z/OS Security Server RACF Macros and Interfaces
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


ICHEINTY macro

z/OS Security Server RACF Macros and Interfaces
SA23-2288-00

The ICHEINTY macro provides a direct interface to the RACF® database through the RACF manager. Its function is to locate or update a profile in the RACF database.

You can use the ICHEINTY macro with the ICHETEST and ICHEACTN macros to test and conditionally update fields in RACF profiles.

The ICHEINTY macro must be issued from a task running in non-cross-memory mode with no locks held. The issuing task must be authorized (APF-authorized, in system key 0-7, or running in supervisor state).

You can reference only one segment with each ICHEINTY call; however, you can access more than one field in a segment using a single call. If you need to retrieve or update more than one segment, issue a separate ICHEINTY for each segment.

When activated, automatic direction of application update propagates ICHEINTY ADD, ALTER, DELETE, DELETEA, and RENAME updates to selected remote nodes. Only ICHEINTY requests with return code 0 are propagated.

If your installation uses RACF remote sharing facility (RRSF) to propagate password changes to other (target) nodes, you should be aware that attempts to change the password of a revoked user on a target node fails. Therefore, if your installation has implemented automatic password direction or password synchronization, make sure that each target user ID is resumed before changing the password.

The format of the ICHEINTY macro definition is: 
[label] ICHEINTY [operation]
           [,TYPE='GRP' | 'USR' | 'CON' | 'DS' | 'GEN']
           [,ENTRY=entry-address]
           [,ENTRYX=extended-entry address]
           [,CLASS=class-address]
           [,FLDACC=NO | YES]
           [,RELEASE=number | (,CHECK) | (number,CHECK)]
           [,RUN=YES | NO]
           [,ACEE=acee address]
           [,WKSP=subpool number]
           [,CHAIN=parm-list address]
           [,DATAMAP=OLD | NEW]
           [,SEGMENT='segment name']
           [,VOLUME=volume-address]
           [,ACTIONS=(action-address,…)]
           [,TESTS=(test-addr[,[AND],test-addr]...)]
           [,WKAREA=workarea-address]
           [,NEWNAME=newname-address]
           [,NEWNAMX=extended-newname-address]
           [,RBA=rba-address]
           [,FLDEF=fldef-address]
           [,OPTIONS=(list-of-options)]
           [,SMC=YES | NO]
           [,GENERIC=NO | YES | UNCOND]
           [,DATEFMT=YYDDDF | YYYYDDDF]
           [,MF=I | L | (E,address)]
           [,INDEX=ASIS | ONLY | MULTIPLE]
operation
Specifies the operation that RACF is to perform on the specified profile. The valid operation values are ADD, ALTER, ALTERI, DELETE, DELETEA, FLDEF, LOCATE, NEXT, NEXTC, and RENAME. This operand is positional and is required if you specify MF=I or MF=L.

Some operations are based on assumptions. If a requested operation violates an assumption, the operation fails.

ADD
Defines entities to RACF by adding profiles to the RACF database. ADD processing does the following:
Some considerations regarding ADD are:
  • ADD processing assumes that the profile does not already exist. If the profile already exists (the index contains the profile name), any of the following conditions causes a return code of 8 (X'08'):
    • TYPE is not ‘DS’
    • TYPE is ‘DS’ and duplicate data set name creation has been prohibited via ICHSECOP.
    • TYPE is ‘DS’ and one of the existing profiles for the entity name contains in its volume list the volume specified by the VOLUME keyword.
  • For TYPE=‘DS’, ICHEINTY sets a return code of 60 (X'3C') if VOLUME is not specified and there are multiple profiles for the entity name.
  • For TYPE='USR', when automatic direction of application updates and automatic password direction are active, a single ICHEINTY with ACTIONS= that specifies both add user and password information results in the propagation of 2 requests to the target node, one by automatic direction of application updates, the other by automatic password direction. At the target node, these two requests execute using different user IDs and can execute concurrently; this makes the results of the ICHEINTY unpredictable at the target node. The unpredictable results occur for the propagation of any combination of ICHEINTYs (a program with a single ICHEINTY, or multiple ICHEINTYs within the same or different programs) that add a user and specify password information for that user.

    Guideline: Use an ADDUSER command or the R-ADMIN function from an application program to define a RACF user under these conditions.

