zSecure Visual

Version 2.3.0

Client Manual

IBM

SC27-5647-04
zSecure Visual
Version 2.3.0

Client Manual

IBM

SC27-5647-04
 Note
Before using this information and the product it supports, read the information in “Notices” on page 155.

August 2017
This edition applies to version 2, release 3, modification 0 of IBM Security zSecure Visual (product number
5655-N20) and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 1998, 2017.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
About this publication . . . . . . . . v Setting interface options according to your access
zSecure documentation . . . . . . . . . . . v level . . . . . . . . . . . . . . . . . 27
Obtain licensed documentation . . . . . . . v Setting the date format . . . . . . . . . . 28
IBM zSecure Suite library . . . . . . . . . vi Drag and drop function . . . . . . . . . . 30
IBM zSecure Manager for RACF z/VM library viii Copy and paste function . . . . . . . . . . 30
Related documentation. . . . . . . . . . . ix Toolbar buttons . . . . . . . . . . . . . 30
Accessibility . . . . . . . . . . . . . . xi Right mouse button . . . . . . . . . . . 31
Technical training . . . . . . . . . . . . xi Naming conventions . . . . . . . . . . . 31
Support information . . . . . . . . . . . xi Changing column sequences. . . . . . . . . 31
Statement of Good Security Practices . . . . . . xi Site-specific columns and fields . . . . . . . . 31
Saving and exporting printable data . . . . . . 32
Chapter 1. IBM Security zSecure Visual Printing . . . . . . . . . . . . . . . 32
Previewing a print file . . . . . . . . . . 33
setup and configuration . . . . . . . . 1 Tables available for printing . . . . . . . . 33
Release information . . . . . . . . . . . . 1 Server Information dialog . . . . . . . . . 33
Prerequisites for installation . . . . . . . . . 1 Display of the ? character. . . . . . . . . . 34
Installing IBM Security zSecure Visual . . . . . . 2
IBM Security zSecure Visual maintenance. . . . . 4
Uninstalling IBM Security zSecure Visual . . . . 4
Chapter 3. RACF database operations 35
Modifying IBM Security zSecure Visual . . . . 5 Select Nodes dialog: multi-system options . . . . 36
Repairing IBM Security zSecure Visual. . . . . 5 Verification of actions across multiple systems . . . 37
Upgrading IBM Security zSecure Visual . . . . . 5 Using the Find dialog . . . . . . . . . . . 38
Configuring IBM Security zSecure Visual . . . . . 6 Ambiguous Class selection . . . . . . . . 42
Server definition parameters . . . . . . . . 7 Finding classes with the Select class dialog . . . . 42
Multiple Visual server definitions . . . . . . 9 Viewing connected users and groups . . . . . . 43
Copy function for multiple server definitions . . 10 Viewing the groups. . . . . . . . . . . . 43
Automated setup and configuration . . . . . . 10 Selecting resources for a specific user ID or group
Configuration file . . . . . . . . . . . 10 with the Permits function. . . . . . . . . . 45
Creating a configuration file . . . . . . . 10 Using Scope . . . . . . . . . . . . . . 46
Configuration file layout . . . . . . . . 11 Using Scope * . . . . . . . . . . . . . 50
Running a configuration file on the target Viewing RACF SETROPTS settings . . . . . . 52
machine . . . . . . . . . . . . . 12 Viewing an Access List . . . . . . . . . . 53
Updating server definitions from a Viewing an Effective Access List . . . . . . . 53
configuration file . . . . . . . . . . 12 Viewing a member list. . . . . . . . . . . 54
Configuration limitations . . . . . . . . 12
Modifying an existing configuration file . . . 12 Chapter 4. User management . . . . . 55
Notes . . . . . . . . . . . . . . 13 User table . . . . . . . . . . . . . . . 55
Configuration file sample tasks . . . . . . 13 MFA Factor management . . . . . . . . . 59
Silent installation . . . . . . . . . . . 14 MFA policy management . . . . . . . . . 61
Log file for silent installation . . . . . . 14 Viewing user properties . . . . . . . . . . 62
Examples of silent installation commands . . 15 Duplicating a user . . . . . . . . . . . . 66
Automate upgrade path examples . . . . . . 15 Deleting a user . . . . . . . . . . . . . 70
Resuming a user. . . . . . . . . . . . . 71
Chapter 2. IBM Security zSecure Visual Disabling a user . . . . . . . . . . . . . 71
Enabling a user . . . . . . . . . . . . . 72
customization and primary tasks . . . 17
Setting passwords (or passphrases) . . . . . . 73
Selecting to work locally or in a multi-system
Setting a default password (or passphrase) . . . . 76
environment . . . . . . . . . . . . . . 18
Removing the default password (or passphrase) . . 78
Logging on . . . . . . . . . . . . . . 19
About Schedules. . . . . . . . . . . . . 79
Selecting available nodes . . . . . . . . . 20
Viewing and editing schedules . . . . . . . 80
An example first task . . . . . . . . . . 21
Adding a schedule interval . . . . . . . . 81
Logging off . . . . . . . . . . . . . . 22
Repeating a schedule interval . . . . . . . 81
Exiting . . . . . . . . . . . . . . . . 22
Deleting a schedule interval . . . . . . . . 81
Turning off the server definition name . . . . . 22
Mappings . . . . . . . . . . . . . . . 82
Viewing the log files . . . . . . . . . . . 22
Viewing mappings . . . . . . . . . . . 82
Using the Communication window . . . . . . 24
Setting display preferences . . . . . . . . . 25

