Purpose
Use the DELDSD command to remove RACF® protection from tape or DASD data sets that are protected by either discrete or generic profiles.
When RACF-protection is removed from a data set protected by a discrete
profile:
To remove RACF protection from a non-VSAM DASD data set that is protected by a discrete profile, the data set must be online and not currently in use. For a VSAM data set that is protected by a discrete profile, the catalog for the data set must be online. The VSAM data set itself must also be online if the VSAM catalog recovery option is being used. If the required data set or catalog is not online, the DELDSD command processor requests that the volume be mounted if you have the TSO MOUNT authority.
Changes made to discrete profiles take effect after the DELDSD command is processed. Changes made to generic profiles do not take effect until one or more of the following steps is taken:
- The user of the data set issues the LISTDSD command:
  LISTDSD DA(data-set-protected-by-the-profile) GENERIC
  Note: Use the data set name, not the profile name.
- The security administrator issues the SETROPTS command:
  SETROPTS GENERIC(DATASET) REFRESH
  See SETROPTS command for authorization requirements.
- The user of the data set logs off and logs on again.
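
The generic-profile sequence described above, as an added REXX example that is not part of the IBM documentation: it deletes the profile named in Example 3, issues the refresh only if the delete succeeded, and then lists whichever profile covers a data set afterward. The data set name SALES.EAST.DATA is constructed for illustration, and the exec assumes it runs in a TSO/E session under a user ID with the authority the commands require.

```rexx
/* REXX - added example, not IBM-supplied code.                       */
/* Delete one generic DATASET profile, refresh the in-storage generic */
/* profiles, then show what now protects a data set it used to cover. */

profile = 'SALES.*.DATA'      /* profile name taken from Example 3    */
sample  = 'SALES.EAST.DATA'   /* constructed data set name (assumed)  */

/* Record the protecting profile before the change, for comparison.   */
"LISTDSD DATASET('"sample"') GENERIC"

/* The profile name contains a generic character, so RACF ignores     */
/* VOLUME, SET and NOSET; none of them is coded here.                 */
"DELDSD '"profile"'"
if rc <> 0 then do
  say 'DELDSD ended with RC='rc'. No refresh issued.'
  exit rc
end

/* A change to a generic profile does not take effect until a refresh */
/* (or one of the other listed steps) is performed.                   */
"SETROPTS GENERIC(DATASET) REFRESH"
if rc <> 0 then do
  say 'SETROPTS REFRESH ended with RC='rc'. The change is not yet in effect.'
  exit rc
end

/* Query by data set name, not profile name, to see which generic     */
/* profile (if any) protects the data set after the deletion.         */
"LISTDSD DATASET('"sample"') GENERIC"
say 'Post-change LISTDSD ended with RC='rc
exit 0
```

Comparing the two LISTDSD displays shows whether the data set has fallen under a less specific generic profile or is no longer covered by one.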
Issuing options
The following table identifies the eligible options for issuing the DELDSD command:
| As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
To remove RACF protection from a data set or to delete a generic data set profile, you must have sufficient authority over the data set. RACF performs authorization checking in the following sequence until you meet one of these conditions:
- You have the SPECIAL attribute.
- The data set profile is within the scope of a group in which you have the group-SPECIAL attribute.
- The high-level qualifier of the profile name (or the qualifier supplied by a command installation exit) is your user ID.
- You are the owner of the profile.
- For a discrete profile, you are on the access list with ALTER authority.
- For a discrete profile, your group or one of your groups (if checking list of groups is active) is on the access list and has ALTER authority.
- For a discrete profile, the universal access authority is ALTER.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword, you must have the SPECIAL attribute, the user ID specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DELDSD command is:
    [subsystem-prefix]{DELDSD | DD}
        (profile-name…)
        [ AT([node].userid …) | ONLYAT([node].userid …) ]
        [ GENERIC | NOSET | SET ]
        [ VOLUME(volume-serial) ]
Note: If you specify a profile name containing generic characters, RACF ignores the VOLUME, SET and NOSET operands.
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- profile-name …
- Specifies the name of the discrete or generic profile. If you specify more than one profile, the list must be enclosed in parentheses.
This operand is required and must be the first operand following DELDSD.
Note: Because RACF uses the RACF database and not the system catalog, you cannot use alias data set names.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid …)
- Specifies that the command is to be directed to the node specified
by node, where it runs under the authority
of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is
directed to the local node.
- ONLYAT([node].userid …)
- Specifies that the command is to be directed only to
the node specified by node where it runs
under the authority of the user specified by userid in the RACF subsystem
address space.
If node is not specified,
the command is directed only to the local node.
- GENERIC | NOSET | SET
- If you do not specify GENERIC, NOSET, or SET, the default
value is SET.
- GENERIC
- Specifies that RACF is to treat the profile name
as a generic name, even if it does not contain any generic characters.
- NOSET | SET
- Specifies whether RACF is to turn off the RACF indicator for the data set. If the profile name contains a generic character or if you specify GENERIC, RACF ignores this operand.
- NOSET
- Specifies that RACF is not to turn off the RACF indicator for the data set.
Use NOSET when you are transferring a RACF-indicated
data set to another system where it is also to be RACF-protected.
Leaving the indicator on prevents unauthorized access to the data
set until it can be redefined on the new system. (To delete multiple data set profiles, see Example 2 for the SEARCH
command.)
When you specify NOSET for a tape data set protected
by a discrete profile, RACF deletes the discrete profile but retains the TVTOC entry for the
data set name. You can then use a generic profile to protect the data
set.
If you specify NOSET, the volumes on which the data set
or catalog resides need not be online.
To use NOSET, you must
have the SPECIAL attribute, the data set profile must be within the
scope of a group in which you have the group-SPECIAL attribute, or
the high-level qualifier of the data set name (or the qualifier supplied
by the naming conventions table or by a command installation exit)
must be your user ID.
- SET
- Specifies that RACF is to
turn off the RACF indicator
for the data set. Use SET, which is the default value, when you are
removing RACF protection for
a data set. If the indicator is already off, the command fails.
- VOLUME(volume-serial)
- Specifies the volume on which the
tape data set, the non-VSAM DASD data set, or the catalog for the
VSAM data set resides.
If you specify this operand and volume-serial does not appear in the profile for the data set, the command fails.
If the data set name appears more than once in the RACF database and you do not specify VOLUME,
the command fails. If the data set name appears only once and you
do not specify VOLUME, no volume serial number checking is performed,
and processing continues.
If the profile name contains a generic
character or if you specify GENERIC, RACF ignores this operand.
Examples
| | | |
|---|---|---|
| Example 1 | Operation | User EH0 wants to remove discrete profile RACF protection from data set CD0.DEPT1.DATA. User EH0 wants to direct the command to run at node CPPD0 under the authority of user GCP02 and prohibit the command from being automatically directed to other nodes. |
| | Known | User GCP02 at CPPD0 owns data set CD0.DEPT1.DATA. User EH0 wants to issue the command as a RACF TSO command. Users EH0 and GCP02 at CPPD0 have an already established user ID association. Users EH0 and GCP02 at CPPD0 have the SPECIAL attribute. |
| | Command | DELDSD 'CD0.DEPT1.DATA' ONLYAT(CPPD0.GCP02) |
| | Results | The command is only processed at node CPPD0 and not automatically directed to any other nodes in the RRSF configuration. |
| Example 2 | Operation | User KLE05 wants to enter a RACF TSO command to remove discrete profile protection from data set KLE05.DUPDS1.DATA. The data set is a duplicate data set, and the user wants to remove the profile for the data set on volume DU2 without turning off the RACF indicator. |
| | Command | DELDSD DUPDS1.DATA VOLUME(DU2) NOSET |
| | Defaults | None. |
| Example 3 | Operation | User JTB01 wants to delete the generic profile and remove RACF protection from the data set or sets protected by the profile SALES.*.DATA |
| | Known | User JTB01 has the group-SPECIAL attribute in group SALES. User JTB01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @. |
| | Command | @DELDSD 'SALES.*.DATA' |
| | Defaults | None. |