Valid HTML 4.01!

RACF Utilities HTML readme file.
1. Overview of utilities
2. Release Notes
3. Quick Reference
4. More detailed notes on each utility
5. Sample JCL used to obtain input data
1. Overview of utilities

The idea of these utilities is to take a flatfile download from the mainframe onto the PC and then process it to produce reports and or JCL. The JCL can be checked and when you are satisfied it will do what you want you then upload it onto the mainframe and submit it as with any other JCL.

To get started you will need to get the flat file download from RACF, one or more of these utilities, and a suitable RACF.INI file. I have supplied sample JCL at the end for obtaining the flat file from RACF although this is well documented in the IBM manuals. The utilities can be downloaded from my home page much as with this readme.htm file. The home page also has a sample RACF.INI file which should be downloaded.

The sample RACF.INI file is expecting to find the flat file input in the sub-directory prod and with a filename of racfprod. The output refers to the prefix on the output files. For example utility RACF02.EXE will write its output to file ???02.HTM and ???02.JCL where ??? is the output string defined. Hence the sample RACF.INI defines the output files as RACF02.HTM and RACF02.JCL.

When transferring the flat file to PC the ASCII and CR/LF options should be selected so that the PC file is a conventional ASCII text file. Note: it is important that this file is the raw output from the unload process and must not be sorted, otherwise the resultant reports will be very unpredictable!

Essentially, I keep all my programs in a 'RACF' directory. Then under that in sub-directories called DEV and PROD I copy the flat file. Also residing in DEV and PROD are the RACF.INI files. The main purpose of these is to tell the programs which flat file to look at, although they contain some other self explanatory stuff as well.

I have my ..\RACF directory defined in my PATH statement and simply change directory into the desired directory, i.e. DEV or PROD and the utilities look for an ini file in the current directory.

..\RACF\RACF*.EXE -- directory included in PATH
this is also the directory used for comparison utils, namely RACF35 and RACF40

..\RACF\DEV\RACF.INI -- ini file
\RACFDEV -- downloaded ASCII flat file
\RACF*.HTM -- generated html reports
\RACF*.JCL -- generated jcl
..\RACF\PROD\RACF.INI
\RACFPROD
\RACF*.HTM
\RACF*.JCL
2. Release Notes

Release 1.29 dated 4 July 2006

One new utility and some changes and bug fixes.

Minor change, but it applies across the board, is an enhancement to the title data in the html at the top of the window. It now includes the version number, so that when you look back at old reports you know exactly which version of the utilities were used to generate them.

RACF04 - change to the content of the report. Where it used to have Owner ID this has been replaced with the Creation Date.

RACF05 - enhanced to also accept a Group as a parameter. Run without any command line parameters it still generates a list of all redundant users. If a Group is given as a parameter, it only lists the redundant users who are connected to that group. Also, delete user command generated for all dormant users now.

RACF110 - Previously this only listed users where they had a TSO segment with the TSOPROC name was not blank. It now lists users with TSO segments where the TSOPROC name is blank, thus listing all users with TSO segments.

RACF113 - new annotation program for annotating Groups. Similar to the utilities that annotate users but this one is for Groups.



Release 1.28 dated 11 March 2006

Just bug fixes for RACF11 and RACF99.



Release 1.27 dated 10 February 2006

One new utility and some enhancements (and bug fixes).

RACF112 - New, lists all issued certificates sorted by issuer. Very useful if you are generating your own certificates from RACF.

RACF11 - Enhanced to include command line options to allow better control on the granularity of reporting. You can report on the ACL entries for just a UserID, the UserID plus selected connected groups, or the UserID and all connected groups.

RACF00 - Enhanced to allow for European characters with accents. This also resulted in minor updates to the certificate reports.



Release 1.26 dated 20 November 2005

One new utility and some enhancements (and bug fixes).

RACF111 - New, basically a Group listing report that includes user creation date. This has been asked for by Sarbanes Oxley Auditors.

RACF87 - Enhanced to include hex values.

RACF88 - Enhanced to include hex values.

The enhancements to RACF87 an RACF88 were at the suggestion from Ulrich Boche as this could be useful when used in conjunction with the IRRUT200 utility which refers to hex values.

RACF109 - Bug fix, and enhancement so report now also shows creator as well as owner. Doesn't search on creator, simply displays creator info.

RACFDIAG - Significant development of this to output lots of diagnostic information, especially relating to unexpected characters found in the unload.


Release 1.25 dated 26 July 2005

A couple of new utilities and an enhanement.

RACF38 - Updated to include new section listing users with UAUDIT attribute

RACF109 - Search / report for digital certificates.

RACF110 - Lists all users with a TSO segment sorted by TSOPROC and showing region sizes. This also produces JCL based on the existing TSO region and max sizes which can be edited and used to effect changes.


Release 1.24 dated 28 June 2005

There have been quite a few additions / improvements with this release.

RACF01 - Updated to include new record types added in z/OS v1.6

RACF02 - Bug fixed. Thanks to the assistance of Rolf Pfister we managed to identify and fix a bug which caused it to hang after encoutrering a 0508 filter data record. Also, enhanced to handle conditional accesses on both datasets and general resources.

