SUPPRESS command options

The SUPPRESS command provides a number of options that can be used to stop processing of verification of failure messages, command generation and scoping rules for use in REPORT SCOPE or NEWLIST SCOPE. These options are described in this topic. Some of the options, such as VOLUME, CATALOG, DELETEUNCATALOGED, and DELETEDATASETS are discussed in the introduction to the SUPPRESS command. See Suppress options related to resource management in SUPPRESS.

ACCESS_GDG_VERSION

This option applies only to RACF systems running on z/OS. To reduce the size of consolidated Access Monitor data sets, this option maps the GnnnnVnn qualifier of GDG generation resource names into a fixed string of GnnnnVnn for all TYPE=ACCESS input records. For example, G1259V00 is mapped to GnnnnVnn.

ACCESS_JESSPOOL_JOBID

This option applies only to RACF systems running on z/OS. This option is checked when reading TYPE=ACCESS input files. This SUPPRESS option converts the fourth JESSPOOL resource name qualifier (the job ID) into a fixed string by using the following convention: the leading S, J, or T character is retained and the remaining characters in the job ID are replaced with a lowercase x.

ACCESS_JESSPOOL_DSID

This option applies only to RACF systems running on z/OS. This option is checked when reading TYPE=ACCESS input files. This SUPPRESS option converts the fifth JESSPOOL resource name qualifier (the data set ID) into a fixed string if it starts with a D by using the following convention: the leading D character is retained and the remaining characters in the data set ID are replaced with a lowercase x. If the data set ID includes a word such as GROUP, the word GROUP is retained as part of the resource name qualifier.

ACF2

This option applies only to ACF2 systems. This option suppresses the reading of the ACF2 database. This can only be used in unrestricted mode, and is useful if a NEWLIST is used that can make use of the ACF2 database, but does not require it.

ADDSD

ADDDSD

ADD

This option applies only to RACF systems running on z/OS. It limits the commands generated by the COPY command to exclude the addition of data set and general resource profiles as well as profile members. For example, on a COPY USER=userid command, you can use this option to prevent the addition of data set profiles starting with id to the copy command.

AUTO_RESOURCE

The AUTO_RESOURCE parameter specifies that resource simulation operations are limited to the resources that are explicitly specified by SIMULATE commands. Resources that are determined from CKFREEZE data sets are not automatically included in the analysis.

AUTO_SENSTYPE=[senstype|'sens type']

This parameter can be used one or more times to suppress specific sensitivity types. It does not support a list in the keyword, but multiple keywords with different sensitivity types can be specified. The sensitivity type is case-sensitive. If it has an embedded blank, quotes must be used around it. Instead of or in addition to the equal sign, parentheses can be used, as in AUTO_SENSTYPE('sens type'). The parameter is meant to reduce the number of records in TYPE=SENSDSN, TYPE=ACF2_SENSDSN_ACCESS, TYPE=ACF2_SENSRESOURCE_ACCESS, and TYPE=RESOURCE.

CATALOG=catname

CAT=catname

For z/OS systems, this option suppresses error messages related to this catalog. For RACF systems, in addition, resource copying and deletion will not take the contents of this catalog into account, so no IDCAMS commands will be (implicitly or explicitly) directed to it; this might lead to some data sets appearing uncataloged and being scratched from the VTOC directly. See DELETEUNCATALOGED.

CKFREEZE

IOCONFIG

Suppress the use of a CKFREEZE file with catalog information. If a cursory analysis is sufficient, omitting read of the trailing part of the CKFREEZE file saves time. This option is useful for commands that can provide useful information without a CKFREEZE file. For VSAM profiles, CKFREEZE data is needed to generate complete and correct report information for VSAM data sets. This parameter is ignored for NEWLIST TYPE=SMF in restricted mode and message CKR0521 is issued. This option implies

SUPPRESS
DELETEDATASETS

and COPYALIAS.

CONNECTOWNER

This option applies only to RACF systems. Do not use the RACF connect owner field of group, user, or connect profiles during VERIFY PERMIT, REMOVE PERMIT and MERGE processing. For VERIFY PERMIT and REMOVE PERMIT this has the effect of not generating CONNECT commands to change the connect owner when it is a user ID or group which no longer exists. For MERGE operations no commands will be generated to set the connect owner field to any specific value.

COPYALIAS

This option applies only to RACF systems running on z/OS. It suppresses the generation of IDCAMS DEFINE ALIAS commands by COPY. This option is implied by SUPPRESS CKFREEZE. It is also automatically implied if no CKFREEZE file is allocated.

COPYCUSTOMDATA

COPYCSDATA

This option applies only to RACF systems running on z/OS. It suppresses the generation of RACF commands to copy custom fields.

