SETROPTS (Set RACF options)
Purpose
- Gather and display RACF statistics
- Protect terminals
- Log RACF events
- Permit list-of-groups access checking
- Display options currently in effect
- Enable or disable the generic profile checking facility on a class-by-class basis
- Activate checking for previous passwords and password phrases
- Limit unsuccessful attempts to access the system using incorrect passwords and password phrases
- Control change intervals for passwords and password phrases
- Control mixed-case passwords
- Warn of expiring passwords and password phrases
- Establish password syntax rules
- Activate auditing for access attempts by class
- Activate auditing for security labels
- Require that all work entering the system, including users logging on and batch jobs, have a security label assigned
- Enable or disable the global access checking facility
- Refresh in-storage profile lists and global access checking tables
- Set the password the operator must supply in order for RACF to complete an RVARY command that changes RACF status or changes the RACF databases
- Enable or disable the sharing, in common storage, of discrete and generic profiles for general resource classes
- Activate or deactivate auditing of access attempts to RACF-protected resources based on installation-defined security levels
- Control the automatic data set protection (ADSP) attribute for users
- Activate profile modeling for GDG, group, and user data sets
- Activate protection for data sets with single-level names
- Control logging of real data set names
- Control the job entry subsystem options
- Activate tape data set protection
- Control whether RACF is to allow users to create or access data sets that do not have RACF protection
- Activate and control the scope of erase-on-scratch processing
- Activate program control, which includes both access control to load modules and program access to data
- Prevent users from accessing uncataloged permanent data sets
- Establish a system-wide VTAM® session interval
- Set an installation-wide default for the RACF security retention period for tape data sets
- Activate enhanced generic naming for data sets and entries in the global access checking table
- Set installation defaults for primary and secondary national languages
- Activate auditing for APPC transactions
- Use the dynamic class descriptor table.
Following are the classes that can be specified in the AUDIT operand and the commands and SVCs that are logged for each class.
USER | GROUP | DATASET | CDT entries |
---|---|---|---|
ADDUSER | ADDGROUP | ADDSD | PERMIT |
ALTUSER | ALTGROUP | ALTDSD | REQUEST=DEFINE SVC |
CONNECT | CONNECT | DELDSD | RALTER |
DELUSER | DELGROUP | PERMIT | RDEFINE |
PASSWORD | REMOVE | REQUEST=DEFINE SVC | RDELETE |
REMOVE | - | - | - |
Most RACF functions do not require special versions or releases of the operating system or operating system components. However, some do require that your system be at a certain level.
The following SETROPTS operands are propagated to the other members of a RACF data sharing group:
- GENERIC REFRESH
- GLOBAL
- GLOBAL REFRESH
- RACLIST
- NORACLIST
- RACLIST REFRESH
- WHEN(PROGRAM)
- WHEN(PROGRAM) REFRESH
When issued from a member of the RACF data sharing group, these commands, if successful on the member that issues them, are propagated in a controlled, synchronized manner to the other members in the group. A system in read-only mode can participate if it receives a SETROPTS command propagated from another system, but a user on a system in read-only mode cannot issue any SETROPTS commands except for the SETROPTS LIST command. For propagated SETROPTS REFRESH commands, members of the data sharing group are notified to either create, update, or delete some in-storage information. These commands are coordinated to ensure that all systems begin to use the changed information simultaneously, and to always see a consistent view of this information.
RACF serializes propagated SETROPTS commands to prevent conflicting commands of the same type (for example, SETROPTS RACLIST and SETROPTS NORACLIST) from processing simultaneously.
- The options you specify on SETROPTS are common on systems that share the RACF database. All the systems involved must have the required levels of software. If you activate SECLABEL and the multilevel security options on one system, they are activated on all systems.
- If RACF is not enabled for sysplex communication, the SETROPTS commands that would be propagated to all members of a data sharing group must instead be issued on each system sharing the database. Although the command is not propagated, RACF does record the fact that a SETROPTS RACLIST was issued. The next time that any system sharing the database is IPLed, the SETROPTS RACLIST is done on that sharing system.
- When the SETROPTS command is from ISPF, the TSO command buffer (including password data) is written to the ISPLOG data set. As a result, you should not issue the SETROPTS command from ISPF or you must control the ISPLOG data set carefully.
- If the SETROPTS command is issued as a RACF operator command, the command and the password data are written to the system log. Therefore, use of SETROPTS as a RACF operator command should either be controlled or you should issue the command as a TSO command.
- If 70 < yy <= 99, the date is interpreted as 19yy.
- If 00 <= yy <= 70, the date is interpreted as 20yy.
Issuing options
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | Yes (See rule.) | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.
Most SETROPTS command functions require you to have the SPECIAL or AUDITOR attribute. You must have the AUDITOR attribute to specify the following operands:
- APPLAUDIT | NOAPPLAUDIT
- AUDIT | NOAUDIT
- CMDVIOL | NOCMDVIOL
- LOGOPTIONS
- OPERAUDIT | NOOPERAUDIT
- SAUDIT | NOSAUDIT
- SECLABELAUDIT | NOSECLABELAUDIT
- SECLEVELAUDIT | NOSECLEVELAUDIT
If you have either the SPECIAL, AUDITOR or ROAUDIT attributes, you can use the LIST operand.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
- You can specify the LIST operand if you have the group-SPECIAL or group-AUDITOR attribute in the current connect group or if GRPLIST is active in any group that you are connected to.
- You can specify REFRESH together with GENERIC if you have the group-SPECIAL, AUDITOR, group-AUDITOR, OPERATIONS, group-OPERATIONS attribute, or CLAUTH authority for the classes specified.
- You can specify REFRESH together with GLOBAL if you have the OPERATIONS attribute or CLAUTH authority for the classes specified.
- You can specify REFRESH together with RACLIST if you have CLAUTH authority to the specified class.
- You can specify REFRESH together with WHEN(PROGRAM) if you have the OPERATIONS attribute or CLAUTH authority for the program class.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the SETROPTS command is:
```text
[subsystem-prefix]{SETROPTS | SETR}
  [ ADDCREATOR | NOADDCREATOR ]
  [ ADSP | NOADSP ]
  [ APPLAUDIT | NOAPPLAUDIT ]
  [ AT([node].userid ...) | ONLYAT([node].userid ...) ]
  [ {AUDIT | NOAUDIT} ({class-name ... | * }) ]
  [ CATDSNS( FAILURES | WARNING ) | NOCATDSNS ]
  [ {CLASSACT | NOCLASSACT} ({class-name ... | * }) ]
  [ CMDVIOL | NOCMDVIOL ]
  [ COMPATMODE | NOCOMPATMODE ]
  [ EGN | NOEGN ]
  [ ERASE[( { ALL | SECLEVEL(seclevel-name) | NOSECLEVEL } )] | NOERASE ]
  [ {GENCMD | NOGENCMD} ({class-name ... | * }) ]
  [ {GENERIC | NOGENERIC} ({class-name ... | * }) ]
  [ GENERICOWNER | ENHANCEDGENERICOWNER | NOGENERICOWNER ]
  [ {GENLIST | NOGENLIST} (class-name ...) ]
  [ {GLOBAL | NOGLOBAL} ({class-name ... | * }) ]
  [ GRPLIST | NOGRPLIST ]
  [ INACTIVE(unused-userid-interval) | NOINACTIVE ]
  [ INITSTATS | NOINITSTATS ]
  [ JES( [ BATCHALLRACF | NOBATCHALLRACF ] [ EARLYVERIFY | NOEARLYVERIFY ]
         [ XBMALLRACF | NOXBMALLRACF ] [ NJEUSERID(userid) ] [ UNDEFINEDUSER(userid) ] ) ]
  [ KERBLVL(0|1) ]
  [ LANGUAGE( [ PRIMARY(language) ] [ SECONDARY(language) ] ) ]
  [ LIST ]
  [ LOGOPTIONS( { ALWAYS(class-name, ...), ... | NEVER(class-name, ...), ... |
                  SUCCESSES(class-name, ...), ... | FAILURES(class-name, ...), ... |
                  DEFAULT({class-name, ... | * }) } ) ]
  [ MLACTIVE [( FAILURES | WARNING )] | NOMLACTIVE ]
  [ MLFSOBJ( ACTIVE | INACTIVE ) ]
  [ MLIPCOBJ( ACTIVE | INACTIVE ) ]
  [ MLNAMES | NOMLNAMES ]
  [ MLQUIET | NOMLQUIET ]
  [ MLS [( FAILURES | WARNING )] | NOMLS ]
  [ MLSTABLE | NOMLSTABLE ]
  [ MODEL( [ GDG | NOGDG ] [ GROUP | NOGROUP ] [ USER | NOUSER ] ) | NOMODEL ]
  [ OPERAUDIT | NOOPERAUDIT ]
  [ PASSWORD( [ ALGORITHM(KDFAES) | NOALGORITHM ] [ HISTORY(number-previous-values) | NOHISTORY ]
              [ INTERVAL(maximum-change-interval) ] [ MINCHANGE(minimum-change-interval) ]
              [ MIXEDCASE | NOMIXEDCASE ] [ REVOKE(number-incorrect-attempts) | NOREVOKE ]
              [ {RULEn(LENGTH(m1:m2) content-keyword(position)) | NORULEn | NORULES} ]
              [ SPECIALCHARS | NOSPECIALCHARS ] [ WARNING(days-before-expiration) | NOWARNING ] ) ]
  [ PREFIX(prefix) | NOPREFIX ]
  [ PROTECTALL [( FAILURES | WARNING )] | NOPROTECTALL ]
  [ {RACLIST | NORACLIST} (class-name ...) ]
  [ REALDSN | NOREALDSN ]
  [ REFRESH ]
  [ RETPD(nnnnn) ]
  [ RVARYPW( [ SWITCH(switch-pw) ] [ STATUS(status-pw) ] ) ]
  [ SAUDIT | NOSAUDIT ]
  [ SECLABELAUDIT | NOSECLABELAUDIT ]
  [ SECLABELCONTROL | NOSECLABELCONTROL ]
  [ SECLBYSYSTEM | NOSECLBYSYSTEM ]
  [ SECLEVELAUDIT(security-level) | NOSECLEVELAUDIT ]
  [ SESSIONINTERVAL(n) | NOSESSIONINTERVAL ]
  [ {STATISTICS | NOSTATISTICS} ({class-name ... | * }) ]
  [ TAPEDSN | NOTAPEDSN ]
  [ TERMINAL( NONE | READ ) ]
  [ {WHEN | NOWHEN} (PROGRAM) ]
```
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the execution environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS™ command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- ADDCREATOR | NOADDCREATOR
- ADDCREATOR
- Specifies that if a user defines any new DATASET or general resource profile using ADDSD, RDEFINE or RACROUTE REQUEST=DEFINE, the profile creator's user ID is placed on the profile's access list with ALTER authority.
- NOADDCREATOR
- Specifies that if a user defines any new DATASET or general resource profile using ADDSD, RDEFINE or RACROUTE REQUEST=DEFINE, or creates discrete profiles other than DATASET and TAPEVOL using RACROUTE REQUEST=DEFINE, RACF does not place the profile creator's user ID on the profile's access list. If the profile creator uses profile modeling, RACF copies the access list exactly. If the creator's user ID appears in the model's access list, RACF copies that authority to the new profile. For example, if the creator's user ID appears in the model's access list with READ, RACF copies that access authority to the new profile without changing it to ALTER.
An important exception for NOADDCREATOR occurs when the user creates a discrete DATASET or TAPEVOL profile using RACROUTE REQUEST=DEFINE. In this case, RACF ignores the NOADDCREATOR option and places the profile creator's user ID on the new profile's access list with ALTER authority. If the profile creator uses profile modeling to define a discrete DATASET or TAPEVOL profile and the creator's user ID appears in the model's access list, RACF creates the entry in the new profile with ALTER authority. This exception to NOADDCREATOR allows system components to allocate data sets and immediately access them without having an administrator manipulate the profile's access list in the interim.
Note: The initial setting of the ADDCREATOR/NOADDCREATOR keyword depends on whether your database is new or old. When IRRMIN00 is run with PARM=NEW, the initial setting is NOADDCREATOR. When IRRMIN00 is run with anything other than PARM=NEW, RACF retains the current value of ADDCREATOR/NOADDCREATOR. For compatibility and migration reasons, this value is set to ADDCREATOR if no prior specification of ADDCREATOR or NOADDCREATOR had occurred.
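The ADDCREATOR rules above, including the NOADDCREATOR exception for discrete DATASET and TAPEVOL profiles created by RACROUTE REQUEST=DEFINE, as a small executable model. This is an added example, not RACF product code or text from the IBM documentation: the access-list representation (a dict of user ID to authority), the function name and its parameters are assumptions made for illustration; the decision rules are the ones the option description states.

```python
"""Model of the effect of SETROPTS ADDCREATOR / NOADDCREATOR on the access
list of a newly created profile, following the option description.

Added example, not RACF product code. The access-list representation
(a dict mapping user ID to access authority), the function name and its
parameters are assumptions made for illustration.
"""

DATASET_LIKE = ("DATASET", "TAPEVOL")   # classes covered by the NOADDCREATOR exception


def new_profile_access_list(addcreator, creator, profile_class, discrete,
                            via_racroute_define, model_acl=None):
    """Return the access list RACF gives a profile that `creator` just defined.

    addcreator          True for SETROPTS ADDCREATOR, False for NOADDCREATOR
    profile_class       "DATASET", "TAPEVOL" or any other resource class name
    discrete            True for a discrete profile, False for a generic one
    via_racroute_define True when the profile was created by RACROUTE
                        REQUEST=DEFINE rather than by ADDSD or RDEFINE
    model_acl           access list copied from a model profile, or None
    """
    # Profile modeling copies the model's access list exactly, including any
    # entry the creator already has (for example READ).
    acl = dict(model_acl or {})

    if addcreator:
        # ADDCREATOR: the creator is always placed on the list with ALTER.
        # (Assumption: this also raises a lower modelled authority to ALTER.)
        acl[creator] = "ALTER"
        return acl

    # NOADDCREATOR: the creator is normally not added and a modelled entry is
    # copied unchanged, except for discrete DATASET/TAPEVOL profiles created by
    # RACROUTE REQUEST=DEFINE, which always get the creator with ALTER so that
    # a system component can allocate a data set and use it immediately.
    if discrete and via_racroute_define and profile_class.upper() in DATASET_LIKE:
        acl[creator] = "ALTER"
    return acl


if __name__ == "__main__":
    # NOADDCREATOR, discrete DATASET profile allocated via REQUEST=DEFINE,
    # modelled with READ for the creator: the exception raises it to ALTER.
    print(new_profile_access_list(False, "SYSPROG", "DATASET", True, True,
                                  {"SYSPROG": "READ", "OPER1": "UPDATE"}))
```

Run it under NOADDCREATOR with an ADDSD-created profile and the creator does not appear at all, which is the point of the option: the creator's authority must come from the access list or from an attribute, not from having issued the command.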
- ADSP | NOADSP
- ADSP
- Specifies that data sets created by users who have the automatic data set protection (ADSP) attribute are RACF-protected automatically. ADSP is in effect when RACF is using a newly initialized database.
Because ADSP forces the creation of a discrete profile for each data set created by users who have the ADSP attribute, you should normally specify NOADSP if you specify GENERIC.
- NOADSP
- Cancels automatic RACF protection for users who have the ADSP attribute.
- APPLAUDIT | NOAPPLAUDIT
- APPLAUDIT
- Specifies that auditing of APPC transactions on your system be enabled. APPC transactions are audited when they receive authorization (start) or have authorization removed (end). You must request auditing for the appropriate APPL profile. Otherwise, turning APPLAUDIT on does not cause auditing of APPC transactions. See z/OS Security Server RACF Auditor's Guide for more information on requesting auditing. You must have the AUDITOR attribute to specify this option.
- NOAPPLAUDIT
- Specifies that auditing of APPC transactions on your system (starting and ending) be disabled. You must have the AUDITOR attribute to specify this option.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space. If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- Specifies that the command is to be directed only to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space. If node is not specified, the command is directed only to the local node.
Note: SETROPTS LIST with no other keywords specified is not eligible for automatic command direction. Do not specify the ONLYAT and LIST keywords together without any other keywords on a SETROPTS command.
- AUDIT | NOAUDIT
- AUDIT(class-name ... | *)
- Specifies the names of the classes for which you want RACF to perform auditing. For the classes you specify, RACF logs all uses of the RACROUTE REQUEST=DEFINE SVC and all changes made to profiles by RACF commands. When the class specified is USER, RACF logs all password and password phrase changes made by RACROUTE REQUEST=VERIFY. (RACF adds the classes you specify to those already specified for auditing.)
The valid class names are USER, GROUP, DATASET, and those defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.
If you specify an asterisk (*), logging occurs for all classes. You must have the AUDITOR attribute to enter the AUDIT operand.
Note: If you activate auditing for a class using SETROPTS AUDIT, RACF activates auditing for all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate auditing for any one of these classes, you activate auditing for all of them. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- NOAUDIT(class-name ... | *)
- Specifies the names of the classes for which you no longer want RACF to perform auditing. For the classes you specify, RACF no longer logs all uses of the REQUEST=DEFINE SVC and all changes made to profiles by RACF commands. The valid class names are USER, GROUP, DATASET, and those classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
If you specify NOAUDIT(*), logging does not occur for any class. You must have the AUDITOR attribute to enter the NOAUDIT operand.
Note: If you deactivate auditing for a class using SETROPTS NOAUDIT, RACF deactivates auditing for all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate auditing for any one of these classes, you deactivate auditing for all of them. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- CATDSNS | NOCATDSNS
- CATDSNS(FAILURES | WARNING)
- Specifies that uncataloged data sets, new (and not cataloged) data sets, or system temporary data sets are not to be accessed by users. The following exceptions apply:
- The job that creates the data set can access it even if the data set is uncataloged. If the data set is still uncataloged when the job ends, it is inaccessible thereafter.
- Data sets with discrete profiles can be accessed, even if uncataloged, if allowed by the profile.
- For uncataloged data sets without discrete profiles, RACF constructs a resource name of ICHUNCAT.dsname (only the first 30 characters of the dsname are used). It checks the user's authority to this resource in the FACILITY class. If the resource is protected by a FACILITY class profile, and the user has access to it, the access is allowed.
- If the user has the SPECIAL attribute, the access is allowed even if the data set is uncataloged, but a warning message and SMF record are created.
- If you use DFSMSrmm to manage your tape data sets and the TAPEAUTHF1 option is active (in the DEVSUPxx member of SYS1.PARMLIB), an uncataloged tape data set might be read by a user who has access to the first file on the tape volume when the first file is cataloged. See z/OS DFSMSrmm Implementation and Customization Guide. (If you use a different tape management system, refer to your product documentation.)
- Write requests to tape data sets are not denied because of SETROPTS CATDSNS.
Note: For additional information about accessing uncataloged data sets, refer to SETROPTS command in z/OS Security Server RACF Security Administrator's Guide.
- FAILURES
- Specifies that RACF is to reject any request to access a data set that is not cataloged. FAILURES is the default. If CATDSNS(FAILURES) is in effect and a privileged started task or a user with the SPECIAL attribute requests access to an uncataloged data set, RACF accepts the request and issues a warning message.
- WARNING
- Specifies that the access is allowed even if the data set is uncataloged. However, a warning message and SMF record are created.
- NOCATDSNS
- Specifies that data sets that are not cataloged can be accessed by users. NOCATDSNS is in effect when RACF is using a newly initialized database.
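The CATDSNS decision and its exceptions, as an added executable model that is not part of the RACF documentation or product. It builds the ICHUNCAT.dsname FACILITY resource name (first 30 characters of the data set name) and walks the exceptions listed above in order. The Request fields, the outcome labels and the in-memory FACILITY table standing in for a real FACILITY class authorization check are assumptions made for illustration; an outcome of ALLOW means only that CATDSNS does not reject the request, ordinary profile checking still applies.

```python
"""Model of the SETROPTS CATDSNS access decision, including the
ICHUNCAT.dsname FACILITY resource RACF checks for an uncataloged data set
that has no discrete profile.

Added example, not RACF product code. The Request fields, the outcome
labels and the FACILITY_PERMITS table (constructed) are assumptions made
for illustration; the rules follow the option description above.
"""
from dataclasses import dataclass

ALLOW = "ALLOW"                 # CATDSNS does not reject; normal checking still applies
WARN = "ALLOW+WARNING+SMF"      # allowed, but a warning message and SMF record are written
FAIL = "FAIL"                   # rejected because the data set is uncataloged


def uncataloged_resource_name(dsname):
    """FACILITY resource checked for an uncataloged data set without a
    discrete profile: ICHUNCAT. followed by the first 30 characters of dsname."""
    return "ICHUNCAT." + dsname.upper()[:30]


@dataclass
class Request:
    userid: str
    dsname: str
    cataloged: bool
    mode: str                          # "NOCATDSNS", "FAILURES" or "WARNING"
    creating_job: bool = False         # issued by the job that created the data set
    discrete_profile: bool = False     # a discrete DATASET profile exists
    discrete_allows: bool = False      # what that profile's access list says
    special_or_privileged: bool = False  # SPECIAL user or privileged started task
    tape_write: bool = False


# Constructed stand-in for FACILITY profiles: resource name -> permitted user IDs.
FACILITY_PERMITS = {
    "ICHUNCAT.PROD.PAYROLL.BACKUP": {"BKPADMIN"},
}


def catdsns_decision(req, facility_permits=FACILITY_PERMITS):
    """Apply the CATDSNS rules to one access request and return the outcome."""
    if req.mode == "NOCATDSNS" or req.cataloged:
        return ALLOW                    # option inactive, or the data set is cataloged
    if req.tape_write:
        return ALLOW                    # write requests to tape data sets are never denied by CATDSNS
    if req.creating_job:
        return ALLOW                    # the creating job can use it until the job ends
    if req.discrete_profile:
        # a discrete profile is honoured even though the data set is uncataloged
        return ALLOW if req.discrete_allows else FAIL
    resource = uncataloged_resource_name(req.dsname)
    if req.userid in facility_permits.get(resource, set()):
        return ALLOW                    # explicitly permitted through ICHUNCAT.<dsname> in FACILITY
    if req.special_or_privileged or req.mode == "WARNING":
        return WARN                     # allowed, but logged
    return FAIL                         # CATDSNS(FAILURES): request rejected


if __name__ == "__main__":
    req = Request(userid="USER1", dsname="PROD.PAYROLL.BACKUP", cataloged=False, mode="FAILURES")
    print(uncataloged_resource_name(req.dsname), catdsns_decision(req))
```

The 30-character truncation matters operationally: two long data set names that agree in their first 30 characters map to the same FACILITY resource, so a permit granted for one uncataloged data set also covers the other.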
- CLASSACT | NOCLASSACT
- CLASSACT(class-name ... | *)
- Specifies those classes defined by entries in the class descriptor table for which RACF protection is to be in effect. If you specify an asterisk (*), you activate RACF protection for all classes defined in the class descriptor table except for those classes with a default return code of 8. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Notes:
- If you activate a class using SETROPTS CLASSACT, RACF activates all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate any one of these classes, you activate all of them. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- Before activating a class that has a default return code of 8 in the class descriptor table (either explicitly or by means of a shared POSIT value), be sure you have defined the necessary profiles to allow your users to access resources in that class. For example, if you activate JESINPUT without defining profiles to allow access, no one is able to submit batch jobs.
- You need not activate the DIGTCERT, DIGTCRIT, and DIGTRING classes to use resources in those classes. However, performance is improved when you RACLIST the DIGTCERT and DIGTCRIT classes if you use resources in these classes. To RACLIST a class, you must activate it.
- NOCLASSACT(class-name ... | *)
- Specifies those classes defined by entries in the class descriptor table for which RACF protection is not to be in effect. If you specify an asterisk (*), you deactivate RACF protection for all classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes. NOCLASSACT is in effect when RACF is using a newly initialized database.
Rules:
- If you deactivate a class using SETROPTS NOCLASSACT, RACF deactivates all classes in the class descriptor table that have the same POSIT value as the class you specify. For example, the classes TIMS, GIMS, and AIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate any one of these classes, you deactivate all of them. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- If MLACTIVE, MLS, MLIPCOBJ, MLFSOBJ or SECLBYSYSTEM is active, you may not deactivate the SECLABEL class. Issuing SETROPTS NOCLASSACT(SECLABEL) will fail.
- CMDVIOL | NOCMDVIOL
- Specifies whether RACF is to log violations detected by RACF commands. You must have the AUDITOR attribute to specify these options.
- CMDVIOL
- Specifies that RACF is to log violations detected by RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) during RACF command processing. A violation might occur because a user is not authorized to modify a particular profile or is not authorized to enter a particular operand on a command. CMDVIOL is in effect when RACF is using a newly initialized database.
- NOCMDVIOL
- Specifies that RACF is not to log violations detected by RACF commands during RACF command processing (except RVARY and SETROPTS, which are always logged).
- COMPATMODE | NOCOMPATMODE
- COMPATMODE
- Allows users and jobs not using security labels to be on a system enforcing security labels. The ACEEs of the user IDs or jobs must have been created by a RACROUTE REQUEST=VERIFY that did not specify the RELEASE=1.9 keyword (or later).
- NOCOMPATMODE
- Users and jobs must be running with correct security labels to access data. NOCOMPATMODE is in effect when RACF is using a newly initialized database.
- EGN | NOEGN
- Specifies whether to activate or deactivate enhanced generic naming (EGN).
- EGN
- Activates EGN. When you activate this option, RACF allows you to specify the generic character ** (in addition to the generic characters * and %) when you define data set profile names and entries in the global access checking table.
Notes:
- For information on EGN and its effect on profile names, see the description of generic profiles in Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference.
- EGN changes the meaning of the generic character *.
- When you first activate enhanced generic naming, the RACF protection provided by existing data set profiles and the global access checking table remains the same.
- NOEGN
- Specifies deactivation of EGN. When you deactivate this option, RACF does not allow you to specify the generic character ** when you define data set names and entries in the global access checking table. NOEGN is in effect when RACF is using a newly initialized database.
Important: If you protect data sets with generic profiles while EGN is active and then deactivate this option, your resources might no longer be protected. Table 1 and Table 2 show examples of generic profiles created with enhanced generic naming active. Some of these profiles do not provide RACF protection when the option is deactivated. If a data set is unprotected when EGN is deactivated, you can protect the data set with a discrete profile, as described in Naming considerations for resource profiles in z/OS Security Server RACF Command Language Reference, either before or after the option is deactivated, or with a generic profile after the option is deactivated.
- ERASE | NOERASE
- ERASE(erase-indicator)
- Specifies that data management is to physically erase the contents of deleted data sets and scratched or released DASD extents. Erasing the data set means overwriting its contents with binary zeroes so that it cannot be read.
Restriction: The ERASE option applies to DASD data sets only, not tape data sets, unless you set the TAPEAUTHDSN option in the DEVSUPxx member of SYS1.PARMLIB. See Erasing scratched or released data (ERASE option) in z/OS Security Server RACF Security Administrator's Guide for more information. For details about customizing SYS1.PARMLIB, see z/OS MVS Initialization and Tuning Reference. For details about controlling authorization for tape volume overwriting, see z/OS DFSMSrmm Implementation and Customization Guide. (If you use a different tape management system, refer to your product documentation.)
If you specify ERASE without any suboperand, whether a scratched data set is erased depends on the status of the erase indicator in the data set profile. The SETROPTS ERASE suboperands allow you to override the erase indicator in the data set profile, to control the scope of erase-on-scratch at the installation level rather than leaving it to individual users.
The SETROPTS ERASE erase-indicator can be:
- ALL
- Specifies that data management is to erase all scratched data sets, including temporary data sets, regardless of the erase indicator, if any, in the data set profile.
- SECLEVEL(seclevel-name)
- Specifies that data management is to erase all scratched data sets that have a security level equal to or greater than the security level that you specify, where seclevel-name must be a member of the SECLEVEL profile in the SECDATA class.
Note: A scratched data set with a security level lower than the level you specify is not erased unless the erase indicator (if any) in the data set profile is on.
- NOSECLEVEL
- Specifies that RACF is not to consider the security level in the data set profile when it decides whether data management is to erase a scratched data set.
Note: A scratched data set, regardless of security level, is not erased unless the erase indicator (if any) in the data set profile is on.
NOSECLEVEL is the default if you do not specify erase-indicator when you specify ERASE.
- NOERASE
- Specifies that erase-on-scratch processing is not in effect. NOERASE means that no data sets are erased when deleted (scratched), even if the erase indicator in the data set profile is on. NOERASE is in effect when RACF is using a newly initialized database.
- GENCMD | NOGENCMD
-
- GENCMD(class-name ... |
*
) - Activates generic profile command processing for the
specified classes. Valid class names are DATASET and all class names except grouping classes and
classes defined with the GENERIC(DISALLOWED) attribute. The following supplied classes in the static class descriptor table (CDT) are defined with the GENERIC(DISALLOWED) attribute:
CDT
IDIDMAP
REALM
SECLABEL
CFIELD
KERBLINK
SECLMBR
To identify installation-defined classes in the dynamic CDT with the GENERIC(DISALLOWED) attribute, issue the
RLIST CDT * CDTINFO
command to list the attributes of all classes in the dynamic CDT.If you specify an asterisk (
*
), you activate generic profile command processing for the DATASET class plus all general resource classes except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.When GENCMD is in effect for a class, all the command processors can work on generic profiles, but the RACF SVC routines cannot perform generic profile checking. This operand allows the installation to temporarily disable generic profile checking (during maintenance, for example) and still use the RACF commands to maintain generic profiles.
Generic profile command processing is automatically activated for all classes for which generic profile checking is activated. Therefore, when you issue SETROPTS GENERIC for a class, you need not issue SETROPTS GENCMD for the same class.
Note: If you activate generic profile command processing for a class using SETROPTS GENCMD, RACF activates generic profile command processing for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of4
in their respective class descriptor table entries. If you activate generic profile command processing for TIMS, you also activate it for AIMS. However, you cannot activate this option for GIMS because GIMS is a grouping class. If you have GENCMD turned on for the DIGTCERT class when the certificate is created or added, and its Issuer's Distinguished Name contains any generic characters (*
,&
and%
), a generic certificate profile will be created. This generic feature will cause unexpected behavior when the certificate is being used by other programs. You need to remove it add it back after turning off GENCMD in the DIGTCERT class.For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- NOGENCMD(class-name ... | *)
- Deactivates generic profile command processing for the specified classes. Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.
If you specify an asterisk (*), you deactivate generic profile command processing for the DATASET class plus all general resource classes except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute. NOGENCMD(*) is in effect when RACF is using a newly initialized database. If generic profile checking is active (GENERIC is in effect), RACF ignores this operand because GENERIC both includes and overrides generic profile command processing.
Note: If you deactivate generic profile command processing for a class using SETROPTS NOGENCMD, RACF deactivates generic profile command processing for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate generic profile command processing for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected because it is a grouping class. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- GENERIC | NOGENERIC
-
- GENERIC(class-name ... | *)
- Activates generic profile checking for the classes specified. Note: Avoid activating generic profile checking for the DIGTCERT or DIGTRING class.
Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.
The following supplied classes in the static class descriptor table (CDT) are defined with the GENERIC(DISALLOWED) attribute: CDT, CFIELD, IDIDMAP, KERBLINK, REALM, SECLABEL, and SECLMBR.
To identify installation-defined classes in the dynamic CDT with the GENERIC(DISALLOWED) attribute, issue the RLIST CDT * CDTINFO command to list the attributes of all classes in the dynamic CDT.
Guidelines:
- When possible, use generic profiles to protect multiple resources and reduce administrative effort. Consider issuing SETROPTS GENERIC(classname) for the classes you use, so that generic profiles are usable in those classes.
- If you already have general resource profiles defined in your database, avoid issuing the SETROPTS GENERIC(*) command. This command activates generic profile checking for all classes except resource grouping classes and classes defined with the GENERIC(DISALLOWED) attribute. Some classes do not support generic profile checking. These and other classes might already have profile names that contain generic characters (*, &, and %).
- If you have GENERIC turned on for the DIGTCERT class when the certificate is created or added and its Issuer's Distinguished Name contains any generic characters (*, &, and %), a generic certificate profile will be created. This generic feature will cause unexpected behavior when the certificate is being used by other programs. You need to remove it and add it back after turning off GENERIC in the DIGTCERT class.
- If a general resource class already has discrete profiles with names that contain generic characters (*, &, and %), enabling generic profile checking for the class prevents RACF from using those discrete profiles for authorization checking. If you enable SETROPTS GENERIC for a class that has a discrete profile name containing generic characters, the profile will be marked UNUSABLE in RLIST and SEARCH output listings. Tip: Use the RDELETE command with the NOGENERIC option to delete this profile.
- In general, once you activate generic profile checking for a class and define generic profiles, avoid deactivating it with the NOGENERIC operand. RACF will not use your previously defined generic profiles for authorization checking while NOGENERIC is in effect.
Generic profile command processing is automatically activated for all classes for which generic profile checking is activated. Therefore, when you issue SETROPTS GENERIC for a class, you need not issue SETROPTS GENCMD for the same class.
If you specify GENERIC with REFRESH, only those currently active and authorized classes are refreshed.
Note:
- If RACF is enabled for sysplex communication, RACF propagates SETROPTS GENERIC(class-name) REFRESH commands to other members of the data sharing group.
- If RACF is not enabled for sysplex communication, a SETROPTS GENERIC(class-name) REFRESH command is effective only on the system where it is issued.
- If you specify GENERIC, you should also specify NOADSP.
- If you activate generic profile checking for a class using SETROPTS GENERIC, RACF activates generic profile checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate generic profile checking for TIMS, you also activate it for AIMS. However, you cannot activate this option for GIMS because GIMS is a grouping class. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- NOGENERIC(class-name ... | *)
- Deactivates the generic profile checking facility for the classes specified.
Guideline: In general, once you activate generic profile checking for a class and define generic profiles, avoid deactivating it with the NOGENERIC operand. RACF will not use your defined generic profiles for authorization checking while NOGENERIC is in effect.
Valid class names are DATASET and all class names except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute.
If you specify an asterisk (*), you deactivate generic profile checking for the DATASET class plus all general resource classes except grouping classes and classes defined with the GENERIC(DISALLOWED) attribute. NOGENERIC(*) is in effect when RACF is using a newly initialized database. NOGENERIC does not automatically deactivate generic profile command processing. Therefore, when you issue SETROPTS NOGENERIC for a class, issue SETROPTS NOGENCMD if you want to deactivate generic profile command processing for the same class.
If you specify GENCMD with NOGENERIC, users can issue RACF commands to maintain generic profiles, but RACF does not use generic profile checking during authorization checking.
If you specify NOGENCMD with NOGENERIC, all generic profile command processing is deactivated.
Note: If you deactivate generic profile checking for a class using SETROPTS NOGENERIC, RACF deactivates generic profile checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate generic profile checking for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected because it is a grouping class. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- GENERICOWNER | ENHANCEDGENERICOWNER | NOGENERICOWNER
-
- GENERICOWNER
- Restricts creation of profiles in all general resource classes
except the PROGRAM class. To create a profile that is more specific than any existing profile protecting the same resource a user must:
- Have the SPECIAL attribute
- Be the owner of the existing profile
- Have the group-SPECIAL attribute if a group owns the profile
- Have the group-SPECIAL attribute if the owner of the profile is in the scope of the group.
Note:
- GENERICOWNER provides protection only when there is an existing (less-specific) profile protecting the resource.
- A less-specific profile must end in *, **, or trailing % characters. A more specific profile is a profile that matches the less-specific profile name, character for character, up to the ending *, **, or trailing % characters in the less-specific name. If the less-specific profile ends in %, the characters in the more specific profile that correspond to the contiguous trailing % characters must not be either * or . characters. For more information, see Permitting profiles for GENERICOWNER classes. For example: To allow USERX to RDEFINE A.B in the JESSPOOL class, you need profile A.* in the JESSPOOL class, which is owned by USERX. You also need profile **, owned by the system administrator, to prevent other CLAUTH users from being able to RDEFINE A.B.
- GENERICOWNER does not prevent the creation of a more specific profile if the more specific profile is created in the grouping class and is specified on the ADDMEM operand. For example, profile A* exists in the TERMINAL class and is owned by a group for which user ELAINE does not have group-SPECIAL. If the GENERICOWNER option is in effect, user ELAINE cannot define a more specific profile in the member class (such as RDEF TERMINAL AA*), but user ELAINE can define a profile if it is specified on the ADDMEM operand for the grouping class profile, such as RDEF GTERMINL profile-name ADDMEM(AA*).
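The naming rule in the second note above, modeled in Python as an added example (this is not RACF code and is not taken from the IBM documentation): given two profile names, it decides whether one is "more specific" than the other in the GENERICOWNER sense, and it lists which existing profiles in a class are the less-specific ones whose ownership GENERICOWNER would check before a new profile may be created. The function names are my own; how characters beyond the trailing % positions are treated is an assumption, noted in the code, because the page states no rule for them.

```python
"""Model of the GENERICOWNER 'more specific profile' naming rule
(added example, not RACF code)."""
from typing import List, Optional, Tuple


def generic_ending(profile: str) -> Optional[Tuple[str, str]]:
    """Split a less-specific profile name into (stem, ending).

    A profile qualifies as less-specific only if it ends in '**', '*', or a
    run of '%' characters; the stem is everything before that ending.
    Returns None for a name with no such ending (for example a discrete name).
    """
    if profile.endswith("**"):
        return profile[:-2], "**"
    if profile.endswith("*"):
        return profile[:-1], "*"
    if profile.endswith("%"):
        stem = profile.rstrip("%")
        return stem, profile[len(stem):]
    return None


def is_more_specific(less: str, more: str) -> bool:
    """True if `more` is a more specific profile than `less` in the
    GENERICOWNER sense: it matches `less` character for character up to the
    ending, and, where the ending is trailing '%' characters, the characters
    at those positions are neither '*' nor '.'.

    Assumption: characters past the trailing-% positions are not examined,
    because the page states no rule for them.
    """
    split = generic_ending(less)
    if split is None or more == less:
        return False
    stem, ending = split
    if not more.startswith(stem):
        return False
    if ending in ("*", "**"):
        return True
    # Ending is a run of '%': look only at the corresponding positions.
    tail = more[len(stem):len(stem) + len(ending)]
    if len(tail) < len(ending):
        return False                  # nothing to correspond to a % position
    return not any(ch in "*." for ch in tail)


def covering_profiles(existing: List[str], candidate: str) -> List[str]:
    """Existing profiles that are less specific than `candidate`, i.e. the
    ones whose owner (or a SPECIAL / group-SPECIAL user) GENERICOWNER requires
    before `candidate` may be created. An empty list means GENERICOWNER
    imposes no restriction, since it acts only when such a profile exists."""
    return [p for p in existing if is_more_specific(p, candidate)]


if __name__ == "__main__":
    # Constructed sample modeled on the page's JESSPOOL example.
    jesspool = ["A.*", "**"]
    print(covering_profiles(jesspool, "A.B"))   # both profiles cover A.B
```

With the page's JESSPOOL example, both A.* and ** come back as covering profiles for A.B, which is why the owner of A.* (USERX) and the administrator-owned ** together determine who may define it.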
- ENHANCEDGENERICOWNER
- Same functionality as GENERICOWNER, but also prevents the creation of a more specific profile if
the more specific profile is created in the grouping class and is specified on the ADDMEM operand.
That is, Note 3 from GENERICOWNER (above) does not apply to ENHANCEDGENERICOWNER.
The ENHANCEDGENERICOWNER option works with all classes except DATASET, RVARSMBR/RACFVARS, SECLMBR/SECLABEL, PMBR/PROGRAM, GMBR/GLOBAL, SCDMBR/SECDATA, VMBR/VMEVENT, VXMBR/VMXEVENT and NODMBR/NODES.
- NOGENERICOWNER
- Cancels the restriction on the creation
of profiles for general resources.
NOGENERICOWNER is in effect when RACF is using a newly initialized database.
- GENLIST | NOGENLIST
-
- GENLIST(class-name ...)
- Also see RACLIST operand.
Activates the sharing of in-storage generic profiles for the classes specified. When GENLIST is active for a class, the generic profiles for that class are loaded into common storage (ECSA) instead of being resident in the private storage (ELSQA) of each user who references the class. Before activating GENLIST for a class, you should check with your system programmer to determine if your system is configured with enough ECSA to contain the profiles.
The z/OS Security Server RACF System Programmer's Guide contains information about the amount of virtual storage required for generic profiles, and other considerations about when to use RACLIST or GENLIST. Generally, when you do not share the RACF database with RACF on a VM system, RACLIST provides the best performance with the lowest usage of common storage.
The following classes supplied by IBM can be used with GENLIST: APPL, CPSMOBJ, DASDVOL, DCEUUIDS, DSNR, FACILITY, FIELD, ILMADMIN, INFOMAN, JESJOBS, KEYSMSTR, LOGSTRM, PRINTSRV, RACFEVNT, RRSFDATA, SDSF, TERMINAL, TMEADMIN, VMBATCH, VMCMD, VMDEV, VMLAN, VMMDISK, VMNODE, VMRDR, VMSEGMT, and XFACILIT.
When you activate GENLIST processing for a class, a generic profile in that class is copied from the RACF database into common storage the first time an authorized user requests access to a resource protected by the profile. The profile is retained in common storage and is available for all authorized users, thus saving real storage because the need to retain multiple copies of the same profile (one copy for each requesting user) in common storage is eliminated. Also, because RACF does not have to retrieve the profile each time a user requests access to a resource protected by it, this function saves processing overhead.
If you want to refresh shared in-storage generic profiles for a specific resource class, issue the SETROPTS command with the GENERIC(class-name) and REFRESH operands.
Note: RACF does not allow you to specify SETROPTS GENLIST and SETROPTS RACLIST for the same general resource class. For information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- NOGENLIST(class-name ...)
- Also
see NORACLIST operand.
Deactivates the sharing of in-storage generic profiles for the classes specified. Deactivate this function for general resource classes defined in the class descriptor table that are eligible for GENLIST processing. These classes are listed under the description for GENLIST.
When you specify NOGENLIST, RACF deletes in-storage generic profiles for the specified classes from common storage.
NOGENLIST is in effect for all classes defined in the class descriptor table when RACF is using a newly initialized database.
For information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- GLOBAL | NOGLOBAL
-
- GLOBAL(class-name ... | *)
- Specifies those classes eligible for global access checking. If you specify an asterisk (*), you activate global access checking for all valid classes. Valid classes you may specify are:
- The DATASET class
- The NODES grouping class
- The SECLABEL grouping class
- All other classes defined in the class descriptor table, except for the remaining grouping classes.
If you specify GLOBAL with REFRESH, only those currently active and authorized classes are refreshed. If you have deleted the GLOBAL profile for a class, you should issue the SETROPTS command with the NOGLOBAL operand specified, rather than GLOBAL with REFRESH specified.
Note:
- If you activate global access checking for a class using SETROPTS GLOBAL, RACF activates global access checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except the excluded grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you activate global access checking for TIMS, you also activate it for AIMS. However, you cannot activate this option for GIMS because GIMS is a grouping class. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- If RACF is enabled for sysplex communication, it propagates the SETROPTS GLOBAL and SETROPTS GLOBAL REFRESH commands to other systems in the sysplex if the command is successful on the system on which it was entered. If RACF is not enabled for sysplex communication, the command has to be issued on each system sharing the database.
- Global access checking is bypassed if the user ID has the RESTRICTED attribute.
- NOGLOBAL(class-name ... | *)
- Deactivates global access checking for the specified classes. For more information on valid classes that are processed by the NOGLOBAL operand, see the GLOBAL operand description.
NOGLOBAL(*) is in effect when RACF is using a newly initialized database. Note: If you deactivate global access checking for a class using SETROPTS NOGLOBAL, RACF deactivates global access checking for all classes in the class descriptor table that have the same POSIT value as the class you specify, except for the excluded grouping classes. For example, the resource classes TIMS and AIMS and the grouping class GIMS all have a POSIT value of 4 in their respective class descriptor table entries. If you deactivate global access checking for TIMS, you also deactivate it for AIMS. However, GIMS is unaffected because it is a grouping class. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- GRPLIST | NOGRPLIST
-
- GRPLIST
- Specifies that authorization checking processing is to perform list-of-groups access checking for all system users. When you specify GRPLIST, a user's authority to access or define a resource is not based only on the authority of the user's current connect group; access is based on the authority of any group to which the user is connected.
- NOGRPLIST
- Specifies
that the user's authority to access a resource is based on the authority
of the user's current connect group.
NOGRPLIST is in effect when RACF is using a newly initialized database.
- INACTIVE | NOINACTIVE
-
- INACTIVE(unused-userid-interval)
- Specifies the number of days (1 - 255) that a user ID can remain unused and
still be considered valid. RACF user verification checks the
number of days since the last successful time the user accessed the system against the INACTIVE
value and, if the former is larger, revokes the user's right to use the system. INACTIVE does not apply to Protected user IDs. Protected user IDs are protected from being revoked
through inactivity. If you specify INACTIVE, INITSTATS must be in effect.
If the backup database is needed but does not contain current information, some user IDs can be revoked because they appear to have been unused beyond the number of days specified on the INACTIVE operand. For more information, see z/OS Security Server RACF System Programmer's Guide.
- NOINACTIVE
- Specifies
that RACF user verification
is not to check user IDs against an unused-userid-interval.
NOINACTIVE is in effect when RACF is using a newly initialized database.
- INITSTATS | NOINITSTATS
-
- INITSTATS
- Specifies that statistics available
during RACF user verification are to be recorded. These
statistics include the date and time the user was verified by RACF, the number of user verifications that specified a particular group, and the date and
time of the user last requested verification with a particular group. If you specify INACTIVE,
REVOKE, or WARNING, INITSTATS must be in effect.
For applications that specify the APPL operand on the RACROUTE REQUEST=VERIFY macro, you can define a profile in the APPL class to specify that the application needs only daily statistics recorded for its users. To do this, specify the
RACF-INITSTATS(DAILY)
string in the APPLDATA field. For more information about statistics collection, see z/OS Security Server RACF Security Administrator's Guide.INITSTATS is in effect when RACF is using a newly initialized database.
- NOINITSTATS
- Specifies that statistics available during user verification are not to be recorded.
- JES
- Controls job entry subsystem (JES)
options. The JES options are:
- BATCHALLRACF | NOBATCHALLRACF
-
- BATCHALLRACF
- Specifies that JES is to test for the presence of a user ID and password on the job statement or for propagated RACF identification information for all batch jobs. If the test fails, JES is to fail the job.
- NOBATCHALLRACF
- Specifies that JES is not to test for the presence of a user ID
and a password on the statement, or propagated RACF identification information for all batch
jobs.
NOBATCHALLRACF is in effect when RACF is using a newly initialized database.
- EARLYVERIFY | NOEARLYVERIFY
- This setting is ignored.
- XBMALLRACF | NOXBMALLRACF
-
- XBMALLRACF
- Specifies that JES is to test for the presence of either a user
ID and password on the JOB statement, or JES-propagated RACF identification information for all jobs
to be run with an execution batch monitor. If the test fails, JES
is to fail the job.
XBMALLRACF is only used on JES2.
- NOXBMALLRACF
- Specifies that JES is not to test for the presence of either a
user ID and password on the JOB statement, or JES-propagated RACF identification information
for all jobs to be run with an execution batch monitor.
NOXBMALLRACF is in effect when RACF is using a newly initialized database.
- NJEUSERID(userid)
- Defines the name (user ID) associated with SYSOUT or jobs that arrive through the network without an RTOKEN or UTOKEN. The initial user ID (default user ID) after RACF data set initialization is ???????? (eight question marks). Note: The variable userid cannot be a user ID defined in the RACF database. For more information, see the section on providing security for JES in z/OS Security Server RACF Security Administrator's Guide.
- UNDEFINEDUSER(userid)
- Defines the name (user ID) that is associated with local jobs that enter the system without a user ID. The initial user ID (default user ID) after RACF data set initialization is ++++++++ (eight plus signs). Note: The variable userid cannot be a user ID defined in the RACF database. For more information, see the section on providing security for JES in z/OS Security Server RACF Security Administrator's Guide.
- KERBLVL
- Specifies what
level of key encryption processing should occur when a KERB segment is being processed for user and
realm profiles. Beginning with z/OS
Version 1 Release 9, the KERBLVL setting is ignored.
See z/OS Integrated Security Services Network Authentication Service Administration for information about how z/OS Network Authentication Service uses keys and how to customize environment variables related to keys.
- LANGUAGE
- Specifies the system-wide defaults for national languages (such
as American English or Japanese) to be used on your system. You can
specify a primary language, a secondary language, or both. The languages
you specify depend on which products, when installed on your system,
check for primary and secondary languages (using RACROUTE REQUEST=EXTRACT).
- If this user establishes an extended MCS console session, the languages you specify should be the same as the languages specified on the LANGUAGE LANGCODE statements in the MMSLSTxx PARMLIB member. See your MVS system programmer for this information.
- If this is a CICS® user, see your CICS administrator for the languages supported by CICS on your system.
- PRIMARY(language)
- Specifies the installation's default primary language.
The variable language can be a quoted or unquoted string.
If the PRIMARY suboperand is not specified, the primary language is not changed.
- SECONDARY(language)
- Specifies the installation's default secondary language.
The language name can be a quoted or unquoted string.
If the SECONDARY suboperand is not specified, the secondary language is not changed.
Note:
- For both the PRIMARY and SECONDARY suboperands, specify the installation-defined name of a currently active language (a maximum of 24 characters) or one of the language codes (3 characters in length) that is installed on your system. For a list of valid codes, see National Language Design Guide, Volume 2, National Language Support Reference Manual, SE09-8002.
- If the MVS message service is not active, the PRIMARY and SECONDARY values must be a 3-character language code.
- The same language can be specified for both PRIMARY and SECONDARY.
- RACF is shipped with both the primary and secondary language defaults set to ENU, meaning United States English.
- LIST
- Specifies that the current RACF options are to be displayed.
If you specify operands in addition to LIST on the SETROPTS command, RACF processes the other operands
before it displays the current set of options.
If RACF is enabled for sysplex communication and the system is in read-only mode, users on that system can issue the SETROPTS LIST command. All other operands are ignored.
You must have the SPECIAL, AUDITOR, ROAUDIT, group-SPECIAL, or group-AUDITOR attribute to enter the LIST operand.
If you have the SPECIAL or group-SPECIAL attribute, RACF displays all operands except these auditing operands:
- APPLAUDIT | NOAPPLAUDIT
- AUDIT | NOAUDIT
- CMDVIOL | NOCMDVIOL
- LOGOPTIONS
- OPERAUDIT | NOOPERAUDIT
- ROAUDIT | NOROAUDIT
- SAUDIT | NOSAUDIT
- SECLABELAUDIT | NOSECLABELAUDIT.
If you have the AUDITOR, ROAUDIT, or the group-AUDITOR attribute, RACF displays all operands.
Notes:
- SETROPTS LIST with no other keywords specified is not eligible for automatic command direction. Do not specify the ONLYAT and LIST keywords together without any other keywords on a SETROPTS command.
- To ensure that SETROPTS LIST shows the most current information, SETROPTS LIST reads information from the RACF database and may write to the RACF database.
- LOGOPTIONS (auditing-level (class-name ...) ...)
- Audits access attempts to resources in specified classes according to the auditing level
specified. You must have the AUDITOR attribute. You can specify the DATASET class and any classes in
the class descriptor table. The resources need not have profiles created in order for auditing to
occur. See z/OS Security Server RACF Auditor's Guide for more information on when auditing occurs. The SUCCESSES and FAILURES operands result in auditing in addition to any auditing specified in profiles in the class. In contrast, the ALWAYS and NEVER operands override any auditing specified in profiles in the class. Note that LOG=NONE, specified on a RACROUTE REQUEST=AUTH, takes precedence (auditing is not performed).
- auditing-level
- Specifies the access attempts to be logged for class-name. These
options are processed in the following order. Thus, if class-name is
specified with both SUCCESSES and ALWAYS in the same command, auditing takes place at the SUCCESSES
level because option SUCCESSES is processed after ALWAYS.
- ALWAYS
- All access attempts to resources protected by the class are audited.
- NEVER
- No access attempts to resources protected by the class are audited. (All auditing is suppressed.)
- SUCCESSES
- All successful access attempts to resources protected by the class are audited.
- FAILURES
- All failed access attempts to resources protected by the class are audited.
- DEFAULT
- Auditing is controlled by the profile protecting the resource, if a profile exists. You can specify DEFAULT for all classes by specifying an asterisk (*) with DEFAULT.
LOGOPTIONS(DEFAULT) is in effect when RACF is using a newly initialized database.
- class-name
- The RACF class to which auditing-level applies. The class-name value can be DATASET and any classes in the class descriptor table. Each class can have only one auditing level associated with it. The auditing levels are processed in the following order: ALWAYS, NEVER, SUCCESSES, FAILURES, DEFAULT.
This processing order occurs independently of the order in which you specify the auditing levels. If you specify two or more auditing levels for a class in the same command, only the last option processed takes effect. Thus, if you specify the following command:
SETR LOGOPTIONS (FAILURES (DATASET,SECLABEL), ALWAYS (DATASET, APPL), DEFAULT (DATASET, GLOBAL))
the options in effect for the classes are:
- ALWAYS for the APPL class
- FAILURES for the SECLABEL class
- DEFAULT for the DATASET and GLOBAL classes
If you specify one auditing-level for class-name and in a separate command specify a new auditing level for the same class name, the new auditing-level takes effect.
SETROPTS LOGOPTIONS(DEFAULT(*)) is in effect when RACF is using a newly initialized database. For information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
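A Python model of the precedence rule just described, added here as an example (it is not RACF code): it parses the operand text of a LOGOPTIONS command, applies the five levels in the fixed processing order so that the level processed last wins, and, using the distinction drawn in the LOGOPTIONS description above (SUCCESSES and FAILURES add to profile auditing, ALWAYS and NEVER override it, LOG=NONE on the RACROUTE request takes precedence), reports whether a given access attempt would be logged. The parser and function names are my own, and treating DEFAULT(*) as resetting every class named so far is an assumption.

```python
"""Model of SETROPTS LOGOPTIONS precedence (added example, not RACF code)."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Fixed processing order stated in the SETROPTS documentation. Levels are
# applied in this sequence regardless of how they are ordered on the command,
# so when a class is named under several levels the one processed last wins.
PROCESSING_ORDER = ("ALWAYS", "NEVER", "SUCCESSES", "FAILURES", "DEFAULT")


def parse_logoptions(spec: str) -> List[Tuple[str, List[str]]]:
    """Parse the text between LOGOPTIONS( and its closing ) into
    (level, [class, ...]) pairs, tolerating the loose spacing seen on the page,
    e.g. 'FAILURES (DATASET,SECLABEL), ALWAYS (DATASET, APPL)'."""
    pairs: List[Tuple[str, List[str]]] = []
    i, n = 0, len(spec)
    while i < n:
        while i < n and spec[i] in " ,":      # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and spec[i] not in " (":  # the auditing-level keyword
            i += 1
        level = spec[start:i].upper()
        if level not in PROCESSING_ORDER:
            raise ValueError(f"unknown auditing level {level!r}")
        while i < n and spec[i] == " ":
            i += 1
        if i >= n or spec[i] != "(":
            raise ValueError(f"expected '(' after {level}")
        close = spec.find(")", i)
        if close < 0:
            raise ValueError(f"unbalanced parentheses after {level}")
        classes = [c.strip().upper() for c in spec[i + 1:close].split(",") if c.strip()]
        pairs.append((level, classes))
        i = close + 1
    return pairs


def resolve_logoptions(pairs: List[Tuple[str, List[str]]],
                       current: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return the per-class auditing level in effect after one command.

    `current` is the state left by earlier commands; a later command simply
    replaces the level of any class it names. DEFAULT(*) is modeled as
    setting every class seen so far back to DEFAULT (an assumption: the page
    only says * may be used with DEFAULT to apply it to all classes).
    """
    effective: Dict[str, str] = dict(current or {})
    for level in PROCESSING_ORDER:          # fixed order, not command order
        for spec_level, classes in pairs:
            if spec_level != level:
                continue
            for cls in classes:
                if cls == "*":
                    if level != "DEFAULT":
                        raise ValueError("* is documented only with DEFAULT")
                    effective = {k: "DEFAULT" for k in effective}
                else:
                    effective[cls] = level
    return effective


def is_logged(class_level: str, profile_audit: FrozenSet[str], outcome: str,
              log_none: bool = False) -> bool:
    """Decide whether one access attempt is audited.

    profile_audit holds the outcomes ('SUCCESS', 'FAILURE') that the resource
    profile itself audits. SUCCESSES/FAILURES add to that; ALWAYS/NEVER
    override it; DEFAULT defers to it. LOG=NONE on the RACROUTE request
    (log_none) takes precedence over everything, as the page states.
    """
    if log_none:
        return False
    if class_level == "ALWAYS":
        return True
    if class_level == "NEVER":
        return False
    if class_level == "SUCCESSES":
        return outcome == "SUCCESS" or outcome in profile_audit
    if class_level == "FAILURES":
        return outcome == "FAILURE" or outcome in profile_audit
    return outcome in profile_audit        # DEFAULT


if __name__ == "__main__":
    # The page's own example command, as the text inside LOGOPTIONS( ... ).
    cmd = "FAILURES (DATASET,SECLABEL), ALWAYS (DATASET, APPL), DEFAULT (DATASET, GLOBAL)"
    print(resolve_logoptions(parse_logoptions(cmd)))
```

Running it on the page's example yields ALWAYS for APPL, FAILURES for SECLABEL and DEFAULT for DATASET and GLOBAL, matching the list above; note that DATASET ends up at DEFAULT even though ALWAYS and FAILURES were written first, which is the trap the processing-order rule describes.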
- MLACTIVE | NOMLACTIVE
- For the relationships among the SECLABEL class and the MLS, MLACTIVE, MLNAMES, MLQUIET, and
SECLBYSYSTEM options, see z/OS Security Server RACF Security Administrator's Guide.
- MLACTIVE (FAILURES | WARNING)
- Causes security labels to be required on all work entering the system and on all resources
defined to USER, DATASET, and all classes defined in the class descriptor table that require
security labels. Rules:
- This option is available only if the SECLABEL class is active. Activation of MLACTIVE will fail if the SECLABEL class is not active or being activated by the command activating MLACTIVE.
- With MLACTIVE, user tasks running in a server address space must have a security label that is equivalent to the address space's security label.
Data set and general resource profiles in WARNING mode: A user or task can access a resource that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access. (A data set or general resource is in WARNING mode when you define or modify the profile that protects it and you specify the WARNING operand.)
- FAILURES
- Specifies that RACF is to reject any request to create or
access any resource that requires a security label in the profile that protects it, and does not
have one, and to reject any work entering the system that does not have a security label.
The only exception is if MLS(FAILURES) and MLACTIVE(FAILURES) are in effect, and a privileged started task or a user with the SPECIAL attribute and the SYSHIGH SECLABEL attempts to access a resource that requires a security label and does not have one. In this case, RACF allows the request as long as the request does not declassify data.
- WARNING
- Specifies that when a user requests access to a resource that does not have a security label and
the resource belongs to a class that requires security labels, access is allowed but a warning is
issued. Also, when work enters the system without a security label, access is allowed but a warning
is issued.
MLACTIVE(WARNING) is the default value.
- NOMLACTIVE
- Allows work to enter the system without a security label and allows requests to access a
resource that does not have a security label and the resource belongs to a class that requires
security labels.
NOMLACTIVE is in effect when RACF is using a newly initialized database.
- MLFSOBJ
-
- MLFSOBJ (ACTIVE | INACTIVE )
-
- ACTIVE
- Specifies that security labels are required for files and directories.
When the SECLABEL class is active, and MLFSOBJ is active, access to
files and directories without security labels is denied except by
trusted or privileged started tasks. This option cannot be activated
if the SECLABEL class is not active.
If you do not specify ACTIVE or INACTIVE, MLFSOBJ(ACTIVE) is the default.
- INACTIVE
- Specifies that security labels are not required for files and
directories.
INACTIVE is in effect when RACF is using a newly initialized database.
- MLIPCOBJ
-
- MLIPCOBJ (ACTIVE | INACTIVE )
-
- ACTIVE
- Specifies that security labels are required for interprocess communication.
When the SECLABEL class is active, and MLIPCOBJ is active, access
to semaphores, message queues and shared memory without associated
security labels is denied except by trusted or privileged started
tasks. This option cannot be activated if the SECLABEL class is not
active.
If you do not specify ACTIVE or INACTIVE, MLIPCOBJ(ACTIVE) is the default.
- INACTIVE
- Specifies that security labels are not required for interprocess
communication.
INACTIVE is in effect when RACF is using a newly initialized database.
- MLNAMES | NOMLNAMES
-
- MLNAMES
- Specifies that users are restricted to viewing only the names of files and directories that could be read from their current security label, and to viewing data set names that they have access to from their current security label. When MLNAMES is active, users listing catalogs or directories will not see names of resources that they cannot currently access.
- NOMLNAMES
- Specifies that users are not restricted to viewing only the names
of files and directories that they cannot currently access.
If you do not specify MLNAMES or NOMLNAMES, NOMLNAMES is the default.
NOMLNAMES is in effect when RACF is using a newly initialized database.
- MLQUIET | NOMLQUIET
- For the relationships among SECLABEL, MLS, MLACTIVE, and MLQUIET, see z/OS Security Server RACF Security Administrator's Guide.
- MLQUIET
- Allows only started tasks, console operators, or users with the SPECIAL attribute to log on,
start new jobs, or access resources. Actions requiring user verification, resource access checking,
or resource definition are available only to the security administrator (SPECIAL user), a trusted
computer base job (as indicated in the token), or the console operator.
When this option is enabled, the system is in a tranquil state.
- NOMLQUIET
- Allows all users access to the system.
NOMLQUIET is in effect when RACF is using a newly initialized database.
- MLS | NOMLS
- For the relationships among SECLABEL, MLS, MLACTIVE, and MLQUIET, see z/OS Security Server RACF Security Administrator's Guide.
- MLS (FAILURES | WARNING)
- Prevents a user from declassifying data. In order to copy data, the security label of the target
must encompass the security label of the source. Rules:
- This option is available only if the SECLABEL class is active.
- Activation of MLS will fail if the SECLABEL class is not active or being activated by the command activating MLS.
- FAILURES
- Specifies that RACF is to reject any request to declassify data.
- WARNING
- Specifies that when a user attempts to declassify data, RACF is to allow the request but issue warning messages to the user and the security
administrator.
MLS(WARNING) is the default value if you do not specify either FAILURES or WARNING.
- NOMLS
- Allows users to declassify data within the same CATEGORY.
NOMLS is in effect when RACF is using a newly initialized database.
- MLSTABLE | NOMLSTABLE
- MLSTABLE
- Allows the installation to indicate that no one on the system is allowed to alter the security label of an object or alter the definition of the security label, unless MLQUIET is in effect.
- NOMLSTABLE
- Allows the alteration of security label definitions or the security
labels within a profile without requiring MLQUIET to be in effect.
NOMLSTABLE is in effect when RACF is using a newly initialized database.
- MODEL | NOMODEL
- MODEL
- Specifies, through the
following suboperands, the model profile processing options. For information about automatic profile
modeling, refer to the z/OS Security Server RACF Security Administrator's Guide.
- GDG | NOGDG
- Specifies that RACF should attempt
to protect RACF-indicated members of a generation data group (GDG) using a base profile with the
same name as the GDG data set base name. If a base profile exists for a particular RACF-indicated
member, then RACF uses the base profile when determining
whether the user can access or create the member. Otherwise, RACF uses, or creates, an individual profile for the model. MODEL(GDG) has no effect on GDG
members that are protected by generic profiles.
NOGDG specifies that GDG members should not be treated specially by RACF; they are processed as any other data set would be.
- GROUP | NOGROUP
- Specifies
that when creating a new profile for a group-named data set, RACF should check whether a model profile is specified in the group profile. If so, that model
profile should be used to complete the definition of the new data set profile.
NOGROUP specifies that RACF should not use model profiles to complete the definition of new group-named data sets.
- USER | NOUSER
- Specifies that when creating a new profile for all user ID-named data
sets, RACF should check whether a model profile is specified
in the user profile. If so, that model profile should be used to complete the definition of the new
data set profile.
NOUSER specifies that RACF should not use model profiles to complete the definition of new user ID-named data sets.
- NOMODEL
- Specifies
that there is no model profile processing for GDG, GROUP, or USER
data sets.
NOMODEL is in effect when RACF is using a newly initialized database.
- OPERAUDIT | NOOPERAUDIT
- Specifies whether RACF is
to log all actions allowed only because a user has the OPERATIONS
(or group-OPERATIONS) attribute. You must have the AUDITOR attribute
to enter these operands.
- OPERAUDIT
- Specifies that RACF is to log all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group-OPERATIONS attribute.
- NOOPERAUDIT
- Specifies
that RACF is not to log the
actions allowed only because a user has the OPERATIONS or group-OPERATIONS
attribute.
NOOPERAUDIT is in effect when RACF is using a newly initialized database.
- PASSWORD (suboperands)
- Specifies options to monitor
and check passwords and password phrases:
- ALGORITHM(KDFAES) | NOALGORITHM
- ALGORITHM(KDFAES)
- Indicates that RACF should
start using the KDFAES algorithm to encrypt user passwords and password
phrases. After enablement, the existing algorithm continues to be
used to evaluate a user's password or password phrase until the user's
password or password phrase is changed. The first time a user's password
or password phrase is changed, the new algorithm is used from that
point forward.
The KDFAES algorithm is more secure than DES, but is more computationally intensive, by design.
The PWCONVERT keyword of ALTUSER can be used to convert a user's password from DES to KDFAES format without requiring the password to be changed.
If ALGORITHM is specified without a sub-operand, it is ignored.
- NOALGORITHM
- Indicates
that the legacy algorithm is used to encrypt passwords. This is the
default setting. In this case, the algorithm in effect is determined
by the ICHDEX01 exit, with DES being the default if there is no exit
installed.
If you deactivate KDFAES after some set of passwords have been encrypted using KDFAES, each password continues to be evaluated using KDFAES. When the password is changed, the legacy algorithm is used from that point forward. Any history entries that were created with KDFAES continue to be evaluated using KDFAES. The PWCONVERT keyword of ALTUSER can be used to delete KDFAES history entries, if you want, after reverting to DES.
- HISTORY | NOHISTORY
- HISTORY(number-of-previous-values)
- Specifies the number (1 - 32) of
previous passwords and password phrases that RACF saves for each user and compares with each
new intended value. When RACF finds
a match with a previous value, or with the current password or password
phrase, RACF rejects the new
intended value.
For passwords, RACF stores only previous passwords in each user's history. For password phrases, RACF saves the user's current password phrase in addition to the user's previous password phrases. Therefore, for password phrases, RACF saves one fewer previous value than the number you specify for history.
For example, if you specify 12 for your HISTORY number, RACF saves up to 12 previous passwords and up to 11 previous password phrases for each user:
SETROPTS PASSWORD(HISTORY(12))
If you increase the HISTORY number, RACF saves and compares that number of passwords and password phrases to the new intended value. If you subsequently reduce the HISTORY number, any previous passwords and password phrases stored in the user profile in excess of the newly specified HISTORY number are not deleted and continue to be used for comparison.
For example, if you specify 12 for your HISTORY number and subsequently reduce it to 8, RACF compares the old passwords and password phrases 9 - 12 with the new intended value.
Attention: You should use ALTUSER PWCLEAN to clean up history entries for all users any time you change the HISTORY value.
- NOHISTORY
- Specifies
that new password and password phrase values are only compared with
the current password or password phrase. If prior history information
exists in the user profile, it is neither deleted nor changed. ALTUSER PWCLEAN can be used to delete history from USER
profiles when NOHISTORY is in effect.
NOHISTORY is in effect when RACF is using a newly initialized database.
- INTERVAL(maximum-change-interval)
- Specifies the maximum number of days during which a
user's password and password phrase (if set) remain valid; the value must be 1 to 254 days. The date
of the password change counts as the first day. For example, if the maximum-change-interval is 90,
the password expires at midnight local time the morning of the 90th day following the
change. RACF uses the value you specify for maximum-change-interval as both:
- The default value for new users defined to RACF through the ADDUSER command.
- The upper limit for users who specify the INTERVAL operand on the PASSWORD command.
The initial default at RACF initialization is 30 days. The maximum change interval cannot be less than the minimum change interval set with the MINCHANGE keyword.
- MINCHANGE(minimum-change-interval)
- Specifies the number of days that
must pass between a user's password and password phrase changes. Acceptable
values are 0 - 254
(days), providing the number of days between changes does not exceed
the maximum change interval specified by the INTERVAL keyword. For
example, if you specify 5 for your MINCHANGE number, users cannot
change their passwords more than once in 5 days, nor can they change
their password phrases (if assigned) more than once in 5 days.
The initial default is 0 days, allowing users to change their passwords and password phrases more than once on the same day.
Users cannot change their own passwords and password phrases within the minimum change interval. However, you can use the ALTUSER command to change another user's password within the minimum change interval if you have at least one of the following authorities:
- You have the SPECIAL attribute.
- The user is within the scope of a group in which you have the group-SPECIAL attribute.
- You are the owner of the user's profile.
- You have at least CONTROL authority to the IRR.PASSWORD.RESET resource in the FACILITY class, and the other user does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
- You have at least CONTROL access to an appropriate resource in the FACILITY class
(IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner), and both of the
following conditions are also true:
- The other user does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
- You are not excluded from altering the user by the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class.
- MIXEDCASE | NOMIXEDCASE
- MIXEDCASE
- Indicates that all applications on this system and those that share the RACF database support mixed-case and lowercase passwords. The syntax rules
must be modified to allow mixed-case and lowercase characters. (See RULEn | NORULEn | NORULES for more information.) When this option is activated, the RACF ALTUSER, ADDUSER, PASSWORD and RACLINK commands do not
translate passwords to uppercase, nor do applications that provide mixed-case password support, such
as TSO/E and z/OS®
UNIX Systems Services. This option is inactive by default.
If you are propagating passwords with RRSF, see RRSF considerations for mixed-case passwords in z/OS Security Server RACF Security Administrator's Guide.
Important: The MIXEDCASE option is intended to be activated - after evaluating and updating applications and implementing appropriate password syntax rules - and never deactivated. Deactivate it only if problems are encountered. If you deactivate MIXEDCASE after it was active, any users who changed their passwords to mixed-case or lowercase (when MIXEDCASE was active) will no longer be able to enter the system until an authorized user resets their passwords to uppercase. If you subsequently reactivate MIXEDCASE, the same users must enter their passwords in upper case.
- NOMIXEDCASE
- Indicates that mixed-case and lowercase
passwords are not supported. This is the default setting.
Important: If you issue SETR NOMIXEDCASE after MIXEDCASE was active, any users who changed their passwords to mixed-case or lowercase (when MIXEDCASE was active) can no longer enter the system until an authorized user resets their passwords to uppercase. See the important note for the MIXEDCASE operand.
- REVOKE | NOREVOKE
- REVOKE(number-of-unsuccessful-attempts)
- Specifies
the number of consecutive unsuccessful attempts (1 - 255) to
access the system (using an incorrect password or password phrase)
before RACF revokes the user
ID on the next unsuccessful attempt. If you specify REVOKE, INITSTATS
must be in effect.
The REVOKE number you specify applies to the combination of incorrect passwords and password phrases RACF allows. For example, if you specify 5 as your REVOKE number, a user will be revoked upon three consecutive incorrect passwords followed by three consecutive incorrect password phrases.
- NOREVOKE
- Specifies that RACF ignores the number of consecutive unsuccessful attempts to access the system using an incorrect password or password phrase.
- RULEn | NORULEn | NORULES
- Tip: You might find the ISPF panels easier to use for entering password rules.
- RULEn(LENGTH(m1:m2) content-keyword(position))
- Specifies an individual syntax rule for new passwords that users specify at logon, on JCL job cards, or on the PASSWORD command. Also applies to passwords specified on the ALTUSER commands that have the NOEXPIRED operand. Eight syntax rules are allowed. Therefore, for the RULEn suboperand, the value of n is 1 - 8.
These syntax rules do not apply to:
- Password phrases
- Logon passwords that are currently in effect for a user
- Logon passwords specified on the ADDUSER command
- Logon passwords specified on the ALTUSER command with the PASSWORD operand and with the EXPIRED operand either specified or defaulted
If multiple rules are defined, a password that passes at least one rule is accepted.
Restriction: Changes to password syntax rules will not force users to immediately change their passwords. RACF does not apply new password rules to users until users change their passwords - either voluntarily or at password expiration.
- LENGTH(m1:m2)
- Specifies the minimum and maximum password lengths to which this particular rule applies (m2 must be greater than or equal to m1). Because RACF allows passwords no longer than 8 alphanumeric characters, the value for m2 must be less than or equal to 8. If you omit the m2 value, the rule applies to a password of one length only.
- content-keyword(position)
- Specifies the syntax rules for the positions indicated by the LENGTH suboperand. Rules specifying mixed-case characters other than MIXEDALL should only be set when the
MIXEDCASE option is in effect. New passwords will not match these rules when mixed-case
passwords are not supported, either because the MIXEDCASE option is not in effect or because an
application is used that does not support mixed-case passwords. The possible values for
content-keyword are:
- ALPHA
- Includes uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
- ALPHANUM
- Includes the ALPHA characters (uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')) and NUMERIC characters.
If the password syntax rule requires only one ALPHANUM character, passwords must contain either one ALPHA character or one NUMERIC character.
If the password syntax rule requires two or more ALPHANUM characters, passwords must contain at least one ALPHA character and at least one NUMERIC character in the specified ALPHANUM positions.
- VOWEL
- Includes the uppercase vowel characters, namely A, E, I, O, and U
- NOVOWEL
- Includes characters that are not vowels, such as
- Uppercase alphabetic characters that are consonants, not vowels
- National and special characters
- Numeric characters
- CONSONANT
- Includes uppercase non-vowel characters
- NUMERIC
- Includes numeric characters
- NATIONAL
- Includes the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
- MIXEDALL
- Includes all allowable password characters separated into the following categories. There are
either three or four "active" categories, depending on whether SETROPTS PASSWORD(MIXEDCASE) is
enabled.
- The national characters, and special characters if SETROPTS PASSWORD(SPECIALCHARS) is in effect
- Numeric characters
- Uppercase alphabetic characters (not including the national characters)
- Lowercase alphabetic characters, if SETROPTS PASSWORD(MIXEDCASE) is in effect.
- When one MIXEDALL position is specified, any character from any active category may be specified in that position. This is equivalent to not specifying a content-keyword in this position.
- When two MIXEDALL positions are specified, two characters from any two different active categories must be specified in the designated positions.
- When three MIXEDALL positions are specified, three characters from any three different active categories must be specified in the designated positions.
- When four or more MIXEDALL positions are specified, and SETROPTS PASSWORD(MIXEDCASE) is enabled, then at least one of every category must be specified anywhere across the designated positions. If MIXEDCASE is not enabled, then there is no change in behavior from having three MIXEDALL positions, other than in the number of positions over which the three active categories may be spread.
- MIXEDCONSONANT
- Includes uppercase and lowercase non-vowel characters
- MIXEDVOWEL
- Includes the uppercase and lowercase vowel characters A, E, I, O, U, and a, e, i, o, u
- MIXEDNUM
- Includes all characters of the following three types of MIXEDNUM characters:
- ALPHA characters - includes uppercase alphabetic characters and the national characters # (X'7B'), $ (X'5B'), and @ (X'7C')
- Lowercase alphabetic characters
- NUMERIC characters.
If the password syntax rule requires only one MIXEDNUM character, passwords must contain at least one character of any one of the three MIXEDNUM character types.
If the password syntax rule requires two MIXEDNUM characters, passwords must contain two characters of different MIXEDNUM character types, in one of the following valid combinations:
- An ALPHA character and a lowercase alphabetic character
- An ALPHA character and a NUMERIC character
- A lowercase alphabetic character and a NUMERIC character.
If the password syntax rule requires three or more MIXEDNUM characters, passwords must contain three or more MIXEDNUM characters including at least one character of each MIXEDNUM character type in the specified MIXEDNUM positions.
- SPECIAL
- Includes the special characters documented under SETROPTS PASSWORD(SPECIALCHARS) as well as the national characters # (X'7B'), $ (X'5B'), and @ (X'7C').
If the values in the content-keywords do not define every position specified by the LENGTH value, the undefined positions can consist of any combination of alphanumeric characters.
Each content-keyword is followed by a position (in the form of k, not greater than 8), a list of positions (in the form of k1,k2,k3... in any order), or a range (in the form of k4:k5, where k5 must be greater than or equal to k4).
- Example:
RULE1(LENGTH(8) CONSONANT(1,3,5:8) NUMERIC(2,4))
- Result:
Syntax RULE1 applies to passwords eight characters in length with consonants in positions 1, 3, 5, 6, 7, and 8 and numbers in positions 2 and 4. The password B2D2GGDD obeys RULE1, and C3PIBOLO does not.
- Example:
RULE2(LENGTH(6) NATIONAL(3) MIXEDNUM(4:6))
- Result:
Syntax RULE2 applies to passwords 6 characters in length with a national character in position 3 and requires an uppercase alphabetic, a lowercase alphabetic, and a numeric in positions 4, 5, and 6. The password AB@1tD obeys RULE2.
- NORULEn
- Specifies that RACF is to delete the particular rule identified by n.
- NORULES
- Specifies that RACF is to delete all password
syntax rules established by the installation.
NORULES is in effect when RACF is using a newly initialized database.
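A checker for the RULEn semantics described above (LENGTH ranges, positional content keywords, the ALPHANUM, MIXEDNUM and MIXEDALL combination rules, and acceptance when any one rule passes), written here as an added Python example; it is not IBM code and is not how RACF itself is implemented. The one-string rule grammar it parses, the SPECIAL character set, and the treatment of rule positions beyond the password length as ignored are assumptions; the page's RULE1 and RULE2 examples are used as inputs.

```python
import re
import string

NATIONAL = set("#$@")                 # X'7B', X'5B', X'7C'
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
VOWELS = set("AEIOUaeiou")
# Assumed set for PASSWORD(SPECIALCHARS); the Security Administrator's Guide is authoritative.
SPECIAL = set(".<+|&!*-%_>?:=")

# Content keywords that are plain per-position character classes.
SIMPLE = {
    "ALPHA": UPPER | NATIONAL,
    "NUMERIC": DIGITS,
    "VOWEL": VOWELS & UPPER,
    "CONSONANT": UPPER - VOWELS,
    "NATIONAL": NATIONAL,
    "MIXEDCONSONANT": (UPPER | LOWER) - VOWELS,
    "MIXEDVOWEL": VOWELS,
    "SPECIAL": SPECIAL | NATIONAL,
}


def _positions(spec):
    """Expand a position list such as '1,3,5:8' into {1, 3, 5, 6, 7, 8}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 8:
            raise ValueError(f"bad position spec {part!r}")
        out.update(range(lo, hi + 1))
    return out


def parse_rule(text):
    """Parse 'RULEn(LENGTH(m1:m2) KEYWORD(positions) ...)' (assumed grammar)."""
    m = re.fullmatch(r"\s*RULE([1-8])\((.*)\)\s*", text)
    if not m:
        raise ValueError("expected RULEn(...)")
    length, keywords = None, {}
    for kw, arg in re.findall(r"([A-Z]+)\(([^()]*)\)", m.group(2)):
        if kw == "LENGTH":
            lo, _, hi = arg.partition(":")
            length = (int(lo), int(hi or lo))      # LENGTH(m): one length only
        elif kw in SIMPLE or kw in ("NOVOWEL", "ALPHANUM", "MIXEDNUM", "MIXEDALL"):
            keywords[kw] = _positions(arg)
        else:
            raise ValueError(f"unknown content-keyword {kw}")
    if length is None or not 1 <= length[0] <= length[1] <= 8:
        raise ValueError("LENGTH(m1:m2) is required, with 1 <= m1 <= m2 <= 8")
    return int(m.group(1)), length, keywords


def _distinct(chars, groups):
    """Count distinct groups represented in chars; -1 if a char fits none."""
    seen = set()
    for c in chars:
        hit = [i for i, g in enumerate(groups) if c in g]
        if not hit:
            return -1
        seen.add(hit[0])
    return len(seen)


def password_matches_rule(pw, rule, mixedcase=False, specialchars=False):
    """True if pw satisfies one RULEn under the given SETROPTS options."""
    _, (m1, m2), keywords = parse_rule(rule)
    if not m1 <= len(pw) <= m2:
        return False
    allowed = (UPPER | NATIONAL | DIGITS | (LOWER if mixedcase else set())
               | (SPECIAL if specialchars else set()))
    if any(c not in allowed for c in pw):   # undefined positions: any allowed char
        return False
    # MIXEDALL "active" categories: national (+special), numeric, upper, lower.
    mixedall = ([NATIONAL | (SPECIAL if specialchars else set()), DIGITS, UPPER]
                + ([LOWER] if mixedcase else []))
    mixednum = [UPPER | NATIONAL, LOWER, DIGITS]
    for kw, positions in keywords.items():
        # Assumption: rule positions beyond the password's length are ignored.
        chars = [pw[p - 1] for p in sorted(positions) if p <= len(pw)]
        if kw in SIMPLE:
            ok = all(c in SIMPLE[kw] for c in chars)
        elif kw == "NOVOWEL":
            ok = all(c in allowed - VOWELS for c in chars)
        elif kw == "ALPHANUM":   # one position: ALPHA or NUMERIC; two or more: both
            ok = _distinct(chars, [UPPER | NATIONAL, DIGITS]) >= min(len(chars), 2)
        elif kw == "MIXEDNUM":   # 1: any type; 2: two types; 3+: all three types
            ok = _distinct(chars, mixednum) >= min(len(chars), 3)
        else:                    # MIXEDALL: as many distinct categories as positions
            ok = _distinct(chars, mixedall) >= min(len(chars), len(mixedall))
        if not ok:
            return False
    return True


def password_accepted(pw, rules, mixedcase=False, specialchars=False):
    """A new password is accepted when it passes at least one defined rule."""
    return any(password_matches_rule(pw, r, mixedcase, specialchars) for r in rules)
```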
- SPECIALCHARS | NOSPECIALCHARS
- SPECIALCHARS
- Indicates that all applications on this system and those that share the RACF database support additional special characters in passwords. For more information, see Allowing special characters in passwords (PASSWORD option) in z/OS Security Server RACF Security Administrator's Guide. This option is inactive by default.
- NOSPECIALCHARS
- Indicates that special characters are not allowed in passwords. This is the default setting. If NOSPECIALCHARS is specified after users have already started using special characters in passwords, those users will still be able to log on with their existing password, but will not be able to include special characters in the new password when they change their password.
- WARNING | NOWARNING
- WARNING(days-before-password-expires)
- Specifies the number of days (1 - 255) before
a password or password phrase expires, indicating that RACF is to issue a warning message
to the TSO user or to the job log of a batch job that specified the
expiring password or password phrase.
If you specify a WARNING value that exceeds the INTERVAL value, a warning message is issued at each logon. If you do not want the warning with each logon, specify a value for WARNING that is less than the value you specify for INTERVAL. If you specify WARNING, INITSTATS must be in effect.
- NOWARNING
- Specifies that RACF is
not to issue the warning message for expiring passwords or password
phrases.
NOWARNING is in effect when RACF is using a newly initialized database.
- PREFIX | NOPREFIX
- PREFIX(prefix)
- Activates RACF protection for data sets that have single-qualifier names, and specifies the 1 - 8 character prefix to be used as the high-level qualifier in the internal form of the names. The variable prefix should be a predefined group name, and it must not be the high-level qualifier of any actual data sets in the system.
- NOPREFIX
- Deactivates RACF protection for data sets that
have single-level names.
When EGN is active and NOPREFIX is in effect, a data set can be protected with a generic profile of the form ABC.**, where ABC equals the data set name.
NOPREFIX is in effect when RACF is using a newly initialized database.
- PROTECTALL | NOPROTECTALL
- PROTECTALL(FAILURES | WARNING)
- Activates
PROTECTALL processing. When PROTECTALL processing is active, the system
automatically rejects any request to create or access a data set that
is not RACF-protected. This processing includes DASD data sets, tape
data sets, catalogs, and GDG basenames. Temporary data sets that comply
with standard MVS temporary data
set naming conventions are excluded from PROTECTALL processing.
Note that PROTECTALL requires all data sets to be RACF-protected. This includes tape data sets if your installation specifies the TAPEDSN operand on the SETROPTS command.
In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles. If your installation uses nonstandard names for temporary data sets, you must also predefine entries in the global access checking table that allow these data sets to be created and accessed.
The WARNING suboperand enables you to specify a warning message to the requestor in place of rejecting the request.
- FAILURES
- Specifies that RACF is
to reject any request to create or access a data set that is not RACF-protected.
The default value is FAILURES.
If PROTECTALL(FAILURES) is in effect and a user with the SPECIAL attribute requests access to an unprotected data set, RACF accepts the request, audits the event, and issues a PROTECTALL warning message.
If PROTECTALL(FAILURES) is in effect and a trusted started task requests access to an unprotected data set, RACF accepts the request, audits the event, and no warning message is issued.
If PROTECTALL(FAILURES) is in effect and a privileged started task requests access to an unprotected data set, RACF accepts the request, the event is not audited, and no warning message is issued.
- WARNING
- Specifies that when a user requests creation of, or access to, a data set that is not RACF-protected, RACF is to allow the request but issue warning messages to the user and the security administrator.
- NOPROTECTALL
- Specifies
that a user can create or access a data set that is not protected
by a profile.
NOPROTECTALL is in effect when RACF is using a newly initialized database.
- RACLIST | NORACLIST
- RACLIST(class-name ...)
- Activates the sharing of in-storage profiles, both generic and
discrete, for the classes specified. Also see GENLIST operand.
Activate this function to improve the performance of resource access checking for a general resource class. With the profiles for the class in storage, RACF requires no database I/O when making an access decision.
A valid class-name is any member class for which the class descriptor table allows or requires RACLIST processing. Grouping classes are not valid, except for RACFVARS and NODES. If class-name is valid, not only the specified class-name, but all classes that share the same POSIT are processed. If some classes sharing the same POSIT do not allow RACLIST processing, those classes are skipped.
Only active classes are RACLISTed. Be sure to activate each class you want to RACLIST. For example:
SETROPTS RACLIST(DIGTCERT) CLASSACT(DIGTCERT)
If REFRESH is also specified, member classes for which the class descriptor table does not allow RACLIST processing are also valid because the SETROPTS RACLIST(class-name) REFRESH command refreshes classes that were RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES or SETROPTS RACLIST. Likewise, classes for which SETROPTS GENLIST was specified are also valid.
You cannot SETROPTS RACLIST and SETROPTS GENLIST for the same general resource class.
Rule: If the following supplied classes are active, you must issue the SETROPTS RACLIST command to share them:
ACEECHK, APPCSERV, APPCTP, CRYPTOZ, CSFKEYS, CSFSERV, DEVICES, DIGTCRIT, DIGTNMAP, FIELD, FSACCESS, FSEXEC, IDIDMAP, IDTDATA, NODES, OPERCMDS, PKISERV, PROPCNTL, PSFMPL, PTKTDATA, RACFHC, RACFVARS, RDATALIB, SDSF, SECLABEL, SERVAUTH, STARTED, SYSAUTO, SYSMVIEW, UNIXPRIV, VTAMAPPL, WBEM, XCSFKEY
In-storage profiles for the following supplied classes can be optionally shared by using SETROPTS RACLIST:
ACCTNUM *, ALCSAUTH, APPCPORT, APPCSI, APPL *, CBIND, CDT *, CONSOLE, CPSMOBJ, CPSMXMP, DASDVOL, DBNFORM, DCEUUIDS, DIGTCERT *, DIGTRING, DLFCLASS, DSNR, EJBROLE, FACILITY *, FCICSFCT, HBRADMIN, HBRCMD, HBRCONN, ILMADMIN, INFOMAN, JAVA, JESINPUT, JESJOBS, JESSPOOL, KEYSMSTR, LDAP, LDAPBIND *, LFSCLASS, LOGSTRM, MFADEF, MGMTCLAS, MQCMDS, MQCONN, NETCMDS, PERFGRP *, PRINTSRV *, PTKTVAL, RACFEVNT, RAUDITX, REALM, RRSFDATA *, SERVER, SMESSAGE, SOMDOBJS, STORCLAS, SUBSYSNM, SURROGAT, TERMINAL *, TMEADMIN, TSOAUTH *, TSOPROC *, VMBATCH, VMCMD, VMDEV, VMLAN, VMNODE, VMSEGMT, WRITER, XFACILIT, ZMFAPLA, ZMFCLOUD
Important: For each class marked with an asterisk (*), you might incur performance degradation or missing function if you do not issue the SETROPTS RACLIST command when you define profiles in the class and activate it. For important details about each class, see z/OS Security Server RACF Security Administrator's Guide (for classes used for RACF functions) or the appropriate program documentation.
If you have, or are considering, authorizing a large number of users for a resource in a class that can be processed to an in-storage profile using the SETROPTS RACLIST command, you must consider the number of entries in the access list, because RACLIST processing merges profiles and the access lists of each profile. The combined number of access-list entries might cause the profile to become too large to be processed, and RACLIST processing might fail. See z/OS Security Server RACF Security Administrator's Guide for more information about limiting the size of access lists and profile sizes.
Note:
- When you activate RACLIST processing for a class, RACF copies both discrete and generic profiles for that class into a data space.
- When the RACGLIST class is active and class-name profiles have been specified in the
RACGLIST class, SETROPTS RACLIST(class-name) stores the RACLISTed results
from the data space in the RACGLIST classname_nnnnn profiles on the RACF database, enabling all systems sharing the database to access the same
level of profile information. For example, if you issue the commands:
SETR CLASSACT(RACGLIST)
RDEFINE RACGLIST TERMINAL
then either when you issue:
SETROPTS RACLIST(TERMINAL)
or at the next IPL, if the TERMINAL class was RACLISTed before the RACGLIST class was activated, RACF creates RACGLIST TERMINAL_00001, RACGLIST TERMINAL_00002, and so on, to hold the results of the SETROPTS RACLIST processing.
The profiles are available to all authorized users, thereby eliminating the need for RACF to retrieve a profile each time a user requests access to a resource protected by that profile. Thus, when you activate this function, you reduce processing overhead.
The SETROPTS RACLIST(class-name) command overrides a RACROUTE REQUEST=LIST,GLOBAL=YES request for the same class. The data space and RACGLIST classname_nnnnn profiles, if any, are refreshed by the SETROPTS RACLIST. SETROPTS LIST output will list the class in the SETR RACLIST CLASSES = line rather than the GLOBAL=YES RACLIST ONLY = line.
- If you specify RACLIST with REFRESH, RACF rebuilds the
discrete and generic profiles for the class and places them in the new data space. If the RACGLIST
class is active and contains a profile for class-name, the
classname_nnnnn profiles for the class are also rebuilt, or are created if they had not been
built previously.
SETROPTS RACLIST(class-name) REFRESH can also be used to refresh classes RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES, as well as classes that are RACLISTed by SETROPTS RACLIST. It refreshes the class, but has no effect on SETROPTS LIST output. If the class was processed solely by RACROUTE REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES, the class is listed in the GLOBAL=YES RACLIST ONLY = line. Regardless of whether the class was RACLISTed by GLOBAL=YES, if it was RACLISTed by SETROPTS RACLIST(classname), the class is listed only in the SETR RACLIST CLASSES = line.
SETROPTS RACLIST(classname) REFRESH can also be issued to create the RACGLIST profiles for the class, even if the class was not RACLISTed by either RACROUTE REQUEST=LIST,GLOBAL=YES or SETROPTS RACLIST. Then the first RACROUTE REQUEST=LIST,GLOBAL=YES uses the RACGLIST profiles to build the RACLIST data space, rather than accessing the database for each individual discrete and generic profile.
While the rebuild is in progress, RACF continues to use the old in-storage profiles for authorization requests until the new ones are created. When all systems have completed rebuilding the local data spaces, the coordinator signals the members of the data sharing group to discard the old ones and to begin using the new ones.
- When RACF is enabled for sysplex communication, RACF propagates a SETROPTS RACLIST(class-name) or
SETROPTS RACLIST(class-name) REFRESH command issued from any one system
(coordinator) to other systems in the data sharing group
(peers) if the command is successful on the system on which it was entered. If the RACGLIST
classname_nnnnn profiles were built for the class, peer members of the sysplex use the
results to build the RACLIST data space on their system, but do not rebuild the RACGLIST profiles.
If a refresh is being done, RACF continues to use the old in-storage profiles for authorization requests until the new ones are created. When all systems have completed rebuilding the local data spaces, the coordinator signals the members of the data sharing group to discard the old ones and to begin using the new ones.
If RACF is not enabled for sysplex communication, you must issue the SETROPTS RACLIST(class-name) command and the SETROPTS RACLIST(class-name) REFRESH command on each system sharing the database.
- When you activate RACLIST processing for the CDT class, the dynamic class descriptor table is built in a dataspace instead of in-storage profiles. The information in the dataspace is not used for authorization checking. If authorization checking using RACROUTE REQUEST=FASTAUTH is required for the CDT class, you must use RACROUTE REQUEST=LIST,GLOBAL=NO to locally RACLIST the CDT class profiles. Alternatively, RACROUTE REQUEST=AUTH may be used for the CDT class, and RACF will use CDT profiles in the RACF database for authorization checking. For more information on the dynamic CDT, see z/OS Security Server RACF Security Administrator's Guide.
- NORACLIST(class-name ...)
- Deactivates the
sharing of in-storage profiles, both generic and discrete, for the classes specified. Also see the
NOGENLIST operand.
When you specify NORACLIST, RACF deletes the data space containing the generic and discrete profiles for the specified classes. The data space might have been created by specifying the class with either a SETROPTS RACLIST command or a RACROUTE REQUEST=LIST,GLOBAL=YES request. In the latter case, all applications that issued a RACROUTE REQUEST=LIST,ENVIR=CREATE,GLOBAL=YES for the class should issue a RACROUTE REQUEST=LIST,ENVIR=DELETE before a SETROPTS NORACLIST is issued that processes the class. The SETROPTS NORACLIST should be used to delete the data space only after all applications have relinquished their access to it.
For both the SETROPTS RACLIST and RACROUTE REQUEST=LIST,GLOBAL=YES cases, if RACGLIST classname_nnnnn profiles exist for the class, they are deleted. Even if the class was not RACLISTed, SETROPTS NORACLIST can be used to delete these profiles. In all cases, the RACGLIST classname profile remains.
A valid class-name is any member class in the class descriptor table. Grouping classes are not valid, except for RACFVARS and NODES. If class-name is valid, not only the specified class but all classes that share the same POSIT are processed. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Because SETROPTS NORACLIST, like SETROPTS RACLIST REFRESH, operates on classes that are RACLISTed by RACROUTE REQUEST=LIST,GLOBAL=YES, or SETROPTS RACLIST, member classes in the class descriptor table that do not allow RACLIST processing are now valid classes for the command. Both these conditions are still invalid for SETROPTS RACLIST.
When RACF is enabled for sysplex communication, RACF propagates the SETROPTS NORACLIST command to other systems in the data sharing group, if the command was successful on the system in which it was entered. If RACF is not enabled for sysplex communication, you must issue the SETROPTS NORACLIST command on each system sharing the database.
NORACLIST is in effect for all classes defined in the class descriptor table when RACF is using a newly initialized database.
When SETROPTS NORACLIST(CDT) is issued, the dataspace containing the dynamic class descriptor table is deactivated, but not deleted. The dataspace remains until the system is restarted. For more information on the dynamic CDT, see z/OS Security Server RACF Security Administrator's Guide.
- REALDSN | NOREALDSN
-
- REALDSN
- Specifies that RACF is to record, in any SMF log records and operator messages, the real data set name (not the naming-conventions name) used on the data set commands and during resource access checking and resource definition.
- NOREALDSN
- Specifies that RACF is to record, in any SMF log records and operator messages, the data set names modified according to RACF naming conventions.
NOREALDSN is in effect when RACF is using a newly initialized database.
- REFRESH
- Refreshes the in-storage generic profiles when specified with GENERIC, GLOBAL or RACLIST, or the in-storage program control tables when specified with WHEN(PROGRAM).
- RETPD(nnnnn)
- Specifies the default RACF security retention period for tape data sets, where nnnnn is a 1-5 digit number in the range of 0 through 65533 or 99999 to indicate a data set that never expires. The security retention period is the number of days that RACF protection is to remain in effect for a tape data set; RACF stores the value in the tape data set profile.
If you specify RETPD, you must also specify TAPEDSN to activate tape data set protection. If you omit TAPEDSN, RACF records the value you specify for security retention period in the list of RACF options. However, without tape data set protection activated, this value is meaningless.
If you specify RETPD and TAPEDSN, the value you specify for security retention period is the default for your installation; RACF places the value in each tape data set profile unless the user specifies one of the following:
- An EXPDT in the JCL other than the current date
- A RETPD other than 0 on the ADDSD command.
- RVARYPW([SWITCH(switch-pw)] [STATUS(status-pw) ])
- Specifies the passwords that the operator is to use to respond to requests to approve RVARY command processing, where switch-pw is the response to a request to switch RACF databases or change the operating mode of RACF, and status-pw is the response to a request to change RACF or database status from ACTIVE to INACTIVE or from INACTIVE to ACTIVE. You can specify different passwords for each response. Note that NO is not a valid password for either SWITCH or STATUS.
When RACF is using a newly initialized database, the switch password and the status password are both set to YES.
- SAUDIT | NOSAUDIT
- Specifies whether RACF is to log RACF commands issued by users with the SPECIAL or group-SPECIAL attribute. You must have the AUDITOR attribute to specify these operands.
- SAUDIT
- Specifies that RACF is to log RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) issued by users who either had the SPECIAL attribute or who gained authority to issue the command through the group-SPECIAL attribute.
SAUDIT is in effect when RACF is using a newly initialized database.
- NOSAUDIT
- Specifies that RACF is not to log the commands issued by users with the SPECIAL or group-SPECIAL attribute.
- SECLABELAUDIT | NOSECLABELAUDIT
- You must have the AUDITOR attribute to specify these options.
- SECLABELAUDIT
- Specifies that the SECLABEL profile's auditing options are to be used in addition to the auditing options specified for the user or resource. This additional auditing occurs whenever an attempt is made to access or define a resource protected by a profile, FSP, or ISP that has a security label specified, or when a user running with a security label attempts to access or define a resource.
The SECLABEL profile requires SETROPTS RACLIST processing. If SECLABEL profile audit options are not specified, SECLABEL auditing is not done.
For more information, refer to z/OS Security Server RACF Auditor's Guide.
- NOSECLABELAUDIT
- Disables auditing by SECLABEL.
NOSECLABELAUDIT is in effect when RACF is using a newly initialized database.
- SECLABELCONTROL | NOSECLABELCONTROL
-
- SECLABELCONTROL
- Limits the users who can specify the SECLABEL operand on RACF commands. Those allowed to specify the operand are:
- Users with the SPECIAL attribute can specify the SECLABEL operand on any RACF command.
- Users with the group-SPECIAL attribute can specify the SECLABEL operand on the ADDUSER and ALTUSER commands when adding a user to a group within their scope of control (provided the group-SPECIAL is permitted to the SECLABEL).
- NOSECLABELCONTROL
- Allows any user to change the SECLABEL field in a profile, as long as the user has at least READ access authority to the associated SECLABEL profile.
NOSECLABELCONTROL is in effect when RACF is using a newly initialized database.
- SECLBYSYSTEM | NOSECLBYSYSTEM
-
- SECLBYSYSTEM
- Specifies that security labels can be activated on a system image basis. When SECLBYSYSTEM is active, the SMF ID values specified in the member list of the profiles in the SECLABEL class will determine whether or not the security label is valid for each system. Security labels that are not valid for a system are considered inactive and cannot be used or listed by users without SPECIAL or AUDITOR on that system. After activating SECLBYSYSTEM, SETR RACLIST(SECLABEL) REFRESH must be issued to complete the activation of security labels by system. This option cannot be activated if the SECLABEL class is not active.
- NOSECLBYSYSTEM
- Specifies that security labels are not activated on a system image basis.
NOSECLBYSYSTEM is in effect when RACF is using a newly initialized database.
- SECLEVELAUDIT | NOSECLEVELAUDIT
- You must have the AUDITOR attribute to specify these operands.
- SECLEVELAUDIT (security-level)
- Activates auditing of access attempts to all RACF-protected resources based on the specified installation-defined security level. RACF audits all access attempts for the specified security level and higher.
You can specify only a security level name defined by your installation as a SECLEVEL profile in the SECDATA class. (For information on defining security levels, see the description of the RDEFINE and RALTER commands.)
- NOSECLEVELAUDIT
- Deactivates auditing of access attempts to RACF-protected resources based on a security level.
NOSECLEVELAUDIT is in effect when RACF is using a newly initialized database.
- SESSIONINTERVAL | NOSESSIONINTERVAL
-
- SESSIONINTERVAL(n)
- Sets the maximum value that can be specified by RDEFINE or RALTER for session key intervals. This n value must be a number in the range of 1 - 32767 (inclusive). The SESSIONINTERVAL value after RACF data set initialization is 30. This value is used for:
- A default if SESSION is specified without INTERVAL on RDEFINE when defining an APPCLU class profile.
- An upper limit if INTERVAL is specified on RDEFINE or RALTER for APPCLU class profiles.
- NOSESSIONINTERVAL
- Disables the global limit on the number of days before a session key expires. The internal value is set to zero.
- STATISTICS | NOSTATISTICS
- Use these operands to cause RACF to record or not record statistical information for the specified class name. The valid class names are DATASET and those classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
Note: If you activate or deactivate statistics processing for a class, all other classes in the class descriptor table with the same POSIT number are also activated or deactivated. If, for instance, you activate statistics processing for the TIMS class, statistics processing is activated for classes AIMS and GIMS because they share POSIT number 4. For more information on sharing a POSIT value, see the POSIT keyword of the RDEFINE command.
- STATISTICS(class-name ... | *)
- Specifies that RACF is to record statistical information for class-name. If you specify an asterisk (*), you activate the recording of statistical information for the DATASET class and all classes defined in the class descriptor table.
When RACF is using a newly initialized database, the recording of class statistics is turned off. Because statistics recording has an impact on system performance, it is recommended that you do not activate this option for any class until your installation evaluates the need to use it versus the potential performance impact. For more information, see z/OS Security Server RACF System Programmer's Guide.
- NOSTATISTICS(class-name ... | *)
- Specifies the names of the classes to be deleted from those previously defined to have statistical information recorded. If you specify an asterisk (*), you deactivate the recording of statistical information for the DATASET class and all classes defined in the class descriptor table.
- TAPEDSN | NOTAPEDSN
-
- TAPEDSN
- Activates tape data set protection. When tape data set protection is in effect, RACF can protect individual tape data sets as well as tape volumes.
If you activate tape data set protection, you should also activate the TAPEVOL class. If you do not also activate TAPEVOL, RACF does not check the retention period before it deletes a tape data set, and you must provide your own protection for tape data sets that reside on a volume that contains more than one data set.
Before you activate tape data set protection, see z/OS Security Server RACF Security Administrator's Guide for a complete description of the relationship between TAPEDSN and activating the TAPEVOL class.
- NOTAPEDSN
- Deactivates tape data set protection. When NOTAPEDSN is in effect, RACF cannot protect individual tape data sets, though it can protect tape volumes.
NOTAPEDSN is in effect when RACF is using a newly initialized database.
- TERMINAL(READ | NONE)
- Is used to set the universal access authority (UACC) associated with undefined terminals. If you specify TERMINAL but do not specify READ or NONE, the system prompts you for a value.
- WHEN | NOWHEN
-
- WHEN(PROGRAM)
- Activates RACF program control, which includes both access control to load modules and program access to data sets.
To set up access control to load modules, you must identify your controlled programs by creating a profile for each in the PROGRAM class. To set up program access to data sets, you must add a conditional access list to the profile of each program-accessed data set. Then, when program control is active, RACF ensures that each controlled load module is executed only by callers with the defined authority. RACF also ensures that each program-accessed data set is opened only by users who are listed in the conditional access list with the proper authority and who are executing the program specified in the conditional access list entry.
When RACF is enabled for sysplex communication, the SETROPTS WHEN(PROGRAM) command and the SETROPTS WHEN(PROGRAM) REFRESH command are propagated to other members of the data sharing group if the command was successful on the system on which it was entered. When RACF is not enabled for sysplex communication, you must issue the SETROPTS WHEN(PROGRAM) command and the SETROPTS WHEN(PROGRAM) REFRESH command on each system sharing the database.
For more information about program control, see z/OS Security Server RACF Security Administrator's Guide.
Note: The PROGRAM class does not have to be active.
- NOWHEN(PROGRAM)
- Specifies that RACF program control is not to be active.
NOWHEN(PROGRAM) is in effect when RACF is using a newly initialized database.
Examples
Example | Activity label | Description
---|---|---
1 | Operation | User FRG34 wants to establish logging options that cause RACF to log all activity in the USER and GROUP classes, log the activities of users with the SPECIAL and group-SPECIAL attributes, log all accesses allowed only because the user has the OPERATIONS or group-OPERATIONS attribute, log all command violations, and audit all attempts to access RACF-protected resources based on the installation-defined security level SECRET.
 | Known | User FRG34 has the AUDITOR attribute. SECRET is defined as a SECLEVEL profile in the SECDATA class. User FRG34 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS AUDIT(USER GROUP) OPERAUDIT SECLEVELAUDIT(SECRET)
 | Defaults | SAUDIT CMDVIOL
2 | Operation | User RVU03 wants to establish a set of syntax rules for passwords that obey the following rules:
 | Known | User RVU03 has the SPECIAL attribute. User RVU03 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS PASSWORD(RULE1(LENGTH(4:5) ALPHANUM(1:5)) RULE2(LENGTH(5) ALPHA(1:5)) RULE3(LENGTH(6:8) ALPHANUM(1:8)) RULE4(LENGTH(6:8) NUMERIC(1:8)) RULE5(LENGTH(6:8) ALPHA(1:8)))
 | Defaults | None.
3 | Operation | User ADM1 wants to display the RACF options currently in effect. MVS and VM systems share the RACF database.
 | Known | User ADM1 has the SPECIAL and AUDITOR attributes. User ADM1 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS LIST
 | Defaults | None.
 | Output | See Figure 1 for a sample listing.
4 | Operation | User RVU02 wants to establish system-wide options for an installation. The installation requires tape data set protection and tape volume protection, and the maximum change interval is to be 60 days. The default RACF security retention period for tape data sets is to be 360 days.
 | Known | User RVU02 has the SPECIAL attribute. User RVU02 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS PASSWORD(INTERVAL(60)) CLASSACT(TAPEVOL) TAPEDSN RETPD(360)
 | Defaults | None.
5 | Operation | User ADM1 wants to enable the generic profile checking facility for the DATASET class.
 | Known | User ADM1 has the SPECIAL attribute. User ADM1 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS GENERIC(DATASET)
 | Defaults | None.
6 | Operation | User ADM1 wants to activate global access checking for the DATASET class.
 | Known | User ADM1 has the SPECIAL attribute. User ADM1 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS GLOBAL(DATASET)
 | Defaults | None.
7 | Operation | User ADM1 wants to activate erase-on-scratch processing for all resources with a security level of CONFIDENTIAL or higher and set the SWITCH and STATUS passwords for the RVARY command.
 | Known | User ADM1 has the SPECIAL attribute. The CONFIDENTIAL security level name is known to RACF. User ADM1 wants to issue this command as a RACF TSO command.
 | Command | SETROPTS ERASE(SECLEVEL(CONFIDENTIAL)) RVARYPW(SWITCH(LINUS) STATUS(LUCY))
 | Defaults | None.
8 | Operation | The RACF system administrator wants to activate installation defaults for the primary and secondary national languages. The primary language is Japanese and the secondary language is Canadian French.
 | Known | The system administrator has the SPECIAL attribute. The MVS message service is not active. The 3-character language code for Japanese is JPN. The language code for Canadian French is FRC. The system administrator wants to issue this command as a RACF TSO command.
 | Command | SETROPTS LANGUAGE(PRIMARY(JPN) SECONDARY(FRC))
 | Defaults | None.
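To see how the syntax rules established in Example 2 are applied, here is an added example (not part of the IBM documentation) that parses the RULE n LENGTH(...) lines of a SETROPTS LIST display and checks a candidate password against them. The character-class mapping behind the legend letters is this example's own approximation of RACF's classes.

```python
import re
import string

# Character classes behind the legend letters of a SETROPTS LIST display.
# Assumption: this mapping is the example's own reading of the legend; national
# characters (@ # $) count as alphabetic, upper-case legend letters require
# upper case, and the lower-case "mixed" letters accept either case.
NATIONAL = set("@#$")
UPPER = set(string.ascii_uppercase) | NATIONAL
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
VOWELS = set("AEIOU")
CONSONANTS = set(string.ascii_uppercase) - VOWELS
SPECIAL = set(string.punctuation) - NATIONAL
ANY = UPPER | LOWER | DIGITS | SPECIAL
# Keys are the legend letters: A ALPHA, C CONSONANT, L ALPHANUM, N NUMERIC,
# V VOWEL, W NOVOWEL, * ANYTHING, $ NATIONAL, s SPECIAL, c/m/v/x the MIXED forms.
LEGEND = {"A": UPPER, "C": CONSONANTS, "L": UPPER | DIGITS, "N": DIGITS,
          "V": VOWELS, "W": CONSONANTS | DIGITS | NATIONAL, "*": ANY,
          "$": NATIONAL, "s": SPECIAL, "x": ANY,
          "c": CONSONANTS | {c.lower() for c in CONSONANTS},
          "m": UPPER | LOWER | DIGITS,
          "v": VOWELS | {v.lower() for v in VOWELS}}

# One display line per rule: RULE n LENGTH(min[:max]) followed by the template.
RULE_RE = re.compile(r"^\s*RULE\s+(\d+)\s+LENGTH\((\d+)(?::(\d+))?\)\s+(\S+)\s*$")

# Constructed sample: the rule lines of the display shown on this page.
SAMPLE_RULES = """\
RULE 1 LENGTH(4:5) LLLLL
RULE 2 LENGTH(5) AAAAA
RULE 3 LENGTH(6:8) LLLLLLLL
RULE 4 LENGTH(6:8) NNNNNNNN
RULE 5 LENGTH(6:8) AAAAAAAA
LEGEND:
A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
"""


def parse_rules(listing):
    """Return (rule_no, min_len, max_len, template) tuples from display lines."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            lo = int(m.group(2))
            hi = int(m.group(3) or lo)       # LENGTH(5) means exactly 5
            rules.append((int(m.group(1)), lo, hi, m.group(4)))
    return rules


def satisfies(password, rule):
    _, lo, hi, template = rule
    if not lo <= len(password) <= hi:
        return False
    # The template is max-length wide; each password position is checked
    # against the legend letter at the same position.
    return all(ch in LEGEND.get(t, set()) for ch, t in zip(password, template))


def check_password(password, rules):
    """A new password must satisfy at least one rule; return that rule's number."""
    for rule in rules:
        if satisfies(password, rule):
            return rule[0]
    return None
```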
- 1
- The second line of this display, ATTRIBUTES =, refers to global RACF attributes in effect. These attributes can be set only with the SETROPTS command. They are different from, and should not be confused with, the RACF user attributes.
PASSWORD PROCESSING OPTIONS:
THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES
PASSWORD CHANGE INTERVAL IS 254 DAYS.
PASSWORD MINIMUM CHANGE INTERVAL IS 2 DAYS.
MIXED CASE PASSWORD SUPPORT IS IN EFFECT.
SPECIAL CHARACTERS ARE ALLOWED.
13 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.
PASSWORD EXPIRATION WARNING LEVEL IS 186 DAYS.
INSTALLATION PASSWORD SYNTAX RULES:
RULE 1 LENGTH(4:5) LLLLL
RULE 2 LENGTH(5) AAAAA
RULE 3 LENGTH(6:8) LLLLLLLL
RULE 4 LENGTH(6:8) NNNNNNNN
RULE 5 LENGTH(6:8) AAAAAAAA
LEGEND:
A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL s-SPECIAL x-MIXEDALL
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLEVELAUDIT IS INACTIVE
SECLABEL AUDIT IS IN EFFECT
SECLABEL CONTROL IS IN EFFECT
GENERIC OWNER ONLY IS IN EFFECT
COMPATIBILITY MODE IS IN EFFECT
MULTI-LEVEL QUIET IS IN EFFECT
MULTI-LEVEL STABLE IS IN EFFECT
NO WRITE-DOWN IS IN EFFECT. CURRENT OPTIONS:
"MLS WARNING" OPTION IS IN EFFECT
MULTI-LEVEL SECURE IS IN EFFECT. CURRENT OPTIONS:
"MLS WARNING" OPTION IS IN EFFECT
MULTI-LEVEL ACTIVE IS IN EFFECT. CURRENT OPTIONS:
"MLACTIVE FAIL" OPTION IS IN EFFECT
CATALOGUED DATA SETS ONLY, IS IN EFFECT. CURRENT OPTIONS:
"CATDSNS WARNING" OPTION IS IN EFFECT
USER-ID FOR JES NJEUSERID IS : ????????
USER-ID FOR JES UNDEFINEDUSER IS : ++++++++
PARTNER LU-VERIFICATION SESSIONKEY INTERVAL MAXIMUM/DEFAULT IS 30 days
APPLAUDIT IS IN EFFECT
ADDCREATOR IS IN EFFECT
KERBLVL = 0
MULTI-LEVEL FILE SYSTEM IS IN EFFECT
MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS IN EFFECT
MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
PRIMARY LANGUAGE DEFAULT : ENU / AMERICAN
SECONDARY LANGUAGE DEFAULT : ENU / AMERICAN
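As an added example that is not part of this documentation, the following script reads a captured SETROPTS LIST display such as the one above and flags the settings a reviewer would question, in particular the default RVARY passwords (both are YES on a newly initialized database) and an inactive SECLEVELAUDIT. The numeric thresholds are this example's assumptions.

```python
import re

# Constructed sample: the option lines of the SETROPTS LIST display shown
# above that this check inspects (the real display has many more lines).
SAMPLE_LISTING = """\
PASSWORD PROCESSING OPTIONS:
PASSWORD CHANGE INTERVAL IS 254 DAYS.
PASSWORD MINIMUM CHANGE INTERVAL IS 2 DAYS.
13 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLEVELAUDIT IS INACTIVE
SECLABEL AUDIT IS IN EFFECT
"""

# Review thresholds are this example's assumptions, not values from the page.
MAX_INTERVAL_DAYS = 90
MAX_REVOKE_ATTEMPTS = 5
MIN_HISTORY = 8


def audit_setropts(listing, max_interval=MAX_INTERVAL_DAYS,
                   max_attempts=MAX_REVOKE_ATTEMPTS, min_history=MIN_HISTORY):
    """Return (code, remediation) findings for a captured SETROPTS LIST display."""
    text = listing.upper()
    findings = []

    m = re.search(r"PASSWORD CHANGE INTERVAL IS (\d+) DAYS", text)
    if m and int(m.group(1)) > max_interval:
        findings.append(("PASSWORD_INTERVAL",
                         f"{m.group(1)} days; lower it with SETROPTS PASSWORD(INTERVAL(n))"))

    m = re.search(r"(\d+) GENERATIONS OF PREVIOUS PASSWORDS", text)
    if not m or int(m.group(1)) < min_history:
        findings.append(("PASSWORD_HISTORY",
                         "too few generations kept; set SETROPTS PASSWORD(HISTORY(n))"))

    m = re.search(r"AFTER (\d+) CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS", text)
    if not m or int(m.group(1)) > max_attempts:
        findings.append(("REVOKE_LIMIT",
                         "no or lax revoke threshold; set SETROPTS PASSWORD(REVOKE(n))"))

    # A newly initialized database leaves both RVARY passwords at YES, so the
    # operator approves any RVARY switch or status change with that word.
    for func in ("SWITCH", "STATUS"):
        if f"DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE {func} FUNCTION" in text:
            findings.append((f"RVARY_DEFAULT_{func}",
                             f"set SETROPTS RVARYPW({func}(password))"))

    if "SECLEVELAUDIT IS INACTIVE" in text:
        findings.append(("SECLEVELAUDIT_INACTIVE",
                         "no auditing by security level; consider SETROPTS SECLEVELAUDIT(level)"))
    return findings


def finding_codes(listing, **thresholds):
    """Just the finding codes, in display order."""
    return [code for code, _ in audit_setropts(listing, **thresholds)]


if __name__ == "__main__":
    for code, advice in audit_setropts(SAMPLE_LISTING):
        print(f"{code}: {advice}")
```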