z/OS Security Server RACF System Programmer's Guide


RACLIST processing

SA23-2287-00

The RACLIST operand on the SETROPTS command copies the base segments of generic and discrete profiles from the RACF® database into storage. The profile copies are put in their own data space. Segments other than the base segments are not loaded into the data space. RACF uses these profile copies to check the authorization of any user who wants to access a resource protected by them. Additionally, if the RACGLIST class is active and a profile is defined with the same name as the class being RACLISTed, RACF copies the contents of the data space into classname_nnnnn profiles. These profiles are used to create the RACLIST data space if the system is IPLed. They are also used, on a system that is enabled for sysplex communication, by members of a data sharing group that are processing a propagated SETROPTS RACLIST command: the members build the RACLIST data space from them, rather than each member accessing the database for each discrete and generic profile in the class being RACLISTed.

Before you use RACLIST, consider how frequently the class is referenced, the number of profiles in the class, and the amount of storage that would be required to hold the profiles. Use SETROPTS RACLIST when the general resource class contains frequently referenced profiles and global access checking cannot be used (that is, not everyone is allowed access to the resources).

You cannot maintain resource-usage statistics on those profiles for which a SETROPTS RACLIST was issued for the class.

To activate RACLIST processing, a user with the SPECIAL attribute issues the following command:
SETROPTS RACLIST(classname...) CLASSACT(classname...)

If RACF is enabled for sysplex communication, a SETROPTS RACLIST issued from one system in a sysplex is propagated to the other systems in the data sharing group. If RACF is not enabled for sysplex communication, when you issue a SETROPTS RACLIST on one system, that action is not propagated to other systems that share the RACF database; you must issue the command separately for each system, or IPL the other system. See Shared system considerations.

If the following classes supplied by IBM® are active, you must issue a SETROPTS RACLIST command:

  • APPCSERV
  • APPCTP
  • CRYPTOZ
  • CSFKEYS
  • CSFSERV
  • DEVICES
  • DIGTCRIT
  • DIGTNMAP
  • FIELD
  • FSACCESS
  • IDIDMAP
  • NODES
  • OPERCMDS
  • PKISERV
  • PROPCNTL
  • PSFMPL
  • PTKTDATA
  • RACFHC
  • RACFVARS
  • RDATALIB
  • SECLABEL
  • SERVAUTH
  • STARTED
  • SYSMVIEW
  • UNIXPRIV
  • VTAMAPPL
  • XCSFKEY

In-storage profiles for the following classes supplied by IBM can be optionally shared by using SETROPTS RACLIST:

  • ACCTNUM *
  • ALCSAUTH
  • APPCPORT
  • APPCSI
  • APPL *
  • CBIND
  • CDT *
  • CONSOLE
  • CPSMOBJ
  • CPSMXMP
  • DASDVOL
  • DBNFORM
  • DCEUUIDS
  • DIGTCERT *
  • DIGTRING
  • DLFCLASS
  • DSNR
  • FACILITY *
  • FCICSFCT
  • INFOMAN
  • JAVA
  • JESINPUT
  • JESJOBS
  • JESSPOOL
  • KEYSMSTR
  • LDAPBIND *
  • LFSCLASS
  • LOGSTRM
  • MGMTCLAS
  • MQCMDS
  • MQCONN
  • NETCMDS
  • PERFGRP *
  • PKISERV
  • PTKTVAL
  • PRINTSRV *
  • RRSFDATA *
  • SDSF
  • SERVER
  • SMESSAGE
  • SOMDOBJS
  • STORCLAS
  • SUBSYSNM
  • SURROGAT
  • TERMINAL *
  • TMEADMIN
  • TSOAUTH *
  • TSOPROC *
  • VMBATCH
  • VMCMD
  • VMDEV
  • VMLAN
  • VMNODE
  • VMSEGMT
  • WRITER

Important: For each class marked with an asterisk (*), you might incur performance degradation or missing function if you do not issue the SETROPTS RACLIST command when you define profiles in the class and activate it. For important details about each class, see z/OS Security Server RACF Security Administrator's Guide (for classes used for RACF functions) or the appropriate program documentation.
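The two lists above can be turned into a configuration check. The following is an added example, not IBM code: it reads SETROPTS LIST output and reports active classes that are not RACLISTed. It assumes the `ACTIVE CLASSES =` and `SETR RACLIST CLASSES =` headings with indented continuation lines; the sample listing is constructed and the function names are hypothetical.

```python
# Class names transcribed from the "must issue SETROPTS RACLIST" list on this page.
MUST_RACLIST = set("""APPCSERV APPCTP CRYPTOZ CSFKEYS CSFSERV DEVICES DIGTCRIT
DIGTNMAP FIELD FSACCESS IDIDMAP NODES OPERCMDS PKISERV PROPCNTL PSFMPL PTKTDATA
RACFHC RACFVARS RDATALIB SECLABEL SERVAUTH STARTED SYSMVIEW UNIXPRIV VTAMAPPL
XCSFKEY""".split())
# Optional classes the page marks with an asterisk (*).
SHOULD_RACLIST = set("""ACCTNUM APPL CDT DIGTCERT FACILITY LDAPBIND PERFGRP
PRINTSRV RRSFDATA TERMINAL TSOAUTH TSOPROC""".split())

# Constructed sample input (assumed layout), not captured from a real system.
SAMPLE = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC)
ACTIVE CLASSES = DATASET USER GROUP FACILITY OPERCMDS STARTED TSOAUTH
                 UNIXPRIV CSFSERV TERMINAL SDSF
GENERIC PROFILE CLASSES = DATASET FACILITY
GENLIST CLASSES = NONE
SETR RACLIST CLASSES = FACILITY OPERCMDS STARTED
                       UNIXPRIV
GLOBAL=YES RACLIST ONLY = NONE
"""

def classes_under(heading, listing):
    """Return the class names listed after 'heading =' and on its continuation lines."""
    names, collecting = set(), False
    for line in listing.splitlines():
        head, sep, rest = line.partition(" = ")
        if sep:                          # a new "HEADING = values" line
            collecting = head.strip() == heading
            line = rest
        elif not line[:1].isspace():     # unindented text ends a continuation
            collecting = False
        if collecting:
            names.update(n for n in line.split() if n != "NONE")
    return names

def audit(listing):
    """Active classes that lack RACLIST, split by the two lists on the page."""
    pending = (classes_under("ACTIVE CLASSES", listing)
               - classes_under("SETR RACLIST CLASSES", listing))
    return {"required": sorted(pending & MUST_RACLIST),
            "recommended": sorted(pending & SHOULD_RACLIST)}

def setropts_command(classes):
    """Build the command shown on the page for the given classes."""
    return "SETROPTS RACLIST(%s)" % " ".join(classes) if classes else ""

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result, setropts_command(result["required"]))
```

Classes in neither list (DATASET, SDSF and so on in the sample) are deliberately not reported; whether to RACLIST them is the storage and reference-frequency decision described earlier on the page.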

Copyright IBM Corporation 1990, 2014