RSH Consulting - RACF SETROPTS - 2015-03 - SHARE - 16807

RACF
SETROPTS
Exploring the Options
SHARE ‐ 16807 ‐ March 2015
Robert S. Hansel Lead RACF Consultant R.Hansel@rshconsulting.com 617‐969‐9050
Robert S. Hansel
Robert S. Hansel is Lead RACF Specialist and founder of RSH Consulting,
Inc., an IT security professional services firm he established in 1992 and
dedicated to helping clients strengthen their IBM z/OS mainframe access
controls by fully exploiting all the capabilities and latest innovations in
RACF. He has worked with IBM mainframes since 1976 and in information
systems security since 1981. Mr. Hansel began working with RACF in
1986 and has been a RACF administrator, manager, auditor, instructor,
developer, and consultant. He has reviewed, implemented, and
enhanced RACF controls for major insurance firms, financial institutions,
utilities, payment card processors, universities, hospitals, and
international retailers. Mr. Hansel is especially skilled at redesigning and
refining large‐scale implementations of RACF using role‐based access
control concepts. He has also created elaborate automated tools to assist
clients with RACF administration, database merging, identity
management, and quality assurance.
Contact and background information:
• 617‐969‐8211
• R.Hansel@rshconsulting.com
• www.linkedin.com/in/roberthansel
• www.rshconsulting.com
RACF SETROPTS SHARE
2
© 2015 RSH Consulting, Inc. All Rights Reserved. March 2015
SETROPTS
 SETROPTS ‐ SET RACF OPTIONS

