ALTUSER (Alter user profile)

Purpose

Use the ALTUSER command to change the information in a user's profile, including the user's system-wide attributes and authorities. The user profile consists of a BASE segment and, optionally, other segments such as a TSO segment or a DFP segment. You can use this command to change information in any segment of the user's profile.

Issuing options

The following table identifies the eligible options for issuing the ALTUSER command:

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

• To add a user profile, see ADDUSER (Add user profile).
• To delete a user profile, see DELUSER (Delete user profile).
• To display information from a user profile, see LISTUSER (List user profile).
• To administer user ID associations, see RACLINK (Administer user ID associations).
• To obtain a list of user profiles, see SEARCH (Search RACF database).

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.

Parameters

subsystem-prefix

Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

userid

Specifies the RACF-defined user or users whose profile you want to change. If you specify more than one user ID, the list must be enclosed in parentheses.

This operand is required and must be the first operand following ALTUSER.

ADDCATEGORY | DELCATEGORY

ADDCATEGORY(category-name)

Specifies one or more names of installation-defined security categories. The names you specify must be defined as members of the CATEGORY profile in the SECDATA class. For information on defining security categories, see z/OS Security Server RACF Security Administrator's Guide.

When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a data set, RACF compares the list of security categories in the user profile with the list of security categories in the data set profile. If RACF finds any security category in the data set profile that is not in the user's profile, RACF denies access to the data set. If the user's profile contains all the required security categories, RACF continues with other authorization checking.

Note: RACF does not perform security category checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.

DELCATEGORY[(category-name... |*)]

Specifies one or more names of the installation-defined security categories you want to delete from the user profile. Specifying an asterisk (*) deletes all categories; the user no longer has access to any resources protected by security category checking.

Specifying DELCATEGORY without category-name causes RACF to delete only undefined category names (those names that once were valid names but that the installation has since deleted from the CATEGORY profile).

ADSP | NOADSP

ADSP

Assigns the ADSP attribute to the user. This means that all permanent tape and DASD data sets the user creates are automatically RACF-protected by discrete profiles. ADSP specified on the ALTUSER command overrides NOADSP specified on the CONNECT command.

The ADSP attribute has no effect (even if assigned to a user) if SETROPTS NOADSP is in effect.

NOADSP

Specifies that the user no longer has the ADSP attribute.

AT | ONLYAT

The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.

AT([node].userid ...)

Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid ...)

Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

AUDITOR | NOAUDITOR

AUDITOR

Specifies that the user is to have full responsibility for auditing the use of system resources. An AUDITOR user can control the logging of detected accesses to any RACF-protected resources during RACF authorization checking and accesses to the RACF database.

You must have the SPECIAL attribute to enter the AUDITOR operand.

NOAUDITOR

Specifies that the user no longer has the AUDITOR attribute.

You must have the SPECIAL attribute to enter the NOAUDITOR operand.

AUTHORITY(group-authority)

Specifies the new level of authority the user is to have in the group specified in the GROUP operand. The valid group authority values are USE, CREATE, CONNECT, and JOIN, as described in Group authorities. If you specify AUTHORITY without group-authority, RACF ignores the operand and the existing group authority remains unchanged.

CICS | NOCICS

Adds, alters, or deletes CICS® operator information for a CICS terminal user.

If you are adding a CICS segment to a user profile, omitting a suboperand is equivalent to omitting the suboperand on the ADDUSER command. If you are changing an existing CICS segment in a user profile, omitting a suboperand leaves the existing value for that suboperand unchanged.

You can control access to the entire CICS segment or to individual fields within the CICS segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

OPCLASS | ADDOPCLASS | DELOPCLASS | NOOPCLASS

Where operator-class1, operator-class2 are numbers in the range 1 - 24, defined as two digits. These numbers represent classes assigned to this operator to which BMS (basic mapping support) messages are routed.

OPCLASS(operator-class ...)

Specifies the list of classes assigned to this operator to which BMS messages are routed.

ADDOPCLASS(operator-class ...)

Adds to the list of classes assigned to this operator to which BMS messages are routed.

DELOPCLASS(operator-class ...)

Deletes only the specified classes from the list of classes assigned to this operator to which BMS messages are routed.

NOOPCLASS

Deletes all operator classes from this profile and returns the user to the CICS defaults for this field. This field no longer appears in LISTUSER output.

OPIDENT | NOOPIDENT

OPIDENT(operator-id)

Specifies a 1 - 3 character identification of the operator for use by BMS.

Operator identifiers can consist of any characters, and can be entered with or without single quotation marks. The following rules apply:

• If parentheses, commas, blanks, or semicolons are to be entered as part of the operator identifier, the character string must be enclosed in single quotation marks. For example, if the operator identifier is (1), you must enter OPIDENT('(1)').
• If a single quotation mark is intended to be part of the operator identifier, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

NOOPIDENT

Deletes the operator identification and returns the user to the CICS default for this field. The OPIDENT field defaults to blanks in the RACF user profile, and blanks appear for the field in LISTUSER output.

OPPRTY | NOOPPRTY

OPPRTY(operator-priority)

Specifies a number in the range 0 - 255 that represents the priority of the operator.

NOOPPRTY

Deletes the operator priority and returns the user to the CICS default for this field.

This field defaults to zeros in the RACF user profile, and zeros appear for the field in LISTUSER output.

RSLKEY | NORSLKEY

RSLKEY(rslkey ... | 0 | 99)

Specifies the complete list of resource security level (RSL) keys assigned to the user. The RSL keys are used by CICS on distributed platforms. Each CICS resource has one RSL key assigned to it; in order for a user to access a resource, the user must have the same RSL key as the RSL key assigned to the resource.

RSLKEY does not add or delete keys. It only replaces existing keys. Use NORSLKEY to delete keys.

• RSLKEY(rslkey ...) specifies a list of one or more numbers in the range of 1 - 24 which represent the resource security level (RSL) keys assigned to the user.
• If RSLKEY(0) is specified, no RSL keys are assigned to the user.
• If RSLKEY(99) is specified, all RSL keys are assigned to the user (1 - 24, inclusive).
• Keys 0 and 99 are mutually exclusive and cannot be specified with any other keys.
• If RSLKEY is specified with no key numbers, RSLKEY(0) is defaulted.

NORSLKEY

Specifies that you want to remove the RSL key list from the user's RACF user profile. CICS will treat it as RSLKEY(0).

TIMEOUT | NOTIMEOUT

TIMEOUT(timeout-value)

Specifies the time, in hours and minutes, that the operator is allowed to be idle before being signed off. The value for TIMEOUT can be entered in the form m, mm, hmm, or hhmm, where the value for m or mm is 00 - 59, or 00 - 60 if h or hh is not specified or is specified as 0 or 00. The value for h or hh must be 00 - 99.

If this suboperand is omitted, there is no change to this field.

NOTIMEOUT

Deletes the timeout value and returns the user to the CICS default for this field.

This field defaults to zeros in the RACF user profile, and zeros appear for the field in LISTUSER output.

TSLKEY | NOTSLKEY

TSLKEY(tslkey ... | 0 | 1 | 99)

Specifies the complete list of transaction security level (TSL) keys assigned to the user. The TSL keys are used by CICS on distributed platforms. Each CICS transaction has one TSL key assigned to it; in order for a user to run a transaction, the user must have the same TSL key as the TSL key assigned to the transaction.

TSLKEY does not add or delete keys. It only replaces existing keys. Use NOTSLKEY to delete keys.

• TSLKEY(tslkey ...) specifies a list of one or more values of 1 - 64 which represent the transaction security level (TSL) keys assigned to the user.
• If TSLKEY(0) is specified, no TSL keys are assigned to the user.
• If TSLKEY(99) is specified, all TSL keys are assigned to the user (1 - 64, inclusive).
• Keys 0 and 99 are mutually exclusive and cannot be specified with any other keys.
• If TSLKEY is specified with no key numbers, TSLKEY(1) is defaulted.

NOTSLKEY

Specifies that you want to remove the TSL key list from the user's RACF user profile. CICS will treat it as TSLKEY(1).

XRFSOFF | NOXRFSOFF

XRFSOFF(FORCE | NOFORCE)

Specifies that the user is to be signed off by CICS when an XRF takeover occurs.

NOXRFSOFF

Returns the user to the CICS default for this field.

This field defaults to NOFORCE in the RACF user profile, and NOFORCE appears in LISTUSER output.

NOCICS

Deletes the CICS segment from a user profile. No CICS information appears in LISTUSER output.

CLAUTH | NOCLAUTH

CLAUTH(class-name ...)

Specifies the classes in which the user is allowed to define profiles to RACF for protection, in addition to the classes previously allowed for the user. Classes you can specify are USER, and any resource class defined in the class descriptor table. RACF adds the class names you specify to the class names previously specified for this user.

To enter the CLAUTH operand, you must have the SPECIAL attribute, or the user's profile must be within the scope of a group in which you have the group-SPECIAL attribute and have the CLAUTH attribute, or you must be the owner of the user's profile and have the CLAUTH attribute for the class to be added.

Note: The CLAUTH attribute has no meaning for the FILE and DIRECTORY classes.

NOCLAUTH(class-name ...)

Specifies that the user is not allowed to define profiles to RACF for the classes that you specify. Classes you can specify are USER and any resource class name defined in the user profile. RACF deletes the class names you specify from the class names previously allowed for this user.

To enter the NOCLAUTH operand specifying a class in the class descriptor table, you must have the SPECIAL attribute, or the user's profile must be within the scope of a group in which you have the group-SPECIAL attribute and have the CLAUTH attribute, or you must be the owner of the user's profile and have the CLAUTH attribute for the class to be deleted.

To enter the NOCLAUTH operand specifying a class that is not in the class descriptor table you must have the SPECIAL attribute.

If you do not have sufficient authority for a specified class, RACF ignores the CLAUTH or NOCLAUTH specification for the class and continues processing with the next class name specified.

CSDATA | NOCSDATA

CSDATA

Specifies information to add, change, or remove a custom field for this user.

custom-field-name ... | NOcustom-field-name ...

custom-field-name(custom-field-value) ...

Specifies the name and value of a custom field for this user. You can specify values for multiple custom fields with a single ALTDSD command.

Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.

Rules:

• You must use the same custom-field-name as defined by the CFIELD profile named USER.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
• You must specify a custom-field-value that is valid for the attributes of this custom field. (The attributes, such as data type, are defined in the CFDEF segment of the CFIELD profile.)

NOcustom-field-name ...

Removes the custom field information for this user. You can remove values for multiple custom fields with a single ALTUSER command.

When you append the prefix NO to the name of the custom field, you delete the value for that custom field from the user's profile. For example, if your installation has defined a custom field named ADDRESS and you want to remove the ADDRESS field from the profile of the user SHANNON, you might issue the following command:

Example:

ALTUSER SHANNON CSDATA(NOADDRESS)

NOCSDATA

Deletes the CSDATA segment from the user profile.

DATA | NODATA

DATA('installation-defined-data')

Specifies up to 255 characters of installation-defined data to be stored in the user's profile and must be enclosed in single quotation marks. It can also contain double-byte character set (DBCS) data. Note that only 254 characters of data are available for installation exits. If your installation has exits that examine this data, you should specify a maximum of 254 characters.

Use the LISTUSER command to list this information.

NODATA

Specifies that the ALTUSER command is to delete the installation-defined data in the user's profile.

DCE | NODCE

DCE

Adds or modifies the DCE segment in the user profile of the specified z/OS DCE user or Distributed File Service (DFS) Server Message Block (SMB) user. You can enter any of the following suboperands to specify information for that user. Each suboperand defines information that RACF stores in a field within the DCE segment of the user's profile.

You can control access to an entire DCE segment or to individual fields within the DCE segment by using field level access checking.

AUTOLOGIN(YES | NO) | NOAUTOLOGIN

Specifies whether z/OS UNIX DCE is to log this user into z/OS UNIX DCE automatically. If AUTOLOGIN(NO) or NOAUTOLOGIN is specified, z/OS UNIX DCE does not attempt to login this user to z/OS UNIX DCE automatically. If AUTOLOGIN is not specified, AUTOLOGIN(NO) is the default.

DCENAME | NODCENAME

DCENAME(user-principal-name)

Specifies the DCE principal name defined for this RACF user in the DCE registry.

The DCENAME you define to RACF can contain 1 - 1023 characters and can consist of any character. You can enter the name with or without single quotation marks, depending on the following:

• If parentheses, commas, blanks, or semicolons are entered as part of the name, the character string must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the character string, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. RACF does not ensure that a valid DCENAME has been specified.

The DCENAME assigned to a user must be the same as the DCE principal name defined to the DCE registry.

If DCENAME is not specified, the LISTUSER command does not display a DCENAME for this user.

Note: RACF does not enforce the uniqueness of each DCENAME. The DCENAME specified must match the user's DCE principal name that is defined to the DCE registry. If the DCENAME entered does not correspond to the DCE principal name entered in the DCE registry for this user, z/OS UNIX DCE cannot correctly associate the identity of the DCE principal with the correct RACF user ID.

NODCENAME

Specifies that you want to delete the DCE principal name from the DCE segment of the user's profile.

If NODCENAME is specified, the LISTUSER command does not display a DCENAME for this user.

HOMECELL | NOHOMECELL

HOMECELL(dce-cell-name)

Specifies the DCE cell name defined for this RACF user.

The HOMECELL you define to RACF can contain 1 - 1023 characters and can consist of any character. You can enter the name with or without single quotation marks, depending on the following:

• If parentheses, commas, blanks, or semicolons are entered as part of the cell name, the character string must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the cell name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. The fully qualified path name should be specified. RACF does not ensure that a valid DCE cell name has been specified.