  • For TYPE=‘GEN‘, you can add the same entity name to any number of different classes. If the class is TAPEVOL, ICHEINTY sets a return code of 60 (X'3C') if a VOLUME is specified but is not an existing TAPEVOL. ICHEINTY creates a profile for a TAPEVOL only when VOLUME is not specified; otherwise, it updates an existing profile. The macro creates an index entry in either case. The result of this special TAPEVOL processing is that RACF maintains only one profile for a multivolume tape. You can refer to that profile by specifying any of the volumes it protects.
  • You must supply all the information required by RACF for subsequent processing: for example, owner, creation date.
  • In general, you should use the RACF command processors to create RACF resource profiles. If you use ICHEINTY instead, you should create profiles which are supported by the command processors. For instance, ICHEINTY allows you to create a fully-qualified generic profile in a general resource class and a data set profile containing characters that are not valid, but those profiles are not supported by the RACF command processors.
ALTER
Alters field values in an existing profile on the RACF database. ALTER processing:
  • Locates the profile on the RACF database.
  • Performs the tests that the ICHETEST macros specify, if any macros are present. The TESTS operand on the ICHEINTY macro names the tests to be performed.
  • Alters field values as specified by associated ICHEACTN macro instructions.
  • Writes the profile back to the primary and backup (if active) RACF databases.
Some considerations regarding ALTER are:
  • If the profile is too large to be rewritten to the same location in the RACF database, RACF allocates new space, writes the profile to the new location, and updates the index entry for the profile to point to the new location.
  • Do not use ICHEINTY to ALTER (or ALTERI) repeat group count fields. These fields are updated automatically whenever a repeat group changes its size. Repeat group count fields can be read.
ALTERI
Similar to the ALTER operation with the following exceptions:
  • Fields are updated in place. ICHEINTY sets a return code of 68 (X'44') and fails the operation if the altered profile has a length which differs from that of the original profile.
  • The update to the field occurs with only a shared lock on the RACF database. Therefore, other ALTERI, LOCATE, NEXT, or NEXTC requests can take place simultaneously.
  • You can specify the RBA of the level one index block, containing the pointer to the profile to be altered. This improves processing efficiency.
  • ALTERI processing writes the profile back to the primary RACF database only; it does not write to the backup, unless you have otherwise specified in the data set name table (ICHRDSNT). RACF uses ALTERI to update statistical information in profiles. ALTERI should only be used with fields that are marked in the template as statistical. For more information about the RACF database templates, see RACF database templates.
DELETE
Deletes a profile from the RACF database. DELETE processing:
  • Deletes the index entry for the entity.
  • Frees space used for the profile on the RACF database.
Some considerations regarding DELETE are:
  • You cannot specify the ACTIONS operand with the DELETE operation.
  • For TYPE=‘DS’, ICHEINTY sets a return code of 60 (X'3C') if you specified VOLUME and a profile containing the specified volume in its VOLSER list was not found. ICHEINTY sets a return code of 56 (X'38') if you do not specify VOLUME and there are multiple profiles for the entity name.
  • ICHEINTY deletes the profile for a TAPEVOL only when the volume being deleted is the last in its set. Otherwise, the macro deletes the index entry and removes the volume from the VOLSER list.
DELETEA
Deletes all the members of a TAPEVOL set from the RACF database. It is similar to the DELETE operation with the following exception:
  • If you specify ‘TYPE=GEN’ and the class is TAPEVOL, ICHEINTY deletes the profile along with the index entry for each volume in the set.
FLDEF
Builds the area that the FLDEF operand uses. The area contains control information and the list generated by the TESTS and ACTIONS operands.
Some assumptions and considerations regarding FLDEF are:
  • FLDEF creates a separate area for ICHEACTN and ICHETEST pointers, which can be referenced from one or more ICHEINTY macros.
  • You can maintain the field definition area with the MF=E form of ICHEINTY FLDEF.
  • When referencing the field definition area from a remote ICHEINTY, specify FLDEF=field-definition-area, and do not specify any of the ACTION, FLDEF, TESTC, and TESTM options on the OPTIONS keyword.
LOCATE
Retrieves zero or more fields from an existing RACF profile in the RACF database. LOCATE processing:
  • Locates the profile in the RACF database.
  • Performs the tests that the ICHETEST macros specify, if any macros are present. The TESTS operand on the ICHEINTY macro names the tests to be performed.
  • Retrieves field values as specified by associated ICHEACTN macro instructions into the caller-specified work area.
Some assumptions and considerations regarding LOCATE are:
  • ICHEINTY sets a return code of 44 (X'2C') if the values being returned are too large for the work area provided and you did not specify the WKSP operand, which would have provided you with an additional work area.
  • For TYPE=‘DS’, ICHEINTY set a return code of 60 (X'3C') if you specify VOLUME and one or more profiles were found for the data set name but none contained the specified volume name in its VOLSER list. ICHEINTY sets a return code of 56 (X'38') if you do not specify VOLUME and there are multiple profiles for the entity name.
  • ICHEINTY sets a return code of 52 (X'34') if an ICHETEST macro specified by the TESTS operand failed. The LOCATE operation terminates at this point.
NEXT
Retrieves zero or more fields from the profile whose name follows the name specified by the ENTRY or ENTRYX operand. The NEXT operation updates the area pointed to by the ENTRY or ENTRYX operand with the name of the profile just completed. NEXT processing:
  • Locates the profile of the first entity of the specified type that follows the specified entity in the RACF database.
  • Performs the tests that the ICHETEST macros specify, if any macros are present. The TESTS operand on the ICHEINTY macro names the tests to be performed.
  • Retrieves field values as specified by associated ICHEACTN macro instructions into the caller specified work area.
Some considerations regarding NEXT are:
  • If the entity retrieved has the same name as the entity that follows it in the RACF database, ICHEINTY sets the duplicate data set name count. The count becomes 2 if it was zero on entry; otherwise, the count increases by one. The count is zero if the entity is not a duplicate of the one that follows it.
  • ICHEINTY sets a return code of 44 (X'2C') if the values being returned do not fit into the provided work area, unless you specified WKSP which would provide you with an additional work area.
  • For qualified types (data set, general, and connect), the located entity must have the same high-level qualifier as the specified entity. Otherwise, the macro sets a return code of 12 (X'0C').
  • For data set profiles, the qualifier includes the first period in the name.
  • For TYPE=‘DS’, if the duplicate data set name count in the work area is not zero, ICHEINTY locates the specified data set name. (That is, if the duplicate data set count equals N, then the macro locates the Nth occurrence of the specified name. If there are less than N occurrences of the specified name, the same process occurs as when the duplicate data set count is zero; ICHEINTY locates the profile of the first entity of the specified type that follows the specified entity in the RACF data set.) If you want to locate the first DATASET profile with a name greater than or equal to the name specified by ENTRY= or ENTRYX, you can do so by setting the duplicate data set name count to one.
  • If an ICHETEST macro specified in the TESTS operand failed, ICHEINTY sets a return code of 52 (X'34') and the NEXT operation terminates.
  • If you specify a segment other than BASE on this ICHEINTY, or on any ICHEINTY in a chain, the RACF manager skips any profiles that do not contain an occurrence of the segment. Normal processing (TESTS on ICHEINTY, ICHEACTN) resumes with the next profile containing the segment. This simplifies the process of finding users who are defined to TSO, for example.
NEXTC
is similar to the NEXT operation with the following exception:
  • For qualified types (data set, general, and connect), ICHEINTY does not make the high-level qualifier check. For unqualified types (group and user), NEXTC processing is identical to NEXT processing. The qualifier for a general profile is the 8-character class name.