RACF52 - Minor enhancement to display certificate names properly with spaces rather than dollar signs.

RACF99 - Report remains unchanged, but JCL output is now generated for deleting expired certificates, all except ones owned by users starting with 'irr' such as certificate authority ones.

RACF108 - All new utility. Takes displays certificates by owner, also giving details of expiry date and if private key present or just certificate. Very useful, and helps identify if uers have lots of certificates, i.e. a risk of loosing all those certifictes should that user be deleted. This also generates JCL for changing the ownership of user owned certifictes, i.e. doesn't attempt to do anything with any certificated owned by a user starting 'irr' such as certificate authorities.


Release 1.23 dated 6 June 2005

There have been quite a few additions / improvements with this release.

RACF00 - Refined the filtering in relation to dollar and pound signs. The main place where this was manifesting itself was in the digital certificate reports (RACF94 through RACF101).

RACF07 - Addition of output file containing list of datasets as plain text.

RACF11 - Now reports on attributes, both user and connection, class authorisations, and if password is set to non-expiring, and if UID of zero is defined for user. Also, if report is being generated on a user, it prompts with question should report include enumeration of all connected groups.

RACF107 - All new utility. Takes as input output from LISTCAT commands and tries to reconcile RACF dataset profiles against list of cataloged datasets and reports list of profiles along with access control lists of any profile which doesn't appear to have any corresponding datasets.


Release 1.22 dated 6 February 2005

Bug fix maintenance release, no change to documentation.


Release 1.21 dated 30 January 2005

RACF105 generates a report by first building a list of UserIDs referenced from STARTED class profiles and then enumerating them with various details, in particular do they have the PROTECTED attribute set?

RACF106 generates a report by first building a list of UserIDs with a UID of zero and then enumerating them with various details, in particular do they have the PROTECTED attribute set?


Release 1.20 dated 15 January 2005

RACF104 generates a text file of Groups which can be imported directly into Visio's Organisational Chart Wizard.

RACF58 - fixed error in syntax of JCL relating to generic general resource class profiles.

All utility executables have now been made lowercase, along with all output files generated are now lowercase filenames. This has been done since discovering problems with reports.htm and RACF101 outputs when transferring them up unto IBM HTTP Server. The webserver is case sensitive and hence broken links result unless care is taken, so I've standardised on lowercase for all output filenames.


Release 1.19 dated 11 October 2004

One new utility RACF103 and several updated ones.

RACF103 finds UserIDs which have duplicate name data in the 20 character description field.

RACF82 and RACF102 have both been enhanced to show in bold any UserID which could not be annotated if not found in the unload. Previously it was just dropped with no indication.

RACF99 and RACF101 have both been enhanced to accept command line parameter of a UserID in order to be able to report on a subset of certificates for just that UserID.


Release 1.18 dated 15 August 2004

One new utility RACF102 and one updated utility RACF88.

RACF102 annotates a list of UserIDs with information relating to dates and passwords. Useful when reviewing UserIDs which may be dormant or may be used for started tasks etc.

RACF88 has had another column added to show default group of each user listed. It has also been extended in functionality to accept a runtime command line argument of a group. If a group is specified it will list all members of that group whether or not they have an OMVS segment.


Release 1.17 dated 22 June 2004

The difference between release 1.16 and 1.17 is that the array sizes have been significantly increased to allow the utilities to handle larger unloads.

Also, to aid problem diagnosis I have re-introduced an updated RACFDIAG.


Release 1.16 dated 5 June 2004

The reason for this release can be summed up in just two words - UNIVERSAL GROUPS.
Here is a list of the utilities which have been updated in order to correctly handle UNIVERSAL GROUPS:

RACF03, RACF04, RACF06, RACF11, RACF36, RACF47, RACF50, RACF52, RACF53, RACF66, RACF70, RACF73, RACF75, RACF76, RACF77, RACF86, RACF89

Note: some have been amended to correctly report on the Group Authority and some have simply had the Group Authority removed from the report where it was not deemed to be worth the effort of amending.

For those of you who are still wondering what this is all about, with UNIVERSAL GROUPS if the connect authority is USE then no 0102 records are cut in the unload. This hence requires in some cases minor tweaks and in some cases significant re-writes in the code.


Release 1.15 dated 8 May 2004

RACF100 has been added which lists certificates but also allows for a cut-off-date to be specified rather than having to list all the certificates.
RACF101 has been added which lists certificates sorted by month of expiry. This is useful for getting a feel for the distribution of the expiry dates for certificates within RACF.
Also some minor improvements in formatting on many utilities, continued tidying up of code from the days when it was all written for fixed pitch font reports, pre-html.

Release 1.14 dated 7 February 2004

RACF99 has been changed so that it now includes User ID and certificate label. There is also an Expiry Date-Line shown on the report (beware only looks at dates, not times).
RACF52 has also been improved in relation to handling, i.e. displaying digital certificate information. This can be used to report on certificates owned by a UserID (note: all irrcerta certificates are actually owned by IBMUSER)

Release 1.13 dated 3 January 2004

RACF92 has had another column added (by request) with the Last Password date showing the date the password was last changed.
RACF38 has been revamped, including new options in racf.ini to enable suppression of sections, introduction of a variable to define threshold at which reporting occurs on password expiry of users.
As a result of the changes for RACF38 to the racf.ini file I have also introduced system variables for the dates used in RACF05 and RACF69. These can now be picked up from the date of the unload file, thus removing any need to manually edit the racf.ini file for each set of reports generation.