© Copyright IBM Corp. 1998, 2017 iii

Chapter 5. Group management . . . . 85 EJBROLE - TME . . . . . . . . . . 138
Group table . . . . . . . . . . . . . . 85 FACILITY - DLFDATA . . . . . . . . 138
Viewing group properties. . . . . . . . . . 87 FACILITY - EIM . . . . . . . . . . 139
Adding a subgroup. . . . . . . . . . . . 89 FACILITY - PROXY . . . . . . . . . 139
Duplicating a group . . . . . . . . . . . 91 FACILITY - TME . . . . . . . . . . 139
Deleting a group . . . . . . . . . . . . 94 LDAPBIND - EIM . . . . . . . . . . 140
LDAPBIND - ICTX . . . . . . . . . 140
Chapter 6. Connect management . . . 97 LDAPBIND - PROXY. . . . . . . . . 140
MFADEF - MFPOLICY . . . . . . . . 140
Connects table . . . . . . . . . . . . . 97
PROGRAM - SIGVER . . . . . . . . 140
Connects in multi-system mode . . . . . . . 98
PTKTDATA - SSIGNON . . . . . . . . 141
Viewing and changing Connect properties . . . . 99
REALM - KERB . . . . . . . . . . 141
Creating a connect. . . . . . . . . . . . 102
ROLE - TME . . . . . . . . . . . 141
Attributes gSpec, gOper and gAud . . . . . 104
STARTED - STDATA . . . . . . . . . 142
Drag-and-drop and copy-paste . . . . . . 104
SYSMVIEW - SVFMR. . . . . . . . . 142
Deleting a connect. . . . . . . . . . . . 104
Segments of group profiles . . . . . . . . 142
Copy, merge, and move functions for connects . . 106
GROUP - CSDATA . . . . . . . . . 142
GROUP - DFP . . . . . . . . . . . 142
Chapter 7. Resource management . . 109 GROUP - OMVS . . . . . . . . . . 142
Resource profiles . . . . . . . . . . . . 110 GROUP - OVM. . . . . . . . . . . 143
Resource table . . . . . . . . . . . . 110 GROUP - TME . . . . . . . . . . . 143
Viewing mapping information . . . . . . . 112 Segments of user profiles . . . . . . . . 143
Adding a resource profile . . . . . . . . . 113 USER - CICS . . . . . . . . . . . 144
Duplicating a resource profile . . . . . . . . 114 USER - CSDATA . . . . . . . . . . 144
Editing resource profile properties . . . . . . 115 USER - DCE. . . . . . . . . . . . 144
Deleting a resource profile . . . . . . . . . 117 USER - DFP . . . . . . . . . . . . 144
Modifying an Access List (ACL) . . . . . . . 118 USER - EIM . . . . . . . . . . . . 144
Adding a user or group to an access list . . . . 120 USER - KERB . . . . . . . . . . . 145
Editing an access list entry . . . . . . . . . 121 USER - LANGUAGE . . . . . . . . . 145
Deleting an access list entry . . . . . . . . 122 USER - LNOTES . . . . . . . . . . 145
Profile members . . . . . . . . . . . . 122 USER - NDS. . . . . . . . . . . . 145
Example of grouping class . . . . . . . . 122 USER - NETVIEW . . . . . . . . . . 145
Exceptions . . . . . . . . . . . . . 123 USER - OMVS . . . . . . . . . . . 146
Viewing and changing a member list . . . . . 123 USER - OPERPARM . . . . . . . . . 146
Adding a member . . . . . . . . . . . . 124 USER - OVM . . . . . . . . . . . 147
Editing a member . . . . . . . . . . . . 125 USER - PROXY . . . . . . . . . . . 147
Deleting a member . . . . . . . . . . . 125 USER - TSO . . . . . . . . . . . . 147
Refreshing a class . . . . . . . . . . . . 126 USER - WORKATTR . . . . . . . . . 148