The HOMECELL assigned to a user must be the same as the DCE cell name that this user has been defined to.

If the HOMECELL is not specified, z/OS UNIX DCE single signon to DCE support assumes that the HOMECELL for this user is the same cell where this MVS system is defined.

RACF checks that the prefix of the HOMECELL name entered has a prefix of either /.../ or /.:/.

The notation /.../ indicates that the HOMECELL name is a global domain name service (DNS) cell name or X.500 global name.

The notation /.:/ indicates that the HOMECELL name is a cell relative CDS (cell directory service) name. When determining the naming conventions used within your DCE cell, you should contact your DCE cell administrator.

NOHOMECELL

Specifies that you want to delete the cell information from the DCE segment of the user profile.

If NOHOMECELL is specified, the LISTUSER command does not display the HOMECELL for this user.

HOMEUUID | NOHOMEUUID

HOMEUUID(home-cell-UUID)

Specifies the DCE universal unique identifier (UUID) for the cell that this user is defined to. The UUID is a 36-character string that consists of numeric and hexadecimal characters. This string must have the delimiter character (-) in positions 9, 14, 19, and 24. The general format for the UUID string is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, in which x represents a valid numeric or hexadecimal character.

Be careful when assigning UUIDs. The UUID cannot be randomly assigned. The HOMEUUID is the DCE UUID of the cell that this RACF user is defined to. If HOMEUUID is not specified, the LISTUSER command displays NONE for the HOMEUUID field.

Note: The HOMEUUID specified must match the UUID of the DCE cell to which this principal (specified by the DCENAME operand) is defined.

NOHOMEUUID

Specifies that you want to delete the home cell unique universal identifier from the DCE segment of the user's profile.

If NOHOMEUUID is specified, LISTUSER for that user ID shows NONE for the HOMEUUID field.

UUID | NOUUID

UUID(universal-unique-identifier)

Specifies the DCE universal unique identifier (UUID) of the DCE principal defined in DCENAME. The UUID is a 36-character string that consists of numeric and hexadecimal characters. This string must have the delimiter character (-) in positions 9, 14, 19, and 24. The general format for the UUID string is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, in which x represents a valid numeric or hexadecimal character.

Be careful when assigning UUIDs. The UUID cannot be randomly assigned.

The DCE UUID assigned to a user must be the same as the DCE UUID assigned when defining this RACF user to the DCE registry as a DCE principal.

If UUID is not specified, the user cannot become a z/OS DCE user and a LISTUSER command for that user ID shows NONE for the UUID.

Note: RACF does not enforce the uniqueness of each UUID entered. The UUID specified must match the UUID in the DCE registry for the principal (specified by the DCENAME operand) that is being cross-linked with this RACF user ID.

NOUUID

Specifies that you want to delete the DCE unique universal identifier from the DCE segment of the user's profile.

If NOUUID is specified, LISTUSER for that user ID shows NONE for the UUID field.

NODCE

Specifies that RACF should delete the DCE segment from the user's profile.

DFLTGRP(group-name)

Specifies the name of a RACF-defined group to be used as the new default group for the user. The user must already be connected to this new group with at least USE authority. The user remains connected to the previous default group.

DFP | NODFP

DFP

Specifies that when you change the profile of a user, you can enter any of the following suboperands to add, change, or delete default values for the DFP data application, data class, management class, and storage class. DFP uses this information to determine data management and DASD storage characteristics when a user creates a new data set.

You can control access to the entire DFP segment or to individual fields within the DFP segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

DATAAPPL | NODATAAPPL

DATAAPPL(application-name)

Specifies the name of a DFP data application. The name you specify can contain up to 8 alphanumeric characters.

NODATAAPPL

Specifies that you want to delete the DFP data application name from the DFP segment of the user's profile.

DATACLAS | NODATACLAS

DATACLAS(data-class-name)

Specifies the default data class. The class name you specify can contain up to 8 alphanumeric characters.

A data class can specify some or all of the physical data set attributes associated with a new data set. During new data set allocation, data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).

The value you specify must be a valid data class name defined for use on your system. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on defining DFP data classes, see z/OS DFSMSdfp Storage Administration.

NODATACLAS

Specifies that you want to delete the default data class name from the DFP segment of the user's profile.

MGMTCLAS | NOMGMTCLAS

MGMTCLAS(management-class-name)

Specifies the default management class. The class name you specify can contain up to 8 alphanumeric characters.

A management class contains a collection of management policies that apply to data sets. Data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).

The value you specify must be defined as a profile in the MGMTCLAS general resource class, and the user must be granted at least READ access to the profile. Otherwise, RACF does not allow the user access to the specified MGMTCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on defining DFP management classes, see z/OS DFSMSdfp Storage Administration.

NOMGMTCLAS

Specifies that you want to delete the default management class name from the DFP segment of the user's profile.

STORCLAS | NOSTORCLAS

STORCLAS(storage-class-name)

Specifies the default storage class. The class name you specify can contain up to 8 alphanumeric characters.

A storage class specifies the service level (performance and availability) for data sets managed by the storage management subsystem (SMS). During new data set allocation, data management uses the value you specify as a default unless it is preempted by a higher priority default, or overridden in some other way (for example, by JCL).

The value you specify must be defined as a profile in the STORCLAS general resource class, and the user must be granted at least READ access to the profile. Otherwise, RACF does not allow the user access to the specified STORCLAS. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on defining DFP storage classes, see z/OS DFSMSdfp Storage Administration.

NOSTORCLAS

Specifies that you want to delete the default storage class name from the DFP segment of the user's profile.

NODFP

Specifies that RACF should delete the DFP segment from the user's profile.

EIM | NOEIM

Specifies or deletes the bind information required to establish a connection with the EIM domain.

EIM

Specifies the EIM segment for the user's profile.

LDAPPROF(ldapbind_profile)

Specifies the name of a profile in the LDAPBIND class. The profile in the LDAPBIND class contains the name of an EIM domain and the bind information required to establish a connection with the EIM domain. The EIM services attempt to retrieve this information when it is not explicitly supplied through invocation parameters. Applications or other services that use the EIM services may instruct their callers to define a profile in the LDAPBIND class or the IRR.PROXY.DEFAULTS profile in the FACILITY class.

The ldapbind_profile specifies the name of a profile in the LDAPBIND class containing the EIM domain and the LDAP bind information. The ldapbind_profile name may be 1 - 246 characters long. It is not a case-sensitive name.

NOLDAPPROF

Deletes the LDAPBIND profile name from the EIM segment in the user's profile.

NOEIM

Deletes the EIM segment from the user's profile

EXPIRED | NOEXPIRED

EXPIRED

Specifies that the new password or password phrase (specified with the PASSWORD or PHRASE keyword) or the new password defaulted by the PASSWORD keyword is marked as expired. Specifying the EXPIRED keyword requires the user to change their new password or password phrase at the next logon or job start.

When EXPIRED is specified with the PHRASE keyword, the password phrase you specify is subject to the basic RACF rules for password phrase syntax and to any rules set by the installation through the new-password-phrase exit (ICHPWX11), if present.

When EXPIRED is specified with the PASSWORD keyword, the password you specify is not subject to the password syntax rules set by the installation through the SETROPTS PASSWORD command. However, the password is checked by the new-password exit (ICHPWX01), if present.

When EXPIRED is specified without PASSWORD and PHRASE, the existing password and password phrase, if they exist, are to be marked as expired.

NOEXPIRED

Specifies that the password specified by the PASSWORD keyword or the password phrase specified by the PHRASE keyword need not be changed at the next logon. The NOEXPIRED keyword is only valid when specified with the PASSWORD or PHRASE keyword. NOEXPIRED does not indicate that the password or password phrase never expires. If you want to set a password or password phrase that never expires, use the NOINTERVAL keyword on the PASSWORD command.

When NOEXPIRED is specified, the password or password phrase value you supply is subject to certain rules. Those rules include the basic RACF rules for password phrase syntax and any password syntax rules set by the installation through the SETROPTS PASSWORD(RULEn) command. In addition, the new-password exit (ICHPWX01), if present, is called to check passwords. The new-password-phrase exit (ICHPWX11), if present, is called to check password phrases and perform additional validation.

To specify NOEXPIRED, you must either have the SPECIAL attribute (at the system level), or you must have UPDATE access to either the IRR.PASSWORD.RESET resource or the appropriate IRR.PWRESET resource in the FACILITY class. Being the owner of the USER profile or having the group-SPECIAL attribute is not sufficient when NOEXPIRED is specified.

GROUP(group-name)

Specifies the group to which changes to the group-related user attributes UACC and AUTHORITY are to be made. The user must be connected to the specified group.

If you omit GROUP, the changes apply to the user's default group. If you omit GROUP and specify DFLTGRP, however, the changes still apply to the user's previous default group.

GRPACC | NOGRPACC

GRPACC

Specifies that any group data sets protected by DATASET profiles defined by this user are automatically accessible to other users in the group. The group whose name is used as the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit) has UPDATE access authority in the new profile. GRPACC specified on the ALTUSER command overrides NOGRPACC specified on the CONNECT command.

NOGRPACC

Specifies that the user no longer has the GRPACC attribute.

KERB | NOKERB

KERB

Specifies z/OS Integrated Security Services Network Authentication Service information for a user defined to RACF. Each subkeyword defines information that RACF stores in a field within the KERB segment of the user's profile.

Note: The RACF user password must be changed to be non-expired in order to complete the definition of the z/OS Network Authentication Service principal. The user cannot use any z/OS Network Authentication Service function until the definition is complete.

Note: ICSF must be available when passwords are changed for users who have KERB segments or keys cannot be generated.

ENCRYPT | NOENCRYPT

ENCRYPT

Specifies which keys the user (the z/OS Network Authentication Service principal) is allowed to use.

DES | NODES

Whether DES encrypted keys can be used.

DES3 | NODES3

Whether DES3 encrypted keys can be used.

DESD | NODESD

Whether DESD encrypted keys can be used.

AES128 | NOAES128

Whether AES128 encrypted keys can be used.

AES256 | NOAES256

Whether AES256 encrypted keys can be used.

When a principal's password changes, a key of each allowed type is generated and stored in the principal's user profile. The use of each key is based on the z/OS Network Authentication Service configuration.

Important: When you enable the use of a new key type, be sure that the principal's password is changed to ensure that a key of the new type is generated and stored in the principal's user profile.

See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses keys and how to customize environment variables related to keys.

NOENCRYPT

Specifies that there is no restriction on which generated keys the principal can use, and resets the KERB ENCRYPT values to the default settings.

See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses keys and how to customize environment variables related to keys.

KERBNAME | NOKERBNAME

KERBNAME(kerberos-principal-name)

Specifies the z/OS user ID's local kerberos-principal-name.

The value specified for the local kerberos-principal-name must be unique. Consequently, a list of users cannot be specified on an ALTUSER command with the KERBNAME keyword.

The kerberos-principal-name you define to RACF can consist of any character except the @ (X'7C') character. You can enter the name with or without single quotation marks, depending on the following:

• If parentheses, commas, blanks, or semicolons are entered as part of the name, the name must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the name and the entire character string is enclosed in single quotation marks, you must use two single quotation marks together to represent each single quotation mark within the string.
• If the first character of the name is a single quotation mark, you must enter the string within single quotation marks, with two single quotation marks entered for that single quotation mark.

Guideline: Avoid using EBCDIC variant characters to prevent problems with different code pages.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. However, RACF does not ensure that a valid kerberos-principal-name has been specified.

A local kerberos-principal-name must not be qualified with a realm name when specified with the KERBNAME keyword. However, RACF verifies that the local principal name, when fully qualified with the name of the local realm:

/.../local_realm_name/principal_name

does not exceed 240 characters. For example,

• If the local realm name is

  X

  fully qualified local principal names are prefixed with

  /.../X/

  and are limited to a maximum of 233 characters.
• If the local realm name is

  KERB390.ENDICOTT.IBM.COM

  fully qualified local principal names are prefixed with

  /.../KERB390.ENDICOTT.IBM.COM/

  and are limited to a maximum of 210 characters.

This length verification requires that the REALM profile for the local realm KERBDFLT be defined and contain the name of the local realm, prior to the specification of local z/OS Network Authentication Service user principals. Otherwise, z/OS Network Authentication Service users will not be defined.

Note: Because of the relationship between realm names and local kerberos-principal-names, in which the length of a fully qualified name cannot exceed 240 characters, caution and planning must go into renaming the local realm because the combined length is only checked by RACF when a local kerberos-principal-name is added or altered. Renaming the realm should be avoided as a result.

NOKERBNAME

Deletes the kerberos-principal-name. This invalidates the z/OS user ID's z/OS Network Authentication Service account.

MAXTKTLFE | NOMAXTKTLFE

MAXTKTLFE(max-ticket-life)

Specifies the max-ticket-life in seconds. The value for MAXTKTLFE must be 1 - 2 147 483 647. Note that 0 is not a valid value.

If MAXTKTLFE is specified on the definition of a local z/OS Network Authentication Service principal, the z/OS Integrated Security Services Network Authentication Service takes the most restrictive of the value defined for the local principal and the value specified on the definition of the local realm (the KERBDFLT profile in the REALM class). Consequently, if the realm max-ticket-life is 24 hours, a principal cannot get a ticket with a longer lifetime even if the max-ticket-life is set to 48 hours. If this field is not specified for a local principal, or if NOMAXTKTLFE has been specified, the maximum lifetime for tickets created by this principal is determined from the definition of the local z/OS Network Authentication Service realm.

