DELGROUP (Delete group profile)
Purpose
Use the DELGROUP command to delete a group and its relationship to its superior group from RACF®.
There are, however, other places in the RACF database where the group name might appear, and DELGROUP processing does not delete these other occurrences of the group name. For example, the group name could be in the access list for any resource. You can use the RACF Remove ID utility (IRRRID00) to remove all occurrences of a group name.
The DELGROUP command does not work for a UNIVERSAL group, in most cases. To delete a UNIVERSAL group, the RACF Remove ID Utility (IRRRID00) should be used.
For information on using the RACF remove ID utility, see z/OS Security Server RACF Security Administrator's Guidez/OS Security Server RACF Security Administrator's Guide.
Issuing options
The following table identifies the eligible options for issuing the DELGROUP command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To add a group profile to the RACF database, see ADDGROUP (Add group profile).
- To change a group profile in the RACF database, see ALTGROUP (Alter group profile).
- To connect a user to a group, see CONNECT (Connect user to group).
- To list information related to a group profile, see LISTGRP (List group profile).
- To remove a user from a group profile, see REMOVE (Remove user from group).
- To obtain a list of group profiles, see SEARCH (Search RACF database).
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
- You must have the SPECIAL attribute
- The group to be deleted must be within the scope of a group in which you have the group-SPECIAL attribute
- You must be the owner of the superior group
- You must have JOIN authority in the superior group
- You must be the owner of the group to be deleted
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DELGROUP command is:
[subsystem-prefix]{DELGROUP | DG} |
(group-name ...) |
[ AT([node].userid ...) | ONLYAT([node].userid ...) ] |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem prefix
can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- group-name
- Specifies
the name of the group whose profile is to be removed from the RACF database. If you are deleting
more than one group, you must enclose the list of group names in parentheses.
You must enter at least one group name. For each group name you enter, the following conditions must exist:
- The group must be defined to RACF.
- The group must not have any subgroups.
- The group must not have any group data sets (data sets whose names are qualified by the group name or begin with the value supplied by an installation exit).
- The group must not have any users connected to it.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed only to the local node.
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | User WJE10 wants to delete subgroups DEPT1 and DEPT2 from group PAYROLL. |
Known | User WJE10 has JOIN authority to
group PAYROLL. DEPT1 and DEPT2 are subgroups of group PAYROLL. Neither DEPT1 nor DEPT2 have any subgroups or users connected to them. In addition, neither group has any group data sets. User WJE10 wants to issue the command as a RACF TSO command. |
|
Command | DELGROUP (DEPT1 DEPT2) | |
Defaults | None. |