RACF Commands

The following is a list of RACF commands followed by a description of each.
ADDGROUP Command
RACF uses the ADDGROUP command to add a group definition. For example:
ADDGROUP OMVSGRP OMVS(GID(1))
In CA ACF2, this definition is added to a profile record as follows:
SET PROFILE(GROUP) DIV(OMVS)
INSERT OMVSGRP GID(1)
Anytime you insert, change, or delete profile records, you must bring the changed profile records into storage as follows:
F ACF2,REBUILD(USR),CLASS(P)
In addition, if you changed the OMVS or OMVSGRP profile records, you must also rebuild the in-storage tables as follows:
F ACF2,OMVS
ADDSD Command
RACF uses the ADDSD command to define profiles for data sets that are to be protected. This process is unnecessary in CA ACF2 because all data sets are protected by default.
ADDUSER Command
RACF uses the ADDUSER command to define a new user to its database with the profile information necessary to let that user use the desired components of the system. The ADDUSER command is the same as the INSERT command in CA ACF2. For example, the RACF command:
ADDUSER USER01 DFLTGRP(OMVSGRP) OMVS(UID(200) HOME(/) OMVSPROGRAM(/bin/sh)) PASSWORD(password)
would be rendered in CA ACF2 as follows:
INSERT USER01 GROUP(OMVSGRP) PASSWORD(password)
SET PROFILE(USER) DIV(OMVS)
INSERT USER01 UID(200) HOME(/) OMVSPGM(/bin/sh)
Anytime you insert, change, or delete profile records, you must bring the changed profile records into storage as follows:
F ACF2,REBUILD(USR),CLASS(P)
In addition, if you changed the OMVS USER or OMVS GROUP profile records, you must also rebuild the in-storage tables as follows:
F ACF2,OMVS
ALTDSD Command
In situations where PROTECTALL is not active, RACF uses the ALTDSD command to add profiles for data sets that have been defined as protected. This process is unnecessary in CA ACF2 because all data sets are automatically protected by default.
ALTGROUP Command 
RACF uses the ALTGROUP command to change an existing group profile. For example:
ALTGROUP OMVSGRP OMVS(GID(2))
In CA ACF2, the function of modifying an existing profile is performed with the CHANGE command. For example:
SET PROFILE(GROUP) DIV(OMVS)
CHANGE OMVSGRP GID(2)
Anytime you insert, change, or delete profile records, you must bring the changed profile records into storage as follows:
F ACF2,REBUILD(USR),CLASS(P)
In addition, if you changed the OMVS or OMVSGRP profile records, you must also rebuild the in-storage tables as follows:
F ACF2,OMVS
BLKUPD Command
RACF uses the BLKUPD command to let users repair the RACF database by directly changing its internal elements. This command is for RACF administration and would have no effect on a CA ACF2 environment.
CONNECT Command
RACF uses the CONNECT command to connect or add a RACF userid to an existing group. This gives the userid the accesses associated with that group. For example:
CONNECT USERA GROUP(PAYGRP)
In CA ACF2, grouping individuals together is handled with the UID string and the individual logonid fields that CA ACF2 uses to construct the UID string. For example, if you want to add a user to the payroll department, you would issue the following command:
SET LID
CHANGE USERA DEPT(PAY)
DELDSD Command
In the event that PROTECTALL is not active, RACF uses the DELDSD command to delete a profile defining a data set for RACF protection. This process is unnecessary in CA ACF2 because all data sets are automatically protected by default.
DELGROUP Command
RACF uses the DELGROUP command to delete a RACF group profile. For example:
DELGROUP PAYROLL
There is no direct counterpart in CA ACF2. CA ACF2 uses the UID string to group people and only uses a group in selected environments such as UNIX System Services. A group is assigned to an individual logonid in the GROUP field and defined in the GROUP profile records. Deleting a group in this instance would be done as follows:
SET LID
CHANGE LOGONID GROUP()
SET PROFILE(GROUP) DIV(OMVS)
DELETE PAYROLL
DELUSER Command
RACF uses the DELUSER command to delete a user profile from RACF. For example:
DELUSER USERA
In CA ACF2, you remove a user from the database by deleting the logonid as follows:
SET LID
DELETE USERA
LISTDSD, LISTGRP, and LISTUSER Commands
RACF uses the LISTDSD, LISTGRP, and LISTUSER commands to display the corresponding data set, group, and user profiles. For example:
LISTUSER USERA
CA ACF2 provides a LIST command to let you list the individual or selected groups or database records. For instance, to list a logonid you would do the following:
SET LID
LIST USERA
PASSWORD Command
RACF uses the PASSWORD command to change a user's password or change interval. The same function is accomplished in CA ACF2 using the CHANGE command on the logonid. For example:
SET LID
CHANGE USERA PASSWORD(NEWONE)
PERMIT Command
The RACF PERMIT command allows access to resources. For example:
PERMIT SYS1.PARMLIB CLASS(DATASET) ID(user) ACCESS(READ)
Or:
PERMIT USI161ME.HOGWA01.HOGWA01C.JOB03567.D0000002 CLASS(jesspoolclass) ID(user) ACCESS(READ)
Based on the resource class, CA ACF2 would use access rules or resource rules to perform the same control. If the resource class is DATASET, DASDVOL, or TAPEVOL, CA ACF2 uses access rules to validate a request. Any other class is controlled with resource rules. The first RACF example uses a class of DATASET, so in CA ACF2 this is an access rule as follows:
$KEY(SYS1)
PARMLIB UID(user) R(A)
The second RACF example uses a class that is not one of the classes that uses access rules, so CA ACF2 uses a generalized resource rule as follows:
$KEY(USI161ME) TYPE(SPL)
HOGWA01.- UID(user) SERVICE(READ) ALLOW
RACDCERT Command
RACF uses the RACDCERT command to administer digital certificates. This command allows authorized users to add, list, modify, generate and delete certificates. It can also be used to generate certificate requests. For examples, see IBM RACF to CA ACF2 Translation.
RALTER Command
The RACF RALTER command allows changes to an existing profile. For example:
RALTER PROGRAM * ADDMEM('CBC.SCLBDLL') UACC(READ)
In CA ACF2, the equivalent function would be handled by making changes to an access rule or a resource rule and then recompiling it.
RDEFINE Command
Where a resource is not protected by default, RDEFINE is used in RACF to define resources. There is no counterpart to this in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that the resource is protected. This default scheme requires that rules be written to allow access to a resource.
RDELETE Command
RACF uses the RDELETE command to remove a resource from RACF protection and for other RACF administrative functions. There is no counterpart to this command in CA ACF2. Removing resources from protection is the same as writing a generic resource rule to allow access to the resource class.
REMOVE Command
RACF uses the REMOVE command to take one or more users out of a specific group. Since CA ACF2 has a grouping structure based on the UID string, moving a user from group to group is simply a change to the value in the appropriate field contained within the UID string.
RLIST Command
RACF uses the RLIST command to list the details of resource profiles. It is also used to perform refreshes of resource profiles. CA ACF2 uses the LIST command to display the various records found in the CA ACF2 databases. For refreshing resource rules that are globally resident, CA ACF2 uses the F ACF2,REBUILD command. For locally resident rules, the SETNORUL command releases the old copies of rules in an address space, forcing the address space to acquire new copies.
RVARY Command
RACF uses the RVARY command to deactivate or reactivate RACF functions or resources. There is no direct counterpart to this command in CA ACF2.
SEARCH Command
RACF uses the SEARCH command to display information from its database based on specified search criteria. CA ACF2 provides similar functionality in its LIST command and in reports such as ACFRPTSL, ACFRPTXR, and ACFRPTRX.
SETROPTS Command
SETROPTS is used to set RACF options or turn them off. For example:
SETROPTS CLASSACT(JESSPOOL)
CA ACF2 uses SAFDEF records as needed to activate various protection schemes. Since most SAF calls are protected by default, it is usually not necessary to add additional SAFDEF records. The CA ACF2 SECTRACE and SHOW SAFDEF commands can be used to verify the SAF environment that an application is using.
For example, if the SHOW SAFDEF command indicates that the JESSPOOL class is ignored, a SAFDEF record would be needed to activate it, as follows:
INSERT SAFDEF.JESSPOOL ID(JESSPOOL) MODE(GLOBAL) -
RACROUTE(REQUEST=AUTH,CLASS=JESSPOOL) REP
CA ACF2 also uses GSO records to control options. Changes to the GSO records can be brought into effect with the F ACF2,REFRESH command.
If finer detail is required, the SECTRACE output could supply additional information that could be added to the SAFDEF record to make the request more specific.
CLASS
This defines a type of resource. CA ACF2 divides resources into data set resources or general resources. If the class is DATASET, DASDVOL, or TAPEVOL, CA ACF2 uses data set access rules to validate access. All other classes will use generalized resource rules. The currently defined classes and their CA ACF2 type codes can be found by issuing an ACF SHOW CLASMAP command.
If the resource is not defined or you want to change the type codes used in the resource rules for a class, you can use a GSO CLASMAP record to accomplish this. For example, the JESSPOOL class comes predefined with a type code of SAF. To change this, you would issue:
SET CONTROL(GSO)
INSERT CLASMAP.JESSPOOL RESOURCE(JESSPOOL) RSRCTYPE(SPL) ENTITYLN(53)
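The class test from the PERMIT section (DATASET, DASDVOL, or TAPEVOL selects an access rule, anything else a resource rule) together with the CLASMAP type-code lookup above, as an added Python example that is not part of the CA documentation: it parses the nested KEYWORD(value) operands of a RACF PERMIT command and emits the corresponding CA ACF2 rule lines. The CLASMAP table, the RACF ACCESS to ACF2 permission mapping, and the function names are assumptions for this example.

```python
# Added example, not from the CA ACF2 documentation.
ACCESS_RULE_CLASSES = {"DATASET", "DASDVOL", "TAPEVOL"}   # classes that use access rules (from the PERMIT section)
CLASMAP = {"JESSPOOL": "SPL", "FACILITY": "FAC"}           # assumed class -> ACF2 type code (as set by a CLASMAP record)
ACCESS_TO_PERMS = {                                        # assumed RACF ACCESS -> ACF2 access-rule permissions
    "READ": "R(A)", "UPDATE": "R(A) W(A)", "ALTER": "R(A) W(A) A(A)", "EXECUTE": "E(A)",
}

def parse_operands(text):
    """Split RACF operands into (positionals, {KEYWORD: value}); nested parentheses stay inside the value."""
    positional, keywords, i = [], {}, 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        start = i
        while i < len(text) and not text[i].isspace() and text[i] != "(":
            i += 1
        word = text[start:i].upper()
        if i < len(text) and text[i] == "(":
            depth, vstart = 0, i + 1
            while i < len(text):                           # scan to the matching close parenthesis
                depth += {"(": 1, ")": -1}.get(text[i], 0)
                if depth == 0:
                    break
                i += 1
            keywords[word] = text[vstart:i]                # e.g. OMVS -> "UID(200) HOME(/) ..."
            i += 1                                          # step past the close parenthesis
        else:
            positional.append(word)
    return positional, keywords

def permit_to_acf2(command):
    """Return the two ACF2 rule lines ($KEY line, rule entry) for one RACF PERMIT command."""
    verb, rest = command.split(None, 1)
    if verb.upper() != "PERMIT":
        raise ValueError("not a PERMIT command")
    positional, kw = parse_operands(rest)
    resource = positional[0]
    racf_class = kw.get("CLASS", "DATASET").upper()         # PERMIT defaults to the DATASET class
    uid, access = kw["ID"], kw.get("ACCESS", "READ").upper()
    key, _, remainder = resource.partition(".")            # first qualifier becomes the $KEY, as on the page
    if racf_class in ACCESS_RULE_CLASSES:
        return [f"$KEY({key})", f"{remainder} UID({uid}) {ACCESS_TO_PERMS[access]}"]
    type_code = CLASMAP[racf_class]                         # resource rules need the CLASMAP type code
    return [f"$KEY({key}) TYPE({type_code})", f"{remainder} UID({uid}) SERVICE({access}) ALLOW"]
```

Unlike the page's hand-written resource rule, the translator emits the full remaining resource name rather than the masked `HOGWA01.-`; masking is a judgement the administrator still makes.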