Purpose

Use the CONNECT command to connect a user to a group, modify a user's connection to a group, or assign the group-related user attributes. If you are creating a connection, defaults are available as stated for each operand. If you are modifying an existing connection, no defaults apply.
RACF® date handling: RACF interprets dates with 2-digit years as follows. (The yy value represents the 2-digit year.)
- If 70 < yy <= 99, the date is interpreted as 19yy.
- If 00 <= yy <= 70, the date is interpreted as 20yy.
Issuing options

The following table identifies the eligible options for issuing the CONNECT command:

| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Authorization required

The specified users and group must already be defined to RACF.
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
To use the CONNECT command, you must have at least one of the following:
- The SPECIAL attribute
- The group-SPECIAL attribute in the group
- The ownership of the group
- JOIN or CONNECT authority in the group.
You cannot give a user a higher level of authority in the group than you have.
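The eligibility conditions and the "no higher authority than you have" rule above, as an added, constructed model (not RACF code) that an auditor could use to pre-check a planned CONNECT. The ordering USE < CREATE < CONNECT < JOIN follows Group authorities; the assumption that SPECIAL, group-SPECIAL and the group owner may assign up to JOIN is this model's, not a statement of the page.

```python
# Constructed model of the CONNECT authorization rules on this page; not RACF code.
# Group authorities are hierarchical: USE < CREATE < CONNECT < JOIN.
AUTHORITY_RANK = {"USE": 0, "CREATE": 1, "CONNECT": 2, "JOIN": 3}


def connect_permitted(requester: dict, group: str, requested: str = "USE"):
    """Return (allowed, reason) for CONNECT ... GROUP(group) AUTHORITY(requested)
    issued by `requester`, a constructed description of the issuing user:
      special       -> bool, holds the SPECIAL attribute
      group_special -> set of groups where it holds group-SPECIAL
      owns          -> set of groups it owns
      authority     -> dict group -> its own authority level in that group
    """
    if requested not in AUTHORITY_RANK:
        return False, f"{requested} is not a valid group authority"
    own = requester["authority"].get(group)
    privileged = (requester["special"]
                  or group in requester["group_special"]
                  or group in requester["owns"])
    # Eligibility: at least one of the four conditions listed on this page.
    if not (privileged or own in ("JOIN", "CONNECT")):
        return False, ("needs SPECIAL, group-SPECIAL in the group, ownership of "
                       "the group, or JOIN/CONNECT authority in the group")
    # Ceiling: you cannot give a higher level of authority than you have.
    # Assumption of this model: the privileged cases may assign up to JOIN.
    ceiling = "JOIN" if privileged else own
    if AUTHORITY_RANK[requested] > AUTHORITY_RANK[ceiling]:
        return False, f"cannot grant {requested}: requester holds only {ceiling} in {group}"
    return True, f"AUTHORITY({requested}) in {group} permitted (ceiling {ceiling})"


# Example 1 on this page: WJE10 has JOIN authority to PAYROLL.
WJE10 = {"special": False, "group_special": set(), "owns": set(),
         "authority": {"PAYROLL": "JOIN"}}
# Example 2 on this page: EMWIN at RALNC has CONNECT authority to RESEARCH.
EMWIN = {"special": False, "group_special": set(), "owns": set(),
         "authority": {"RESEARCH": "CONNECT"}}

if __name__ == "__main__":
    print(connect_permitted(WJE10, "PAYROLL", "USE"))
    print(connect_permitted(EMWIN, "RESEARCH", "CREATE"))
    print(connect_permitted(EMWIN, "RESEARCH", "JOIN"))
```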
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class, and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword, you must have the SPECIAL attribute, the user ID specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
Note: If a user is added to a RACF group as a result of a CONNECT command while the user is logged on, the user must log off and log on again to use that authority to access resources in classes that have been RACLISTed. In addition, started tasks have to STOP and START to use the new authority. This might include started tasks such as JES2 or JES3.
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the CONNECT command is:

    [subsystem-prefix]{CONNECT | CO}
        (userid …)
        [ ADSP | NOADSP ]
        [ AT([node].userid …) | ONLYAT([node].userid …) ]
        [ AUDITOR | NOAUDITOR ]
        [ AUTHORITY(group-authority) ]
        [ GROUP(group-name) ]
        [ GRPACC | NOGRPACC ]
        [ OPERATIONS | NOOPERATIONS ]
        [ OWNER(userid or group-name) ]
        [ RESUME [(date)] | NORESUME ]
        [ REVOKE [(date)] | NOREVOKE ]
        [ SPECIAL | NOSPECIAL ]
        [ UACC [(access-authority)] ]
Parameters

- subsystem-prefix
  Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
  Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- userid
  Specifies the RACF-defined user to be connected to, or modified in, the group specified in the GROUP operand. If you are specifying more than one user, you must enclose the user IDs in parentheses.
  In general, the maximum number of users you can connect to one group is 5957. See z/OS Security Server RACF Macros and Interfaces for information about how to determine the exact maximum number.
  The exception to this is a group that has been defined as a UNIVERSAL group. A UNIVERSAL group may have an unlimited number of users, with USE authority, connected to it for the purpose of resource access. The number of users in a universal group with authority higher than USE, or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level, is still limited to 5957.
  When displayed with the LISTGRP command, not all members of a UNIVERSAL group will be listed. Only users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level will be shown in the member list.
  This operand is required and must be the first operand following CONNECT.
- ADSP | NOADSP
  - ADSP
    Specifies that when the user is connected to this group, all permanent tape and DASD data sets created by the user are RACF-protected by discrete profiles.
    RACF ignores the ADSP attribute at LOGON/job initiation if SETROPTS NOADSP is in effect.
  - NOADSP
    Specifies that the user is not to have the ADSP attribute. If you are creating a connection and omit both ADSP and NOADSP, NOADSP is the default.
    A user attribute of ADSP specified on the ADDUSER or ALTUSER command overrides NOADSP as a connect attribute.
- AT | ONLYAT
  The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
  - AT([node].userid …)
    Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed to the local node.
  - ONLYAT([node].userid …)
    Specifies that the command is to be directed only to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed only to the local node.
- AUDITOR | NOAUDITOR
  - AUDITOR
    Specifies that the user is to have the group-AUDITOR attribute when connected to this group.
    To enter the AUDITOR operand, you must have either the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
  - NOAUDITOR
    Specifies that the user is not to have the group-AUDITOR attribute when connected to this group. When you are creating a connection and omit both AUDITOR and NOAUDITOR, NOAUDITOR is the default. If you are modifying an existing connection, you must have either the SPECIAL attribute or the group-SPECIAL attribute in the group in which you are modifying the user's profile.
    A user attribute of AUDITOR specified on the ADDUSER or ALTUSER command overrides NOAUDITOR as a connect attribute.
- AUTHORITY(group-authority)
  Specifies the level of authority the user is to have in the group. The valid group authority values are USE, CREATE, CONNECT, and JOIN, as described in Group authorities. If you are creating a connection and omit AUTHORITY or enter it without a value, the default is USE.
  You cannot give a user a higher level of authority in the group than you have.
- GROUP(group-name)
  Specifies a RACF-defined group. If you omit this operand, the user is connected to or modified in your current connect group.
  Note: RACF allows you to connect a user to more than 300 groups, which is the value of the NGROUPS_MAX variable defined in the POSIX standard, but when z/OS UNIX group information is requested, only up to the first 300 z/OS UNIX groups that have GIDs are associated with the process or user.
  The first 300 z/OS UNIX groups that have GIDs to which a user is connected are used by z/OS UNIX. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are z/OS UNIX groups.
  In addition, the number of users connected to a group should be within the limits allowed by the NFS client for remote access to files. See z/OS UNIX System Services Planning for information on NGROUPS_MAX.
- GRPACC | NOGRPACC
  - GRPACC
    Specifies that when the user is connected to this group, any group data sets defined by the user are automatically accessible to other users in the group. The group whose name is used as the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit) has UPDATE access authority to the data set.
  - NOGRPACC
    Specifies that the user is not to have the GRPACC attribute. If you are creating a connection and omit both GRPACC and NOGRPACC, NOGRPACC is the default.
    A user attribute of GRPACC specified on the ADDUSER or ALTUSER command overrides NOGRPACC as a connect attribute.
- OPERATIONS | NOOPERATIONS
  - OPERATIONS
    Specifies that the user is to have the group-OPERATIONS attribute when connected to this group. The group-OPERATIONS user has authorization to do maintenance operations on all RACF-protected DASD data sets, tape volumes, and DASD volumes within the scope of the group unless the access list for a resource specifically limits the OPERATIONS user to an access authority that is less than the operation requires. You establish the lower access authority for the group-OPERATIONS user through the PERMIT command.
    To enter the OPERATIONS operand, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
  - NOOPERATIONS
    Specifies that the user is not to have the group-OPERATIONS attribute in this group. If you are creating a connection and omit both OPERATIONS and NOOPERATIONS, NOOPERATIONS is the default. If you are modifying an existing connection, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group in which you are modifying the user's profile.
    A user attribute of OPERATIONS specified on the ADDUSER or ALTUSER command overrides NOOPERATIONS as a connect attribute.
- OWNER(userid or group-name)
  Specifies a RACF-defined user or group to be assigned as the owner of the connect profile. If you are creating a connection and you do not specify an owner, you are defined as the owner of the connect profile.
- RESUME | NORESUME
  - RESUME[(date)]
    Specifies that the user, when connected to the group specified on the GROUP operand, is to be allowed to access the system again. You normally use RESUME to restore access to the system that has been prevented by a prior REVOKE operand. (RESUME, using the current date, is also the default when you are using the CONNECT command to create an initial connection between a user and this group.)
    If you specify a date, RACF does not allow the user to access the system until the date you specify. The date must be a future date; if it is not, you are prompted to provide a future date.
    Between the time you specify the RESUME and the time the RESUME takes effect, the RESUME is called a pending resumption (or a pending RESUME).
    You specify a date in the form mm/dd/yy, and you need not specify leading zeros; specifying 9/1/06 is the same as specifying 09/01/06. The date must be a future date; if it is not, you are prompted to provide a future date. RACF interprets dates as 20yy when yy is less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would be in the year 1994, and 09/01/14 would be in the year 2014.
    If you specify RESUME without a date, the RESUME takes effect immediately.
    When no REVOKE is in effect for the user, RACF ignores the RESUME operand and issues a message.
    Note:
    - If you use the ALTUSER command to issue a REVOKE for a user, you must use the ALTUSER command to issue the corresponding RESUME. Issuing RESUME on the CONNECT command does not restore access revoked on the ALTUSER command.
    - If you specify both REVOKE(date) and RESUME(date), RACF acts on them in date order. For example, if you specify RESUME(8/19/06) and REVOKE(8/5/06), RACF prevents the user from accessing the system from August 5, 2006, to August 18, 2006. On August 19, the user can again access the system.
      If a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing the system.
    - If RACF detects a conflict between REVOKE and RESUME (for example, you specify both without a date), RACF uses REVOKE.
    - To clear the RESUME date field, specify NORESUME.
    - To successfully resume a user whose revoke date has passed, you must specify NOREVOKE to clear the revoke date as well as specifying the RESUME keyword.
    - Downlevel systems sharing the RACF database should not be affected by the changes to REVOKE and RESUME processing. A user who is considered revoked on a z/OS® V1R7 system should also be considered revoked on a downlevel system.
  - NORESUME
    Specifies that RACF is to clear the RESUME date field in the user's group connection. You can use the NORESUME option to cancel the pending resumption (of a user's group connection) that resulted from a previous CONNECT command specified with RESUME(date).
- REVOKE | NOREVOKE
  - REVOKE[(date)]
    Specifies that RACF is to prevent the user from accessing the system by attempting to connect to the group specified on the GROUP operand. The user's profile and data sets are not deleted from the RACF database.
    If you specify a date, RACF does not prevent the user from accessing the system until the date you specify. The date must be a future date; if it is not, you are prompted to provide a future date.
    You specify a date in the form mm/dd/yy, and you need not specify leading zeros; specifying 9/1/06 is the same as specifying 09/01/06. The date must be a future date; if it is not, you are prompted to provide a future date. RACF interprets dates as 20yy when yy is less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would be in the year 1994, and 09/01/14 would be in the year 2014.
    Between the time you specify the REVOKE and the time the REVOKE takes effect, the REVOKE is called a pending revocation (or a pending REVOKE).
    When you specify REVOKE without a date, the following conditions apply:
    When a REVOKE is already in effect for the user, RACF ignores the REVOKE operand and issues a message.
    Note:
    - If you specify both REVOKE(date) and RESUME(date), RACF acts on them in date order. For example, if you specify RESUME(8/19/06) and REVOKE(8/5/06), RACF prevents the user from accessing the system from August 5, 2006, to August 18, 2006. On August 19, the user can again access the system.
      If a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing the system.
    - If RACF detects a conflict between REVOKE and RESUME (for example, you specify both without a date), RACF uses REVOKE.
    - To clear the REVOKE date field, specify NOREVOKE.
    - Downlevel systems sharing the RACF database should not be affected by the changes to REVOKE and RESUME processing. A user who is considered revoked on a z/OS V1R7 system should also be considered revoked on a downlevel system.
  - NOREVOKE
    Specifies that RACF is to clear the REVOKE date field in the user's group connection. You can use the NOREVOKE option to cancel the pending revocation (of a user's group connection) that resulted from a previous CONNECT command specified with REVOKE(date).
    To successfully resume a user whose revoke date has passed, you must specify NOREVOKE to clear the revoke date as well as specifying the RESUME keyword.
    The NOREVOKE option does not resume the user's group connection after it was revoked by the CONNECT REVOKE command.
- SPECIAL | NOSPECIAL
  - SPECIAL
    Specifies that the user is to have the group-SPECIAL attribute when connected to this group. To enter the SPECIAL operand, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
  - NOSPECIAL
    Specifies that the user is not to have the group-SPECIAL attribute. If you are creating a connection and omit both SPECIAL and NOSPECIAL, NOSPECIAL is the default. If you are modifying an existing connection, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group in which you are modifying the user's profile.
    A user attribute of SPECIAL specified on the ADDUSER or ALTUSER command overrides NOSPECIAL as a connect attribute.
- UACC[(access-authority)]
  Specifies the default value for the universal access authority for all new resource profiles the user defines while the specified group is the user's current connect group. The universal access authorities are ALTER, CONTROL, UPDATE, READ, and NONE. (RACF does not accept EXECUTE access authority with the CONNECT command.) If you are creating a connection and omit UACC or enter it without a value, the default is NONE.
  This operand is group-related. The user can have a different default universal access authority in each of the groups to which the user is connected (with the CONNECT command).
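The 2-digit-year window from the RACF date handling paragraph and the REVOKE(date)/RESUME(date) ordering rules from the RESUME and REVOKE notes, as an added, constructed model (not RACF code) that lets an administrator check on which days a connection would be revoked before issuing the command. The tie-breaking for two operands with the same date (REVOKE wins, extending the page's rule for two undated operands) is this model's assumption.

```python
from datetime import date

# Constructed model of the date rules on this page (2-digit year window,
# mm/dd/yy parsing, REVOKE/RESUME applied in date order); it is not RACF code.


def racf_year(yy: int) -> int:
    """Expand a 2-digit year: 00 <= yy <= 70 -> 20yy, 70 < yy <= 99 -> 19yy."""
    if not 0 <= yy <= 99:
        raise ValueError("yy must be between 00 and 99")
    return 2000 + yy if yy <= 70 else 1900 + yy


def parse_racf_date(text: str) -> date:
    """Parse mm/dd/yy; leading zeros are optional, so 9/1/06 == 09/01/06."""
    parts = text.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected mm/dd/yy, got {text!r}")
    mm, dd, yy = (int(p) for p in parts)
    return date(racf_year(yy), mm, dd)


def effective_date(operand: str, issued: date) -> date:
    """Date on which a REVOKE/RESUME operand takes effect.

    "" means the operand was given without a date (immediate); otherwise the
    operand is mm/dd/yy and must be a future date relative to `issued`, as
    RACF would otherwise prompt for a future date."""
    if operand == "":
        return issued
    when = parse_racf_date(operand)
    if when <= issued:
        raise ValueError(f"{operand} is not a future date; RACF would prompt for one")
    return when


def connection_revoked(revoke, resume, already_revoked: bool,
                       issued: date, today: date) -> bool:
    """Is the user's group connection revoked on `today`?

    revoke/resume are None (operand absent), "" (no date) or "mm/dd/yy".
    Events are applied in date order. On the same date RESUME sorts first and
    REVOKE last, so a conflict (such as both operands without a date)
    resolves to REVOKE; same-date ordering is an assumption of this model."""
    events = []
    if resume is not None:
        events.append((effective_date(resume, issued), 0, False))
    if revoke is not None:
        events.append((effective_date(revoke, issued), 1, True))
    state = already_revoked
    for when, _, revoked in sorted(events):
        if when <= today:
            state = revoked  # a redundant REVOKE or RESUME changes nothing
    return state


if __name__ == "__main__":
    # Example 3 on this page: REVOKE(8/5/94) RESUME(8/26/94) issued August 3, 1994.
    issued = parse_racf_date("8/3/94")
    print(connection_revoked("8/5/94", "8/26/94", False, issued, parse_racf_date("8/10/94")))
```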
Examples

Example 1
Operation: User WJE10 wants to connect users AFG5 and GMD2 to group PAYROLL and to make PAYROLL the owner of the connect profiles.
Known: User WJE10 has JOIN authority to group PAYROLL. User WJE10 is currently connected to group PAYROLL. Users AFG5 and GMD2 are defined to RACF but not connected to group PAYROLL. User WJE10 wants to issue the command as a RACF TSO command.
Command: CONNECT (AFG5 GMD2) OWNER(PAYROLL)
Defaults: GROUP(PAYROLL) AUTHORITY(USE) UACC(NONE) NOADSP NOGRPACC RESUME NOOPERATIONS NOSPECIAL NOAUDITOR

Example 2
Operation: User WRH0 wants to CONNECT user PDJ6 to group RESEARCH with CREATE authority and universal access of UPDATE. User WRH0 wants to direct the command to run under the authority of user EMWIN at node RALNC.
Known: User EMWIN at RALNC has CONNECT authority to group RESEARCH. RESEARCH is not the default group of user EMWIN at RALNC. User PDJ6 is defined to RACF on node RALNC but is not connected to group RESEARCH. User WRH0 wants to issue the command as a RACF TSO command. WRH0 and EMWIN at RALNC have an already established user ID association.
Command: CONNECT PDJ6 GROUP(RESEARCH) AUTHORITY(CREATE) UACC(UPDATE) AT(RALNC.EMWIN)
Defaults: NOGRPACC RESUME NOOPERATIONS NOSPECIAL NOAUDITOR NOADSP OWNER(WRH0)

Example 3
Operation: User IRB01 wants to revoke the user ID of an employee, user D5819, who will be on vacation for three weeks, starting on August 5, 1994.
Known: User IRB01 is the owner of the profile for user D5819. Today's date is August 3, 1994. User IRB01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
Command: @CONNECT D5819 REVOKE(8/5/94) RESUME(8/26/94)
Defaults: None.