IBM RACF Commands

IBM RACF commands and descriptions.
The following lists IBM RACF commands and descriptions and the CA ACF2 equivalent commands.
  • ADDGROUP
    Indicates adding a group definition.
    ADDGROUP OMVSGRP OMVS(GID(1))
    For CA ACF2, the definition is added to a profile record:
    SET PROFILE(GROUP) DIV(OMVS)
    INSERT OMVSGRP GID(1)
    When you insert, change, or delete CA ACF2 profile records, add the profile records in storage:
    F ACF2,REBUILD(USR),CLASS(P)
    Also, if you change the OMVS or OMVSGRP profile records, rebuild the in-storage tables:
    F ACF2,OMVS
  • ADDSD
    Defines IBM RACF profiles for data sets that are to be protected. This process is not necessary with CA ACF2 because data sets are protected by default.
  • ADDUSER
    Creates an IBM RACF user profile. This command includes the profile information necessary to use the desired components of the system.
    ADDUSER USER01 DFLTGRP(OMVSGRP) OMVS(UID(200) HOME(/) PROGRAM(/bin/sh)) PASSWORD(password)
    The CA ACF2 equivalent is the INSERT command, first for the logonid and then for the OMVS user profile record:
    INSERT USER01 GROUP(OMVSGRP) PASSWORD(password)
    SET PROFILE(USER) DIV(OMVS)
    INSERT USER01 UID(200) HOME(/) OMVSPGM(/bin/sh)
    If you insert, change, or delete CA ACF2 profile records, put the changed profile records into storage:
    F ACF2,REBUILD(USR),CLASS(P)
    If you change the CA ACF2 OMVS USER or OMVS GROUP profile records, rebuild the in-storage tables:
    F ACF2,OMVS
  • ALTDSD
    Adds profiles for the data sets that are defined as protected. This process is unnecessary in CA ACF2 because all data sets are automatically protected by default.
  • ALTGROUP
    Change an existing IBM RACF group profile:
    ALTGROUP OMVSGRP OMVS(GID(2))
    In CA ACF2, an existing profile is modified with a CHANGE command:
    SET PROFILE(GROUP) DIV(OMVS)
    CHANGE OMVSGRP GID(2)
    If you insert, change, or delete CA ACF2 profile records, put the changed profile records into storage:
    F ACF2,REBUILD(USR),CLASS(P)
    If you changed the CA ACF2 OMVS or OMVSGRP profile records, rebuild the in-storage tables:
    F ACF2,OMVS
  • BLKUPD
    Repair the IBM RACF database by directly changing its internal elements. This command is for IBM RACF administration and has no effect on a CA ACF2 environment.
  • CONNECT
    Connect or add an IBM RACF userid to an existing group. For example:
    CONNECT USERA GROUP(PAYGRP)
    In CA ACF2, grouping individuals together is handled with the UID string and the logonid fields that are used to construct the UID string. For example, to add a user to the payroll department:
    SET LID
    CHANGE USERA DEPT(PAY)
  • DELDSD
    Deletes a profile defining a data set for IBM RACF protection, if PROTECTALL is not active. This process is unnecessary in CA ACF2 because all data sets are automatically protected by default.
  • DELGROUP
    Delete an IBM RACF group profile:
    DELGROUP PAYROLL
    CA ACF2 uses the UID string to group people. A group is assigned to an individual logonid in the GROUP field and defined in the GROUP profile records, so to remove a group, clear the GROUP field of the logonids that reference it and delete the GROUP profile record:
    SET LID
    CHANGE LOGONID GROUP()
    SET PROFILE(GROUP) DIV(OMVS)
    DELETE PAYROLL
  • DELUSER
    Delete a user profile from IBM RACF:
    DELUSER USERA
    In CA ACF2, remove a user from the database by deleting the logonid:
    SET LID
    DELETE USERA
  • LISTDSD, LISTGRP, and LISTUSER
    Display the corresponding data set, group, and user profiles:
    LISTUSER USERA
    The CA ACF2 LIST command lets you list the individual or selected groups or database records. To list a logonid:
    SET LID
    LIST USERA
  • PASSWORD
    Change a user's password or password change interval. The same function is accomplished in CA ACF2 using the CHANGE command on the logonid:
    SET LID
    CHANGE USERA PASSWORD(NEWONE)
  • PERMIT
    Allows access to resources:
    PERMIT SYS1.PARMLIB CLASS(DATASET) ID(user) ACCESS(READ)
    Or:
    PERMIT USI161ME.HOGWA01.HOGWA01C.JOB03567.D0000002 CLASS(jesspoolclass) ID(user) ACCESS(READ)
    Based on the resource class, CA ACF2 uses access rules or resource rules to perform the same control. If the resource class is DATASET, DASDVOL, or TAPEVOL, CA ACF2 uses access rules to validate a request:
    $KEY(SYS1)
    PARMLIB UID(user) R(A)
    The second IBM RACF example uses a class that is not one of the classes that use access rules. CA ACF2 uses a generalized resource rule:
    $KEY(USI161ME) TYPE(SPL)
    HOGWA01.- UID(user) SERVICE(READ) ALLOW
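    To make the two rule families concrete, the following Python illustration is added here; it is not code from the page or from CA ACF2. It builds a UID string from logonid fields the way the CONNECT entry above describes, then routes a request to a data set access rule or to a generalized resource rule depending on its SAF class, as the PERMIT entry describes, and denies anything no rule entry covers, matching the default-protection behaviour the page states. The mask semantics ("*" matches one character, "-" matches the remainder), the field layout of the UID string, the service-to-permission-letter mapping, the most-specific-first ordering of entries, and every sample rule, logonid and class-to-type mapping other than JESSPOOL/SPL are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# From the page: DATASET, DASDVOL and TAPEVOL requests are validated with access
# rules; every other SAF class is validated with a generalized resource rule.
ACCESS_RULE_CLASSES = {"DATASET", "DASDVOL", "TAPEVOL"}
# Constructed CLASMAP table; JESSPOOL -> SPL is the mapping the page shows.
CLASMAP = {"JESSPOOL": "SPL"}
# Constructed mapping from SAF service name to access-rule permission letter (assumption).
SERVICE_TO_PERM = {"READ": "R", "UPDATE": "W", "WRITE": "W", "ALLOC": "A", "EXECUTE": "E"}

def rule_family(saf_class: str) -> str:
    """'access' for classes validated by access rules, otherwise 'resource'."""
    return "access" if saf_class.upper() in ACCESS_RULE_CLASSES else "resource"

def mask_to_regex(mask: str) -> re.Pattern:
    """Assumed masking semantics: '*' matches exactly one character and '-'
    matches everything that remains (zero or more characters, periods included)."""
    parts = ["." if ch == "*" else ".*" if ch == "-" else re.escape(ch) for ch in mask]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def mask_match(mask: str, value: str) -> bool:
    return mask_to_regex(mask).match(value) is not None

def build_uid(fields: dict, layout: tuple) -> str:
    # The UID string concatenates logonid fields in a site-defined order; the
    # layout used below (DEPT, then the logonid) is a constructed example.
    return "".join(fields.get(name, "") for name in layout)

@dataclass
class AccessEntry:
    dsn_mask: str   # matched against the data set name after the $KEY qualifier
    uid_mask: str   # UID(...) mask
    perms: dict     # permission letter -> 'A' allow, 'L' log, 'P' prevent

@dataclass
class AccessRuleSet:
    key: str        # $KEY: the high-level qualifier of the data set
    entries: list

@dataclass
class ResourceEntry:
    name_mask: str  # matched against the resource name after the $KEY part
    uid_mask: str
    services: set   # SERVICE(...) keywords; an empty set means any service
    verdict: str    # ALLOW, LOG or PREVENT

@dataclass
class ResourceRuleSet:
    key: str        # $KEY
    type_code: str  # TYPE(...) code, e.g. SPL
    entries: list

def check_dataset(rulesets, dsn, uid, perm):
    """Entries are assumed to be ordered most specific first; with no matching
    entry the data set stays protected (CA ACF2 protects data sets by default)."""
    hlq, _, rest = dsn.partition(".")
    for rs in rulesets:
        if rs.key.upper() != hlq.upper():
            continue
        for e in rs.entries:
            if mask_match(e.dsn_mask, rest) and mask_match(e.uid_mask, uid):
                return e.perms.get(perm.upper(), "P")
    return "P"

def check_resource(rulesets, type_code, resource, uid, service):
    """Same lookup for a generalized resource rule, selected by type code and $KEY."""
    key, _, rest = resource.partition(".")
    for rs in rulesets:
        if rs.type_code != type_code or rs.key.upper() != key.upper():
            continue
        for e in rs.entries:
            if (mask_match(e.name_mask, rest) and mask_match(e.uid_mask, uid)
                    and (not e.services or service.upper() in e.services)):
                return e.verdict
    return "PREVENT"

def check_request(access_rules, resource_rules, saf_class, name, uid, service):
    """Route a SAF request to the rule family the page describes for its class."""
    if rule_family(saf_class) == "access":
        perm = SERVICE_TO_PERM[service.upper()]
        return "access", check_dataset(access_rules, name, uid, perm)
    return "resource", check_resource(resource_rules, CLASMAP[saf_class.upper()], name, uid, service)

# Constructed sample rules, shaped like the two rules on the page:
#   $KEY(SYS1)                 PARMLIB UID(PAY-) R(A)
#   $KEY(USI161ME) TYPE(SPL)   HOGWA01.- UID(PAY-) SERVICE(READ) ALLOW
SAMPLE_ACCESS_RULES = [AccessRuleSet("SYS1", [AccessEntry("PARMLIB", "PAY-", {"R": "A"})])]
SAMPLE_RESOURCE_RULES = [ResourceRuleSet("USI161ME", "SPL",
                         [ResourceEntry("HOGWA01.-", "PAY-", {"READ"}, "ALLOW")])]

if __name__ == "__main__":
    uid = build_uid({"DEPT": "PAY", "LID": "USERA"}, ("DEPT", "LID"))  # constructed logonid
    print(check_request(SAMPLE_ACCESS_RULES, SAMPLE_RESOURCE_RULES, "DATASET", "SYS1.PARMLIB", uid, "READ"))
    print(check_request(SAMPLE_ACCESS_RULES, SAMPLE_RESOURCE_RULES, "JESSPOOL",
                        "USI161ME.HOGWA01.HOGWA01C.JOB03567.D0000002", uid, "READ"))
```

    Changing a logonid's DEPT field changes the UID string the masks are matched against, which is why the CONNECT and REMOVE entries describe group membership as a field change rather than a separate command; a request for a data set or resource with no matching entry falls through to the deny-by-default verdict.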
  • RACDCERT
    Administer digital certificates. This command allows authorized users to add, list, modify, generate, and delete certificates, and to generate certificate requests.
  • RALTER
    Allows changes to an existing profile:
    RALTER PROGRAM * ADDMEM('CBC.SCLBDLL') UACC(READ)
    In CA ACF2, the equivalent function is to change an access or resource rule and recompile the rule.
  • RDEFINE
    Define resources, where a resource is not protected by default. There is no counterpart to this command in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that the resource is protected.
  • RDELETE
    Remove a resource from IBM RACF protection and remove other IBM RACF administrative functions. There is no counterpart to this command in CA ACF2. Removing resources from protection is the same as writing a generic resource rule to allow access to the resource class.
  • REMOVE
    Removes IBM RACF users from a specific group. CA ACF2 has a grouping structure based on the UID string. Change the value in the appropriate field contained in the UID string to move a user from group to group.
  • RLIST
    List the details of IBM RACF resource profiles and perform refreshes to resource profiles. CA ACF2 uses the LIST command to display the various records found in the CA ACF2 databases. For refreshing resource rules that are globally resident, CA ACF2 uses the F ACF2,REBUILD command. For locally resident rules, the SETNORUL command releases the old copies of rules in an address space, forcing the address space to acquire new copies.
  • RVARY
    Deactivate or reactivate IBM RACF functions or resources. There is no direct counterpart to this command in CA ACF2.
  • SEARCH
    Display information from the IBM RACF database based on specified search criteria. CA ACF2 provides similar functionality with the LIST command and reports such as ACFRPTSL, ACFRPTXR, and ACFRPTRX.
  • SETROPTS
    Set IBM RACF options:
    SETROPTS CLASSACT(JESSPOOL)
    CA ACF2 uses SAFDEF records to activate protection schemes. Since most SAF calls are protected by default, it is not necessary to add more SAFDEF records. The CA ACF2 SECTRACE and SHOW SAFDEF commands can be used to verify the SAF environment that an application is using. CA ACF2 also uses GSO records to control options. Changes to the GSO records can be made using the F ACF2,REFRESH command. If more detail is required, the SECTRACE output supplies additional information that can be added to the SAFDEF record to make the request more specific.
  • CLASS
    Defines a type of resource. CA ACF2 divides resources into data set resources or general resources. If the class is DATASET, DASDVOL, or TAPEVOL, CA ACF2 uses data set access rules to validate access. All other classes use generalized resource rules. The currently defined classes and their CA ACF2 type codes can be found by issuing an ACF SHOW CLASMAP command.
    If the resource is not defined or you want to change the type code used in the resource rules for a class, use the GSO CLASMAP record. For example, the JESSPOOL class comes predefined with a type code of SAF; this CLASMAP record changes it to SPL:
    SET CONTROL(GSO)
    INSERT CLASMAP.JESSPOOL RESOURCE(JESSPOOL) RSRCTYPE(SPL) ENTITYLN(53)