RACF Commands vs Authorities and RACF Attributes

Different levels of authority and different RACF attributes allow you to issue different RACF commands. In this article we list which RACF commands, and which of their operands, a user can issue with each authority level and attribute.

System Special or Group Special Attribute

Command                   Operands
ADDSD                     With all operands
ADDGROUP                  With all operands
ADDUSER                   With all operands; a group-SPECIAL user can issue it only when the user also has CLAUTH(USER)
ALTDSD                    With all operands except GLOBALAUDIT
ALTGROUP                  With all operands
ALTUSER                   With all operands except UAUDIT or NOUAUDIT. Also, you must have the SPECIAL attribute to use the NOEXPIRED operand or to issue the NOCLAUTH operand for a class name that is not in the class descriptor table (group-SPECIAL does not suffice).
CONNECT                   With all operands
DELDSD                    With all operands
DELGROUP                  With all operands
DELUSER                   With all operands
LISTDSD (1)               With all operands
LISTGRP                   With all operands
LISTUSER                  With all operands
PASSWORD or PHRASE        With all operands
PERMIT                    With all operands
RALTER                    With all operands except GLOBALAUDIT
RACDCERT                  With all operands. You must have the SPECIAL attribute to issue the RACDCERT command. Group-SPECIAL does not suffice.
RACLINK                   With all operands
RACMAP                    With all operands. You must have the SPECIAL attribute to issue the RACMAP command. Group-SPECIAL does not suffice.
RDEFINE                   With all operands
RDELETE                   With all operands
REMOVE                    With all operands
RLIST                     With all operands
SEARCH                    With all operands
SETROPTS                  With all operands except AUDIT, NOAUDIT, CMDVIOL, NOCMDVIOL, APPLAUDIT, NOAPPLAUDIT, LOGOPTIONS, OPERAUDIT, NOOPERAUDIT, SAUDIT, NOSAUDIT, SECLABELAUDIT, NOSECLABELAUDIT, SECLEVELAUDIT, and NOSECLEVELAUDIT, which require the AUDITOR attribute. Users with the group-SPECIAL attribute can only issue REFRESH GENERIC and LIST.

System Auditor or Group Auditor Attribute

Command                   Operands
ALTDSD                    Only with GLOBALAUDIT
ALTUSER                   Only with UAUDIT or NOUAUDIT
LISTDSD                   With all operands; lists the GLOBALAUDIT option
LISTGRP                   With all operands
LISTUSER                  With all operands; lists the UAUDIT or NOUAUDIT operand
RALTER                    Only with GLOBALAUDIT
RLIST                     With all operands; lists the GLOBALAUDIT option
SEARCH                    With all operands
SETROPTS                  Only with APPLAUDIT, NOAPPLAUDIT, AUDIT, NOAUDIT, CMDVIOL, NOCMDVIOL, LOGOPTIONS, OPERAUDIT, NOOPERAUDIT, SAUDIT, NOSAUDIT, SECLABELAUDIT, NOSECLABELAUDIT, SECLEVELAUDIT, NOSECLEVELAUDIT, LIST, REFRESH GENERIC, or REFRESH RACLIST

System Operations or Group Operations Attribute

Command                   Operands
ADDSD                     When adding new profiles for group data sets
LISTDSD                   With all operands except GLOBALAUDIT
RLIST                     With all operands except GLOBALAUDIT
SEARCH                    With all operands
SETROPTS                  Only with REFRESH

CLAUTH Attribute

Command                   Operands
ADDUSER (1)               With all operands except OPERATIONS, NOOPERATIONS, SPECIAL, NOSPECIAL, AUDITOR or NOAUDITOR
ALTUSER (2)               Only with CLAUTH or NOCLAUTH
RALTER (3)                Only with ADDVOL
RDEFINE (4)               With all operands (special rules apply to ADDMEM)

Notes:

  1. When you have the CLAUTH attribute of USER and you either are the owner of a group, have JOIN authority in the default group specified in the command, or the profile is within the scope of a group in which you have the group special attribute.
  2. When you have the CLAUTH attribute for the class to be added or deleted, the class name is in the class descriptor table (CDT), and either you are the owner of the user’s profile, or the profile is within the scope of a group in which you have the group special attribute.
  3. When you have the CLAUTH attribute of TAPEVOL and you also have sufficient authority to issue the command. For ADDMEM, special rules apply, depending on access to individual resources.
  4. When you have the CLAUTH attribute for the specified class. For ADDMEM, special rules apply, depending on access to individual resources.