• Defines system‐wide RACF security & auditing options
• Options reside in RACF Database ICB (Inventory Control Block)
 TSO Command ‐ SETROPTS option‐operand(s) | LIST
• LIST ‐ display options
• Use of command always logged
 Authority to execute
• SPECIAL List & set security options only
• AUDITOR List all options & set auditing options
• Group‐AUDITOR List all options
• OPERCMDS racf‐subsystem.SETROPTS Execute commands via the console
 READ LIST
 UPDATE All other operands
 Setting options on a particular resource class (e.g., TCICSTRN) affects all
classes with the same POSIT value
  ‐ RSH recommended option settings
RACF SETROPTS SHARE
3
SETROPTS LIST
SETROPTS LIST
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC) TERMINAL(READ) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = DATASET GTERMINL TERMINAL
AUDIT CLASSES = DATASET USER GROUP DASDVOL GDASDVOL GTERMINL TERMINAL
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM ACICSPCT APPL BCICSPCT CCICSCMD
CDT CONSOLE DASDVOL DCICSDCT DSNR ECICSDCT FACILITY FCICSFCT
FSSEC GCICSTRN GDASDVOL GSDSF GTERMINL HCICSFCT JCICSJCT
KCICSJCT LOGSTRM MCICSPPT NCICSPPT OPERCMDS PCICSPSB
PMBR PROGRAM PROPCNTL QCICSPSB RACFVARS RRSFDATA RVARSMBR
SCICSTST SDSF SERVER STARTED SURROGAT TCICSTRN TEMPDSN
TERMINAL TSOAUTH TSOPROC UCICSTST UNIXPRIV VCICSCMD
GENERIC PROFILE CLASSES = DATASET DASDVOL FACILITY PROGRAM TCICSTRN TERMINAL
GENERIC COMMAND CLASSES = DATASET ACCTNUM DASDVOL FACILITY FIELD PERFGRP
PROGRAM T@TESTRN TCICSTRN TERMINAL TSOAUTH TSOPROC
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = DATASET FACILITY TERMINAL
SETR RACLIST CLASSES = APPL CDT DSNR FACILITY STARTED TSOAUTH TSOPROC
GLOBAL=YES RACLIST ONLY = TCICSTRN
LOGOPTIONS "ALWAYS" CLASSES = SURROGAT
LOGOPTIONS "NEVER" CLASSES = NONE
LOGOPTIONS "SUCCESSES" CLASSES = NONE
LOGOPTIONS "FAILURES" CLASSES = FACILITY
LOGOPTIONS "DEFAULT" CLASSES = DATASET ACCTNUM ACICSPCT ALCSAUTH APPCLU
... VTAMAPPL VXMBR WIMS WRITER
AUTOMATIC DATASET PROTECTION IS IN EFFECT
ENHANCED GENERIC NAMING IS IN EFFECT
REAL DATA SET NAMES OPTIONS IS INACTIVE
JES-BATCHALLRACF OPTION IS INACTIVE
JES-XBMALLRACF OPTION IS INACTIVE
JES-EARLYVERIFY OPTION IS INACTIVE
PROTECT-ALL OPTION IS NOT IN EFFECT
TAPE DATA SET PROTECTION IS INACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS 9999 DAYS.
ERASE-ON-SCRATCH IS INACTIVE
SINGLE LEVEL NAME PREFIX IS LVL1X
LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
INACTIVE USERIDS ARE NOT BEING AUTOMATICALLY REVOKED.
NO DATA SET MODELLING IS BEING DONE.
RACF SETROPTS SHARE
4
SETROPTS LIST
PASSWORD PROCESSING OPTIONS
THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES New - APAR OA43999
PASSWORD CHANGE INTERVAL IS 45 DAYS.
PASSWORD MINIMUM CHANGE INTERVAL IS 3 DAYS.
MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
SPECIAL CHARACTERS ARE ALLOWED.
10 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
A USERID WILL BE REVOKED.
PASSWORD EXPIRATION WARNING LEVEL IS 5 DAYS.
INSTALLATION PASSWORD SYNTAX RULES:
RULE 1 LENGTH(5:8) ********
RULE 2 LENGTH(6:8) LLLLLLLL
LEGEND:
A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL s-SPECIAL
x-MIXEDALL
INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
DEFAULT RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
SECLEVELAUDIT IS INACTIVE
SECLABEL AUDIT IS NOT IN EFFECT
SECLABEL CONTROL IS NOT IN EFFECT
GENERIC OWNER ONLY IS NOT IN EFFECT
COMPATIBILITY MODE IS NOT IN EFFECT
MULTI-LEVEL QUIET IS NOT IN EFFECT
MULTI-LEVEL STABLE IS NOT IN EFFECT
NO WRITE-DOWN IS NOT IN EFFECT
MULTI-LEVEL ACTIVE IS NOT IN EFFECT
CATALOGUED DATA SETS ONLY, IS NOT IN EFFECT
USER-ID FOR JES NJEUSERID IS : ????????
USER-ID FOR JES UNDEFINEDUSER IS : ++++++++
PARTNER LU-VERIFICATION SESSIONKEY INTERVAL DEFAULT IS 30 DAYS.
APPLAUDIT IS IN EFFECT
ADDCREATOR IS NOT IN EFFECT
KERBLVL = 0
MULTI-LEVEL FILE SYSTEM IS NOT IN EFFECT
MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS NOT IN EFFECT
MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
PRIMARY LANGUAGE DEFAULT : ENU / ENGLISH
SECONDARY LANGUAGE DEFAULT : ENU / ENGLISH
RACF SETROPTS SHARE
5
SETROPTS
 INITSTATS  | NOINITSTATS
• Specifies whether user logon statistics are recorded
• Required with INACTIVE or PASSWORD( REVOKE | HISTORY | WARNING )
 WHEN( PROGRAM )  | NOWHEN( PROGRAM ) ) [ REFRESH ]

• Activates PROGRAM Class
• Enables protection of program modules & use of conditional access to datasets via
a specific program
• Needed to ensure a 'clean' program environment for Unix Daemons
• Mode set via following profile
FACILITY IRR.PGMSECURITY APPLDATA( BASIC | ENHANCED | anything )
anything ‐ activates ENHANCED‐WARNING
RACF SETROPTS SHARE
6
SETROPTS
 TERMINAL( READ  | NONE )
• Specifies the universal access (UACC) for undefined terminals
• Only appears if TERMINAL Class is active
• If set to NONE and no profiles allow access, all terminal logons are denied
 SAUDIT  | NOSAUDIT
• Specifies whether RACF commands issued using SPECIAL authority are logged
 CMDVIOL  | NOCMDVIOL
• Specifies whether RACF command violations are logged
 OPERAUDIT  | NOOPERAUDIT
• Specifies whether RACF commands issued & resources accessed using OPERATIONS
authority are logged
RACF SETROPTS SHARE
7
SETROPTS
 STATISTICS( class ... | * ) | NOSTATISTICS( class ... | *  )