NOMAXTKTLFE

Deletes the max-ticket-life value for this local z/OS Network Authentication Service principal.

NOKERB

Deletes the user's KERB segment. This user is no longer considered a principal by the z/OS Integrated Security Services Network Authentication Service.

LANGUAGE | NOLANGUAGE

Specifies to add, alter, or delete the user's preferred national languages.

Specify LANGUAGE if this user is to have languages other than the ones established or defaulted by the LANGUAGE operand on the SETROPTS command, or the ones previously specified with the ADDUSER command.

LANGUAGE(PRIMARY(language) SECONDARY(language))

Specifies the user's preferred national languages. Specify this operand if the user is to have languages other than the system-wide defaults (established by the LANGUAGE operand on the SETROPTS command).

• If this profile is for a TSO/E user who will establish an extended MCS console session, the languages you specify should be one of the languages specified on the LANGUAGE LANGCODE statements in the MMSLSTxx PARMLIB member. See your MVS system programmer for this information.

  For more information on TSO/E national language support, see z/OS TSO/E Customization.

• If this profile is for a CICS user, see your CICS administrator for the languages supported by CICS on your system.

  For more information, visit CICS Transaction Server for z/OS.

PRIMARY | NOPRIMARY

PRIMARY(language)

Specifies the user's new primary language.

NOPRIMARY

Deletes any primary language information from the user's profile and returns the user to the installation's default primary language.

SECONDARY | NOSECONDARY

SECONDARY(language)

Specifies the language to which the user's secondary language is to be changed.

NOSECONDARY

Deletes any secondary language information from the user's profile and returns the user to the installation's default secondary language.

Note:

1. For the primary and secondary languages, specify either the installation-defined name of a currently active language (a maximum of 24 characters) or one of the language codes (three characters in length) for a language installed on your system.
2. The language name can be a quoted or unquoted string.
3. The same language can be specified for with both PRIMARY and SECONDARY parameters.
4. If the MVS message service is not active, the PRIMARY and SECONDARY values must be a 3-character language code.

NOLANGUAGE

Deletes the user's preferred national languages from the profile and returns that user to the installation defaults. LANGUAGE information no longer appears in LISTUSER output.

LNOTES | NOLNOTES

LNOTES

Specifies Lotus Notes for z/OS information for the user profile being changed.

SNAME | NOSNAME

SNAME(short-name)

Specifies the Lotus Notes for z/OS short-name of the user being changed. The name should match the one stored in the Lotus® Notes® address book for this user, but this is not verified by the command.

The short-name you define to RACF can contain 1 - 64 characters. You can specify the following characters: uppercase and lowercase alphabetic characters (A - Z, and a - z), 0 - 9, & (X'50'), - (X'60'), . (X'4B'), _ (X'6D'), and blanks (X'40').

If the short-name you specify contains any blanks, it must be enclosed in single quotation marks. The short-name is stripped of leading and trailing blanks.

The value specified for the short-name must be unique. Consequently, a list of users might not be specified on an ALTUSER command with the SNAME keyword.

NOSNAME

Specifies that you want to delete the short-name from the LNOTES segment of the user's profile.

NOLNOTES

Specifies that you want to delete the LNOTES segment from the user's profile.

MFA | NOMFA

MFA

Specifies multi-factor authentication information for the user profile being changed. Information is stored in the base segment of the user's profile. MFA can not be specified for a PROTECTED user.

The MFADEF class must be active before a user can logon with IBM® MFA.

See z/OS Security Server RACF Security Administrator's Guide.

PWFALLBACK|NOPWFALLBACK

PWFALLBACK

When IBM MFA is unavailable or is unable to determine the validity of an ACTIVE factor, this user can logon to the system using any existing RACF authenticators such as their password, password phrase or PassTicket.

NOPWFALLBACK

When IBM MFA in unavailable or is unable to determine the validity of an ACTIVE factor, this user will not be able to logon to the system with any existing RACF authenticators. NOPWFALLBACK is the default.

FACTOR|DELFACTOR

FACTOR(factor-name)

Specifies an authentication factor for a user. If the user is not already registered to the factor, the factor will be added to the user. The specified factor must be defined in an MFADEF class profile named FACTOR.<factorName>. Other ALTUSER keywords such as ACTIVE and TAGS are specific to this specified factor.

Factor-name is a 1 - 20 character identifier. The characters can be alphabetic, numeric, or national.

A user is limited to 10 total factors. Only one factor may be specified in a single ALTUSER command.

DELFACTOR(factor-name)

Deletes the specified factor from the list of authentication factors registered to this user.

Factor-name is a 1 - 20 character identifier. The characters can be alphabetic, numeric, or national.

ACTIVE|NOACTIVE

ACTIVE

The user is required to authenticate to IBM MFA with the specified factor to logon to the system when the MFADEF class is active.

NOACTIVE

The user is not required to authenticate to IBM MFA with the specified factor to logon to the system. NOACTIVE is the default.

TAGS|DELTAGS|NOTAGS

TAGS(tag-name:tag-value...)

Specifies tags and values for the specified factor.

The tag-name and tag-value pairs are factor specific and are defined by IBM MFA. ALTUSER calls IBM MFA to validate tag-names and tag-values. IBM MFA must be available for RACF to process the TAGS keyword. IBM MFA may reject a tag-name or tag-value during ALTUSER processing. IBM MFA may utilize these values during logon processing to authenticate a user. Refer to IBM Multi-Factor Authentication for z/OS User's Guide for documentation of each factor's configuration data parameters.

When the tag-name is not already present in the TAGS for the specified factor the tag-name is added. When the tag-name is already present for the specified factor, it is replaced with the new tag-value.

The tag-name is a 1 - 20 character case insensitive identifier and can consist of alphabetic or numeric characters. A factor is limited to 20 total tags.

The tag-value can be 1 - 1024 characters and can consist of any character. If the tag-value you specify contains any blanks, the tag-name:tag-value pair must be enclosed in quotation marks.

DELTAGS(tag-name ...)

Deletes specific tags for the specified factor.

The tag-name is a 1 - 20 character identifier and can consist of alphabetic or numeric characters.

The tag-name is ignored when it does not already exist for a specified factor.

NOTAGS

Removes all tags for the specified factor.

ADDPOLICY | DELPOLICY

ADDPOLICY(policy-name …)

Adds to the user's list of MFA authentication policies where policy-name is the name of an MFA policy profile defined in the MFADEF class. Policy-name is specified as only the unique name portion of the policy profile after the initial "POLICY." qualifier.

A policy name must be between 1 and 20 characters.

Each user is limited to a maximum of 10 policy names.

DELPOLICY(policy-name … | *)

Deletes the specified policies from the user's list of MFA policies.

Specifying the * character deletes all existing policies.

NOMFA

Specifies that RACF delete all MFA fields from the user's profile. The user is no longer required to provide additional authentication factors when logging on.

MODEL | NOMODEL

MODEL(dsname)

Specifies the name of a data set that RACF is to use as a model when new data set profiles are created that have userid as the high-level qualifier. For this operand to be effective, the MODEL(USER) option (specified on the SETROPTS command) must be active. If the ALTUSER command cannot find the dsname profile, it issues a warning message but places the model name in the user ID entry.

Note that RACF always prefixes dsname with the user ID.

For information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.

NOMODEL

Deletes the model profile name in the user's profile.

NAME(user-name)

Specifies the user name to be associated with the user ID. You can use a maximum of 20 alphanumeric or non-alphanumeric characters. If the name you specify contains any blanks, it must be enclosed in single quotation marks.

Names longer than 20 characters are truncated to 20 characters when you enclose the name in quotation marks. However, if you specify a name longer than 20 characters without enclosing the name in quotation marks, you receive an error from the TSO parse routine.

If you omit the NAME operand, RACF uses a default of twenty # (X'7B') characters ('### ...'). Note, however, that the corresponding entry in a LISTUSER output is the word UNKNOWN.

 

NDS | NONDS

NDS

Specifies Novell Directory Services for OS/390 information for the user profile being changed.

UNAME | NOUNAME

UNAME(user-name)

Specifies the Novell Directory Services for OS/390 user-name of the user being changed. The user-name value should match the name stored in the Novell Directory Services for OS/390 directory for this user, but this is not verified by the command.

The user-name you define to RACF can contain 1 - 246 characters. However, the user-name cannot contain the following characters: * (X'5C'), + (X'4E'), | (X'4F'), = (X'7E'), , (X'6B'), " (X'7F'), ` (X'79'), / (X'61'), : (X'7A'), ; (X'5E'), ¢ (X'4A'), and brackets [ and ] (X'AD' and X'BD').

If the user-name you specify contains any parentheses or blanks, it must be enclosed in single quotation marks. The user-name is stripped of leading and trailing blanks. If a single quotation mark is intended to be part of the user-name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The value specified for the user-name must be unique. Consequently, a list of users cannot be specified on an ALTUSER command with the UNAME keyword.

NOUNAME

Specifies that you want to delete the user-name from the NDS segment of the user's profile.

NONDS

Specifies that RACF delete the NDS segment from the user's profile.

NETVIEW | NONETVIEW

NETVIEW

Specifies that this is a NetView® operator that can enter any of the following suboperands to add, update, or delete the information in the NETVIEW segment.

You can control access to the entire NETVIEW segment or to individual fields within the NETVIEW segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

CONSNAME | NOCONSNAME

CONSNAME(console-name)

Specifies the default MCS console name identifier used for this operator. This default console name is used when the operator does not specify a console name using the NetView GETCONID command.

The console-name value is a 1 - 8 character identifier whose validity is checked by MVS processing when the operator tries to use it. See z/OS MVS Planning: Operations for information on valid values for a particular release.

NOCONSNAME

Deletes any default MCS console name previously specified for this operator.

CTL | NOCTL

CTL (GENERAL | GLOBAL | SPECIFIC)

Specifies whether a security check is performed for this NetView operator when they try to use a span or try to do a cross-domain logon.

GENERAL

Specifies that a security done should be done as for SPECIFIC, and, in addition, that the operator is allowed to access devices that are not part of any span.

GLOBAL

Specifies that no security check is done.

SPECIFIC

Specifies that a security check is performed through RACROUTE REQUEST=AUTH whenever this operator attempts to use a span. It also specifies that any cross-domain logon must be to a domain listed in the operator's NETVIEW segment with the DOMAINS keyword.

CTL(SPECIFIC) is the default.

NOCTL

NOCTL has the same effect as specifying CTL(SPECIFIC).

DOMAINS | NODOMAINS | ADDDOMAINS | DELDOMAINS

DOMAINS(domain-name ...)

Specifies the complete list of identifiers of NetView programs in another NetView domain where this operator can start a cross-domain session. The NetView program identifiers are coded on the NCCFID definition statement for the other domains, and represent the name given to that NetView program on the APPL statement.

Domain-name is a 1 - 5 character identifier. The characters can be alphabetic, numeric, or national.

ADDDOMAINS(domain-name ...)

Adds identifiers of NetView programs in another NetView domain where this operator can start a cross-domain session. The NetView program identifiers are coded on the NCCFID definition statement for the other domains, and represent the name given to that NetView program on the APPL statement.

The domain-name value is a 1 - 5 character identifier. The characters can be alphabetic, numeric, or national.

DELDOMAINS(domain-name ...)

Deletes specific identifiers of NetView programs in another NetView domain where this operator can start a cross-domain session. The NetView program identifiers are coded on the NCCFID definition statement for the other domains, and represent the name given to that NetView program on the APPL statement.

The domain-name value is a 1 - 5 character identifier. The characters can be alphabetic, numeric, or national.

NODOMAINS

Specifies that the operator cannot start any cross-domain sessions.

IC | NOIC

IC('command | command-list')

Specifies the command or command list (up to 255 characters) to be processed when the operator logs on to NetView.

If the command or command list you specify contains any commas, blanks, or other special characters that TSO/E requires to be quoted, it must be enclosed in single quotation marks.

NOIC

Deletes the command or command list to be processed at logon time for this operator. No command or command list is automatically processed when this operator logs on.

MSGRECVR | NOMSGRECVR

MSGRECVR (YES | NO)

Specifies whether this operator can receive unsolicited messages that are not routed to a specific NetView operator.

YES

Specifies that the operator is to receive the messages.

NO

Specifies that the operator is not to receive the messages.

NOMSGRECVR

NOMSGRECVR has the same effect as specifying MSGRECVR(NO).

NGMFADMN | NONGMFADMN

NGMFADMN (YES | NO)

Specifies whether a NetView operator has administrator authority to the NetView Graphic Monitor Facility (NGMF).

YES

Specifies that the operator does have the authority.

NO

Specifies that the operator does not have the authority.

NONGMFADMN

NONGFMADMN has the same effect as specifying NGFMADMN(NO).

NGMFVSPN | NONGMFVSPN

NGMFVSPN (view-span)

Reserved for future use by the NetView Graphic Monitor Facility

NONGMFVSPN

Reserved for future use by the NetView Graphic Monitor Facility

OPCLASS | NOOPCLASS | ADDOPCLASS | DELOPCLASS

OPCLASS(class ...)

Specifies the complete list of NetView scope classes for which the operator has authority.

The class value is a number 1 - 2040 that specifies a NetView scope class.

ADDOPCLASS(class ...)

Adds specific NetView scope classes to the operator's current list of classes.

The class value is a number 1 - 2040 that specifies a NetView scope class.

DELOPCLASS(class ...)

Deletes specific NetView scope classes from the operator's current list of classes.

The class value is a number 1 - 2040 that specifies a NetView scope class.

NOOPCLASS

Specifies that the operator is in no scope classes.

