z/OS Security Server RACF System Programmer's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Changing an installation-defined class in the static class descriptor table

z/OS Security Server RACF System Programmer's Guide
SA23-2287-00

Changing certain fields of a class entry requires extra attention. If you are changing the POSIT value, do the following before making the change:

  1. Use SETROPTS LIST and record each active option for the class.
  2. Examine your classes to see if any other class is using the current POSIT value.
    • If not, use SETROPTS to turn off all the options associated with the class. This is done to reset the options associated with the POSIT value so that you will not receive any extraneous options if you later add a class using that POSIT value.
    • Otherwise, proceed to the next step.
  3. After you make the change and have re-IPLed all the systems that are using the new class, use SETROPTS to set any of the options that are still relevant for the class, using the output of the previous SETROPTS LIST as reference.

Because several classes can share the same POSIT value, changing the POSIT value might deactivate classes previously active and vice versa. (See z/OS Security Server RACF Macros and Interfaces for a description of POSIT numbers.)

A user who has CLAUTH authority to a class also has CLAUTH authority to all other classes with the same POSIT value. Therefore, changing the POSIT value of a class might change the set of classes to which a user has CLAUTH authority.

To modify the table, you must specify the macro for each class entry you are changing.

Follow this procedure:

  1. Modify the assembler source statements that invoke ICHERCDE for each class entry.
  2. Ensure that the last entry of ICHERCDE is blank. It cannot have a CLASS operand.
  3. Assemble the modified source.
  4. Use the link-edit utility to link-edit the resulting object module together with the existing ICHRRCDE load module to produce a new ICHRRCDE load module.
  5. Be sure that your linkage editor ORDER statements specify ICHRRCDE as the last CSECT. Any class that does not have an ORDER statement, or any class that appears after ICHRRCDE in the output load module, is not usable.

    If you install the class descriptor table with an SMP/E SYSMOD, consider assigning it a user-defined FMID, not the RACF® FMID, to prevent SMP/E from deleting it during future RACF product installations.

  6. Re-IPL MVS™. In a sysplex, you must re-IPL each system on which you intend to use the class before you activate the class.

If you are making changes to the load module, you must reassemble the class descriptor table, or you lose the cross-checking that the ICHERCDE macro performs.

Parent topic: The class descriptor table (CDT)

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014