Guideline: Do not use NEXTC with general resource classes, because it might have unpredictable results. When you reach the end of the profiles for the class that you specified with the CLASS keyword, ICHEINTY retrieves the first profile for the next general resource class that has profiles. However, you have no way of determining what class that profile belongs to, and in some cases you might not even know that ICHEINTY switched to a new class.

RENAME
renames a data set, SFS file, or SFS directory entry in the RACF database.

You must specify the NEWNAME or NEWNAMX operand.

When renaming resources in the FILE and DIRECTRY class, use ENTRYX and NEWNAMX.

TYPE= ‘GRP’ | ‘USR’ | ‘CON’ | ‘DS’ | ‘GEN’
Specifies the type of the entry as GROUP (‘GRP’), USER (‘USR’), CONNECT (‘CON’), DATASET (‘DS’), or general resource (‘GEN’).

The final parameter list the SVC uses as a request to the RACF manager must include a value for TYPE.

ENTRY= entry-address
Specifies the address of a 1-byte entry name length field followed by the entry name. The NEXT and NEXTC operations update this field. When using NEXT or NEXTC you should initialize the field in this way. To initialize the entry field, point to a field that has a length of 1 and a field of X'00'. The area that is pointed to must allow for 255 bytes of data to be returned.

The final parameter list the SVC uses as a request to the RACF manager must include a value for ENTRY or ENTRYX.

ENTRYX= extended-entry-address
Specifies the extended entry name field for long name support. You must specify the address of two 2-byte fields, followed by the entry name.
  • The first 2-byte field specifies a buffer length which can be from 0 to 255 bytes. This length field only refers to the length of the buffer that contains the entity name; it does not include the length of either length field.
  • The second 2-byte field specifies the actual length of the entity name. This length field includes only the length of the actual name without any trailing blanks; it does not include the length of either length field.

As with ENTRY, the NEXT and NEXTC operations update this field. The area that is pointed to must allow for a name which is of maximum entry length. ENTRY and ENTRYX are mutually exclusive keywords.

Guideline: Use the ENTRYX keyword to save storage, because it allows you to code to the specific amount of space that you need.

The final parameter list the SVC uses as a request to the RACF manager must include a value for ENTRY or ENTRYX. To use the ENTRYX keyword, you must specify RELEASE=1.9.