NONETVIEW

Specifies that RACF should delete the NETVIEW segment from the user's profile.

OIDCARD | NOOIDCARD

OIDCARD

Specifies that the user must supply an operator identification card when logging onto the system. If you specify the OIDCARD operand, the system prompts you to enter the user's new operator identification card as part of the processing of the ALTUSER command. If you specify the OIDCARD operand in a job executing in the background or when you cannot be prompted in the foreground, the ALTUSER command fails.

NOOIDCARD

Specifies that the user is not required to supply an operator identification card.

If NOPASSWORD is specified or the user ID already has the NOPASSWORD attribute, and NOPHRASE is specified or the user ID already does not have a password phrase, specifying NOOIDCARD causes this user ID to become a protected user ID. Protected user IDs cannot be used to enter the system by any means that requires a password to be specified, such as TSO logon. If the user attempts to enter the system with a password, the attempt fails.

Protected user IDs can be used for the user IDs associated with the started tasks in ICHRIN03 or the STARTED class.

OMVS | NOOMVS

OMVS

Specifies z/OS UNIX information for the user profile being changed.

You can control access to the entire OMVS segment or to individual fields within the OMVS segment by using field-level access checking.

ASSIZEMAX | NOASSIZEMAX

ASSIZEMAX(address-space-size)

Specifies the RLIMIT_AS hard limit (maximum) resource value that processes receive when they are dubbed a process. The address-space-size you define to RACF is a numeric value from 10485760 - 2 147 483 647. ASSIZEMAX indicates the address space region size in bytes. The soft limit (current) resource value is obtained from MVS. If the soft limit value from MVS is greater than the address space size, the soft limit is used.

The value specified for ASSIZEMAX is also used when processes are initiated by a daemon process using an exec after setuid(). In this case, both the RLIMIT_AS hard limit and soft limit are set to the address-space-size value.

The value specified for ASSIZEMAX overrides any value provided by the MAXASSIZE parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOASSIZEMAX

Specifies that you want to delete the address space size from the OMVS segment of the user's profile. The value specified for MAXASSIZE in BPXPRMxx now applies to the user.

AUTOUID | UID | NOUID

Specifies whether RACF is to automatically assign an unused UID value to the user, if a specific UID value is to be assigned or if the user identifier from the OMVS segment of the user's profile is to be deleted.

AUTOUID

Specifies that RACF is to automatically assign an unused UID value to the user. The UID value is derived from information obtained from the BPX.NEXT.USER profile in the FACILITY class. For more information on setting up BPX.NEXT.USER, see z/OS Security Server RACF Security Administrator's Guide.

If you are using RRSF automatic command direction for the USER class, the command sent to other nodes will contain an explicit assignment of the UID value which was derived by RACF on the local node.

Rules:

• AUTOUID cannot be specified if more than one user ID is entered.
• The AUTOUID keyword is mutually exclusive with the SHARED keyword.
• If both UID and AUTOUID are specified, AUTOUID is ignored.
• If both NOUID and AUTOUID are specified, AUTOUID is ignored.
• Field-level access checking for the UID field applies when using AUTOUID.
• AUTOUID cannot be used to reassign a UID value when one already exists for the user. If AUTOUID is specified, but the user already has a UID assigned, one of two things will happen.
  • If the preexisting UID is unique to this user, this value will be identified in informational message IRR52177I, and the value remains unchanged. If RRSF automatic command direction is in effect for the USER class, then the outbound ALTUSER command will be altered to contain the preexisting UID value in the OMVS UID keyword.
  • If the preexisting UID is not unique to this user, error message IRR52178I will be issued, and the command will fail. See IRR52178I for information on changing the user's existing UID value.

UID(user-identifier) [SHARED]

UID(user-identifier)

Specifies the user identifier. The UID is a numeric value from 0 - 2 147 483 647.

When assigning a UID to a user, you should make sure that the user's default group has a GID. A user who has a UID and a current connect group that has a GID can use functions such as the TSO/E OMVS command and can access z/OS UNIX files based on the UID and GID values assigned.

Care should be taken in assigning 0 as the user identifier. UID 0 is considered a superuser. The superuser passes all z/OS UNIX security checks. Assigning a UID to a user ID that appears in the RACF started procedures table (ICHRIN03) should also be done with care. RACF defined started tasks that have the trusted or privileged attribute are considered superusers even if their UID is a value other than 0.

If the UID is not specified, the user is unable to become a z/OS UNIX user and a LISTUSER for that user ID shows NONE for the UID.

Note:

1. If the security administrator has defined the SHARED.IDS profile in the UNIXPRIV class, the UID value must be unique. Use the SHARED keyword in addition to UID to assign a value that is already in use.
2. If SHARED.IDS is not defined, RACF does not require the UID to be unique. The same value can be assigned to multiple users but this is not recommended because individual user control would be lost. However, if you want a set of users to have exactly the same access to z/OS UNIX resources, you might decide to assign the same UID to more than one user.
3. The maximum number of user IDs that can share a UID or groups that can share a GID is 132 at 8 characters. More user IDs or groups are available using less than 8 characters. If the limit is met, you can combine user ID functions (for started tasks or daemons) to use physically less user IDs sharing the same UID. You may also use SUPERUSER granularity functionality to reduce the need for SUPERUSER (using UID 0) for as many user IDs as possible.

SHARED

If the security administrator has chosen to control the use of shared UIDs, this keyword must be used in addition to the UID keyword to specify the user identifier if it is already in use by at least one other user. The administrator controls shared UIDs by defining the SHARED.IDS profile in the UNIXPRIV class.

Rules:

• If the SHARED.IDS profile is not defined, SHARED is ignored.
• If SHARED is specified in the absence of UID, it is ignored.
• If the SHARED.IDS profile is defined and SHARED is specified, but the value specified with UID is not currently in use, SHARED is ignored and UNIXPRIV authority is not required.
• Field-level access checking for the UID field applies when using SHARED.
• The SHARED keyword is mutually exclusive with the AUTOUID keyword.

NOUID

Specifies that you want to delete the user identifier from the OMVS segment of the user's profile.

If NOUID is specified, the user is unable to become a z/OS UNIX System Services user and a LISTUSER for that user ID shows NONE for the UID.

CPUTIMEMAX | NOCPUTIMEMAX

CPUTIMEMAX(cpu-time)

Specifies the RLIMIT_CPU hard limit (maximum) resource value that the user's z/OS UNIX processes receive when they are dubbed a process. The cpu-time you define to RACF is a numeric value from 7 - 2 147 483 647. RLIMIT_CPU indicates the cpu-time that a process is allowed to use, in seconds. The soft limit (current) is obtained from MVS. If the soft limit (current) resource value from MVS is greater than the cpu-time value, the soft limit is used.

The value specified for CPUTIMEMAX is also used when processes are initiated by a daemon process using an exec after setuid(). In this case, both the RLIMIT_CPU hard and soft limits are set to the cpu-time value.

For processes running in, or forked from TSO or BATCH, the cpu-time value has no effect. For processes created by the rlogin command or other daemons, cpu-time is the time limit for the address space.

The value specified for CPUTIMEMAX overrides any value provided by the MAXCPUTIME parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOCPUTIMEMAX

Specifies that you want to delete the CPU time from the OMVS segment of the user's profile. The value specified for MAXCPUTIME in BPXPRMxx now applies to the user.

FILEPROCMAX | NOFILEPROCMAX

FILEPROCMAX(files-per-process)

Specifies the maximum number of files the user is allowed to have concurrently active or open. The files-per-process you define to RACF is a numeric value from 3 and 524287. FILEPROCMAX is the same as the OPEN_MAX variable defined in the POSIX standard.

FILEPROCMAX lets you limit the amount of system resources available to a user process. Select FILEPROCMAX by considering:

• For conformance to standards, set FILEPROCMAX to:
  • At least 16 to conform to the POSIX standard
  • At least 25 to conform to the FIPS standard
• The commonly recommended value is 256.
• A process can change its own value for the number of files it has active or open using the setrlimt() function. Only processes with appropriate privileges can increase their limits.
• The minimum value of 3 supports the standard files for a process: standard input, standard output, and standard error.
• The value needs to be larger than 3 to support z/OS UNIX shell users. If the value is too small, the z/OS UNIX shells might issue the message File descriptor not available.

The value specified for FILEPROCMAX overrides any value provided by the MAXFILEPROC parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOFILEPROCMAX

Specifies that you want to delete the files per process from the OMVS segment of the user's profile. The value specified for MAXFILEPROC in BPXPRMxx now applies to the user.

HOME | NOHOME

HOME(directory-pathname)

Specifies the z/OS® UNIX directory path name. This is the current working directory for the user's process when the user enters the TSO/E command OMVS.

When you define a directory path name to RACF, it can contain 1 - 1023 characters. The directory path name can consist of any characters and can be entered with or without single quotation marks. The following rules apply:

• If parentheses, commas, blanks, or semicolons are to be entered as part of the path name, the character string must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the path name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. The fully qualified path name should be specified. RACF does not ensure that a valid path name has been specified. If you issue the ALTUSER command as a RACF operator command and you specify the path name in lowercase, you must include the path name within single quotations.

NOHOME

Specifies that you want to delete the initial directory path name from the OMVS segment of the user's profile.

If no value is specified for HOME in the OMVS segment, MVS sets the working directory for the user to / (the root directory).

MEMLIMIT | NOMEMLIMIT

MEMLIMIT(nonshared-memory-size)

Specifies the maximum number of bytes of nonshared memory that can be allocated by the user. The nonshared-memory-size value must be numeric 0 - 16777215, followed by the letter M, G, T, or P. The M, G, T or P letter indicates the multiplier to be used. The maximum value is 16383P.

Byte multiplier label	Decimal	Binary	Hexadecimal
M-megabyte	1048576	220	00000000 00100000
G-gigabyte	1073741824	230	00000000 40000000
T-terabyte	1099511627776	240	00000100 00000000
P-petabyte	1125899906842624	250	00040000 00000000

The following are different MEMLIMIT(nonshared-memory-size) examples:

• MEMLIMIT(1M) indicates a nonshared-memory-size of 1048576 bytes.
• MEMLIMIT(1500M) indicates a nonshared-memory-size of 1572864000 bytes.
• MEMLIMIT(10G) indicates a nonshared-memory-size of 10737418240 bytes.

For more extensive information, see z/OS UNIX System Services Planning.

NOMEMLIMIT

Specifies that you want to delete the nonshared memory size from the OMVS segment of the user's profile.

MMAPAREAMAX | NOMMAPAREAMAX

MMAPAREAMAX(memory-map-size)

Specifies the maximum amount of data space storage, in pages, that can be allocated by this user for memory mappings of z/OS UNIX files. Storage is not allocated until memory mappings are active. The value of memory-map-size must be 1 - 16777216.

Use of memory map services consumes a significant amount of system memory. For each page (4KB) that is memory mapped, 96 bytes of ESQA are consumed when a file is not shared with any other users. When a file is shared by multiple users, each user after the first causes 32 bytes of ESQA to be consumed for each shared page. The ESQA storage is consumed when the mmap() function is invoked by the application program.

The value specified for MMAPAREAMAX overrides any value provided by the MAXMMAPAREA parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOMMAPAREAMAX

Specifies that you want to delete the memory map size from the OMVS segment of the user's profile. The value specified for MAXMMAPAREA in BPXPRMxx now applies to the user.

PROCUSERMAX | NOPROCUSERMAX

PROCUSERMAX(processes-per-UID)

Specifies the maximum number of processes this user is allowed to have active at the same time, regardless of how the process became a z/OS UNIX process. The processes-per-UID you define to RACF is a numeric value from 3 and 32767. PROCUSERMAX is the same as the CHILD_MAX variable defined in the POSIX standard.

PROCUSERMAX allows you to limit user activity to optimize performance. Select PROCUSERMAX by considering:

• For conformance to standards, set PROCUSERMAX to:
  • At least 16 to conform to the POSIX standard
  • At least 25 to conform to the FIPS standard
• A user with a UID of 0 is not limited by the PROCUSERMAX value because a superuser might need to be capable of logging on and using z/OS UNIX services to solve a problem.
• A low PROCUSERMAX value limits the number of concurrent processes that the user can run. A low value also limits the user's consumption of processing time, virtual storage, and other system resources.
• Some daemons run without UID 0, and can create many address spaces. In these cases, it is necessary to set the limit high enough for the daemon associated with this user ID to run all of its processes.

Though not recommended, the same OMVS UID can be given to more than one user ID. If users share a UID, you need to define a greater number for PROCUSERMAX.

The value specified for PROCUSERMAX overrides any value provided by the MAXPROCUSER parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOPROCUSERMAX

Specifies that you want to delete the processes per UID from the OMVS segment of the user's profile. The value specified for MAXPROCUSER in BPXPRMxx now applies to the user.

SHMEMMAX | NOSHMEMMAX

SHMEMMAX(shared-memory-size)

Specifies the maximum number of bytes of shared memory that can be allocated by the user. The shared-memory-size value must be numeric 1 - 16777215, followed by the letter M, G, T, or P. The M, G, T, or P letter indicates the multiplier to be used. The maximum value is 16383P.

Byte multiplier label	Decimal	Binary	Hexadecimal
M-megabyte	1048576	220	00000000 00100000
G-gigabyte	1073741824	230	00000000 40000000
T-terabyte	1099511627776	240	00000100 00000000
P-petabyte	1125899906842624	250	00040000 00000000

The following are different SHMEMMAX(shared-memory-size) examples:

• SHMEMMAX(1M) indicates a shared-memory-size of 1048576 bytes.
• SHMEMMAX(1500M) indicates a shared-memory-size of 1572864000 bytes.
• SHMEMMAX(10G) indicates a shared-memory-size of 10737418240 bytes.

