z/OS Security Server RACF Command Language Reference


ALTGROUP (Alter group profile)

SA23-2292-00

Purpose

Use the ALTGROUP command to change:
  • The superior group of a group
  • The owner of a group
  • The terminal indicator for a group
  • A model profile name for a group
  • The installation-defined data associated with a group
  • The default segment information for a group (for example, DFP or OMVS)

Issuing options

The following table identifies the eligible options for issuing the ALTGROUP command:

As a RACF® TSO command?            Yes
As a RACF operator command?        Yes
With command direction?            Yes
With automatic command direction?  Yes
From the RACF parameter library?   Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To change the superior group of a group, you must have at least one of the following authorizations:
  • You must have the SPECIAL attribute
  • All the following group profiles must be within the scope of a group in which you have the group-SPECIAL attribute:
    • The group whose superior group you are changing
    • The current superior group
    • The new superior group
  • You must be the owner of, or have JOIN authority in, both the current and the new superior groups.
Note: You can have JOIN authority in one group and be the owner of or have the group-SPECIAL attribute in the other group.
If you have any of the following authorizations, you can specify any operand except as otherwise listed below:
  • The SPECIAL attribute
  • The group profile is within the scope of a group in which you have the group-SPECIAL attribute
  • You are the current owner of the group.
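The three alternatives above are easy to misread, in particular that the third one needs control over both the current and the new superior group. The following is an added example, not IBM code, that models those rules together with the structural rule from the SUPGROUP operand description (the new superior group may be neither the current one nor a subgroup of the group being changed). The group tree, the users and their attributes are constructed; group-SPECIAL scope is modelled as the group plus all of its subgroups at any level.

```python
# Added example (not IBM's code): the documented authorization rules for
# ALTGROUP ... SUPGROUP(), applied to a constructed group tree.
from dataclasses import dataclass


@dataclass
class RacfUser:
    userid: str
    special: bool = False
    group_special: frozenset = frozenset()   # groups in which the user holds group-SPECIAL
    owns: frozenset = frozenset()            # groups the user owns
    join: frozenset = frozenset()            # groups in which the user has JOIN authority


def in_scope(tree, group, admin_groups):
    """A group is within group-SPECIAL scope if it is one of the user's
    group-SPECIAL groups or a subgroup (at any level) of one of them.
    `tree` maps each group to its superior group; the root (SYS1) maps to None."""
    while group is not None:
        if group in admin_groups:
            return True
        group = tree.get(group)
    return False


def is_subgroup_of(tree, candidate, group):
    """True if candidate is `group` itself or sits below it in the tree."""
    while candidate is not None:
        if candidate == group:
            return True
        candidate = tree.get(candidate)
    return False


def valid_new_supgroup(tree, group, new_sup):
    """Structural rule from the SUPGROUP operand description."""
    if new_sup not in tree:
        return False, "new superior group is not RACF-defined"
    if new_sup == tree.get(group):
        return False, "new superior group equals the current one"
    if is_subgroup_of(tree, new_sup, group):
        return False, "new superior group is the group itself or one of its subgroups"
    return True, "ok"


def can_change_supgroup(user, tree, group, new_sup):
    """The three documented alternatives, tried in order. Returns (allowed, reason)."""
    ok, why = valid_new_supgroup(tree, group, new_sup)
    if not ok:
        return False, why
    current_sup = tree.get(group)
    if user.special:
        return True, "SPECIAL attribute"
    if all(in_scope(tree, g, user.group_special) for g in (group, current_sup, new_sup)):
        return True, "group, current and new superior group all within group-SPECIAL scope"

    def controls(g):   # owner of, JOIN authority in, or group-SPECIAL over g (mixing is allowed)
        return g in user.owns or g in user.join or in_scope(tree, g, user.group_special)

    if controls(current_sup) and controls(new_sup):
        return True, "owner/JOIN/group-SPECIAL in both the current and the new superior group"
    return False, "insufficient authority"


# Constructed sample tree and users (mirroring Examples 1 and 2 on this page).
TREE = {"SYS1": None, "RESEARCH": "SYS1", "PROJECTA": "RESEARCH",
        "PAYROLL": "SYS1", "PROJECTB": "SYS1"}
WJB10 = RacfUser("WJB10", join=frozenset({"RESEARCH"}), owns=frozenset({"PAYROLL"}))
MULES = RacfUser("MULES", special=True)
CLERK = RacfUser("CLERK", group_special=frozenset({"PAYROLL"}))
SYSADM = RacfUser("SYSADM", group_special=frozenset({"SYS1"}))

if __name__ == "__main__":
    for who, grp, new in ((WJB10, "PROJECTA", "PAYROLL"), (CLERK, "PROJECTA", "PAYROLL"),
                          (MULES, "RESEARCH", "PROJECTA")):
        print(who.userid, grp, "->", new, can_change_supgroup(who, TREE, grp, new))
```

CLERK is refused even though PAYROLL is within that user's group-SPECIAL scope, because the current superior group RESEARCH is not; that is the case the second alternative's "all the following group profiles" wording is guarding.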

To add, delete, or alter segments, such as DFP or OMVS, in a group's profile, you must have at least one of the following authorizations:

  • You must have the SPECIAL attribute.
  • Your installation must permit you to do so through field-level access checking.
For information on field-level access checking, see z/OS Security Server RACF Security Administrator's Guide.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

To specify the SHARED keyword, you must have the SPECIAL attribute or at least READ authority to the SHARED.IDS resource in the UNIXPRIV class.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ALTGROUP command is:

[subsystem-prefix]{ALTGROUP | ALG}
  (group-name …)
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ CSDATA(
      [ custom-field-name(custom-field-value) | NOcustom-field-name ] …
    )
  | NOCSDATA ]
  [ DATA('installation-defined-data') | NODATA ]
  [ DFP(
      [ DATAAPPL(application-name) | NODATAAPPL ]
      [ DATACLAS(data-class-name) | NODATACLAS ]
      [ MGMTCLAS(management-class-name) | NOMGMTCLAS ]
      [ STORCLAS(storage-class-name) | NOSTORCLAS ]
    )
  | NODFP ]
  [ MODEL(dsname) | NOMODEL ]
  [ OMVS(
      [ AUTOGID
      | GID(group-identifier) [SHARED]
      | NOGID ]
    )
  | NOOMVS ]
  [ OVM(
      [ GID(group-identifier) | NOGID ]
    )
  | NOOVM ]
  [ OWNER(userid or group-name) ]
  [ SUPGROUP(group-name) ]
  [ TERMUACC | NOTERMUACC ]
  [ TME(
      [ ROLES(profile-name …)
      | ADDROLES(profile-name …)
      | DELROLES(profile-name …)
      | NOROLES ]
    )
  | NOTME ]


Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

group-name
Specifies the name of the group whose definition you want to change. If you specify more than one group name, the list of names must be enclosed in parentheses.

This operand is required and must be the first operand following ALTGROUP.

AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

CSDATA | NOCSDATA
CSDATA
Specifies custom field information to add, change, or remove for this group.
custom-field-name … | NOcustom-field-name …
Specifies the name and value of a custom field for this group.

You can define multiple custom field values with a single ALTGROUP command.

custom-field-name(custom-field-value) …
Specifies the name and value of a custom field for this group. You can specify values for multiple custom fields with a single ALTGROUP command.

Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.

Rules:
  • You must use the same custom-field-name as defined by the CFIELD profile named GROUP.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
  • You must specify a custom-field-value that is valid for the attributes of this custom field. (The attributes, such as data type, are defined in the CFDEF segment of the CFIELD profile.)
NOcustom-field-name …
Removes the custom field information for this group. You can remove values for multiple custom fields with a single ALTGROUP command.

When you append the prefix NO to the name of the custom field, you delete the value for that custom field from the group's profile. For example, if your installation has defined a custom field named COMPADDR and you want to remove the COMPADDR field from the profile of the group ABCSUPLY, you might issue the following command:

Example:
ALTGROUP ABCSUPLY CSDATA(NOCOMPADDR)
NOCSDATA
Deletes the CSDATA segment from the group profile.
DATA | NODATA
DATA('installation-defined-data')
Specifies up to 255 characters of installation-defined data to be stored in the group profile and must be enclosed in single quotation marks. It can also contain double-byte character set (DBCS) data.

Use the LISTGRP command to list this information.

NODATA
Specifies that the ALTGROUP command is to delete any installation-defined data in the group profile.
DFP | NODFP
DFP
Specifies that when you change the profile of a group, you can enter any of the following suboperands to add, change, or delete default values for the DFP data application, data class, management class, and storage class. DFP uses this information to determine data management and DASD storage characteristics when a user creates a new data set for a group.
DATAAPPL | NODATAAPPL
DATAAPPL(application-name)
Specifies the name of a DFP data application. The name you specify can contain up to 8 alphanumeric characters.
NODATAAPPL
Specifies that you want to delete the DFP data application name from the DFP segment of the group's profile.
DATACLAS | NODATACLAS
DATACLAS(data-class-name)
Specifies the default data class. The class name you specify can contain up to 8 alphanumeric characters.

A data class can specify some or all of the physical data set attributes associated with a new data set. During new data set allocation, data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).

Note: The value you specify must be a valid data class name defined for use on your system. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on defining DFP data classes, see z/OS DFSMSdfp Storage Administration.

NODATACLAS
Specifies that you want to delete the default data class name from the DFP segment of the group's profile.
MGMTCLAS | NOMGMTCLAS
MGMTCLAS(management-class-name)
Specifies the default management class. The class name you specify can contain up to 8 alphanumeric characters.

A management class contains a collection of management policies that apply to data sets. Data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).

Note: The value you specify must be defined as a profile in the MGMTCLAS general resource class, and the group must be granted at least READ access to the profile. Otherwise, RACF does not allow the group access to the specified MGMTCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on defining DFP management classes, see z/OS DFSMSdfp Storage Administration.

NOMGMTCLAS
Specifies that you want to delete the default management class name from the DFP segment of the group's profile.
STORCLAS | NOSTORCLAS
STORCLAS(storage-class-name)
Specifies the default storage class. The class name you specify can contain up to 8 alphanumeric characters.

A storage class specifies the service level (performance and availability) for data sets managed by the Storage Management Subsystem (SMS). During new data set allocation, data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).

Note: The value you specify must be defined as a profile in the STORCLAS general resource class, and the group must be granted at least READ access to the profile. Otherwise, RACF does not allow the group access to the specified STORCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on defining DFP storage classes, see z/OS DFSMSdfp Storage Administration.

NOSTORCLAS
Specifies that you want to delete the default storage class name from the DFP segment of the group's profile.
NODFP
Specifies that RACF should delete the DFP segment from the group's profile.
MODEL | NOMODEL
MODEL(dsname)
Specifies the name of a data set profile that RACF is to use as a model when new data set profiles are created that have group-name as the high-level qualifier. For this operand to be effective, the MODEL(GROUP) option on the SETROPTS command must be active. If the ALTGROUP command cannot find the dsname profile, it issues a warning message and places the profile name in the group entry.

RACF always prefixes dsname with the group name when it accesses the profile.

For information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.

NOMODEL
Specifies that the ALTGROUP command is to delete the model name in the group profile.
OMVS | NOOMVS
OMVS
Specifies z/OS UNIX System Services information for the group profile being changed.
AUTOGID | GID | NOGID
Specifies whether RACF is to automatically assign an unused GID value to the group, whether a specific GID value is to be assigned, or whether the group identifier in the OMVS segment of the group's profile is to be deleted.
AUTOGID
Specifies that RACF is to automatically assign an unused GID value to the group. The GID value is derived from information obtained from the BPX.NEXT.USER profile in the FACILITY class. For more information on setting up BPX.NEXT.USER, see z/OS Security Server RACF Security Administrator's Guide.

If you are using RRSF automatic command direction for the GROUP class, the command sent to other nodes will contain an explicit assignment of the GID value which was derived by RACF on the local node.

Rules:
  • AUTOGID cannot be specified if more than one group is entered.
  • The AUTOGID keyword is mutually exclusive with the SHARED keyword.
  • If both GID and AUTOGID are specified, AUTOGID is ignored.
  • If both NOGID and AUTOGID are specified, AUTOGID is ignored.
  • Field-level access checking for the GID field applies when using AUTOGID.
  • AUTOGID cannot be used to reassign a GID value if one already exists for the group. If AUTOGID is specified, but the group already has a GID assigned, one of two things will happen.
    • If the preexisting GID is unique to this group, this value will be identified in informational message IRR52177I, and the value will be left unchanged. If RRSF automatic command direction is in effect for the GROUP class, then the outbound ALTGROUP command will be altered to contain the preexisting GID value in the OMVS GID keyword.
    • If the preexisting GID is not unique to this group, error message IRR52178I will be issued, and the command will fail. See IRR52178I for information on changing the group's existing GID value.
GID(group-identifier) [SHARED]
GID(group-identifier)
Specifies the group identifier. The GID is a numeric value from 0 - 2 147 483 647.

When a GID is assigned to a group, all users connected to that group who have a user identifier (UID) in their user profile can use functions such as the TSO/E OMVS command and can access z/OS UNIX files based on the GID and UID values assigned.

Note:
  1. If the security administrator has defined the SHARED.IDS profile in the UNIXPRIV class, the GID must be unique. Use the SHARED keyword in addition to GID to assign a value that is already in use.
  2. If SHARED.IDS is not defined, RACF does not require the GID to be unique. The same value can be assigned to multiple groups, but this is not recommended because individual group control would be lost. However, if you want a set of groups to have exactly the same access to z/OS UNIX resources, you might decide to assign the same GID to more than one group.
  3. RACF allows you to define and connect a user to more than 300 groups (which is the same as the NGROUPS_MAX variable defined in the POSIX standard), but when a process is created or z/OS UNIX group information is requested, only up to the first 300 z/OS UNIX groups are associated with the process or user.

    The first 300 z/OS UNIX groups that have GIDs to which a user is connected are used by z/OS UNIX. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are z/OS UNIX groups.

    See z/OS UNIX System Services Planning for information on NGROUPS_MAX.

SHARED
If the security administrator has chosen to control the use of shared GIDs, this keyword must be used in addition to the GID keyword to specify the group identifier if it is already in use by at least one other group. The administrator controls shared GIDs by defining the SHARED.IDS profile in the UNIXPRIV class.
Rules:
  • If the SHARED.IDS profile is not defined, SHARED is ignored.
  • If SHARED is specified in the absence of GID, it is ignored.
  • If the SHARED.IDS profile is defined and SHARED is specified, but the value specified with GID is not currently in use, SHARED is ignored and UNIXPRIV authority is not required.
  • Field-level access checking for the GID field applies when using SHARED.
  • The SHARED keyword is mutually exclusive with the AUTOGID keyword.
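The AUTOGID, GID and SHARED rules above interact (which keyword wins, when SHARED is silently ignored, when SHARED.IDS makes a duplicate GID an error). The following is an added example, not IBM code, that walks one group's OMVS GID request through those rules against a constructed table of existing GIDs. The starting value used in place of BPX.NEXT.USER, the group names and the GID values are constructed; the issuer's authority to share is passed in as a flag rather than looked up in RACF.

```python
# Added example (not IBM's code): the documented AUTOGID / GID / SHARED rules
# for the OMVS segment, applied to one group at a time.
GID_MAX = 2_147_483_647
AUTO_START = 1000        # constructed stand-in for the BPX.NEXT.USER starting value


def resolve_omvs_gid(group, db, gid=None, autogid=False, shared=False, nogid=False,
                     shared_ids_defined=False, issuer_may_share=False):
    """db maps group-name -> current GID (None if the group has no GID).
    shared_ids_defined: the SHARED.IDS profile exists in the UNIXPRIV class.
    issuer_may_share: issuer has SPECIAL or READ authority to SHARED.IDS.
    Returns (ok, note, resulting_gid); db is not modified.
    AUTOGID with a list of several groups is an error and is not modelled here."""
    existing = db.get(group)
    if autogid and (gid is not None or nogid):
        autogid = False                      # AUTOGID is ignored alongside GID or NOGID
    if autogid and shared:
        return False, "AUTOGID and SHARED are mutually exclusive", existing
    if nogid:
        return True, "GID deleted from OMVS segment", None
    if autogid:
        if existing is not None:             # AUTOGID never reassigns an existing GID
            others = [g for g, v in db.items() if v == existing and g != group]
            if not others:
                return True, "IRR52177I existing unique GID left unchanged", existing
            return False, "IRR52178I existing GID is shared; command fails", existing
        used = {v for v in db.values() if v is not None}
        new = next(v for v in range(AUTO_START, GID_MAX + 1) if v not in used)
        return True, "AUTOGID assigned an unused GID", new
    if gid is None:
        return True, "no GID change requested", existing
    if not 0 <= gid <= GID_MAX:
        return False, "GID must be in the range 0-2147483647", existing
    in_use = any(v == gid and g != group for g, v in db.items())
    if not shared_ids_defined:
        return True, "GID assigned (SHARED.IDS not defined, uniqueness not enforced)", gid
    if not in_use:
        return True, "GID assigned (value not in use; SHARED ignored, no UNIXPRIV needed)", gid
    if not shared:
        return False, "GID already in use and SHARED not specified", existing
    if not issuer_may_share:
        return False, "SHARED requires SPECIAL or READ to SHARED.IDS in UNIXPRIV", existing
    return True, "shared GID assigned", gid


# Constructed sample database: PROJECTA and PROJECTB already share GID 100.
DB = {"PROJECTA": 100, "PROJECTB": 100, "PAYROLL": 200, "RESEARCH": None}

if __name__ == "__main__":
    print(resolve_omvs_gid("PAYROLL", DB, autogid=True))
    print(resolve_omvs_gid("PROJECTA", DB, autogid=True))
    print(resolve_omvs_gid("RESEARCH", DB, gid=100, shared=True,
                           shared_ids_defined=True, issuer_may_share=True))
```

Note that with SHARED.IDS defined, a GID that is already in use fails without SHARED, and with SHARED it still needs UNIXPRIV authority; the same value with SHARED.IDS undefined is accepted without either, which is why defining SHARED.IDS is the control an installation relies on to keep GIDs unique.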
NOGID
Specifies that you want to delete the group identifier from the OMVS segment of the group's profile.
NOOMVS
Specifies that RACF delete the OMVS segment from the group's profile.
OVM | NOOVM
OVM
Specifies OpenExtensions VM information for the group profile being changed.
GID | NOGID
GID(group-identifier)
Specifies the group identifier. The GID is a numeric value from 0 - 2 147 483 647.
Note:
  1. RACF does not require the GID to be unique. The same value can be assigned to multiple groups, but this is not recommended because individual group control would be lost. However, if you want a set of groups to have exactly the same access to the OpenExtensions VM resources, you might decide to assign the same GID to more than one group.
  2. Exercise caution when changing the GID for a group. The following situations might occur:
    • If the file system contains files that contain the old GID as the file owner GID, the members of the group lose access to those files, depending on the permission bits associated with the file.
    • If files exist with an owner GID equal to the group's new GID value, the members of the group gain access to these files.
    • If another group is subsequently added with the old value as its GID, the members of the group might have access to the old files.
    • If you have an EXEC.Ggid profile in the VMPOSIX class for the old GID value, make sure you delete this profile and create another to reflect the new value.
  3. The value defined for the NGROUPS_MAX variable in the ICHNGMAX macro on VM defines the maximum number of OpenExtensions VM groups to be associated with an OpenExtensions VM process or user. The NGROUPS_MAX variable on VM is a number 32 - 125, inclusive. However, RACF allows you to define and connect a user to more than the number of groups defined in this variable. If the NGROUPS_MAX variable is n and a process is created or OpenExtensions VM group information is requested, only up to the first n OpenExtensions VM groups are associated with the process or user. The first n OpenExtensions VM groups to which a user is connected are used by OpenExtensions VM. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are OpenExtensions VM groups.

    See z/OS Security Server RACF Macros and Interfaces for information on NGROUPS_MAX.

NOGID
Specifies that you want to delete the group identifier from the OVM segment of the group's profile.

If NOGID is specified for the group, the default GID of 4294967295 (X'FFFFFFFF') is assigned on VM. The LISTGRP command displays the field name followed by the word NONE.

NOOVM
Specifies that RACF delete the OVM segment from the group's profile.
OWNER(userid or group-name)
Specifies a RACF-defined user or group you want to be the new owner of the group.

To change the owner of a group, you must be the current owner of the group, or have the SPECIAL attribute, or have the group-SPECIAL attribute in the group owning the profile.

If you specify a group name, then OWNER and SUPGROUP must specify the same group name.

SUPGROUP(group-name)
Specifies the name of the RACF-defined group you want to make the new superior group for the group profile you are changing.

The new superior group must not be the same as the current one, and it must not have any level of subgroup relationship to the group you are changing.

To change a superior group, you must have the SPECIAL attribute, the group profile must be within the scope of a group in which you have the group-SPECIAL attribute, or you must have JOIN authority in, or be the owner of, both the current and new superior groups. Note that you can have JOIN authority in one group and be the owner of or have the group-SPECIAL attribute in the other group.

If owner is a group name, OWNER and SUPGROUP must specify the same group name.

TERMUACC | NOTERMUACC
TERMUACC
Specifies that during terminal authorization checking, RACF is to allow the use of the universal access authority for a terminal when it checks whether a user in the group is authorized to access a terminal.
NOTERMUACC
Specifies that the group or a user connected to the group must be authorized (using the PERMIT command with at least READ authority) to access a terminal.
TME | NOTME
TME
Specifies that information for the Tivoli® Security Management Application is to be added, changed, or deleted.
Note: The TME segment fields are intended to be updated only by the Tivoli Security Management Application, which manages updates, permissions, and cross references. A security administrator should only directly update Tivoli Security Management fields on an exception basis.
ROLES | ADDROLES | DELROLES | NOROLES
ROLES(profile-name)
Specifies a list of roles that reference this group.

The profile-name value should be the name of a defined role, which is a discrete general resource profile in the ROLE class.

ADDROLES(profile-name)
Specifies a list of roles that reference this group.

The profile-name value should be the name of a defined role, which is a discrete general resource profile in the ROLE class.

DELROLES(profile-name)
Specifies that specific roles from the current list of roles are to be removed.

The profile-name value should be the name of a defined role, which is a discrete general resource profile in the ROLE class.

NOROLES
Specifies that the entire list of roles be removed.
NOTME
Specifies that RACF delete the TME segment from the group profile.

Examples

Example 1

Operation: User WJB10 wants to change the superior group and owning group for PROJECTA from RESEARCH to PAYROLL. Users connected to group PROJECTA are authorized access to terminals according to the universal access authority of the terminal.

Known: User WJB10 has JOIN authority in RESEARCH and is the owner of PAYROLL.

PROJECTA is a subgroup of RESEARCH.

User WJB10 wants to issue the command as a RACF TSO command.

Command: ALTGROUP PROJECTA SUPGROUP(PAYROLL) OWNER(PAYROLL) TERMUACC

Defaults: None.

Example 2

Operation: User MULES wants to change the superior group for PROJECTB from SYS1 to RESEARCH and assign RESEARCH as the new owner.

Known: User MULES has the SPECIAL attribute.

PROJECTB is a subgroup of SYS1. User MULES wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.

Command: @ALTGROUP PROJECTB SUPGROUP(RESEARCH) OWNER(RESEARCH)

Defaults: None.

Example 3

Operation: User SJR2 wants to change the installation-defined information associated with the RSC1 group and delete the model name. User SJR2 wants to direct the command to run under the authority of user ANW01.

Known: User SJR2 is the owner of group RSC1. User SJR2 wants to issue the command as a RACF TSO command. SJR2 and ANW01 have an already established user ID association. User ANW01 is the owner of group RSC1.

Command: ALTGROUP RSC1 DATA('RESOURCE USAGE ADMINISTRATION') NOMODEL AT(.ANW01)

Defaults: Command direction defaults to the local node.

Example 4

Operation: User BILLC wants to make the following changes to the profile for group PROJECT6.
  • Change the default DFP management class to MCLASS7
  • Change the default DFP storage class to SCLASS3
  • Change the default DFP data class to DCLASS15
  • Delete the default DFP data application.

Known:
  • User BILLC has the SPECIAL attribute.
  • Group PROJECT6 has been defined to RACF, and PROJECT6's group profile contains a DFP segment.
  • MCLASS7 has been defined to RACF as a profile in the MGMTCLAS general resource class, and group PROJECT6 has been given READ access to this profile.
  • SCLASS3 has been defined to RACF as a profile in the STORCLAS general resource class, and group PROJECT6 has been given READ access to this profile.
  • User BILLC wants to issue the command as a RACF TSO command.

Command: ALTGROUP PROJECT6 DFP(MGMTCLAS(MCLASS7) STORCLAS(SCLASS3) DATACLAS(DCLASS15) NODATAAPPL)

Defaults: None.
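Commands like the ones above are often generated by scripts and queued in the RACF parameter library or a batch job, where a stray parenthesis or a conflicting operand pair is only found when the command fails. The following is an added example, not IBM code or a RACF interface, that parses the operand syntax shown on this page into a tree and applies the checks the text states: balanced parentheses, the group-name list first, mutually exclusive operand pairs, AUTOGID for a single group only, and OWNER/SUPGROUP agreeing when OWNER names a group. The operand table is derived from the syntax diagram on this page; `known_groups` is a constructed stand-in for a lookup in the RACF database, and the parser only recognises the operand names this page documents.

```python
# Added example (not IBM's code): a parser and pre-check for ALTGROUP
# command strings, based on the operand syntax documented on this page.
import re

_TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")   # quoted value, paren, or bare word

_GROUP_LEVEL = {"AT", "ONLYAT", "CSDATA", "NOCSDATA", "DATA", "NODATA", "DFP", "NODFP",
                "MODEL", "NOMODEL", "OMVS", "NOOMVS", "OVM", "NOOVM", "OWNER", "SUPGROUP",
                "TERMUACC", "NOTERMUACC", "TME", "NOTME"}
_EXCLUSIVE = [("AT", "ONLYAT"), ("CSDATA", "NOCSDATA"), ("DATA", "NODATA"), ("DFP", "NODFP"),
              ("MODEL", "NOMODEL"), ("OMVS", "NOOMVS"), ("OVM", "NOOVM"),
              ("TERMUACC", "NOTERMUACC"), ("TME", "NOTME")]


def _parse_items(tokens, i=0, depth=0):
    """Parse 'KEYWORD' or 'KEYWORD(item ...)' items until ')' or end of input.
    Returns (items, next_index); each item is (name, sub_items_or_None)."""
    items = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ")":
            if depth == 0:
                raise ValueError("unbalanced ')'")
            return items, i + 1
        if tok == "(":
            raise ValueError("'(' must directly follow a keyword")
        i += 1
        if i < len(tokens) and tokens[i] == "(":
            sub, i = _parse_items(tokens, i + 1, depth + 1)
            items.append((tok.upper(), sub))
        else:
            items.append((tok if tok.startswith("'") else tok.upper(), None))
    if depth:
        raise ValueError("missing ')'")
    return items, i


def _values(sub):
    """Flatten an operand body: plain names stay strings, nested operands become dicts."""
    return [name if body is None else {name: _values(body)} for name, body in sub]


def check_altgroup(text, known_groups=frozenset()):
    """Parse and validate one ALTGROUP command; raises ValueError on any problem."""
    items, _ = _parse_items(_TOKEN.findall(text))
    if not items:
        raise ValueError("empty command")
    verb, body = items[0]
    m = re.fullmatch(r"(.*?)(ALTGROUP|ALG)", verb)
    if not m:
        raise ValueError("not an ALTGROUP command")
    prefix = m.group(1)                      # subsystem prefix (operator command form)
    if body is not None:                     # ALTGROUP (G1 G2 ...) form
        groups, rest = [n for n, _ in body], items[1:]
    elif len(items) > 1 and items[1][1] is None:     # ALTGROUP G1 form
        groups, rest = [items[1][0]], items[2:]
    else:
        raise ValueError("group-name must be the first operand")
    operands = {}
    for kw, sub in rest:
        if kw not in _GROUP_LEVEL:
            raise ValueError(f"unknown operand {kw}")
        operands[kw] = _values(sub) if sub is not None else True
    for a, b in _EXCLUSIVE:
        if a in operands and b in operands:
            raise ValueError(f"{a} and {b} are mutually exclusive")
    owner, sup = operands.get("OWNER"), operands.get("SUPGROUP")
    owner = owner[0] if isinstance(owner, list) and owner else None
    sup = sup[0] if isinstance(sup, list) and sup else None
    if owner in known_groups and sup is not None and sup != owner:
        raise ValueError("OWNER names a group, so OWNER and SUPGROUP must specify the same group")
    omvs = operands.get("OMVS")
    if isinstance(omvs, list) and "AUTOGID" in omvs and len(groups) > 1:
        raise ValueError("AUTOGID cannot be specified for more than one group")
    return {"prefix": prefix, "groups": groups, "operands": operands}


def is_valid_altgroup(text, known_groups=frozenset()):
    """Boolean wrapper around check_altgroup for batch pre-checks."""
    try:
        check_altgroup(text, known_groups)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_altgroup("ALTGROUP PROJECT6 DFP(MGMTCLAS(MCLASS7) STORCLAS(SCLASS3) "
                         "DATACLAS(DCLASS15) NODATAAPPL)"))
    print(is_valid_altgroup("ALTGROUP PROJECT6 DFP(MGMTCLAS(MCLASS7) NODATAAPPL))"))
```

The check is purely syntactic plus the rules this page states; it does not know whether MCLASS7 exists in the MGMTCLAS class or whether the issuer holds the authority described under "Authorization required", so a command that passes here can still be rejected by RACF.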

Copyright IBM Corporation 1990, 2014