CLASS= class-address
Specifies the address of an 8-character class name (left-justified and blank-padded, if necessary.) The class name is required when TYPE=‘GEN’ and is ignored for all other types.
FLDACC= NO | YES
Specifies the presence or absence of field level access checking. If you specify FLDACC=YES, the RACF database manager checks to see that the user running your program has the authority to retrieve or modify the fields that have been specified in the ICHETEST and ICHEACTN macros associated with the current ICHEINTY macro.
Note:
  1. For field level access checking to occur, you must specify RELEASE=1.8 or later when you code the ICHEINTY and associated ICHETEST and ICHEACTN macros. RACF bypasses field access checking for any ICHETEST or ICHEACTN macro for which RELEASE=1.8 or later has not been specified. In addition, before your program executes, the security administrator must activate the FIELD class and process the FIELD class using SETROPTS RACLIST. If you code FLDACC=YES and the field class is not active and has not been processed using SETROPTS RACLIST, the request fails with a return code of 60.
  2. In addition, the security administrator must issue the RDEFINE and PERMIT commands to designate those users who will have the authority to access the fields designated in the ICHETEST and ICHEACTN macros.
  3. If you specify FLDACC=NO or omit the parameter, the manager does not perform field level access checking.
  4. If you specify FLDACC=YES for the ADD, ALTER, or LOCATE operation with segment name CSDATA and field name CSCDATA or CSKEY, the data associated with the CSKEY field (if present in the ICHEINTY parameter list) is used instead of the template name for field level access checking. This allows field level access checking to use the FIELD profile USER.CSDATA.custom-field-name or GROUP.CSDATA.custom-field-name for authorization, similar to the authorization that occurs for the RACF commands.
RELEASE=number
RELEASE=(,CHECK)
RELEASE=(number,CHECK)
Specifies the release number. The release numbers you can specify with the ICHEINTY macro are 7790, 7780, 7770, 7760, 7750, 7740, 7730, 7720, 7709, 7708, 7707, 7706, 7705, 7703, 2608, 2.6, 2.4, 2.3, 2.2, 2.1, 1.9.2, 1.9, 1.8.1, 1.8, or 1.7.

When you specify 1.8 or later, the RACF manager returns data using the 1.8 user work area format (documented in the topics Using ICHEACTN to retrieve data when ICHEINTY has DATAMAP=NEW and Using ICHEACTN to retrieve data when the ICHEINTY has DATAMAP=OLD). In effect, DATAMAP defaults to DATAMAP=NEW if you specify RELEASE=1.8 or later and omit DATAMAP.

If you specify RELEASE=1.7, or allow the release parameter to default to 1.7, the RACF manager returns data using the 1.7 user work area format. In this case, DATAMAP defaults to DATAMAP=OLD if you omit it.

If you want to use 1.8 parameters, and the 1.7 user work area format, you must specify RELEASE=1.8 or later and DATAMAP=OLD.

To use the 1.8 parameters, you must specify RELEASE=1.8 or later. If you specify RELEASE=1.8 or later the ICHEINTY parameter list must be in modifiable storage.

The default is RELEASE=1.7.
Table 1. ICHEINTY parameters
Parameter RELEASE=1.7 and earlier RELEASE=1.8 or later
ACEE   X
ACTIONS X X
CHAIN   X
CLASS X X
DATAMAP   X
ENTRY X X
FLDACC   X
FLDEF X X
GENERIC X X
INDEX   X
MF X X
NEWNAME X X
OPTIONS X X
RBA X X
RELEASE X X
RUN   X
SEGMENT   X
SMC X X
TESTS X X
TYPE X X
VOLUME X X
WKAREA X X
WKSP   X
RUN= YES | NO
Specifies whether to activate or deactivate the parameter list. If you specify RUN=NO, the RACF manager ignores the request designated by this ICHEINTY macro although it processes the CHAIN parameter. If you specify RUN=YES, RACF processes this request and also processes the CHAIN parameter. Thus you can use the RUN parameter to deactivate or activate one or more ICHEINTY parameter lists without having to rearrange the chaining.
ACEE= acee-address
Specifies an ACEE that RACF uses to perform field authorization checking. If you specify FLDACC=YES, but omit ACEE, the RACF manager uses the appropriate ACEE pointed to either by the TCB or the ASXB.
WKSP= subpool-number
Specifies the number of a storage subpool. If the area specified by the WKAREA parameter is too small to contain the field data retrieved from LOCATE, NEXT, or NEXTC operation, the RACF manager obtains an additional work area from this subpool in the callers key. The RACF manager returns the address of the work area in the fullword at offset 60 (X'3C') in the ICHEINTY parameter list. If additional storage is not needed, the RACF manager sets the fullword to zero. It is your responsibility to free any returned work area; its subpool number is stored in the one byte field at offset 29 (X'1D') in the parameter list, its address in the fullword at offset 60 (X'3C') in the ICHEINTY parameter list and its size in the first fullword of the work area itself.
Note:
  1. Even if you specify WKSP, you must still provide a work area at least 30 bytes long using the WKAREA operand.
  2. If the RACF manager is unable to obtain a large enough work area, an "out-of-storage" abend occurs.
  3. WKSP does not apply for ICHEINTY requests with INDEX=MULTIPLE.
Guidelines:
  • Simplify your coding by specifying WKSP and you can avoid processing a return code of 44 (X'2C').
  • Carefully select a subpool because MVS™ processes certain subpools differently. In particular, your results might be unpredictable if you specify subpool 0, subpool 250, or any subpool, such as 227–231 or 241, that is documented in z/OS MVS Programming: Assembler Services Guide as having a storage key of USER.
CHAIN= parm-list address
Specifies a parameter list that another ICHEINTY macro created. This chained parameter list executes after the current one within the same manager invocation. If several ICHEINTY requests pertain to the same profile, you can use CHAIN to string the requests together. This chaining improves performance because the RACF manager retrieves the profile only once for the entire chain. Each ICHEINTY parameter list in the chain must contain the same values for the following parameters: ACEE, CLASS, ENTRY or ENTRYX, GENERIC, RBA, SMC, TYPE, and VOLUME.
Note:
  1. Because there are no connect profiles in the database, chained ICHEINTY requests do not work as anticipated. Therefore, if you chain two ICHEINTY requests with TYPE=CON, the second ICHEINTY is ignored.
  2. You cannot specify NEWNAME for any request in the chain.
  3. When you chain ICHEINTY macros together, they must obey the following rules:
    • The first ICHEINTY in the chain must be a LOCATE, NEXT/NEXTC, ALTER/ALTERI, ADD, or a DELETE with SEGMENT specified.
    • The remaining ICHEINTY macros in the chain must be:
      • LOCATE, if the first was LOCATE
      • NEXT/NEXTC, if the first was NEXT or NEXTC
      • ALTERI, if the first was ALTERI
      • ALTER, if the first was ALTER, DELETE, or ADD
      • DELETE, with SEGMENT, if the first was ALTER or DELETE
    • The RACF manager return code is set to the highest return code of any of the individual ICHEINTY macros that have been chained together.
    • For chained ICHEINTY parameter lists, within the bounds of any one chain of ICHEINTYs, an alias field (indicated by the alias bit in the fields template definition) can be referenced, either directly or indirectly (for example, delete of a segment containing a defined alias field, or delete of a profile with a segment containing a defined alias field) multiple times. If there are multiple references, there can be tests on any of these references except for the last reference. If a parameter list chain does not meet this requirement, return code 36 (X'24') reason code 11 (X'B') is returned.

