z/OS Security Server RACF Command Language Reference


DELDSD (Delete data set profile)

z/OS Security Server RACF Command Language Reference
SA23-2292-00

Purpose

Use the DELDSD command to remove RACF® protection from tape or DASD data sets that are protected by either discrete or generic profiles.

When RACF protection is removed from a data set protected by a discrete profile:
  • The RACF indicator for the data set is turned off. For a DASD data set, the indicator is in the DSCB for a non-VSAM data set or in the catalog entry for a VSAM data set. For a tape data set, the indicator is in the TVTOC entry for the data set in the corresponding TAPEVOL profile.
  • The data set profile is deleted from the RACF database. (Note that the data set itself is not physically deleted or scratched.)

    If all the data sets in the TVTOC have expired, then RACF deletes the TAPEVOL profiles and the associated tape DATASET profiles.

To remove RACF protection from a non-VSAM DASD data set that is protected by a discrete profile, the data set must be online and not currently in use. For a VSAM data set that is protected by a discrete profile, the catalog for the data set must be online. The VSAM data set itself must also be online if the VSAM catalog recovery option is being used. If the required data set or catalog is not online, the DELDSD command processor requests that the volume be mounted if you have the TSO MOUNT authority.

Changes made to discrete profiles take effect after the DELDSD command is processed. Changes made to generic profiles do not take effect until one or more of the following steps is taken:
  • The user of the data set issues the LISTDSD command:
    LISTDSD DA(data-set-protected-by-the-profile) GENERIC
    Note: Use the data set name, not the profile name.
  • The security administrator issues the SETROPTS command:
    SETROPTS GENERIC(DATASET) REFRESH

    See SETROPTS command for authorization requirements.

  • The user of the data set logs off and logs on again.
Note: For more information, refer to z/OS Security Server RACF Security Administrator's Guide.

Issuing options

The following table identifies the eligible options for issuing the DELDSD command:

  • As a RACF TSO command? Yes
  • As a RACF operator command? Yes
  • With command direction? Yes
  • With automatic command direction? Yes
  • From the RACF parameter library? Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To remove RACF protection from a data set or to delete a generic data set profile, you must have sufficient authority over the data set. RACF performs authorization checking in the following sequence until you meet one of these conditions:
  • You have the SPECIAL attribute.
  • The data set profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • The high-level qualifier of the profile name (or the qualifier supplied by a command installation exit) is your user ID.
  • You are the owner of the profile.
  • For a discrete profile, you are on the access list with ALTER authority.
  • For a discrete profile, your group or one of your groups (if checking list of groups is active) is on the access list and has ALTER authority.
  • For a discrete profile, the universal access authority is ALTER.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DELDSD command is:

   
[subsystem-prefix]{DELDSD | DD}
  (profile-name…)
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ GENERIC | NOSET | SET ]
  [ VOLUME(volume-serial) ]
Note: If you specify a profile name containing generic characters, RACF ignores the VOLUME, SET and NOSET operands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

profile-name …
Specifies the name of the discrete or generic profile. If you specify more than one profile, the list must be enclosed in parentheses.

This operand is required and must be the first operand following DELDSD.

Note: Because RACF uses the RACF database and not the system catalog, you cannot use alias data set names.
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

GENERIC | NOSET | SET
If you do not specify GENERIC, NOSET, or SET, the default value is SET.
GENERIC
Specifies that RACF is to treat the profile name as a generic name, even if it does not contain any generic characters.
NOSET | SET
Specifies whether the RACF indicator should be set off or not.
If the profile name contains a generic character or if you specify GENERIC, RACF ignores this operand.
NOSET
Specifies that RACF is not to turn off the RACF indicator for the data set.

Use NOSET when you are transferring a RACF-indicated data set to another system where it is also to be RACF-protected. Leaving the indicator on prevents unauthorized access to the data set until it can be redefined on the new system. (To delete multiple data set profiles, see Example 2 for the SEARCH command.)

When you specify NOSET for a tape data set protected by a discrete profile, RACF deletes the discrete profile but retains the TVTOC entry for the data set name. You can then use a generic profile to protect the data set.

If you specify NOSET, the volumes on which the data set or catalog resides need not be online.

To use NOSET, you must have the SPECIAL attribute, the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the data set name (or the qualifier supplied by the naming conventions table or by a command installation exit) must be your user ID.

SET
Specifies that RACF is to turn off the RACF indicator for the data set. Use SET, which is the default value, when you are removing RACF protection for a data set. If the indicator is already off, the command fails.
VOLUME(volume-serial)
Specifies the volume on which the tape data set, the non-VSAM DASD data set, or the catalog for the VSAM data set resides.

If you specify this operand and volume-serial does not appear in the profile for the data set, the command fails.

If the data set name appears more than once in the RACF database and you do not specify VOLUME, the command fails. If the data set name appears only once and you do not specify VOLUME, no volume serial number checking is performed, and processing continues.

If the profile name contains a generic character or if you specify GENERIC, RACF ignores this operand.
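
The operand rules above, applied to command text as an added example that is not part of the IBM reference: the Python function below reports, for one DELDSD command, whether the profile is treated as generic, which operands RACF ignores, and what happens to the RACF indicator. The name analyze_deldsd, the tso_prefix parameter and the sample commands are this example's own, and it assumes that % and * are the generic characters, that the subsystem prefix is non-alphanumeric (like the @ used on this page), and that operands are not abbreviated.

```python
import re

GENERIC_CHARS = "*%"  # assumption: RACF generic characters (not listed on this page)
CMD = re.compile(r"\s*([^\w\s']{0,8})(DELDSD|DD)\s+(\([^)]*\)|\S+)(.*)$", re.I)

def analyze_deldsd(command, tso_prefix=None):
    """Return the effective meaning of one DELDSD command, per the operand rules."""
    m = CMD.match(command)
    if not m:
        raise ValueError("not a DELDSD command: %r" % command)
    subsys, _, names, rest = m.groups()
    profiles = []
    for name in names.strip("()").split():
        if name.startswith("'"):
            profiles.append(name.strip("'").upper())
        else:  # unquoted names get the TSO prefix, as in the page's Example 2
            profiles.append(((tso_prefix + ".") if tso_prefix else "") + name.upper())
    # Operands as KEYWORD or KEYWORD(value); abbreviations are not handled.
    ops = {k.upper(): v.upper() for k, v in re.findall(r"(\w+)(?:\(([^)]*)\))?", rest)}
    generic = "GENERIC" in ops or any(c in p for p in profiles for c in GENERIC_CHARS)
    notes = []
    if generic:
        indicator = "n/a"
        ignored = [k for k in ("VOLUME", "SET", "NOSET") if k in ops]
        notes.append("takes effect only after SETROPTS GENERIC(DATASET) REFRESH, "
                     "LISTDSD ... GENERIC, or logoff/logon")
    else:
        ignored = []
        indicator = "left on" if "NOSET" in ops else "turned off"
        if "NOSET" in ops:
            notes.append("NOSET needs SPECIAL, group-SPECIAL scope, or HLQ = user ID")
        if "VOLUME" not in ops:
            notes.append("fails if the name appears more than once in the RACF database")
    if subsys and ("AT" in ops or "ONLYAT" in ops):
        notes.append("AT/ONLYAT are valid only on a RACF TSO command")
    if "ONLYAT" in ops:
        notes.append("ONLYAT needs SPECIAL on both the issuer and the target user ID")
    return {"profiles": profiles, "generic": generic, "indicator": indicator,
            "ignored": ignored, "operator_command": bool(subsys), "notes": notes}

# Constructed inputs: the page's three examples plus one with ignored operands.
SAMPLES = [
    ("DELDSD 'CD0.DEPT1.DATA' ONLYAT(CPPD0.GCP02)", None),
    ("DELDSD DUPDS1.DATA VOLUME(DU2) NOSET", "KLE05"),
    ("@DELDSD 'SALES.*.DATA'", None),
    ("DD 'PAY.%%.LIST' VOLUME(VOL001) NOSET", None),
]

if __name__ == "__main__":
    for cmd, prefix in SAMPLES:
        print(cmd, "->", analyze_deldsd(cmd, prefix))
```

A command reported with indicator "left on" is the case to follow up during review: the discrete profile is gone, so the data set depends on being redefined or covered by a generic profile.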

Examples


Example 1
  Operation: User EH0 wants to remove discrete profile RACF protection from data set CD0.DEPT1.DATA. User EH0 wants to direct the command to run at node CPPD0 under the authority of user GCP02 and prohibit the command from being automatically directed to other nodes.
  Known: User GCP02 at CPPD0 owns data set CD0.DEPT1.DATA. User EH0 wants to issue the command as a RACF TSO command. Users EH0 and GCP02 at CPPD0 have an already established user ID association. Users EH0 and GCP02 at CPPD0 have the SPECIAL attribute.
  Command: DELDSD 'CD0.DEPT1.DATA' ONLYAT(CPPD0.GCP02)
  Results: The command is only processed at node CPPD0 and not automatically directed to any other nodes in the RRSF configuration.

Example 2
  Operation: User KLE05 wants to enter a RACF TSO command to remove discrete profile protection from data set KLE05.DUPDS1.DATA. The data set is a duplicate data set, and the user wants to remove the profile for the data set on volume DU2 without turning off the RACF indicator.
  Command: DELDSD DUPDS1.DATA VOLUME(DU2) NOSET
  Defaults: None.

Example 3
  Operation: User JTB01 wants to delete the generic profile and remove RACF protection from the data set or sets protected by the profile SALES.*.DATA
  Known: User JTB01 has the group-SPECIAL attribute in group SALES. User JTB01 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
  Command: @DELDSD 'SALES.*.DATA'
  Defaults: None.





Copyright IBM Corporation 1990, 2014