Chapter 8. Segment management . . . 127 Chapter 9. Running REXX scripts . . . 149

Authorities and settings required to manage Prerequisites for running REXX scripts on the
segments . . . . . . . . . . . . . . . 127 Visual Server . . . . . . . . . . . . . 149
Viewing and editing segment types . . . . . . 127 Running a REXX script in the Visual Client . . . 149
Application segments. . . . . . . . . . 128
Viewing the segment list . . . . . . . . . 130
Chapter 10. Managing client
Using the Segment Detail window . . . . . . 130
Adding a segment. . . . . . . . . . . . 132 definitions. . . . . . . . . . . . . 151
Exceptions . . . . . . . . . . . . . . 133 Maintaining client definitions . . . . . . . . 151
Segment fields . . . . . . . . . . . . . 134 Batch mode to add multiple client definitions . . 153
Segments of resource profiles . . . . . . . 134 Client definition attributes . . . . . . . . . 153
APPCLU - SESSION . . . . . . . . . 135 Copying a client definition to the clipboard . . . 153
CDT - CDTINFO . . . . . . . . . . 135
CFIELD - CFDEF . . . . . . . . . . 136 Notices . . . . . . . . . . . . . . 155
CSFKEYS, GCSFKEYS, XCSFKEY, Trademarks . . . . . . . . . . . . . . 157
GXCSFKEY - ICSF. . . . . . . . . . 136
DATASET - DFP . . . . . . . . . . 137 Glossary . . . . . . . . . . . . . 159
DATASET - TME . . . . . . . . . . 137
DIGTCERT - CERTDATA . . . . . . . 137
Index . . . . . . . . . . . . . . . 161
DIGTRING - CERTDATA . . . . . . . 138
DLFCLASS - DLFDATA . . . . . . . . 138

iv Client Manual
About this publication
IBM® Security zSecure™ Visual enables administrators to manage mainframe
security and administration from a Microsoft Windows workstation through a
Windows interface to the mainframe server. IBM Security zSecure Visual has two
components: IBM Security zSecure Visual Server and IBM Security zSecure Visual
Client. This publication describes how to install, configure, and use IBM Security
zSecure Visual Client.

Readers need to be familiar with RACF® administrative tasks and using Microsoft
Windows-based applications. This publication assumes that the IBM Security
zSecure Visual server mainframe component is installed and configured.

Note: Information about setting up and configuring a Visual Server on a z/OS®

system is available in the IBM Security zSecure CARLa-Driven Components Installation
and Deployment Guide.

zSecure documentation
The IBM Security zSecure Suite and IBM Security zSecure Manager for RACF
z/VM libraries consist of unlicensed and licensed publications. This section lists
both libraries and instructions to access them.