COPYUSERDATA

COPYUSRDATA

This option applies only to RACF systems. It suppresses the generation of CKGRACF commands to copy user data.

DBIDCACHE

This option applies only to RACF systems running on z/OS. It suppresses the translation of Db2 DBID, OBID, PSID, and DSID numbers to their respective database names, table space names, table names, and data set names. Some SMF type 100/101/102 record subtypes contain definitions of specific ID numbers (namely, 24, 104, 105, 107, 142, 143, 144, and 258) and the bulk of the subtypes only refers to the objects by their numeric ID number. By specifying this option you can see what the SMF records really contain. The main use of this option is to assist in diagnosing problems in DB2_OBJECT and RECORDDESC that can be caused by providing the wrong order of SMF records or SMF with gaps. Db2 immediately reuses object ID numbers for new objects after an object has been deleted, and IBM® Security zSecure cannot cope unless the SMF records are read in the proper order.

DELDSD

This option applies only to RACF systems running on z/OS. It limits the commands generated by REMOVE and MOVE operations to exclude deletion of data set profiles as well as other profiles or profile members to be removed. For example, on a REMOVE USER=userid command, the deletion of all profiles starting with userid can be prevented by specifiying this option. Note that this probably results in failure of a DELUSER command. If this parameter is specified, generation of DELGROUP commands that fail due to still existing data set profiles is suppressed. Message CKR1062 is issued to warn you that the command generation was suppressed.

DELETEDATASETS

This option applies only to RACF systems running on z/OS. This option suppresses the generation of all non-RACF commands by MOVE, REMOVE and VERIFY to delete data sets and catalog aliases. As a result, it might become unnecessary to read the CKFREEZE, which can gain you speed. This option is implied by SUPPRESS CKFREEZE; in turn it implies SUPPRESS DELETENOSCRATCH and DELETEUNCATALOGED. This option is also automatically implied by the absence of the CKFREEZE file.

To suppress the generation of all non-RACF commands by MOVE, REMOVE and VERIFY to delete data sets and catalog aliases. As a result, it may become unnecessary to read the CKFREEZE, which may gain you speed. This option is implied by SUP- PRESS CKFREEZE; in turn it implies SUPPRESSDELETENOSCRATCH and DELETEUNCATALOGED . This option is also automatically implied by the absence of the CKFREEZE file.

DELETENOSCRATCH

This option applies only to RACF systems running on z/OS. This option suppresses the generation of IDCAMS DELETE commands with the NOSCRATCH keyword. A suppression message is issued instead of generating the commands. The NOSCRATCH keyword is only generated if a DELETE without it is not possible, because the data set is in several catalogs for example. Migrated data sets do not require this keyword. This option is implied by SUPPRESS DELETEDATASETS.

DELETEUNCATALOGED

To suppress the generation of ALLOCATE and FREE commands to scratch uncataloged data sets from the VTOC; if you want to supply the resource deletion commands to IDCAMS directly (instead of via TSO), you should specify this option, since IDCAMS only partially supports ALLOCATE and does not support FREE at all. This option is implied by SUPPRESS DELETEDATASETS.

ECKD

This option applies only to RACF systems running on z/OS. This parameter requests fallback to non-ECKD channel program formats to be used with EXCP access to the RACF data sets. This reduces the size of sequential I/O operations from 3 tracks to 1 track.

FALLBACK

This option applies only to RACF systems. It suppresses the flagging of second order error conditions. Presently this only affects VERIFY STC, where it means that ICHRIN03 entries are only verified for referential integrity when used (unused entries will still be flagged as such); note that unused STARTED profiles are never syntactically verified.

FMTABEND

Suppress user abend 931 which follows error message CKR0931, indicating a buffer overwrite in a text formatting procedure.

ICHCNX00

This option applies only to RACF systems running on z/OS. It suppresses invocation of this RACF exit to determine the first qualifier. This command might be necessary if the exit depends on key 0 operation. This option is activated automatically if an abend condition is intercepted while calling the exit.

This option might also be required for processing data from another system. In this case, the ICHCNX00 of the current system is used, not that of the subject system. This processing works if the systems have the same level of ICHCNX00 exit code. If the systems do not have the same level exit, it might be better to suppress ICHCNX00 processing.

The SUPPRESS ICHCNX00 command is not supported in restricted mode.

ICHNCV00

This option applies only to RACF systems running on z/OS. It suppresses the use of the RACF naming convention table ICHNCV00 in RACF and SMF reporting. The table normally used is the copy in the CKFREEZE file.

