z/OS Security Server RACF System Programmer's Guide


Commands that perform multiple operations

SA23-2287-00

The following commands perform more than one operation on the RACF® database. Therefore, failures that occur during the processing of these commands can cause discrepancies between the profiles on the RACF database, or discrepancies between data set profiles and the RACF-protected indication for the data set.

The commands are:
  • ADDGROUP
  • ADDSD
  • ADDUSER
  • ALTDSD (with the ADDVOL, ALTVOL, or DELVOL operand)
  • ALTGROUP
  • ALTUSER
  • DELDSD
  • DELGROUP
  • DELUSER
  • RACDCERT
  • RACLINK
  • RACMAP
  • REMOVE

To recover, perform the following steps:

  1. Examine the error messages to identify the failure.
  2. List the contents of the affected user, group, and data set profiles, and any relevant mapping profiles (NOTELINK, NDSLINK, DCEUUIDS, UNIXMAP, and VMPOSIX) to determine the status of the contents. Do not expect to find any UNIXMAP, NOTELINK, or NDSLINK mapping profiles if your system is running with application identity mapping stage 3. Instead, run IRRUT200 to verify the alias index entries.
  3. If all information is correct, the command completed successfully before the error occurred.
  4. If the profiles contain incorrect information, enter the appropriate commands to correct the profiles.

    Example 1: During REMOVE command processing, a failure occurs that causes the connect entry for the user to be deleted but does not delete the user's user ID from the group profile. In this case, reenter the REMOVE command.

    Example 2: During DELUSER processing, a failure occurs that causes the user's profile to be removed, but the user ID remains in the default group. In this case, enter the CONNECT command with the REVOKE operand to remove the user ID from the default group.

    Example 3: During ADDSD command processing, a failure occurs that causes the RACF-protected indicator in the DSCB (or catalog) to be set but prevents the creation of the data set profile. In this case, enter the ADDSD command with the NOSET operand to create the data set profile.

    Example 4: During DELDSD command processing, a failure occurs that causes the RACF-protected indicator in the DSCB (or catalog) to be set off but does not delete the data set profile from the RACF data set. In this case, enter the DELDSD command with the NOSET operand.

    Example 5: During ADDUSER command processing for the command:
    ADDUSER SIVLE OVM(UID(10))
    a failure occurs that causes the user's profile to be created without creating the corresponding U10 mapping profile in the VMPOSIX class. In this case, enter:
    RDEFINE VMPOSIX U10 UACC(NONE)
    PERMIT U10 CLASS(VMPOSIX) ID(SIVLE) ACCESS(NONE)
    PERMIT U10 CLASS(VMPOSIX) ID(your-id) DELETE
    If the NOADDCREATOR option is in effect, the PERMIT command to delete authorization for your user ID is not necessary. If another user already has a UID of 10, the VMPOSIX profile probably exists, and the RDEFINE command is not necessary. For more information on VMPOSIX mapping profiles, see RACF Security Administrator's Guide for RACF 1.10 for VM. For more information on the NOADDCREATOR option, see z/OS Security Server RACF Security Administrator's Guide. For information on the ADDCREATOR and NOADDCREATOR keywords on the SETROPTS command, see z/OS Security Server RACF Command Language Reference.

    Example 6: During ADDUSER command processing for the command:
    ADDUSER DCEUSR DCE(UUID(004386ea-ebb6-1ec3-bcae-10005ac90feb))
    a failure occurs that causes the user's profile to be created without creating the corresponding 004386ea-ebb6-1ec3-bcae-10005ac90feb mapping profile in the DCEUUIDS class. In this case, enter:
    RDEFINE DCEUUIDS 004386ea-ebb6-1ec3-bcae-10005ac90feb UACC(NONE) APPLDATA('DCEUSR')

    Example 7: During ADDUSER command processing for the command:
    ADDUSER USER0131 OMVS(UID(0))
    a failure occurs and messages ICH51011I, ICH01010I, and IRR419I are issued, indicating that an alias index entry has reached its maximum size and no additional users can be associated with the UID. Although the user profile is created with the UID field complete, processing failed before the mapping profile, alias index, or connect link to the default group was defined. The simplest solution is to delete the user:
    DELUSER USER0131
    Expect message ICH04002I even though the profile is successfully deleted. The message results from RACF's detection of the missing connect link. You can now add the user again, specifying a different UID.
  5. If the failure occurs again, contact your programming support representative.
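
The cross-check that steps 2 through 4 describe, as an added example that is not part of the IBM guide: it compares user, group, and mapping profile contents and returns the corrective commands given in Examples 1, 2, 5, and 6. The dictionary layout, the function name, and the names DEPTA, USERA, and USERB are assumptions made for illustration; real input would come from your own profile listings.

```python
# Added example: cross-check a constructed snapshot of listed RACF profiles and
# return the corrective commands this page gives in Examples 1, 2, 5 and 6.
# The dict layout is hypothetical; real input would come from parsed listings.

def find_discrepancies(users, groups, vmposix, dceuuids,
                       admin="your-id", addcreator=True):
    """Return a list of (finding, [commands]) tuples."""
    findings = []
    for group, members in sorted(groups.items()):
        for uid in sorted(members):
            if uid not in users:
                # Example 2 (on the page, the group is the user's default group)
                findings.append((f"{uid} has no user profile but is in {group}",
                                 [f"CONNECT {uid} GROUP({group}) REVOKE"]))
            elif group not in users[uid]["connects"]:
                # Example 1: connect entry gone, group profile still lists the ID
                findings.append((f"{uid} has no connect entry for {group}",
                                 [f"REMOVE {uid} GROUP({group})"]))
    for uid, prof in sorted(users.items()):
        ovm_uid = prof.get("ovm_uid")
        if ovm_uid is not None:  # Example 5; "is not None" keeps UID 0 in scope
            name, cmds = f"U{ovm_uid}", []
            if name not in vmposix:
                cmds.append(f"RDEFINE VMPOSIX {name} UACC(NONE)")
            if uid not in vmposix.get(name, set()):
                cmds.append(f"PERMIT {name} CLASS(VMPOSIX) ID({uid}) ACCESS(NONE)")
                # Creator cleanup applies only to a profile defined just now,
                # and only when NOADDCREATOR is not in effect.
                if name not in vmposix and addcreator:
                    cmds.append(f"PERMIT {name} CLASS(VMPOSIX) ID({admin}) DELETE")
            if cmds:
                findings.append((f"{uid} is not mapped in VMPOSIX {name}", cmds))
        uuid = prof.get("dce_uuid")
        if uuid is not None and dceuuids.get(uuid) != uid:  # Example 6
            findings.append((f"{uid} has no DCEUUIDS mapping for {uuid}",
                             [f"RDEFINE DCEUUIDS {uuid} UACC(NONE) APPLDATA('{uid}')"]))
    return findings

# Constructed snapshot (not real listings): each entry reproduces one failure case.
USERS = {
    "SIVLE": {"connects": {"DEPTA"}, "ovm_uid": 10},
    "DCEUSR": {"connects": {"DEPTA"},
               "dce_uuid": "004386ea-ebb6-1ec3-bcae-10005ac90feb"},
    "USERA": {"connects": set()},
}
GROUPS = {"DEPTA": {"SIVLE", "DCEUSR", "USERA", "USERB"}}

if __name__ == "__main__":
    for finding, commands in find_discrepancies(USERS, GROUPS, {}, {}):
        print(finding, *commands, sep="\n    ")
```

Passing a `vmposix` argument in which U10 already exists (another user has UID 10) drops the RDEFINE and the creator cleanup, matching the note under Example 5.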





Copyright IBM Corporation 1990, 2014