• Causes access counts to be incremented in discrete profiles
• Ignored for RACLISTed classes
• Statistics not incremented for GLOBAL granted access
• Negative performance impact
 AUDIT( class ... | *  ) | NOAUDIT( class ... | * )

• Activates auditing of profile changes for the specified class
• Ensures auditing of RACF commands entered using an authority other than SPECIAL
and OPERATIONS (addressed by SAUDIT and OPERAUDIT)
• For certain classes, also logs:
 DATASET creations and deletions of datasets
 FSOBJ creations and deletions of USS file system objects
 IPCOBJ creations and deletions of USS objects (e.g., semaphores)
 PROCESS dubbing and undubbing of a process
 USER all password changes, even those made during logon
and auto‐assignment of OMVS segments by BPX.UNIQUE.USER
 GROUP auto‐assignment of OMVS segments by BPX.UNIQUE.USER
RACF SETROPTS SHARE
8
SETROPTS
 CLASSACT( class ... | * ) | NOCLASSACT( class ... | * )
• Activates profiles in the specified class
• Beware activating classes defined with DFTRETC=8 in the CDT; access will be denied
when no profile is defined (e.g., JESINPUT)
•  Activating TEMPDSN turns on protection for temporary datasets
•  Activating FSSEC causes Unix Extended Access Control Lists to take affect
• Activating PROGRAM and GLOBAL have no effect
 GENERIC( class ... | * ) | NOGENERIC( class ... | * ) [ REFRESH ]
• Activates generic profiles in the specified class
• Also activates GENCMD if not already active
• REFRESH causes all in‐memory address space lists to be renewed
 GENCMD( class ... | * ) | NOGENCMD( class ... | * )
• Enables creation of generic profiles in the specified class
• Be sure to activate GENCMD before attempted to create profiles with generic
characters; otherwise, they will be created as discretes
RACF SETROPTS SHARE
9
SETROPTS
 GENLIST( class ... ) | NOGENLIST( class ...  )

• Stores generic profiles in ECSA for authorization checking
• Most appropriate for VM related classes (e.g., VMMDISK )
• To GENLIST, class must be defined with GENLIST=ALLOWED in CDT
• To refresh, issue SETROPTS GENERIC(class) REFRESH
 GLOBAL( class ... | * ) | NOGLOBAL( class ... | * ) [ REFRESH ]

• Activates global access checking for specified class
• Profile matching class name needs to be defined in the GLOBAL class
 RACLIST( class ... ) | NORACLIST( class ... ) [ REFRESH ]

• Stores all profiles in a data space for authorization checking
• To SETROPTS RACLIST, class must be defined with RACLIST=ALLOWED in CDT
• Certain products automatically RACLIST classes (e.g., CICS)
 Appear in SETROPTS LIST under "GLOBAL=YES RACLIST ONLY ="
• Required to exploit grouping classes (e.g., DASDVOL/GDASDVOL)
• Required for some classes (e.g., STARTED ) ‐ RACLREQ=YES in CDT
RACF SETROPTS SHARE
10
SETROPTS
 LOGOPTIONS( level( class … ) … )
• Specifies the level of access auditing enforced for a given class
• Auditing Levels
 ALWAYS Log all accesses, even if no profile exists ( FSSEC )
 NEVER Do not log any accesses
 SUCCESSES Log all successful accesses
 FAILURES  Log all violations
 DEFAULT Log according to the profile audit settings
• SUCCESSES and FAILURES augment resource profile audit settings
• ALWAYS and NEVER override resource profile audit settings
• ALWAYS logs access by TRUSTED Started Tasks
• NEVER does not suppress user UAUDIT logging
• SUCCESSES and ALWAYS
 Will not log access granted via GLOBAL or where the RACROUTE caller specifed LOG=NONE
 Does not affect logging for RACROUTE REQUEST=FASTAUTH ‐ only profile log options apply
• FAILURES(PROCESS PROCACT IPCOBJ ) activates logging of violations for related
Unix events
RACF SETROPTS SHARE
11
SETROPTS
 ADSP | NOADSP 
• Will automatically create a discrete dataset profile when a dataset is first created
for any user whose ID also has the ADSP attribute
 EGN  | NOEGN
• Enables use of enhanced generic naming for datasets, including the ** generic
character
• When first enabled, profiles formerly ending in * display as *.**
 REALDSN | NOREALDSN
• Applicable when the Naming Conventions Table ICHNCV00 is used
• Causes RACF messages and SMF records to display the true dataset name rather
than the converted name
RACF SETROPTS SHARE
12
SETROPTS
 JES ( BATCHALLRACF  | NOBATCHALLRACF )
• Requires all batch jobs to have an associated USERID
• RJE jobs must have RACF IDs
 JES ( XBMALLRACF  | NOXBMALLRACF ) (JES2 only)

