z/OS Security Server RACF Command Language Reference


CONNECT (Connect user to group)

z/OS Security Server RACF Command Language Reference
SA23-2292-00

Purpose

Use the CONNECT command to connect a user to a group, modify a user's connection to a group, or assign the group-related user attributes. If you are creating a connection, defaults are available as stated for each operand. If you are modifying an existing connection, no defaults apply.

RACF® date handling: RACF interprets dates with 2-digit years as follows. (The yy value represents the 2-digit year.)
  • If 70 < yy <= 99, the date is interpreted as 19yy.
  • If 00 <= yy <= 70, the date is interpreted as 20yy.

Issuing options

The following table identifies the eligible options for issuing the CONNECT command:

As a RACF TSO command? Yes
As a RACF operator command? Yes
With command direction? Yes
With automatic command direction? Yes
From the RACF parameter library? Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

The specified users and group must already be defined to RACF.

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To use the CONNECT command, you must have at least one of the following:
  • The SPECIAL attribute
  • The group-SPECIAL attribute in the group
  • The ownership of the group
  • JOIN or CONNECT authority in the group.

You cannot give a user a higher level of authority in the group than you have.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Note: If a user is added to a RACF group as a result of a CONNECT command while the user is logged on, the user must logoff and logon again to use that authority to access resources in classes that have been RACLISTed. In addition, started tasks have to STOP and START to use the new authority. This might include started tasks such as JES2 or JES3.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the CONNECT command is:

[subsystem-prefix]{CONNECT | CO}
  (userid …)
  [ ADSP | NOADSP ]
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ AUDITOR | NOAUDITOR ]
  [ AUTHORITY(group-authority) ]
  [ GROUP(group-name) ]
  [ GRPACC | NOGRPACC ]
  [ OPERATIONS | NOOPERATIONS ]
  [ OWNER(userid or group-name) ]
  [ RESUME [ (date)] | NORESUME ]
  [ REVOKE [ (date)] | NOREVOKE ]
  [ SPECIAL | NOSPECIAL ]
  [ UACC [ (access-authority)] ]

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

userid
Specifies the RACF-defined user to be connected to, or modified in, the group specified in the GROUP operand. If you are specifying more than one user, you must enclose the user IDs in parentheses.

In general, the maximum number of users you can connect to one group is 5957. See z/OS Security Server RACF Macros and Interfaces for information about how to determine the exact maximum number.

The exception to this is a group that has been defined as a UNIVERSAL group. A UNIVERSAL group may have an unlimited number of users, with USE authority, connected to it for the purpose of resource access.

The number of users in a universal group with authority higher than USE, or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level, is still limited to 5957.

When displayed with the LISTGRP command, not all members of a UNIVERSAL group are listed: only users with authority higher than USE, or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level, are shown in the member list.

This operand is required and must be the first operand following CONNECT.

ADSP | NOADSP
ADSP
Specifies that when the user is connected to this group, all permanent tape and DASD data sets created by the user are RACF-protected by discrete profiles.

RACF ignores the ADSP attribute at LOGON/job initiation if SETROPTS NOADSP is in effect.

NOADSP
Specifies that the user is not to have the ADSP attribute. If you are creating a connection and omit both ADSP and NOADSP, NOADSP is the default. A user attribute of ADSP specified on the ADDUSER or ALTUSER command overrides NOADSP as a connect attribute.
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

AUDITOR | NOAUDITOR
AUDITOR
Specifies that the user is to have the group-AUDITOR attribute when connected to this group.

To enter the AUDITOR operand, you must have either the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.

NOAUDITOR
Specifies that the user is not to have the group-AUDITOR attribute when connected to this group. When you are creating a connection and omit both AUDITOR and NOAUDITOR, NOAUDITOR is the default. If you are modifying an existing connection, you must have either the SPECIAL attribute or the group-SPECIAL attribute in the group in which you are modifying the user's profile.

A user attribute of AUDITOR specified on the ADDUSER or ALTUSER command overrides NOAUDITOR as a connect attribute.

AUTHORITY(group-authority)
Specifies the level of authority the user is to have in the group. The valid group authority values are USE, CREATE, CONNECT, and JOIN, as described in Group authorities. If you are creating a connection and omit AUTHORITY or enter it without a value, the default is USE.

You cannot give a user a higher level of authority in the group than you have.

GROUP(group-name)
Specifies a RACF-defined group. If you omit this operand, the user is connected to or modified in your current connect group.
Note: RACF allows you to connect a user to more than 300 groups (300 being the value of the NGROUPS_MAX variable defined in the POSIX standard), but when z/OS UNIX group information is requested, only up to the first 300 z/OS UNIX groups that have GIDs are associated with the process or user.

The first 300 z/OS UNIX groups that have GIDs to which a user is connected are used by z/OS UNIX. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are z/OS UNIX groups.

In addition, the number of users connected to a group should be within the limits allowed by the NFS client for remote access to files. See z/OS UNIX System Services Planning for information on NGROUPS_MAX.

GRPACC | NOGRPACC
GRPACC
Specifies that when the user is connected to this group, any group data sets defined by the user are automatically accessible to other users in the group. The group whose name is used as the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit) has UPDATE access authority to the data set.
NOGRPACC
Specifies that the user is not to have the GRPACC attribute. If you are creating a connection and omit both GRPACC and NOGRPACC, NOGRPACC is the default. A user attribute of GRPACC specified on the ADDUSER or ALTUSER command overrides NOGRPACC as a connect attribute.
OPERATIONS | NOOPERATIONS
OPERATIONS
Specifies that the user is to have the group-OPERATIONS attribute when connected to this group. The group-OPERATIONS user has authorization to do maintenance operations on all RACF-protected DASD data sets, tape volumes, and DASD volumes within the scope of the group unless the access list for a resource specifically limits the OPERATIONS user to an access authority that is less than the operation requires.

You establish the lower access authority for the group-OPERATIONS user through the PERMIT command.

To enter the OPERATIONS operand, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.

NOOPERATIONS
Specifies that the user is not to have the group-OPERATIONS attribute in this group. If you are creating a connection and omit both OPERATIONS and NOOPERATIONS, NOOPERATIONS is the default. If you are modifying an existing connection, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group in which you are modifying the user's profile.

A user attribute of OPERATIONS specified on the ADDUSER or ALTUSER command overrides NOOPERATIONS as a connect attribute.

OWNER(userid or group-name)
Specifies a RACF-defined user or group to be assigned as the owner of the connect profile. If you are creating a connection and you do not specify an owner, you are defined as the owner of the connect profile.
RESUME | NORESUME
RESUME[(date)]
Specifies that the user, when connected to the group specified on the GROUP operand, is to be allowed to access the system again. You normally use RESUME to restore access to the system that has been prevented by a prior REVOKE operand. (RESUME, using the current date, is also the default when you are using the CONNECT command to create an initial connection between a user and this group.)

If you specify a date, RACF does not allow the user to access the system until the date you specify. The date must be a future date; if it is not, you are prompted to provide a future date.

Between the time you specify the RESUME and the time the RESUME takes effect, the RESUME is called a pending resumption (or a pending RESUME).

You specify a date in the form mm/dd/yy, and you need not specify leading zeros; specifying 9/1/06 is the same as specifying 09/01/06. The date must be a future date; if it is not, you are prompted to provide a future date. RACF interprets dates as 20yy when yy is less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would be in the year 1994, and 09/01/14 would be in the year 2014.

If you specify RESUME without a date, the RESUME takes effect immediately.

When no REVOKE is in effect for the user, RACF ignores the RESUME operand and issues a message.

Note:
  1. If you use the ALTUSER command to issue a REVOKE for a user, you must use the ALTUSER command to issue the corresponding RESUME. Issuing RESUME on the CONNECT command does not restore access revoked on the ALTUSER command.
  2. If you specify both REVOKE(date) and RESUME(date), RACF acts on them in date order. For example, if you specify RESUME(8/19/06) and REVOKE(8/5/06), RACF prevents the user from accessing the system from August 5, 2006, to August 18, 2006. On August 19, the user can again access the system.

    If a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing the system.

  3. If RACF detects a conflict between REVOKE and RESUME (for example, you specify both without a date), RACF uses REVOKE.
  4. To clear the RESUME date field, specify NORESUME.
  5. To successfully resume a user whose revoke date has passed, you must specify NOREVOKE to clear the revoke date as well as specifying the RESUME keyword.
  6. Downlevel systems sharing the RACF database should not be affected by the changes to REVOKE and RESUME processing. A user who is considered revoked on a z/OS® V1R7 system should also be considered revoked on a downlevel system.
NORESUME
Specifies that RACF is to clear the RESUME date field in the user's group connection. You can use the NORESUME option to cancel the pending resumption (of a user's group connection) that resulted from a previous CONNECT command specified with RESUME(date).
REVOKE | NOREVOKE
REVOKE[(date)]
Specifies that RACF is to prevent the user from accessing the system by attempting to connect to the group specified on the GROUP operand. The user's profile and data sets are not deleted from the RACF database.

If you specify a date, RACF does not prevent the user from accessing the system until the date you specify. The date must be a future date; if it is not, you are prompted to provide a future date.

You specify a date in the form mm/dd/yy, and you need not specify leading zeros; specifying 9/1/06 is the same as specifying 09/01/06. The date must be a future date; if it is not, you are prompted to provide a future date. RACF interprets dates as 20yy when yy is less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would be in the year 1994, and 09/01/14 would be in the year 2014.

Between the time you specify the REVOKE and the time the REVOKE takes effect, the REVOKE is called a pending revocation (or a pending REVOKE).

When you specify REVOKE without a date, the following conditions apply:
  • The REVOKE takes effect the next time the user tries to log on to the system.
  • Any pending RESUME date remains in effect unless you also specify NORESUME.

    Important: To permanently revoke system access, specify both REVOKE and NORESUME.

When a REVOKE is already in effect for the user, RACF ignores the REVOKE operand and issues a message.

Note:
  1. If you specify both REVOKE(date) and RESUME(date), RACF acts on them in date order. For example, if you specify RESUME(8/19/06) and REVOKE(8/5/06), RACF prevents the user from accessing the system from August 5, 2006, to August 18, 2006. On August 19, the user can again access the system.

    If a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing the system.

  2. If RACF detects a conflict between REVOKE and RESUME (for example, you specify both without a date), RACF uses REVOKE.
  3. To clear the REVOKE date field, specify NOREVOKE.
  4. Downlevel systems sharing the RACF database should not be affected by the changes to REVOKE and RESUME processing. A user who is considered revoked on a z/OS V1R7 system should also be considered revoked on a downlevel system.
NOREVOKE
Specifies that RACF is to clear the REVOKE date field in the user's group connection. You can use the NOREVOKE option to cancel the pending revocation (of a user's group connection) that resulted from a previous CONNECT command specified with REVOKE(date).

To successfully resume a user whose revoke date has passed, you must specify NOREVOKE to clear the revoke date as well as specifying the RESUME keyword.

The NOREVOKE option does not resume the user's group connection after it was revoked by the CONNECT REVOKE command.
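The following Python is an added illustration, not part of this reference: it models the 2-digit-year window stated under RACF date handling and the date-order and conflict rules from the RESUME and REVOKE notes, so an administrator can check what access state a CONNECT that carries both operands leaves a user in on a given day. The function names, and the convention of passing None for an omitted operand and "" for one given without a date, are assumptions of this example.

```python
from datetime import date


def racf_date(text: str) -> date:
    """Parse an mm/dd/yy RACF date; leading zeros are optional (9/1/06 == 09/01/06).

    Century window as stated on this page: yy <= 70 is 20yy, yy > 70 is 19yy.
    """
    mm, dd, yy = (int(part) for part in text.strip().split("/"))
    if not 0 <= yy <= 99:
        raise ValueError(f"{text}: yy must be a two-digit year")
    return date(2000 + yy if yy <= 70 else 1900 + yy, mm, dd)


def effective_access(revoke, resume, already_revoked, today, on):
    """Return True if the connected user may access the system on date `on`.

    revoke / resume (assumed convention for this example): None when the
    operand is not given, "" when given without a date (takes effect
    immediately, modelled as `today`), else an mm/dd/yy string.
    Rules modelled from the RESUME and REVOKE notes: dated operands apply in
    date order; a conflict (both take effect the same day, e.g. both given
    with no date) resolves to REVOKE; a dated operand must be a future date.
    """
    events = []  # (effective date, tie-break, access allowed after it)
    for text, allowed in ((resume, True), (revoke, False)):
        if text is None:
            continue
        if text == "":
            when = today
        else:
            when = racf_date(text)
            if when <= today:
                raise ValueError(f"{text} is not a future date")
        # RESUME sorts before REVOKE on the same day, so REVOKE wins a conflict.
        events.append((when, 0 if allowed else 1, allowed))
    access = not already_revoked
    for when, _, allowed in sorted(events):
        if when <= on:
            access = allowed
    return access


if __name__ == "__main__":
    # Example 3 from this page: @CONNECT D5819 REVOKE(8/5/94) RESUME(8/26/94)
    # issued on August 3, 1994 (a constructed run of the page's own example).
    today = racf_date("8/3/94")
    for day in ("8/4/94", "8/5/94", "8/25/94", "8/26/94"):
        ok = effective_access("8/5/94", "8/26/94", False, today, racf_date(day))
        print(day, "access allowed" if ok else "revoked")
```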

SPECIAL | NOSPECIAL
SPECIAL
Specifies that the user is to have the group-SPECIAL attribute when connected to this group. To enter the SPECIAL operand, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
NOSPECIAL
Specifies that the user is not to have the group-SPECIAL attribute. If you are creating a connection and omit both SPECIAL and NOSPECIAL, NOSPECIAL is the default. If you are modifying an existing connection, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group in which you are modifying the user's profile.

A user attribute of SPECIAL specified on the ADDUSER or ALTUSER command overrides NOSPECIAL as a connect attribute.

UACC[(access-authority)]
Specifies the default value for the universal access authority for all new resource profiles the user defines while the specified group is the user's current connect group. The universal access authorities are ALTER, CONTROL, UPDATE, READ, and NONE. (RACF does not accept EXECUTE access authority with the CONNECT command.) If you are creating a connection and omit UACC or enter it without a value, the default is NONE.

This operand is group-related. The user can have a different default universal access authority in each of the groups to which the user is connected (with the CONNECT command).

Examples

Example 1
Operation: User WJE10 wants to connect users AFG5 and GMD2 to group PAYROLL and to make PAYROLL the owner of the connect profiles.
Known:
  • User WJE10 has JOIN authority to group PAYROLL.
  • User WJE10 is currently connected to group PAYROLL.
  • Users AFG5 and GMD2 are defined to RACF but not connected to group PAYROLL.
  • User WJE10 wants to issue the command as a RACF TSO command.
Command: CONNECT (AFG5 GMD2) OWNER(PAYROLL)
Defaults: GROUP(PAYROLL) AUTHORITY(USE) UACC(NONE) NOADSP NOGRPACC RESUME NOOPERATIONS NOSPECIAL NOAUDITOR

Example 2
Operation: User WRH0 wants to CONNECT user PDJ6 to group RESEARCH with CREATE authority and universal access of UPDATE. User WRH0 wants to direct the command to run under the authority of user EMWIN at node RALNC.
Known:
  • User EMWIN at RALNC has CONNECT authority to group RESEARCH.
  • RESEARCH is not the default group of user EMWIN at RALNC.
  • User PDJ6 is defined to RACF on node RALNC but is not connected to group RESEARCH.
  • User WRH0 wants to issue the command as a RACF TSO command.
  • WRH0 and EMWIN at RALNC have an already established user ID association.
Command: CONNECT PDJ6 GROUP(RESEARCH) AUTHORITY(CREATE) UACC(UPDATE) AT(RALNC.EMWIN)
Defaults: NOGRPACC RESUME NOOPERATIONS NOSPECIAL NOAUDITOR NOADSP OWNER(WRH0)

Example 3
Operation: User IRB01 wants to revoke the user ID of an employee, user D5819, who will be on vacation for three weeks, starting on August 5, 1994.
Known:
  • User IRB01 is the owner of the profile for user D5819.
  • Today's date is August 3, 1994.
  • User IRB01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
Command: @CONNECT D5819 REVOKE(8/5/94) RESUME(8/26/94)
Defaults: None.

Copyright IBM Corporation 1990, 2014