z/OS Security Server RACF Command Language Reference


SIGNOFF (Sign off sessions)

SA23-2292-00

Background

Persistent verification allows users to sign on to a partner LU (logical unit) and have their authority persist. In other words, once a user has signed on, a password is not required for subsequent signon attempts.

APPC/MVS invokes RACF to create and maintain a list called the signed-on-from list. If persistent verification is being used, the signed-on-from list consists of the users currently signed on with Persistent Verification authority.

Purpose

The RACF SIGNOFF operator command removes user entries from the signed-on-from list. Entries in the signed-on-from list are selected by the SIGNOFF command using the following information:
  • User ID
  • Group
  • APPL (the local LU name)
  • POE (the partner LU name from which the user is signed on)

The SIGNOFF command has operands which correspond to the items above. You can use these operands to select which user entries to remove from the signed-on-from list.

To determine which user entries are signed off by issuing a particular SIGNOFF command, issue a DISPLAY command with corresponding selection criteria.

Issuing options

The following table identifies the eligible options for issuing the SIGNOFF command:

  • As a RACF TSO command? No
  • As a RACF operator command? Yes
  • With command direction? No
  • With automatic command direction? No
  • From the RACF parameter library? Yes

For information on issuing this command as a RACF® operator command, see RACF operator commands.

Related commands

Use the DISPLAY operator command to view the signed-on-from list.

Authorization required

You might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the SIGNOFF command is:

   
subsystem-prefixSIGNOFF
  APPL(local-luname | *)
  POE(partner-luname | *)
  USER(userid-name | *)
  [ GROUP(group-name | *) ]
  [ SECLABEL(security-label | *) ]

For information on issuing this command as a RACF operator command, see Rules for entering RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

The operands listed below allow the operator to specify the user entries to be signed off. The APPL, POE and USER operands are required to uniquely identify a user entry to be signed off. The GROUP operand is optional and defaults to a group-name consisting of blanks.

APPL(local-luname | * )
This is a required operand. The local-luname is a 1 - 8 character name of the local LU to be searched for. An asterisk can occupy the last position of the local-luname in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any APPL name in the signed-on-from list.

POE(partner-luname | * )
This is a required operand. The partner-luname is a 1 - 7 character name of the partner LU to be searched for. A partner-luname consisting of a single asterisk is permitted as a full generic that matches any POE name in the signed-on-from list.

USER(userid-name | * )
This is a required operand. The userid-name is a 1 - 8 character specification which represents the RACF user ID to be searched for. A character string consisting of a single asterisk is permitted as a full generic that matches any user ID in the signed-on-from list.

GROUP(group-name | * )
This is an optional operand. The group-name is a 1 - 8 character name which represents the RACF group to be searched for. A character string consisting of a single asterisk is also permitted as a full generic which matches any group-name in the signed-on-from list. If this operand is not specified, the default value is a group-name consisting of blanks.

Note that entries in the signed-on-from list might not always be added to that list with a group-name value. Such entries have group-names consisting of blanks.

SECLABEL(security-label | * )
This is an optional operand. The security-label is a 1 - 8 character name that represents the RACF security label to be searched for. This operand is currently ignored.

Examples

     
Example 1
  Operation: Sign off a user from a local/partner LU pair.
  Known: The local LU is locallu, the partner LU is prtnrlu5, and the userid-name is jim. The RACF subsystem prefix is @.
  Command: @signoff user(jim),appl(locallu),poe(prtnrlu5)
  Defaults: A group-name consisting of blank characters.

Example 2
  Operation: Sign off all of the users from a local/partner LU pair.
  Known: The local LU is locallu, the partner LU is prtnrlu5, and the RACF subsystem prefix is @.
  Command: @signoff appl(locallu),poe(prtnrlu5),user(*)
  Defaults: A group-name consisting of blank characters.

Example 3
  Operation: Sign off a user from all the local/partner LU pairs to which that user is signed on.
  Known: The userid-name is Kurt, and the RACF subsystem prefix is @.
  Command: @signoff appl(*),poe(*),group(*),user(jim)
  Defaults: None.

Example 4
  Operation: Sign off all users from all the partner LUs of a particular local LU.
  Known: The local LU is locallu, the RACF subsystem prefix is @.
  Command: @signoff appl(locallu),poe(*),user(*),group(*)
  Defaults: None.

Example 5
  Operation: Sign off all users of a particular group from a particular local LU.
  Known: The local LU is locallu, the group is grp1, and the RACF subsystem prefix is @.
  Command: @signoff appl(locallu),poe(*),user(*),group(grp1)
  Defaults: None.
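
The following Python sketch is an added example, not IBM or RACF code: it models the operand selection rules described under Parameters so that the scope of a SIGNOFF command can be reasoned about before it is issued, in particular that omitting GROUP selects only entries whose group-name is blank. The names Entry, parse_signoff and selected are hypothetical, the signed-on-from entries are constructed, and folding operands to uppercase is an assumption.

```python
# Model of SIGNOFF operand selection, built only from the operand
# descriptions on this page. Not RACF code; entries are constructed.
import re
from typing import NamedTuple

class Entry(NamedTuple):
    user: str
    group: str  # "" models a group-name consisting of blanks
    appl: str   # local LU name
    poe: str    # partner LU name

def parse_signoff(command: str, prefix: str = "@") -> dict:
    """Parse '<prefix>signoff op(value),...' into an operand dict."""
    body = command.strip()
    if not body.lower().startswith(prefix.lower() + "signoff"):
        raise ValueError("not a SIGNOFF command for this subsystem prefix")
    # Assumption: operand names and values are folded to uppercase.
    ops = {k.upper(): v.strip().upper()
           for k, v in re.findall(r"(\w+)\(([^)]*)\)", body)}
    missing = {"APPL", "POE", "USER"} - set(ops)
    if missing:
        raise ValueError(f"required operand(s) missing: {sorted(missing)}")
    ops.setdefault("GROUP", "")  # default: group-name consisting of blanks
    ops.pop("SECLABEL", None)    # the page says this operand is ignored
    return ops

def _match(pattern: str, value: str, partial: bool = False) -> bool:
    if pattern == "*":                     # full generic
        return True
    if partial and pattern.endswith("*"):  # trailing asterisk, APPL only
        return value.upper().startswith(pattern[:-1])
    return value.strip().upper() == pattern

def selected(command: str, entries: list, prefix: str = "@") -> list:
    """Entries of the signed-on-from list the command would select."""
    ops = parse_signoff(command, prefix)
    return [e for e in entries
            if _match(ops["APPL"], e.appl, partial=True)
            and _match(ops["POE"], e.poe)
            and _match(ops["USER"], e.user)
            and _match(ops["GROUP"], e.group)]

# Constructed signed-on-from list for illustration.
ENTRIES = [
    Entry("JIM", "", "LOCALLU", "PRTNRLU5"),
    Entry("JIM", "GRP1", "LOCALLU", "PRTNRLU5"),
    Entry("KURT", "GRP1", "LOCALLU", "PRTNRLU7"),
    Entry("ANNA", "", "OTHERLU", "PRTNRLU5"),
]
```

With these entries, the Example 1 command selects only the first entry and leaves the GRP1 entry for the same user signed on; adding group(*) selects both.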

Copyright IBM Corporation 1990, 2014