• Requires all batch jobs run under an Execution Batch Monitor to have an
associated USERID
 JES ( EARLYVERIFY | NOEARLYVERIFY  )
• Requires JES to verify batch job users (ID and password) at the time of submission
rather than waiting until execution
• Obsolete legacy option ‐ only applies to pre‐3.1.3 versions of JES (circa 1990)
• Newer releases of JES behave as if EARLYVERIFY is active
RACF SETROPTS SHARE
13
SETROPTS
 PROTECTALL( FAILURES  | WARNING ) | NOPROTECTALL
• Requires all datasets to be ‘defined’ to RACF to gain access
• Only applies to datasets
• Mode Options
 WARNING Allows and logs access to undefined datasets
 FAILURES Denies access to undefined datasets
• Privileged/Trusted Started Tasks & System‐SPECIAL users can access undefined
datasets
 SETR TAPEDSN | NOTAPEDSN
• Activates DATASET profile protection for tape datasets
•  ‐ Any of the following options
 RACF SETROPTS TAPEDSN
 z/OS PARMLIB(DEVSUPxx) parameter TAPEAUTHDSN=YES
 CA‐1 configuration option OCEOV is set to YES
 RETPD( nnnnn | 0  )
• Default security retention period in days for tape dataset profiles
• nnnnn values can be 0 ‐ 65533 or 99999 (never)
• Typically handled by tape management system
RACF SETROPTS SHARE
14
SETROPTS
 ERASE( ALL | SECLEVEL(seclevel) | NOSECLEVEL ) | NOERASE
•  ALL or NOSECLEVEL
• Enables overwriting of datasets upon deletion to protect against scavenging of
residual data
• NOSECLEVEL ‐ uses ERASE option setting on dataset profile
• Applies to DASD datasets only
• Newer DASD devices eliminate performance concerns
 PREFIX( prefix  ) | NOPREFIX
• Activates RACF protection for single‐qualifier datasets
• Appends pseudo‐HLQ prefix to the dataset name before checking authorization
• Prefix should match name of predefined group
  Create a unique, standalone group to be used solely for the prefix
• Enables protection via normal dataset profiles (e.g., prefix.** )
• With NOPREFIX & EGN active, profiles like HLQ.** will protect single‐level named
datasets whose name matches the HLQ
RACF SETROPTS SHARE
15
SETROPTS
 GRPLIST  | NOGRPLIST
• Determines whether all a user's connected groups are used for access
authorization ‐or‐ just the user's current logon group
• When authorization checking uses all a user’s groups (GRPLIST), access authority is
based on highest level of access allowed by any of the groups
 INACTIVE( nnn ) | NOINACTIVE ( <= 90)
• Specifies the number of days ( up to 255 ) that a USERID can remain unused and
still be considered active
• First logon attempt after limit has been crossed results in the ID being revoked
RACF SETROPTS SHARE
16
SETROPTS
 MODEL( options ) | NOMODEL 
• Prompts the automatic creation of a discrete dataset profile for each new dataset
at the time the dataset is created
• Options
 GDG | NOGDG
 Ensures all GDG generations are given identical profiles
 When a new generation dataset is created, RACF copies the discrete profile defined for the GDG
base to create a new discrete profile for the generation
 GROUP | NOGROUP
 When a new group dataset is created, RACF uses the model profile referenced in the group profile to
create a new discrete profile
 Group profile must specify MODEL(model‐profile‐name)
 USER | NOUSER
 When a new user dataset is created, RACF uses the model profile referenced in the user profile to
create a new discrete profile
 User profile must specify MODEL(model‐profile‐name)
• If no corresponding model profile is defined, no discrete profile is created
• Model dataset profiles are defined using the ADDSD MODEL operand
RACF SETROPTS SHARE
17
SETROPTS
 PASSWORD( suboperand … )
• ALGORITHM  | NOALGORITHM
 Directs RACF to use the KDFAES algorith to encrypt new passwords and password phrases
• INTERVAL( nnn | 30 ) (  <= 90)
 Number of days ( 1 to 254 ) before user must change password
• MINCHANGE( nnn | 0 ) (  => 1)
 Number of days ( 0 to 254 ) before user can change password again