This does of course mean racf.ini will need to be updated for this release, please download a fresh racf.ini

Release 1.12 dated 25 August 2003

RACF93 added to produce listing of CICS users with OPID
RACF94 through RACF99 added to provide reporting on Digital Certificates.

Also, reports.htm and reports.bat have both been updated to include the Digital Certificate reports.

Release 1.11 dated 8 July 2002

RACF00 updated to include a check to detect when an unload has been sorted.

Readme updated to include revised notes on RACF38 regarding PROTECTED users.

Release 1.10 dated 4 July 2001

RACF38 and RACF69 bug fixes.

Bug fixes were required due to differences in the resultant data downloaded depending on method used for file transfer. These utilities were originally developed around native 3270 terminal emulator ind$file transfers, but there are significant differences if data is transferred using ftp. These bug fixes mean they will work with either method of file transfer.

Release 1.09 dated 29 April 2001

RACF36 bug fix.

Readme updated to include revised notes on RACF68

Release 1.08 dated 25 March 2001

RACF07, RACF12 changed in two ways, first length restriction which was pre-html format has been removed from the installation data field giving much more info and making the reports much more readable, and second the WARNING attribute has been added to the information.

Release 1.07 dated 17 March 2001

RACF92 added to list all users.

All html reports have also been amended so that the title displays both the name and date of the unload file from which the report was generated.

Minor cosmetic fixes made to RACF07, RACF09, RACF12, RACF38, RACF53

Sample reports.bat and associated reports.htm now available. Save these to the directory containing the unload and racf.ini files, run the reports.bat file and then view reports.htm.

Release 1.06 dated 16 February 2001

RACF89 minor fix to show correct owner on dataset profiles.

Also, readme.htm (i.e. this file) corrected not to force web access when following internal links within the readme file.

Release 1.05 dated 24 January 2001

Utilities have had all conversions to uppercase removed except in RACF08 so that they are capable of handling lower case data such as irrcerta supplied UserID.

Minor fix to RACF37

RACF00 and RACF91 have been added.

RACF01, RACF02, RACF11, RACF66 updated to include v2.10 changes such as LNOTES and KERB segments etc.

RACF17, RACF39, RACF40, RACF41 have all been discontinued.

Release 1.04 dated 12 November 2000

Utilities which were previously written for CICS classes and had the class names hard coded have now been converted to operate on classes specified on the command line parameters.

Utilties amended are RACF16, RACF22, RACF33, RACF34, RACF35, and RACF37.

(utilities RACF17, RACF39, RACF40 and RACF41 have been dropped as they were CICSCMD versions of CICSTRN utilities and are no longer required as the CICSTRN versions have been made generic)

Release 1.03 dated 1 September 2000

RACF42 extended to list all discrete profiles with ALTER access, i.e. DATASET and General Resource not just DATASET as before.

Release 1.02 dated 21 July 2000

RACF01 fixed enabling it to cope with hex values in the record type
RACFAWK also fixed to enable it to cope with hex values in record type
RACF38 extended to include a section listing all PROTECTED UserIDs
RACF68 extended to include additional output file listing APFs which do not have corresponding DATASET profiles. This can be used as input to RACFJCL to generate required JCL to correct.

Release 1.00 dated 1 May 2000

This is a major new release. Here is a summary of the enhancements.

All code has been converted from 16-bit DOS code to 32-bit Windows code, although it is still intended to be run from a command prompt. This has meant a reduction in the sizes of the executables along with the ability to significantly extend some of the previously limiting array parameters. Running it from the command prompt still allows for the development of batch (or command) files containing many steps so that when an up-to-date unload is downloaded fresh reports are easily generated.

Virtually all output reports have been converted from dull text format to a much slicker HTML format. This has meant that they always overwrite any previous reports rather than appending as some used to do. If at the command prompt having generated a report simply enter the report name including extension and if using NT it will make the association with your default hypertext browser and load the report.

RACF88 has been both fixed and extended to give more information.

The README file has been converted to HTML and enhanced.

RACF01 and RACF66 have been updated to take account enhancements made to RACF. This brings the utilities up to being in line with OS390 Version 2 Release 6.

