z/OS Security Server RACF Security Administrator's Guide


Steps for deleting a dynamic CDT class

SA23-2289-00

Restriction: The following procedure cannot be used to delete classes from the static CDT (modules ICHRRCDX or ICHRRCDE). To modify the static CDT, consult your system programmer and see z/OS Security Server RACF System Programmer's Guide.

Before you begin:
  • If you have applications that use resources in the dynamic class, those applications, such as those issuing RACROUTE REQUEST=LIST,GLOBAL=YES for the class, should be changed or removed. Otherwise, the applications could fail after you remove the class from the dynamic CDT.
  • Evaluate the uniqueness of the POSIT value of the class to be deleted.
    • If the POSIT value is unique, follow the steps below to deactivate all SETROPTS options.
    • If the POSIT value is shared, some of the steps below should not be executed and they are so noted. If those steps were executed, the SETROPTS options for all classes that share the POSIT value with the deleted class would be deactivated. This would have unintended effects on those classes.

Perform the following steps to delete an existing class from the dynamic CDT.

  1. Delete all profiles in the class to be deleted.
    a. Execute a SEARCH command to create a CLIST with a command to delete each profile in the class.
      Example:
      SEARCH CLASS(HORSES8) CLIST('RDELETE HORSES8 ')

      _________________________________________________________________

    b. Execute the CLIST created in Step 1.a.
      Example:
      EXEC EXEC.RACF.CLIST LIST

      _________________________________________________________________

    c. Verify no profiles remain in the class.
      Example:
      SEARCH CLASS(HORSES8)

      _________________________________________________________________

  2. Issue the following command and note every occurrence of the class you want to delete.
    SETROPTS LIST

    _________________________________________________________________

  3. If the class to be deleted does not share a POSIT value with other existing classes, deactivate the class.
    Example:
    SETROPTS NOCLASSACT(HORSES8)
    Do not deactivate this class when it shares a POSIT value with other classes that are active. (See the "Before you begin" topic of this procedure.)

    _________________________________________________________________

  4. If you are using global access checking for the class and the class to be deleted does not share a POSIT value with other existing classes, deactivate the GLOBAL option for the class.
    Example:
    SETROPTS NOGLOBAL(HORSES8) 
    Do not deactivate the GLOBAL option for this class when it shares a POSIT value with other classes that are active. (See the "Before you begin" topic of this procedure.)

    _________________________________________________________________

  5. If you have a GLOBAL profile for the class, delete it.
    Example:
    RDELETE GLOBAL HORSES8 

    _________________________________________________________________

  6. If you have a RACGLIST profile for the class, delete it.
    Example:
    RDELETE RACGLIST HORSES8 

    _________________________________________________________________

  7. If the class to be deleted does not share a POSIT value with other existing classes, deactivate the other active system options for your class, using the SETROPTS LIST command output from Step 2.
    Example:
    SETROPTS NOAUDIT(HORSES8) LOGOPTIONS(DEFAULT(HORSES8)) NORACLIST(HORSES8) 
       NOGENERIC(HORSES8) NOGENCMD(HORSES8) NOSTATISTICS(HORSES8) 
    Do not deactivate the active system options for this class when it shares a POSIT value with other classes that are active. (See the "Before you begin" topic of this procedure.)

    _________________________________________________________________

  8. If you are using GENLIST processing for the class to be deleted and the class does not share a POSIT value with other existing classes, deactivate GENLIST processing.
    Example:
    SETROPTS NOGENLIST(HORSES8)
    Do not deactivate GENLIST processing for this class when it shares a POSIT value with other classes that are active. (See the "Before you begin" topic of this procedure.)

    _________________________________________________________________

  9. Delete the class from the CDT class.
    Example:
    RDELETE CDT HORSES8

    If you receive message ICH12304I indicating that the class cannot be deleted because there are profiles in the class, your RACF® database might contain generic profiles in this class that are hidden from the SEARCH and RLIST commands. This can happen when a generic profile is defined in a class that is subsequently disabled for generics with the SETROPTS NOGENCMD or NOGENERIC command. To resolve this, schedule an appropriate time to issue the SETROPTS GENCMD command and then repeat Step 1 to find and delete such profiles. After you successfully delete the profiles, issue the SETROPTS NOGENCMD command. Be sure to carefully plan when to enable the GENCMD option because it will affect other classes that share the same POSIT value.

    _________________________________________________________________

  10. Refresh the dynamic CDT.
    SETROPTS RACLIST(CDT) REFRESH 

    _________________________________________________________________

  11. If you have users with class authority (CLAUTH) for the deleted class, remove their authorities.
    Example:
    ALTUSER userid NOCLAUTH(HORSES8) 

    _________________________________________________________________
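
The script below is an added example, not part of the IBM guide: it builds the ordered command list for this procedure and withholds the SETROPTS steps (3, 4, 7 and 8) when the class shares its POSIT value with another class. The class inventory, its POSIT numbers, the function names and the user ID USERA are constructed for illustration; the commands themselves are the ones shown in the steps above.

```python
# Added example: command plan for deleting a dynamic CDT class.
# SAMPLE_POSITS is a constructed inventory, not output from a real system.
SAMPLE_POSITS = {"HORSES8": 301, "PONIES8": 301, "BARNS8": 302}


def posit_is_shared(cls, posits):
    """True when another class in the inventory uses the same POSIT value."""
    return any(n != cls and p == posits[cls] for n, p in posits.items())


def deletion_plan(cls, posits, uses_global=False, uses_genlist=False,
                  has_global_profile=False, has_racglist_profile=False,
                  clauth_users=()):
    """Return (commands, skipped): ordered (step, command) pairs and the
    step numbers withheld because the POSIT value is shared."""
    shared = posit_is_shared(cls, posits)
    commands, skipped = [], []

    def add(step, command, wanted=True, setropts_scoped=False):
        # setropts_scoped steps change options for every class on the POSIT.
        if not wanted:
            return
        if setropts_scoped and shared:
            skipped.append(step)
        else:
            commands.append((step, command))

    add("1a", f"SEARCH CLASS({cls}) CLIST('RDELETE {cls} ')")
    add("1b", "EXEC EXEC.RACF.CLIST LIST")
    add("1c", f"SEARCH CLASS({cls})")
    add("2", "SETROPTS LIST")
    add("3", f"SETROPTS NOCLASSACT({cls})", setropts_scoped=True)
    add("4", f"SETROPTS NOGLOBAL({cls})", uses_global, True)
    add("5", f"RDELETE GLOBAL {cls}", has_global_profile)
    add("6", f"RDELETE RACGLIST {cls}", has_racglist_profile)
    add("7", f"SETROPTS NOAUDIT({cls}) LOGOPTIONS(DEFAULT({cls})) "
             f"NORACLIST({cls}) NOGENERIC({cls}) NOGENCMD({cls}) "
             f"NOSTATISTICS({cls})", setropts_scoped=True)
    add("8", f"SETROPTS NOGENLIST({cls})", uses_genlist, True)
    add("9", f"RDELETE CDT {cls}")
    add("10", "SETROPTS RACLIST(CDT) REFRESH")
    for user in clauth_users:  # USERA below is a hypothetical user ID
        add("11", f"ALTUSER {user} NOCLAUTH({cls})")
    return commands, skipped


if __name__ == "__main__":
    plan, withheld = deletion_plan("HORSES8", SAMPLE_POSITS, uses_global=True,
                                   clauth_users=["USERA"])
    for step, command in plan:
        print(f"{step:>3}  {command}")
    print("withheld (shared POSIT):", ", ".join(withheld))
```

Review the withheld steps against the SETROPTS LIST output from Step 2 before running anything; the plan only reflects the inventory it was given.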





Copyright IBM Corporation 1990, 2014