• MIXEDCASE  | NOMIXEDCASE
 Specifies whether passwords are to be mixed case
• SPECIALCHAR  | NOSPECIALCHAR
 Enables use of special characters in passwords, including: . < + | & ! * ‐ % _ > ? : =
• HISTORY( nn ) | NOHISTORY (  => 12)
 Number of previous passwords ( up to 32 ) that cannot be reused
• REVOKE( nnn ) | NOREVOKE (  <= 5)
 Number of consecutive incorrect password attempts ( up to 255 ) before USERID is revoked
• WARNING( nnn ) | NOWARNING (  <= 5)
 Specifies the number of days ( up to 255 ) before a password expires to begin issuing an upcoming
expiration notice to the user
 Warnings are only displayed by applications designed to process this setting (e.g., TSO)
RACF SETROPTS SHARE
18
SETROPTS
 PASSWORD( suboperand … ) ‐ continued
• RULEn( LENGTH( m1 [ :m2 ] ) [ content‐keyword(position) … ] )
| NORULEn | NORULES
 Specifies password syntax for new user‐selected passwords
 Up to 8 separate rules ‐ a password must match one for acceptance
 Does not apply to ADDUSER or ALTUSER PASSWORD(password), unless NOEXPIRED is also
specified
 Length ‐ 'm1' minimum to (optional) 'm2' maximum (e.g., 6 or 5:7 ) ‐ up to 8
 Content‐Keywords ( Defaults to ANYTHING ‐ * )
 ALPHA ALPHANUM VOWEL NOVOWEL CONSONANT NUMERIC NATIONAL SPECIAL
 MIXED CONSONANT MIXED NUMERIC MIXED VOWEL (MIXEDCASE options)
 MIXEDALL 
 Content position ‐ position number or range (e.g., 3 or 5:8)
 Alternative recommendations (with APAR OA43999, use MIXEDALL instead of ALPHANUM)
RULE1(LENGTH(6:8))
‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
RULE1(LENGTH(6:8) ALPHANUM(6:8))
‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
RULE1( LENGTH(6) ALPHA(1,6) ALPHANUM(2:5) )
RACF SETROPTS SHARE
19
SETROPTS
 RVARYPW( SWITCH( password )  | STATUS( password )  )
• Sets console password that must be entered to execute RVARY
• Default password is YES
 SECLEVELAUDIT( seclevel ) | NOSECLEVELAUDIT
• Activates auditing of all access attempts to resources at or above a specified
security level
• The specified seclevel must be defined in a SECDATA SECLEVEL profile
 SECLABELAUDIT | NOSECLABELAUDIT
• Specified that SECLABEL profile auditing options are to be used in addition to the
resource profile auditing options in logging access
 SECLABELCONTROL | NOSECLABELCONTROL
• Restricts who can change the SECLABEL on a profile to only those users with
System and Group SPECIAL
RACF SETROPTS SHARE
20
SETROPTS
 GENERICOWNER  | NOGENERICOWNER
• Applies to users with CLAUTH for general resource class
• Restricts creation of more specific, undercutting profiles
• To create a more specific profile, user must:
 Have System‐SPECIAL
 Be the Owner of the existing profile
 Have Group‐SPECIAL over the group owning the existing profile
 COMPATMODE | NOCOMPATMODE
• Allows users & jobs not using SECLABELs to be on a system enforcing SECLABELs
(using RACROUTE pre‐1.9 keywords)
 MLQUIET | NOMLQUIET
• Allows only Started Tasks, console operators, or users with SPECIAL attribute to
logon or access resources
 MLSTABLE | NOMLSTABLE
• Prevents alter of SECLABELs unless system is in MLQUIET mode
RACF SETROPTS SHARE
21
SETROPTS
 MLS( FAILURES | WARNING ) | NOMLS
• Prevents users from de‐classifying data
 MLACTIVE( FAILURES | WARNING ) | NOMLACTIVE
• Requires SECLABELs for all work entering system and on USER, DATASET and classes
requiring SECLABELs ( SLBLREQ= in CDT )
 CATDSNS( FAILURES | WARNING ) | NOCATDSNS
• Requires all DFP‐managed datasets to be catalogued in order to access them
• Uncataloged datasets are only accessible to users with:
 Privileged/Trusted Started Task or SPECIAL attribute
 Access to FACILITY Profile ‘ICHUNCAT.dsname’
 Access to FACILITY Profile ‘ICHUSERCAT’ when using a private catalog (JOBCAT or STEPCAT)
 Access authority to datasets protected by Discrete Profiles
 JES ( NJEUSERID( non‐existing‐userid | ????????  ) )

