user. For masking, the masked password is stored. For DES, the encrypted user ID is stored. If the installation provides its own password authentication, data returned by the ICHDEX01 exit is stored. |
PASSDATE | 013 | 00 | 20 | 00000003 | FF | Date | The date the password was last changed. |
PGMRNAME | 014 | 00 | 00 | 00000020 | FF | Char | The name of the user. |
DFLTGRP | 015 | 00 | 00 | 00000008 | FF | Char | The default group associated with the user. A value of X'FF' indicates that no group was specified. |
LJTIME | 016 | 01 | 00 | 00000004 | FF | Time | The last recorded time that the user entered the system by using RACROUTE REQUEST=VERIFY. |
LJDATE | 017 | 01 | 20 | 00000003 | FF | Date | The last recorded date that the user entered the system by using RACROUTE REQUEST=VERIFY. |
INSTDATA | 018 | 00 | 80 | 00000000 | 00 | Char | Installation data. |
UAUDIT | 019 | 20 | 80 | 00000001 | 00 | Bin | Identifies whether all RACROUTE REQUEST=AUTH, RACROUTE REQUEST=DEFINE, (and, if the caller requests logging, RACROUTE REQUEST=FASTAUTH) macros issued for the user and all RACF commands (except SEARCH, LISTDSD, LISTGRP, LISTUSER, and RLIST) issued by the user are logged. If bit 0 is on, they are logged. If bit 0 is off, logging might still occur for other reasons, as identified in z/OS Security Server RACF Auditor's Guide. |
FLAG6 | 020 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having the AUDITOR attribute. |
FLAG7 | 021 | 20 | 80 | 00000001 | 00 | Bin | If bit 0 is on, and FLAG8 has bit 0 on, an operator identification card (OID card) is needed to enter the system. If bit 1 is on, this is a protected user ID, which cannot enter the system by any means requiring a password or OID card. If bit 2 is on, this user can enter the system with a password phrase. |
FLAG8 | 022 | 20 | 80 | 00000001 | 00 | Bin | If bit 0 is on, an operator identification card (OID card) is required when logging on to the system. |
MAGSTRIP | 023 | 04 | 00 | 00000000 | 00 | Bin | The operator identification associated with the user from the masked or encrypted OID card data required to authenticate this user, as supplied by a supported 327x (such as 3270 and 3278) OID card reader. |
PWDGEN | 024 | 00 | 00 | 00000001 | FF | Int | Current password generation number. |
PWDCNT | 025 | 10 | 00 | 00000004 | 00 | Int | Number of old passwords present. |
OLDPWDNM | 026 | 80 | 00 | 00000001 | 00 | Int | Generation number of previous password. |
OLDPWD | 027 | 84 | 00 | 00000008 | FF | Char | Previous password. This is an encrypted password value. |
REVOKECT | 028 | 01 | 80 | 00000001 | FF | Int | Count of unsuccessful password attempts. Note: You can use ALTER when setting this field, but you cannot use ALTERI. |
MODELNAM | 029 | 00 | 80 | 00000000 | 00 | Char | Data set model profile name. The profile name begins with the second qualifier; the high-level qualifier is not stored. |
SECLEVEL | 030 | 00 | 80 | 00000001 | FF | Int | The number that corresponds to the user's security level. For more information on security levels, see z/OS Security Server RACF Security Administrator's Guide. |
NUMCTGY | 031 | 10 | 80 | 00000004 | 00 | Int | Number of security categories. |
CATEGORY | 032 | 80 | 80 | 00000002 | 00 | Int | A number that corresponds to the security categories to which the user has access. |
REVOKEDT | 033 | 00 | 20 | 00000000 | 00 | Date | The date the user is revoked. This field either has length 0, or contains a 3-byte revoke date. |
RESUMEDT | 034 | 00 | 20 | 00000000 | 00 | Date | The date the user is resumed. This field either has length 0, or contains a 3-byte resume date. |
LOGDAYS | 035 | 20 | 00 | 00000001 | 00 | Bin | The days of the week the user cannot log on (Bit 0 of this field equals Sunday, bit 1 equals Monday, and so on). |
LOGTIME | 036 | 00 | 80 | 00000000 | 00 | Time | The time of the day the user can log on. If present (length of variable field not equal to 0), it is specified as 6 bytes formatted as two 3-byte packed decimal fields, 0ssssC0eeeeC, where ssss represents the start time (hhmm) from the ALU...WHEN(TIMES(...)) specification and eeee represents the end time. For hhmm, hh represents hours, and mm represents minutes. |
FLDCNT | 037 | 10 | 00 | 00000004 | 00 | | Reserved for IBM's use. |
FLDNAME | 038 | 80 | 00 | 00000008 | 00 | | Reserved for IBM's use. |
FLDVALUE | 039 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
FLDFLAG | 040 | A0 | 00 | 00000001 | 00 | | Reserved for IBM's use. |
CLCNT | 041 | 10 | 80 | 00000004 | 00 | Int | The number of classes in which the user is allowed to define profiles. |
CLNAME | 042 | 80 | 80 | 00000008 | 00 | Char | A class in which the user is allowed to define profiles. (The user has the CLAUTH attribute.) The user can also define profiles in any other classes with POSIT values matching these classes. |
CONGRPCT | 043 | 10 | 80 | 00000004 | 00 | Int | The number of groups that the user is connected to. |
CONGRPNM | 044 | 80 | 80 | 00000008 | 00 | Char | A group that the user is connected to. |
USRCNT / USRNM / USRDATA / USRFLG | 045 / 046 / 047 / 048 | 10 / 80 / 80 / A0 | 00 / 80 / 80 / 80 | 00000004 / 00000008 / 00000000 / 00000001 | 00 / 00 / 00 / 00 | Int | Reserved for installation use. Note: Intended usage: For installation to store additional data in this profile. USRNM should have a field name to use as a key to identify each unique occurrence of a row in the repeat group. USRDATA and USRFLG hold the data associated with that name. For more information, see "Example 5: Updating the installation fields", in Appendix A of z/OS Security Server RACF Macros and Interfaces. |
SECLABEL | 049 | 00 | 80 | 00000008 | 00 | Char | Security label. |
CGGRPCT | 050 | 10 | 80 | 00000004 | 00 | Int | Number of Connect Group entries. Information from the following CGxxx fields is also available through the logical connect profiles (ICHEINTY with CLASS=CONNECT) in the database. See Connect template for the RACF database for more details. |
CGGRPNM | 051 | 82 | 80 | 00000008 | 00 | Char | Connect Group Entry Name. |
CGAUTHDA | 052 | 80 | A0 | 00000003 | FF | Date | Date the user was connected. |
CGAUTHOR | 053 | 80 | 80 | 00000008 | FF | Char | Owner of connect occurrence. |
CGLJTIME | 054 | 81 | 00 | 00000004 | FF | Time | Time of RACROUTE REQUEST=VERIFY. |
CGLJDATE | 055 | 81 | 20 | 00000003 | FF | Date | Date of RACROUTE REQUEST=VERIFY. |
CGUACC | 056 | A0 | 80 | 00000001 | 00 | Bin | Default universal access. |
CGINITCT | 057 | 81 | 00 | 00000002 | FF | Int | Number of RACROUTE REQUEST=VERIFY requests that were successfully processed where the value specified in the CGRPNM field was the current connect group. |
CGFLAG1 | 058 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user has the ADSP attribute in that group. |
CGFLAG2 | 059 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user has the SPECIAL attribute in that group. |
CGFLAG3 | 060 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user has the OPERATIONS attribute in that group. |
CGFLAG4 | 061 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user has the REVOKE attribute in that group. |
CGFLAG5 | 062 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user has the GRPACC attribute in that group. |
CGNOTUAC | 063 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user must be specifically authorized (by the PERMIT command) to use a terminal. If off, RACF uses the terminal's UACC. |
CGGRPAUD | 064 | A0 | 80 | 00000001 | 00 | Bin | If bit 0 is on, the user has the GROUP AUDITOR attribute in that group. |
CGREVKDT | 065 | 80 | 20 | 00000000 | 00 | Date | The date the user is revoked. This field either has length 0, or contains a 3-byte revoke date. |
CGRESMDT | 066 | 80 | 20 | 00000000 | 00 | Date | The date the user is resumed. This field either has length 0, or contains a 3-byte resume date. |
TUCNT | 067 | 10 | 00 | 00000002 | 00 | Int | Number of user ID associations. |
TUKEY | 068 | 80 | 00 | 00000016 | 00 | Char | Associated node and user ID. Bytes 0–7: The associated node name. Bytes 8–15: The associated user ID. |
TUDATA | 069 | 80 | 00 | 00000000 | | | Associated user ID association data. Byte 0: Version number of the TUDATA entry. |
 | | | | | | Bin | Byte 1: Bitstring. Bit 0: Specifies the user as having (bit is on) or not having (bit is off) a peer user ID association. Bit 1: Specifies the user as being (bit is on) the manager of a managed user ID association. Bit 2: Specifies the user as being (bit is on) managed by a managed user ID association. Bit 3: An association request for this user is pending (bit is on) on a remote RRSF node. Bit 4: An association request for this user is pending (bit is on) on the local RRSF node. Bit 5: Specifies that password synchronization is in effect (bit is on) for this peer-user ID association. Bit 6: Specifies that the association request for this user was rejected (bit is on). Bit 7: Reserved for IBM's use. |
 | | | | | | | Bytes 2–20: Reserved for IBM's use. |
 | | | | | | Date | Bytes 2–24: The date the user ID association was defined. (yyyymmdd) |
 | | | | | | Time | Bytes 25–32: The time the user ID association was defined. For the format of the time, see the TIME macro as documented in z/OS MVS Programming: Assembler Services Reference IAR-XCT. |
 | | | | | | Char | Bytes 32–36: The date the user ID association was approved or refused. (yyyymmdd) |
 | | | | | | Int | Bytes 37–44: The time the user ID association was approved or refused. For the format of the time, see the TIME macro as documented in z/OS MVS Programming: Assembler Services Reference IAR-XCT. |
 | | | | | | | Bytes 45–56: Reserved for IBM's use. |
 | | | | | | Char | Bytes 57–64: The user ID that created the entry. |
CERTCT | 070 | 10 | 00 | 00000004 | 00 | | Number of certificate names. |
CERTNAME | 071 | 80 | 00 | 00000000 | 00 | | Name of certificate. Names correspond to profiles in the DIGTCERT class for the user. |
CERTLABL | 072 | 80 | 00 | 00000000 | 00 | | Label associated with the certificate. |
CERTSJDN | 073 | 80 | 00 | 00000000 | 00 | | Subject's distinguished name. |
CERTPUBK | 074 | 80 | 00 | 00000000 | 00 | | Public key associated with the certificate. |
CERTRSV3 | 075 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
FLAG9 | 076 | 20 | 80 | 00000001 | 00 | | Restricted Access = BIT0. |
NMAPCT | 077 | 10 | 00 | 00000004 | 00 | | Number of DIGTNMAP Mapping Profiles that specify this user ID. |
NMAPLABL | 078 | 80 | 00 | 00000000 | 00 | | Label associated with this mapping. |
NMAPNAME | 079 | 80 | 00 | 00000000 | 00 | | Name of mapping profile. The names correspond to profiles in the DIGTNMAP class. |
NMAPRSV1 | 080 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
NMAPRSV2 | 081 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
NMAPRSV3 | 082 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
NMAPRSV4 | 083 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
NMAPRSV5 | 084 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
PWDENV | 085 | 00 | 08 | 00000000 | 00 | Bin | Internal form of the enveloped RACF password. |
PASSASIS | 086 | 20 | 80 | 00000001 | 00 | Bin | Identifies the user as having (bit 0 is on) or not having used a mixed case password. |
PHRASE | 087 | 04 | 80 | 00000000 | FF | Bin | The password phrase associated with this user. |
PHRDATE | 088 | 00 | 20 | 00000003 | FF | Bin | The date the password phrase was last changed. |
PHRGEN | 089 | 00 | 00 | 00000001 | FF | Int | Current password phrase generation number. |
PHRCNT | 090 | 10 | 00 | 00000004 | 00 | Int | Number of old password phrases. |
OLDPHRNM | 091 | 80 | 00 | 00000001 | 00 | Int | Generation number of password phrase. |
OLDPHR | 092 | 84 | 00 | 00000008 | FF | Bin | Previous password phrase, truncated to 8 bytes. |
CERTSEQN | 093 | 00 | 00 | 00000004 | 00 | Int | Sequence number that is incremented whenever a certificate for the user is added, deleted, or altered. |
PPHENV | 094 | 00 | 00 | 00000000 | 00 | Bin | Internal form of the enveloped RACF password phrase. |
DMAPCT | 095 | 10 | 00 | 00000004 | 00 | | Number of IDIDMAP Mapping Profiles that specify this user ID. |
DMAPLABL | 096 | 80 | 00 | 00000000 | 00 | | Label associated with this mapping. |
DMAPNAME | 097 | 80 | 00 | 00000000 | 00 | | Name of mapping profile. The names correspond to profiles in the IDIDMAP class. |
DMAPRSV1 | 098 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
DMAPRSV2 | 099 | 80 | 00 | 00000000 | 00 | | Reserved for IBM's use. |
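
Added example, not part of the IBM documentation: decoding the one-byte flag fields, PASSINT, LOGDAYS and the packed-decimal LOGTIME described in the table above into the attributes an access review would check. It assumes IBM bit numbering (bit 0 is the high-order bit, X'80') and that the raw field bytes are already available in a dict keyed by field name; `summarize`, `SAMPLE` and the other names are this example's own.

```python
# Added example, not IBM code. Field names and meanings come from the table
# above; the dict-of-raw-bytes input shape is an assumption of this example.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

def bit(raw: bytes, n: int) -> bool:
    """Bit n of a 1-byte flag field. Assumes IBM numbering: bit 0 = 0x80."""
    return bool(raw[0] & (0x80 >> n))

def packed_hhmm(three: bytes) -> str:
    """Decode one 3-byte packed-decimal time, 0hhmmC, to 'hh:mm'."""
    d = three.hex().upper()
    if len(d) != 6 or d[0] != "0" or d[5] != "C" or not d[1:5].isdigit():
        raise ValueError(f"not 0hhmmC packed decimal: {d}")
    return f"{d[1:3]}:{d[3:5]}"

def decode_logtime(raw: bytes):
    """LOGTIME: length 0 means the field is absent; else 0ssssC0eeeeC."""
    if len(raw) == 0:
        return None
    if len(raw) != 6:
        raise ValueError("LOGTIME must be 0 or 6 bytes")
    return packed_hhmm(raw[:3]), packed_hhmm(raw[3:])

def summarize(f: dict) -> dict:
    """Turn raw BASE-segment field bytes into reviewable attributes."""
    names = {"FLAG1": "ADSP", "FLAG2": "SPECIAL", "FLAG3": "OPERATIONS",
             "FLAG4": "REVOKE", "FLAG5": "GRPACC", "FLAG6": "AUDITOR"}
    passint = f["PASSINT"][0]
    return {
        "attributes": [a for k, a in names.items() if bit(f[k], 0)],
        "restricted": bit(f["FLAG9"], 0),
        "oid_card": bit(f["FLAG7"], 0) and bit(f["FLAG8"], 0),
        "protected": bit(f["FLAG7"], 1),
        "phrase_allowed": bit(f["FLAG7"], 2),
        "password_never_expires": passint == 0xFF,
        "password_interval_days": None if passint == 0xFF else passint,
        "blocked_days": [d for i, d in enumerate(DAYS) if bit(f["LOGDAYS"], i)],
        "logon_window": decode_logtime(f["LOGTIME"]),
    }

# Constructed sample profile (not real data): SPECIAL + AUDITOR, protected ID,
# non-expiring password, no weekend logon, logon window 08:00-17:30.
SAMPLE = {"FLAG1": b"\x00", "FLAG2": b"\x80", "FLAG3": b"\x00", "FLAG4": b"\x00",
          "FLAG5": b"\x00", "FLAG6": b"\x80", "FLAG7": b"\x40", "FLAG8": b"\x00",
          "FLAG9": b"\x00", "PASSINT": b"\xff", "LOGDAYS": b"\x82",
          "LOGTIME": bytes.fromhex("00800C01730C")}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The 3-byte date fields are left undecoded because the table does not give their internal format.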