The value specified for SHMEMMAX overrides any value provided by the IPCSHMMPAGES parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOSHMEMMAX

Specifies that you want to delete the shared memory size from the OMVS segment of the user's profile. The value specified for IPCSHMMPAGES in BPXPRMxx now applies to the user.

THREADSMAX | NOTHREADSMAX

THREADSMAX(threads-per-process)

Specifies the maximum number of threads, including those running, queued, and exited but not detached, that this user can have concurrently active. The threads-per-process you define to RACF is a numeric value from 0 - 100000. Specifying a value of 0 prevents applications run by this user from using the pthread_create service.

The value specified for THREADSMAX overrides any value provided by the MAXTHREADS parameter of BPXPRMxx. For more information, see z/OS UNIX System Services Planning.

NOTHREADSMAX

Specifies that you want to delete the threads per process from the OMVS segment of the user's profile. The value specified for MAXTHREADS in BPXPRMxx now applies to the user.

PROGRAM | NOPROGRAM

PROGRAM(program-name)

Specifies the PROGRAM path name (z/OS UNIX shell program). This is the first program started when the TSO/E command OMVS is entered or when a batch job is started using the BPXBATCH program.

When you define a PROGRAM path name to RACF, it can contain 1 - 1023 characters. The PROGRAM path name can consist of any characters and can be entered with or without single quotation marks. The following rules apply:

• If parentheses, commas, blanks, or semicolons are to be entered as part of the path name, the character string must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the path name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. The fully qualified path name should be specified. RACF does not ensure that a valid path name has been specified. If you issue the ALTUSER command as a RACF operator command and you specify the path name in lowercase, you must include the path name within single quotations.

NOPROGRAM

Specifies that you want to delete the z/OS UNIX System Services program path name from the OMVS segment of the user's profile.

If no value is specified for PROGRAM in the OMVS segment, MVS gives control to the default z/OS UNIX shell program when the user issues the TSO/E command OMVS or starts a batch job using the BPXBATCH program.

For more information about the default z/OS UNIX shell program supplied with z/OS UNIX System Services, see z/OS UNIX System Services Planning and z/OS UNIX System Services User's Guide.

NOOMVS

Specifies that RACF delete the OMVS segment from the user's profile.

OPERATIONS | NOOPERATIONS

OPERATIONS

Specifies that the user is to have authorization to do maintenance operations on all RACF-protected DASD data sets, tape volumes, and DASD volumes except those where the access list specifically limits the OPERATIONS user to an access authority that is less than the operation requires.

You establish the lower access authority for the OPERATIONS user with the PERMIT command. OPERATIONS on the ALTUSER command overrides NOOPERATIONS on the CONNECT command.

You must have the SPECIAL attribute to use the OPERATIONS operand.

NOOPERATIONS

Specifies that the user is not to have the OPERATIONS attribute.

You must have the SPECIAL attribute to use the NOOPERATIONS operand.

OPERPARM | NOOPERPARM

OPERPARM

Specifies default information used when this user establishes an extended MCS console session.

You can control access to the entire OPERPARM segment or to individual fields within the OPERPARM segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

For information on planning how to use OPERPARM segments, see z/OS MVS Planning: Operations.

Note:

1. You need not specify every suboperand in an OPERPARM segment. In general, if you omit a suboperand, the default is the same as the default in the CONSOLxx PARMLIB member, which can also be used to define consoles.
2. If you specify MSCOPE or ROUTCODE but do not specify a value for them, RACF uses MSCOPE(*ALL) and ROUTCODE(NONE) to update the corresponding fields in the user profile. These values appear in listings of the OPERPARM segment of the user profile.
3. If you omit the other suboperands, RACF does not update the corresponding fields in the user's profile, and no value appears in listings of the OPERPARM segment of the profile.

ALTGRP | NOALTGRP

ALTGRP(alternate-console-group)

Specifies the console group used in recovery. The variable alternate-console-group can contain 1 - 8 characters. Valid characters are 0 - 9, A - Z, # (X'7B'), $ (X'5B'), or @ (X'7C').

Restriction: Starting with z/OS Version 1 Release 8, console services ignores ALTGRP(alternate-console-group) when a session is established and it need not be specified.

NOALTGRP

Deletes alternate console group information from this profile.

AUTH | NOAUTH

AUTH

Specifies this console's authority to issue operator commands.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses AUTH(INFO) when a session is established.

The console can have the following authorities:

MASTER

Allows this console to act as a master console, which can issue all MVS operator commands. This authority can only be specified by itself.

ALL

Allows this console to issue system control commands, input/output commands, console control commands, and informational commands. This authority can only be specified by itself.

INFO

Allows this console to issue informational commands. This authority can only be specified by itself.

CONS

Allows this console to issue console control and informational commands.

IO

Allows this console to issue input/output and informational commands.

SYS

Allows this console to issue system control commands and informational commands.

NOAUTH

Deletes the user's operator authorities from the profile. Console operator authority no longer appears in profile listings. However, AUTH(INFO) is used when an extended MCS console session is established.

AUTO | NOAUTO

AUTO(YES | NO)

Specifies whether the extended console can receive messages that have been automated by the Message Processing Facility (MPF) in the sysplex.

NOAUTO

Deletes this field from the user's profile. No AUTO information appears in profile listings. However, AUTO(NO) is used when an extended MCS console session is established.

CMDSYS | NOCMDSYS

CMDSYS(system-name | *)

Specifies the system to which commands from this console are to be sent.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses CMDSYS(*) when a session is established. The system-name value must be 1 - 8 characters. Valid characters are A - Z, 0 - 9, @ (X'7C'), # (X'7B'), and $ (X'5B'). If (*) is specified, commands are processed on the local system where the console is attached.

NOCMDSYS

Deletes any system-names from this profile. No CMDSYS information appears in profile listings. However, CMDSYS(*) is used when an extended MCS console session is established.

DOM | NODOM

DOM(NORMAL | ALL | NONE)

Specifies which delete operator message (DOM) requests this console can receive.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses DOM(NORMAL) when a session is established.

NORMAL

The system queues all appropriate DOM requests to this console.

ALL

All systems in the sysplex queue DOM requests to this console.

NONE

No DOM requests are queued to this console.

NODOM

Deletes this field from the user's profile. DOM information no longer appears in profile listings. However, DOM(NORMAL) is used when an extended MCS console session is established.

HC | NOHC

HC(YES | NO)

Specifies whether this console is to receive all messages that are directed to hardcopy. Any route codes specified for a console do not apply to hardcopy messages, so this console receives all hardcopy messages regardless of their specific route code.

NOHC

Deletes this field from the user's profile. z/OS console services uses HC(NO) when a session is established.

INTIDS | NOINTIDS

INTIDS(YES | NO)

Specifies whether this console is to receive messages directed to console ID zero (the internal console). Such messages are usually responses to internally issued commands.

NOINTIDS

Deletes this field from the user's profile. z/OS console services uses INTIDS(NO) when a session is established.

KEY | NOKEY

KEY(searching-key)

Specifies a 1 - 8 character name that can be used to display information for all consoles with the specified key by using the MVS command DISPLAY CONSOLES,KEY. If specified, KEY can include A - Z, 0 - 9, # (X'7B'), $ (X'5B'), or @ (X'7C').

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses a KEY value of NONE when a session is established.

NOKEY

Deletes search key information from the user's profile. Search key information no longer appears in profile listings. However, a KEY value of NONE is used when an extended MCS console session is established.

LEVEL | NOLEVEL

LEVEL(message-level)

Specifies the messages that this console is to receive.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses LEVEL(ALL) when a session is established.

The message-level variable can be a list of R, I, CE, E, IN, NB or ALL. If you specify ALL, you cannot specify R, I, CE, E, or IN.

NB

The console receives no broadcast messages.

ALL

The console receives these messages: R, I, CE, E, IN.

R

The console receives messages requiring an operator reply.

I

The console receives immediate action messages.

CE

The console receives critical eventual action messages.

E

The console receives eventual action messages.

IN

The console receives informational messages.

NOLEVEL

Deletes any defined message levels for this console from the profile. Message information no longer appears in profile listings. However, LEVEL(ALL) is used when an extended MCS console session is established.

LOGCMDRESP | NOLOGCMDRESP

LOGCMDRESP(SYSTEM | NO)

Specifies if command responses are to be logged.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses LOGCMDRESP(SYSTEM) when a session is established.

SYSTEM

Specifies that command responses are logged in the hardcopy log.

NO

Specifies that command responses are not logged.

NOLOGCMDRESP

Deletes the value for LOGCMDRESP from the profile. Command response logging information no longer appears in profile listings. However, LOGCMDRESP(SYSTEM) is used when an extended MCS console session is established.

MFORM | NOMFORM

MFORM(message-format)

Specifies the format in which messages are displayed at the console.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses MFORM(M) when a session is established.

The message-format variable can be a combination of T, S, J, M, and X:

J

Messages are displayed with a job ID or name.

M

The message text is displayed.

S

Messages are displayed with the name of the originating system.

T

Messages are displayed with a time stamp.

X

Messages that are flagged as exempt from job name and system name formatting are ignored.

NOMFORM

Deletes the values for MFORM from the profile and causes message text to be displayed (MFORM(M)) when an extended MCS console session is established.

MIGID | NOMIGID

MIGID(YES | NO)

Specifies whether a 1-byte migration ID is to be assigned to this console or not. The migration ID allows command processors that use a 1-byte console ID to direct command responses to this console.

Restriction: Starting with z/OS Version 1 Release 7, console services ignores MIGID(YES | NO) when a session is established and it need not be specified.

NOMIGID

Deletes this segment from the profile. Migration identification information no longer appears in profile listings. However, MIGID(NO) is assigned when an extended MCS console session is established.

MONITOR | NOMONITOR

MONITOR(events)

Specifies which information should be displayed when monitoring jobs, TSO sessions, or data set status.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses MONITOR(JOBNAMES SESS) when a session is established. The variable events can be a list of the following:

JOBNAMES | JOBNAMEST

Displays information about the start and end of each job. JOBNAMES omits the times of job start and job end. JOBNAMEST displays the times of job start and job end.

SESS | SESST

Displays information about the start and end of each TSO session. SESS omits the times of session start and session end. SESST displays the times of session start and session end.

STATUS

Specifies that the information displayed when a data set is freed or unallocated should include the data set status.

NOMONITOR

Deletes job monitor information from the user's profile. Information from this field no longer appears in profile listings. However, MONITOR(JOBNAMES SESS) is used when an extended MCS console session is established.

MSCOPE | ADDMSCOPE | DELMSCOPE | NOMSCOPE

MSCOPE(system-name ... | * | *ALL)

Specifies the systems from which this console can receive messages that are not directed to a specific console.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses MSCOPE(*ALL) when a session is established. If you specify MSCOPE but omit a value, RACF uses MSCOPE(*ALL) as the default to update this field in the user's profile. *ALL appears in listings of the OPERPARM segment of the user's profile.

system-name ...

Is a list of one or more system names, where a system name can be any combination of A - Z, 0 - 9, # (X'7B'), $ (X'5B'), or @ (X'7C').

*

Is the system on which the console is currently active.

*ALL

Means all systems.

ADDMSCOPE(system-name ...)

Adds the specified system names to the existing list of systems from which this console can receive messages that are not directed to a specific console.

DELMSCOPE(system-name ...)

Deletes the specified system names from the existing list of systems from which this console can receive messages that are not directed to a specific console.

NOMSCOPE

Deletes any system name information from the user's profile. Message reception information no longer appears in profile listings. However, MSCOPE(*ALL) is used when an extended MCS console session is established.

ROUTCODE | NOROUTCODE

ROUTCODE(ALL | NONE | routing-codes)

Specifies the routing codes of messages this operator is to receive.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses ROUTCODE(NONE) when a session is established. If you specify ROUTCODE but omit a value, RACF uses ROUTCODE(NONE) to update this field in the user's profile. NONE appears in listings of the OPERPARM segment of the user's profile.

The routing code information can be one of the following:

ALL

Means all routing codes.

NONE

Means no routing codes.

routing-codes

Specifies one or more routing codes or sequences of routing codes. The routing codes can be a list of n and n1:n2, where n, n1, and n2 are integers 1 - 128, and n1:n2 represents a range of routing codes from n1 (low) to n2 (high).

NOROUTCODE

Deletes routing code information from the user's profile. Routing code information no longer appears in profile listings. However, ROUTCODE(NONE) is used when an extended MCS console session is established.

STORAGE | NOSTORAGE

STORAGE(amount)

Specifies the amount of storage in the TSO/E user's address space that can be used for message queuing to this console.

If you omit this operand, RACF does not alter this field in the user's profile. If this field has not been added to the user's profile, an extended MCS console uses STORAGE(1) when a session is established. A value of 0 appears in listings of the user's profile to indicate that no value was specified. The variable amount must be a value from 1 - 2000.

NOSTORAGE

Deletes this field from the profile. A value of 0 appears in listings of the user's profile to indicate that no value was specified. However, STORAGE(1) is used when an extended MCS console session is established.

UD | NOUD

UD(YES | NO)

Specifies whether this console is to receive undelivered messages. If you do not specify this operand, RACF does not alter the user's profile.

Restriction: Starting with z/OS Version 1 Release 8, console services ignores UD(YES | NO) when a session is established and it need not be specified.

NOUD

Deletes the field from the profile. Undelivered message information no longer appears in profile listings. However, UD(NO) is used when an extended MCS console session is established.