      If an FLDEF test is specified for a delete or alter ICHEINTY whose last action on a specific alias field lacks a test, then unless there is an ICHEINTY parameter list earlier in the chain which also references the same alias field, the FLDEF test does not count as a test on the last alias reference. This is because if the FLDEF test on the ICHEINTY fails, none of the actions in the ICHEINTY parameter list will be executed.

DATAMAP= OLD | NEW (default depends on RELEASE)
DATAMAP determines the format of the work area returned for a LOCATE, NEXT, or NEXTC operation and the format of the data you provide when you issue an ICHEINTY request to update the database. You can specify the DATAMAP parameter in several different combinations to tailor it to your system:
  • If you specify RELEASE=1.7 or allow RELEASE= to default to 1.7, you need not specify DATAMAP. It defaults to OLD, meaning the 1.7 format.
    Note: You cannot specify DATAMAP=NEW if you specify RELEASE=1.7 or default to it.
  • If you specify RELEASE=1.8 or later, and allow DATAMAP to default, it defaults to NEW, meaning the 1.8 format.
  • If you specify RELEASE=1.8 or later, and want to use the 1.7 user work area format, you must specify DATAMAP=OLD for the data to be retrieved in the 1.7 format.
    Note: Releases before 1.7 are in the 1.7 format.
SEGMENT= ‘segment name’
Specifies that this request is to apply to a specific segment in the profile. If you do not specify a specific segment, the default is the BASE segment. If you specify a segment other than the BASE segment, the operation cannot be ADD, DELETEA, or RENAME. If you specify a segment, the DELETE operation deletes only that segment. If you do not specify a segment, the DELETE operation deletes the entire profile. If you specify a segment, the ALTER operation alters only that segment. If you do not specify a segment, the ALTER operation updates the BASE segment. See RACF database templates for a list of valid segment names.
VOLUME= volume-address
Specifies the address of a 6-character volume identifier. When TYPE=‘DS’, the volume identifier differentiates among data sets with the same name. When the operation is ADD, TYPE=‘GEN’, and the class is TAPEVOL, the volume identifier specifies the name of an existing tape volume set to which the current entry is to be added. In all other cases, ICHEINTY ignores the volume identifier.
ACTIONS= (action-address,.....)
Specifies the address of one or more ICHEACTN macros that determine which profile fields the RACF manager is to retrieve or update. For a description of the ICHEACTN macro, see ICHEACTN macro. You can specify up to 255 actions.
Note: If you specify ACTION on the execute form of the ICHEINTY macro, the number of actions you specify should agree with the number of actions you have specified on the list form of the macro (or the FLDEF list, if you use that instead). If the numbers do not match, you must specify the OPTION keyword on the execute form to update the counts, using the appropriate ACTION operands.
TESTS= (test-addr[,[AND],test-addr]...)
Allows some preliminary testing on selected conditions before the execution of the operation specified by the ICHEINTY macro. You must specify an odd number of items (including the connector ‘AND’). Each address must be the address of a list built by the ICHETEST macro. See ICHETEST macro.
Note: If you specify TEST on the execute form of the ICHEINTY macro, the number of tests you specify should agree with the number of tests you have specified on the list form of the macro (or the FLDEF list, if you use that instead). If the numbers do not match, you must specify the OPTION keyword on the execute form to update the counts, using the appropriate TESTC or TESTM operands.
WKAREA= wkarea-address
Specifies the address of the area into which the retrieved values are to be placed. This operand is valid and required only for the LOCATE, NEXT, and NEXTC operations. The work area must be at least 30 bytes long.