Unlicensed zSecure publications are available at the IBM Knowledge Center for
IBM zSecure Suite (z/OS) or IBM zSecure Manager for RACF z/VM. The IBM
Knowledge Center is the home for IBM product documentation. You can customize
IBM Knowledge Center, create your own collection of documents to design the
experience that you want with the technology, products, and versions that you use.
You can also interact with IBM and with your colleagues by adding comments to
topics and by sharing through email, LinkedIn, or Twitter. For instructions to
obtain the licensed publications, see “Obtain licensed documentation.”
Table 1.
IBM Knowledge Center for
product URL
IBM zSecure Suite (z/OS) www.ibm.com/support/knowledgecenter/SS2RWS/
welcome
IBM zSecure Manager for RACF www.ibm.com/support/knowledgecenter/SSQQGJ/
z/VM welcome

The IBM Terminology website consolidates terminology for product libraries in one
location.

Obtain licensed documentation

All licensed and unlicensed publications for IBM Security zSecure Suite 2.3.0 and
IBM Security zSecure Manager for RACF z/VM 1.11.2, except the Program
Directories, are included on the IBM Security zSecure Documentation CD, LCD7-5373.
Instructions for downloading the disk image (.iso) file for the zSecure
Documentation CD directly are included with the product materials.

© Copyright IBM Corp. 1998, 2017 v

 To obtain the .iso file of the Documentation CD, or PDF files of individual licensed
publications, send an email to [email protected]. Request access to the licensed
publications for IBM Security zSecure Suite 2.3.0. Include your company's IBM
customer number and your preferred contact information. You will receive details
to fulfill your order.

IBM zSecure Suite library

The IBM Security zSecure Suite library consists of unlicensed and licensed
publications.

Unlicensed publications are available at the IBM Knowledge Center for IBM
zSecure Suite. Unlicensed publications are available to clients only. To obtain the
licensed publications, see Obtaining licensed publications. Licensed publications
have a form number that starts with L; for example, LCD7-5373.

The IBM Security zSecure Suite library consists of the following publications:
v About This Release includes release-specific information as well as some more
general information that is not zSecure-specific. The release-specific information
includes the following:
– What's new: Lists the new features and enhancements in zSecure V2.3.0.
– Release notes: For each product release, the release notes provide important
installation information, incompatibility warnings, limitations, and known
problems for the IBM Security zSecure products.
– Documentation: Lists and briefly describes the zSecure Suite and zSecure
Manager for RACF z/VM libraries and includes instructions for obtaining the
licensed publications.
– Related documentation: Lists titles and links for information related to zSecure.
– Support for problem solving: Solutions to problems can often be found in IBM
knowledge bases or a product fix might be available. If you register with IBM
Software Support, you can subscribe to IBM's weekly email notification
service. IBM Support provides assistance with product defects, answers
frequently asked questions, and helps to resolve problems.
v IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide,
SC27-5638
Provides information about installing and configuring the following IBM
Security zSecure components:
– IBM Security zSecure Admin
– IBM Security zSecure Audit for RACF, CA-ACF2, and CA-Top Secret
– IBM Security zSecure Alert for RACF and CA-ACF2
– IBM Security zSecure Visual
– IBM Security zSecure Adapters for SIEM for RACF, CA-ACF2, and CA-Top
Secret
v IBM Security zSecure Admin and Audit for RACF Getting Started, GI13-2324
Provides a hands-on guide introducing IBM Security zSecure Admin and IBM
Security zSecure Audit product features and user instructions for performing
standard tasks and procedures. This manual is intended to help new users
develop both a working knowledge of the basic IBM Security zSecure Admin
and Audit for RACF system functionality and the ability to explore the other
product features that are available.
v IBM Security zSecure Admin and Audit for RACF User Reference Manual, LC27-5639

