The following are a few common RACF commands used by Security Administrators in the Mainframe environment. Note that the commands shown are very simplified examples. More details of the commands and their parameters can be found in IBM’s manual.
| User Profiles | |
|---|---|
| AU userid NAME(‘user_name’) DFLTGRP(grp_name) OWNER(owner) PASS(password) | Add a userid to the RACF database. Note that this is a very simplified example. |
| LU userid | List a userid info |
| ALU userid PASSWORD(password) | Set a temporary password to a userid. This password will have to be changed when user logs in to the system. |
| ALU userid REVOKE | Revoke a userid |
| ALU userid RESUME | Resume a userid |
| ALU userid RESUME PASS(password) | Resume a userid and set a temporary password. |
| CO userid GROUP(grp_name) OWN(grp_name) | Connect a userid to a RACF group. |
| RE userid GROUP(grp_name) | Remove a userid from a RACF group. |
| ALU userid NAME(‘user_name’) | Change the user name of a userid. Max. of 120 characters available. |
| ALU userid DATA(‘inst_data’) | Change the installation data of a userid. Max. of 255 characters available. |
| DU userid | Delete a userid from RACF database. |
| Group Profiles | |
| AG grp_name OWNER(owner) SUPGROUP(superior_grp_name) | Add a group to RACF. |
| LG grp_name | List a RACF group details. |
| ALG grp_name SUPGROUP(superior_grp_name) | Change the Superior Group of a RACF group. |
| ALG grp_name DATA(‘inst_data’) | Change installation data of a RACF group. Max. of 255 characters available. |
| DG grp_name | Delete a RACF group. |
| Dataset Profiles | |
| AD ‘ds_profile’ UACC(uacc_level) | Add a Dataset profile to RACF database. Note that this is a very simplified example.Ex: AD ‘XPTO.*’ UACC(READ) |
| LD DATASET(‘ds_profile’) | List a dataset profile details. |
| ALD ‘ds_profile’ UACC(uacc_level) | Change a dataset profile UACC. |
| ALD ‘ds_profile’ OWNER(owner) | Change a dataset profile OWNER. |
| DD ‘ds_profile’ | Delete dataset profile from RACF database. |
| SR MASK(mask_argument) CLASS(class) | List the profiles matching the mask argument and the Class.Ex: SR MASK(sys1) CLASS(DATASET) |
| PE ‘ds_profile’ ID(userid) GEN AC(access_level) | Grants userid access to the dataset profile. |
| PE ‘ds_profile’ ID(grp_name) GEN AC(access_level) | Grants RACF group access to the dataset profile. |
| General Resources | |
| RDEF class_name profile_name ADDMEM(member) | Add a general resource profile.Ex: RDEF PROGRAM AMASPZAP ADDMEM(‘SYS1.LINKLIB’/SYSRES/PADCHK) |
| RL class_name profile_name ALL | List all details of a general resource profile.Ex: RL PROGRAM AMASPZAP ALL |
| RALT class_name profile_name UACC(acc_level) | Changes the general resource profile UACC.Ex: RAL PROGRAM AMASPZAP UACC(READ) |
| RDEL class_name profile_name | Delete a general resource profile.Ex: RDEL PROGRAM AMASPZAP |
| PE gr_profile CL(class) ID(userid) AC(access_level) | Grants userid access to the General resource profile of Class class. |
| PE gr_profile CL(class) ID(grp_name) AC(access_level) | Grants RACF group access to the General resource profile of Class class. |
| RACF Options | |
| SETROPTS GENERIC(class_name) REFRESH | Refresh in-storage profile for a specific CLASS. |
| SETROPTS PASSWORD(REVOKE(5) RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5))
RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)) RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7))) |
Sets in RACF that all passwords must be at least six characters in length and contain at least one numeric character, not in the first or last position. Further, the user’s access to the system must be revoked if five incorrect passwords are entered in a row. |
For more information on RACF, check my presentation “RACF – The Basics” available for download.
Thank you for sharing these needed commands
Very handy list of admin commands and options
Thanks for this very helpful for me
Thank you Miguel!
Very useful!
Very useful, thank you!
it was really helpful, It has all the commands I wanted.. thanks..