z/OS Security Server RACF Macros and Interfaces


Conversion rules of the database unload utility

SA23-2288-00

In unloading the database, these rules were followed:
  • Each repeat group has its own record type.

    For example, the repeat group representing the access list for data sets covered by a profile is ACL2CNT (the field name in the template). There is a data set access record (type 0404) created for each entry in the access list.

  • Flag fields that are not mutually exclusive values (for example, 8-bit flags where more than one bit could be on at once) are defined as separate fields.

    When this field is processed, it is unloaded as a 4-character field, with the values YES and NO as valid values. The field is left-justified.

  • Flag fields that have mutually exclusive settings are unloaded as 8-character fields with a value corresponding to each bit setting.

    For example, the UACC in a data set profile is a flag field in which each bit position corresponds to a universal access. The utility translates this single flag field into an 8-byte string with the value NONE, READ, UPDATE, CONTROL, or ALTER. If the flag field contains a value which is undefined, then the utility unloads the value as X<cc>, where cc is the hexadecimal value of the flag field.

  • Encrypted and reserved fields are not unloaded.
  • A maximum of 255 bytes are unloaded, except for the following fields:

    Segment  Field       Bytes unloaded
    PROXY    LDAP_HOST   1023
    PROXY    BIND_DN     1023
    EIM      DOMAIN_DN   1023
    OMVS     HOME_PATH   1023
    OMVS     PROGRAM     1023
    OVM      HOME_PATH   1023
    OVM      PROGRAM     1023
    OVM      FSROOT      1023
    DCE      DCE_NAME    1023
    DCE      HOMECELL    1023
    CSDATA   All fields  Maximum available bytes are unloaded.

  • Fields for the installation's data, such as INSTDATA or the USRxx fields, are unloaded without any decoding. The USRFLG field, however, is treated as a hexadecimal value and is represented by X<cc>.
  • A single byte with the value blank (X'40') is placed between each field in the output record. This makes it easier to understand the output file when it is viewed.
  • Fields in the database which contain null data have blanks unloaded, except for integer fields, which have a zero value unloaded. (Data is treated as null if 'FF' is coded as the default value for a character set in the base segment or if zeros are used in the character field in any segment other than the base segment.)
  • Fields are converted to a readable form without interpretation of the current date or other information within the database.

    For example, a user who shows as revoked when listed by LISTUSER does not show as revoked in the raw UNLOAD data. If the revoked date is past, LISTUSER processes the data and shows the user as ATTRIBUTES=REVOKED; however, the FLAG4 (USBD_REVOKE) bit in the unload data shows as NO.

    Also, a protected user might show as N/A in the LISTUSER field for PASS-INTERVAL=; however, the UNLOAD data might show a residual value in USBD_PWD_INTERVAL.

    For more information, see in z/OS Security Server RACF Security Administrator's Guide.
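
The following Python sketch is an added example, not IBM code. It applies the rules above when reading unloaded records off-platform: it checks the blank separator, decodes YES/NO flags and X<cc> values, and derives an effective revoke status from a revoke date instead of trusting USBD_REVOKE alone. The layouts, the REVOKE_DATE column, the YYYY-MM-DD date form, and the sample records are constructed assumptions; take real field positions from the record-format tables.

```python
from datetime import date

UACC = {"NONE", "READ", "UPDATE", "CONTROL", "ALTER"}
# Constructed, shortened layouts as (field, width, kind); not the real record formats.
USER_LAYOUT = [("TYPE", 4, "char"), ("NAME", 8, "char"), ("USBD_REVOKE", 4, "flag"),
               ("USBD_PWD_INTERVAL", 3, "int"), ("REVOKE_DATE", 10, "date")]
DS_LAYOUT = [("TYPE", 4, "char"), ("NAME", 8, "char"), ("UACC", 8, "enum")]
# Constructed sample records, joined with the single blank the utility puts between fields.
USER_SAMPLE = " ".join(["0200", "JDOE".ljust(8), "NO".ljust(4), "030", "2013-06-30"])
DS_SAMPLE = " ".join(["0400", "PAY.DATA", "X<42>".ljust(8)])

def decode(text, kind, name):
    """Turn one unloaded field (trailing blanks removed) into a Python value."""
    if kind == "flag":                      # 4-character YES/NO, left-justified
        if text not in ("YES", "NO"):
            raise ValueError(f"{name}: expected YES or NO, got {text!r}")
        return text == "YES"
    if kind == "enum":                      # 8-character mutually exclusive setting
        if text.startswith("X<") and text.endswith(">"):
            return ("UNDEFINED", int(text[2:-1], 16))  # assumes literal X<cc> form
        if text not in UACC:
            raise ValueError(f"{name}: unexpected value {text!r}")
        return text
    if kind == "int":                       # null integers are unloaded as zero
        return int(text or 0)
    if kind == "date":                      # assumes YYYY-MM-DD; blank means null
        return date.fromisoformat(text) if text else None
    return text

def parse(line, layout):
    """Split a record by field width, checking the blank separator after each field."""
    out, pos = {}, 0
    for name, width, kind in layout:
        out[name] = decode(line[pos:pos + width].rstrip(), kind, name)
        pos += width
        if line[pos:pos + 1] not in ("", " "):
            raise ValueError(f"no blank separator after {name}")
        pos += 1
    return out

def effectively_revoked(user, as_of):
    """Flag set, or revoke date reached by as_of (resume dates are not modeled)."""
    d = user["REVOKE_DATE"]
    return bool(user["USBD_REVOKE"] or (d is not None and d <= as_of))
```

A record whose separator position holds a non-blank character raises ValueError, which usually means the layout does not match the record type being read.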





Copyright IBM Corporation 1990, 2014