3. Quick Reference

UtilityKey Key words
RACF00Pre-processor
RACF01Summary
RACF02JCLNon-existent UserIDs
RACF03Group tree
RACF04JCLAll Groups
RACF05JCLExpired UserIDs
RACF06JCLList Group
RACF07TEXTDataset (mask)
RACF08TEXTUserID(s) (not-HTML)
RACF09JCLUserIDs (mask)
RACF11JCLXREF (JCL to grant)
RACF12General Resources (mask)
RACF16List Member / Group Class
RACF18TEXTAll UserIDs (not-HTML)
RACF19General Resource
RACF20JCLGeneral Resource - Re-create - Prefixed
RACF21JCLXREF (JCL to remove)
RACF22Member class Installation data
RACF23JCLDataset - Re-create - Prefixed
RACF24JCLRevoked UserIDs
RACF25JCLGeneral Resource - Delete - Prefixed
RACF28General Resource (prefix.mask)
RACF30STARTED
RACF32WARNING
RACF33Sorted Member / Group Class pair
RACF34Duplicate Member / Group Class pair
RACF35Compare Member / Group Class pair
RACF36JCLCompare Group
RACF37JCLXREF - Member / Group Class pair
RACF38Audit Report
RACF42discrete ALTER
RACF46JCLdelete UserIDs
RACF47JCLchange Group
RACF48JCLGeneral Resource - Re-create - non-Prefixed
RACF49General Resource - Delete - non-Prefixed
RACF50Connected Groups
RACF51General Resource friendly format
RACF52OwnerID
RACF53List Group
RACF56JCLUACC
RACF58JCLNotify
RACF59Audit Attributes
RACF61JCLDataset - Grant access - Prefixed
RACF62JCLGeneral Resource - Grant access - Prefixed
RACF64JCLGeneral Resource - Re-create - non-Prefixed
RACF65General Resource
RACF66ListUser
RACF67JCLNotify
RACF68APF
RACF69JCLRevoked Connections
RACF70Count Connections
RACF71Dataset (mask)
RACF72Summary (General Resources)
RACF73Connected Groups
RACF75TEXTList Group (non-HTML)
RACF76JCLList Group
RACF77JCLConnections
RACF79JCLUserIDs
RACF80JCLDiscrete Dataset
RACF82Annotate Users
RACF84UserIDs
RACF85JCLGeneral Resource
RACF86JCLLIMBO
RACF87GID
RACF88UID
RACF89SECURITY
RACF90JCLDataset
RACF91JCLGeneral Resource - Re-create
RACF92List of all users
RACF93CICS OPID
RACF94Certificate labels
RACF95Certificates (unsorted)
RACF96Key Rings
RACF97Certificate Mappings
RACF98Certificate Trusts
RACF99JCLCertificates (sorted by expiry)
RACF100Certificates (sorted by expiry)
RACF101Certificates (sorted by month)
RACF102Annotate Users
RACF103duplicate UserID names
RACF104Visio Import of Groups
RACF105STARTED task UserIDs and PROTECTED
RACF106UID(0) UserIDs and PROTECTED
RACF107Reconcile DATASET profiles
RACF108JCLCertificates by OWNER
RACF109JCLSearch / list Digital Certificates
RACF110TSO users sorted by TSOPROC
RACF111Group report including creation date
RACF112Issued certificates sorted by Issuer
RACF113Annotate Groups
RACFAWKAd-hoc (non-HTML)
RACFDIAGDiagnostic information gathering tool
RACFJCLJCLAd-hoc (non-HTML)

4. More detailed notes on each utility

Here are more detailed notes on each utility including a rating for each where the ratings used are as follows:

***General and useful utility recommended for general use
**Specialised utility for a particular requirement
*Either very specialised or very unusual requirement

i.e. investigate the *** ones, if you see a ** one that you can relate to then fine, but tend to ignore the * ones.

