z/OS Security Server RACF System Programmer's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Commands that have recovery routines

z/OS Security Server RACF System Programmer's Guide
SA23-2287-00

Failures that occur during the processing of the following commands might or might not cause a problem with the profiles on the RACF® database. These commands have recovery (backout) routines that enable the command processor to recover from some of the failures.

The commands are:
  • ADDGROUP
  • ADDUSER
  • ALTGROUP
  • CONNECT
If the command error messages indicate that recovery (backout) was successful, perform the following steps:
  1. Examine the error messages to identify the failure.
  2. Reenter the command.
  3. If the failure occurs again, contact your programming support representative.
If the command error messages indicate that recovery (backout) was not successful, perform the following steps:
  1. Examine the error messages to identify the failure.
  2. List the contents of the affected user and group profiles to determine the status of the contents.
  3. If no profiles were modified, reenter the command.
  4. If the user or group profiles have discrepancies, enter the appropriate commands to correct the data in the profiles.

    Example: A failure occurs during the processing of the ADDUSER command and the user profile is created correctly but the group profile is not updated with the new user's user ID. In this case, enter the CONNECT command with the default group name as the desired group in order to update the group profile.

  5. If the command was adding or changing a UID or GID of an OVM segment, and the user or group profile is correct, examine the appropriate VMPOSIX mapping profile to see if it matches the change made to the user or group profile. If it does not match, change the VMPOSIX profile appropriately.
    Example: You entered: 
    ADDUSER CAMERON OVM(UID(7))
    The CAMERON user profile is correct but the U7 profile does not exist in the VMPOSIX class. Add it as follows: 
    RDEFINE VMPOSIX U7 UACC(NONE)
PERMIT U7 CLASS(VMPOSIX) ID(CAMERON) ACCESS(NONE)
PERMIT U7 CLASS(VMPOSIX) ID(your-id) DELETE
    If the NOADDCREATOR option is in effect, the PERMIT command to delete authorization for your user ID is not necessary.

    For information on VMPOSIX mapping profiles, see RACF Security Administrator's Guide for RACF 1.10 for VM. For information on the NOADDCREATOR option, see z/OS Security Server RACF Security Administrator's Guide. For information on the ADDCREATOR and NOADDCREATOR keywords on the SETROPTS command, see z/OS Security Server RACF Command Language Reference.

  6. If there are no discrepancies and the user and group profiles and the VMPOSIX mapping profiles (if relevant) are correct, the command completed successfully.
  7. If the failure occurs again, contact your programming support representative.
Parent topic: Failures during RACF command processing

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014