ICHRRNG

This option applies only to RACF systems running on z/OS. It suppresses use of the RACF range table. This table maps the profile key to a specific RACF data set sequence number. The table used is the copy in the CKFREEZE file, unless the data source is a live RACF database. For a live database, the live ICHRRNG is used. Typically, profiles in the 'wrong' RACF data set are not seen by RACF and the IBM Security zSecure products. When you specify SUPPRESS ICHRRNG the profiles are processed and can be identified. This setting can cause messages to be issued for duplicate profiles, class not in CDT, and connect inconsistency, and other messages. Also, the pseudo field INRANGE can be used to identify the profiles.

ID= id

Suppress error messages and report lines concerning this user or group. In the case of multi-line messages, sometimes only the line containing the message id is suppressed.

IDLE_TCP_CONNECT

This causes the program to resolve only the IP address and open a socket on startup, but not perform an actual TCP connect operation for SYSLOGTCP destinations. This can be useful for sites where idle connections are dropped after very short periods. If the destination is not available, the SUPPRESS also postpones an action-required message on the console to the moment that data must be sent to that destination. Similarly, after detecting that a connection was dropped, recovery of the dropped connections is postponed until there is any data to be sent. Combining this option with an ALTERNATE destination might cause data not to reach that alternate destination, because the connection is not ready in time. Data that cannot be delivered is written to the C2RSYSLG file, unless SUPPRESS SYSLOG_FALLBACK_FILE is also requested.

INDEX

This option applies only to RACF systems. It suppresses use of the RACF data set index and causes a sequential read.

INDEXCUTOFF

This option applies only to RACF systems. It is for debugging and performance analysis purposes. It suppresses automatic fallback to sequential I/O in a RACF data set if the program gauges the number of indexed I/O requests to take longer. Because specifying this option can increase the elapsed time for some queries by more than a factor 12, do not use it with very large databases. Experience shows that queries that select 100,000 or more profiles perform badly while in indexed I/O mode. See also LIMIT INDEXBIAS.

The specification has no effect when BDAMQSAM has been specified.

IO_OVERLAP

This setting applies primarily to the order in which CKFREEZE, UNLOAD, and ACF2 files are read; this option makes the processing order more deterministic. When SUPPRESS IO_OVERLAP is active, if a file is still in an I/O wait after processing of the previous record, CARLa processing does not switch to a different file.

Using this option increases run time.

MANAGERACFVARS

This option applies only to RACF systems. It suppresses interpreting keys and members in RACFVARS profiles to represent users and groups wherever they match a defined user or group id, and have COPY, MOVE and REMOVE generate commands accordingly.

MSG=list

MESSAGE=list

A single decimal message number or a list of decimal message numbers enclosed in parentheses and separated by commas can suppress messages CKRnnnn where nnnn is the decimal message number. Besides suppressing the message output, this also suppresses processing of the return code associated with the message. Hence, the use of this option to suppress a critical error message that would terminate the program, might result in processing to be continued inadvertently, which can lead to abend conditions. The main use of this option is to suppress messages inherent to your configuration that you know about, but do not want to clutter your output with on each run. A large number of messages that would allow circumvention of restricted mode processing cannot be suppressed.

MSGTIMER

This parameter can be used to force display of all status messages in sequence, even though this causes response time to increase. This is mainly useful for automated testing programs.

MYACCESS< level

This option applies only to RACF systems. It limits REPORT and NEWLIST output to profiles that you might access at least the level indicated. The levels that can be used are listed with the ACCESS parameter of the REPORT command; see REPORT. As an example, SUPPRESS MYACCESS<ADMIN restricts REPORT and NEWLIST output to those profiles you may administer, for example, profiles that you are owner of, or discrete profiles that you have ALTER access over. For RACF, this keyword is effectively disregarded if you have system special in the database being displayed (because with system special, you have administrative authority over all RACF profiles). This effect of SPECIAL can be suppressed with SUPPRESS REASON=SPECIAL. Also for RACF, note that records will not be suppressed if they are in your CKG scope, in addition to the normal RACF scope. The records seen only because of this can be suppressed by SUPPRESS REASON=CKGOWNER.

NOT_MY_LIST_SCOPE

This option applies only to RACF systems running on z/OS. It limits the profiles selected to those that fall within any scope specification including CKGLIST and AUDIT. The difference with SUPPRESS MYACCESS<ADMIN is in the addition of profiles that can be reviewed due to CKGLIST scope, AUDITOR, ROAUDIT, or group-AUDIT authority.

RACF

This option applies only to RACF systems. It suppresses the reading of the RACF database. This can only be used in unrestricted mode, and is useful if a NEWLIST is used that can make use of the RACF database, but does not require it. Typically, this is used in zSecure Audit for RACF®.