Note: where runtime command line parameters are required the syntax can be displayed by simply executing the utility without any parameters.
UtilityKeyDescriptionRating
RACF00Pre-processor. This filters the unloaded data to enusre all characters are valid ASCII and will not cause any unpredictable behaviour. The need for this utility arose during OS upgrades when the database was preped for a later version than the one it was running under. Sympton was empty reports due to encoutering an end-of-file character before finding the data to be reported on. Now also contains a check to detect if unload has been sorted. Unloads must not be sorted otherwise results become very unpredictable depending on the utility. If the correct character mapping is defined between mainframe and PC then you are likely to get zero characters changed. If the character mapping is not spot on then this utility will filter out the binary values likely to cause problems when running reports. This utility should always be run first before running any other reports.***
RACF01Text report of summary information***
RACF02.JCLText report of profiles owned by non-existent userids. Also produces JCL to remove any non-existent userid from any access list.***
RACF03Text report showing group tree structure. Similar to DSMON but better. Shows the number of connections to each group. See also RACF104***
RACF04JCLList all groups showing both the installation data (truncated) and the create date of the group.***
RACF05.JCLList expired userids where expiry is determined by listing those users who have not accessed the system since the date specified in the RACF.INI file. JCL is produced to delete all dormant users listed Care needs to be taken not to delete apparently dormant, but required system userids such as started tasks etc. Enhanced to now accept optional command line parameter of a Group thus only listing the dormant users that are connected to that Group.***
RACF06JCLList group showing userids, names, authority and flag if group-special attribute is operative. JCL is for removal of userids from the group and is useful when deleting large groups. Beware, however, that as it can also be edited to become a connect job instead of a remove job where ever group-special is operative this appears on the remove command although it is an invalid option. See also RACF76 and RACF111.***
RACF07TEXTReport showing access lists for DATASETs showing both userids and names. It is recursive and hence if you specify a high level qualifier it will list out all profiles starting with that HLQ. Because of the recursive name lookup this can be slow to run so if it is not important to show names RACF71 may be better. Also creates RACF07 containing simple text list of DATASET profile names.***
RACF08TEXTSearch for userid using string supplied. Searches both userid and name field from the database. Mainly used for searching on names field, e.g. find a user by their first name if you can't find them by their userid. Includes Installation data now as well.**
RACF09JCLList userids based on a mask. e.g. can list all userids starting with letter A or AB or ABC etc. Report shows userid, name, if revoked, when last logged on, if TSO segment exists and if CICS segment exists. JCL is also produced for resuming all the userids listed.**
RACF10Discontinued.
RACF11JCLLists access for a userid or group. Very similar to XREF expect this also shows level of access! Very useful. JCL is also generated with the permit statements required to grant the access. Can be usefully edited and used to selectively model access for other groups or users. Now reports on attributes, both user and connection, class authorisations, and if password is set to non-expiring, and if UID of zero is defined for user. Also, if report is being generated on a user, it prompts with question should report include enumeration of all connected groups. See also RACF37 and RACF41 and RACF21***
RACF12Report showing access lists for General Resources showing both userids and names. This is similar to RACF07 expect for General Resources rather than DATASETs. It is recursive and hence if you specify a high level qualifier it will list out all profiles starting with that HLQ.***
RACF13Discontinued.
RACF14Discontinued.
RACF15Discontinued.
RACF16List all profiles in a member / group class pair with access lists. Useful for CICS classes.***
RACF17Discontinued. See RACF16
RACF18TEXTGenerate data file for allowing fast searching for userids Output consists simply of all userids and associated names**
RACF19List all General Resource profiles with access lists for the class and group-class specified.*
RACF20JCLList all General Resource profiles with access lists where prefix matches that specified. JCL is produced which will re-create profiles for that class / group-class pair and prefix. Useful for establishing environments such as modelling a prefixed CICS region or even taking a test set of profiles an implementing them on a live environment. See also RACF48,RACF51 and RACF91***
RACF21JCLList access of a userid or group. Similar to RACF11 but creates JCL to remove the access. Mainly used where a user has done a lot of RACF administration and their userid has appeared on profiles which they have created but not removed themselves from the access list. Similar also to RACF45 which only looks at ALTER accesses and can use a userid mask.**
RACF22List all member class profiles with installation data.*
RACF23JCLList all DATASET profiles with access lists where the prefix matches that specified. JCL is produced which will re-create profiles with that prefix. Sometimes useful for establishing environments by modelling existing ones. See also RACF90**
RACF24JCLList revoked users. JCL to delete if no TSO segment.*
RACF25JCLSimilar to RACF20 except JCL is for deleting profiles. Useful for cleaning up profiles no longer required. See also RACF49***
RACF26Discontinued.
RACF27Discontinued.
RACF28List General Resource class profiles for a specified class pair where the initial letter matches. e.g. most useful for listing all TCICSTRN / GCICSTRN where initial letter is 'C' signifying IBM supplied.**
RACF29Discontinued.
RACF30List all STARTED class profiles with STDATA***
RACF31Discontinued. See RACF65
RACF32List all profiles with WARNING attribute set***
RACF33List all Member / Group class profiles sorted. Useful for comparing profiles for similar CICS trancodes but with varying prefixes. Slow to run because of recursive sorting. See also RACF34**
RACF34List Member / Group class profiles which have duplicate entries. Useful for TCICSTRN profiles or GCICSTRN members. As with RACF33 this is unfortunately slow to run.**
RACF35Compare prefixed Member / Group profiles with specified prefix. Useful for comparing prefixed profiles in a test CICS region with those of the corresponding live region. Expects to find the flatfiles in sub-directories directly below. I normally run from \DATA\RACF with flat files in \DATA\RACF\DEV and \DATA\RACF\PROD This report details differences and gives a summary of the matching profiles.***
RACF36JCLCompares 2 RACF groups and reports any userids found in both groups.*
RACF37JCLList out all members with specified userid or group on the access list. Similar to an XREF or RACF11 but only looks at Member / Group profiles and expands out the Group profiles to show all the actual Members. Useful for determining access to CICS trancodes.***
RACF38List userids with higher than normal authority. The report is split into sections and they are:
List of users with system attributes,
List of users with group attributes,
List of users with class authority,
List of users with group connection other than use,
List of users with password intervals greater than x days,
List of users with nopassword allowed,
List of protected users
List of restricted users
