
Summary of RACF commands

Much of the RACF activity dealing with protected CICS resources involves creating, changing, and deleting general resource profiles.

Note: The commands described here, and the operands used in the examples, are not exhaustive. The sequences of commands shown here demonstrate one way to accomplish a given task. There may be other sequences of commands that you can use. For full details of RACF commands, refer to z/OS Security Server RACF Command Language Reference.

Creating general resource profiles

To create a general resource profile, use the RDEFINE command. Generally, once you have created a profile, you then create an access list for the profile using the PERMIT command.

In this example, the three RDEFINE commands define three profiles named CEMT, CEDA, and CEDB in the TCICSTRN resource class. The three PERMIT commands allow two groups of users to access each transaction:

    RDEFINE TCICSTRN CEMT UACC(NONE) NOTIFY(sys_admin_userid)
    RDEFINE TCICSTRN CEDA UACC(NONE) NOTIFY(sys_admin_userid)
    RDEFINE TCICSTRN CEDB UACC(NONE) NOTIFY(sys_admin_userid)
    PERMIT CEMT CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
    PERMIT CEDA CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
    PERMIT CEDB CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)

Creating a resource group profile

To define a profile in a resource grouping class, use the RDEFINE command with the ADDMEM operand to add resources as members of the group. Generally, once you have created a profile, you then create an access list for the profile using the PERMIT command.

In this example, the RDEFINE command defines a resource group profile named CICSTRANS in the GCICSTRN resource grouping class. The PERMIT command allows two groups of users to access all transactions in the profile:

    RDEFINE GCICSTRN CICSTRANS UACC(NONE) ADDMEM(CEMT, CEDA, CEDB) NOTIFY(sys_admin_userid)
    PERMIT CICSTRANS CLASS(GCICSTRN) ID(group1, group2) ACCESS(READ)

Creating a general resource profile

Use the RDEFINE command to create a profile in a general resource class:

    RDEFINE class profile UACC(NONE)

where:

    class      is the name of the general resource class
    profile    is the name of the new profile

Specify UACC(NONE) to ensure that there is no default access to the profile.

Permitting access to a general resource

To permit access to a general resource, use the PERMIT command to create an access list for the general resource profile:

    PERMIT profile CLASS(class) ID(user) ACCESS(authority)

where:

    profile    is the name of the new profile
    class      is the name of the general resource class
    user       is the user (or group of users) that is being given access authority to the resource
    authority  is the level of authority that is being granted to the user

Removing an entry from an access list

To remove the entry for a user or group from an access list, issue the PERMIT command with the DELETE operand instead of the ACCESS operand:

    PERMIT profile_name CLASS(class_name) ID(user|group) DELETE

Changing a profile

If you want to change a profile (for example, changing UACC from NONE to READ), use the RALTER command:

    RALTER class_name profile_name UACC(READ)

Deleting a profile

To delete a profile, use the RDELETE command. For example:

    RDELETE class_name profile_name

Copying from a profile

You can copy an access list from one profile to another. To do so, specify the FROM operand on the PERMIT command:

    PERMIT profile_name CLASS(class_name) FROM(existing_profile_name) FCLASS(class_name)

You can copy information from one profile to another. To do so, specify the FROM operand on the RDEFINE or RALTER command:

    RDEFINE class_name profile_name FROM(existing_profile_name) FCLASS(class_name)

Note: Do not plan to do this if you are using resource group profiles. RACF does not copy the members (specified with the ADDMEM operand) when copying the profile. Also, there are other ways in which the new profile might not be an exact copy of the existing profile. For example, RACF places the userid of the resource profile owner in the access list with ALTER access authority. For complete information, see the description of the FROM operand on the appropriate commands in the z/OS Security Server RACF Command Language Reference.

Listing profiles in a class

To list the names of profiles in a particular class, use the SEARCH command. The following command lists profiles in the TCICSTRN class:

    SEARCH CLASS(TCICSTRN)

The following commands list all profiles and their details in the GCICSTRN class:

    SEARCH CLASS(GCICSTRN)
    RLIST GCICSTRN * ALL

For information on resource classes, see RACF general resource profiles.

Note: If you are a group-SPECIAL user (not system-SPECIAL), the SEARCH command might not list all the profiles that exist in a class. To get a complete list of profiles in a class, you must have at least the authority to list each profile. For further information, see the description of RACF requirements for the SEARCH command in the z/OS Security Server RACF Command Language Reference, and "Which profile is used to protect the resource?".

Activating protection for a class

To begin protecting all the resources protected by profiles in a RACF class, activate that class by issuing the SETROPTS command with CLASSACT specified:

    SETROPTS CLASSACT(class_name)

Defining a generic profile

Before you can use RDEFINE to define a generic profile (that is, one whose name uses an asterisk (*), double asterisk (**), ampersand (&), or percent sign (%)), first issue the command:

    SETROPTS GENERIC(class_name)

Deactivating protection for a class

Deactivating a class turns off protection without disturbing the profiles themselves. If a class is deactivated, RACF issues a "not protected" return code to CICS for all resources in that class. CICS treats this response as access denied. To deactivate a RACF class, issue the SETROPTS command with NOCLASSACT specified:

    SETROPTS NOCLASSACT(class_name)

Determining active classes

To determine which RACF classes are currently active, issue the SETROPTS command with LIST specified:

    SETROPTS LIST
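The rules stated in the sections above (every RDEFINE carries UACC(NONE), SETROPTS GENERIC(class) precedes a generic RDEFINE, a PERMIT follows the RDEFINE of its profile, and FROM does not copy ADDMEM members) can be checked over a command script before it is submitted. The following Python checker is an added example, not IBM's code; the sample script, the SYSADM1 userid and the group names are constructed, and it assumes that FCLASS defaults to the target profile's own class when it is omitted.

```python
import re
GENERIC_CHARS = set("*%&")  # characters that make a profile name generic (** is covered by *)

def parse(line):
    # One RACF command -> (verb, positional operands, {KEYWORD: [values]}); case-folded
    toks = re.findall(r"\S+?\([^)]*\)|\S+", line)
    verb, pos, ops = toks[0].upper(), [], {}
    for t in toks[1:]:
        m = re.fullmatch(r"(\w+)\((.*)\)", t)
        if m:
            ops[m[1].upper()] = [v.upper() for v in re.split(r"[,\s]+", m[2].strip()) if v]
        else:
            pos.append(t.upper())
    return verb, pos, ops

def lint(script):
    # Walk the commands in order and return the findings as "line N: ..." strings
    defined, generic_on, findings = {}, set(), []
    for n, line in enumerate(script.splitlines(), 1):
        if not line.strip():
            continue
        verb, pos, ops = parse(line)
        if verb == "SETROPTS" and "GENERIC" in ops:
            generic_on.update(ops["GENERIC"])
        elif verb == "RDEFINE":
            cls, prof = pos[0], pos[1]
            defined[(cls, prof)] = ops
            if ops.get("UACC") != ["NONE"]:
                findings.append(f"line {n}: {prof}: no UACC(NONE), so default access is not denied")
            if GENERIC_CHARS & set(prof) and cls not in generic_on:
                findings.append(f"line {n}: {prof}: generic profile without prior SETROPTS GENERIC({cls})")
        elif verb == "PERMIT" and (ops.get("CLASS", ["?"])[0], pos[0]) not in defined:
            findings.append(f"line {n}: PERMIT {pos[0]}: profile not RDEFINEd earlier in this script")
        if verb in ("RDEFINE", "RALTER") and "FROM" in ops:
            # Assumption: FCLASS defaults to the target profile's own class when omitted
            src = (ops.get("FCLASS", [pos[0]])[0], ops["FROM"][0])
            if "ADDMEM" in defined.get(src, {}):
                findings.append(f"line {n}: FROM({src[1]}): ADDMEM members are not copied")
    return findings

SAMPLE = """\
SETROPTS GENERIC(TCICSTRN)
RDEFINE TCICSTRN CEMT UACC(NONE) NOTIFY(SYSADM1)
RDEFINE GCICSTRN CICSTRANS UACC(NONE) ADDMEM(CEMT, CEDA, CEDB) NOTIFY(SYSADM1)
PERMIT CEMT CLASS(TCICSTRN) ID(group1, group2) ACCESS(READ)
RDEFINE TCICSTRN CED* UACC(READ)
RDEFINE GCICSTRN CED% UACC(NONE)
PERMIT CEDA CLASS(TCICSTRN) ID(group1) ACCESS(READ)
RDEFINE GCICSTRN COPYGRP UACC(NONE) FROM(CICSTRANS)
"""  # constructed sample: the page's sequence plus four deliberate mistakes (lines 5-8)
```

Running `lint(SAMPLE)` reports one finding for each of the last four lines of the sample and nothing for the first four.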

Activating support for mixed case passwords

To turn support for mixed case passwords on, issue the SETROPTS command with PASSWORD specified:

    SETROPTS PASSWORD(MIXEDCASE)

To turn support for mixed case passwords off, issue the SETROPTS command:

    SETROPTS PASSWORD(NOMIXEDCASE)

Mixed case passwords are supported in z/OS Security Server (RACF) 1.7 and above.