vi Client Manual
 Describes the product features for IBM Security zSecure Admin and IBM
Security zSecure Audit. Includes user instructions to run the admin and audit
features from ISPF panels. This manual also provides troubleshooting resources
and instructions for installing the zSecure Collect for z/OS component. This
publication is available to licensed users only.
v IBM Security zSecure Admin and Audit for RACF Line Commands and Primary
Commands Summary, SC27-6581
Lists the line commands and primary (ISPF) commands with very brief
explanations.
v IBM Security zSecure Audit for ACF2 Getting Started, GI13-2325
Describes the zSecure Audit for CA-ACF2 product features and provides user
instructions for performing standard tasks and procedures such as analyzing
Logon IDs, Rules, Global System Options, and running reports. The manual also
includes a list of common terms for those not familiar with ACF2 terminology.
v IBM Security zSecure Audit for ACF2 User Reference Manual, LC27-5640
Explains how to use zSecure Audit for CA-ACF2 for mainframe security and
monitoring. For new users, the guide provides an overview and conceptual
information about using CA-ACF2 and accessing functionality from the ISPF
panels. For advanced users, the manual provides detailed reference information,
troubleshooting tips, information about using zSecure Collect for z/OS, and
details about user interface setup. This publication is available to licensed users
only.
v IBM Security zSecure Audit for Top Secret User Reference Manual, LC27-5641
Describes the zSecure Audit for CA-Top Secret product features and provides
user instructions for performing standard tasks and procedures. This publication
is available to licensed users only.
v IBM Security zSecure CARLa Command Reference, LC27-6533
Provides both general and advanced user reference information about the
CARLa Auditing and Reporting Language (CARLa). CARLa is a programming
language that is used to create security administrative and audit reports with
zSecure. The CARLa Command Reference also provides detailed information about
the NEWLIST types and fields for selecting data and creating zSecure reports.
This publication is available to licensed users only.
v IBM Security zSecure Alert User Reference Manual, SC27-5642
Explains how to configure, use, and troubleshoot IBM Security zSecure Alert, a
real-time monitor for z/OS systems protected with the Security Server (RACF)
or CA-ACF2.
v IBM Security zSecure Command Verifier User Guide, SC27-5648
Explains how to install and use IBM Security zSecure Command Verifier to
protect RACF mainframe security by enforcing RACF policies as RACF
commands are entered.
v IBM Security zSecure CICS Toolkit User Guide, SC27-5649
Explains how to install and use IBM Security zSecure CICS® Toolkit to provide
RACF administration capabilities from the CICS environment.
v IBM Security zSecure Messages Guide, SC27-5643
Provides a message reference for all IBM Security zSecure components. This
guide describes the message types associated with each product or feature, and
lists all IBM Security zSecure product messages and errors along with their
severity levels sorted by message type. This guide also provides an explanation
and any additional support information for each message.
v IBM Security zSecure Visual Client Manual, SC27-5647

About this publication vii

 Explains how to set up and use the IBM Security zSecure Visual Client to
perform RACF administrative tasks from the Windows-based GUI.
v IBM Security zSecure Documentation CD, LCD7-5373
Supplies the IBM Security zSecure documentation, which contains the licensed
and unlicensed product documentation. The Documentation CD is available as a
downloadable .iso file; see Obtaining licensed publications to obtain this file.

Program directories are provided with the product tapes. You can also download
the latest copies from Program Directories.
v Program Directory: IBM Security zSecure CARLa-Driven Components, GI13-2277
This program directory is intended for the systems programmer responsible for
program installation and maintenance. It contains information concerning the
material and procedures associated with the installation of IBM Security zSecure
CARLa-Driven Components: Admin, Audit, Visual, Alert, and the IBM Security
zSecure Adapters for SIEM.
v Program Directory: IBM Security zSecure CICS Toolkit, GI13-2282
This program directory is intended for the systems programmer responsible for
program installation and maintenance. It contains information concerning the
material and procedures associated with the installation of IBM Security zSecure
CICS Toolkit.
v Program Directory: IBM Security zSecure Command Verifier, GI13-2284
This program directory is intended for the systems programmer responsible for
program installation and maintenance. It contains information concerning the
material and procedures associated with the installation of IBM Security zSecure
Command Verifier.
v Program Directory: IBM Security zSecure Admin RACF-Offline, GI13-2278
This program directory is intended for the systems programmer responsible for
program installation and maintenance. It contains information concerning the
material and procedures associated with the installation of the IBM Security
zSecure Admin RACF-Offline component of IBM Security zSecure Admin.
v Program Directories for the zSecure Administration, Auditing, and Compliance
solutions:
– 5655-N23: Program Directory for IBM Security zSecure Administration, GI13-2292
– 5655-N24: Program Directory for IBM Security zSecure Compliance and Auditing,
GI13-2294
– 5655-N25: Program Directory for IBM Security zSecure Compliance and
Administration, GI13-2296

IBM zSecure Manager for RACF z/VM library

The IBM Security zSecure Manager for RACF z/VM library consists of unlicensed
and licensed publications.