List of users with uaudit attribute.		***
RACF39Discontinued. See RACF34
RACF40Discontinued. See RACF35
RACF41Discontinued. See RACF37
RACF42List all discrete profiles with ALTER access. This is useful because normally this is a bad idea as if a user has ALTER access to a discrete profile this means they have full administration access using the PERMIT command over that profile unlike with generic profiles where it simply means the user has ALTER access to the resources.***
RACF43Discontinued.
RACF44Discontinued.
RACF45Discontinued.
RACF46JCLTakes as input a list of users to be deleted in the form of one userid per line with no spaces. This is designed to interface with output from our HR system and onwardly interfaces to an application. Likely to be of little use to anyone else.*
RACF47JCLLists a group and produces JCL to change the owner and dfltgrp of each member to that specified on the command line.*
RACF48JCLLike RACF20 but for non-prefixed General Resource pairs. See also RACF51*
RACF49JCLLike RACF25 but for non-prefixed General Resource pairs. See also RACF51*
RACF50List userids in a group with dfltgrp and all other connected groups. If many groups per user are involved then line length can grow to be awkwardly large, but can be useful. Similar to RACF73 which also shows names.**
RACF51List prefixed profile pairs in friendly format. If using RACF20 or RACF25 to migrate profiles because they have to create profiles and then add members and then do any permits they are not very user friendly. This is a more readable report which can be used in conjunction with them. See also RACF48 and RACF49**
RACF52List all profiles and access lists belonging to OwnerID Note: all irrcerta (i.e. CERTAUTH) digital certificates are owned by IBMUSER.***
RACF53List group showing userid, name, last access, if revoked, if TSO segment present, if CICS segment present, and CICS segment timeout value.***
RACF54Discontinued.
RACF55Discontinued.
RACF56.JCLList all DATASET and JESSPOOL profiles with a UACC greater than NONE. Produces 2 JCL output files RACF56A.JCL and RACF56B.JCL. The first grants the same access as the UACC to the profiles and the second sets the UACC to none.*
RACF57Discontinued.
RACF58JCLList either all profiles with notify set or just those with a specific userid set to notify. JCL produced for removing notify from listed profiles.*
RACF59List profiles with non-default audit attributes set. Default audit attributes are defined as violation on READ or greater and no globalaudit attributes set. Gives a good picture of what is being effectively audited.**
RACF60Discontinued.
RACF61JCLGrant access to some (i.e. don't if already on access list) DATASET profiles with the specified prefix for the given ID and access level. In order to generate JCL for all profiles simply give a fictitious Group which doesn't appear on any of the access lists.*
RACF62JCLGrant access to some General Resource profiles with prefix for ID and access. Some being where it is omitted if ID is already on the access list. In order to generate JCL for all profiles simply give a fictitious Group which doesn't appear on any of the access lists. Similar to RACF26*
RACF63Discontinued.
RACF64JCLList all General Resource profiles with access lists. JCL is produced which will re-create profiles for that class / group-class pair. Similar to RACF20 but without any prefix. See also RACF48 and RACF51*
RACF65List General Resource class.***
RACF66Similar to doing a ListUser command online***
RACF67JCLSet or clear notify on all profiles in a prefixed General Resource class pair.**
RACF68.In addition to taking the flat file as input this utility also requires the output from a DSMON. It then reports the fully qualified profiles and access lists for all APF authorised libraries. In addition to RACF68 listing all APFs, RACF68.APF has been added to list those APFs which do not have corresponding DATASET profiles. Note: if several LPARs all share the same DASD then concatentate the DSMON outputs as shown to ensure all APFs are protected from all LPARs.
type \data\racf\prda\dsmon > \data\racf\prda\dsmonx
type \data\racf\prdb\dsmon >> \data\racf\prda\dsmonx
type \data\racf\prdb\dsmon > \data\racf\prdb\dsmonx
type \data\racf\prda\dsmon >> \data\racf\prdb\dsmonx
and then run RACF68 as
RACF68 dsmonx
for both prda and prdb
i.e. this checks to ensure all APF authorised profiles are protected on both LPARs irrespective of which LPAR they have been authorised on.		***
RACF69JCLList all revoked group connections. Doesn't quite work as intended as connections don't appear to become revoked until the connection is used after the revoke date. See also RACF83 Intended to pick up revoke attribute but this is not usually set in download. Hence have added a revoke date parameter to racf.ini file which works similar to expired users, i.e. compares the actual dates.***
RACF70Count the number of users in a group. Very simplistic but useful never the less.**
RACF71List DATASET access but without names. Quicker running version of RACF07**
RACF72Summary breakdown of General Resource profiles.***
RACF73List group with names and all other group connections. Similar to RACF50**
RACF74Discontinued.
RACF75TEXTList group with only userid and group on report, one per line and separated by a single space.*
RACF76JCLList group showing userid, name, connect owner, authority and if group-special attribute is present. This is essentially the same as a RACF06 but with the connect owner added. See also RACF111***
RACF77JCLList all group connections where connect is not owned by the group connected to. Shows where a connect has been done where the owner is not explicitly set to the same as the group.**
RACF78Discontinued.
RACF79JCLList all userids where the owner of the userid is not the same as the dfltgrp.**
RACF80JCLList discrete DATASET profiles and produce JCL to convert to generic (i.e. delete and re-create). Ignores anything with HLQ starting DFHSM. See also RACF42*
RACF81Discontinued.
RACF82Annotate a list of userids. Where the input is in the form of one userid per line and no spaces. The output from this is userid, name, dfltgrp, date last accessed, etc. See also RACF102 Now reports in bold any UserID which cannot be found (previously dropped witout any indication). **
RACF83Discontinued.
RACF84Generates a list of userids where the 2nd and 3rd positions are numeric but ignoring those which fit the mask 'Xnnnnn ' where X is any alpha and n is any numeric. Info list includes userid, name, dfltgrp, create date, last access date and if TSO present.*
RACF85JCLSimilar to RACF20 / RACF64 but lists all profiles for a general resource class pair. Generates JCL to re-create for migrating to another platform.***
RACF86JCLGenerates JCL intended for users who should be deleted from the system but can't be because they still own datasets. It assumes the group 'LIMBO' exists, connects the user to LIMBO with a revoked connection, makes it the DFLTGRP and OWNER of the userid, removes all other connections and all dataset and general resource access list entries. Also deletes any dataset profiles commencing with the userid except userid.** which has its access list reset.***
RACF87Generates list in essentially 3 columns, Group, Installation Data, and GID (any groups without a GID are not listed). Updated to include hex GID in addition to decimal GID.***
RACF88Generates list in essentially 6 columns, giving user details and OMVS segment details such as UserID, Name, default group, UID home path, program (any users without a UID are not listed). Update to inlcude hex UID in addition to decimal UID.
Now, also accepts a group to be specified on the command line. In this mode it lists only users who are members of the group and lists all members of the group whether they have an OMVS segment or not.		***
