IBM RACF Commands
IBM RACF commands and descriptions.
The following lists IBM RACF commands and descriptions and the CA ACF2 equivalent commands.
- ADDGROUP: Adds a group definition. For example:
    ADDGROUP OMVSGRP OMVS(GID(1))
  For CA ACF2, the definition is added to a profile record. When you insert, change, or delete CA ACF2 profile records, put the profile records into storage:
    SET PROFILE(GROUP) DIV(OMVS)
    INSERT OMVSGRP GID(1)
  Also, if you change the OMVS or OMVSGRP profile records, rebuild the in-storage tables:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS
- ADDSD: Defines IBM RACF profiles for data sets that are to be protected. This process is not necessary with CA ACF2 because data sets are protected by default.
- ADDUSER: Creates an IBM RACF user profile. This command includes the profile information necessary to use the desired components of the system. For example:
    ADDUSER USER01 DFLTGRP(OMVSGRP) OMVS(UID(200) HOME(/) OMVSPROGRAM(/bin/sh)) PASSWORD(password)
  The CA ACF2 equivalent is the INSERT command. If you insert, change, or delete CA ACF2 profile records, put the changed profile records into storage:
    INSERT USER01 GROUP(OMVSGRP) PASSWORD(password)
    SET PROFILE(USER) DIV(OMVS)
    INSERT USER01 UID(200) HOME(/) OMVSPGM(/bin/sh)
  If you change the CA ACF2 OMVS USER or OMVS GROUP profile records, rebuild the in-storage tables:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS
- ALTDSD: Alters profiles for the data sets that are defined as protected. This process is unnecessary in CA ACF2 because all data sets are automatically protected by default.
- ALTGROUP: Changes an existing IBM RACF group profile:
    ALTGROUP OMVSGRP OMVS(GID(2))
  In CA ACF2, modifying an existing profile is done with a CHANGE command. If you insert, change, or delete CA ACF2 profile records, put the changed profile records into storage:
    SET PROFILE(GROUP) DIV(OMVS)
    CHANGE OMVSGRP GID(2)
  If you changed the CA ACF2 OMVS or OMVSGRP profile records, rebuild the in-storage tables:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS
- BLKUPD: Repairs the IBM RACF database by directly changing its internal elements. This command is for IBM RACF administration and has no effect on a CA ACF2 environment.
- CONNECT: Connects or adds an IBM RACF userid to an existing group. For example:
    CONNECT USERA GROUP(PAYGRP)
  In CA ACF2, grouping individuals together is handled with the UID string and the logonid fields that are used to construct the UID string. For example, to add a user to the payroll department:
    SET LID
    CHANGE USERA DEPT(PAY)
- DELDSD: Deletes a profile defining a data set for IBM RACF protection, if PROTECTALL is not active. This process is unnecessary in CA ACF2 because all data sets are automatically protected by default.
- DELGROUP: Deletes an IBM RACF group profile:
    DELGROUP PAYROLL
  CA ACF2 uses the UID string to group people. A group is assigned to an individual logonid in the GROUP field and defined in the GROUP profile records, so removing a group means clearing that field and deleting the profile record:
    SET LID
    CHANGE LOGONID GROUP()
    SET PROFILE(GROUP) DIV(OMVS)
    DELETE PAYROLL
- DELUSER: Deletes a user profile from IBM RACF:
    DELUSER USERA
  In CA ACF2, remove a user from the database by deleting the logonid:
    SET LID
    DELETE USERA
- LISTDSD, LISTGRP, and LISTUSER: Display the corresponding data set, group, and user profiles:
    LISTUSER USERA
  The CA ACF2 LIST command lets you list individual or selected groups of database records. To list a logonid:
    SET LID
    LIST USERA
- PASSWORD: Changes a user's password or password change interval. The same function is accomplished in CA ACF2 using the CHANGE command on the logonid:
    SET LID
    CHANGE USERA PASSWORD(NEWONE)
- PERMIT: Allows access to resources:
    PERMIT SYS1.PARMLIB CLASS(DATASET) ID(user) ACCESS(READ)
  Or:
    PERMIT USI161ME.HOGWA01.HOGWA01C.JOB03567.D0000002 CLASS(jesspoolclass) ID(user) ACCESS(READ)
  Based on the resource class, CA ACF2 uses access rules or resource rules to perform the same control. If the resource class is DATASET, DASDVOL, or TAPEVOL, CA ACF2 uses access rules to validate the request; the first example becomes an access rule keyed on the high-level qualifier:
    $KEY(SYS1)
    PARMLIB UID(user) R(A)
  The second IBM RACF example uses a class that is not one of the classes that use access rules, so CA ACF2 uses a generalized resource rule:
    $KEY(USI161ME) TYPE(SPL)
    HOGWA01.- UID(user) SERVICE(READ) ALLOW
- RACDCERT: Administers digital certificates. This command allows authorized users to add, list, modify, generate, and delete certificates, and to generate certificate requests.
- RALTER: Allows changes to an existing profile:
    RALTER PROGRAM * ADDMEM('CBC.SCLBDLL') UACC(READ)
  In CA ACF2, the equivalent function is to change an access or resource rule and recompile the rule.
- RDEFINE: Defines resources, where a resource is not protected by default. There is no counterpart to this command in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that the resource is protected.
- RDELETE: Removes a resource from IBM RACF protection and from other IBM RACF administrative functions. There is no counterpart to this command in CA ACF2. Removing a resource from protection is the same as writing a generic resource rule that allows access to the resource class.
- REMOVE: Removes IBM RACF users from a specific group. CA ACF2 has a grouping structure based on the UID string. To move a user from group to group, change the value in the appropriate logonid field that makes up the UID string.
- RLIST: Lists the details of IBM RACF resource profiles and refreshes resource profiles. CA ACF2 uses the LIST command to display the various records found in the CA ACF2 databases. For refreshing resource rules that are globally resident, CA ACF2 uses the F ACF2,REBUILD command. For locally resident rules, the SETNORUL command releases the old copies of rules in an address space, forcing the address space to acquire new copies.
- RVARY: Deactivates or reactivates IBM RACF functions or resources. There is no direct counterpart to this command in CA ACF2.
- SEARCH: Displays information from the IBM RACF database based on specified search criteria. CA ACF2 provides similar functionality with the LIST command and reports such as ACFRPTSL, ACFRPTXR, and ACFRPTRX.
- SETROPTS: Sets IBM RACF options:
    SETROPTS CLASSACT(JESSPOOL)
  CA ACF2 uses SAFDEF records to activate protection schemes. Since most SAF calls are protected by default, it is usually not necessary to add more SAFDEF records. The CA ACF2 SECTRACE and SHOW SAFDEF commands can be used to verify the SAF environment that an application is using. CA ACF2 also uses GSO records to control options; changes to the GSO records are activated with the F ACF2,REFRESH command. If more detail is required, the SECTRACE output supplies additional information that can be added to the SAFDEF record to make the request more specific.
- CLASS: Defines a type of resource. CA ACF2 divides resources into data set resources and general resources. If the class is DATASET, DASDVOL, or TAPEVOL, CA ACF2 uses data set access rules to validate access. All other classes use generalized resource rules. The currently defined classes and their CA ACF2 type codes can be found by issuing an ACF SHOW CLASMAP command. If the resource class is not defined, or you want to change the type code used in the resource rules for a class, use the GSO CLASMAP record. For example, the JESSPOOL class comes predefined with a type code of SAF:
    SET CONTROL(GSO)
    INSERT CLASMAP.JESSPOOL RESOURCE(JESSPOOL) RSRCTYPE(SPL) ENTITYLN(53)
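The PERMIT and CLASS entries above describe the same decision: DATASET, DASDVOL and TAPEVOL requests map to an access rule keyed on the high-level qualifier, every other class maps to a generalized resource rule whose TYPE comes from CLASMAP. The following added example (not part of the original page or of either product) turns that decision into a small translator for PERMIT commands; the function names, the CLASMAP lookup (seeded only with JESSPOOL/SPL from the page's rule example), the UPDATE/ALTER flag mappings and the bare "-" mask for a one-qualifier resource are all assumptions.

```python
import re

# Classes that CA ACF2 validates with data set access rules (from the page);
# every other class is validated with a generalized resource rule.
ACCESS_RULE_CLASSES = {"DATASET", "DASDVOL", "TAPEVOL"}

# Class -> CA ACF2 type code. JESSPOOL/SPL is taken from the page's rule
# example; in practice seed this from your own SHOW CLASMAP output (assumed).
CLASMAP = {"JESSPOOL": "SPL"}

# RACF ACCESS level -> ACF2 access-rule flag. READ -> R(A) is the page's
# example; UPDATE and ALTER mappings are an assumption for illustration.
ACCESS_FLAGS = {"READ": "R(A)", "UPDATE": "W(A)", "ALTER": "A(A)"}

_OPERAND = re.compile(r"(\w+)\(([^)]*)\)")


def parse_permit(cmd):
    """Split 'PERMIT <resource> CLASS(x) ID(y) ACCESS(z)' into its parts."""
    parts = cmd.strip().split(None, 2)
    if len(parts) < 3 or parts[0].upper() != "PERMIT":
        raise ValueError("not a PERMIT command: %r" % cmd)
    operands = {k.upper(): v for k, v in _OPERAND.findall(parts[2])}
    return {
        "resource": parts[1],
        "class": operands.get("CLASS", "DATASET").upper(),  # RACF default class
        "uid": operands["ID"],
        "access": operands.get("ACCESS", "READ").upper(),
    }


def permit_to_acf2(cmd):
    """Return the ACF2 rule lines ($KEY line plus one rule entry) for a PERMIT."""
    p = parse_permit(cmd)
    key, _, rest = p["resource"].partition(".")
    rest = rest or "-"  # assumption: a bare key gets a mask for everything under it
    if p["class"] in ACCESS_RULE_CLASSES:
        flag = ACCESS_FLAGS[p["access"]]
        return ["$KEY(%s)" % key, "%s UID(%s) %s" % (rest, p["uid"], flag)]
    rtype = CLASMAP.get(p["class"])
    if rtype is None:
        # No type code known: the class must be added with a GSO CLASMAP record first.
        raise KeyError("no CLASMAP type code for class %s" % p["class"])
    return ["$KEY(%s) TYPE(%s)" % (key, rtype),
            "%s UID(%s) SERVICE(%s) ALLOW" % (rest, p["uid"], p["access"])]
```

The generated entry uses the full remaining resource name; choosing a mask such as the page's HOGWA01.- remains a manual decision.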