CHANGE Subcommand

The CHANGE subcommand lets logonids add, change, or delete fields of selected logonid records. The use of the CHANGE subcommand depends on the privilege that is assigned and on whether the logonid record is scoped. Scoping limits a logonid's administrative authority and is used to control the actions of logonids.
  • Logonids with the security privilege
    Considered security administrators. Logonids with the security privilege are normally not scoped, and therefore they can change any logonid record field. Logonids with the security privilege can be scoped to change the user profile data information in the infostorage database.
  • Logonids with the account privilege
    Known as account managers. A logonid with the account privilege is normally scoped. If a logonid with the account privilege is not scoped, you can change any logonid record field.
  • Logonids with the leader privilege
    Considered group leaders. A logonid with the leader privilege is normally scoped. Group leaders can change logonids for users within their group.
  • Authorized end-user logonids
    Can change certain password-related fields for themselves and other end users, depending on their scope.
Issuing the CHANGE subcommand for a logonid with the SUSPEND or CANCEL field specified automatically triggers a type 71 RACF Event Notifications (ENF) signal. The ENF 71 signal provides notification about a change to a user's security record. Applications that receive the signal can take action. For example, refreshing the user's security record in a CICS remote region suspends or cancels the user immediately.
CHANGE * {*|logonid} {Like(lidmask) [If(field,...,field)]} {Uid(uidmask) [If(field,...,field)]} {If(field,...,field)} [TARGET(null|=|?|nodemask1,...,nodemask100)] [(field,...,field) [PWCNVRT] [ADD|REP|DEL]
When using the CHANGE subcommand, an asterisk ( * ), logonid, LIKE(lidmask) or UID(uidmask) and at least one keyword must be specified.
Examples: Manage CA ACF2 records
  • Changing Privileges: Account managers in your organization want to be notified at logon time of changes to the TSO environment. As a security administrator, you have SECURITY privileges which allow you to make this change. The NOTICE|NONNOTICES logonid parameter indicates to TSO whether a user wants to receive TSO notices at logon time. Because some logonids have both ACCOUNT and SECURITY privileges, specify NOSECURITY. This setting indicates that any logonid with the SECURITY privilege is not changed.
    CHANGE IF(ACCOUNT, NOSECURITY) OPERATOR NOTICE
    All logonids with the ACCOUNT privilege now receive TSO notices at logon time. All logonids with the SECURITY privilege are unchanged.
  • Changing Domain Access: System programmer Jane Doe needs access to data sets in your CICS environment. The following output is the logonid record for Jane:
    LIST SYSPROG1
    SYSPROG1     SYSPROG1 JANE DOE EXT.458
    PRIVILEGES   LEADER SCPLIST(FINANCE) TSO
    ACCESS       ACC-CNT(0) ACC-DATE(0) ACC-TIME(0)
    PASSWORD     PSWD-TOD(01/04/21-12:01)
    TSO          MAIL NOTICES TSOACCT(ACCT01)
    STATISTICS   UPD-TOD(01/04/21-12:01)
    RESTRICTIONS PREFIX(PAY7777)
    DFP          SMSINFO(DEFPAY)
    In this example, CICS does not appear under the PRIVILEGES section of Jane Doe's logonid record. To add CICS privileges:
    CHANGE SYSPROG1 CICS
    Verify the change to Jane's logonid record:
    LIST SYSPROG1
    SYSPROG1     SYSPROG1 JANE DOE EXT.458
    PRIVILEGES   CICS LEADER SCPLIST(FINANCE)
    ACCESS       ACC-CNT(0) ACC-DATE(0) ACC-TIME(0)
    PASSWORD     PSWD-TOD(01/04/21-12:01)
    TSO          MAIL NOTICES TSOACCT(ACCT01)
    STATISTICS   UPD-TOD(01/04/21-12:01)
    RESTRICTIONS PREFIX(PAY7777)
    DFP          SMSINFO(DEFPAY)
    Jane Doe now has access to your CICS environment.
  • Asterisk ( * )
    Specifies that you want to change the last logonid that was processed.
  • CPFWAIT|NOCPFWAIT
    Specifies that commands are processed on a synchronous basis, requiring the user to wait for commands to complete on ALL specified nodes before the local command completes.
    Default: NOCPFWAIT. Specifies that processing is asynchronous. If a new default is set in the CPF OPTIONS record CMDWAIT parameter, you can override this setting.
  • logonid
    Specifies a one- to eight-character name of the logonid record or user profile record that you want to change.
  • LIKE(lidmask)
    Specifies a one- to eight-character mask that identifies a group of logonid records you want to change. For example, the mask PAY*** identifies records for all logonids that begin with the letters PAY and end with any zero to three characters. Embedded blanks are excluded. PAY- matches all logonids that begin with PAY regardless of length. If you use this parameter to add or delete the TSO field for a group of logonids, synchronize the SYS1.BRODCAST data set. To recreate the SYS1.BRODCAST data set, use the SYNCH subcommand or the ACFBSYNC utility. When issuing a CHANGE subcommand with user profile records, you cannot specify the LIKE parameter.
  • IF(field,...,field)
    Specifies changing a group of logonids with a certain field or group of fields. For example, the following command changes all logonid records of users who have the ACCOUNT privilege but not the SECURITY privilege:
    CHANGE IF(ACCOUNT, NOSECURITY) Operator Notice
    • field,...,field
      Specifies the fields and any values that you want to add, replace, or delete to the new record. These rules apply to field names:
      • Turn on bit fields by stating the field name. Turn them off by prefixing the field name with NO. For example, to remove the STC option found in the OPTS record, use NOSTC.
      • Specify the desired value in parentheses for fields with variable or character values, for example, TIME(12:30). To nullify a field, specify the field with no value, as in TIME().
      • Specify multiple values in parentheses for fields that are defined with the capacity to contain multiple values. For example, PGMS(IMASPZAP AMASPZAP SUPERZAP). Use a space or comma as a valid delimiter in the parentheses.
    You cannot specify the IF parameter when issuing a CHANGE subcommand with user profile records.
    When specifying a constant-specific value in the IF statement, use the listed formats. For example, to change a date to a specific value:
    CHANGE IF(D'dd/mm/yy')
    • Format: 'aaaa' or C'aaaa'
      Contents: Alphanumerics
      Type: Character fields
    • Format: Nnnn
      Contents: Numerics
      Type: Binary number fields
    • Format: X'xx
      Contents: Hex numbers
      Type: Hex fields
    • Format: B'n
      Contents: 1 or 0 (1=on, 0=off)
      Type: Bit (flag) fields
    • Format: P'nn
      Contents: Numerics
      Type: Packed decimal fields
    • Format: D'mm/dd/yy' or D'dd/mm/yy' or D'yy/mm/dd'
      Contents: Numbers with dividing date field slashes. This format is based on local system options. Use single quotes before and after the date.
      Type: n/a
    • Format: U'xxxx'
      Contents: Any of the previous contents can be used. CA ACF2 resolves the data type to how the field is defined in the @CFDE.
      Type: n/a
    You can designate the DATE field as a TOD clock field. Or, you can store the DATE field as a packed decimal in the logonid record. Time-of-day fields are treated as date fields only. No comparison is made of the time portion of the field by the IF processor.
  • PWCNVRT
    Specifies that the current password is converted to the current password encryption algorithm. The current password encryption algorithm is defined in the PSWDENCT field of the GSO PSWD record. PWCNVRT must be used by itself on a CHANGE command. For example:
    CHANGE logonid PWCNVRT
    When command propagation facility (CPF) is active, the PWCNVRT command is executed on other CPF nodes. PWCNVRT does not affect the CPF nodes when command propagation is not active. Before using PWCNVRT, back up the CA ACF2 logonids database.
    If you are using PWCNVRT and are sharing databases, ensure that the latest maintenance is applied on all LPARs that share databases.
    Follow these rules when using PWCNVRT:
    • You must have SECURITY or ACCOUNT privilege to use PWCNVRT and the logonid must be in your scope.
    • PWCNVRT must not be used with any other parameters, except TARGET and CPFWAIT. You cannot use PWCNVRT with the LIKE, UID, or IF parameters.
    • You cannot specify PWCNVRT and logonid fields on the same CHANGE command.
    • You cannot convert down to a lower encryption algorithm. You can convert the password in the following ways: XDES to AES128, XDES to AES256 and AES128 to AES256.
    • After PWCNVRT has been issued on a logonid, another PWCNVRT command cannot be issued on the same logonid unless a password change is done in between.
  • UID(uidmask)
    Specifies a UID mask that identifies the logonids that you want to change.
    The UID parameter cannot be specified when issuing a CHANGE subcommand with user profile records.
  • ADD|REP|DEL
    Indicates that you want to add, replace, or delete the specified field values from the existing record. This parameter applies only to multi-value fields. You can abbreviate field names when specified on the CHANGE subcommand. If abbreviations match more than one field name in the logonid record and in any user profile record, they are treated as invalid. Use the CHANGE subcommand to redefine the record field specifications.
    Default: ADD
    To activate changed profile records:
    F ACF2,REBUILD(USR),CLASS(P),DIVISION(CHANGE)
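
Added example (not part of the CA ACF2 documentation): a Python preview of which logonids a mass CHANGE with LIKE(lidmask) and a bit-field IF(...) would select, so the scope of a change can be reviewed before it is issued. It covers only the two mask forms and the NO-prefix rule described on this page; the function names and the sample records are constructed for illustration.

```python
import re

# Bit fields that appear on this page. The set is needed because a name such as
# NOTICES starts with "NO" without being a negated field.
KNOWN_BITS = {"ACCOUNT", "SECURITY", "LEADER", "CICS", "TSO", "MAIL", "NOTICES", "OPERATOR"}

# Constructed sample records: logonid -> bit fields that are on.
SAMPLE = {
    "PAY": {"TSO"},
    "PAYMGR": {"ACCOUNT", "TSO"},
    "PAYADMIN": {"ACCOUNT", "SECURITY"},
    "SYSPROG1": {"LEADER", "TSO", "NOTICES"},
    "ACCTMGR1": {"ACCOUNT"},
}

def lidmask_to_regex(mask):
    """Translate PAY*** (prefix plus 0-3 characters) or PAY- (prefix, any length)."""
    m = re.fullmatch(r"([A-Z0-9$#@]+)(\*+|-)?", mask.upper())
    if not m:
        # Other mask forms are not described on the page, so refuse to guess.
        raise ValueError(f"unsupported mask form: {mask}")
    prefix, tail = re.escape(m.group(1)), m.group(2) or ""
    if tail == "-":
        return re.compile(prefix + r"\S*")
    return re.compile(prefix + r"\S{0,%d}" % len(tail))

def if_matches(bits, conditions):
    """Bit-field IF test: every NAME must be on and every NONAME must be off."""
    for cond in (c.strip().upper() for c in conditions):
        negated = cond.startswith("NO") and cond[2:] in KNOWN_BITS
        name = cond[2:] if negated else cond
        if name not in KNOWN_BITS:
            raise ValueError(f"not a known bit field: {cond}")
        if (name in bits) == negated:
            return False
    return True

def select(records, like=None, conditions=()):
    """Return the logonids that CHANGE LIKE(like) IF(conditions) would touch."""
    pattern = lidmask_to_regex(like) if like else None
    return sorted(lid for lid, bits in records.items()
                  if (pattern is None or pattern.fullmatch(lid))
                  and if_matches(bits, conditions))
```

Value comparisons in IF, such as TIME(12:30) or D'dd/mm/yy' constants, are outside what this preview models.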
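
Added example (not part of the CA ACF2 documentation): a Python pre-flight check that applies the PWCNVRT rules listed above to a CHANGE command before it is submitted. The function names, the arguments carrying the logonid's current algorithm and the PSWDENCT value, and the commands used to exercise it are assumptions for illustration; privilege and scope checks are left to CA ACF2 itself.

```python
import re

# Conversions the page lists as allowed; anything else, including a downgrade, is rejected.
ALLOWED_CONVERSIONS = {("XDES", "AES128"), ("XDES", "AES256"), ("AES128", "AES256")}
ALLOWED_WITH_PWCNVRT = {"TARGET", "CPFWAIT", "NOCPFWAIT"}
SELECTORS = {"LIKE", "UID", "IF"}

def tokenize(command):
    """Split into top-level tokens, keeping KEYWORD(values) together (no nested parentheses)."""
    return re.findall(r"[^\s()]+\([^)]*\)|[^\s()]+", command)

def check_pwcnvrt(command, current_algo, pswdenct, already_converted=False):
    """Return the PWCNVRT rule violations in one CHANGE command (empty list if none).

    current_algo: algorithm the logonid's password is stored with today.
    pswdenct: algorithm configured in the PSWDENCT field of the GSO PSWD record.
    already_converted: True if PWCNVRT was issued since the last password change.
    """
    keys = [t.split("(", 1)[0].upper() for t in tokenize(command)]
    if len(keys) < 2 or keys[0] != "CHANGE":
        return ["not a CHANGE command with a target"]
    if "PWCNVRT" not in keys:
        return []  # the rules below apply only to PWCNVRT
    problems = []
    if keys[1] == "PWCNVRT":
        problems.append("no logonid specified")
    # LIKE, UID and IF cannot be combined with PWCNVRT.
    problems += [f"PWCNVRT cannot be used with {k}" for k in keys[1:] if k in SELECTORS]
    # After the logonid, only PWCNVRT, TARGET and CPFWAIT|NOCPFWAIT may appear.
    extras = [k for k in keys[2:]
              if k != "PWCNVRT" and k not in ALLOWED_WITH_PWCNVRT and k not in SELECTORS]
    if extras:
        problems.append("logonid fields on the same command: " + ", ".join(extras))
    if (current_algo, pswdenct) not in ALLOWED_CONVERSIONS:
        problems.append(f"conversion {current_algo} to {pswdenct} is not allowed")
    if already_converted:
        problems.append("already converted; a password change is required first")
    return problems
```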