Changing certain fields of a class entry requires extra attention.
If you are changing the POSIT value, do the following before making
the change:
- Use SETROPTS LIST and record each active option for the class.
- Examine your classes to see if any other class is using the current
POSIT value.
- If not, use SETROPTS to turn off all the options associated with
the class. This is done to reset the options associated with the POSIT
value so that you will not receive any extraneous options if you later
add a class using that POSIT value.
- Otherwise, proceed to the next step.
- After you make the change and have re-IPLed all the systems that
are using the new class, use SETROPTS to set any of the options that
are still relevant for the class, using the output of the previous
SETROPTS LIST as reference.
Because several classes can share the same POSIT value, changing
the POSIT value might deactivate classes previously active and vice
versa. (See z/OS Security Server RACF Macros and Interfaces
for a description of POSIT numbers.)
A user who has CLAUTH authority to a class also has CLAUTH authority
to all other classes with the same POSIT value. Therefore, changing
the POSIT value of a class might change the set of classes to which
a user has CLAUTH authority.
To modify the table, you must specify the macro for each class
entry you are changing.
Follow this procedure:
- Modify the assembler source statements that invoke ICHERCDE for
each class entry.
- Ensure that the last entry of ICHERCDE is blank. It cannot have
a CLASS operand.
- Assemble the modified source.
- Use the link-edit utility to link-edit the resulting object module
together with the existing ICHRRCDE load module to produce a new ICHRRCDE
load module.
- Be sure that your linkage editor ORDER statements specify ICHRRCDE
as the last CSECT. Any class that does not have an ORDER statement,
or any class that appears after ICHRRCDE in the output load module,
is not usable.
If you install the class descriptor table with
an SMP/E SYSMOD, consider assigning it a user-defined FMID, not the RACF® FMID, to prevent SMP/E from
deleting it during future RACF product
installations.
- Re-IPL MVS™. In a sysplex,
you must re-IPL each system on which you intend to use the class before
you activate the class.
If you are making changes to the load module, you must reassemble
the class descriptor table, or you lose the cross-checking that the
ICHERCDE macro performs.