When you specify INDEX=MULTIPLE, the work area must be at least 4K long. See Table 3 for the format of the work area for INDEX=MULTIPLE.

For a related operand, see the description of WKSP.

Table 2. Format for the ICHEINTY work area when INDEX=MULTIPLE is not specified
Offset (hex) Length Description
0 4 Length of entire work area
4 6 RBA return area
A 1 Flags
B 1 Reserved
C 4 Duplicate data set name count
10 8 Reserved
18 4 Length of data returned into work area
1C variable Field value return area
Table 3. Format for the ICHEINTY work area when INDEX=MULTIPLE is specified
Offset (hex) Length Description
0 4 Length of entire work area
4 20 Reserved
18 4 Length of data returned into work area
1C 2 Number of returned profile names
1E 1 Flag:
Bit
Meaning
1
No more profiles after this set.
1F 1 Reserved
20 variable Start of list of returned profile names. Format of returned profile name:
Length
Description
1
Length of profile name
variable
Profile name
NEWNAME= newname-address
Specifies the address of the new name to be assigned to the entity named by the ENTRY operand. The name must be left-justified and followed by at least one blank.

Whereas ENTRY is a 1-byte length field followed by a name, NEWNAME specifies an entry name which is not preceded by a 1-byte length field. This operand is valid only for the RENAME operation.

When renaming resources in the FILE and DIRECTRY class, use ENTRYX and NEWNAMX. If NEWNAME is used, the name must be 39 characters long or less.

NEWNAMX= extended-newname-address
Specifies the address of the new name to be assigned to the entity in the ENTRYX keyword. The format of the new name is the same as that of the ENTRYX keyword.
  • The first 2-byte field specifies a buffer length which can be from 0 to 255 bytes. This length field refers only to the length of the buffer that contains the entity name; it does not include the length of either length field.
  • The second 2-byte field specifies the actual length of the entity name. This length field includes only the length of the actual name without any trailing blanks; it does not include the length of either length field.

NEWNAMX and NEWNAME are mutually exclusive parameters, as are NEWNAMX and WKAREA. The NEWNAMX keyword is valid only for the RENAME operation. To use NEWNAMX, you must specify RELEASE=1.9 or later.

RBA= RBA-address
Specifies the address of a 6-byte relative byte area (RBA) of a level one index that points to the profile to be altered. This keyword is valid only for an ALTERI request. RBA should specify the value returned by a previous LOCATE operation.
FLDEF= fldef-address
Specifies a remote list of ACTION/TEST pointers set up by an ICHEINTY with the FLDEF operation.
OPTIONS= (list-of-options)
Provides more direct control of the code generated by the EXECUTE form of the macro. This operand is valid only with the EXECUTE form of the macro.

Specify one or more of the following options, separated by a comma:

NOPRO
Does not generate any prologue code; that is, the instructions that set the type of request, such as ADD, by updating the first two bytes of the parameter list, are not generated.
FLDEF
Generates the FLDEF pointer relocation code to point to the list of ACTION and TEST pointers in the ICHEINTY macro expansion.
ACTION
Generates code to set the number of ACTIONs that are to be performed.
TESTC
Generates code to set the number of TESTs that are to be performed.
TESTM
Generates code to set both actual and maximum number of TESTs.
NOEXEC
Does not generate the SVC instruction to invoke the RACF manager. This subfield is useful with the EXECUTE form of the macro to allow partial setup of the parameter list.
SMC= YES | NO
Controls the ‘set-must-complete’ operation mode of the RACF manager. YES is the default mode of operation.
Note: If an ICHEINTY request is propagated by automatic direction of application updates, the SMC=NO keyword is not propagated. The ICHEINTY request always runs as SMC=YES on the target node.
GENERIC= NO | YES | UNCOND
Informs the RACF manager whether the given entity name is a generic name.
NO
Never generic.

The RACF manager does not attempt to convert the name specified by the ENTRY operand from external to internal form. GENERIC=NO is the default.

YES
Can be generic.

The RACF manager attempts to convert the name specified by the ENTRY operand from external to internal form. The RACF manager does the conversion only if the entity name contains a generic character (an * or %). If the entity name does not contain a generic character, processing continues without any conversion.

UNCOND
Always generic.

The RACF manager unconditionally converts the name specified by the ENTRY operand from external to internal form.