UNKNIDS | NOUNKNIDS

UNKNIDS(YES | NO)

Specifies whether this console is to receive messages directed to unknown console IDs. Unknown consoles are typically one-byte console IDs that the system cannot unambiguously resolve.

NOUNKNIDS

Deletes this field from the user's profile. z/OS console services uses UNKNIDS(NO) when a session is established.

NOOPERPARM

Specifies that the OPERPARM segment is to be deleted. Operator information no longer appears in LISTUSER output.

OVM | NOOVM

Specifies OpenExtensions VM information for the user profile being changed. Information is stored in the OVM segment of the user's profile.

You can control access to an entire OVM segment or to individual fields within the OVM segment by using field level access checking.

FSROOT | NOFSROOT

FSROOT(file-system-root)

Specifies the path name for the file system root.

When you define the FSROOT path name to RACF, it can contain 1 - 1023 characters, consist of any character, and be entered with or without single quotation marks. The following rules apply:

• If the path name contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the path name is (123), you must enter FSROOT('(123)').
• If a single quotation mark is intended to be part of the path name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

When entering the ALTUSER command, both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. You should specify the fully qualified path name because RACF does not ensure that a valid path name has been specified.

NOFSROOT

Specifies that you want to delete the FSROOT path name from the OVM segment of the user's profile.

If you do not specify a value for FSROOT in the OVM segment, VM uses the value specified in the CP directory. If no value is specified in the CP directory, issue the OPENVM MOUNT command to mount the appropriate file system.

HOME | NOHOME

HOME(initial-directory-name)

Specifies the initial directory path name. The initial directory is part of the file system and is the current working directory for the user's process when the user enters the OPENVM SHELL command.

When you define a HOME directory name to RACF, the name can contain 1 - 1023 characters, consist of any character, and be entered with or without single quotation marks. The following rules apply:

• If the path name contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the path name is (123), you must enter HOME('(123)').
• If a single quotation mark is intended to be part of the path name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

When entering the ALTUSER command, both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. You should specify the fully qualified path name because RACF does not ensure that a valid path name has been specified.

NOHOME

Specifies that you want to delete the initial directory path name from the OVM segment of the user's profile.

If no value is specified for HOME in the OVM segment, VM uses the value specified in the CP directory. If no value is specified in the CP directory, VM sets the working directory for the user to / (the root directory).

PROGRAM | NOPROGRAM

PROGRAM(program-name)

Specifies the PROGRAM path name (z/OS UNIX shell program). This is the first program started when the OPENVM SHELL command is entered.

When you define a PROGRAM path name to RACF, it can contain 1 - 1023 characters, consist of any character, and be entered with or without single quotation marks. The following rules apply:

• If the path name contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the path name is (123), you must enter PROGRAM('(123)').
• If a single quotation mark is intended to be part of the path name, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

When entering the ALTUSER command, both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. Specify the fully qualified path name. RACF does not ensure that a valid path name is specified.

NOPROGRAM

Specifies that you want to delete the PROGRAM path name from the OVM segment of the user's profile.

If no value is specified for PROGRAM in the OVM segment, VM uses the value specified in the CP directory. If no value is specified in the CP directory, VM gives control to the default z/OS UNIX shell program (/bin/sh) when a user issues the OPENVM SHELL command.

UID | NOUID

UID(user-identifier)

Specifies the user identifier. The UID is a numeric value from 0 - 2 147 483 647.

Care should be taken in assigning 0 as the user identifier. UID 0 is considered a superuser, and a superuser passes all OpenExtensions VM security checks.

Note:

1. RACF does not require the UID to be unique. You can assign the same value to multiple users, but this is not recommended because individual user control is lost. However, if you want a set of users to have exactly the same access to the OpenExtensions VM resources, you can assign the same UID to more than one user.
2. Exercise caution when changing the UID for a user.
   • The file-system might contain files that were created by the user, and thus contain the old UID as the file owner UID. Depending on the permission bits associated with the file, the user probably loses access to those files.
   • If files already exist with an owner UID equal to the user's new UID value, the user probably gains access to these files.
   • If another user is subsequently added with the old value as its UID, then the user might have access to the old files.
   • If you have an EXEC.uid profile in the VMPOSIX class for the old UID value, make sure you delete this profile and create another to reflect the new value.

Care should also be taken when changing the value of a user's UID (as opposed to assigning an initial value). Any references in the UNIX file system (for example, file ownership or access control list entries) to the old value remain unchanged. Any subsequential change of the user's UID value can:

• change and potentially remove the user's ownership to those files,
• change and potentially remove the user's authority to those files.

NOUID

Specifies that you want to delete the user identifier from the OVM segment of the user's profile.

If NOUID is specified, the user is assigned the default UID of 4294967295 (X'FFFFFFFF') and a LISTUSER for that user ID shows NONE for the UID.

NOOVM

Specifies that RACF delete the OVM segment from the user's profile.

OWNER(userid or group-name)

Specifies a RACF-defined user or group to be assigned as the new owner of the user's profile.

PASSWORD | NOPASSWORD

PASSWORD[(password)]

Specifies the user's logon password. Use this command to specify a password for a user who has forgotten his/her password. Unless the NOEXPIRED operand is also specified, this password is set expired, thus requiring the user to change the password at next logon or job start. Note that the password syntax rules your installation defines using SETROPTS PASSWORD do not apply to this password unless the NOEXPIRED operand is also included.

If you specify a password value, the password is checked by the new-password exit (ICHPWX01), if present.

If you specify PASSWORD without a value, no password is assigned.

Note:

1. If the installation is maintaining user password history, the password that was in effect prior to issuing this command is stored as part of this history. Note that the password specified is not subject to history checking.
2. When the installation specifies a minimum change interval, RACF checks the number of days between password changes to ensure the minimum required days have elapsed each time users change their own passwords. RACF also checks the days when users change passwords using their IRR.PASSWORD.RESET or IRR.PWRESET authority unless the command issuer has CONTROL authority or higher.

If you enter PASSWORD without a password value, you are prompted for a value unless your TSO session is in NOPROMPT mode. If you are in NOPROMPT mode, or issuing the command from an environment without prompting, the command fails and the user profile(s) is not defined.

If you enter PASSWORD without a password value, you are prompted for a value unless your TSO session is in NOPROMPT mode. If you are in NOPROMPT mode, or issuing the command from an environment without prompting, the command fails, and no updates to the profile(s) occur.

NOPASSWORD

Specifies that the user cannot supply a password when entering the system. If NOOIDCARD is specified, or the user ID has the NOOIDCARD attribute, and NOPHRASE is specified or the user ID does not have a password phrase, and you specify NOPASSWORD, you change the status of the user ID to protected. Protected user IDs cannot be used to enter the system by any means that requires a password to be specified, such as a TSO logon, CICS signon, batch job that specifies a password on the JOB statement. Therefore, user IDs that you assign to z/OS UNIX, UNIX daemons, started procedures, applications, servers or subsystems can be protected from being revoked when an incorrect password is entered. If the user attempts to enter the system with a password, the attempt fails. Note that the protected user ID is not revoked due to the failed password attempts even if the SETROPTS PASSWORD(REVOKE) option is in effect.

Determine which user IDs you want to protect, ensuring that these user IDs is not used in any circumstance where a password must be supplied. A protected user has the PROTECTED attribute displayed in the output of the LISTUSER command. Protected users can be associated with started procedures defined in the STARTED class (preferred method) or in the started procedures table (ICHRIN03).

Note: z/OS Integrated Security Services Network Authentication Service information such as a local kerberos-principal-name must not be defined for protected user IDs, and these user IDs must not be used for z/OS Network Authentication Service authentication, because these authentication failures can result in user revocation.

PHRASE | NOPHRASE

PHRASE('password-phrase')

Specifies the user's password phrase. The password phrase you define is a text string of up to 100 characters and must be enclosed in single quotation marks. The password phrase is set expired unless NOEXPIRED is also specified.

The following syntax rules apply to all password phrases. You cannot alter these syntax rules but you can specify additional syntax rules if your installation tailors the new-password-phrase exit (ICHPWX11).

Syntax rules for password phrases:

• Maximum length: 100 characters
• Minimum length:
  • 9 characters, when the encryption algorithm is KDFAES or ICHPWX11 is present and allows the new value
  • 14 characters, when ICHPWX11 is not present and the encryption algorithm is not KDFAES
• Must not contain the user ID (as sequential uppercase or sequential lowercase characters)
• Must contain at least 2 alphabetic characters (A - Z, a - z)
• Must contain at least 2 non-alphabetic characters (numerics, punctuation, or special characters)
• Must not contain more than 2 consecutive characters that are identical
• If a single quotation mark is intended to be part of the password phrase, you must use two single quotation marks together for each single quotation mark.

If the new-password-phrase exit (ICHPWX11) is present, it can reject the specified password phrase. RACF allows password phrases greater than 8 characters when the encryption algorithm is KDFAES, however, ICHPWX11 can enforce any minimum length greater than 8.

If the specified password phrase is accepted, it is made the user's current password phrase and, when SETROPTS PASSWORD(HISTORY) is in effect, it is added to the user's password phrase history.

If you enter PHRASE without a password-phrase value, you are prompted for a value unless your TSO session is in NOPROMPT mode.

When the installation specifies a minimum change interval, RACF checks the number of days between password phrase changes to ensure the minimum required days have elapsed each time users change their own password phrases. RACF also checks the days when users change password phrases using the IRR.PASSWORD.RESET or IRR.PWRESET authority unless the command issuer has CONTROL authority or higher.

NOPHRASE

Specifies that the user cannot use a password phrase for authentication. If a password phrase was previously set, the password phrase is cleared. The date of the last password phrase change is also cleared from the user's profile. If NOOIDCARD is specified, or the user ID has the NOOIDCARD attribute, and NOPASSWORD is specified or the user ID has the NOPASSWORD attribute, and you specify NOPHRASE, you change the status of the user ID to protected. See NOPASSWORD for more information.

PWCLEAN | PWCONVERT

PWCLEAN

Performs the following functions:

• Removes residual password and password phrase history entries resulting from lowering the SETROPTS PASSWORD(HISTORY(n)) value.
• Reorganizes the history so that an increase in the SETROPTS PASSWORD(HISTORY(n)) value takes immediate effect.
• Removes any password history from a user without a password.
• Removes any password phrase history from a user without a password phrase.

When the SETROPTS PASSWORD(HISTORY(n)) value is lowered, the residual history entries continue to be used by RACF. PWCLEAN removes these entries.

If the SETROPTS PASSWORD(HISTORY(n)) value is raised, the higher number does not immediately take effect, depending on how many times a user has changed their password or password phrase in the past. PWCLEAN reorganizes the history so that the history change takes effect immediately after using PWCLEAN.

PWCLEAN should be used against all user IDs whenever the SETROPTS PASSWORD(HISTORY(n)) value is changed. The SEARCH command with the CLIST option provides a way of creating a 'utility' to do this.

PWCONVERT

Performs the following functions:

• Performs the PWCLEAN function.
• If KDFAES is active:
  • If the current password is in legacy format, converts it to KDFAES format.
  • Converts any legacy-format password history entries to KDFAES.
• If KDFAES is not active:
  • Deletes any password and password phrase history entries that are in KDFAES format.

PWCONVERT does nothing with the current password phrase. After KDFAES is enabled, the phrase must be changed before it is encrypted with the new algorithm. Likewise, PWCONVERT does nothing with phrase history entries. They remain in their legacy form until they are replaced in the history.

The IRRDBU00 utility reports on the algorithm that is used to encrypt a user's current password and password phrase, including the number of legacy password history entries. This information can be used to determine the exact user IDs needing an update. This allows for a more efficient conversion than SEARCH with CLIST.

Attention:

1. The existing current password and password history entries are assumed to be encrypted with DES when PWCONVERT encrypts them using KDFAES. If you use masking, or an installation-defined encryption method by use of an ICHDEX01 exit, do not use PWCONVERT. This results in the user being unable to log on until the password is changed. In addition, it results in unusable history entries. That is, a user is able to reuse a password value that is contained in the password history.
2. When password history entries are converted, they can never be converted back to the legacy format. Thus, they are always more expensive to evaluate, and they are not recognized by any systems not containing KDFAES support.

PROXY | NOPROXY

PROXY

Specifies information which the z/OS LDAP server uses when acting as a proxy on behalf of a requester. The R_proxyserv (IRRSPY00) SAF callable service attempts to retrieve this information when it is not explicitly supplied with the invocation parameters. Applications or other services which use the R_proxyserv callable service, such as IBM Policy Director Authorization Services for z/OS and OS/390, may instruct their invokers to define PROXY segment information.

LDAPHOST | NOLDAPHOST

LDAPHOST(ldap_url)

Specifies the URL of the LDAP server which the z/OS LDAP server contacts when acting as a proxy on behalf of a requester. An LDAP URL has a format such as ldap://123.45.6:389 or ldaps://123.45.6:636, where ldaps indicates that an SSL connection is desired for a higher level of security. LDAP also allows you to specify the host name portion of the URL using either the text form (BIGHOST.POK.IBM.COM) or the dotted decimal address (123.45.6). The port number is appended to the host name, separated by a colon : (X'7A').

For more information about LDAP URLs and how to enable LDAP servers for SSL connections, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

The LDAP URL that you define to RACF can consist of 10 - 1023 characters. A valid URL must start with either ldap:// or ldaps://. RACF allows any characters to be entered for the remaining portion of the URL, but you should ensure that the URL conforms to TCP/IP conventions. For example, parentheses, commas, blanks, semicolons, and single quotation marks are not typically allowed in a host name. The LDAP URL can be entered with or without single quotation marks, however, in both cases, it is translated to uppercase.