REASON= list

This option applies only to RACF systems. It changes REPORT SCOPE=, REPORT PERMIT=, or NEWLIST SCOPE= reports to exclude profiles that would be included only for the reasons indicated. In restricted mode, the suppress reasons SELFCONNECT, PWDCHANGE, WARN, NOPROFILE, and CKGRACMAP are always set. Additional suppress reasons can be added as desired. See Scoping rules that can be suppressed with REASON=.

SETROPTSREFRESH

This option applies only to RACF systems. It suppresses the generation of SETROPTS REFRESH commands.

SMF

For RACF and ACF2 systems, use this option to suppress the allocation of all SMF data sets. For Top Secret systems, use this option to suppress the allocation of all SMF and ATF data sets. This option can be used to prevent unintended enqueues on and reads of the live SMF data sets while syntax checking a CARLa query. This is typically used when verifying an alert in IBM Security zSecure Alert.

SOFTEOF

This option applies only to z/OS systems. It suppresses soft end-of-file processing for ALLOC GETPROC routines. The soft end-of-file return code will be handled as a regular end of file.

SMFTOFILE_AUTO_IMBED

The SMFTOFILE_AUTO_IMBED option can be used to request suppression of the automatic imbed that includes built-in CARLa code in case SMFTOFILE is used with SMF1154. It can be used only to design new SMF 1154 record layouts; it cannot be used to write actual SMF records.

STANDARD=[{ name | * }] { CONTROL=name | RULE_SET=name | RULE=name } REASON=’description’

This statement applies only to z/OS systems. It can be used to suppress counting the compliance or non-compliance of the indicated rule or control (or rule set) to the compliance test result. If the indicated rule or control names are not defined, a warning message is issued and return code 4 is set. If the rule or control is defined in the indicated standard, reporting in the COMPLIANCE newlist shows both the GOAL_COMPLIANT (or TEST_COMPLIANT) and GOAL_NONCOMPLIANT (or TEST_NONCOMPLIANT) flags as missing. The test results are not counted towards either compliance or non-compliance. Instead, the SUPPRESS flag is set to enable counting the number of suppressed test results. The REASON keyword supports three kind of quotation marks, but the begin and end quotation marks must match and cannot be present within the string. You can suppress a single rule (set) in multiple standards. Use STANDARD=* or STANDARD= to let your suppress statements apply to all standards.

In the case of the new multi-standard syntax for a control, the SUPPRESS is propagated to all standards and versions containing the rules in the control.

For additional information and an example of a coded SUPPRESS STANDARD statement, see Rule compliance test suppression.

SYSLOG_FALLBACK_FILE

This option suppresses the normal behavior when alerts cannot be delivered to file C2RSYSLG. This option applies only to RACF systems.
Normally, if the C2RSYSLG file is allocated and none of the destinations for an alert message can be reached, a message CKR2003 is issued and the alert is written to the C2RSYSLG file. This SUPPRESS option suppresses this behavior.

UNIXCACHE

This option applies only to z/OS systems. It suppresses the cache mechanism for the file path in calculating the effective file attributes (ATTR) for UNIX files.

VSAM_SHORTCUT

This option applies only to RACF and ACF2 systems. By using SUPPRESS VSAM_SHORTCUT, you ask the program to precisely look at the VSAM components and cluster definitions in all connected ICF catalogs as seen from all systems to see which catalog is the normal (default) access path for the cluster, and use the associated profile. When this option is off, much less storage is used during execution if possible, but the volume serial that is used to find discrete VSAM profiles might not be the default path one or might be missing altogether, for example, for ZFS data sets.

Also, the profile derived for a VSAM profile might be based on the cluster name mentioned in the VVDS, instead of the 'real' cluster name as it exists in the default search path catalog. This is only noticeable for VSAM components that are cataloged under different cluster names (for example, in two different master catalogs). This is very rare. In case of doubt, it can be useful to compare the output created with and without the SUPPRESS option active.

VOL= volser

VOLSER=volser

VOLUME=volser

This option applies only to z/OS systems. It suppresses error messages relating to the specified volume.

For RACF systems, the volume is also ignored during resource copying and deletion. As a result, catalogs stored on the volume are also ignored which might make some cataloged data sets appear to be uncataloged and, as a result, scratched from the VTOC directly. (See ECKD.) If a Generation Data Group (GDG) is cataloged on this volume, neither the GDG or its Generation data sets (GDSs) residing on this volume are deleted. However, associated GDSs residing on other volumes might be considered uncataloged non-VSAM data sets and consequently scratched. VSAM components are never deleted separately. If you exclude one component, using the SUPPRESS option for example, you exclude the entire cluster.