Unlicensed publications are available at the IBM Knowledge Center for IBM
zSecure Manager for RACF z/VM. Licensed publications have a form number that
starts with L; for example, LCD7-5373.

The IBM Security zSecure Manager for RACF z/VM library consists of the
following publications:
v IBM Security zSecure Manager for RACF z/VM Release Information
For each product release, the Release Information topics provide information
about new features and enhancements, incompatibility warnings, and

viii Client Manual

 documentation update information. You can obtain the most current version of
the release information from the zSecure for z/VM® documentation website at
the IBM Knowledge Center for IBM zSecure Manager for RACF z/VM.
v IBM Security zSecure Manager for RACF z/VM: Installation and Deployment Guide,
SC27-4363
Provides information about installing, configuring, and deploying the product.
v IBM Security zSecure Manager for RACF z/VM User Reference Manual, LC27-4364
Describes how to use the product interface and the RACF administration and
audit functions. The manual provides reference information for the CARLa
command language and the SELECT/LIST fields. It also provides
troubleshooting resources and instructions for using the zSecure Collect
component. This publication is available to licensed users only.
v IBM Security zSecure CARLa Command Reference, LC27-6533
Provides both general and advanced user reference information about the
CARLa Auditing and Reporting Language (CARLa). CARLa is a programming
language that is used to create security administrative and audit reports with
zSecure. The zSecure CARLa Command Reference also provides detailed
information about the NEWLIST types and fields for selecting data and creating
zSecure reports. This publication is available to licensed users only.
v IBM Security zSecure Documentation CD, LCD7-5373
Supplies the IBM Security zSecure Manager for RACF z/VM documentation,
which contains the licensed and unlicensed product documentation.
v Program Directory for IBM zSecure Manager for RACF z/VM, GI11-7865
To use the information in this publication effectively, you must have some
prerequisite knowledge that you can obtain from the program directory. The
Program Directory for IBM zSecure Manager for RACF z/VM is intended for the
systems programmer responsible for installing, configuring, and deploying the
product. It contains information about the materials and procedures associated
with installing the software. The Program Directory is provided with the
product tape. You can also download the latest copies from the IBM Knowledge
Center for IBM zSecure Manager for RACF z/VM.

Related documentation
This section includes titles and links for information related to zSecure.

See: For:
IBM Knowledge Center for All zSecure unlicensed documentation.
IBM Security zSecure For information about what is specific for a release, system
requirements, incompatibilities and so on, select the version
of your choice and About This Release; see “What's new”
and “Release notes”.
IBM Knowledge Center for Information about z/OS. Table 2 on page x lists some of the
z/OS most useful publications for use with zSecure.

About this publication ix

 See: For:
z/OS Security Server More information about Resource Access Control Facility
Documentation (RACF) and the types of events that can be reported using
zSecure Admin and Audit.
For information about the RACF commands, and the
implications of the various keywords, see the z/OS Security
Server RACF Command Language Reference and the z/OS
Security Server RACF Security Administrator's Guide. You can
find information about the various types of events that are
recorded by RACF in the z/OS Security Server RACF
Auditor's Guide.