RACF does not ensure that a valid LDAP URL has been specified.

NOLDAPHOST

Deletes the URL of the LDAP server which the z/OS LDAP server contacts when acting as a proxy on behalf of a requester.

BINDDN | NOBINDDN

BINDDN(bind_distinguished_name)

Specifies the distinguished name (DN) which the z/OS LDAP server uses when acting as a proxy on behalf of a requester. This DN is used in conjunction with the BIND password, if the z/OS LDAP server needs to supply an administrator or user identity to BIND with another LDAP server. A DN is made up of attribute value pairs, separated by commas. For example:

cn=Ben Gray,ou=editing,o=New York Times,c=US 
cn=Lucille White,ou=editing,o=New York Times,c=US 
cn=Tom Brown,ou=reporting,o=New York Times,c=US 

When you define a BIND DN to RACF, it can contain 1 - 1023 characters. The BIND DN can consist of any characters and can be entered with or without single quotation marks. The following rules apply:

• If parentheses, commas, blanks, or semicolons are to be entered as part of the BIND DN, the character string must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the BIND DN, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. For more information about LDAP distinguished names, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

If you issue the ALTUSER command as a RACF operator command and you specify the BIND DN in lowercase, you must include the BIND DN within single quotations.

RACF does not ensure that a valid BIND DN has been specified.

NOBINDDN

Deletes the distinguished name (DN) used by the z/OS LDAP server when acting as a proxy on behalf of a requester.

BINDPW | NOBINDPW

BINDPW

Specifies the password which the z/OS LDAP server is used when acting as a proxy on behalf of a requester.

When you define a BIND password to RACF, it can contain 1 - 128 characters. The BIND password can consist of any characters (see the following exception) and can be entered with or without single quotation marks. The following rules apply:

• The BIND password cannot start with a left brace { character (X'8B').
• If parentheses, commas, blanks, or semicolons are to be entered as part of the BIND password, the character string must be enclosed in single quotation marks.
• If a single quotation mark is intended to be part of the BIND password, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. For more information about LDAP passwords, see z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

If you issue the ALTUSER command as a RACF operator command and you specify the BIND password in lowercase, you must include the BIND password within single quotations.

RACF does not ensure that a valid BIND password has been specified.

Important:

• When the command is issued from ISPF, the TSO command buffer (including possible BINDPW password data) is written to the ISPLOG data set. As a result, you should not issue this command from ISPF or you must control the ISPLOG data set carefully.
• When the command is issued as a RACF operator command, the command and the possible BINDPW password data is written to the system log. Therefore, use of ALTUSER as a RACF operator command should either be controlled or you should issue the command as a TSO command.

NOBINDPW

Deletes the password used by the z/OS LDAP server when acting as a proxy on behalf of a requester.

NOPROXY

Deletes LDAP proxy information.

RESTRICTED | NORESTRICTED

RESTRICTED

Specifies that global access checking is bypassed when resource access checking is performed for the user, and neither ID(*) on the access list nor the UACC will allow access. The RESTRICTED.FILESYS.ACCESS profile in the UNIXPRIV class can also be used to bypass the z/OS UNIX other permission bits during file access checking for RESTRICTED users.

Note: If your installation has profiles defined in the PROGRAM class, and the user ID with the RESTRICTED attribute needs to load programs covered by one or more of these profiles, the user ID must be put on the access list with EXECUTE or READ authority.

NORESTRICTED

Specifies that the user does not have the RESTRICTED attribute and access checking is performed the standard way including global access checking, ID(*), the UACC, and the z/OS UNIX 'other' permission bits as appropriate.

RESUME | NORESUME

RESUME[(date)]

Specifies that the user is to be allowed to access the system again. You normally use RESUME to restore access to the system that has been prevented by a prior REVOKE.

If you specify a date, RACF prevents the user from accessing the system until the date you specify. The date must be a future date; if it is not, you are prompted to provide a future date.

Between the time you specify the RESUME and the time the RESUME takes effect, the RESUME is called a pending resumption (or a pending RESUME).

You specify a date in the form mm/dd/yy, and you need not specify leading zeros; specifying 9/1/06 is the same as specifying 09/01/06. RACF interprets dates as 20yy when yy is less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would be in the year 1994, and 09/01/14 would be in the year 2014.

If you specify RESUME without a date, the RESUME takes effect immediately.

When no REVOKE or pending REVOKE is in effect for the user, RACF ignores the RESUME operand.

Note:

1. If you use the ALTUSER command to issue a REVOKE for a user, you must use the ALTUSER command to issue the corresponding RESUME. Issuing RESUME on the CONNECT command does not restore access revoked on the ALTUSER command.
2. If you specify both REVOKE(date) and RESUME(date), RACF acts on them in date order. For example, if you specify RESUME(8/19/06) and REVOKE(8/5/06), RACF prevents the user from accessing the system from August 5, 2006, to August 18, 2006. On August 19, the user can again access the system.

   If a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing the system.

3. If RACF detects a conflict between REVOKE and RESUME (for example, you specify both without a date), RACF uses REVOKE.
4. To clear the RESUME date field, specify NORESUME.
5. To successfully resume a user whose revoke date has passed, you must specify NOREVOKE to clear the revoke date as well as specifying the RESUME keyword.
6. Downlevel systems sharing the RACF database should not be affected by the changes to REVOKE and RESUME processing. A user who is considered revoked on a z/OS V1R7 system should also be considered revoked on a downlevel system.

NORESUME

Specifies that RACF is to clear the user's RESUME date field. You can use the NORESUME option to cancel the pending resumption (of a user's ID) that resulted from a previous ALTUSER command specified with RESUME(date).

REVOKE | NOREVOKE

REVOKE[(date)]

Specifies that RACF is to prevent the user from accessing the system. The user's profile is not deleted from the RACF database, and the user's data sets are not deleted from the RACF data set.

If you specify the date, RACF prevents the user from accessing the system, starting on the date you specify. The date must be a future date; if it is not, you are prompted to provide a future date.

Between the time you specify the REVOKE and the time the REVOKE takes effect, the REVOKE is called a pending revocation (or a pending REVOKE).

You specify a date in the form mm/dd/yy, and you need not specify leading zeros; specifying 9/1/06 is the same as specifying 09/01/06. RACF interprets dates as 20yy when yy is less than 71, and 19yy when yy is 71 or higher. So, 09/01/94 would be in the year 1994, and 09/01/14 would be in the year 2014.

When you specify REVOKE without a date, the following conditions apply:

• The REVOKE takes effect the next time the user tries to log on to the system.
• Any pending RESUME date remains in effect unless you also specify NORESUME.

  Important: To permanently revoke system access, specify both REVOKE and NORESUME.

When a REVOKE is already in effect for the user, RACF ignores the REVOKE operand and issues a message.

Note:

1. Specifying REVOKE on the ALTUSER command overrides RESUME on the CONNECT command.
2. If you specify both REVOKE(date) and RESUME(date), RACF acts on them in date order. For example, if you specify RESUME(8/19/06) and REVOKE(8/5/06), RACF prevents the user from accessing the system from August 5, 2006, to August 18, 2006. On August 19, the user can again access the system.

   If a user is already revoked and you specify RESUME(8/5/06) and REVOKE(8/19/06), RACF allows the user to access the system from August 5, 2006, to August 18, 2006. On August 19, RACF prevents the user from accessing the system.

3. If RACF detects a conflict between REVOKE and RESUME (for example, you specify both without a date), RACF uses REVOKE.
4. To clear the REVOKE date field, specify NOREVOKE.
5. Downlevel systems sharing the RACF database should not be affected by the changes to REVOKE and RESUME processing. A user who is considered revoked on a z/OS V1R7 system should also be considered revoked on a downlevel system.

NOREVOKE

Specifies that RACF is to clear the user's REVOKE date field. You can use the NOREVOKE option to cancel the pending revocation (of a user's ID) that resulted from a previous ALTUSER command specified with REVOKE(date).

To successfully resume a user whose revoke date has passed, you must specify NOREVOKE to clear the revoke date.

The NOREVOKE option does not resume the user ID after it was revoked by the ALTUSER REVOKE command or the user's excessive attempts to use incorrect passwords or password phrases. To successfully resume a user under these circumstances, you must specify the RESUME keyword as well.

ROAUDIT | NOROAUDIT

ROAUDIT

Specifies that the user is to have full responsibility for auditing the use of system resources.

You must have the SPECIAL attribute to enter the ROAUDIT operand.

NOROAUDIT

Specifies that the user no longer has the ROAUDIT attribute.

You must have the SPECIAL attribute to enter the NOROAUDIT operand.

SECLABEL | NOSECLABEL

SECLABEL(seclabel-name)

Specifies the user's default security label where seclabel-name is an installation-defined security label that represents an association between a particular security level and a set of zero or more security categories.

A security label corresponds to a particular security level (such as CONFIDENTIAL) with a set of zero or more security categories (such as PAYROLL or PERSONNEL).

When no profile in the SECLABEL class exists for seclabel-name, an error message is issued and the user's security label is not changed.

NOSECLABEL

Specifies that the ALTUSER command is to delete any security label contained in the user profile.

SECLEVEL | NOSECLEVEL

SECLEVEL(seclevel-name)

Specifies the user's security level, where seclevel-name is an installation-defined name that must be a member of the SECLEVEL profile in the SECDATA class. The security level name that you specify corresponds to the number of the minimum security level that a user must have to access the resource.

When you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to its other authorization checking. If global access checking does not grant access, RACF compares the security level allowed in the user profile with the security level required in the resource profile. If the security level in the user profile is less than the security level in the resource profile, RACF denies the access. If the security level in the user profile is equal to or greater than the security level in the resource profile, RACF continues with other authorization checking.

Note: RACF does not perform security level checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.

When the SECDATA class is not active, RACF ignores this operand. When the SECLEVEL profile does not include a member for seclevel-name, you are prompted to provide a valid security level name.

NOSECLEVEL

Specifies that the ALTUSER command is to delete any security level contained in the user profile. The user no longer has access to any resource that requires a requester to have a certain security level.

SPECIAL | NOSPECIAL

SPECIAL

Specifies that the user is to be allowed to issue all RACF commands with all operands except the operands that require the AUDITOR attribute. SPECIAL specified on the ALTUSER command overrides NOSPECIAL specified on the CONNECT command.

You must have the SPECIAL attribute to use the SPECIAL operand.

NOSPECIAL

Specifies that the user no longer has the SPECIAL attribute.

You must have the SPECIAL attribute to use the NOSPECIAL operand.

TSO | NOTSO

TSO

Specifies that when you change the profile of a TSO user, you can enter any of the following suboperands to add or change default TSO logon information for that user. Each suboperand defines information that RACF stores in a field within the TSO segment of the user's profile.

You can control access to an entire TSO segment or to individual fields within the TSO segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.

ACCTNUM | NOACCTNUM

ACCTNUM(account-number)

Specifies the user's default TSO account number when logging on from the TSO/E logon panel. The account number you specify must be defined as a profile in the ACCTNUM general resource class, and the user must be granted READ access to the profile. Otherwise, the user cannot log on to TSO using the specified account number.

Account numbers can consist of any characters, and can be entered with or without single quotation marks. The following rules apply:

• If parentheses, commas, blanks, and semicolons are to be entered as part of the account number, the character string must be enclosed in single quotation marks. For example, if the account number is (123), you must enter ACCTNUM('(123)').
• If a single quotation mark is intended to be part of the account number, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

A user can change an account number, or specify an account number if one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization to the specified account number. If the user is authorized to use the account number, RACF stores the account number in the TSO segment of the user's profile, and TSO/E uses it as a default value the next time the user logs on to TSO/E. Otherwise, RACF denies the use of the account number.

Note: When you define an account number on TSO, you can specify 1 - 40 characters. When you define a TSO account number to RACF, you can specify only 1 - 39 characters.

NOACCTNUM

Specifies that you want to delete the user's default account number. If you delete the default account number from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

COMMAND | NOCOMMAND

COMMAND(command-issued-at-logon)

Specifies the command to be run during TSO/E logon. TSO/E uses this field to prime the COMMAND field of the logon panel. The command value can contain 1 - 80 characters and consist of any characters. You can enter the value with or without single quotation marks depending on the following rules:

• If the command value contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the command value is (123), you must enter COMMAND('(123)').
• If a single quotation mark is intended to be part of the command value, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered. A user can change the command value, or specify a command if one has not been specified, using the TSO/E logon panel.

Note: It is recommended that you use this command for a user who is logged off. If you change the command value for a currently logged-on user ID, the change is overwritten by the TSO/E logoff command processor when the user ID is logged off.

NOCOMMAND

Deletes any COMMAND data that was previously saved in the RACF database for this user ID.

Note: When you delete this field for a currently logged-on user ID, the field is overwritten by the TSO/E logoff command processor when the user ID is logged off.

DEST | NODEST

DEST(destination-id)

Specifies the default destination to which the user can route dynamically allocated SYSOUT data sets. The specified value must be 1 - 7 alphanumeric characters, beginning with an alphabetic or national character.

NODEST

Specifies that you want to remove any default destination information for this user. Without explicit action by the user to route SYSOUT, the SYSOUT for this user is printed at your system default print location.

HOLDCLASS | NOHOLDCLASS

HOLDCLASS(hold-class)

Specifies the user's default hold class. The specified value must be 1 alphanumeric character, excluding national characters.

If you specify the TSO operand on the ALTUSER command but do not specify a value for HOLDCLASS, RACF uses a default value consistent with current TSO defaults.

