RACF Utilities HTML readme file.
1. Overview of utilities
2. Release Notes
3. Quick Reference
4. More detailed notes on each utility
5. Sample JCL used to obtain input data
1. Overview of utilities
The idea of these utilities is to take a flatfile download from the mainframe
onto the PC and then process it to produce reports and/or JCL. The JCL can be
checked and, when you are satisfied it will do what you want, you then upload it
onto the mainframe and submit it as with any other JCL.
To get started you will need to get the flat file download from RACF, one or
more of these utilities, and a suitable RACF.INI file. I have supplied sample
JCL at the end for obtaining the flat file from RACF although this is well
documented in the IBM manuals. The utilities can be downloaded from my home
page much as with this readme.htm file. The home page also has a sample
RACF.INI file, which should be downloaded.
The sample RACF.INI file is expecting to find the flat file input in the
sub-directory prod and with a filename of racfprod.
The output string refers to the prefix on the output files. For example, utility
RACF02.EXE will write its output to files ???02.HTM and ???02.JCL, where ??? is
the output string defined. Hence the sample RACF.INI defines the output files as
RACF02.HTM and RACF02.JCL.
When transferring the flat file to PC the ASCII and CR/LF options should be selected
so that the PC file is a conventional ASCII text file.
Essentially, I keep all my programs in a 'RACF' directory. Then under that in
sub-directories called DEV and PROD I copy the flat file. Also residing in DEV
and PROD are the RACF.INI files. The main purpose of these is to tell the
programs which flat file to look at, although they contain some other
self-explanatory stuff as well.
I have my ..\RACF directory defined in my PATH statement and simply change
directory into the desired directory, i.e. DEV or PROD and the utilities look
for an ini file in the current directory.
..\RACF\RACF*.EXE        -- directory included in PATH
                            this is also the directory used for comparison
                            utilities, namely RACF35 and RACF40
..\RACF\DEV\RACF.INI     -- ini file
           \RACFDEV      -- downloaded ASCII flat file
           \RACF*.HTM    -- generated html reports
           \RACF*.JCL    -- generated jcl
..\RACF\PROD\RACF.INI
            \RACFPROD
            \RACF*.HTM
            \RACF*.JCL
2. Release Notes
Release 1.10 dated 4 July 2001
RACF38 and RACF69 bug fixes.
Bug fixes were required due to differences in the resultant data downloaded
depending on method used for file transfer. These utilities were originally
developed around native 3270 terminal emulator
Release 1.09 dated
RACF36 bug fix.
Readme updated to include revised notes on RACF68
Release 1.08 dated 25 March 2001
RACF07, RACF12 changed in two ways: first, the length restriction, which was
pre-HTML format, has been removed from the installation data field, giving much
more info and making the reports much more readable; and second, the WARNING
attribute has been added to the information.
Release 1.07 dated
RACF92 added to list all users.
All html reports have also been amended so that the title displays both the
name and date of the unload file from which the report was generated.
Minor cosmetic fixes made to RACF07, RACF09, RACF12, RACF38, RACF53.
Sample reports.bat and associated reports.htm now available. Save these to the
directory containing the unload and racf.ini files, run the reports.bat file
and then view reports.htm.
Release 1.06 dated
RACF89 minor fix to show correct owner on dataset profiles.
Also, readme.htm (i.e. this file) corrected not to force web access when
following internal links within the readme file.
Release 1.05 dated 24 January 2001
Utilities have had all conversions to uppercase removed except in RACF08 so
that they are capable of handling lower case data such as irrcerta supplied User ID.
Minor fix to RACF37
RACF00 and RACF91 have been added.
RACF01, RACF02, RACF11, RACF66 updated to include v2.10 changes such as LNOTES
and KERB segments etc.
RACF17, RACF39, RACF40, RACF41 have all been discontinued.
Release 1.04 dated
Utilities which were previously written for CICS classes and had the class
names hard coded have now been converted to operate on classes specified on the
command line parameters.
Utilities amended are RACF16, RACF22, RACF33, RACF34, RACF35, and RACF37.
(Utilities RACF17, RACF39, RACF40 and RACF41 have been dropped as they were
CICSCMD versions of CICSTRN utilities and are no longer required as the CICSTRN
versions have been made generic.)
Release 1.03 dated 1 September 2000
RACF42 extended to list all discrete profiles with ALTER
access, i.e. DATASET and General Resource not just DATASET as before.
Release 1.02 dated 21 July 2000
RACF01 fixed enabling it to cope with hex values in the record type.
RACFAWK also fixed to enable it to cope with hex values in record type.
RACF38 extended to include a section listing all PROTECTED User IDs.
RACF68 extended to include additional output file listing APFs which do not
have corresponding DATASET profiles. This can be used as input to RACFJCL to
generate required JCL to correct.
Release 1.00 dated
This is a major new release. Here is a sum
All code has been converted from 16-bit DOS code to 32-bit Windows code,
although it is still intended to be run from a command prompt. This has meant a
reduction in the sizes of the executables along with the ability to
significantly extend some of the previously limiting array parameters. Running
it from the command prompt still allows for the development of batch (or
command) files containing many steps so that when an up-to-date unload is
downloaded fresh reports are easily generated.
Virtually all output reports have been converted from dull text format to a
much slicker HTML format. This has meant that they always overwrite any
previous reports rather than appending as some used to do. Having generated a
report, simply enter the report name including extension at the command prompt
and, if using NT, it will make the association with your default hypertext
browser and load the report.
RACF88 has been both fixed and extended to give more
information.
The README file has been converted to HTML and enhanced.
RACF01 and RACF66 have been updated to take account of enhancements made to
RACF. This brings the utilities up to being in line with OS390 Version 2
Release 6.
3. Quick Reference
U=User ID  G=Group  D=Dataset
R=General Resource  C=CICS  X=General Function
Utility  | U | G | D | R | C | X | Key  | Key words
         |   |   |   |   |   | ■ |      | Pre-processor
         | ■ | ■ | ■ | ■ | ■ | ■ |      | Sum
         | ■ |   |   |   |   |   | JCL  | Non-existent User IDs
         |   | ■ |   |   |   |   |      | Group tree
         |   | ■ |   |   |   |   | JCL  | All Groups
         | ■ |   |   |   |   |   | JCL  | Expired User IDs
         |   | ■ |   |   |   |   | JCL  | List Group
         |   |   | ■ |   |   |   |      | Dataset (mask)
         | ■ |   |   |   |   |   | TEXT | User ID(s) (not-HTML)
         | ■ |   |   |   |   |   | JCL  | User IDs (mask)
RACF10   |   |   |   |   |   |   |      | Discontinued
         | ■ | ■ |   |   |   |   | JCL  | XREF (JCL to grant)
         |   |   |   | ■ |   |   |      | General Resources (mask)
RACF13   |   |   |   |   |   |   |      | Discontinued
RACF14   |   |   |   |   |   |   |      | Discontinued
RACF15   |   |   |   |   |   |   |      | Discontinued
         |   |   |   |   | ■ |   |      | List Member / Group Class
RACF17   |   |   |   |   |   |   |      | Discontinued
         | ■ |   |   |   |   |   | TEXT | All User IDs (not-HTML)
         |   |   |   | ■ |   |   |      | General Resource
         |   |   |   | ■ |   |   | JCL  | General Resource - Re-create - Prefixed
         | ■ | ■ |   |   |   |   | JCL  | XREF (JCL to remove)
         |   |   |   |   | ■ |   |      | Member class Installation data
         |   |   | ■ |   |   |   | JCL  | Dataset - Re-create - Prefixed
         | ■ |   |   |   |   |   | JCL  | Revoked User IDs
         |   |   |   | ■ |   |   | JCL  | General Resource - Delete - Prefixed
RACF26   |   |   |   |   |   |   |      | Discontinued
RACF27   |   |   |   |   |   |   |      | Discontinued
         |   |   |   | ■ |   |   |      | General Resource (prefix.mask)
RACF29   |   |   |   |   |   |   |      | Discontinued
         |   |   |   | ■ |   |   |      | STARTED
RACF31   |   |   |   |   |   |   |      | Discontinued
         |   |   |   | ■ |   |   |      | WARNING
         |   |   |   |   | ■ |   |      | Sorted Member / Group Class pair
         |   |   |   |   | ■ |   |      | Duplicate Member / Group Class pair
         |   |   |   |   | ■ |   |      | Compare Member / Group Class pair
         | ■ | ■ |   |   |   |   | JCL  | Compare Group
         |   |   |   |   | ■ |   | JCL  | XREF - Member / Group Class pair
         | ■ |   |   |   |   |   |      | Audit Report
RACF39   |   |   |   |   |   |   |      | Discontinued
RACF40   |   |   |   |   |   |   |      | Discontinued
RACF41   |   |   |   |   |   |   |      | Discontinued
         |   |   | ■ |   |   |   |      | discrete ALTER
RACF43   |   |   |   |   |   |   |      | Discontinued
RACF44   |   |   |   |   |   |   |      | Discontinued
RACF45   |   |   |   |   |   |   |      | Discontinued
         | ■ |   |   |   |   |   | JCL  | Delete User IDs
         |   | ■ |   |   |   |   | JCL  | Change Group
         |   |   |   | ■ |   |   | JCL  | General Resource - Re-create - non-Prefixed
         |   |   |   | ■ |   |   |      | General Resource - Delete - non-Prefixed
         |   | ■ |   |   |   |   |      | Connected Groups
         |   |   |   | ■ |   |   |      | General Resource friendly format
         | ■ | ■ |   |   |   |   |      | OwnerID
         |   | ■ |   |   |   |   |      | List Group
RACF54   |   |   |   |   |   |   |      | Discontinued
RACF55   |   |   |   |   |   |   |      | Discontinued
         |   |   | ■ |   |   |   | JCL  | UACC
RACF57   |   |   |   |   |   |   |      | Discontinued
         |   |   |   | ■ |   |   | JCL  | Notify
         |   |   | ■ | ■ |   |   |      | Audit Attributes
RACF60   |   |   |   |   |   |   |      | Discontinued
         |   |   | ■ |   |   |   | JCL  | Dataset - Grant access - Prefixed
         |   |   |   | ■ |   |   | JCL  | General Resource - Grant access - Prefixed
RACF63   |   |   |   |   |   |   |      | Discontinued
         |   |   |   | ■ |   |   | JCL  | General Resource - Re-create - non-Prefixed
         |   |   |   | ■ |   |   |      | General Resource
         | ■ |   |   |   |   |   |      | ListUser
         |   |   |   | ■ |   |   | JCL  | Notify
         |   |   | ■ |   |   |   |      | APF
         | ■ | ■ |   |   |   |   | JCL  | Revoked Connections
         |   | ■ |   |   |   |   |      | Count Connections
         |   |   | ■ |   |   |   |      | Dataset (mask)
         |   |   |   | ■ |   |   |      | Sum
         |   | ■ |   |   |   |   |      | Connected Groups
RACF74   |   |   |   |   |   |   |      | Discontinued
         |   | ■ |   |   |   |   | TEXT | List Group (non-HTML)
         |   | ■ |   |   |   |   | JCL  | List Group
         |   | ■ |   |   |   |   | JCL  | Connections
RACF78   |   |   |   |   |   |   |      | Discontinued
         | ■ |   |   |   |   |   | JCL  | User IDs
         |   |   | ■ |   |   |   | JCL  | Discrete Dataset
RACF81   |   |   |   |   |   |   |      | Discontinued
         | ■ |   |   |   |   |   |      | Annotate
RACF83   |   |   |   |   |   |   |      | Discontinued
         | ■ |   |   |   |   |   |      | User IDs
         |   |   |   | ■ |   |   | JCL  | General Resource
         | ■ |   |   |   |   |   | JCL  | LIMBO
         |   | ■ |   |   |   |   |      | GID
         | ■ |   |   |   |   |   |      | UID
         |   |   | ■ | ■ |   |   |      | SECURITY
         |   |   | ■ |   |   |   | JCL  | Dataset
         |   |   |   | ■ |   |   | JCL  | General Resource - Re-create
RACF92   | ■ |   |   |   |   |   | JCL  | User IDs (Detailed)
         | ■ | ■ | ■ | ■ | ■ | ■ |      | Ad-hoc (non-HTML)
RACFDIAG |   |   |   |   |   | ■ |      | Database Diagnostic
         | ■ | ■ | ■ | ■ | ■ | ■ | JCL  | JCL Generator (similar to CLIST)
4. More detailed notes on each utility
Here are more detailed notes on each utility including a rating for each where
the ratings used are as follows:
*** | General and useful utility recommended for general use
**  | Specialised utility for a particular requirement
*   | Either very specialised or very unusual requirement
i.e. investigate the *** ones, if you see a ** one that you can relate to then
fine, but tend to ignore the * ones.
Note: where runtime command line parameters are required the syntax can be
displayed by simply executing the utility without any parameters.
Utility | Key  | Description | Rating
        |      | Pre-processor. This filters the unloaded data to ensure all characters are valid ASCII and will not cause any unpredictable behaviour. The need for this utility arose during OS upgrades when the database was prepped for a later version than the one it was running under. Symptom was empty reports due to encountering an end-of-file character before finding the data to be reported on. | **
        |      | Text report of sum | ***
        | .JCL | Text report of profiles owned by non-existent User IDs. Also produces JCL to remove any non-existent User ID from any access list. | ***
        |      | Text report showing group tree structure. Similar to DSMON but better. Shows the number of connections to each group. | ***
        | JCL  | List all groups showing both the installation data (truncated) and the ownerid of the group. | ***
        | .JCL | List expired User IDs where expiry is determined by listing those users who have not accessed the system since the date specified in the RACF.INI file. JCL is produced such that expired CICS users are deleted and expired TSO users are revoked. Care needs to be taken not to delete apparently dormant but required system User IDs such as started tasks etc. | ***
        | JCL  | List group showing User IDs, names, authority and flag if group-special attribute is operative. JCL is for removal of User IDs from the group and is useful when deleting large groups. Beware, however, that as it can also be edited to become a connect job instead of a remove job, wherever group-special is operative this appears on the remove command although it is an invalid option. See also RACF76. | ***
        |      | Report showing access lists for DATASETs showing both User IDs and names. It is recursive and hence if you specify a high level qualifier it will list out all profiles starting with that HLQ. Because of the recursive name lookup this can be slow to run, so if it is not important to show names RACF71 may be better. | ***
        | TEXT | Search for User ID using string supplied. Searches both User ID and name field from the database. Mainly used for searching on names field, e.g. find a user by their first name if you can't find them by their User ID. Includes Installation data now as well. | **
        | JCL  | List User IDs based on a mask, e.g., can list all User IDs starting with letter A or AB or ABC etc. Report shows User ID, name, if revoked, when last logged on, if TSO segment exists and if CICS segment exists. JCL is also produced for resuming all the User IDs listed. | **
        |      | Discontinued. |
        | JCL  | Lists access for a User ID or group. Very similar to XREF except this also shows level of access! Very useful. JCL is also generated with the permit statements required to grant the access. Can be usefully edited and used to selectively model access for other groups or users. See also RACF37 and RACF41 and RACF21. | ***
        |      | Report showing access lists for General Resources showing both User IDs and names. This is similar to RACF07 except for General Resources rather than DATASETs. It is recursive and hence if you specify a high level qualifier it will list out all profiles starting with that HLQ. | ***
        |      | Discontinued. |
        |      | Discontinued. |
        |      | Discontinued. |
        |      | List all profiles in a member / group class pair with access lists. Useful for CICS classes. | ***
        |      | Discontinued. See RACF16 |
        | TEXT | Generate data file for allowing fast searching for User IDs. Output consists simply of all User IDs and associated names. | **
        |      | List all General Resource profiles with access lists for the class and group-class specified. | *
        | JCL  | List all General Resource profiles with access lists where prefix matches that specified. JCL is produced which will re-create profiles for that class / group-class pair and prefix. Useful for establishing environments such as modelling a prefixed CICS region or even taking a test set of profiles and implementing them on a live environment. See also RACF48, RACF51 and RACF91. | ***
        | JCL  | List access of a User ID or group. Similar to RACF11 but creates JCL to remove the access. Mainly used where a user has done a lot of RACF administration and their User ID has appeared on profiles which they have created but not removed themselves from the access list. Similar also to RACF45 which only looks at ALTER accesses and can use a User ID mask. | **
        |      | List all member class profiles with installation data. | *
        | JCL  | List all DATASET profiles with access lists where the prefix matches that specified. JCL is produced which will re-create profiles with that prefix. Sometimes useful for establishing environments by modelling existing ones. See also RACF90. | **
        | JCL  | List revoked users. JCL to delete if no TSO segment. | *
        | JCL  | Similar to RACF20 except JCL is for deleting profiles. Useful for cleaning up profiles no longer required. See also RACF49. | ***
        |      | Discontinued. |
        |      | Discontinued. |
        |      | List General Resource class profiles for a specified class pair where the initial letter matches, e.g. most useful for listing all TCICSTRN / GCICSTRN where initial letter is 'C' signifying IBM supplied. | **
        |      | Discontinued. |
        |      | List all STARTED class profiles with STDATA | ***
        |      | Discontinued. See RACF65 |
        |      | List all profiles with WARNING attribute set | ***
        |      | List all Member / Group class profiles sorted. Useful for comparing profiles for similar CICS trancodes but with varying prefixes. Slow to run because of recursive sorting. See also RACF34. | **
        |      | List Member / Group class profiles which have duplicate entries. Useful for TCICSTRN profiles or GCICSTRN members. As with RACF33 this is unfortunately slow to run. | **
        |      | Compare prefixed Member / Group profiles with specified prefix. Useful for comparing prefixed profiles in a test CICS region with those of the corresponding live region. Expects to find the flatfiles in sub-directories directly below. I normally run from \DATA\RACF with flat files in \DATA\RACF\DEV and \DATA\RACF\PROD. This report details differences and gives a sum | ***
        | JCL  | Compares 2 RACF groups and reports any User IDs found in both groups. | *
        | JCL  | List out all members with specified User ID or group on the access list. Similar to an XREF or RACF11 but only looks at Member / Group profiles and expands out the Group profiles to show all the actual Members. Useful for determining access to CICS trancodes. | ***
        |      | List User IDs with higher than normal authority. The report is split into sections and they are: | ***
        |      | Discontinued. See RACF34 |
        |      | Discontinued. See RACF35 |
        |      | Discontinued. See RACF37 |
        |      | List all discrete profiles with ALTER access. This is useful because normally this is a bad idea: if a user has ALTER access to a discrete profile this means they have full administration access using the PERMIT command over that profile, unlike with generic profiles where it simply means the user has ALTER access to the resources. | ***
        |      | Discontinued. |
        |      | Discontinued. |
        |      | Discontinued. |
        | JCL  | Takes as input a list of users to be deleted in the form of one User ID per line with no spaces. This is designed to interface with output from our HR system and onwardly interfaces to an application. Likely to be of little use to anyone else. | *
        | JCL  | Lists a group and produces JCL to change the owner and DFLTGRP of each member to that specified on the command line. | *
        | JCL  | Like RACF20 but for non-prefixed General Resource pairs. See also RACF51 | *
        | JCL  | Like RACF25 but for non-prefixed General Resource pairs. See also RACF51 | *
        |      | List User IDs in a group with DFLTGRP and all other connected groups. If many groups per user are involved then line length can grow to be awkwardly large, but can be useful. Similar to RACF73 which also shows names. | **
        |      | List prefixed profile pairs in friendly format. If using RACF20 or RACF25 to migrate profiles, because they have to create profiles and then add members and then do any permits they are not very user friendly. This is a more readable report, which can be used in conjunction with them. See also RACF48 and RACF49. | **
        |      | List all profiles and access lists belonging to OwnerID | ***
        |      | List group showing User ID, name, last access, if revoked, if TSO segment present, if CICS segment present, and CICS segment timeout value. | ***
        |      | Discontinued. |
        |      | Discontinued. |
        | .JCL | List all DATASET and JESSPOOL profiles with a UACC greater than NONE. Produces 2 JCL output files RACF56A.JCL and RACF56B.JCL. The first grants the same access as the UACC to the profiles and the second sets the UACC to none. | *
        |      | Discontinued. |
        | JCL  | List either all profiles with notify set or just those with a specific User ID set to notify. JCL produced for removing notify from listed profiles. | *
        |      | List profiles with non-default audit attributes set. Default audit attributes are defined as violation on READ or greater and no GLOBALAUDIT attributes set. Gives a good picture of what is being effectively audited. | **
        |      | Discontinued. |
        | JCL  | Grant access to some (i.e. don't if already on access list) DATASET profiles with the specified prefix for the given ID and access level. In order to generate JCL for all profiles simply give a fictitious Group which doesn't appear on any of the access lists. | *
        | JCL  | Grant access to some General Resource profiles with prefix for ID and access. Some being where it is omitted if ID is already on the access list. In order to generate JCL for all profiles simply give a fictitious Group which doesn't appear on any of the access lists. Similar to RACF26 | *
        |      | Discontinued. |
        | JCL  | List all General Resource profiles with access lists. JCL is produced which will re-create profiles for that class / group-class pair. Similar to RACF20 but without any prefix. See also RACF48 and RACF51 | *
        |      | List General Resource class. | ***
        |      | Similar to doing a ListUser command online | ***
        | JCL  | Set or clear notify on all profiles in a prefixed General Resource class pair. | **
        | .    | In addition to taking the flat file as input this utility also requires the output from a DSMON. It then reports the fully qualified profiles and access lists for all APF authorised libraries. In addition to RACF68 listing all APFs, RACF68.APF has been added to list those APFs which do not have corresponding DATASET profiles. Note: if several LPARs all share the same DASD then concatenate the DSMON outputs as shown to ensure all APFs are protected from all LPARs. i.e. this checks to ensure all APF authorised profiles are protected on both LPARs irrespective of which LPAR they have been authorised on. | ***
        | JCL  | List all revoked group connections. Doesn't quite work as intended, as connections don't appear to become revoked until the connection is used after the revoke date. See also RACF83. Intended to pick up revoke attribute but this is not usually set in download. Hence have added a revoke date parameter to racf.ini file which works similar to expired users, i.e. compares the actual dates. | ***
        |      | Count the number of users in a group. Very simplistic but useful nevertheless. | **
        |      | List DATASET access but without names. Quicker running version of RACF07 | **
        |      | Sum | ***
        |      | List group with names and all other group connections. Similar to RACF50 | **
        |      | Discontinued. |
        | TEXT | List group with only User ID and group on report, one per line and separated by a single space. | *
        | JCL  | List group showing User ID, name, connect owner, authority and if group-special attribute is present. This is essentially the same as a RACF06 but with the connect owner added. | ***
        | JCL  | List all group connections where connect is not owned by the group connected to. Shows where a connect has been done where the owner is not explicitly set to the same as the group. | **
        |      | Discontinued. |
        | JCL  | List all User IDs where the owner of the User ID is not the same as the DFLTGRP. | **
        | JCL  | List discrete DATASET profiles and produce JCL to convert to generic (i.e. delete and re-create). Ignores anything with HLQ starting DFHSM. See also RACF42 | *
        |      | Discontinued. |
        |      | Annotate a list of User IDs, where the input is in the form of one User ID per line and no spaces. The output from this is User ID, name, DFLTGRP, date last accessed, etc. | **
        |      | Discontinued. |
        |      | Generates a list of User IDs where the 2nd and 3rd positions are numeric but ignoring those that fit the mask 'Xnnnnn', where X is any alpha and n is any numeric. Info list includes User ID, name, DFLTGRP, create date, last access date and if TSO present. | *
        | JCL  | Similar to RACF20 / RACF64 but lists all profiles for a general resource class pair. Generates JCL to re-create for migrating to another platform. | ***
        | JCL  | Generates JCL intended for users who should be deleted from the system but can't be because they still own datasets. It assumes the group 'LIMBO' exists, connects the user to LIMBO with a revoked connection, makes it the DFLTGRP and OWNER of the User ID, and removes all other connections and all dataset and general resource access list entries. Also deletes any dataset profiles commencing with the User ID except User ID.** which has its access list reset. | ***
        |      | Generates list in essentially 3 columns, Group, Installation Data, and GID (any groups without a GID are not listed). | ***
        |      | Generates list in essentially 3 columns, User ID, Name, and UID (any users without a UID are not listed). | ***
        |      | List all profiles and access lists where the string SECURITY is found in the installation data field. (i.e. groups, datasets and general resources, ignores users) | ***
        | JCL  | List all DATASET profiles with access lists. JCL is produced which will re-create all profiles. Similar to RACF23 but without the limitation of prefix. | **
        | JCL  | List all General Resource profiles for the specified CLASS pair with access lists. JCL is produced which will re-create all profiles. Similar to RACF20 but without the limitation of prefix. | **
        |      | List all User IDs along with name, owner, date created, date last accessed, and if revoked. | ***
        |      | General-purpose tool to extract information from the flat file. Requires some knowledge of the format of the flat file, which is defined in the IBM RACF Macros and Interfaces Manual. In its simplest form it can be used to pull out all records of a single type, e.g. RACFAWK 0200 1 0200 or a string can be searched for within the record type at a specified location. Can be very useful on occasions. | ***
        | JCL  | This is similar to the CLIST option on the RACF search command and builds the header and footer information around it from the RACF.INI file. Very useful in conjunction with other utilities such as RACF75 where you can build a RACF command round a list of User IDs, e.g. RACFJCL RACF75 "ALU " " CICS(TIMEOUT(15))" where this will build the JCL to set everyone listed in the file RACF75 to a CICS timeout value of 15. | ***
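The kind of record selection the RACFAWK entry describes (all records of one type, or a string at a given column) and the discrete ALTER check, as an added Python example; it is not part of these utilities or their source. The sample records are constructed, and the column positions and YES/NO flag values are assumptions to be confirmed against the IBM manual for your release. It also reproduces the empty-report symptom from the pre-processor entry by comparing a text-mode read with a binary-safe one.

```python
import re

# Column positions (1-based, inclusive) are assumptions based on the
# IRRDBU00 record layouts; confirm them in the RACF Macros and Interfaces
# manual for your release.
DS_NAME, DS_VOL = (6, 49), (51, 56)     # shared by 0400 and 0404 records
DS_GENERIC = (58, 61)                   # 0400: YES / NO (assumed values)
ACC_ID, ACC_LEVEL = (58, 65), (67, 74)  # 0404: one access list entry


def _rec(*fields):
    """Build one constructed fixed-column record from (column, text) pairs."""
    buf = [" "] * 80
    for col, text in fields:
        buf[col - 1:col - 1 + len(text)] = text
    return "".join(buf).rstrip(" ")


# Constructed sample download (not real data). The first record carries a
# Ctrl-Z (0x1A) and a NUL where printable data is expected.
SAMPLE = "\r\n".join([
    _rec((1, "0200"), (6, "IBMUSER"), (15, "\x1a\x00")),
    _rec((1, "0400"), (6, "PAYROLL.MASTER"), (51, "VOL001"), (58, "NO")),
    _rec((1, "0404"), (6, "PAYROLL.MASTER"), (51, "VOL001"),
         (58, "JSMITH"), (67, "ALTER")),
    _rec((1, "0400"), (6, "PAYROLL.**"), (58, "YES")),
    _rec((1, "0404"), (6, "PAYROLL.**"), (58, "JSMITH"), (67, "ALTER")),
    _rec((1, "0404"), (6, "PAYROLL.**"), (58, "AUDIT1"), (67, "READ")),
]).encode("latin-1")


def dos_text_mode(raw):
    """Mimic a DOS text-mode read, which treats Ctrl-Z as end of file."""
    return raw.split(b"\x1a", 1)[0].decode("latin-1").splitlines()


def clean_lines(raw):
    """Binary-safe read: blank out every byte outside printable ASCII so
    column positions are preserved and nothing ends the input early."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    return [re.sub(rb"[^\x20-\x7e]", b" ", ln).decode("ascii")
            for ln in lines if ln]


def field(line, span):
    """Return the text in a 1-based inclusive column span, without padding."""
    start, end = span
    return line[start - 1:end].strip()


def select(lines, rectype, col=None, text=None):
    """Records of one type; optionally require `text` starting at `col`."""
    return [ln for ln in lines
            if ln[:4] == rectype
            and (text is None or ln[col - 1:].startswith(text))]


def discrete_alter(lines):
    """(profile, volume, id) for ALTER entries on discrete DATASET profiles."""
    discrete = {(field(ln, DS_NAME), field(ln, DS_VOL))
                for ln in select(lines, "0400")
                if field(ln, DS_GENERIC) == "NO"}
    return [(field(ln, DS_NAME), field(ln, DS_VOL), field(ln, ACC_ID))
            for ln in select(lines, "0404")
            if field(ln, ACC_LEVEL) == "ALTER"
            and (field(ln, DS_NAME), field(ln, DS_VOL)) in discrete]


if __name__ == "__main__":
    lines = clean_lines(SAMPLE)
    print(len(select(lines, "0200")), "user record(s)")
    print(select(lines, "0404", 58, "JSMITH"))
    print("text-mode read finds:", discrete_alter(dos_text_mode(SAMPLE)))
    print("binary-safe read finds:", discrete_alter(lines))
```

The text-mode read stops at the Ctrl-Z in the first record and so reports nothing, while the binary-safe read reports the one discrete profile where an ID holds ALTER.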
5. Sample JCL used to obtain input data
Sample JCL to copy and then unload RACF database to a sequential flat file.
//EXPORT JOB ((2331)),
// 'NIGEL',
// CLASS=A,
// MSGCLASS=X,
// MSGLEVEL=(1,1),
// NOTIFY=&SYSUID,
// TIME=1440
//*
//* THIS CREATES A RESTRUCTURED BACKUP DATABASE
//*
//COPY EXEC PGM=IRRUT200,PARM='NOLOCKINPUT'
//SYSPRINT DD SYSOUT=*
//SYSRACF DD DSN=SYS1.RACF.DEVA.DBASE,DISP=SHR
//SYSUT1 DD DSN=SYS1.RACF.DEVA.BACKUP,DISP=SHR
//SYSUT2 DD SYSOUT=*
//SYSIN DD *
INDEX
MAP
END
//*
//* THIS CREATES A SEQUENTIAL FLAT FILE FROM THE RACF BACKUP DATABASE
//*
//UNLOAD EXEC PGM=IRRDBU00,PARM=NOLOCKINPUT
//SYSPRINT DD SYSOUT=A,COPIES=1,DEST=U1018
//INDD1 DD DSN=SYS1.RACF.DEVA.BACKUP,DISP=SHR
//OUTDD DD DSN=username.RACF.FLATFILE,DISP=SHR
//
Sample JCL to obtain DSMON output in a DATASET for downloading.
(This is used in utility RACF68 to identify APF authorised libraries.)
//DSMON JOB ,'DSMON',CLASS=F,MSGCLASS=X,
// NOTIFY=&SYSUID
//*
//DSMON EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=username.DSMON,DISP=SHR
//SYSIN DD *
FUNCTION ALL
//
End-of-file.