Purpose

Use the ALTGROUP command to change:
- The superior group of a group
- The owner of a group
- The terminal indicator for a group
- A model profile name for a group
- The installation-defined data associated with a group
- The default segment information for a group (for example, DFP or OMVS)
Issuing options

The following table identifies the eligible options for issuing the ALTGROUP command:

| As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands. For information on issuing this command as a RACF operator command, refer to RACF operator commands. You must be logged on to the console to issue this command as a RACF operator command.
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
To change the superior group of a group, you must have at least one of the following authorizations:
- You must have the SPECIAL attribute
- All the following group profiles must be within the scope of a group in which you have the group-SPECIAL attribute:
  - The group whose superior group you are changing
  - The current superior group
  - The new superior group
- You must be the owner of, or have JOIN authority in, both the current and the new superior groups.

Note: You can have JOIN authority in one group and be the owner of or have the group-SPECIAL attribute in the other group.

If you have any of the following authorizations, you can specify any operand except as otherwise listed below:
- The SPECIAL attribute
- The group profile is within the scope of a group in which you have the group-SPECIAL attribute
- You are the current owner of the group.
To add, delete, or alter segments, such as DFP or OMVS, in a group's profile, you must have at least one of the following authorizations:

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

To specify the SHARED keyword, you must have the SPECIAL attribute or at least READ authority to the SHARED.IDS resource in the UNIXPRIV class.
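To see how the superior-group authorization paths above combine, here is an added example that models them in Python; it is not IBM code and not part of this reference. The Group and User classes, the ownership-chain model of group-SPECIAL scope, and the constructed group tree are assumptions.

```python
"""Model of the SUPGROUP authorization rules stated above, to check who may
move a group before the change is attempted. Added example, not IBM code."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    owner: str      # user ID or group name that owns the group profile
    supgroup: str   # superior group ("" for the root group)


@dataclass
class User:
    name: str
    special: bool = False
    group_special: set = field(default_factory=set)  # groups where user holds group-SPECIAL
    join: set = field(default_factory=set)           # groups where user has JOIN authority


def scope_of(groups, root):
    """Groups within the scope of `root`: root itself plus every group owned,
    directly or through other groups, by a group in scope. Assumption: scope
    is modelled on the ownership chain, as a simplification."""
    scope, grew = {root}, True
    while grew:
        grew = False
        for g in groups.values():
            if g.name not in scope and g.owner in scope:
                scope.add(g.name)
                grew = True
    return scope


def can_change_supgroup(user, groups, target, new_sup):
    """Return (allowed, reason) by walking the three authorization paths."""
    current = groups[target].supgroup
    if user.special:
        return True, "SPECIAL attribute"
    scope = set().union(*(scope_of(groups, g) for g in user.group_special))
    if {target, current, new_sup} <= scope:
        return True, "group-SPECIAL scope covers target, current and new superior"

    def holds(g):  # each superior group may be satisfied by a different authority
        return groups[g].owner == user.name or g in user.join or g in scope
    if holds(current) and holds(new_sup):
        return True, "owner of, JOIN in, or group-SPECIAL over both superior groups"
    return False, "no SPECIAL, group-SPECIAL scope, ownership or JOIN authority"


# Constructed group tree, modelled on Examples 1 and 2 of this page.
GROUPS = {g.name: g for g in [
    Group("SYS1", "IBMUSER", ""),
    Group("RESEARCH", "SYS1", "SYS1"),
    Group("PAYROLL", "WJB10", "SYS1"),
    Group("PROJECTA", "RESEARCH", "RESEARCH"),
    Group("PROJECTB", "SYS1", "SYS1"),
]}
WJB10 = User("WJB10", join={"RESEARCH"})   # Example 1: JOIN in RESEARCH, owns PAYROLL
MULES = User("MULES", special=True)        # Example 2: SPECIAL attribute
ANW01 = User("ANW01", join={"RESEARCH"})   # constructed: JOIN in RESEARCH only

if __name__ == "__main__":
    print(can_change_supgroup(WJB10, GROUPS, "PROJECTA", "PAYROLL"))  # allowed
    print(can_change_supgroup(MULES, GROUPS, "PROJECTB", "RESEARCH"))  # allowed
    print(can_change_supgroup(ANW01, GROUPS, "PROJECTA", "PAYROLL"))  # denied
```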
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ALTGROUP command is:

    [subsystem-prefix]{ALTGROUP | ALG}

    (group-name …)

    [ AT([node].userid …) | ONLYAT([node].userid …) ]

    [ CSDATA( [ custom-field-name(custom-field-value) | NOcustom-field-name ] … )
    | NOCSDATA ]

    [ DATA('installation-defined-data') | NODATA ]

    [ DFP(
        [ DATAAPPL(application-name) | NODATAAPPL ]
        [ DATACLAS(data-class-name) | NODATACLAS ]
        [ MGMTCLAS(management-class-name) | NOMGMTCLAS ]
        [ STORCLAS(storage-class-name) | NOSTORCLAS ]
      )
    | NODFP ]

    [ MODEL(dsname) | NOMODEL ]

    [ OMVS(
        [ AUTOGID
        | GID(group-identifier) [SHARED]
        | NOGID ]
      )
    | NOOMVS ]

    [ OVM(
        [ GID(group-identifier) | NOGID ]
      )
    | NOOVM ]

    [ OWNER(userid or group-name) ]

    [ SUPGROUP(group-name) ]

    [ TERMUACC | NOTERMUACC ]

    [ TME(
        [ ROLES(profile-name …)
        | ADDROLES(profile-name …)
        | DELROLES(profile-name …)
        | NOROLES ]
      )
    | NOTME ]
Parameters

- subsystem-prefix
  Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
  Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- group-name
  Specifies the name of the group whose definition you want to change. If you specify more than one group name, the list of names must be enclosed in parentheses.
  This operand is required and must be the first operand following ALTGROUP.
- AT | ONLYAT
  The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
  - AT([node].userid …)
    Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed to the local node.
  - ONLYAT([node].userid …)
    Specifies that the command is to be directed only to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed only to the local node.
- CSDATA | NOCSDATA
  - CSDATA
    Specifies information to add, change, or remove a custom field for this group.
    - custom-field-name … | NOcustom-field-name …
      Specifies the name and value of a custom field for this group. You can define multiple custom field values with a single ALTGROUP command.
      - custom-field-name(custom-field-value) …
        Specifies the name and value of a custom field for this group. You can specify values for multiple custom fields with a single ALTGROUP command.
        Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
        Rules:
        - You must use the same custom-field-name as defined by the CFIELD profile named GROUP.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
        - You must specify a custom-field-value that is valid for the attributes of this custom field. (The attributes, such as data type, are defined in the CFDEF segment of the CFIELD profile.)
      - NOcustom-field-name …
        Removes the custom field information for this group. You can remove values for multiple custom fields with a single ALTGROUP command.
        When you append the prefix NO to the name of the custom field, you delete the value for that custom field from the group's profile. For example, if your installation has defined a custom field named COMPADDR and you want to remove the COMPADDR field from the profile of the group ABCSUPLY, you might issue the following command:
        Example: ALTGROUP ABCSUPLY CSDATA(NOCOMPADDR)
  - NOCSDATA
    Deletes the CSDATA segment from the group profile.
- DATA | NODATA
  - DATA('installation-defined-data')
    Specifies up to 255 characters of installation-defined data to be stored in the group profile; the data must be enclosed in single quotation marks. It can also contain double-byte character set (DBCS) data.
    Use the LISTGRP command to list this information.
  - NODATA
    Specifies that the ALTGROUP command is to delete any installation-defined data in the group profile.
- DFP | NODFP
  - DFP
    Specifies that when you change the profile of a group, you can enter any of the following suboperands to add, change, or delete default values for the DFP data application, data class, management class, and storage class. DFP uses this information to determine data management and DASD storage characteristics when a user creates a new data set for a group.
    - DATAAPPL | NODATAAPPL
      - DATAAPPL(application-name)
        Specifies the name of a DFP data application. The name you specify can contain up to 8 alphanumeric characters.
      - NODATAAPPL
        Specifies that you want to delete the DFP data application name from the DFP segment of the group's profile.
    - DATACLAS | NODATACLAS
      - DATACLAS(data-class-name)
        Specifies the default data class. The class name you specify can contain up to 8 alphanumeric characters.
        A data class can specify some or all of the physical data set attributes associated with a new data set. During new data set allocation, data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).
        For information on defining DFP data classes, see z/OS DFSMSdfp Storage Administration.
      - NODATACLAS
        Specifies that you want to delete the default data class name from the DFP segment of the group's profile.
    - MGMTCLAS | NOMGMTCLAS
      - MGMTCLAS(management-class-name)
        Specifies the default management class. The class name you specify can contain up to 8 alphanumeric characters.
        A management class contains a collection of management policies that apply to data sets. Data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).
        Note: The value you specify must be defined as a profile in the MGMTCLAS general resource class, and the group must be granted at least READ access to the profile. Otherwise, RACF does not allow the group access to the specified MGMTCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.
        For information on defining DFP management classes, see z/OS DFSMSdfp Storage Administration.
      - NOMGMTCLAS
        Specifies that you want to delete the default management class name from the DFP segment of the group's profile.
    - STORCLAS | NOSTORCLAS
      - STORCLAS(storage-class-name)
        Specifies the default storage class. The class name you specify can contain up to 8 alphanumeric characters.
        A storage class specifies the service level (performance and availability) for data sets managed by the Storage Management Subsystem (SMS). During new data set allocation, data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).
        Note: The value you specify must be defined as a profile in the STORCLAS general resource class, and the group must be granted at least READ access to the profile. Otherwise, RACF does not allow the group access to the specified STORCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.
        For information on defining DFP storage classes, see z/OS DFSMSdfp Storage Administration.
      - NOSTORCLAS
        Specifies that you want to delete the default storage class name from the DFP segment of the group's profile.
  - NODFP
    Specifies that RACF should delete the DFP segment from the group's profile.
- MODEL | NOMODEL
  - MODEL(dsname)
    Specifies the name of a data set profile that RACF is to use as a model when new data set profiles are created that have group-name as the high-level qualifier. For this operand to be effective, the MODEL(GROUP) option on the SETROPTS command must be active. If the ALTGROUP command cannot find the dsname profile, it issues a warning message and places the profile name in the group entry.
    RACF always prefixes dsname with the group name when it accesses the profile.
    For information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.
  - NOMODEL
    Specifies that the ALTGROUP command is to delete the model name in the group profile.
- OMVS | NOOMVS
  - OMVS
    Specifies z/OS UNIX System Services information for the group profile being changed.
    - AUTOGID | GID | NOGID
      Specifies whether RACF is to automatically assign an unused GID value to the group, if a specific GID value is to be assigned, or if the group identifier from the OMVS segment of the group's profile is to be deleted.
      - AUTOGID
        Specifies that RACF is to automatically assign an unused GID value to the group. The GID value is derived from information obtained from the BPX.NEXT.USER profile in the FACILITY class. For more information on setting up BPX.NEXT.USER, see z/OS Security Server RACF Security Administrator's Guide.
        If you are using RRSF automatic command direction for the GROUP class, the command sent to other nodes will contain an explicit assignment of the GID value which was derived by RACF on the local node.
        Rules:
        - AUTOGID cannot be specified if more than one group is entered.
        - The AUTOGID keyword is mutually exclusive with the SHARED keyword.
        - If both GID and AUTOGID are specified, AUTOGID is ignored.
        - If both NOGID and AUTOGID are specified, AUTOGID is ignored.
        - Field-level access checking for the GID field applies when using AUTOGID.
        - AUTOGID cannot be used to reassign a GID value if one already exists for the group. If AUTOGID is specified, but the group already has a GID assigned, one of two things will happen.
          - If the preexisting GID is unique to this group, this value will be identified in informational message IRR52177I, and the value will be left unchanged. If RRSF automatic command direction is in effect for the GROUP class, then the outbound ALTGROUP command will be altered to contain the preexisting GID value in the OMVS GID keyword.
          - If the preexisting GID is not unique to this group, error message IRR52178I will be issued, and the command will fail. See IRR52178I for information on changing the group's existing GID value.
      - GID(group-identifier) [SHARED]
        - GID(group-identifier)
          Specifies the group identifier. The GID is a numeric value from 0 - 2 147 483 647.
          When a GID is assigned to a group, all users connected to that group who have a user identifier (UID) in their user profile can use functions such as the TSO/E command, OMVS, and can access z/OS UNIX files based on the GID and UID values assigned.
          Note:
          - If the security administrator has defined the SHARED.IDS profile in the UNIXPRIV class, the GID must be unique. Use the SHARED keyword in addition to GID to assign a value that is already in use.
          - If SHARED.IDS is not defined, RACF does not require the GID to be unique. The same value can be assigned to multiple groups, but this is not recommended because individual group control would be lost. However, if you want a set of groups to have exactly the same access to z/OS UNIX resources, you might decide to assign the same GID to more than one group.
          - RACF allows you to define and connect a user to more than 300 groups (which is the same as the NGROUPS_MAX variable defined in the POSIX standard), but when a process is created or z/OS UNIX group information is requested, only up to the first 300 z/OS UNIX groups are associated with the process or user.
            The first 300 z/OS UNIX groups that have GIDs to which a user is connected are used by z/OS UNIX. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are z/OS UNIX groups.
            See z/OS UNIX System Services Planning for information on NGROUPS_MAX.
        - SHARED
          If the security administrator has chosen to control the use of shared GIDs, this keyword must be used in addition to the GID keyword to specify the group identifier if it is already in use by at least one other group. The administrator controls shared GIDs by defining the SHARED.IDS profile in the UNIXPRIV class.
          Rules:
          - If the SHARED.IDS profile is not defined, SHARED is ignored.
          - If SHARED is specified in the absence of GID, it is ignored.
          - If the SHARED.IDS profile is defined and SHARED is specified, but the value specified with GID is not currently in use, SHARED is ignored and UNIXPRIV authority is not required.
          - Field-level access checking for the GID field applies when using SHARED.
          - The SHARED keyword is mutually exclusive with the AUTOGID keyword.
      - NOGID
        Specifies that you want to delete the group identifier from the OMVS segment of the group's profile.
  - NOOMVS
    Specifies that RACF delete the OMVS segment from the group's profile.
- OVM | NOOVM
  - OVM
    Specifies OpenExtensions VM information for the group profile being changed.
    - GID | NOGID
      - GID(group-identifier)
        Specifies the group identifier. The GID is a numeric value from 0 - 2 147 483 647.
        Note:
        - RACF does not require the GID to be unique. The same value can be assigned to multiple groups, but this is not recommended because individual group control would be lost. However, if you want a set of groups to have exactly the same access to the OpenExtensions VM resources, you might decide to assign the same GID to more than one group.
        - Exercise caution when changing the GID for a group. The following situations might occur:
          - If the file system contains files that contain the old GID as the file owner GID, the members of the group lose access to those files, depending on the permission bits associated with the file.
          - If files exist with an owner GID equal to the group's new GID value, the members of the group gain access to these files.
          - If another group is subsequently added with the old value as its GID, the members of the group might have access to the old files.
          - If you have an EXEC.Ggid profile in the VMPOSIX class for the old GID value, make sure you delete this profile and create another to reflect the new value.
        - The value defined for the NGROUPS_MAX variable in the ICHNGMAX macro on VM defines the maximum number of OpenExtensions VM groups to be associated with an OpenExtensions VM process or user. The NGROUPS_MAX variable on VM is a number 32 - 125, inclusive.
          However, RACF allows you to define and connect a user to more than the number of groups defined in this variable. If the NGROUPS_MAX variable is n and a process is created or OpenExtensions VM group information is requested, only up to the first n OpenExtensions VM groups are associated with the process or user. The first n OpenExtensions VM groups to which a user is connected are used by OpenExtensions VM. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are OpenExtensions VM groups.
          See z/OS Security Server RACF Macros and Interfaces for information on NGROUPS_MAX.
      - NOGID
        Specifies that you want to delete the group identifier from the OVM segment of the group's profile.
        If NOGID is specified for the group, the default GID of 4294967295 (X'FFFFFFFF') is assigned on VM. The LISTGRP command displays the field name followed by the word NONE.
  - NOOVM
    Specifies that RACF delete the OVM segment from the group's profile.
- OWNER(userid or group-name)
  Specifies a RACF-defined user or group you want to be the new owner of the group.
  To change the owner of a group, you must be the current owner of the group, or have the SPECIAL attribute, or have the group-SPECIAL attribute in the group owning the profile.
  If you specify a group name, then OWNER and SUPGROUP must specify the same group name.
- SUPGROUP(group-name)
  Specifies the name of the RACF-defined group you want to make the new superior group for the group profile you are changing.
  The new superior group must not be the same as the current one, and it must not have any level of subgroup relationship to the group you are changing.
  To change a superior group, you must have the SPECIAL attribute, the group profile must be within the scope of a group in which you have the group-SPECIAL attribute, or you must have JOIN authority in, or be the owner of, both the current and new superior groups. Note that you can have JOIN authority in one group and be the owner of or have the group-SPECIAL attribute in the other group.
  If owner is a group name, OWNER and SUPGROUP must specify the same group name.
- TERMUACC | NOTERMUACC
  - TERMUACC
    Specifies that during terminal authorization checking, RACF is to allow the use of the universal access authority for a terminal when it checks whether a user in the group is authorized to access a terminal.
  - NOTERMUACC
    Specifies that the group or a user connected to the group must be authorized (using the PERMIT command with at least READ authority) to access a terminal.
- TME | NOTME
  - TME
    Specifies that information for the Tivoli® Security Management Application is to be added, changed, or deleted.
    Note: The TME segment fields are intended to be updated only by the Tivoli Security Management Application, which manages updates, permissions, and cross references. A security administrator should only directly update Tivoli Security Management fields on an exception basis.
    - ROLES | ADDROLES | DELROLES | NOROLES
      - ROLES(profile-name)
        Specifies a list of roles that reference this group.
        The profile-name value should be the name of a defined role, which is a discrete general resource profile in the ROLE class.
      - ADDROLES(profile-name)
        Specifies a list of roles that reference this group.
        The profile-name value should be the name of a defined role, which is a discrete general resource profile in the ROLE class.
      - DELROLES(profile-name)
        Specifies that specific roles from the current list of roles are to be removed.
        The profile-name value should be the name of a defined role, which is a discrete general resource profile in the ROLE class.
      - NOROLES
        Specifies that the entire list of roles be removed.
  - NOTME
    Specifies that RACF delete the TME segment from the group profile.
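Several of the operand rules above (the AUTOGID, GID, SHARED and NOGID interactions in the OMVS segment, the OWNER/SUPGROUP pairing rule, and the DATA length limit) can be checked before a command is submitted. The following is an added example, not IBM code and not part of this reference; the parse and lint functions and the known_groups input are assumptions, and operands are expected as keyword(value) with no blank before the parenthesis.

```python
"""Pre-submission lint for ALTGROUP commands, encoding operand rules from
this reference page. Added example, not IBM code: RACF itself remains
the authority on what is accepted."""
import re

# Tokens: 'quoted string' (with '' escape), a single parenthesis, or a bare word.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[()]|[^\s()']+")
GID_MAX = 2_147_483_647


def parse(cmd):
    """Parse RACF operand syntax into [(NAME, args)]: args is None for a bare
    keyword, a nested list for KEYWORD(...). Assumes '(' directly follows
    its keyword (ALTGROUP (G1 G2) is parsed as the group list)."""
    toks, pos = _TOKEN.findall(cmd), 0

    def items(stop):
        nonlocal pos
        out = []
        while pos < len(toks) and toks[pos] != stop:
            tok = toks[pos]
            pos += 1
            if tok in '()':
                raise ValueError(f"unexpected {tok!r}")
            if pos < len(toks) and toks[pos] == '(':      # KEYWORD(...)
                pos += 1
                out.append((tok.upper(), items(')')))
            else:
                out.append((tok if tok.startswith("'") else tok.upper(), None))
        if stop:
            if pos >= len(toks):
                raise ValueError("missing ')'")
            pos += 1                                        # consume ')'
        return out
    return items(None)


def lint(cmd, known_groups=frozenset()):
    """Return [(level, message)]. known_groups: the installation's group names
    (constructed input) so OWNER(group) can be told apart from OWNER(userid)."""
    ops = parse(cmd)
    head, grouplist = ops[0]
    if not head.endswith(('ALTGROUP', 'ALG')):            # optional @prefix
        return [('ERROR', 'not an ALTGROUP command')]
    if grouplist is not None:                             # ALTGROUP (G1 G2)
        names, rest = [n for n, _ in grouplist], ops[1:]
    elif len(ops) > 1 and ops[1][1] is None:              # ALTGROUP G1
        names, rest = [ops[1][0]], ops[2:]
    else:
        return [('ERROR', 'group-name must be the first operand')]
    kw, f = dict(rest), []
    if 'AT' in kw and 'ONLYAT' in kw:
        f.append(('ERROR', 'AT and ONLYAT are alternatives'))
    omvs = dict(kw.get('OMVS') or [])
    if 'AUTOGID' in omvs:
        if len(names) > 1:
            f.append(('ERROR', 'AUTOGID cannot be specified for more than one group'))
        if 'SHARED' in omvs:
            f.append(('ERROR', 'AUTOGID and SHARED are mutually exclusive'))
        if 'GID' in omvs or 'NOGID' in omvs:
            f.append(('WARN', 'AUTOGID is ignored when GID or NOGID is also given'))
    if 'SHARED' in omvs and 'GID' not in omvs:
        f.append(('WARN', 'SHARED without GID is ignored'))
    gid = [v for v, _ in omvs.get('GID') or []]
    if gid and not (gid[0].isdigit() and int(gid[0]) <= GID_MAX):
        f.append(('ERROR', f'GID must be numeric, 0 - {GID_MAX}: {gid[0]}'))
    owner, sup = kw.get('OWNER') or [], kw.get('SUPGROUP') or []
    if owner and owner[0][0] in known_groups and (not sup or sup[0][0] != owner[0][0]):
        f.append(('ERROR', 'OWNER(group) requires SUPGROUP to name the same group'))
    if 'DATA' in kw:
        s = (kw['DATA'] or [('', None)])[0][0]
        if not (len(s) > 1 and s[0] == s[-1] == "'") or len(s[1:-1].replace("''", "'")) > 255:
            f.append(('ERROR', 'DATA must be a quoted string of at most 255 characters'))
    return f
```

Running lint over the commands in the Examples section below returns no findings, while an unbalanced parenthesis raises ValueError from parse before any rule is applied.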
Examples

Example 1
  Operation: User WJB10 wants to change the superior group and owning group for PROJECTA from RESEARCH to PAYROLL. Users connected to group PROJECTA are authorized access to terminals according to the universal access authority of the terminal.
  Known: User WJB10 has JOIN authority in RESEARCH and is the owner of PAYROLL. PROJECTA is a subgroup of RESEARCH. User WJB10 wants to issue the command as a RACF TSO command.
  Command: ALTGROUP PROJECTA SUPGROUP(PAYROLL) OWNER(PAYROLL) TERMUACC
  Defaults: None.

Example 2
  Operation: User MULES wants to change the superior group for PROJECTB from SYS1 to RESEARCH and assign RESEARCH as the new owner.
  Known: User MULES has the SPECIAL attribute. PROJECTB is a subgroup of SYS1. User MULES wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
  Command: @ALTGROUP PROJECTB SUPGROUP(RESEARCH) OWNER(RESEARCH)
  Defaults: None.

Example 3
  Operation: User SJR2 wants to change the installation-defined information associated with the RSC1 group and delete the model name. User SJR2 wants to direct the command to run under the authority of user ANW01.
  Known: User SJR2 is the owner of group RSC1. User SJR2 wants to issue the command as a RACF TSO command. SJR2 and ANW01 have an already established user ID association. User ANW01 is the owner of group RSC1.
  Command: ALTGROUP RSC1 DATA('RESOURCE USAGE ADMINISTRATION') NOMODEL AT(.ANW01)
  Defaults: Command direction defaults to the local node.
Example 4
  Operation: User BILLC wants to make the following changes to the profile for group PROJECT6.
  - Change the default DFP management class to MCLASS7
  - Change the default DFP storage class to SCLASS3
  - Change the default DFP data class to DCLASS15
  - Delete the default DFP data application.
  Known:
  - User BILLC has the SPECIAL attribute.
  - Group PROJECT6 has been defined to RACF, and PROJECT6's group profile contains a DFP segment.
  - MCLASS7 has been defined to RACF as a profile in the MGMTCLAS general resource class, and group PROJECT6 has been given READ access to this profile.
  - SCLASS3 has been defined to RACF as a profile in the STORCLAS general resource class, and group PROJECT6 has been given READ access to this profile.
  - User BILLC wants to issue the command as a RACF TSO command.
  Command: ALTGROUP PROJECT6 DFP(MGMTCLAS(MCLASS7) STORCLAS(SCLASS3) DATACLAS(DCLASS15) NODATAAPPL)
  Defaults: None.