z/OS Security Server RACF Diagnosis Guide


Profiles

z/OS Security Server RACF Diagnosis Guide
GA32-0886-00

The profiles, or entity records, contain the actual descriptions of the attributes and authorities for every entity (users, groups, DASD data sets, and resource classes defined in the class descriptor table) defined to RACF®. The number in the entry-type field identifies the type of profile and corresponds to the number of the template that maps this type of profile.

The record data (including the type of profile that it is) follows the header. This data consists of the fields that are mapped by a template. See the template description corresponding to each type of profile for the contents of these fields. The template descriptions are in z/OS Security Server RACF Macros and Interfaces.

Because the same entity name can occur in different classes, the RACF manager prefixes general-resource entity names with a class identifier: the class name, padded with trailing blanks to eight characters if it is shorter, followed by a dash (for example, DASDVOL -, TAPEVOL -, or TERMINAL- for DASD volumes, tape volumes, or terminals, respectively).
Note: If you define a profile and use generic characters such as (*) to add members to the profile, RLIST RESGROUP does not return any of the matching profiles in its output because it does not support generic matches.

Generic profile names have the first period in a DATASET profile replaced by X'01', and the dash in the class identifier for general-resource classes replaced by X'02'. Although these expanded names are transparent to the user, they appear when using the block update utility command or the IRRUT200 utility. You also need to be aware of them when constructing a database range table.

When a tape volume profile is initially created, RACF places the tape volume serial in the volume list of the profile. RACF creates an index entry and profile name in the standard way. If another tape volume is to be added (creating a volume set), RACF adds its volume serial to the volume list in the profile and creates an index entry for the volume that points to the profile.

For example, if there are six tape volumes in a tape volume set, there are six index entries pointing to the same profile and six volume serials in the profile's volume list. When a tape volume is deleted, RACF removes the volume serial from the volume list in the profile and deletes the index entry. The profile name does not change, even if the volume after which the profile might have been named is deleted.

It is possible to have a profile name of TAPEVOL -TAPE01 without having a corresponding index entry and without having TAPE01 in the volume serial list.

The database profiles consist of segments that are made up of fields and repeat groups that follow a record header. The record header, the field structure, and the repeat group structure are described in this document.
  • Record header
    The record header consists of these fields:
    Byte 0         X'83', the record identifier.
    Bytes 1-4      Physical length of this record, in bytes.
    Bytes 5-8      Logical record length: the length, in bytes, of the portion of the record that actually contains data.
    Bytes 9-16     Segment name.
    Bytes 17-18    Length of the profile name, which begins at byte 20.
    Byte 19        Reserved.
    Bytes 20 on    Profile name; its length is specified in bytes 17-18.
  • Field structure

    Following the record header is a set of one or more segment data fields. Although the potential total length of these fields is 2GB, that might be limited by the type of DASD and the amount of virtual storage available to the user.

    All data fields are in a variable-length format. The first byte is the field ID. See the template descriptions in z/OS Security Server RACF Macros and Interfaces for field identifiers. Where indicated in the template descriptions, the field can be a member of a repeat group.

    If the field is not a member of a repeat group, the field ID is followed by a length field giving the length of the data that follows. If the high-order bit of the length field is zero, the length field is one byte and the data can be up to 127 bytes; if the high-order bit is set, the length field is 4 bytes (for example, X'80000022' for 34 bytes of data) and the remaining 31 bits give a data length of up to 2^31 - 1 bytes.

    When the length field is one byte, a profile field is laid out as:
    i | l | data
    where:
    • i is the field ID. i is 1 byte.
    • l is the length of the data that follows. l is 1 byte, and its high-order bit is zero.
    • data is 1 to 127 bytes of data.
    When the length field is 4 bytes, the layout is the same:
    i | l | data
    where:
    • i is the field ID. i is 1 byte.
    • l is the length of the data that follows. l is 4 bytes, and its high-order bit is set to one.
    • data is up to 2^31 - 1 bytes of data.
  • Repeat group structure

    A repeat group structure contains a set of fields that are part of a repeat group. It contains all occurrences of a repeat group and, for each occurrence, it contains the count of fields and every field in the occurrence, including those with null values.

    The field ID (first byte) is associated with the entire repeat group. Fields in a repeat group structure do not have individual ID fields.

    Each repeat group is limited to 64KB of installation data.

    The structure of a repeat group is:
    i | l | m | c1 | fields of occurrence 1 | c2 | fields of occurrence 2 | ...
    where:
    • i is the field ID. i is 1 byte.
    • l is the length of the entire repeat group. l is 4 bytes.
    • m is the count of repeat group occurrences. m is 4 bytes.
    • c1, c2, and so on are the counts of fields in each occurrence. Each is 1 byte.
    • The fields of each occurrence (a1, a2, b2, and so on in the figure) are data, up to 2^31 - 1 bytes each.
    Each data field within an occurrence has this format:
    l | data
    where:
    • l is the length of the data that follows. If its high-order bit is zero, l is one byte and the data can be up to 127 bytes. If its high-order bit is set to one, l is 4 bytes.
    • data is up to 2^31 - 1 bytes of data.
    There is no field ID in front of an individual data field; the ID belongs to the repeat group as a whole. A null-valued member is still present, as a length of zero with no data.
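The following Python parser is an added example, not IBM code and not part of the Diagnosis Guide. It implements the record header, the 1-byte and 4-byte length forms of a field, and the repeat group layout listed above, together with the internal profile-name form described earlier (class identifier prefix, X'01' for the first period of a generic DATASET name, X'02' for the dash of a generic general-resource name). It makes assumptions the page does not state: names are EBCDIC (code page cp037 is used here); the 4-byte repeat-group length l counts the bytes that follow it (the occurrence count plus all occurrences); and, because only the template says which field IDs are repeat groups, the caller passes that set. The field IDs X'02', X'05' and X'20' and every value in the constructed sample record are invented for illustration.

```python
"""RACF profile record parser for the layout above (added example, not IBM
code).  Assumed beyond the page: EBCDIC cp037 names; the repeat-group length l
counts the bytes after it; the caller names which field IDs are repeat groups."""
import struct

EBCDIC = "cp037"                         # assumption: page names no code page
GENERIC_DOT, GENERIC_DASH = 0x01, 0x02   # X'01' / X'02' generic-name markers

def encode_len(n):
    """1-byte length for 0..127, else 4 bytes with the high-order bit set (n < 2^31)."""
    return bytes([n]) if n <= 127 else struct.pack(">I", 0x80000000 | n)

def decode_len(buf, pos):
    """Return (data length, position just after the length field)."""
    if buf[pos] & 0x80 == 0:
        return buf[pos], pos + 1
    return struct.unpack_from(">I", buf, pos)[0] & 0x7FFFFFFF, pos + 4

def internal_name(class_name, profile, generic=False):
    """Stored form: DATASET names bare (generic: first period -> X'01');
    general-resource names get the 8-char padded class and '-' (generic: X'02')."""
    raw = profile.encode(EBCDIC)
    if class_name == "DATASET":
        dot = raw.find(".".encode(EBCDIC))
        return raw[:dot] + bytes([GENERIC_DOT]) + raw[dot + 1:] if generic and dot >= 0 else raw
    sep = bytes([GENERIC_DASH]) if generic else "-".encode(EBCDIC)
    return class_name.ljust(8).encode(EBCDIC) + sep + raw

def display_name(raw):
    """Undo internal_name: returns (display text, is_generic)."""
    generic = GENERIC_DOT in raw or GENERIC_DASH in raw
    raw = raw.replace(bytes([GENERIC_DOT]), ".".encode(EBCDIC))
    return raw.replace(bytes([GENERIC_DASH]), "-".encode(EBCDIC)).decode(EBCDIC), generic

def build_record(segment, name, fields, pad=0):
    """Serialise header + fields; a list-of-lists value is a repeat group
    (one inner list of member data per occurrence).  pad = unused slack bytes."""
    body = b""
    for fid, value in fields:
        if isinstance(value, list):
            occs = b"".join(bytes([len(o)]) + b"".join(encode_len(len(d)) + d for d in o)
                            for o in value)
            group = struct.pack(">I", len(value)) + occs          # m, then occurrences
            body += bytes([fid]) + struct.pack(">I", len(group)) + group
        else:
            body += bytes([fid]) + encode_len(len(value)) + value
    log_len = 20 + len(name) + len(body)
    return (bytes([0x83]) + struct.pack(">II", log_len + pad, log_len)
            + segment.ljust(8).encode(EBCDIC) + struct.pack(">H", len(name))
            + b"\x00" + name + body + b"\x00" * pad)

def parse_record(buf, repeat_ids=frozenset()):
    """Walk header, simple fields and repeat groups, checking every length."""
    if buf[0] != 0x83:
        raise ValueError("not a profile record: id X'%02X'" % buf[0])
    phys_len, log_len = struct.unpack_from(">II", buf, 1)
    if not log_len <= phys_len <= len(buf):
        raise ValueError("inconsistent physical/logical lengths")
    segment = buf[9:17].decode(EBCDIC).rstrip()
    pos = 20 + struct.unpack_from(">H", buf, 17)[0]
    text, generic = display_name(buf[20:pos])
    fields = []
    while pos < log_len:
        fid, pos = buf[pos], pos + 1
        if fid not in repeat_ids:                    # simple field: id | len | data
            ln, pos = decode_len(buf, pos)
            fields.append((fid, buf[pos:pos + ln]))
            pos += ln
            continue
        total, count = struct.unpack_from(">II", buf, pos)
        pos, end, occurrences = pos + 8, pos + 4 + total, []
        for _ in range(count):
            nfields, pos, occ = buf[pos], pos + 1, []
            for _ in range(nfields):                 # members carry no field ID
                ln, pos = decode_len(buf, pos)
                occ.append(buf[pos:pos + ln])
                pos += ln
            occurrences.append(occ)
        if pos != end:
            raise ValueError("repeat group X'%02X' length mismatch" % fid)
        fields.append((fid, occurrences))
    if pos != log_len:
        raise ValueError("field data overruns the logical record length")
    return {"segment": segment, "name": text, "generic": generic, "fields": fields}

# Constructed sample (field IDs X'02', X'05', X'20' and all values invented): BASE
# segment of generic TAPEVOL profile TAPE* with a short field, a 200-byte field
# (4-byte length form) and a repeat group whose second occurrence has a null member.
SAMPLE = build_record("BASE", internal_name("TAPEVOL", "TAPE*", generic=True), [
    (0x02, "IBMUSER".encode(EBCDIC)),
    (0x05, b"\xff" * 200),
    (0x20, [["TAPE01".encode(EBCDIC), b"\x00\x00\x00\x01"], ["TAPE02".encode(EBCDIC), b""]]),
], pad=16)
PARSED = parse_record(SAMPLE, repeat_ids={0x20})
```

The parser is only as good as the repeat-group ID set you hand it: a repeat group read as a simple field (or the reverse) desynchronises the walk, which is why every length (physical versus logical, repeat-group total, end of data) is checked and raises instead of silently returning misaligned fields. The same checks are what you want when reading raw records produced by BLKUPD or IRRUT200, where the X'01' and X'02' markers appear in place of the period and dash.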

When displaying a profile with the BLKUPD command, you might want to have the RACF database templates available for reference. These can be found in z/OS Security Server RACF Macros and Interfaces. They include a list of the field IDs in numeric order. The field IDs are in decimal in z/OS Security Server RACF Macros and Interfaces but in hexadecimal when displayed by the BLKUPD command.

Copyright IBM Corporation 1990, 2014