NOHOLDCLASS

Specifies that you want to delete the default hold class from the TSO segment of the user's profile. If you delete the default hold class from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs onto TSO.

JOBCLASS | NOJOBCLASS

JOBCLASS(job-class)

Specifies the user's default job class. The specified value must be 1 alphanumeric character, excluding national characters.

If you specify the TSO operand on the ALTUSER command but do not specify a value for JOBCLASS, RACF uses a default value consistent with current TSO defaults.

NOJOBCLASS

Specifies that you want to delete the default job class from the TSO segment of the user's profile. If you delete the default job class from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

MAXSIZE | NOMAXSIZE

MAXSIZE(maximum-region-size)

Specifies the maximum region size that the user can request at logon. The maximum region size is the number of 1024-byte units of virtual storage that TSO can create for the user's private address space. The specified value must be an integer 0 - 2096128.

Note: Entering the integer '0' for this parameter results in a "non value" entry for the parameter, not a 'zero' value.

If you specify the TSO operand on the ALTUSER command but do not specify a value for MAXSIZE, or specify MAXSIZE(0), RACF uses a default value consistent with current TSO defaults.

If values are specified for both MAXSIZE and SIZE and SIZE is greater than MAXSIZE, RACF sets SIZE equal to MAXSIZE. If a value is specified for only SIZE or MAXSIZE and SIZE is greater than MAXSIZE, the operand is ignored.

NOMAXSIZE

Specifies that you want to delete the maximum region size from the TSO segment of the user's profile. If you delete the maximum region size from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

MSGCLASS | NOMSGCLASS

MSGCLASS(message-class)

Specifies the user's default message class. The specified value must be one alphanumeric character, excluding national characters.

If you specify the TSO operand on the ALTUSER command but do not specify a value for MSGCLASS, RACF uses a default value consistent with current TSO defaults.

NOMSGCLASS

Specifies that you want to delete the default message class from the TSO segment of the user's profile. If you delete the default message class from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

PROC | NOPROC

PROC(logon-procedure-name)

Specifies the name of the user's default logon procedure when logging on through the TSO/E logon panel. The name you specify must be 1 - 8 alphanumeric characters and begin with an alphabetic character. The name must also be defined as a profile in the TSOPROC general resource class, and the user must be granted READ access to the profile. Otherwise, the user cannot log on to TSO using the specified logon procedure.

A user can change a logon procedure, or specify a logon procedure if one has not been specified, using the TSO/E logon panel. RACF checks the user's authorization to the specified logon procedure. If the user is authorized to use the logon procedure, RACF stores the name of the procedure in the TSO segment of the user's profile, and TSO/E uses it as a default value the next time the user logs on to TSO/E. Otherwise, RACF denies the use of the logon procedure.

NOPROC

Specifies that you want to delete the default logon procedure from the TSO segment of the user's profile. If you delete the default logon procedure from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

SECLABEL | NOSECLABEL

SECLABEL(security-label)

Specifies the user's security label if the user specifies one on the TSO logon panel.

NOSECLABEL

Specifies that you want to delete the security label from the TSO segment of the user's profile. If you delete the security label from a user's TSO segment, RACF uses the security label in the user's profile the next time the user logs on to TSO.

SIZE | NOSIZE

SIZE(default-region-size)

Specifies the minimum region size if the user does not request a region size at logon. The default region size is the number of 1024-byte units of virtual storage available in the user's private address space at logon. The specified value must be an integer 0 - 2096128.

Note: Entering the integer '0' for this parameter results in a "non value" entry for the parameter, not a 'zero' value.

A user can change a minimum region size, or specify a minimum region size if one has not been specified, using the TSO/E logon panel. RACF stores this value in the TSO segment of the user's profile, and TSO/E uses it as a default value the next time the user logs on to TSO/E.

If values are specified for both MAXSIZE and SIZE and SIZE is greater than MAXSIZE, RACF sets SIZE equal to MAXSIZE. If a value is specified for only SIZE or MAXSIZE and SIZE is greater than MAXSIZE, the operand is ignored.

NOSIZE

Specifies that you want to delete the default minimum region size from the TSO segment of the user's profile. If you delete the default minimum region size from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

SYS | NOSYS

SYS(sysout-class)

Specifies the user's default SYSOUT class. The specified value must be one alphanumeric character, excluding national characters.

If you specify the TSO operand on the ALTUSER command but do not specify a value for SYS, RACF uses a default value consistent with current TSO defaults.

NOSYS

Specifies that you want to delete the default SYSOUT class from the TSO segment of the user's profile. If you delete the default SYSOUT class from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

UNIT | NOUNIT

UNIT(unit-name)

Specifies the default name of a device or group of devices that a procedure uses for allocations. The specified value must be 1 - 8 alphanumeric characters.

NOUNIT

Specifies that you want to delete the default name of a device or group of devices that a procedure uses for allocations from the TSO segment of the user's profile. If you delete this name from a user's profile, RACF uses a default value consistent with current TSO defaults when the user logs on to TSO.

USERDATA | NOUSERDATA

USERDATA(user-data)

Specifies optional installation data defined for the user. The specified value must be 4 EBCDIC characters; valid characters are 0 - 9 and A - F.

Note: When you change this value for a currently logged-on user ID, the change is overwritten by the TSO logoff command processor when the user ID is logged off.

NOUSERDATA

Specifies that you want to delete the installation data previously defined for a user.

NOTSO

Specifies that you are revoking a user's authority to use TSO. RACF deletes TSO logon information from the RACF database for the specified user. However, if the user ID is currently logged on, when the user issues the LOGOFF command the TSO logoff processor restores the TSO segment with default values (except for the USERDATA field which is set to the user's current value). To prevent the TSO segment from being restored, the user ID should be logged off before issuing the ALTUSER NOTSO command.

When you specify NOTSO, the result is the same as if you issue the TSO ACCOUNT command with the DELETE subcommand.

UACC(access-authority)

Specifies the new default universal access authority for all new resource profiles the user defines while the user's default group or the group specified in the GROUP operand is the user's current connect group. The universal access authorities are ALTER, CONTROL, UPDATE, READ, and NONE. (RACF does not accept EXECUTE access authority with the ALTUSER command.) If you specify UACC without a value, RACF ignores the operand.

This operand is group-related. If a user is subsequently connected to other groups (with the CONNECT command), the user can have a different default universal access authority in each group. Therefore, if the user specifies a different group at logon time or at batch job execution, the user's default UACC is the UACC of the specified group, not the UACC of the user's default group.

UAUDIT | NOUAUDIT

UAUDIT

Specifies that RACF is to log the following events:

• All RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST and SEARCH) issued by this user
• All additions, changes, or deletions that the user makes to RACF profiles using RACROUTE REQUEST=DEFINE requests
• All attempts that the user makes to access RACF-protected resources, except those authorized by global access checking and those not logged because the resource manager (issuer of the RACROUTE REQUEST=AUTH or RACROUTE REQUEST=FASTAUTH request) specified no logging
• All security decisions made during RACF callable services involving this user and any resource in certain z/OS UNIX classes. For a list of these classes, see Auditing for z/OS UNIX System Services in z/OS Security Server RACF Auditor's Guide.

You must have the AUDITOR attribute, or the user profile must be within the scope of a group in which you have the group-AUDITOR attribute, in order to enter the UAUDIT operand.

If an unauthorized user specifies UAUDIT on the ALTUSER command, none of the operands on the command is processed. RACF issues ICH21005I NOT AUTHORIZED TO SPECIFY UAUDIT, OPERAND IGNORED. The System Action states RACF ignores the operand and continues processing with the next operand. RACF verifies other operands, but does not process any of them. For more information, see z/OS Security Server RACF Messages and Codes.

NOUAUDIT

Specifies that no UAUDIT logging is to be performed. This operand does not override any other auditing options (for example, CMDVIOL specified on SETROPTS) that might be in effect.

You must have the AUDITOR attribute, or the user profile must be within the scope of a group in which you have the group-AUDITOR attribute, to enter the NOUAUDIT operand.

WHEN

Specifies the days of the week and the hours in the day when the user is allowed to access the system from a terminal. The day-of-week and time restrictions apply only when a user logs on to the system; that is, RACF does not force the user off the system if the end-time occurs while the user is logged on. Also, the day-of-week and time restrictions do not apply to batch jobs; the user can submit a batch job on any day and at any time.

If you specify the WHEN operand, you can restrict the user's access to the system to certain days of the week and to a certain time period within each day. For example, you can restrict a user's access to any one of the following:

• From 9:00 a.m. to 5:00 p.m. (0900:1700). (This would be a daily restriction because days were not also specified.)
• Monday through Friday. (This restriction applies for all 24 hours of Monday, Tuesday, Wednesday, Thursday, and Friday.)
• Monday through Friday from 9:00 a.m. to 5:00 p.m. (0900:1700)

DAYS(day-info)

Specifies days of the week when a user can access the system. The day-info value can be any one of the following:

ANYDAY

Specifies that the user can access the system on any day.

WEEKDAYS

Specifies that the user can access the system only on weekdays (Monday through Friday).

day ...

Specifies that the user can access the system only on the days specified, where day can be MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY, and you can specify the days in any order.

Restriction: You cannot specify more than one combination of days and times, even through multiple ALTUSER commands.

• Example:

  ALTUSER USER127 WHEN(DAYS(MONDAY TUESDAY) TIME(0100:0500))
  ALTUSER USER127 WHEN(DAYS(THURSDAY) TIME(0200:0500))

• Result:

  USER127 is allowed to access the system only on Thursday 2:00 - 5:00. The preceding DAYS(MONDAY TUESDAY) and TIME(0100:0500) operands are overwritten.

TIME(time-info)

Specifies the time period each day when a user can access the system. The time-info value can be any one of the following:

ANYTIME

Specifies that the user can access the system at any time.

start-time:end-time

Specifies that the user can access the system only during the specified time period. The format of both start-time and end-time is hhmm, where hh is the hour in 24-hour notation (00 - 23) and mm is the minutes (00 - 59). Note that 0000 is not a valid time value.

If start-time is greater than end-time, the interval spans midnight and extends into the following day.

If you omit DAYS and specify TIME, the time restriction applies to any day-of-week restriction already indicated in the profile. If you omit TIME and specify DAYS, the day restriction applies to the time restriction already indicated in the profile. If you specify both DAYS and TIME, the user can access the system only during the specified time period and only on the specified days.

If you omit both DAYS and TIME, the time and day restriction remains as it was in the profile.

WORKATTR | NOWORKATTR

WORKATTR

Specifies the user-specific attributes of a unit of work.

z/OS elements or features such as APPC, WLM, and z/OS UNIX might use the WORKATTR segment.

These operands are used by APPC/MVS for SYSOUT created by APPC transactions.

WAACCNT(account-number) | NOWAACCNT

Specifies an account number for APPC/MVS processing.

You can specify a maximum of 255 EBCDIC characters. Use the following rules when entering a value for this field:

• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is (123), you must enter WAACCNT'(123)').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The NOWAACCNT suboperand deletes the account number from the user profile.

WAADDRn(address-line-n) | NOWAADDRn

Where n can be 1 - 4, address-line-n specifies other address lines for SYSOUT delivery. For each line of the address you can specify a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.

Use the following rules when entering a value for this field:

• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is (123), you must enter WAADDR('(123)').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The NOWAADDR suboperand deletes address line n from the user profile.

WABLDG(building) | NOWABLDG

Specifies the building that SYSOUT information is to be delivered to.

You can specify a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.

Use the following rules when entering a value for this field:

• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is (123), you must enter WABLDG('(123)').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The NOWABLDG suboperand deletes the building from the profile.

WADEPT(department) | NOWADEPT

Specifies the department that SYSOUT information is to be delivered to.

You can specify a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.

Use the following rules when entering a value for this field:

• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is (123), you must enter WADEPT('(123)').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The NOWADEPT suboperand deletes the department from the profile.

WANAME(name) | NOWANAME

Specifies the name of the user SYSOUT information is to be delivered to.

You can specify a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.

Use the following rules when entering a value for this field:

• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is (123), you must enter WANAME('(123)').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The NOWANAME suboperand deletes the name from the profile.

WAROOM(room) | NOWAROOM

Specifies the room SYSOUT information is to be delivered to.

You can specify a maximum of 60 EBCDIC characters. Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.

Use the following rules when entering a value for this field:

• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is (123), you must enter WAROOM('(123)').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.

The NOWAROOM suboperand deletes the room from the profile.

WAEMAIL(e-mail) | NOWAEMAIL

Specifies the user's fully qualified e-mail address in the format user@domain, such as jasper@moes.bar.com. Both uppercase and lowercase characters are accepted and maintained in the case in which they are entered.

Use the following rules when entering a value for this field:

• The minimum length of the e-mail address is 3 characters and the maximum length is 246 characters.
• If the data contains parentheses, commas, blanks, or semicolons, enclose the character string in single quotation marks. For example, if the data is joe@a.(b).com, you must enter WAEMAIL('joe@a.(b).com').
• If a single quotation mark is intended to be part of the data, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
• To specify WAEMAIL, the RACF database must be at stage 3 of application identity mapping (AIM). For details about using the IRRIRA00 utility to advance the RACF database to AIM stage 3, see z/OS Security Server RACF System Programmer's Guide.
• The value that is specified must be unique. Consequently, a list of users cannot be specified on an ADDUSER command with WAEMAIL keyword.

The NOWAEMAIL suboperand deletes the e-mail address from the profile.

NOWORKATTR

Specifies that you want to delete the work attributes previously defined for a user.