DELGROUP (Delete group profile)

Purpose

Use the DELGROUP command to delete a group and its relationship to its superior group from RACF®.

There are, however, other places in the RACF database where the group name might appear, and DELGROUP processing does not delete these other occurrences of the group name. For example, the group name could be in the access list for any resource. You can use the RACF Remove ID utility (IRRRID00) to remove all occurrences of a group name.

The DELGROUP command does not work for a UNIVERSAL group, in most cases. To delete a UNIVERSAL group, the RACF Remove ID Utility (IRRRID00) should be used.

For information on using the RACF remove ID utility, see z/OS Security Server RACF Security Administrator's Guide z/OS Security Server RACF Security Administrator's Guide.

Issuing options

The following table identifies the eligible options for issuing the DELGROUP command:

As a RACF TSO command?	As a RACF operator command?	With command direction?	With automatic command direction?	From the RACF parameter library?
Yes	Yes	Yes	Yes	Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

To add a group profile to the RACF database, see ADDGROUP (Add group profile).
To change a group profile in the RACF database, see ALTGROUP (Alter group profile).
To connect a user to a group, see CONNECT (Connect user to group).
To list information related to a group profile, see LISTGRP (List group profile).
To remove a user from a group profile, see REMOVE (Remove user from group).
To obtain a list of group profiles, see SEARCH (Search RACF database).

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To use the DELGROUP command, at least one of the following must be true:

You must have the SPECIAL attribute
The group to be deleted must be within the scope of a group in which you have the group-SPECIAL attribute
You must be the owner of the superior group
You must have JOIN authority in the superior group
You must be the owner of the group to be deleted

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DELGROUP command is:


[subsystem-prefix]{DELGROUP \| DG}
	(*group-name …*)
	[ AT([node].userid …) \| ONLYAT([node].userid …) ]

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix

Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

group-name

Specifies the name of the group whose profile is to be removed from the RACF database. If you are deleting more than one group, you must enclose the list of group names in parentheses.

You must enter at least one group name. For each group name you enter, the following conditions must exist:

The group must be defined to RACF.
The group must not have any subgroups.
The group must not have any group data sets (data sets whose names are qualified by the group name or begin with the value supplied by an installation exit).
The group must not have any users connected to it.

AT | ONLYAT

The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.

AT([node].userid …): Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is directed to the local node.
ONLYAT([node].userid …): Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is directed only to the local node.

Examples


Example	Operation	User WJE10 wants to delete subgroups DEPT1 and DEPT2 from group PAYROLL.
	Known	User WJE10 has JOIN authority to group PAYROLL. DEPT1 and DEPT2 are subgroups of group PAYROLL. Neither DEPT1 nor DEPT2 have any subgroups or users connected to them. In addition, neither group has any group data sets. User WJE10 wants to issue the command as a RACF TSO command.
	Command	`DELGROUP (DEPT1 DEPT2)`
	Defaults	None.