Purpose

You can use the REMOVE command to remove a user from a group, and to assign a new owner to any group data set profiles the user owns on behalf of that group.

Issuing options

The following table identifies the eligible options for issuing the REMOVE command:

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

• To add a group profile, see ADDGROUP (Add group profile).
• To change a group profile, see ALTGROUP (Alter group profile).
• To connect a user to a group, see CONNECT (Connect user to group).
• To delete a group profile, see DELGROUP (Delete group profile).
• To list a group profile, see LISTGRP (List group profile).
• To display information from a user profile, see LISTUSER (List user profile).

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Parameters

subsystem-prefix

Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

userid

Specifies the user you want to remove from the group. If you are removing more than one user from the group, you must enclose the list of user IDs in parentheses.

This value is required and must be the first operand following REMOVE.

AT | ONLYAT

The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.

AT([node].userid …)

Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)

Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

GROUP(group-name)

Specifies the group from which the user is to be removed. If you omit this operand, the default is your current connect group. The value specified for group-name cannot be the name of user's default group.

OWNER(userid or group-name)

Specifies a RACF-defined user or group that owns the group data set profiles now owned by the user to be removed.

If you omit this operand when group data set profiles exist that require a new owner, RACF does not remove the user from the group. (Group data set profiles are data set profiles whose names are qualified by the group name or begin with the value supplied by an installation exit.)

The new owner of the group data set profiles must have at least USE authority in the specified group. Do not specify a user who is being removed from the group as the new data set profile owner.