For RENAME, the same process applies also to the NEWNAME operand.

DATEFMT= YYYYDDDF | YYDDDF
Specifies the format of the date that you want to extract or replace.
If you specify DATEFMT=YYYYDDDF with a LOCATE, NEXT, or NEXTC operation, RACF retrieves date fields in the format ccyydddF, where cc=19 or cc=20. If an ADD, ALTER, or ALTERI operation is specified, RACF accepts dates in the format ccyydddF, where cc=19 or cc=20, unless the data being retrieved is in an uninitialized state in the RACF database, in which case 0000000F or FFFFFFFF is returned. When accepting a date as input to place into the database, RACF validates that cc is 19 or 20 and that:
  • For cc=19, 70 < yy < = 99
  • For cc=20, 00 < = yy < = 70

If you specify DATEFMT=YYDDDF, RACF retrieves and accepts dates in the three-byte format.

To specify the DATEFMT keyword, you must specify Release=1.9.2 or a later release number.

DATEFMT=YYDDDF is the default.

MF= I | L | (E,address)
Specifies the form of the macro as either INLINE, LIST, or EXECUTE.

The INLINE form generates code to branch around the parameter list. In the MF=I form, the label names the instruction preceding the parameter list. MF=I is the default.

The LIST form reserves and initializes storage.

The EXECUTE form modifies a list defined elsewhere. If you use the EXECUTE form, you must specify the address of the list to be modified. The address can be an A-type address or register (2 through 12).

INDEX= ASIS | ONLY | MULTIPLE
Specifies how RACF processes the generic profile names in the index blocks of the RACF database.

The INDEX option is supported only for NEXT requests. Do not specify INDEX with GENERIC=NO or with TYPE values other than GEN or DS.

ASIS
Specifies normal RACF processing. This is the default value.
ONLY
Specifies that RACF should return the name of the next generic profile with the same HLQ, or the next generic profile for the same class, but should not return the content of any profile.
MULTIPLE
Specifies that RACF should return more than one generic profile name. RACF returns the name of the next generic profile with the same HLQ or the next generic profile for the same class, and the names of subsequent generic profiles in the same level 1 index block with the same HLQ or class name.

With INDEX=MULTIPLE, you must specify WKAREA to supply a work area that is at least 4K in length to hold the returned profile names. See Table 3 for the work area format.

Note: RACF places the last returned name in the ENTRY or ENTRYX field, as it normally does for NEXT operations.

Parent topic: ICHEINTY, ICHETEST, and ICHEACTN macros

Return codes from the ICHEINTY macro

If you did not specify RELEASE=1.8 or later, Register 15 contains the ICHEINTY return code and Register 0 contains the reason code. If you specified RELEASE=1.8 or later, Register 15 contains the highest return code from any of the ICHEINTY macros; Register 0 contains the corresponding reason code. The return code for each ICHEINTY macro appears in the fullword at offset 52(X'34') in each ICHEINTY parameter list; the corresponding reason code appears in the fullword at offset 56(X'38').
Hex (Dec)
Description
0 (0)
The requested operation was successful.
4 (4)
If the reason code is 0, a recovery environment could not be established; if the reason code is 4, an invalid function code was specified. (Valid functions are RACLIST, RACXTRT, and ICHEINTY. The parameter list was not valid for any of those functions.)
8 (8)
An attempt was made to add an entry to the RACF database but an identical entry already exists.
C (12)
For requests other than NEXT or NEXTC, the specified entry did not exist.

For NEXT or NEXTC requests, no subsequent entries satisfied the request.