Group Authority

Group authority           Commands and operands
USE                       For group resources, the authority allowed the group.
CREATE                    ADDSD (1): with all operands except NOSET
CONNECT                   ADDSD (1): with all operands except NOSET
                          ALTUSER: only with GROUP, AUTHORITY or UACC
                          CONNECT: with all operands except SPECIAL, NOSPECIAL, OPERATIONS, NOOPERATIONS, AUDITOR, or NOAUDITOR
                          LISTGRP: only with group name
                          REMOVE: with all operands
JOIN                      ADDGROUP (2): with all operands
                          ADDSD (1): with all operands except NOSET
                          ADDUSER (3): with all operands except OPERATIONS, SPECIAL or AUDITOR
                          ALTGROUP (4): only with SUPGROUP
                          ALTUSER: only with GROUP, AUTHORITY or UACC
                          CONNECT: with all operands except SPECIAL, NOSPECIAL, OPERATIONS, NOOPERATIONS, AUDITOR, or NOAUDITOR
                          DELGROUP (2): with all operands
                          LISTGRP: only with group name
                          REMOVE: with all operands

Notes:

  1. This command applies to group data sets only.
  2. This command applies to the superior group.
  3. This command applies only if you have the JOIN group authority in the default group specified in the ADDUSER command and if you also have the CLAUTH(USER) attribute.
  4. This command applies to current and new superior groups. You can have JOIN authority in one group and be owner of or be connected with the group special attribute to another group.

Access Authority

Access authority          Commands and operands
NONE or EXECUTE           None
READ, UPDATE or CONTROL   LISTDSD: with all operands except AUTHUSER or ALL
                          RLIST: with all operands except AUTHUSER or ALL
                          SEARCH: with all operands
ALTER                     ALTDSD (1): with all operands except OWNER, NOSET or GLOBALAUDIT
                          DELDSD (1): with all operands except NOSET
                          LISTDSD (1): with all operands
                          PERMIT (1): with all operands
                          RALTER (1): with all operands except OWNER, ADDVOL (2) or GLOBALAUDIT
                          RDELETE (1): with all operands
                          RLIST (1): with all operands

Notes:

  1. This command applies to discrete profiles only.
  2. This command applies to the ADDVOL operand only if you also have the CLAUTH attribute for TAPEVOL.

Profile Ownership Authority

Owner of RACF profile     Commands and operands
Owner of user profile     ALTUSER (1): only with user ID, NAME, OWNER, DFLTGRP, DATA, GRPACC, NOGRPACC, ADSP, NOADSP, REVOKE, NOREVOKE, RESUME, NORESUME, PASSWORD, NOPASSWORD, PHRASE, NOPHRASE, OIDCARD, NOOIDCARD, CLAUTH or NOCLAUTH
                          DELUSER: with all operands
                          LISTUSER: with all operands
                          PASSWORD or PHRASE: only with USER
                          RACLINK: with all operands
Owner of group profile    ADDGROUP (2): with all operands
                          ADDUSER (3): with all operands except OPERATIONS, SPECIAL or AUDITOR
                          ALTGROUP (4): with all operands
                          ALTUSER: only with GROUP, AUTHORITY or UACC
                          CONNECT: with all operands except SPECIAL, NOSPECIAL, OPERATIONS or NOOPERATIONS
                          DELGROUP (5): with all operands
                          LISTGRP: with all operands
                          REMOVE: with all operands
Owner of resource profile ALTDSD: with all operands except NOSET or GLOBALAUDIT
                          DELDSD: with all operands except NOSET
                          LISTDSD: with all operands
                          PERMIT: with all operands
                          RALTER (6): with all operands except GLOBALAUDIT
                          RDELETE: with all operands
                          RLIST: with all operands
                          SEARCH: with all operands

Notes:

  1. This command applies to CLAUTH or NOCLAUTH only if you have the CLAUTH attribute for the class to be added or deleted, and the class name is in the class descriptor table (CDT).
  2. This command applies to the superior group.
  3. This command applies to the default group specified and only if you have the CLAUTH attribute of USER.
  4. This command applies to current and new superior groups. You can have JOIN authority in one group and be owner of another group.
  5. This command applies to the superior group or group to be deleted.
  6. This command applies to the ADDVOL operand only when you also have the CLAUTH attribute of TAPEVOL.

Other Authorities

User ID relationship                  Commands and operands
User ID is current user               ALTUSER: only with NAME or DFLTGRP
                                      LISTUSER: only with user ID
                                      PASSWORD or PHRASE: only with PASSWORD or INTERVAL
User ID is the high-level qualifier   ADDSD: with all operands
of the data set name (or a qualifier  ALTDSD: with all operands except OWNER or GLOBALAUDIT
supplied by a command installation    DELDSD: with all operands
exit)                                 LISTDSD: with all operands
                                      PERMIT: with all operands
                                      SEARCH: with all operands
None                                  RVARY (1): with all operands
None                                  RACF MVS operator commands DISPLAY, RESTART, SET, SIGNOFF, STOP and TARGET: authority granted by the OPERCMDS class
                                      Any RACF TSO command issued as an operator command

Note:

  1. Although no special authority is needed to issue this command, the system operator must supply the appropriate RVARY password, as established by the SETROPTS command with the RVARYPW operand, to approve any change in RACF status.

You can find more information about this subject in IBM's manual “z/OS Security Server RACF Security Administrator's Guide”.