RACF89List all profiles and access lists where the string SECURITY is found in the installation data field. (i.e. groups, datasets and general resources, ignores users)***
RACF90JCLList all DATASET profiles with access lists. JCL is produced which will re-create all profiles. Similar to RACF23 but without the limitation of prefix.**
RACF91JCL List all Genreral Resource profiles for the specified CLASS pair with access lists. JCL is produced which will re-create all profiles. Similar to RACF20 but without the limitation of prefix.**
RACF92 List all UserIDs along with name, owner, date created, date last accessed, and if revoked.***
RACF93 List all CICS users with showing any OPIDs. This utility was provided at the request of Rolf W Valters.**
RACF94 List all Digital Certificates by UserID and label.***
RACF95 List all Digital Certificates (unsorted).**
RACF96 List all Digital Certificate King Rings.**
RACF97 List all Digital Certificate Mappings.**
RACF98 List all Digital Certificate Trusts.***
RACF99JCL List all Digital Certificates sorted by expiry date. Now also includes UserID and certificate label which makes this a very useful report. The Expiry Date-Line shown in the report is calculated purely on the date and does not take into account the time. Now accepts optional command line parameter of a UserID to restrict the report to a subset of certificates owned by said UserID. Now also generates JCL to delete expired certificates. See also RACF109 and RACF112. ***
RACF100 Same as RACF99 but has addition of a cut-off-date so that you can list certificates up until the specified date. ***
RACF101 List all Digital Certificates sorted by month of expiry date. This is really useful if trying to manage certificates where you need to get a feel for the distribution of the expiry dates of the issued certificates. Now accepts optional command line parameter of a UserID to restrict the report to a subset of certificates owned by said UserID. ***
RACF102 Annotate a list of userids. Where the input is in the form of one userid per line and no spaces. The output from this is userid, name, dfltgrp, date last accessed, etc. Similar to RACF82 but this report focuses on dates (creation, last access, password changed) and password (expiry, generation number). Now reports in bold any UserID which cannot be found (previously dropped witout any indication). **
RACF103 Report on UserIDs which have duplicate name data. Because there are likely to be UserIDs with duplicate data which is intentional it looks for an input file of RACF103 for name data to be ignored. **
RACF104 This utility generates a text (txt) file which can be directly imported into the Visio Organisational Chart Wizard. Note: if there is a large number of groups then it can take quite a long time for Visio to process this import! I have been asked where the idea for this utility came from, well Doc Farmer suggested it to me. Also, I have since discovered it is possible to specifiy the level within the tree to report from meaning you can generate a tree structure report on just part of the group structure which makes this more useful. See also RACF03 **
RACF105 This utility generates a report by first building a list of UserIDs referenced from STARTED class profiles and then enumerating them with details, in particular do they have the PROTECTED attribute set?
See also RACF106 and RACF30 		***
RACF106 This utility generates a report by first building a list of UserIDs with a UID(0) and then enumerating them with details, in particular do they have the PROTECTED attribute set?
See also RACF106 and RACF88 		***
RACF107 This utility takes as input, the output from LISTCAT commands across all catalogs (see sample JCL at end of readme). It then processes the list of dataset profiles, listing those for which it cannot find a corresponding datset. A note of caution, be careful some profiles will be required for transient datasets! This utility requires the name of the input dataset as a commandline parameter. It will then look for an additional optional parameter. By default it will check for datasets and dataset profiles from A to Z. However, it will accept a commandline string of characters. e.g. AHM will check just those letters, or $#@ will check just the national characters, or ABCDEFGHIJKLMNOPQRSTUVWXYZ$#@ will check the lot. ***
RACF108 This utility generates a report of certificates sorted by the owner user ID. It has a number of optional command line parameters. First is a user ID on which to report, no parameters means it gnerates a full report for all users. Then there are a couple of additional optional parameters of user ID to change to and HLQ for export datasets. Both these parameters are only relevant for the generated JCL. For each certificate found for the first user ID specified it generates the following RACDCERT commands, (1) a list of the cert on the user (2) an export to a dataset (3) a delete of the cert (4) an import back in from dataset to new user (5) finally a list of the cert on the new user. ***
RACF109 This is a search facility for certificates. It accepts up to 9 search strings on the command line and reports back any certifictes which match all search strings specified. The search is across the 4 fields that appear in the report, and scores a hit if found in any of the four fields, namely: UserID, label, common name (i.e. CN) within the certificate details, or expiry date. Only the UserID and label of any found certificates are displayed on the command line, but a full html report is always generated listing UserID, label, CN, and Exipry date. Updated to include listing of UserID who created the certificate. This has no relevance to RACF but can be useful to know. See also RACF112 and RACF99. ***
RACF110JCL Lists all users with a TSO segment sorted by the default TSOPROC. The report also lists both region size and max region size along with user details and default group. JCL is generated for each user using the currently defined region and max sizes. This can be easily edited and then submitted to effect changes to the TSO region sizes. ***
RACF111 List group showing userids, names, last access date, creation date and if the revoked attribute is operative. This report was requested by Sarbanes Oxley Auditors specifically to see the user creation date. See also RACF06 and RACF76. ***
RACF112 List certificates showing owner, creator, certificate label and expiry date and sorted by certificate authority. Note: any CERTAUTH (or irrcerta) certificate which doesn't have certificates which have been issued under it (i.e. matching Common Names) are suppressed. See also RACF109 and RACF99. ***
RACF113 Annotate a list of groups. Where the input is in the form of one group per line and no spaces. The output from is similar to RACF04 which is full list of all groups. **
RACFAWKGeneral purpose tool to extract information from the flat file. Requires some knowledge of the format of the flat file which is defined in the IBM RACF Macros and Interfaces Manual. In its simplest form it can be used to pull out all records of a single type, e.g. racfawk 0200 1 0200 or a string can be searched for within the record type at a specified location. Can be very useful on occasions.***
RACFDIAGThis is an information gathering tool to assist in the event of problems. If you are unable to resolve a problem, then please use this tool to generate RACFDIAG.HTM and send it to me for analysis with a description of the problem you are encountering.**
RACFJCLJCLThis is similar to the clist option on the RACF search command and builds the header and footer information around it from the RACF.INI file. Very useful in conjunction with other utilities such as RACF75 where you can build a RACF command round a list of userids, e.g. RCAFJCL RACF75 "ALU " " CICS(TIMEOUT(15))" where this will build the JCL to set everyone listed it the file RACF75 to a CICS timeout value of 15.***

