Summary of RACF commands
Much of the RACF® activity dealing with protected CICS® resources involves creating, changing, and deleting general resource profiles.
Note:
- For full details of RACF commands, refer to z/OS Security Server RACF Command Language Reference.
- The commands described here, and the operands used in the examples, are not exhaustive.
- The sequences of commands shown here demonstrate one way to accomplish a given task. There may be other sequences of commands that you can use.
- Creating general resource profiles
- To create a general resource profile, use the RDEFINE command. Generally, once you have created a profile, you then create an access list for the profile using the PERMIT command. In this example, the three RDEFINE commands define three profiles named CEMT, CEDA, and CEDB in the TCICSTRN resource class. The three PERMIT commands allow two groups of users to access each transaction:
    RDEFINE TCICSTRN CEMT UACC(NONE) NOTIFY(sys_admin_userid)
    RDEFINE TCICSTRN CEDA UACC(NONE) NOTIFY(sys_admin_userid)
    RDEFINE TCICSTRN CEDB UACC(NONE) NOTIFY(sys_admin_userid)
    PERMIT CEMT CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
    PERMIT CEDA CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
    PERMIT CEDB CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
- Creating a resource group profile
- To define a profile in a resource grouping class, use the RDEFINE command with the ADDMEM operand to add resources as members of the group. Generally, once you have created a profile, you then create an access list for the profile using the PERMIT command. In this example, the RDEFINE command defines a resource group profile named CICSTRANS in the GCICSTRN resource grouping class. The PERMIT command allows two groups of users to access all transactions in the profile:
    RDEFINE GCICSTRN CICSTRANS UACC(NONE) ADDMEM(CEMT, CEDA, CEDB) NOTIFY(sys_admin_userid)
    PERMIT CICSTRANS CLASS(GCICSTRN) ID(group1, group2) ACCESS(READ)
- Creating a general resource profile
- Use the RDEFINE command to create a profile in a general resource class:
    RDEFINE class profile UACC(NONE)
where:
- class is the name of the general resource class
- profile is the name of the new profile
- UACC(NONE) ensures that there is no default access to the profile
- Permitting access to a general resource
- To permit access to a general resource, use the PERMIT command to create an access list for the general resource profile:
    PERMIT profile CLASS(class) ID(user) ACCESS(authority)
where:
- profile is the name of the new profile
- class is the name of the general resource class
- user is the user (or group of users) that is being given access authority to the resource
- authority is the level of authority that is being granted to the user
- Removing an entry from an access list
- To remove the entry for a user or group from an access list, issue the PERMIT command with the DELETE operand instead of the ACCESS operand:
    PERMIT profile_name CLASS(class_name) ID(user|group) DELETE
- Changing a profile
- If you want to change a profile (for example, changing UACC from NONE to READ), use the RALTER command:
    RALTER class_name profile_name UACC(READ)
- Deleting a profile
- To delete a profile, use the RDELETE command. For example:
    RDELETE class_name profile_name
- Copying from a profile
- You can copy an access list from one profile to another. To do so, specify the FROM operand on the PERMIT command:
    PERMIT profile_name CLASS(class_name) FROM(existing_profile_name) FCLASS(class_name)
You can copy information from one profile to another. To do so, specify the FROM operand on the RDEFINE or RALTER command:
    RDEFINE class_name profile_name FROM(existing_profile_name) FCLASS(class_name)
Note: Do not plan to do this if you are using resource group profiles. RACF does not copy the members (specified with the ADDMEM operand) when copying the profile. Also, there are other ways in which the new profile might not be an exact copy of the existing profile. For example, RACF places the userid of the resource profile owner in the access list with ALTER access authority. For complete information, see the description of the FROM operand on the appropriate commands in the z/OS Security Server RACF Command Language Reference.
- Listing profiles in a class
- To list the names of profiles in a particular class, use the SEARCH command. The following command lists profiles in the TCICSTRN class:
    SEARCH CLASS(TCICSTRN)
The following commands list all profiles and their details in the GCICSTRN class:
    SEARCH CLASS(GCICSTRN)
    RLIST GCICSTRN * ALL
For information on resource classes, see RACF general resource profiles.
Note: If you are a group-SPECIAL user (not system-SPECIAL), the SEARCH command might not list all the profiles that exist in a class. To get a complete list of profiles in a class, you must have at least the authority to list each profile. For further information, see the description of RACF requirements for the SEARCH command in the z/OS Security Server RACF Command Language Reference, and Which profile is used to protect the resource?.
- Activating protection for a class
- To begin protecting all the resources protected by profiles in a RACF class, activate that class by issuing the SETROPTS command with CLASSACT specified:
    SETROPTS CLASSACT(class_name)
- Defining a generic profile
- Before you can use RDEFINE to define a generic profile (that is, one that uses an asterisk (*), double asterisk (**), ampersand (&), or percentage (%) character), first issue the command:
    SETROPTS GENERIC(class_name)
- Deactivating protection for a class
- Deactivating a class turns off protection without disturbing the profiles themselves. If a class is deactivated, RACF issues a "not protected" return code to CICS for all resources in that class. CICS treats this response as "access denied". To deactivate a RACF class, issue the SETROPTS command with NOCLASSACT specified:
    SETROPTS NOCLASSACT(class_name)
- Determining active classes
- To determine which RACF classes are currently active, issue the SETROPTS command with LIST specified:
    SETROPTS LIST
- Activating support for mixed case passwords
- To turn support for mixed case passwords on, issue the SETROPTS command with PASSWORD specified:
    SETROPTS PASSWORD(MIXEDCASE)
To turn support for mixed case passwords off, issue the SETROPTS command:
    SETROPTS PASSWORD(NOMIXEDCASE)
Mixed case passwords are supported in z/OS Security Server (RACF) 1.7 and above.
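The following REXX exec chains the commands from the sections above into the order a practitioner actually needs them in: enable generics for the class, define one generic profile with no default access, build and then trim its access list, activate the class, and list the result back to verify it. It is an added example, not part of the RACF documentation, and the profile name CE*, the groups CICSOPS and CICSADM, and the userid SYSADM1 are assumptions.

```rexx
/* REXX - constructed example, not from the RACF documentation.       */
/* Protects every CICS transaction whose name begins with CE using    */
/* one generic profile in TCICSTRN, then verifies the outcome.        */
/* CE*, CICSOPS, CICSADM and SYSADM1 are assumed names.               */

/* Generic profiles must be enabled for the class before RDEFINE     */
/* may use *, **, & or % in a profile name.                          */
CALL Racf "SETROPTS GENERIC(TCICSTRN)"

/* No default access; SYSADM1 is notified of refused access attempts. */
CALL Racf "RDEFINE TCICSTRN CE* UACC(NONE) NOTIFY(SYSADM1)"

/* Build the access list: both groups may run the transactions.      */
CALL Racf "PERMIT CE* CLASS(TCICSTRN) ID(CICSOPS, CICSADM) ACCESS(READ)"

/* Remove a group from the list: DELETE replaces ACCESS on PERMIT.    */
CALL Racf "PERMIT CE* CLASS(TCICSTRN) ID(CICSADM) DELETE"

/* Nothing is enforced until the class is active.                     */
CALL Racf "SETROPTS CLASSACT(TCICSTRN)"

/* Verify: the profile with its UACC and access list, and the list   */
/* of currently active classes.                                       */
CALL Racf "RLIST TCICSTRN CE* ALL"
CALL Racf "SETROPTS LIST"
EXIT 0

/* Issue one RACF command under TSO and stop the exec on the first   */
/* non-zero return code, so a failed step is not silently skipped.    */
Racf: PROCEDURE
  cmd = ARG(1)
  ADDRESS TSO cmd
  IF RC <> 0 THEN DO
    SAY 'RACF command failed, RC='RC':' cmd
    EXIT RC
  END
RETURN
```

The RLIST output is the check worth reading: the access list should show only CICSOPS with READ, plus the profile owner, and SETROPTS LIST should show TCICSTRN among the active classes.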