10 (16)
Reserved for IBM's use.
14 (20)
The RACF database did not contain enough space to satisfy the request.
18 (24)
An I/O error occurred while accessing the RACF database.
1C (28)
RACF was not active at the time of the request.
20 (32)
The request type requires a user work area but the area was not provided (the address in the parameter list was 0) or for a RENAME, neither NEWNAME nor NEWNAMX was supplied.
24 (36)
The input parameter list or the associated ACTION and TEST blocks contain an error. When this code is returned, the possible reason codes are:
Hex (Dec)
Explanation
1 (1)
The entry name or new name is not valid
2 (2)
Action specified with DELETE or DELETEA
3 (3)
An action or test specified for an undefined field
4 (4)
Test specified with RENAME
5 (5)
Reserved for IBM's use.
6 (6)
Reserved for IBM's use.
7 (7)
Incorrect entry type
8 (8)
GROUP=YES specified for an ICHEACTN, but the data length given was too long for the associated data. This reason code can occur with DATAMAP=OLD.
9 (9)
GROUP=YES specified for an ICHEACTN, but the data length given was too short for the associated data.
A (10)
Chained ICHEINTY macros have inconsistent parameters: (CLASS, ENTRY, ENTRYX, GENERIC, RBA, SMC, TYPE, or VOLUME).
B (11)
Chained ICHEINTY macros have inconsistent request types (operations).
C (12)
All ICHEINTY macros specified RUN=NO
D (13)
Operation not allowed with SEGMENT keyword.
E (14)
Illegal field specified for GROUP=YES, must be a repeat group count field
F (15)
More than 1000 ICHEINTY macros present in the chain
10 (16)
Specified SEGMENT name not allowed for the specified profile type.
11 (17)
GROUP=YES specified for an ICHEACTN but the data length given was too long for the associated data. This reason code can occur with DATAMAP=NEW.
12 (18)
Data byte specified on ICHEACTN exceeded the length of the specified fixed-length field.
13 (19)
Inconsistency between action data length and repeat group fields. GROUP=YES data is too short.
14 (20)
Invalid ENTRYX. Current length is greater than 44 and either the primary or the backup database is not in the restructured database format.
15 (21)
Invalid NEWNAMX. Current length is greater than 44 and either the primary or the backup database is not in the restructured database format.
16 (22)
Data length specified on the ICHEACTN macro was less than zero and neither FLDATA=DEL nor FLDATA=COUNT were specified.
17 (23)
Reserved for IBM's use.
18 (24)
Reserved for IBM's use.
19 (25)
Number of tests is greater than 254.
1A (26)
Invalid date supplied on an ICHEACTN when DATEFMT=YYYYDDDF is specified. Date must have a length of 4 bytes and be in the form CCYYDDDF where CC=19, 70 < YY <= 99 and CC=20, 00 <= YY <= 70.
1B (27)
Repeat count cannot be updated when GROUP=NO is specified.
1C (28)
Alias locate requested but database is stage 0 or 1.
1D (29)
Invalid alias locate IPL.
1E (30)
Alias locate requested for a non-alias field.
1F (31)
Base pointer for test is 0 on an alias locate request.
20 (32)
Alias name length is 0 or greater than 252 on an add, alter, or delete request.
21 (33)
INDEX=MULTIPLE was specified but the work area (WKAREA) is not 4K or longer.
28 (40)
The maximum profile size (65 535 bytes) has been reached; the profile cannot be expanded.
2C (44)
The user-supplied work area was not large enough to hold all the data returned. The work area is filled with data up to, but not including, the first field that did not fit. If WKSP was specified, the manager obtains a new work area, retrieves the data, and sets the return code to 0.
30 (48)
The user-supplied work area was smaller than the minimum amount required (30 bytes).
34 (52)
A test condition specified in the TESTS keyword of the ICHEINTY macro was not met; further processing was suppressed.
38 (56)
You requested an operation on a DATASET type entry that has multiple RACF definitions, but you did not specify a VOLUME to single out a specific entry.
3C (60)
For DATASET type entries, you specified a VOLUME that did not exist in the volume list of any entry with the specified name. For TAPEVOL class entries, a request tried to add a new TAPEVOL to a nonexistent tape volume set.
40 (64)
You attempted to delete one of the entries supplied by IBM® (such as SYS1 or IBMUSER) from the RACF database.
44 (68)
An ALTERI request attempted to change the size of the profile being updated.
48 (72)
A request to add an entry to the RACF database would have caused the RACF index to increase to a depth that RACF does not support. The maximum depth is 10 levels.
4C (76)
ICHEINTY encountered an invalid index block or read a non-index block when it expected an index block.
50 (80)
An attempt was made to update one of the following (by a request other than ALTERI):
  • The RACF database that has been locked by a RACF utility
  • The RACF database from a system that is in read-only mode (in a RACF sysplex data sharing environment)
54 (84)
Reserved for IBM's use.
58 (88)
At least one (but not all) ICHEACTN macros for information retrieval failed to be executed because of a profile field access violation.
5C (92)
All ICHEACTN macros for information retrieval failed to be executed because of a profile field access violation.
60 (96)
An ICHEACTN macro attempted to alter a field and failed because of a profile field access violation. All ICHEACTN macros for the ICHEINTY were suppressed. For FLDACC entries, the field class may not be active and processed by SETROPTS RACLIST.
64 (100)
The RELEASE keyword on the E-form ICHEINTY specified a release of 1.8 or later and CHECK, but the L-form did not specify a release of 1.8 or later.
68 (104)
The requested profile on the database contains erroneous data. A reason code is returned as follows:
1
The profile is physically too short to contain the data implied by variable field lengths or repeat group count fields.
6C (108)
The RACF manager has been invoked recursively, and an exclusive reserve/enqueue is required. However a shared reserve/enqueue is already held.
70 (112)
The RACF manager received an unexpected return code from a reserve/enqueue. The reserve/enqueue return code is passed back in register 0.
74 (116)
The maximum length of extended entry of ICHEINTY parameter list is not enough to contain a found profile name.
78 (120)
Reserved (used internal to RACF).
7C (124)
Reserved (used internal to RACF).
80 (128)
This is a data sharing mode return code. A coupling facility function had a problem when dealing with the ICB.
84 (132)
A request to expand an alias index entry beyond its maximum size has been denied.

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014