z/OS Security Server RACF Security Administrator's Guide


Migrating to the dynamic CDT

SA23-2289-00

Restriction: You cannot move supplied classes (ICHRRCDX) to the dynamic CDT. You can only migrate classes from the installation-defined CDT (ICHRRCDE) to the dynamic CDT.

Because dynamic CDT entries can be changed without an IPL, you should consider migrating your static installation-defined classes to the dynamic CDT. The RACF® Web site provides a REXX exec to translate your installation-defined CDT into a series of RDEFINE CDT commands to facilitate this migration. Look for this download at: http://www.ibm.com/servers/eserver/zseries/zos/racf/.

If you do not use the CDT migration exec, define classes in the dynamic CDT to replace the same-named classes in ICHRRCDE. On each RDEFINE CDT command, use class attributes that match the equivalent class attributes specified on the ICHERCDE macro invocation (used to create ICHRRCDE) for that class. Use Table 1 to determine the equivalent class attributes. (If you use the REXX exec to create the RDEFINE CDT commands, this translation is done for you.) If you choose class attributes on the RDEFINE CDT command that do not match the equivalent class attributes on your ICHERCDE macro invocation for a class, a warning message is issued to note the attribute differences.

When you issue an RDEFINE CDT command to define a class that already exists in ICHRRCDE, a warning message is issued to remind you that a duplicate entry exists in ICHRRCDE. When you add the class to the dynamic CDT during SETROPTS RACLIST(CDT) or SETROPTS RACLIST(CDT) REFRESH command processing, another warning message is issued to indicate the class definition in the dynamic CDT overrides the definition in the static CDT. If you subsequently delete the entry in the dynamic CDT, the class definition in the static CDT will again be in effect, and another message will indicate this.

Rules:
  • If you are replacing a grouping or member class from the installation-defined CDT with a dynamic class, you must specify the equivalent GROUP or MEMBER operand on the definition of the dynamic class. If the grouping or member class definition does not match, an error message is issued. For example, if your installation-defined class HORSES8 is a grouping class that specifies the member class PONIES8 (MEMBER=PONIES8 is specified on the ICHERCDE macro), then your dynamic class definition for HORSES8 must include the CDTINFO(MEMBER(PONIES8)) operand.
  • When you move a grouping or member class from ICHRRCDE to the dynamic CDT, you must define both the grouping and member class to the CDT class before issuing SETROPTS RACLIST(CDT) to build or refresh the dynamic CDT. A grouping class in the dynamic CDT cannot reference a member class in the static CDT. Similarly, a member class in the dynamic CDT cannot reference a grouping class in the static CDT.
See Table 1 for a comparison of the class attributes of the ICHERCDE macro and the corresponding class attributes to specify when you define dynamic class entries in the CDT class.
Table 1. ICHERCDE macro operands and the corresponding operands for the RDEFINE and RALTER commands

ICHERCDE macro operand              Corresponding RDEFINE/RALTER operand
----------------------------------  ------------------------------------------------------------
CLASS=                              profile-name
CASE=UPPER | ASIS                   CDTINFO(CASE(UPPER | ASIS))
DFTRETC=0 | 4 | 8                   CDTINFO(DEFAULTRC(0 | 4 | 8))
DFTUACC=ALTER | CONTROL | UPDATE    CDTINFO(DEFAULTUACC(ACEE | ALTER | CONTROL | UPDATE
  | READ | NONE                       | READ | NONE))  (see note 1)
EQUALMAC=YES | NO                   CDTINFO(MACPROCESSING(NORMAL | EQUAL))
FIRST=ALPHA                         CDTINFO(FIRST(ALPHA,NATIONAL))
FIRST=NUMERIC                       CDTINFO(FIRST(NUMERIC))
FIRST=ALPHANUM                      CDTINFO(FIRST(ALPHA,NUMERIC,NATIONAL))
FIRST=ANY                           CDTINFO(FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL))
FIRST=NONATABC                      CDTINFO(FIRST(ALPHA))
FIRST=NONATNUM                      CDTINFO(FIRST(ALPHA,NUMERIC))
GENERIC=ALLOWED | DISALLOWED        CDTINFO(GENERIC(ALLOWED | DISALLOWED))
GENLIST=ALLOWED | DISALLOWED        CDTINFO(GENLIST(ALLOWED | DISALLOWED))
GROUP=grouping-classname            CDTINFO(GROUP(grouping-classname))
ID=number                           None  (see note 2)
KEYQUAL=nnn                         CDTINFO(KEYQUALIFIERS(nnn))
MAXLENX=nnn                         CDTINFO(MAXLENX(nnn))
MAXLNTH=nnn                         CDTINFO(MAXLENGTH(nnn))
MEMBER=member-classname             CDTINFO(MEMBER(member-classname))
OPER=YES | NO                       CDTINFO(OPERATIONS(YES | NO))  (see note 3)
OTHER=ALPHA                         CDTINFO(OTHER(ALPHA,NATIONAL))
OTHER=NUMERIC                       CDTINFO(OTHER(NUMERIC))
OTHER=ALPHANUM                      CDTINFO(OTHER(ALPHA,NUMERIC,NATIONAL))
OTHER=ANY                           CDTINFO(OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL))
OTHER=NONATABC                      CDTINFO(OTHER(ALPHA))
OTHER=NONATNUM                      CDTINFO(OTHER(ALPHA,NUMERIC))
POSIT=nnn                           CDTINFO(POSIT(nnn))
PROFDEF=YES | NO                    CDTINFO(PROFILESALLOWED(YES | NO))
RACLIST=ALLOWED | DISALLOWED        CDTINFO(RACLIST(ALLOWED | DISALLOWED))
RACLREQ=YES | NO                    CDTINFO(RACLIST(REQUIRED))
RVRSMAC=YES | NO                    CDTINFO(MACPROCESSING(NORMAL | REVERSE))
SIGNAL=YES | NO                     CDTINFO(SIGNAL(YES | NO))
SLBLREQ=YES | NO                    CDTINFO(SECLABELSREQUIRED(YES | NO))
Note:
  1. If you do not specify the DEFAULTUACC operand, the default is DEFAULTUACC(NONE) which is different from the ICHERCDE default of using the ACEE value.
  2. The ID operand is not applicable for use with dynamic CDT.
  3. If you do not specify the OPERATIONS operand, the default is OPERATIONS(NO) which is different from the ICHERCDE default of OPER=YES.
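The Table 1 mapping, the two grouping/member rules above and the default differences in notes 1 and 3, worked through as an added example. This is not the REXX exec from the RACF Web site or any other IBM code. It assumes a simplified ICHERCDE input: one joined KEY=VALUE list per class with the assembler continuation columns already removed. The class names HORSES8 and PONIES8 come from the rules above; the POSIT, MAXLNTH and ID values are constructed for illustration. Where DFTUACC= or OPER= is omitted, the translator adds DEFAULTUACC(ACEE) or OPERATIONS(YES) explicitly so that the migrated class keeps the ICHERCDE default behaviour described in notes 1 and 3 instead of silently picking up the different RDEFINE default.

```python
"""Translate ICHERCDE macro operands into RDEFINE CDT commands (Table 1 mapping).

Added example, not IBM's REXX exec. Input format is simplified: each class is
one string 'label ICHERCDE KEY=VALUE,KEY=VALUE,...' with continuation columns
already joined (an assumption of this example).
"""
import re

# FIRST= / OTHER= character-class values expand to explicit CDTINFO lists.
CHAR_CLASS_MAP = {
    "ALPHA": "ALPHA,NATIONAL",
    "NUMERIC": "NUMERIC",
    "ALPHANUM": "ALPHA,NUMERIC,NATIONAL",
    "ANY": "ALPHA,NUMERIC,NATIONAL,SPECIAL",
    "NONATABC": "ALPHA",
    "NONATNUM": "ALPHA,NUMERIC",
}

# Operands whose value is carried over unchanged; key is the macro operand,
# value is the CDTINFO suboperand name.
RENAME_MAP = {
    "CASE": "CASE", "DFTRETC": "DEFAULTRC", "DFTUACC": "DEFAULTUACC",
    "GENERIC": "GENERIC", "GENLIST": "GENLIST", "GROUP": "GROUP",
    "KEYQUAL": "KEYQUALIFIERS", "MAXLENX": "MAXLENX", "MAXLNTH": "MAXLENGTH",
    "MEMBER": "MEMBER", "OPER": "OPERATIONS", "POSIT": "POSIT",
    "PROFDEF": "PROFILESALLOWED", "RACLIST": "RACLIST", "SIGNAL": "SIGNAL",
    "SLBLREQ": "SECLABELSREQUIRED",
}

# Constructed sample input (class names from the rules above, numbers made up).
SAMPLE_MACROS = [
    "HORSES8 ICHERCDE CLASS=HORSES8,MEMBER=PONIES8,POSIT=25,FIRST=ALPHA,OTHER=ANY,MAXLNTH=8,ID=128",
    "PONIES8 ICHERCDE CLASS=PONIES8,GROUP=HORSES8,POSIT=25,FIRST=ALPHA,OTHER=ANY,MAXLNTH=8,ID=129,RACLREQ=YES,OPER=NO",
]


def parse_icherde(text):
    """Parse one ICHERCDE invocation into a dict of upper-cased operands."""
    m = re.match(r"^(?:\S+\s+)?ICHERCDE\s+(.*)$", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not an ICHERCDE invocation: %r" % text)
    operands = {}
    for pair in m.group(1).split(","):
        pair = pair.strip()
        if pair:
            key, _, value = pair.partition("=")
            operands[key.strip().upper()] = value.strip().upper()
    if "CLASS" not in operands:
        raise ValueError("ICHERCDE without CLASS= operand")
    return operands


def translate(text):
    """Return (RDEFINE CDT command, notes) for one ICHERCDE invocation."""
    ops = parse_icherde(text)
    name = ops.pop("CLASS")
    cdtinfo, notes = {}, []

    # ID= has no dynamic-CDT equivalent (Table 1, note 2).
    if ops.pop("ID", None) is not None:
        notes.append("ID= dropped: not applicable to the dynamic CDT")

    # FIRST= / OTHER= keywords become explicit character-class lists.
    for key in ("FIRST", "OTHER"):
        if key in ops:
            cdtinfo[key] = CHAR_CLASS_MAP[ops.pop(key)]

    # EQUALMAC= and RVRSMAC= collapse into the single MACPROCESSING value.
    equal, reverse = ops.pop("EQUALMAC", None), ops.pop("RVRSMAC", None)
    if equal == "YES" and reverse == "YES":
        raise ValueError("EQUALMAC=YES and RVRSMAC=YES map to one MACPROCESSING value")
    if equal == "YES":
        cdtinfo["MACPROCESSING"] = "EQUAL"
    elif reverse == "YES":
        cdtinfo["MACPROCESSING"] = "REVERSE"
    elif equal is not None or reverse is not None:
        cdtinfo["MACPROCESSING"] = "NORMAL"

    # RACLREQ=YES becomes RACLIST(REQUIRED) and supersedes RACLIST=ALLOWED.
    if ops.pop("RACLREQ", None) == "YES":
        ops.pop("RACLIST", None)
        cdtinfo["RACLIST"] = "REQUIRED"

    # Everything else is a straight rename from Table 1.
    for key, value in ops.items():
        if key not in RENAME_MAP:
            raise ValueError("unknown ICHERCDE operand %s=" % key)
        cdtinfo[RENAME_MAP[key]] = value

    # Notes 1 and 3: the RDEFINE defaults differ from the macro defaults, so
    # state the macro's implicit value explicitly to keep behaviour identical.
    if "DEFAULTUACC" not in cdtinfo:
        cdtinfo["DEFAULTUACC"] = "ACEE"
        notes.append("DFTUACC omitted: added DEFAULTUACC(ACEE); RDEFINE default is NONE")
    if "OPERATIONS" not in cdtinfo:
        cdtinfo["OPERATIONS"] = "YES"
        notes.append("OPER omitted: added OPERATIONS(YES); RDEFINE default is NO")

    body = " ".join("%s(%s)" % (k, cdtinfo[k]) for k in sorted(cdtinfo))
    return "RDEFINE CDT %s CDTINFO(%s)" % (name, body), notes


def check_group_member_pairs(texts):
    """Rule: a dynamic class cannot reference a GROUP/MEMBER partner that is
    still in the static CDT. Returns referenced classes not being migrated."""
    parsed = [parse_icherde(t) for t in texts]
    migrating = {p["CLASS"] for p in parsed}
    missing = {p[k] for p in parsed for k in ("GROUP", "MEMBER") if k in p and p[k] not in migrating}
    return sorted(missing)


def migration_commands(texts):
    """Commands in issue order: one RDEFINE CDT per class, then the SETROPTS
    refresh that builds the dynamic CDT (both classes of a pair must precede it)."""
    missing = check_group_member_pairs(texts)
    if missing:
        raise ValueError("migrate these partner classes too: %s" % ", ".join(missing))
    return [translate(t)[0] for t in texts] + ["SETROPTS RACLIST(CDT) REFRESH"]


if __name__ == "__main__":
    for cmd in migration_commands(SAMPLE_MACROS):
        print(cmd)
```

Running the block prints the two RDEFINE CDT commands followed by SETROPTS RACLIST(CDT) REFRESH; passing only the HORSES8 macro to migration_commands raises an error naming PONIES8, which is the second rule above enforced before anything is issued.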





Copyright IBM Corporation 1990, 2014