z/OS Security Server RACF System Programmer's Guide


Removing information from VLF

SA23-2287-00

RACF® monitors security-related changes to ensure that the information in VLF is valid. RACF removes the ACEE of the particular user from VLF if it determines that a security-related change has occurred.

A security-related change is:
  • Removing a user from a particular group.
  • Changing a "security-sensitive" field in a user's security profile. Security-sensitive fields can be identified by referring to the RACF database templates in z/OS Security Server RACF Macros and Interfaces. A security-sensitive field has bit 0 of flag 2 turned on.

The commands that make security-related changes are those that manipulate user profiles (for example, ALTUSER, DELUSER, and ADDUSER).

For security-related changes where all of the incorrect user ACEE entries cannot be determined, all the ACEEs will be removed from VLF. Examples of these changes are defining entire groups or updates from another system (z/VM® or z/OS®) sharing the database.

Issuing commands that deal with certain general-resource classes can cause information to be removed from VLF. The classes are:
  • APPCPORT
  • APPL
  • CONSOLE
  • FACILITY, when the SETROPTS MLS option is active
  • GTERMINL
  • JESINPUT
  • SECLABEL
  • SERVAUTH
  • TERMINAL

Whenever the RACF SETROPTS command specifies the CLASSACT, NOCLASSACT, RACLIST REFRESH, or NORACLIST keywords for one of these classes, RACF considers all of the ACEEs in VLF to lack integrity, and removes them from VLF. ACEE saving continues as the ACEEs are subsequently rebuilt.
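
The rule above can be applied to a list of issued commands to see which ones caused RACF to remove all ACEEs from VLF. The following Python sketch is an added example, not part of the IBM documentation or of RACF; the names `classes_purging_vlf`, `scan`, `mls_active` and `SAMPLE_LOG` are hypothetical, and it assumes the commands are available as plain text strings.

```python
import re

# Classes this topic lists as affecting ACEEs cached in VLF.
VLF_CLASSES = {"APPCPORT", "APPL", "CONSOLE", "FACILITY", "GTERMINL",
               "JESINPUT", "SECLABEL", "SERVAUTH", "TERMINAL"}
# SETROPTS keywords this topic names; RACLIST is counted only with REFRESH.
PURGING_KEYWORDS = {"CLASSACT", "NOCLASSACT", "RACLIST", "NORACLIST"}
_OPERAND = re.compile(r"\b([A-Z]+)\s*\(([^)]*)\)")


def classes_purging_vlf(command, mls_active=False):
    """Return the sorted classes in a SETROPTS command that make RACF
    remove all ACEEs from VLF, or [] if the command does not."""
    words = command.upper().strip().split(None, 1)
    if len(words) < 2 or words[0] not in ("SETROPTS", "SETR"):
        return []
    operands = words[1]
    has_refresh = re.search(r"\bREFRESH\b", operands) is not None
    hits = set()
    for keyword, arg in _OPERAND.findall(operands):
        if keyword not in PURGING_KEYWORDS:
            continue
        # Interpretation of the text: plain RACLIST(class) is not listed.
        if keyword == "RACLIST" and not has_refresh:
            continue
        names = set(re.split(r"[,\s]+", arg.strip())) - {""}
        if "*" in names:  # '*' selects every class, so it covers the list
            names = set(VLF_CLASSES)
        hits |= names & VLF_CLASSES
    if not mls_active:  # FACILITY counts only when SETROPTS MLS is active
        hits.discard("FACILITY")
    return sorted(hits)


SAMPLE_LOG = [  # constructed sample commands, not taken from a real system
    "SETROPTS RACLIST(TERMINAL) REFRESH",
    "SETR CLASSACT(FACILITY TAPEVOL)",
    "SETROPTS GENERIC(APPL) REFRESH",
    "SETROPTS NORACLIST(SERVAUTH,CONSOLE)",
]


def scan(commands, mls_active=False):
    """Map each command to the listed classes that trigger a full purge."""
    return {c: classes_purging_vlf(c, mls_active) for c in commands}
```

An empty list for a command means it does not match the SETROPTS rule in this topic; user-profile commands such as ALTUSER are outside what this sketch checks.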





Copyright IBM Corporation 1990, 2014