TACF Commands

This chapter describes the TACF commands.

1. Overview

The TACF Manager (tacfmgr) is used for the following tasks:

  • Registering and deleting user accounts

  • Registering, deleting or modifying resource profiles

  • Adding or changing access authorities

tacfmgr commands are executed with the authority of the logged-in user. The tool is therefore intended for users who hold security authority rather than for those without it.

To use tacfmgr, a login is required. The login sequence proceeds in the following order.

  • Enter the USERID, GROUPNAME, and PASSWORD by using the -i option.

  • The entered USERID, GROUPNAME, and PASSWORD are taken as the account information for the session.

The following describes the notation used in this chapter for the syntax of the TACF commands executed by tacfmgr.

( )
  Meaning: Positional parameter. It must be placed at a specific position in the operand field and cannot be omitted. A positional or optional parameter can take one or more operands, which are enclosed in ( ) after the parameter where necessary.
  Example: (userid ...)

[ ]
  Meaning: Optional parameter with no fixed position. If omitted, the default value is used.
  Example: [UNIT(type)]

{ }
  Meaning: One of the listed alternatives is selected. If none is specified, the default value is used.
  Example: {ADDCATEGORY | DELCATEGORY}

space
  Meaning: TACF commands, parameters, and operands are separated by spaces.
  Example: name1 name2 ...

Italic
  Meaning: User-defined input value.
  Example: [MODEL(dsname)]

underline
  Meaning: Default value.
  Example: ADSP | NOADSP

' '
  Meaning: Special character.
  Example: 'D'

...
  Meaning: The preceding operand can be repeated.
  Example: profile-name ...

Capital letters
  Meaning: Commands and parameters are recognized only in capital letters.
  Example: ADDSD

List of Commands

The following is the list of TACF commands. The abbreviation of each command is given in parentheses.

ADDGROUP (AG): Defines a new group to TACF.
ADDUSER (AU): Defines a new user to TACF and connects the user to the default group.
ADDSD (AD): Defines a discrete data set profile or a generic data set profile to TACF.
ALTDSD (ALD): Modifies the specified data set profile.
ALTGROUP (ALG): Modifies the profile of the specified group.
ALTUSER (ALU): Modifies the profile of the specified user.
CONNECT (CO): Connects a user to a group and sets the user's group-related attributes.
DELDSD (DD): Deletes the specified data set profile.
DELGROUP (DG): Deletes the specified group profile.
DELUSER (DU): Deletes the specified user profile.
LISTDSD (LD): Displays the data set profiles registered in TACF.
LISTGRP (LG): Displays the group profiles registered in TACF and the connection profiles linked to a group.
LISTUSER (LU): Displays the user profile of the specified user and the user's connection profiles.
PASSWORD (PW): Sets a user password or a password change interval.
PERMIT (PE): Grants or removes a user's or group's authority to a specific resource.
RALTER (RALT): Modifies a resource profile.
RDEFINE (RDEF): Registers a discrete profile or generic profile for a new resource.
RDELETE (RDEL): Deletes a resource profile.
REMOVE (RE): Removes a user from a group.
RLIST (RL): Displays the profile information of a registered resource and the authority list for the resource.
SEARCH (SR): Displays the profiles, users, and groups registered in TACF that match the search conditions specified by the user.
HELP (H): Displays instructions for tacfmgr commands.
QUIT: Quits tacfmgr.

2. ADDGROUP (AG)

Registers a new group in TACF. After a new group has been registered by this command, a hierarchical relationship is established between the new group and its superior group.

Issuing this command requires the user to have at least one of the following.

  • Special attribute

  • Superior group

  • JOIN authority to the superior group

  • Group-special attribute for the superior group

Syntax

The ADDGROUP command is used as follows:

{ADDGROUP | AG}
    (group-name ...)
    [DATA('installation-defined-data')]
    [MODEL(dsname)]
    [OWNER(userid | group-name)]
    [SUPGROUP(group-name)]

The following describes the parameters for the ADDGROUP command.

Field Description

(group-name …​)

Specifies the name of the group to be registered. A group name is up to eight characters consisting of English letters, digits, and the symbols @, #, and $. To register multiple groups, separate the names with a single space. Each group name must be unique in TACF; a group with the same name as an existing group is not registered.

DATA ('installation-defined-data')

Specifies notes on installation in no more than 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' ').

MODEL (dsname)

Specifies the name of the data set profile to be used as the model data set for the group. Not supported in the current version.

OWNER (userid | group-name)

Specifies the user ID or group name to be the owner of the group profile. (Default value: current user ID)

SUPGROUP (group-name)

Specifies the name of the superior group. (Default value: current connect group)

Examples

The following example uses the ADDGROUP command and views its result through the LISTGRP command.

ADDGROUP GROUP001 DATA('GROUP001 ADDED.') OWNER(ROOT) SUPGROUP(SYS1)
INFORMATION FOR GROUP GROUP001
  SUPERIOR GROUP=SYS1           OWNER=ROOT
  DATA=GROUP001 ADDED.
  NO-MODEL-DATA-SET
  TERMUACC
  NO SUBGROUPS

3. ADDUSER (AU)

Registers a new user in TACF and connects the user to an existing group, which becomes the user’s default group.

Using the ADDUSER command requires the user to have one of the following.

  • Special attribute

  • CLAUTH attribute for the USER class while one of the following is true:

    • The user owns the default group profile of the newly added user

    • The user holds the JOIN authority to the default group of the newly added user

    • The user has the group-special attribute for the default group of the newly added user

Syntax

The ADDUSER command is used as follows:

{ADDUSER | AU}
    (userid ...)
    [ADDCATEGORY(category-name...)]
    [AUDITOR | NOAUDITOR]
    [AUTHORITY(group-authority)]
    [CLAUTH(class-name...) | NOCLAUTH]
    [DATA('installation-defined-data')]
    [DFLTGRP(group-name)]
    [GRPACC | NOGRPACC]
    [MODEL(dsname)]
    [NAME('user-name')]
    [OPERATIONS | NOOPERATIONS]
    [OWNER(userid | group-name)]
    [PASSWORD(password) | NOPASSWORD]
    [RESTRICTED | NORESTRICTED]
    [SECLEVEL(seclevel-name)]
    [SPECIAL | NOSPECIAL]
    [SECLABEL(seclabel-name)]
    [UACC(access-authority)]
    [WHEN([DAYS(day-info)][TIME(time-info)])]
    [CICS(
       [OPCLASS(operator-class ...)]
       [OPIDENT(operator-id)]
       [OPPRTY(operator-priority)]
       [RSLKEY(rslkey ...)]
       [TIMEOUT(timeout-value)]
       [TSLKEY(tslkey ...)]
       [XRFSOFF(FORCE | NOFORCE)])]

The following describes the parameters for the ADDUSER command.

Field Description

(userid …​)

Specifies the user ID. A user ID is up to eight characters consisting of English letters, digits, and the symbols @, #, and $. An error occurs if an existing ID is used.

ADDCATEGORY (category-name ...)

For syntax check only.

AUDITOR | NOAUDITOR

If not specified, NOAUDITOR is used as the default value.

  • AUDITOR: Specifies the auditor attribute for a new user.

  • NOAUDITOR: Does not give the auditor attribute to the new user.

AUTHORITY (group-authority)

Specifies an authority for the default group of a new user. For more information about the group authority, refer to Group-related Authorities.

CLAUTH (class-name…​) | NOCLAUTH

  • CLAUTH (class-name …​): Specifies a class that can be defined by a new user in TACF. The current TACF version supports USER only.

  • NOCLAUTH: Gives the new user no class authority. Used as the default value if neither CLAUTH nor NOCLAUTH is specified.

DATA ('installation-defined-data')

Specifies notes on installation with up to 255 characters. Must be enclosed in single quotation marks (' ') if an empty space or special character is included.

DFLTGRP (group-name)

Specifies the default group of a new user. The default group must be registered in TACF.

GRPACC | NOGRPACC

  • GRPACC: Gives other users within the group access to user-defined group data sets.

  • NOGRPACC: Used as the default value if GRPACC is not specified.

MODEL(dsname)

For syntax check only.

NAME ('user-name')

Specifies the name of a new user. Special characters must be enclosed in single quotation marks (' '). The name can be up to 31 characters long.

OPERATIONS | NOOPERATIONS

  • OPERATIONS: Grants a new user the ALTER authority for all resources protected by TACF. However, this authority is applied only when the resource access authority is specified by using the ACCESS parameter in the PERMIT statement.

  • NOOPERATIONS: Used as the default value if OPERATIONS is not specified.

OWNER (userid | group-name)

Specifies the user ID or group name for the owner of the profile of a new user. The user ID or group name must match the user ID or group name registered in TACF.

PASSWORD(password) | NOPASSWORD

If neither PASSWORD nor NOPASSWORD is specified, the default group name of the new user is used as the password. If a password is specified through this parameter, saf_exit_password cannot be executed.

  • PASSWORD (password): Specifies the password of the new user. TACF imposes no password creation rules or restrictions other than saf_exit_password.

  • NOPASSWORD: Specifies the new user as a protected user.

RESTRICTED | NORESTRICTED

  • RESTRICTED: Prevents the new user from accessing any resource protected by TACF. Such a user can be given access to specific resources only through the ACCESS parameter of the PERMIT command, regardless of the UACC value of the resources.

  • NORESTRICTED: Used as the default value if RESTRICTED is not used.

SECLEVEL (seclevel-name)

For syntax check only.

SPECIAL | NOSPECIAL

If both SPECIAL and NOSPECIAL are not specified, NOSPECIAL is used as the default value.

  • SPECIAL: Specifies the special attribute for a new user.

  • NOSPECIAL: Does not specify the special attribute for a new user.

SECLABEL (seclabel-name)

For syntax check only.

UACC (access-authority)

Specifies the universal access authority for the current data set. For more information about access authorities, refer to Specifying Access Authorities for a Data Set.

WHEN([DAYS(day-info)] [TIME(time-info)])

Specifies the days of the week and the hours of the day during which the user can access the system.

  • DAYS (day-info)

    Specifies the days of the week when the user can access the system. day-info can be any one of the following: ANYDAY, WEEKDAYS, or any specified day of the week from SUNDAY to SATURDAY.

    • ANYDAY: Specifies that the user can access the system on any day. ANYDAY is the default when DAYS is omitted.

    • WEEKDAYS: Specifies that the user can access the system only on weekdays (Monday-Friday).

    • day: Specifies the days when the user can access the system, where the value can be MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY.

  • TIME(time-info)

    Specifies the hours in the day when the user can access the system. (Default value: '0000:2400', meaning the user can access the system any time)

CICS(
    [OPCLASS(operator-class ...)]
    [OPIDENT(operator-id)]
    [OPPRTY(operator-priority)]
    [RSLKEY(rslkey ...)]
    [TIMEOUT(timeout-value)]
    [TSLKEY(tslkey ...)]
    [XRFSOFF(FORCE | NOFORCE)])

Specifies fields in the CICS segment for the new CICS terminal user.

  • OPCLASS (operator-class …​)

    Specifies numbers ranging from 1 to 24 that correspond to classes to which basic mapping support (BMS) messages will be sent.

  • OPIDENT (operator-id)

    Specifies a 1-to-3 character operator ID to be used by BMS. If nothing is specified, the field displays blanks in the LISTUSER command output.

  • OPPRTY (operator-priority)

    Specifies a number ranging from 0 to 255 that indicates the user’s priority. (Default value: 0)

  • RSLKEY (rslkey …​)

    Specifies resource security level (RSL) keys to be assigned to the user. The RSL keys can be specified as one or more numbers from the following: 1-24, 0, or 99. (Default value: 0)

  • TIMEOUT (timeout-value)

    Specifies the time that the user can remain idle before being signed off. The value for TIMEOUT can be entered in hours and minutes as in the following: m, mm, hmm, and hhmm.

  • TSLKEY (tslkey …​)

    Specifies transaction security level (TSL) keys to be assigned to the user. The TSL keys can be one or more numbers of 1-64, 0, 1, or 99. (Default value: 1)

  • XRFSOFF (FORCE|NOFORCE)

    Specifies whether to terminate a CICS terminal user’s access if the extended recovery facility (XRF) is used with CICS.

    • FORCE: Signs off the operator.

    • NOFORCE: Does not sign off the operator.
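The following Python checks, added here and not part of TACF, apply the parameter rules in the table above to an ADDUSER parameter set before it is issued: the user ID character and length rule, mutually exclusive keywords, the DATA and NAME lengths, the WHEN and CICS value ranges, and the note above that a user created without PASSWORD or NOPASSWORD gets the default group name as its initial password. logon_allowed then applies a WHEN window to a timestamp. The structured input format and the inclusive-start, exclusive-end reading of TIME are assumptions.

```python
import re
from datetime import datetime

# Character rule from the (userid ...) row: at most eight of A-Z, 0-9, @, #, $.
_USERID = re.compile(r"^[A-Z0-9@#$]{1,8}$")
_TIME = re.compile(r"^(\d{4}):(\d{4})$")
DAY_VALUES = {"ANYDAY", "WEEKDAYS", "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY",
              "FRIDAY", "SATURDAY", "SUNDAY"}
WEEKDAY_NAMES = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]
EXCLUSIVE = [("AUDITOR", "NOAUDITOR"), ("CLAUTH", "NOCLAUTH"), ("GRPACC", "NOGRPACC"),
             ("OPERATIONS", "NOOPERATIONS"), ("PASSWORD", "NOPASSWORD"),
             ("RESTRICTED", "NORESTRICTED"), ("SPECIAL", "NOSPECIAL")]
# CICS numeric fields: (name, low, high, extra values allowed outside the range)
CICS_RANGES = [("OPCLASS", 1, 24, ()), ("OPPRTY", 0, 255, ()),
               ("RSLKEY", 1, 24, (0, 99)), ("TSLKEY", 1, 64, (0, 1, 99))]

# Constructed input: the ADDUSER example of this chapter, as a parser would structure it.
EXAMPLE = (["USER001"], {
    "AUTHORITY": ["USE"], "CLAUTH": ["UTILITY"], "DATA": ["USER001 ADDED."],
    "DFLTGRP": ["SYS1"], "NAME": ["USERNAME"], "OPERATIONS": True, "OWNER": ["ROOT"],
    "PASSWORD": ["PASSWORD"], "NOSPECIAL": True,
    "WHEN": {"DAYS": ["ANYDAY"], "TIME": ["0000:2400"]},
    "CICS": {"OPIDENT": ["ABC"], "OPCLASS": ["3"], "RSLKEY": ["3", "5", "12"]}})


def _hhmm_ok(s):
    """0000..2359, plus 2400 as the end-of-day value used by the default '0000:2400'."""
    return s == "2400" or (int(s[:2]) < 24 and int(s[2:]) < 60)


def _all_in(values, low, high, extra):
    return all(v.isdigit() and (low <= int(v) <= high or int(v) in extra) for v in values)


def validate_adduser(operands, params):
    """Return 'ERROR:', 'WARN:' and 'INFO:' findings for one ADDUSER parameter set."""
    out = []
    for uid in operands:
        if not _USERID.match(uid):
            out.append(f"ERROR: userid {uid!r} must be 1-8 characters of A-Z, 0-9, @, #, $")
    for a, b in EXCLUSIVE:
        if a in params and b in params:
            out.append(f"ERROR: {a} and {b} are mutually exclusive")
    if "PASSWORD" not in params and "NOPASSWORD" not in params:
        out.append("WARN: no PASSWORD/NOPASSWORD; the initial password is the default group name")
    if "DATA" in params and len(params["DATA"][0]) > 255:
        out.append("ERROR: DATA is longer than 255 characters")
    if "NAME" in params and len(params["NAME"][0]) > 31:
        out.append("ERROR: NAME is longer than 31 characters")
    if "CLAUTH" in params and set(params["CLAUTH"]) - {"USER"}:
        out.append("WARN: CLAUTH classes other than USER are not supported in this TACF version")
    for attr in ("SPECIAL", "OPERATIONS", "AUDITOR"):
        if attr in params:
            out.append(f"INFO: {attr} is a privileged attribute; confirm that it is required")
    when = params["WHEN"] if isinstance(params.get("WHEN"), dict) else {}
    for day in when.get("DAYS", []):
        if day not in DAY_VALUES:
            out.append(f"ERROR: DAYS value {day!r} is not ANYDAY, WEEKDAYS or a day name")
    for t in when.get("TIME", []):
        m = _TIME.match(t)
        if not (m and _hhmm_ok(m.group(1)) and _hhmm_ok(m.group(2))):
            out.append(f"ERROR: TIME {t!r} must be HHMM:HHMM")
    cics = params["CICS"] if isinstance(params.get("CICS"), dict) else {}
    for key, low, high, extra in CICS_RANGES:
        if key in cics and not _all_in(cics[key], low, high, extra):
            out.append(f"ERROR: CICS {key} {cics[key]} outside {low}-{high} {list(extra)}")
    if "OPIDENT" in cics and not 1 <= len(cics["OPIDENT"][0]) <= 3:
        out.append("ERROR: CICS OPIDENT must be 1 to 3 characters")
    if "TIMEOUT" in cics:  # m, mm, hmm or hhmm; reading the last two digits as minutes is an assumption
        v = cics["TIMEOUT"][0]
        if not (v.isdigit() and 1 <= len(v) <= 4 and int(v[-2:]) < 60):
            out.append("ERROR: CICS TIMEOUT must be m, mm, hmm or hhmm")
    if "XRFSOFF" in cics and cics["XRFSOFF"] not in (["FORCE"], ["NOFORCE"]):
        out.append("ERROR: CICS XRFSOFF must be FORCE or NOFORCE")
    return out


def logon_allowed(when, at):
    """Apply a WHEN window to a datetime. Assumption (not stated on the page): the start
    time is inclusive and the end time exclusive, so 1200:2200 admits 12:00 but not 22:00."""
    days = when.get("DAYS", ["ANYDAY"])
    weekday = at.weekday()
    day_ok = ("ANYDAY" in days or WEEKDAY_NAMES[weekday] in days
              or ("WEEKDAYS" in days and weekday < 5))
    start, end = when.get("TIME", ["0000:2400"])[0].split(":")
    now = at.hour * 100 + at.minute
    return day_ok and int(start) <= now < int(end)


if __name__ == "__main__":
    for finding in validate_adduser(*EXAMPLE):
        print(finding)
    print(logon_allowed(EXAMPLE[1]["WHEN"], datetime(2011, 12, 22, 13, 0)))
```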

Examples

The following example uses the ADDUSER command and views the result by using the LISTUSER command.

ADDUSER USER001 AUTHORITY(USE) CLAUTH(UTILITY) DATA('USER001 ADDED.') DFLTGRP(SYS1) NAME('USERNAME') OPERATIONS OWNER(ROOT) PASSWORD(PASSWORD) NOSPECIAL WHEN(DAYS(ANYDAY)TIME(0000:2400)) CICS(OPIDENT(ABC) OPCLASS(3) RSLKEY(3 5 12))
USER=USER001  NAME=USERNAME  OWNER=ROOT     CREATED=20111222
  DEFAULT-GROUP=SYS1      PASSDATE=20111222 PASS INTERVAL=30
  ATTRIBUTES=OPERATIONS
  REVOKE DATE=NONE    RESUME DATE=NONE  EXPIRED
  LAST ACCESS=
  CLASS AUTHORIZATIONS=UTILITY
  DATA=USER001 ADDED.
  NO-MODEL-DATA-SET
  LOGON ALLOWED   (DAYS)            (TIME)
  ----------------------------------------
                                   0000:2400
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20111222
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE             RESUME DATE=NONE
  SECURITY LEVEL=NONE-SPECIFIED
  CATEGORY AUTHORIZATION
  NONE-SPECIFIED
  SECURITY LABEL=NONE-SPECIFIED

CICS INFORMATION
----------------
  OPCLASS=003
  OPIDENT= ABC
  OPPRTY= 0
  RSLKEY= 00003 00005 00012
  TIMEOUT= NOTIMEOUT
  TSLKEY= 1

4. ADDSD (AD)

Defines a discrete data set profile or a generic data set profile to TACF. If the GENERIC, MODEL or TAPE option is not used, a discrete data set profile is created by default.

Executing the ADDSD command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • The high-level qualifier of the new data set profile matching the user ID

  • Owner of the data set profile with group-special attribute

Syntax

The ADDSD command is used as follows:

{ADDSD | AD}
    (profile-name-1 ...)
    [ADDCATEGORY(category-name ...)]
    [AUDIT(access-attempt[(audit_access-level)] ...)]
    [DATA('installation-defined-data')]
    [NOTIFY[(userid)]]
    [OWNER(userid | group-name)]
    [SECLABEL(seclabel-name)]
    [SECLEVEL(seclevel-name)]
    [UACC(access-authority)]
    [GENERIC]
    [MODEL]
    [TAPE]
    [UNIT(type)]
    [VOLUME(volser ...)]

The following describes the parameters for the ADDSD command.

Field Description

(profile-name-1 …​)

Specifies the name of the data set profile to be added to the TACF database. The format of the generic profile must follow the naming conventions. Each profile name must be unique. The profile is not registered if it has the same name as an existing profile name. For more information about the naming convention for generic data set profiles, refer to Creating Generic Data Set Profiles.

ADDCATEGORY (category-name …​)

For syntax check only.

AUDIT (access-attempt[(audit_access-level)] ...)

Specifies which access attempts, and at which access levels, are to be logged for the data set.

  • Access Attempt

    • ALL: Specifies that both successful accesses and failed accesses are to be logged.

    • FAILURE: Specifies that failed accesses are to be logged.

  • Audit Access Level

    • ALTER: Logs access attempts at the READ, UPDATE, DELETE, RENAME, MOVE, and SCRATCH levels.

    • CONTROL: Logs control-interval access attempts (to VSAM data sets) or access attempts at the RETRIEVE, UPDATE, DELETE, or INSERT levels. Refer to OpenFrame Data Set Guide for more information on VSAM data sets.

    • UPDATE: Logs access attempts at the READ, WRITE, and COPY levels.

    • READ: Logs access attempts at the READ level. (Default)

DATA ('installation-defined-data')

Specifies notes on installation with no more than 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' ').

NOTIFY [(userid)]

Specifies the user ID to be notified when TACF denies access to the data set being added. If not specified, the current user ID is used.

OWNER (userid | group-name)

Specifies a TACF-registered user or group to be defined as the owner of the data set profile.

SECLABEL (seclabel-name)

For syntax check only.

SECLEVEL (seclevel-name)

For syntax check only.

UACC (access-authority)

Specifies the level of the universal access authority (UACC) for the data set. For more information about access authorities, refer to Specifying Access Authorities for a Data Set.

GENERIC

Creates a generic data set profile. Even if this parameter is not specified, a profile whose name contains a wildcard character is created as a generic data set profile.

MODEL

Creates a model data set profile. If the data set profile name contains a wildcard character, this parameter is ignored.

TAPE

Creates a tape data set profile. If the data set profile name contains a wildcard character, this parameter is ignored.

UNIT (type)

For syntax check only.

VOLUME [(volser …​)]

Specifies the volume serials on which the data set resides. The volumes are displayed in the order in which they are specified. If this parameter is omitted for a discrete data set profile of a non-VSAM (NVSM) data set, the catalog is searched to locate the volume containing the data set, and that volume is stored in the table. For a generic data set profile, this parameter is ignored.

Examples

The following example uses the ADDSD command and views the result by using the LISTDSD command.

ADDSD TMAX.DSD001 AUDIT(ALL(READ)) DATA('TMAX.DSD001 ADDED.') NOTIFY(ROOT) OWNER(ROOT) UACC(NONE) VOLUME(DEFVOL)
INFORMATION FOR DATASET TMAX.DSD001
  LEVEL OWNER    UNIVERSAL ACCESS WARNING ERASE
  ----- -------- ---------------- ------- -----
   00   ROOT           NONE        NO    NO
  AUDITING
  --------
  SUCCESS(READ),FAILURES(READ)
  NOTIFY
  --------
  ROOT
  YOUR ACCESS  CREATION GROUP  DATASET TYPE
  -----------  --------------  ------------
  ALTER                        DISCRETE

  VOLUMES ON WHICH DATASET RESIDES  UNIT
  --------------------------------  ----
  DEFVOL
  DATA=TMAX.DSD001 ADDED.
                SECURITY LEVEL
  ------------------------------------------
  NO SECURITY LEVEL
  CATEGORIES
  ----------
  NOCATEGORIES
  SECLABEL
  ----------
  NO SECLABEL

5. ALTDSD (ALD)

Alters the specified data set profile.

Executing the ALTDSD command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the data set profile

  • The high-level qualifier of the data set profile matching the user ID

  • Group-special attribute owner

  • A discrete data set profile whose universal access authority is ALTER

Syntax

The ALTDSD command is used as follows:

{ALTDSD | ALD}
    (profile-name-1 ...)
    [{ADDCATEGORY | DELCATEGORY}(category-name ...)(category-name)]
    [AUDIT(access-attempt[(audit_access-level)] ...)]
    [DATA('installation-defined-data') | NODATA]
    [NOTIFY(userid) | NONOTIFY]
    [OWNER(userid | group-name)]
    [SECLABEL(seclabel-name) | NOSECLABEL]
    [SECLEVEL(seclevel-name) | NOSECLEVEL]
    [UACC(access-authority)]
    [UNIT(type)]
    [VOLUME(volser)]

The following describes the parameters for the ALTDSD command.

Field Description

(profile-name-1 …​)

Specifies the name of the data set profile to be modified. When specifying multiple profiles, the profile names are separated each by a single space. If a specified profile does not exist in TACF, an error occurs and the ALTDSD command fails.

{ADDCATEGORY | DELCATEGORY}(category-name …​) (category-name)

For syntax check only.

AUDIT(access-attempt[(audit_access-level)] …​)

Specifies the resource audit level. For more information, refer to Access Attempt and Audit Access Level.

DATA('installation-defined-data') | NODATA

Specifies notes on installation with no more than 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' '). NODATA is the default value.

NOTIFY(userid) | NONOTIFY

  • NOTIFY(userid): Specifies the user ID to be notified when TACF denies access to the data set being modified.

  • NONOTIFY: Default value when NOTIFY is not specified.

OWNER(userid | group-name)

Specifies a user to be defined as the owner of the data set profile. If not specified, the current user ID is used.

SECLABEL(seclabel-name) | NOSECLABEL

For syntax check only.

SECLEVEL(seclevel-name) | NOSECLEVEL

For syntax check only.

UACC(access-authority)

Specifies the level of the universal access authority (UACC) for the data set. For more information about access authorities, refer to Specifying Access Authorities for a Data Set.

UNIT(type)

For syntax check only.

VOLUME[(volser)]

Specifies the volume serials on which the data set to be modified resides. The volumes are displayed in the order in which they are specified. If this parameter is omitted for a discrete data set profile of a non-VSAM (NVSM) data set, the catalog is searched to locate the volume containing the data set, and that volume is stored in the table. For a generic data set profile, this parameter is ignored.

Examples

The following example uses the ALTDSD command and views the result by using the LISTDSD command.

ALTDSD TMAX.DSD001 DATA('TMAX.DSD001 ALTERED.') NOTIFY(USER002) OWNER(ROOT) UACC(NONE) VOLUME(DEFVOL)
INFORMATION FOR DATASET TMAX.DSD001
  LEVEL OWNER    UNIVERSAL ACCESS WARNING ERASE
  ----- -------- ---------------- ------- -----
   00   ROOT           NONE        NO    NO
  AUDITING
  --------
  FAILURES(READ)
  NOTIFY
  --------
  USER002
  YOUR ACCESS  CREATION GROUP  DATASET TYPE
  -----------  --------------  ------------
  ALTER                        DISCRETE

  VOLUMES ON WHICH DATASET RESIDES  UNIT
  --------------------------------  ----
  DEFVOL
  DATA=TMAX.DSD001 ALTERED.
                SECURITY LEVEL
  ------------------------------------------
  NO SECURITY LEVEL
  CATEGORIES
  ----------
  NOCATEGORIES
  SECLABEL
  ----------
  NO SECLABEL

6. ALTGROUP (ALG)

Alters the profile of the specified group.

Executing the ALTGROUP command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the data set profile

  • Group-special attribute holder

Syntax

The ALTGROUP command is used as follows:

{ALTGROUP | ALG}
    (group-name ...)
    [DATA('installation-defined-data') | NODATA]
    [MODEL(dsname) | NOMODEL]
    [OWNER(userid | group-name)]
    [SUPGROUP(group-name)]
    [TERMUACC | NOTERMUACC]

The following describes the parameters for the ALTGROUP command.

Field Description

(group-name …​)

Specifies the group profile to be modified. When specifying multiple profiles, separate the names with a single space. If a specified profile does not exist in TACF, an error occurs and the ALTGROUP command fails.

DATA('installation-defined-data') | NODATA

Specifies notes on installation with no more than 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' '). The default value is NODATA.

MODEL(dsname) | NOMODEL

For syntax check only.

OWNER(userid | group-name)

Specifies a user or group to be defined as the owner of the group profile.

SUPGROUP(group-name)

Specifies the superior group.

TERMUACC | NOTERMUACC

For syntax check only.

Examples

The following example uses the ALTGROUP command and views the result by using the LISTGRP command.

ALTGROUP GROUP001 DATA('GROUP001 ALTERED.') NOMODEL OWNER(ROOT) SUPGROUP(SYS1)
INFORMATION FOR GROUP GROUP001
  SUPERIOR GROUP=SYS1           OWNER=ROOT
  DATA=GROUP001 ALTERED.
  NO-MODEL-DATA-SET
  TERMUACC
  NO SUBGROUPS

7. ALTUSER (ALU)

Alters the profile of the specified user.

Executing the ALTUSER command requires the user to satisfy one of the following.

  • The specified user

  • Special attribute holder

  • Owner of the profile

  • Group-special attribute holder

Syntax

The ALTUSER command is used as follows:

{ALTUSER | ALU}
    (userid ...)
    [{ADDCATEGORY | DELCATEGORY}(category-name...) (category-name)]
    [ADSP | NOADSP]
    [AUDITOR | NOAUDITOR]
    [AUTHORITY(group-authority)]
    [{CLAUTH | NOCLAUTH}(class-name...)]
    [DATA('installation-defined-data') | NODATA]
    [DFLTGRP(group-name)]
    [GRPACC | NOGRPACC]
    [MODEL(dsname) | NOMODEL]
    [NAME('user-name')]
    [OPERATIONS | NOOPERATIONS]
    [OWNER(userid | group-name)]
    [PASSWORD(password) | NOPASSWORD]
    [RESTRICTED | NORESTRICTED]
    [RESUME]
    [REVOKE]
    [EXPIRED | NOEXPIRED]
    [SECLABEL(seclabel-name) | NOSECLABEL]
    [SECLEVEL(seclevel-name) | NOSECLEVEL]
    [SPECIAL | NOSPECIAL]
    [UACC(access-authority)]
    [WHEN([DAYS(day-info)][TIME(time-info)])]
    [CICS(
       [OPCLASS(operator-class ...)]
       [OPIDENT(operator-id)]
       [OPPRTY(operator-priority)]
       [RSLKEY(rslkey ...)]
       [TIMEOUT(timeout-value)]
       [TSLKEY(tslkey ...)]
       [XRFSOFF(FORCE | NOFORCE)])]

The following describes the parameters for the ALTUSER command.

Field Description

(userid …​)

Specifies the user whose profile is to be modified. When specifying multiple users, each ID is separated by a single space. If the specified user profile does not exist in TACF, an error occurs and the ALTUSER command fails.

{ADDCATEGORY | DELCATEGORY}(category-name…​) (category-name)

For syntax check only.

ADSP | NOADSP

For syntax check only.

AUDITOR | NOAUDITOR

  • AUDITOR: Gives the auditor attribute to the user.

  • NOAUDITOR: Does not give the auditor attribute to the user. (Default value)

AUTHORITY(group-authority)

Specifies the authority of the user in the default group. For more information about the group authority, refer to Group-related Authorities.

{CLAUTH | NOCLAUTH}(class-name…​)

  • CLAUTH: Specifies the classes the user can define to TACF. The current TACF version supports USER only.

  • NOCLAUTH: Specifies the classes the user cannot define to TACF. (Default value)

DATA('installation-defined-data') | NODATA

Specifies notes on installation with no more than 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' '). (Default value: NODATA)

DFLTGRP(group-name)

Specifies a TACF-defined group to be used as the default group of the user. The user must be already connected to the specified group.

GRPACC | NOGRPACC

  • GRPACC: Specifies that all other users can access the user-defined group data set.

  • NOGRPACC: Default value.

MODEL(dsname) | NOMODEL

For syntax check only.

NAME('user-name')

Specifies the name of the user. Special characters must be enclosed in single quotation marks (' '). The user name can be up to 31 characters long.

OPERATIONS | NOOPERATIONS

  • OPERATIONS: Gives the user the ALTER authority for all resources protected by RACF. However, this authority is applied only when specifying the resource access authority by using the ACCESS parameter in the PERMIT statement.

  • NOOPERATIONS: Default value.

OWNER(userid | group-name)

Specifies a TACF-registered user or group to be defined as the owner of the user’s profile.

PASSWORD(password) | NOPASSWORD

If neither PASSWORD nor NOPASSWORD is specified, the default group name of the user is used as the password.

  • PASSWORD(password): Specifies the password for the user. TACF imposes no password creation rules or constraints other than saf_exit_password.

  • NOPASSWORD: Specifies the user as a protected user.

RESTRICTED | NORESTRICTED

  • RESTRICTED: Restricts the user’s access to TACF-protected resources. The user can be given access to resources only through the ACCESS parameter of the PERMIT command, regardless of the UACC value of the resources.

  • NORESTRICTED: Default value.

RESUME

Specifies that the user can access the system. Users already in the REVOKE status are not affected.

REVOKE

Specifies that the user cannot access the system. Users already in the REVOKE status are not affected.

EXPIRED | NOEXPIRED

Sets the user status to EXPIRED or NOEXPIRED.

SPECIAL | NOSPECIAL

  • SPECIAL: Assigns the special attribute to the user.

  • NOSPECIAL: Removes the special attribute from the user.

SECLABEL(seclabel-name) | NOSECLABEL

For syntax check only.

SECLEVEL(seclevel-name) | NOSECLEVEL

For syntax check only.

UACC(access-authority)

Specifies the level of the universal access authority for users. For more information about access authorities, refer to Specifying Access Authorities for a Data Set.

WHEN([DAYS(day-info)] [TIME(time-info)])

Changes the days of the week and the hours in the day when the user can access TACF.

  • DAYS (day-info): Can be any one of ANYDAY, WEEKDAYS, or any specified day of the week from SUNDAY to SATURDAY. For more information about day-info, refer to DAYS(day-info).

  • TIME (time-info): Specifies the hours in the day when the user can access the system. (Default value: '0000:2400', meaning the user can access the system any time)

CICS(
    [OPCLASS(operator-class ...)]
    [OPIDENT(operator-id)]
    [OPPRTY(operator-priority)]
    [RSLKEY(rslkey ...)]
    [TIMEOUT(timeout-value)]
    [TSLKEY(tslkey ...)]
    [XRFSOFF(FORCE | NOFORCE)])

Specifies fields in the CICS segment for the CICS terminal user. For more information, refer to ADDUSER (AU).

Examples

The following example uses the ALTUSER command and views the result by using the LISTUSER command.

ALTUSER USER001 ADSP NOCLAUTH(UTILITY) NODATA DFLTGRP(SYS1) GRPACC NAME(TMAXSOF)
OPERATIONS OWNER(SYS1) NOPASSWORD NORESTRICTED RESUME REVOKE SPECIAL
WHEN(DAYS(WEEKDAYS)TIME(1200:2200)) CICS(OPIDENT(DEF) OPCLASS(6) TSLKEY(10 12 15 17))
USER=USER001  NAME=TMAXSOFT  OWNER=SYS1     CREATED=20111222
  DEFAULT-GROUP=SYS1      PASSDATE=20111222 PASS INTERVAL=30
  ATTRIBUTES=SPECIAL OPERATIONS ADSP GRPACC
  REVOKE DATE=NONE    RESUME DATE=NONE  NOPASSWORD
  LAST ACCESS=
  CLASS AUTHORIZATIONS=NONE
  NO-INSTALLATION-DATA
  NO-MODEL-DATA-SET
  LOGON ALLOWED   (DAYS)            (TIME)
  ----------------------------------------
  WEEKDAYS                         1200:2200
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20111222
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE             RESUME DATE=NONE
  SECURITY LEVEL=NONE-SPECIFIED
  CATEGORY AUTHORIZATION
  NONE-SPECIFIED
  SECURITY LABEL=NONE-SPECIFIED

CICS INFORMATION
----------------
  OPCLASS=006
  OPIDENT= DEF
  OPPRTY= 0
  RSLKEY= 00003 00005 00012
  TIMEOUT= NOTIMEOUT
  TSLKEY= 00010 00012 00015 00017
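As an added example (not output handling shipped with tacfmgr), the following Python code parses the LISTUSER output shown in the ADDUSER, ALTUSER and CONNECT examples and reports what a reviewer of user profiles would check: system-wide SPECIAL, OPERATIONS or AUDITOR attributes, class authorizations, the NOPASSWORD and EXPIRED states, a restricted logon window, and group connections with elevated authority or attributes. The sample text is constructed from the page's examples; treating any group AUTH other than USE as elevated is an assumption.

```python
import re

# Constructed sample: the LISTUSER output from the ALTUSER example above, with the
# GROUP001 connection from the CONNECT example added so that two connections are present.
SAMPLE = """\
USER=USER001  NAME=TMAXSOFT  OWNER=SYS1     CREATED=20111222
  DEFAULT-GROUP=SYS1      PASSDATE=20111222 PASS INTERVAL=30
  ATTRIBUTES=SPECIAL OPERATIONS ADSP GRPACC
  REVOKE DATE=NONE    RESUME DATE=NONE  NOPASSWORD
  LAST ACCESS=
  CLASS AUTHORIZATIONS=NONE
  NO-INSTALLATION-DATA
  NO-MODEL-DATA-SET
  LOGON ALLOWED   (DAYS)            (TIME)
  ----------------------------------------
  WEEKDAYS                         1200:2200
    GROUP=GROUP001   AUTH=CONNECT CONNECT-OWNER=ROOT     CONNECT-DATE=20111223
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=GRPACC OPERATIONS
    REVOKE DATE=NONE             RESUME DATE=NONE
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20111222
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE             RESUME DATE=NONE
  SECURITY LEVEL=NONE-SPECIFIED
"""

# KEY=VALUE pairs; keys may contain spaces or hyphens (PASS INTERVAL, DEFAULT-GROUP),
# and a value may be separated from '=' by spaces (CONNECTS=    00).
_PAIR = re.compile(r"([A-Z][A-Z -]*[A-Z])=\s*(\S*)")
_WHOLE_LINE = ("ATTRIBUTES", "CONNECT ATTRIBUTES", "DATA", "CLASS AUTHORIZATIONS")
_FLAGS = ("NOPASSWORD", "EXPIRED")            # bare status words at the end of a line
_WINDOW = re.compile(r"^\s*([A-Z]*)\s*(\d{4}:\d{4})\s*$")   # the LOGON ALLOWED data line
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}


def _pairs(line):
    stripped = line.strip()
    for key in _WHOLE_LINE:                    # these values contain spaces: keep the rest of the line
        if stripped.startswith(key + "="):
            return {key: stripped[len(key) + 1:].strip()}
    return dict(_PAIR.findall(stripped))


def parse_listuser(text):
    """Parse one user's LISTUSER output into {'fields', 'flags', 'window', 'connects'}."""
    user = {"fields": {}, "flags": set(), "window": None, "connects": []}
    for line in text.splitlines():
        if line.startswith("CICS INFORMATION"):
            break                              # the CICS segment is not needed for this audit
        m = _WINDOW.match(line)
        if m:
            user["window"] = (m.group(1) or "ANYDAY", m.group(2))
            continue
        if line.strip().startswith("GROUP="):  # each connection starts with its GROUP= line
            user["connects"].append({})
        # connection lines are indented four spaces, user-level lines two
        target = user["connects"][-1] if line.startswith("    ") and user["connects"] else user["fields"]
        target.update(_pairs(line))
        for flag in _FLAGS:
            if re.search(rf"\b{flag}\b", line):
                user["flags"].add(flag)
    return user


def audit_user(user):
    """Findings a reviewer would want on one parsed LISTUSER record."""
    f, out = user["fields"], []
    uid = f.get("USER", "?")
    for attr in sorted(set(f.get("ATTRIBUTES", "").split()) & PRIVILEGED):
        out.append(f"{uid}: system-wide {attr} attribute")
    if f.get("CLASS AUTHORIZATIONS", "NONE") != "NONE":
        out.append(f"{uid}: CLAUTH for class {f['CLASS AUTHORIZATIONS']}")
    if "NOPASSWORD" in user["flags"]:
        out.append(f"{uid}: protected user (NOPASSWORD)")
    if "EXPIRED" in user["flags"]:
        out.append(f"{uid}: password expired; must be changed at next logon")
    if user["window"] and user["window"] != ("ANYDAY", "0000:2400"):
        out.append(f"{uid}: logon limited to {user['window'][0]} {user['window'][1]}")
    for c in user["connects"]:
        cattrs = sorted(set(c.get("CONNECT ATTRIBUTES", "").split()) & PRIVILEGED)
        # assumption: any group authority other than USE is treated as elevated
        if cattrs or c.get("AUTH") not in (None, "USE"):
            out.append(f"{uid}: group {c.get('GROUP')} AUTH={c.get('AUTH')} attributes={cattrs}")
    return out


if __name__ == "__main__":
    for finding in audit_user(parse_listuser(SAMPLE)):
        print(finding)
```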

8. CONNECT (CO)

Connects a user to a group and establishes group-related attributes for the user.

Executing the CONNECT command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the group profile

  • Group-special attribute holder

Syntax

The CONNECT command is used as follows:

{CONNECT | CO}
    (userid ...)
    [AUDITOR | NOAUDITOR]
    [AUTHORITY(group-authority)]
    [GROUP(group-name)]
    [GRPACC | NOGRPACC]
    [OPERATIONS | NOOPERATIONS]
    [OWNER(userid | group-name)]
    [SPECIAL | NOSPECIAL]
    [UACC(access-authority)]

The following describes the parameters for the CONNECT command.

Field Description

(userid …​)

Specifies the user ID to be connected to a group. When specifying multiple users, each user is separated by a single space. If a specified user does not exist in TACF, an error occurs and the CONNECT command fails.

AUDITOR | NOAUDITOR

  • AUDITOR: Gives the user the auditor attribute for the connected group.

  • NOAUDITOR: Default value.

AUTHORITY(group-authority)

Specifies the authority of the user in the default group. For more information about the group authority, refer to Group-related Authorities.

GROUP(group-name)

Specifies the group to be connected with the user.

GRPACC | NOGRPACC

  • GRPACC: Specifies that all other users can access the user-defined group data set.

  • NOGRPACC: Default value.

OPERATIONS | NOOPERATIONS

  • OPERATIONS: Specifies to give the OPERATIONS attribute to the connected users.

  • NOOPERATIONS: Default value.

OWNER(userid | group-name)

Specifies a user or group to be defined as the owner of the CONNECT profile.

SPECIAL | NOSPECIAL

  • SPECIAL: Specifies the user as the authorized owner of the group-special attribute for the corresponding group.

  • NOSPECIAL: Does not specify ownership of the group-special attribute. (Default value)

UACC(access-authority)

Specifies the level of universal access authority for the resources created by the user connected to the corresponding group. For more information about authorities, refer to Specifying Access Authorities for a Data Set.

Examples

The following examples use the CONNECT command, and view the result by using the LISTUSER command.

CONNECT USER001 AUTHORITY(CONNECT) GROUP(GROUP001) GRPACC OPERATIONS OWNER(ROOT) NOSPECIAL
USER=USER001  NAME=TMAXSOFT  OWNER=SYS1     CREATED=20111222
  DEFAULT-GROUP=SYS1      PASSDATE=20111222 PASS INTERVAL=30
  ATTRIBUTES=SPECIAL OPERATIONS ADSP GRPACC
  REVOKE DATE=NONE    RESUME DATE=NONE  NOPASSWORD
  LAST ACCESS=
  CLASS AUTHORIZATIONS=NONE
  NO-INSTALLATION-DATA
  NO-MODEL-DATA-SET
  LOGON ALLOWED   (DAYS)            (TIME)
  ----------------------------------------
  WEEKDAYS                         1200:2200
    GROUP=GROUP001   AUTH=CONNECT CONNECT-OWNER=ROOT     CONNECT-DATE=20111223
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=GRPACC OPERATIONS
    REVOKE DATE=NONE             RESUME DATE=NONE
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20111222
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE             RESUME DATE=NONE
  SECURITY LEVEL=NONE-SPECIFIED
  CATEGORY AUTHORIZATION
  NONE-SPECIFIED
  SECURITY LABEL=NONE-SPECIFIED

9. DELDSD (DD)

Deletes the profile of the specified data set.

Executing the DELDSD command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the profile of the specified data set

  • The high-qualifier of the profile matching the user ID

  • Group-special attribute holder

  • Discrete data set profile with the universal access authority set to ALTER

Syntax

The DELDSD command is used as follows:

{DELDSD | DD}
    (profile-name ...)
    [VOLUME(volser)]

The following describes the DELDSD command.

Field Description

(profile-name …​)

Specifies the name of the data set profile to be deleted. When specifying multiple data sets, each is separated by a single space. If a specified data set profile does not exist, an error occurs and the DELDSD command fails.

VOLUME[(volser)]

Specifies the volume serial to which the data set to be deleted belongs. If not specified, when the data set to be deleted is a discrete data set and NVSM, the catalog is searched to locate the volume containing the data set.

Example

The following example uses the DELDSD command.

DELDSD TMAX.DSD001 VOLUME(DEFVOL)

10. DELGROUP (DG)

Deletes the profile of the specified group.

Executing the DELGROUP command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the specified profile

  • Owner of the superior group of the specified group

  • Holder of the JOIN authority to the superior group of the specified group

  • Group-special attribute holder

Syntax

The DELGROUP command is used as follows:

{DELGROUP | DG}
    (group-name ...)

The following describes the parameter for the DELGROUP command.

Field Description

(group-name …​)

Specifies the group profile to be deleted. When specifying multiple groups, each is separated by a single space. If a specified group does not exist, an error occurs and the DELGROUP command fails.

Example

The following example uses the DELGROUP command.

DELGROUP GROUP001

11. DELUSER (DU)

Deletes the specified user profile.

Executing the DELUSER command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the specified profile

  • Group-special attribute holder

Syntax

The DELUSER command is used as follows:

{DELUSER | DU}
    (user-id ...)

The following describes the DELUSER command.

Field Description

(user-id …​)

Specifies the user profile to be deleted. When specifying multiple users, each is separated by a single space. If a specified user does not exist, an error occurs and the DELUSER command fails.

Examples

The following example uses the DELUSER command.

DELUSER USER001

12. LISTDSD (LD)

Displays the profiles of data sets defined to TACF and their access list.

Executing the LISTDSD command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Auditor attribute holder

  • Operations attribute holder

  • Owner of the specified data set profile

  • The high-qualifier of the profile matching the user ID

  • Group-special attribute holder

  • Group-auditor attribute holder

  • Group-operations attribute holder

  • READ or higher universal access authority to the data set

  • READ or higher access authority to the data set

Syntax

The LISTDSD command is used as follows:

{LISTDSD | LD}
    [ALL]
    [{DATASET(profile-name) | ID(name) | PREFIX(char ...)}]
    [{GENERIC | NOGENERIC}]
    [VOLUME(volser)]

The following describes the parameters for the LISTDSD command.

Field Description

ALL

Specifies to display not only the data set profile information but also the access list profile information for the data set.

{DATASET(profile-name) | ID(name) | PREFIX(char …​)}

  • DATASET(profile-name): Specifies the data set profile to display.

  • ID(name): Specifies the user ID or group name. A data set having the specified user ID or group name as the high-qualifier is displayed.

  • PREFIX(char …​): Specifies character strings. A data set profile beginning with the specified strings is displayed.

{GENERIC | NOGENERIC}

  • GENERIC: Specifies to display only generic profiles.

  • NOGENERIC: Specifies to display only discrete profiles.

VOLUME[(volser)]

Specifies the volume serial to which the data set to be displayed belongs. If not specified, all data sets with the same name are displayed.

Examples

The following examples use the LISTDSD command.

LISTDSD ALL DATASET(TMAX.DSD001) GENERIC VOLUME(DEFVOL)
INFORMATION FOR DATASET TMAX.DSD001
  LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
  ----- -------- ----------------- ------- ------
   00     ROOT             NONE         NO        NO
  AUDITING
  --------
  FAILURES(READ)
  NOTIFY
  -------
  ROOT
  YOUR ACCESS  CREATION GROUP  DATASET TYPE
  -----------  --------------  ------------
  ALTER                        GENERIC

  VOLUMES ON WHICH DATASET RESIDES  UNIT
  --------------------------------  ----
  DEFVOL
  NO INSTALLATION DATA
                SECURITY LEVEL
  ------------------------------------------
  NO SECURITY LEVEL
  CATEGORIES
  ----------
  NOCATEGORIES
  SECLABEL
  ----------
  NO SECLABEL
     ID     ACCESS   ACCESS COUNT
  -------  -------  ------------         <==== access list information
  LNIJPROD  READ          0
     ID     ACCESS   ACCESS COUNT  CLASS    ENTITY NAME
--------  ------   ------------  -----    -----------
NO  ENTRIES IN CONDITIONAL ACCESSLIST

13. LISTGRP (LG)

Displays the group profiles information defined to TACF and their CONNECT profiles.

Executing the LISTGRP command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Auditor attribute holder

  • Owner of the specified group profile

  • Holder of the CONNECT or greater authority while belonging to the group to be viewed. (Refer to Specifying Access Authorities for a Data Set.)

  • Group-special attribute holder

  • Group-auditor attribute holder

Syntax

The LISTGRP command is used as follows:

{LISTGRP | LG}
    [(group-name ...) | *]

The following describes the parameter for the LISTGRP command.

Field Description

(group-name …​) | *

  • (group-name …​): Specifies the group name. When specifying multiple groups, each name is separated by a single space.

  • *: Specifies to view all users having the authority.

Examples

The following example uses the LISTGRP command.

LISTGRP GROUP001

The following shows the result.

INFORMATION FOR GROUP GROUP001
  SUPERIOR GROUP=               OWNER=ROOT
  NO-INSTALLATION-DATA
  NO-MODEL-DATA-SET
  NOTERMUACC
  SUBGROUP(S) = GRP1 GRP2 C H BATCH CANY
  USER(S)=      ACCESS=      ACCESS COUNT=     UNIVERSAL ACCESS=
  TEST            USE           000110             NONE
    CONNECT ATTRIBUTES=NONE
    REVORK DATE=NONE            RESUME DATE=NONE
  TEST01          USE           000001             NONE
    CONNECT ATTRIBUTES=NONE
    REVORK DATE=NONE            RESUME DATE=NONE
  hhhh            USE           000000             NONE
    CONNECT ATTRIBUTES=NONE
    REVORK DATE=NONE            RESUME DATE=NONE
  miachel         USE           000009             NONE
    CONNECT ATTRIBUTES=NONE
    REVORK DATE=NONE            RESUME DATE=NONE
  nouser          USE           000000             NONE
    CONNECT ATTRIBUTES=NONE
    REVORK DATE=NONE            RESUME DATE=NONE

14. LISTUSER (LU)

Displays specific user profiles and their associated connect profiles. The command displays the details of segments only when they exist.

Executing the LISTUSER command requires the user to satisfy one of the following conditions.

  • The specified user

  • Special attribute holder

  • Auditor attribute holder

  • Owner of the specified user profile

  • Group-special attribute holder

  • Group-auditor attribute holder

Syntax

The LISTUSER command is used as follows:

{LISTUSER | LU}
    [(userid ...) | *]

The following describes the parameter for the LISTUSER command.

Field Description

(userid …​) | *

  • (userid …​): Specifies the user ID. When specifying multiple users, each is separated by a single space.

  • *: Specifies to view all users having the authority.

Examples

The following example uses the LISTUSER command.

LISTUSER USER001

The following example views the result.

USER=USER001  NAME=TMAXSOFT  OWNER=SYS1     CREATED=20050720
  DEFAULT-GROUP=SYS1      PASSDATE=20050720 PASS INTERVAL=30
  ATTRIBUTES=SPECIAL OPERATIONS ADSP GRPACC
  REVOKE DATE=NONE    RESUME DATE=NONE  NOPASSWORD
  LAST ACCESS=
  CLASS AUTHORIZATIONS=NONE
  NO-INSTALLATION-DATA
  NO-MODEL-DATA-SET
  LOGON ALLOWED   (DAYS)            (TIME)
  ----------------------------------------
  WEEKDAYS                         1200:2200
    GROUP=GROUP001   AUTH=CONNECT CONNECT-OWNER=ROOT     CONNECT-DATE=20050720
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=GRPACC OPERATIONS
    REVOKE DATE=NONE             RESUME DATE=NONE
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20050720
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE             RESUME DATE=NONE
  SECURITY LEVEL=NONE-SPECIFIED
  CATEGORY AUTHORIZATION
  NONE-SPECIFIED
  SECURITY LABEL=NONE-SPECIFIED

CICS INFORMATION
----------------
  OPCLASS=006
  OPIDENT= DEF
  OPPRTY= 0
  RSLKEY= 00003 00005 00012
  TIMEOUT= NOTIMEOUT
  TSLKEY= 00010 00012 00015 00017
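A privilege review over the LISTUSER listing format shown above, as an added example that is not part of the TACF manual or the tacfmgr tool: it parses the output into user and connect-profile records and flags SPECIAL, OPERATIONS and AUDITOR attributes, NOPASSWORD and EXPIRED states, and CONNECT/JOIN group authorities. The rule that connect-profile lines are indented four spaces is assumed from the listing, and the USER002 record in the sample is constructed.

```python
"""Parse tacfmgr LISTUSER output and flag privileged or weak accounts.
Added example, not TmaxSoft code: the field names follow the LISTUSER
listing in this chapter, and the rule that connect-profile lines are
indented four spaces (user-level lines two) is assumed from that listing."""
import re

KEYS = ("USER", "NAME", "OWNER", "CREATED", "DEFAULT-GROUP", "PASSDATE",
        "PASS INTERVAL", "ATTRIBUTES", "REVOKE DATE", "RESUME DATE",
        "LAST ACCESS", "CLASS AUTHORIZATIONS", "SECURITY LEVEL",
        "SECURITY LABEL", "GROUP", "AUTH", "CONNECT-OWNER", "CONNECT-DATE",
        "CONNECTS", "UACC", "LAST-CONNECT", "CONNECT ATTRIBUTES")
# Longest key first so DEFAULT-GROUP= is not read as GROUP=; the lookbehind
# stops OWNER= from matching inside CONNECT-OWNER=.
_KEY_RE = re.compile(r"(?<![A-Z-])(" + "|".join(
    re.escape(k) for k in sorted(KEYS, key=len, reverse=True)) + r")=")
# Attributes that confer administrative power (see ADDUSER and CONNECT).
PRIV_ATTRS = ("SPECIAL", "OPERATIONS", "AUDITOR")


def _pairs(line):
    """Yield (key, value, state_flags) for each KEY=VALUE on one line."""
    hits = list(_KEY_RE.finditer(line))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        raw = line[m.end():end].strip()
        # A state word (NOPASSWORD, EXPIRED) trails the last value after
        # two or more spaces, e.g. "RESUME DATE=NONE  NOPASSWORD".
        parts = re.split(r"\s{2,}", raw) if raw else [""]
        yield m.group(1), parts[0], parts[1:]


def parse_listuser(text):
    """Return one record per USER= line: {fields, flags, connects}."""
    users, user, connect = [], None, None
    for line in text.splitlines():
        if "=" not in line:
            continue  # headings, dash rules, LOGON ALLOWED rows
        indent = len(line) - len(line.lstrip(" "))
        for key, value, flags in _pairs(line):
            if key == "USER":
                user = {"fields": {}, "flags": [], "connects": []}
                users.append(user)
                connect = None
            elif key == "GROUP" and user is not None:
                connect = {"fields": {}, "flags": []}
                user["connects"].append(connect)
            if user is None:
                continue  # text before the first record
            target = connect if connect and indent >= 4 else user
            target["fields"][key] = value
            target["flags"].extend(flags)
    return users


def audit_user(user):
    """Findings a reviewer of this user's profile would want to see."""
    f, out = user["fields"], []
    uid = f.get("USER", "?")
    for attr in f.get("ATTRIBUTES", "").split():
        if attr in PRIV_ATTRS:
            out.append(f"{uid}: system-wide {attr}")
    if "NOPASSWORD" in user["flags"]:
        out.append(f"{uid}: NOPASSWORD set")
    if "EXPIRED" in user["flags"]:
        out.append(f"{uid}: password EXPIRED (initialized, must be changed)")
    for c in user["connects"]:
        cf = c["fields"]
        for attr in cf.get("CONNECT ATTRIBUTES", "").split():
            if attr in PRIV_ATTRS:
                out.append(f"{uid}: group-{attr} in {cf.get('GROUP')}")
        if cf.get("AUTH") in ("CONNECT", "JOIN"):
            out.append(f"{uid}: {cf['AUTH']} authority in {cf.get('GROUP')}")
    return out


# Sample: the chapter's USER001 listing (abridged) plus a constructed USER002.
SAMPLE = """\
USER=USER001  NAME=TMAXSOFT  OWNER=SYS1     CREATED=20050720
  DEFAULT-GROUP=SYS1      PASSDATE=20050720 PASS INTERVAL=30
  ATTRIBUTES=SPECIAL OPERATIONS ADSP GRPACC
  REVOKE DATE=NONE    RESUME DATE=NONE  NOPASSWORD
  LOGON ALLOWED   (DAYS)            (TIME)
    GROUP=GROUP001   AUTH=CONNECT CONNECT-OWNER=ROOT     CONNECT-DATE=20050720
    CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
    CONNECT ATTRIBUTES=GRPACC OPERATIONS
    REVOKE DATE=NONE             RESUME DATE=NONE
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20050720
    CONNECT ATTRIBUTES=NONE
  SECURITY LEVEL=NONE-SPECIFIED
  OPCLASS=006
USER=USER002  NAME=unknown  OWNER=ROOT     CREATED=20180806
  DEFAULT-GROUP=SYS1      PASSDATE=20180806 PASS INTERVAL=60
  ATTRIBUTES=NONE
  REVOKE DATE=NONE    RESUME DATE=NONE  EXPIRED
    GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20180806
"""

if __name__ == "__main__":
    print(*(audit_user(u) for u in parse_listuser(SAMPLE)), sep="\n")
```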

15. PASSWORD (PW)

Specifies the password of the user or the password change interval.

Executing the PASSWORD command requires the user to satisfy one of the following conditions.

  • The specified user

  • Special attribute holder

  • Group-special attribute holder

Syntax

The PASSWORD command is used as follows:

{PASSWORD | PW}
    [INTERVAL(change-interval) | NOINTERVAL]
    [PASSWORD(current-password new-password)]
    [USER(userid ...)]

The following describes the parameters for the PASSWORD command.

Field Description

INTERVAL(change-interval) | NOINTERVAL

  • INTERVAL (change-interval): Specifies the password change interval. The user must modify the password within the specified period. If the password remains unchanged after this period, the user status turns to EXPIRED.

  • NOINTERVAL: Does not specify the password change interval. If NOINTERVAL, the user does not expire.

PASSWORD(current-password new-password)

The current password and the new password are delimited by a space. When a password is specified, TACF imposes no additional rules or restrictions on the new password, other than those applied by saf_exit_password. If used along with the USER parameter, this parameter is ignored and no password change occurs.

USER(userid …​)

Specifies the user whose password is to be initialized. If the user has an existing password, it is discarded and replaced by the initialized password. The initialized password is the name of the user's default group, and the password state becomes EXPIRED; therefore the user must change the initialized password when connecting to the system. If used along with the [INTERVAL | NOINTERVAL] parameter, the password change interval is specified instead of the password.

Examples
  • Example 1

    The following example uses the PASSWORD command to change the password change interval of the user USER001 to 60.

    PASSWORD INTERVAL(60) USER(USER001)
    USER=USER001  NAME=unknown  OWNER=ROOT     CREATED=20180806
      DEFAULT-GROUP=SYS1      PASSDATE=20180806 PASS INTERVAL=60
      ATTRIBUTES=NONE
      REVOKE DATE=NONE    RESUME DATE=NONE
      LAST ACCESS=
      CLASS AUTHORIZATIONS=NONE
      NO-INSTALLATION-DATA
      NO-MODEL-DATA-SET
      LOGON ALLOWED   (DAYS)            (TIME)
      ----------------------------------------
      ANYDAY                           0000:2400
        GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20180806
        CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
        CONNECT ATTRIBUTES=NONE
        REVOKE DATE=NONE             RESUME DATE=NONE
      SECURITY LEVEL=NONE-SPECIFIED
      CATEGORY AUTHORIZATION
      NONE-SPECIFIED
      SECURITY LABEL=NONE-SPECIFIED
  • Example 2

    The following example initializes USER001’s password.

    PASSWORD USER(USER001)
    USER=USER001  NAME=unknown  OWNER=ROOT     CREATED=20180806
      DEFAULT-GROUP=SYS1      PASSDATE=20180806 PASS INTERVAL=60
      ATTRIBUTES=NONE
      REVOKE DATE=NONE    RESUME DATE=NONE  EXPIRED
      LAST ACCESS=
      CLASS AUTHORIZATIONS=NONE
      NO-INSTALLATION-DATA
      NO-MODEL-DATA-SET
      LOGON ALLOWED   (DAYS)            (TIME)
      ----------------------------------------
      ANYDAY                           0000:2400
        GROUP=SYS1       AUTH=USE     CONNECT-OWNER=ROOT     CONNECT-DATE=20180806
        CONNECTS=    00  UACC=NONE    LAST-CONNECT=UNKNOWN
        CONNECT ATTRIBUTES=NONE
        REVOKE DATE=NONE             RESUME DATE=NONE
      SECURITY LEVEL=NONE-SPECIFIED
      CATEGORY AUTHORIZATION
      NONE-SPECIFIED
      SECURITY LABEL=NONE-SPECIFIED

16. PERMIT (PE)

Grants or removes resource authorities to/from users or groups. TACF manages access authorities by using a standard access list and a conditional access list. The standard access list contains user IDs and group names assigned with the access authority. The conditional access list contains user IDs and group names assigned with the access authority conditioned with a specific value for the WHEN parameter.

  • The standard access list contains the following.

    • Users or groups authorized to access the data set

    • The level of access authority for each user or group

    • The data set access count of each user

  • In addition to the standard access list, the conditional access list provides the following.

    • The resource class

    • The name of individual resource (entity name)

Currently, TACF does not display the data set access count, the resource class, and the resource name.

Executing the PERMIT command requires the user to satisfy one of the following conditions.

  • If the resource is a data set

    • Special attribute holder

    • Owner of the specified data set profile

    • The high-qualifier of the data set profile matching the user ID

    • Group-special attribute holder with the data set protected in the group

    • Discrete data set profile with the universal access authority set to ALTER

  • If the resource is a general resource

    • Special attribute holder

    • Owner of the specified resource

    • Group-special attribute holder with the data set protected in the group

    • The universal access authority set to ALTER

Syntax

The PERMIT command is used as follows:

{PERMIT | PE}
    profile-name-1
    [ACCESS(access-authority) | DELETE]
    [CLASS(profile-name-class)]
    [ID(name ...)]
    [RESET[(ALL | STANDARD | WHEN)]]
    [GENERIC]
    [VOLUME(volser)]
    [WHEN(
      [PROGRAM(program-name)]
      [TERMINAL(terminal-id)]
      [DAYS(day-info)][TIME(time-info)])]

The following describes the parameters for the PERMIT command.

Field Description

profile-name-1

Specifies the name of a TACF-defined profile.

ACCESS(access-authority) | DELETE

  • ACCESS (access-authority): Assigns access authority to the specified user. For more information about access authorities, refer to Specifying Access Authorities for a Data Set. Depending on whether the operand of the WHEN parameter is specified, the authority is set to the standard access list or conditional access list.

  • DELETE: Removes a specific user from the standard access list. Depending on whether the operand of the WHEN parameter is specified, TACF removes the user from the standard or conditional access list.

CLASS(profile-name-class)

Specifies the name of the class that the specified profile belongs to. (Default value: data set name)

ID(name …​)

Specifies the user IDs of the user(s) whose resource authorities are being added/removed. When specifying multiple users, each must be separated by a single space. If a specified user does not exist in TACF, an error occurs and the PERMIT command fails.

RESET[(ALL | STANDARD | WHEN)]

  • RESET(ALL): Deletes both the standard access list and the conditional access list from the profile. If both RESET(ALL) and ACCESS are specified, the access lists are deleted first and the new access authority is added.

  • RESET(STANDARD): Deletes the standard access list from the profile. If both RESET(STANDARD) and ACCESS are specified, the access list is deleted first and then the new access authority is added.

  • RESET(WHEN): Deletes the conditional access list from the profile. If both RESET(WHEN) and ACCESS are specified, the access list is deleted first and then the new access authority is added.

GENERIC

Specifies that the profile to which the authority is granted is a generic data set profile. If not specified and the profile name contains a wildcard character, the profile is treated as a generic data set profile; if not specified and the profile name contains no wildcard character, it is treated as a discrete data set profile.

VOLUME[(volser)]

Specifies the volume serial to which the data set to be granted the authority belongs. If not specified, the volume information of the data set profile is searched for, and if more than one volume is found, an error occurs. If used along with the GENERIC parameter, the VOLUME parameter is ignored.

PROGRAM(program-name)

Assigns conditional access to the specified data set.

TERMINAL(terminal-id)

For syntax check only.

DAYS(day-info) TIME(time-info)

Specifies the days of the week and the hours of the day when a specific user can access the specified resource.

Examples

The following examples use the PERMIT command, and view the result by using the RLIST command.

PERMIT PS ACCESS(EXECUTE) CLASS(TJESMGR) ID(GROUP001) RESET(ALL)
  CLASS      NAME
  -----      ----
  TJESMGR    PS
  GROUP CLASS NAME
  ----- ----- ----
  GTJESMGR
  RESOURCE GROUPS
  -------- ------
  NONE
  LEVEL  OWNER    UNIVERSAL ACCESS  YOUR ACCESS    WARNING
  -----  -----    ----------------  -----------    -------
   00    ROOT          NONE        NO       NO
  INSTALLATION DATA
  -----------------
  NONE
  APPLICATION DATA
  ----------------
  NONE
  SECLEVEL
  ----------------
  NO SECLEVEL
  CATEGORIES
  ----------------
  NO CATEGORIES
  SECLABEL
  ----------------
  NO SECLABEL
  AUDITING
  --------
  FAILURES(READ)

  NOTIFY
  ------
  ROOT
/* standard access list */
     ID     ACCESS   ACCESS COUNT
  --------  ------   ------------
  GROUP001   EXECUTE         0
/* conditional access list */
     ID     ACCESS   ACCESS COUNT  CLASS    ENTITY NAME
  --------  ------   ------------  -----    -----------
  NO ENTRIES IN CONDITIONAL ACCESS LIST
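The ACCESS, DELETE, RESET and WHEN rules described above, modelled as an added example that is not TmaxSoft code: a parser for the PERMIT syntax given in this section and an in-memory profile whose standard and conditional access lists are edited the way the parameter descriptions specify (RESET clears first, WHEN steers the change to the conditional list). The profile shape, the DATASET default class name and a bare RESET meaning RESET(ALL) are assumptions; the follow-up commands after the chapter's own example are constructed.

```python
"""Model of how PERMIT edits a profile's standard and conditional access
lists under the ACCESS/DELETE/RESET/WHEN rules in this chapter.
Added example, not TmaxSoft code: the in-memory profile shape, the DATASET
default class name and bare RESET meaning RESET(ALL) are assumptions."""


def _split_args(text):
    """Split 'ACCESS(EXECUTE) WHEN(PROGRAM(P1) DAYS(MON))' into
    [('ACCESS', 'EXECUTE'), ('WHEN', 'PROGRAM(P1) DAYS(MON)')]."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
            continue
        j = i
        while j < n and not text[j].isspace() and text[j] != "(":
            j += 1
        name = text[i:j]
        if j < n and text[j] == "(":
            depth, k = 0, j
            while k < n:  # walk to the matching close parenthesis
                depth += {"(": 1, ")": -1}.get(text[k], 0)
                if depth == 0:
                    break
                k += 1
            if depth != 0:
                raise ValueError(f"unbalanced parentheses after {name}")
            out.append((name, text[j + 1:k]))
            i = k + 1
        else:
            out.append((name, None))
            i = j
    return out


def parse_permit(cmd):
    """Parse one PERMIT/PE command line into a plain dict."""
    items = _split_args(cmd)
    if len(items) < 2 or items[0][0] not in ("PERMIT", "PE") or items[1][1]:
        raise ValueError("expected: PERMIT profile-name [parameters]")
    p = {"profile": items[1][0], "class": "DATASET", "ids": [],
         "access": None, "delete": False, "reset": None, "when": None}
    for name, arg in items[2:]:
        if name == "ACCESS":
            p["access"] = arg
        elif name == "DELETE":
            p["delete"] = True
        elif name == "CLASS":
            p["class"] = arg
        elif name == "ID":
            p["ids"] = arg.split()
        elif name == "RESET":
            p["reset"] = arg or "ALL"  # bare RESET: assumed to mean ALL
        elif name == "WHEN":  # hashable, order-independent condition key
            p["when"] = tuple(sorted(_split_args(arg)))
        elif name not in ("GENERIC", "VOLUME"):  # profile lookup, not modelled
            raise ValueError(f"unknown PERMIT parameter {name}")
    return p


def apply_permit(profile, p):
    """Apply a parsed PERMIT to {'standard': {}, 'conditional': {}}."""
    std, cond = profile["standard"], profile["conditional"]
    # RESET clears first; the ACCESS entry is added afterwards, as documented.
    if p["reset"] in ("ALL", "STANDARD"):
        std.clear()
    if p["reset"] in ("ALL", "WHEN"):
        cond.clear()
    # A WHEN operand steers ACCESS/DELETE to the conditional list.
    target = cond if p["when"] else std
    for uid in p["ids"]:
        key = (uid, p["when"]) if p["when"] else uid
        if p["delete"]:
            target.pop(key, None)
        elif p["access"]:
            target[key] = p["access"]
    return profile


def run_permits(profile, commands):
    """Apply several PERMIT lines in order and return the final profile."""
    for cmd in commands:
        apply_permit(profile, parse_permit(cmd))
    return profile


# The chapter's own PERMIT example followed by two constructed follow-ups.
COMMANDS = [
    "PERMIT PS ACCESS(EXECUTE) CLASS(TJESMGR) ID(GROUP001) RESET(ALL)",
    "PE PS ACCESS(UPDATE) CLASS(TJESMGR) ID(USER003) "
    "WHEN(PROGRAM(PAYROLL) DAYS(WEEKDAYS) TIME(0900:1800))",
    "PE PS DELETE CLASS(TJESMGR) ID(GROUP001)",
]

if __name__ == "__main__":  # constructed start: one stale entry per list
    start = {"standard": {"USER003": "READ"},
             "conditional": {("USER003", (("PROGRAM", "OLDPGM"),)): "UPDATE"}}
    print(run_permits(start, COMMANDS))
```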

17. RALTER (RALT)

Modifies the profile of a resource.

Executing the RALTER command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the specified resource

  • Group-special attribute holder, with the resource protected in the group

  • The resource’s universal access authority set to ALTER

Syntax

The RALTER command is used as follows:

{RALTER | RALT}
    class-name
    (profile-name ...)
    [ADDCATEGORY(category-name ...) | DELCATEGORY(category-name ...)]
    [ADDMEM(member ...) | DELMEM(member ...)]
    [AUDIT(access-attempt[(audit_access-level)] ...)]
    [DATA('installation-defined-data') | NODATA]
    [NOTIFY(userid) | NONOTIFY]
    [OWNER(userid | group-name)]
    [SECLABEL(seclabel-name) | NOSECLABEL]
    [SECLEVEL(seclevel-name) | NOSECLEVEL]
    [UACC(access-authority)]

The following describes the parameters for the RALTER command.

Field Description

class-name

Specifies the name of the class that the specified resource belongs to.

(profile-name …​)

Specifies the resource profile name. When specifying multiple profiles, each must be separated by a single space. If a specified profile does not exist, an error occurs and the RALTER command fails.

ADDCATEGORY(category-name …​) | DELCATEGORY(category-name …​)

For syntax check only.

ADDMEM(member …​) | DELMEM(member …​)

  • ADDMEM(member …​): Specifies the profile name of a member. Separate each profile with a single space when specifying multiple profiles.

  • DELMEM(member …​): Specifies the profile name of a member that is defined to the specified group resource profile. Separate each profile with a single space when specifying multiple profiles. The profile is ignored if it is not defined as a member.

AUDIT(access-attempt[(audit_access-level)] …​)

Specifies the audit level for the resource. For more information, refer to Access Attempt and Audit Access Level.

DATA('installation-defined-data') | NODATA

Specifies notes with up to 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' '). (Default value: NODATA)

NOTIFY(userid) | NONOTIFY

  • NOTIFY(userid): Specifies the user ID of the user to be notified of data set access denials. If not specified, the current user ID is used.

  • NONOTIFY: Specifies that no user is notified when access is denied. (Default value)

OWNER(userid | group-name)

Specifies the user ID or group name to be defined as the owner of the profile.

SECLABEL(seclabel-name) | NOSECLABEL

For syntax check only.

SECLEVEL(seclevel-name) | NOSECLEVEL

For syntax check only.

UACC(access-authority)

Specifies the level of the universal access authority for the specified resource. The access authorities include NONE, READ, EXECUTE, CONTROL, UPDATE, and ALTER. For more information, refer to Specifying Access Authorities for a Data Set.

Examples

The following examples use the RALTER command, and view the result by using the RLIST command.

RALTER TJESMGR PS AUDIT(ALL(CONTROL)) DATA('TJESMGR PS ALTERED.') NOTIFY(USER002) OWNER(ROOT) UACC(NONE)
  CLASS      NAME
  -----      ----
  TJESMGR    PS
  GROUP CLASS NAME
  ----- ----- ----
  GTJESMGR
  RESOURCE GROUPS
  -------- ------
  NONE
  LEVEL  OWNER    UNIVERSAL ACCESS  YOUR ACCESS    WARNING
  -----  -----    ----------------  -----------    -------
   00    ROOT          NONE        NO       NO
  INSTALLATION DATA
  -----------------
  TJESMGR PS ALTERED.
  APPLICATION DATA
  ----------------
  NONE
  SECLEVEL
  ----------------
  NO SECLEVEL
  CATEGORIES
  ----------------
  NO CATEGORIES
  SECLABEL
  ----------------
  NO SECLABEL
  AUDITING
  --------
  SUCCESS(CONTROL),FAILURES(CONTROL)

  NOTIFY
  ------
  USER002

18. RDEFINE (RDEF)

Defines a new discrete or general profile for a resource.

Executing the RDEFINE command requires the user to satisfy one of the following conditions.

  • Special attribute holder

Syntax

The RDEFINE command is used as follows:

{RDEFINE | RDEF}
    class-name
    (profile-name-1 ...)
    [ADDCATEGORY(category-name ...)]
    [ADDMEM(member ...)]
    [AUDIT(access-attempt[(audit_access-level)] ...)]
    [DATA('installation-defined-data')]
    [NOTIFY(userid)]
    [OWNER(userid | group-name)]
    [SECLABEL(seclabel-name)]
    [SECLEVEL(seclevel-name)]
    [UACC(access-authority)]

The following describes the parameters for the RDEFINE command.

Field Description

class-name

Specifies the classes that are defined to TACF.

(profile-name-1 …​)

Specifies the name of the profile to be defined. When specifying multiple profiles, each must be separated by a single space. For more information about the naming conventions for generic profiles, refer to Creating Generic Data Set Profiles.

ADDCATEGORY(category-name …​)

For syntax check only.

ADDMEM(member …​)

Specifies the profile name of the members in the group resource profile. When specifying multiple profiles, each must be separated by a single space.

AUDIT(access-attempt[(audit_access-level)] …​)

Specifies the audit level for the resource. For more information, refer to Access Attempt and Audit Access Level.

DATA('installation-defined-data')

Specifies notes with up to 255 characters. Spaces or special characters in the field must be enclosed in single quotation marks (' ').

NOTIFY(userid)

Specifies the user ID of the user to be notified of resource access denials. If not specified, the current user ID is used by default.

OWNER(userid | group-name)

Specifies the user ID or group name to be defined as the owner of the profile.

SECLABEL(seclabel-name)

For syntax check only.

SECLEVEL(seclevel-name)

For syntax check only.

UACC(access-authority)

Specifies the level of the universal access authority for the specified resource. The following are supported access authorities. For more information, refer to Specifying Access Authorities for a Data Set.

  • ALTER

  • CONTROL

  • UPDATE

  • READ

  • NONE

Examples

The following examples use the RDEFINE command, and view the result by using the RLIST command.

RDEFINE TJESMGR PS AUDIT(FAILURE(UPDATE)) DATA('TJESMGR PS ADDED.') NOTIFY(ROOT) OWNER(ROOT) UACC(NONE)
  CLASS      NAME
  -----      ----
  TJESMGR    PS
  GROUP CLASS NAME
  ----- ----- ----
  GTJESMGR
  RESOURCE GROUPS
  -------- ------
  NONE
  LEVEL  OWNER    UNIVERSAL ACCESS  YOUR ACCESS    WARNING
  -----  -----    ----------------  -----------    -------
   00    ROOT          NONE        NO       NO
  INSTALLATION DATA
  -----------------
  TJESMGR PS ADDED.
  APPLICATION DATA
  ----------------
  NONE
  SECLEVEL
  ----------------
  NO SECLEVEL
  CATEGORIES
  ----------------
  NO CATEGORIES
  SECLABEL
  ----------------
  NO SECLABEL
  AUDITING
  --------
  FAILURES(READ)

  NOTIFY
  ------
  ROOT

19. RDELETE (RDEL)

Deletes the profile of a resource.

Executing the RDELETE command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the specified profile

  • Group-special attribute holder, with the resource protected in the group

  • The resource profile’s universal access authority set to ALTER

Syntax

The RDELETE command is used as follows:

{RDELETE | RDEL}
    class-name
    (profile-name ...)

The following describes the parameters for the RDELETE command.

Field Description

class-name

Specifies the class to which the resource profile belongs.

(profile-name …​)

Specifies the resource profile to be deleted. When specifying multiple resource profiles, each must be separated by a single space. If a specified profile does not exist, an error occurs and the RDELETE command fails.

Example

The following example uses the RDELETE command.

RDELETE TJESMGR PS

20. REMOVE (RE)

Removes users from a group.

Executing the REMOVE command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the specified group profile

  • Group-special attribute holder

Syntax

The REMOVE command is used as follows:

{REMOVE | RE}
    (userid ...)
    [GROUP(group-name)]
    [OWNER(userid | group-name)]

The following describes the parameters for the REMOVE command.

Field Description

(userid …​)

Specifies the user ID of the user to be removed from a group. When specifying multiple users, each must be separated by a single space. If a specified user does not exist in TACF, an error occurs and the REMOVE command fails.

GROUP(group-name)

Specifies the group name.

OWNER(userid | group-name)

For syntax check only.

Example

The following example uses the REMOVE command.

REMOVE USER001 GROUP(GROUP001) OWNER(ROOT)

21. RLIST (RL)

Displays the profiles of TACF-defined resources and their associated access list.

Executing the RLIST command requires the user to satisfy one of the following conditions.

  • Special attribute holder

  • Owner of the specified profile

  • Group-special attribute and auditor attribute holder, with the resource protected in the group

  • The profile’s universal access attribute set to READ

  • READ or higher access-authority to the profile

Syntax

The RLIST command is used as follows:

{RLIST | RL}
    class-name
    {(profile-name ...) | *}
    [ALL]
    [{GENERIC | NOGENERIC}]

The following describes the parameters for the RLIST command.

Field Description

class-name

Specifies the name of the class to which the profile belongs.

(profile-name …​) | *

  • (profile-name …​): Specifies the name of the profile. When specifying multiple profiles, each must be separated by a single space.

  • *: Specifies to display all resources accessible to the user.

ALL

Specifies whether the access list assigned to the profile is displayed in addition to the resource profile.

GENERIC | NOGENERIC

  • GENERIC: Limits the view targets to generic profiles.

  • NOGENERIC: Limits the view targets to discrete profiles.

Examples

The following examples use the RLIST command.

RLIST TJESMGR PS ALL GENERIC
CLASS          NAME
  --------      ----
  TCICSTRN      IAA1
  GROUP CLASS NAME
  ----- ----- ----
  GCICSTRN
  RESOURCE GROUPS
  -------- ------
  GTNIA0
  LEVEL  OWNER    UNIVERSAL ACCESS  YOUR ACCESS    WARNING
  -----  -----    ----------------  -----------    -------
   00    ROOT          NONE        NO       NO
  INSTALLATION DATA
  -----------------
  0
  APPLICATION DATA
  ----------------
  NONE
  SECLEVEL
  ----------------
  NO SECLEVEL
  CATEGORIES
  ----------------
  NO CATEGORIES
  SECLABEL
  ----------------
  NO SECLABEL
  AUDITING
  --------
  SUCCESS(READ),FAILURES(READ)

  NOTIFY
  ------
  ROOT
     ID     ACCESS   ACCESS COUNT       ←====== access list information
  -------  ------   ------------
  NO ENTRIES IN CONDITIONAL ACCESS LIST
     ID     ACCESS   ACCESS COUNT  CLASS    ENTITY NAME
  --------  ------   ------------  -----    -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST

22. SEARCH (SR)

Displays search results from TACF-defined user, group, and resource profiles, filtered by the user’s conditions.

The SEARCH command provides the following functions:

  • Search for profiles that contain specific character strings.

  • Search for profiles of the users who have not accessed the system for a specified time period.

Executing the SEARCH command requires the user to satisfy one of the following conditions.

  • When searching for user profiles:

    • Owner of the specified profile

    • Special attribute or audit attribute holder

    • Group-special attribute or group-auditor attribute holder

    • The profile’s universal access authority set to READ

  • When searching for group profiles:

    • Owner of the specified profile

    • Special attribute or audit attribute holder

    • Group-special attribute or group-auditor attribute holder

  • When searching for data set or resource profiles:

    • User ID matching the high-level qualifier of the profile to be searched for

    • Owner of the specified profile

    • Special attribute or audit attribute holder

    • Group-special attribute or group-auditor attribute holder

    • The profile’s universal access authority set to READ

    • The READ authority to the specified profile

Syntax

The SEARCH command is used as follows:

{SEARCH | SR}
    [AGE(number-of-days)]
    [ALL | GENERIC | NOGENERIC | MODEL | TAPE]
    [CLASS({DATASET | class-name})]
    [FILTER(filter-string)]
    [MASK({char-1 | *}[,char-2])]
    [USER(userid)]
    [VOLUME(volser)]

The following describes the parameters for the SEARCH command.

Field Description

AGE(number-of-days)

Specifies the number of days to be used as a search filter. TACF searches for the profiles of users who have not accessed the system within the specified period of time. Note that AGE is ignored if CLASS is set to a category other than USER.

ALL | GENERIC | NOGENERIC | MODEL | TAPE

Specifies the target profiles to be searched.

  • ALL: Searches all profiles. (Default value)

  • GENERIC: Searches generic profiles.

  • NOGENERIC: Searches discrete profiles.

  • MODEL: Searches the profiles specified as MODEL.

  • TAPE: Searches only TAPE profiles among the data set profiles.

CLASS({DATASET | class-name})

Specifies the search target class. The class names of users, groups, data sets, and general resources may be entered. (Default value: DATASET)

FILTER(filter-string)

Specifies the character string to be used as the search parameter. The field can contain the special characters '%', '*', and '**', which TACF interprets according to the rules for generic profiles.

MASK({char-1 | *}[,char-2])

Specifies the range of profile names to be searched for.

  • char-1: Searches for profiles whose names start with the specified string.

  • char-2: Searches for profiles whose names contain the specified string.

  • *: Searches all profiles.

USER(userid)

Specifies the user ID to be searched for.

VOLUME(volser)

If the search target is a data set, VOLUME specifies the volume on which the data set resides. If it is omitted for a discrete NVSM data set, TACF searches the catalog to locate the data set.

Examples

The following example uses the SEARCH command and shows its result.

SEARCH AGE(30) ALL MASK(TMAX)
SEARCH RESULT:
  TMAX.DSD000
  TMAX.DSD001
  TMAX.DSD002
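The MASK and FILTER selection rules described above, evaluated offline over a constructed list of profile names, as an added example that is not part of the manual or of tacfmgr. The manual only refers to "the rules for generic profiles"; the matching rules for '%', '*' and '**' implemented here are assumed to be the RACF-style ones.

```python
"""Reproduce SEARCH MASK and FILTER selection offline over a list of profile names."""
import re

# Constructed profile names, not taken from a real TACF database.
PROFILES = ["TMAX.DSD000", "TMAX.DSD001", "TMAX.LIB.DSD002", "TMAX.SRC.ASM", "SYS1.PARMLIB"]

def mask_select(names, char1, char2=None):
    """MASK({char-1 | *}[,char-2]): char-1 anchors the start of the name (or * for all);
    char-2, when given, must appear anywhere in the name."""
    out = [n for n in names if char1 == "*" or n.startswith(char1)]
    if char2:
        out = [n for n in out if char2 in n]
    return out

def filter_regex(filter_string):
    """Turn a FILTER string into a regex. The generic-profile rules are assumed to be the
    RACF-style ones: % matches one character, * matches within a single qualifier,
    ** (or a trailing .**) matches any number of qualifiers."""
    s, i, pattern = filter_string, 0, ""
    while i < len(s):
        if s.startswith(".**", i):
            pattern, i = pattern + r"(?:\..*)?", i + 3   # zero or more trailing qualifiers
        elif s.startswith("**", i):
            pattern, i = pattern + r".*", i + 2
        elif s[i] == "*":
            pattern, i = pattern + r"[^.]*", i + 1      # stays inside one qualifier
        elif s[i] == "%":
            pattern, i = pattern + r"[^.]", i + 1       # exactly one character
        else:
            pattern, i = pattern + re.escape(s[i]), i + 1
    return re.compile("^" + pattern + "$")

def filter_select(names, filter_string):
    """Profiles whose names match the FILTER string."""
    rx = filter_regex(filter_string)
    return [n for n in names if rx.match(n)]

if __name__ == "__main__":
    print(mask_select(PROFILES, "TMAX", "DSD"))
    print(filter_select(PROFILES, "TMAX.DSD%%%"))
    print(filter_select(PROFILES, "**.DSD*"))
```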

23. HELP (H)

Displays the syntax and description for all tacfmgr commands.

Syntax

The HELP command is used as follows:

{HELP | H}
    COMMAND

The following describes the parameters for the HELP command.

Field Description

COMMAND

Specifies the commands used in tacfmgr.

24. QUIT

Quits tacfmgr.

Syntax

The QUIT command is used as follows:

QUIT