• Defines the owner to be associated with NJE SYSOUT or jobs that arrive through
the network without an RTOKEN or UTOKEN
RACF SETROPTS SHARE
22
SETROPTS
 JES ( UNDEFINEDUSER( non‐existing‐userid | ++++++++  ) )

• Defines the owner to be associated with local jobs that enter the system without a
user ID (e.g., RJE)
 SESSIONINTERVAL( nnnnn | 30 ) | NOSESSIONINTERVAL

• Sets the maximum value in minutes ( up to 32767 ) that can be specified for
RDEFINE or RALTER session key expiration intervals on APPCLU profiles
• NOSESSIONINTERVAL sets the value to 0 ( no limit )
 APPLAUDIT  | NOAPPLAUDIT
• Enables auditing of APPC transactions
• Depends on AUDIT settings on associated APPL class profiles
 ADDCREATOR | NOADDCREATOR 
• Determines whether the USERID of the creator of a new dataset or general
resource profile is automatically placed on the access list with ALTER access when
the profile is created
RACF SETROPTS SHARE
23
SETROPTS
 KERBLVL( 0 | 1 )
• Specifies whether DES alone (0) or DES, DES3, and DESD (1) can be used in creating
Kerberos keys
• Obsolete option ‐ ignored beginning with z/OS 1.9
 MLFSOBJ( ACTIVE | INACTIVE )
• Specifies whether security labels are required for Unix files and directories
 MLIPCOBJ( ACTIVE | INACTIVE )
• Specifies whether security labels are required for Unix interprocess communication
 MLNAMES | NOMLNAMES
• Specifies whether users are restricted to viewing only the names of datasets and
Unix files and directories that their security labels would allow them to read
 LANGUAGE(PRIMARY(language) SECONDARY(language) )
• Sets default for system‐wide languages
• Default is ENU (U.S. English)
RACF SETROPTS SHARE
24

RSH Consulting - RACF SETROPTS - 2015-03 - SHARE - 16807

Uploaded by

Copyright:

Available Formats

RSH Consulting - RACF SETROPTS - 2015-03 - SHARE - 16807

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RSH Consulting - RACF SETROPTS - 2015-03 - SHARE - 16807

Uploaded by

Copyright:

Available Formats

RACF

 SETROPTS ‐ SET RACF OPTIONS

 WHEN( PROGRAM )  | NOWHEN( PROGRAM ) ) [ REFRESH ]

 STATISTICS( class ... | * ) | NOSTATISTICS( class ... | *  )

 AUDIT( class ... | *  ) | NOAUDIT( class ... | * )

 GENLIST( class ... ) | NOGENLIST( class ...  )

 GLOBAL( class ... | * ) | NOGLOBAL( class ... | * ) [ REFRESH ]

 RACLIST( class ... ) | NORACLIST( class ... ) [ REFRESH ]

 JES ( XBMALLRACF  | NOXBMALLRACF ) (JES2 only)

 JES ( NJEUSERID( non‐existing‐userid | ????????  ) )

 JES ( UNDEFINEDUSER( non‐existing‐userid | ++++++++  ) )

 SESSIONINTERVAL( nnnnn | 30 ) | NOSESSIONINTERVAL

You might also like