5. Sample JCL used to obtain input data

Sample JCL to copy and then unload RACF database to a sequential flat file.

//EXPORT JOB ((2331)),
// 'NIGEL',
// CLASS=A,
// MSGCLASS=X,
// MSGLEVEL=(1,1),
// NOTIFY=&SYSUID,
// TIME=1440
//*
//* THIS CREATES A SEQUENTIAL FLAT FILE FROM THE RACF BACKUP DATABASE
//*
//UNLOAD EXEC PGM=IRRDBU00,PARM=NOLOCKINPUT
//SYSPRINT DD SYSOUT=A,COPIES=1,DEST=U1018
//INDD1 DD DSN=SYS1.RACF.DEVA.BACKUP,DISP=SHR
//OUTDD DD DSN=username.RACF.FLATFILE,DISP=SHR
//
Sample JCL to obtain DSMON output in a DATASET for downloading.
(This is used in utility RACF68 to identify APF authorised libraries.)

//DSMON JOB ,'DSMON',CLASS=F,MSGCLASS=X,
// NOTIFY=&SYSUID
//*
//DSMON EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=username.DSMON,DISP=SHR
//SYSIN DD *
FUNCTION ALL
//
Sample JCL to obtain LISTCAT input for RACF107. First stage is to obtain a list of user CATALOGs.

//RACFDSN1 JOB ,'LIST MASTCAT',CLASS=A,
// REGION=0M,NOTIFY=&SYSUID
//*
//STEP01 EXEC PGM=IKJEFT01,REGION=25M
//SYSTSPRT DD DSN=xxxxxxx.CATLIST,
// DISP=(NEW,CATLG,DELETE),
// UNIT=3390,
// SPACE=(CYL,(100,100),RLSE),
// LRECL=133,BLKSIZE=27930,RECFM=FB
//SYSOUT DD SYSOUT=*
//SYSTSIN DD *
PROFILE NOPREFIX
LISTCAT CATALOG('SYS1.xxxxxx.MASTCAT') UCAT
/*
Second stage is to list out all of those user CATALOGs.

//RACFDSN2 JOB ,'LIST CATALOGS',CLASS=A,
// REGION=0M,NOTIFY=&SYSUID
//*
//STEP01 EXEC PGM=IKJEFT01,REGION=25M
//SYSTSPRT DD DSN=xxxxxx.DSLIST,
// DISP=(NEW,CATLG,DELETE),
// UNIT=3390,
// SPACE=(CYL,(200,200),RLSE),
// LRECL=133,BLKSIZE=27930,RECFM=FB
//SYSOUT DD SYSOUT=*
//SYSTSIN DD *
PROFILE NOPREFIX
LISTCAT CATALOG('SYS1.xxxxxxx') ALL
LISTCAT CATALOG('SYS1.xxxxxxx.xxxxxx') ALL
LISTCAT CATALOG('SYS1.xxxxxxx.xxxxxx') ALL
/*
End-of-file.