Purpose
You can use the REMOVE command
to remove a user from a group, and to assign a new owner to any group
data set profiles the user owns on behalf of that group.
Issuing options
The following table identifies the eligible options for issuing the REMOVE command:

| As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Authorization required
When issuing this command as a RACF operator command, you might
require sufficient authority to the proper resource in the OPERCMDS
class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
To use the REMOVE command, one of the following conditions must be true:
- You have the SPECIAL attribute.
- The group profile is within the scope of a group in which you
have the group-SPECIAL attribute.
- You are the owner of the group.
- You have JOIN or CONNECT authority in the group.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword, you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
Note:
- If you only have ownership of the user's profile, you do not have sufficient authority to remove the user from a group.
- If a user is deleted from a RACF group as a result of a REMOVE command while the user is logged on, the user must log off and log on again before that authority to access resources in classes that have been RACLISTed is revoked. In addition, started tasks have to STOP and START to revoke the authority. This might include started tasks such as JES2 or JES3.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the REMOVE command is:

    [subsystem-prefix]{REMOVE | RE}
        (userid …)
        [ AT([node].userid …) | ONLYAT([node].userid …) ]
        [ GROUP(group-name) ]
        [ OWNER(userid or group-name) ]
Parameters
- subsystem-prefix
  Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
  Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- userid
  Specifies the user you want to remove from the group. If you are removing more than one user from the group, you must enclose the list of user IDs in parentheses.
  This value is required and must be the first operand following REMOVE.
- AT | ONLYAT
  The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
  - AT([node].userid …)
    Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed to the local node.
  - ONLYAT([node].userid …)
    Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed only to the local node.
- GROUP(group-name)
  Specifies the group from which the user is to be removed. If you omit this operand, the default is your current connect group. The value specified for group-name cannot be the name of the user's default group.
- OWNER(userid or group-name)
  Specifies a RACF-defined user or group that owns the group data set profiles now owned by the user to be removed.
  If you omit this operand when group data set profiles exist that require a new owner, RACF does not remove the user from the group. (Group data set profiles are data set profiles whose names are qualified by the group name or begin with the value supplied by an installation exit.)
  The new owner of the group data set profiles must have at least USE authority in the specified group. Do not specify a user who is being removed from the group as the new data set profile owner.
Examples
| | | |
|---|---|---|
| Example 1 | Operation | User ELVIS wants to remove users KURT and JIMI from group PAYROLL. |
| | Known | User ELVIS has JOIN authority to group PAYROLL. User ELVIS is currently connected to group PAYROLL. Users KURT and JIMI are connected to group PAYROLL but do not own any group data set profiles, and group PAYROLL is not their default group. User ELVIS wants to issue the command as a RACF TSO command. |
| | Command | REMOVE (KURT JIMI) |
| | Defaults | GROUP(PAYROLL) |
| Example 2 | Operation | User WRH0 wants to remove user PDJ6 from group RESEARCH, assigning user DAF0 as the new owner of PDJ6's group data set profiles. |
| | Known | User WRH0 has CONNECT authority to group RESEARCH. User WRH0 is not logged on to group RESEARCH. User PDJ6 is connected to group RESEARCH and owns group data set profiles (The default connect group for user PDJ6 is not RESEARCH). User DAF0 is connected to group RESEARCH with USE authority. User WRH0 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @. |
| | Command | @REMOVE PDJ6 GROUP(RESEARCH) OWNER(DAF0) |
| | Defaults | None. |
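
The authorization and operand rules above can be checked before a REMOVE is submitted, for example in a deprovisioning workflow. The following Python sketch is an added example, not IBM code: it calls no RACF interface and evaluates the rules against a constructed snapshot. The snapshot layout and the names `preflight_remove`, `group_special_scope` and `group_dataset_owners` are hypothetical, and the new owner is assumed to be a user ID rather than a group.

```python
# Added example: preflight checks for a RACF REMOVE request, evaluated against
# a constructed snapshot of profile data. No RACF interface is called.
AUTH = ("USE", "CREATE", "CONNECT", "JOIN")  # group authorities, low to high

def preflight_remove(snap, issuer, users, group, owner=None, prefix=""):
    """Return (command, problems); command is None if any rule is violated."""
    problems = []
    grp = snap["groups"][group]
    me = snap["users"][issuer]
    allowed = (me.get("special", False)                       # SPECIAL attribute
               or group in me.get("group_special_scope", ())  # group-SPECIAL scope
               or grp["owner"] == issuer                      # owner of the group
               or grp["connects"].get(issuer) in ("JOIN", "CONNECT"))
    if not allowed:
        problems.append(f"{issuer} lacks authority to REMOVE from {group}")
    needs_owner = any(u in grp.get("group_dataset_owners", ()) for u in users)
    for u in users:
        if u not in grp["connects"]:
            problems.append(f"{u} is not connected to {group}")
        if snap["users"][u]["default_group"] == group:
            problems.append(f"{group} is the default group of {u}")
    if needs_owner and owner is None:
        problems.append("OWNER is required: group data set profiles need a new owner")
    if owner is not None:
        if owner in users:
            problems.append(f"new owner {owner} is being removed")
        elif grp["connects"].get(owner) not in AUTH:
            problems.append(f"new owner {owner} has no authority in {group}")
    if problems:
        return None, problems
    who = users[0] if len(users) == 1 else "(" + " ".join(users) + ")"
    # GROUP is always written out rather than relying on the connect-group default.
    cmd = f"{prefix}REMOVE {who} GROUP({group})"
    if owner is not None:
        cmd += f" OWNER({owner})"
    return cmd, []

# Constructed snapshot mirroring Example 2; default groups and the group owner
# (SYS1, DEPT1, ADMIN1) are made-up sample values.
SNAPSHOT = {
    "users": {"WRH0": {"default_group": "SYS1"},
              "PDJ6": {"default_group": "DEPT1"},
              "DAF0": {"default_group": "RESEARCH"}},
    "groups": {"RESEARCH": {"owner": "ADMIN1",
                            "connects": {"WRH0": "CONNECT", "PDJ6": "USE", "DAF0": "USE"},
                            "group_dataset_owners": {"PDJ6"}}},
}
```

With the snapshot above, `preflight_remove(SNAPSHOT, "WRH0", ["PDJ6"], "RESEARCH", owner="DAF0", prefix="@")` yields the Example 2 command, and omitting `owner` returns the missing-OWNER problem instead of a command.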