For additional information about using IBM Security zSecure Visual, see these
publications:
v IBM Security zSecure CARLa-Driven Components Installation and Deployment Guide,
SC27-5638
Provides reference information for installing, configuring, and deploying IBM
Security zSecure Visual Server on a z/OS system.
v IBM Security zSecure Admin and Audit for RACF User Reference Manual, LC27-5639
Provides information about the IBM Security zSecure Admin and Audit for
RACF components and explains how to use the features from the ISPF panels. It
also describes RACF administration and audit user documentation as well as
troubleshooting resources and instructions for installing the zSecure Collect for
z/OS component. This publication is available to licensed users only.
v IBM Security zSecure CARLa Command Reference , LC27-6533
Provides both general and advanced user reference information about the
CARLa Auditing and Reporting Language (CARLa) programming language, that
can be used to create security administrative and audit reports with zSecure.
This publication is available to licensed users only.
Table 2. Some of the most useful z/OS publications for use with zSecure
Manual Title Order Number
z/OS Communications Server: IP Configuration Reference SC27-3651
z/OS Integrated Security Services Enterprise Identity Mapping SA23-2297
(EIM) Guide and Reference
z/OS MVS Programming: Callable Services for High Level SA23-1377
Languages
z/OS MVS System Commands SA38-0666
z/OS Security Server RACF Security Administrator's Guide SA23-2289
z/OS Security Server RACF Auditor's Guide SA23-2290
z/OS Security Server RACF Command Language Reference SA23-2292
z/OS Security Server RACF Macros and Interfaces SA23-2288
z/OS Security Server RACF Messages and Codes SA23-2291
z/OS Security Server RACF Security Administrator's Guide SA23-2289
z/OS Security Server RACF System Programmer's Guide SA23-2287
®
z/Architecture Principles of Operation SA22–7832

x Client Manual
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.

Technical training
For technical training information, see the IBM Training and Skills website at
www.ibm.com/training.

See the zSecure Training page in the zSecure public Wiki for information about
available training for zSecure.

Support information
IBM Support provides assistance with code-related problems and routine, short
duration installation or usage questions. You can directly access the IBM Software
Support site at www.ibm.com/software/support/probsub.html.

Statement of Good Security Practices

IT system security involves protecting systems and information through
prevention, detection, and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed,
misappropriated, or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service, or security measure
can be completely effective in preventing improper use or access. IBM systems,
products, and services are designed to be part of a comprehensive security
approach, which will necessarily involve additional operational procedures, and
may require other systems, products, or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS, OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

About this publication xi

xii Client Manual
Chapter 1. IBM Security zSecure Visual setup and
configuration
To use zSecure Visual on a client, you must:
v Install the client software on the system that you are using as the Visual client.
v Define the client on the mainframe where the Visual server is installed.
v Configure the client to connect to and establish a session with the Visual server.

For information about installing the zSecure Visual server on the mainframe, see
the IBM Security zSecure CARLa-Driven Components: Installation and Deployment
Guide. For information about known problems and limitations, see Release Notes in
About This Release on the IBM Knowledge Center for IBM Security zSecure V2.3.0 at
www.ibm.com/support/knowledgecenter/SS2RWS_2.3.0/
com.ibm.zsecure.doc_2.3.0/landing/about_this_release.html.

Installation and configuration are described in the following topics:

v “Prerequisites for installation”
v “Installing IBM Security zSecure Visual” on page 2
v “IBM Security zSecure Visual maintenance” on page 4
v “Upgrading IBM Security zSecure Visual” on page 5
v “Configuring IBM Security zSecure Visual” on page 6
v “Automated setup and configuration” on page 10

Release information
The zSecure release information includes details on new features and
enhancements, incompatibility warnings, and documentation update information.

You can find the latest versions of What's New and Release Notes in About This
Release on the IBM Knowledge Center for IBM Security zSecure V2.3.0 at:
www.ibm.com/support/knowledgecenter/SS2RWS_2.3.0/
com.ibm.zsecure.doc_2.3.0/landing/about_this_release.html.

Prerequisites for installation

Before you install the zSecure Visual client, ensure that the system meets these
hardware and software requirements:
Hardware requirements
v 1 GHz processor or greater
v 512 MB RAM or greater
v Minimum 350 MB disk space
v Minimum S-VGA display
v TCP/IP adapter for connection to the mainframe
v Minimum disk space for .NET Framework Version 4 client:
– 32-bit: 600 MB
– 64-bit: 1.5 GB
Software requirements

© Copyright IBM Corp. 1998, 2017 1

 v Microsoft Windows 7, Windows 8, Windows 10, Windows Server
2008R2, Windows Server 2012, or Windows Server 2016
You can check the operating system level when you start the
workstation.
v To work with the IBM Knowledge Center Help System, use one of the
following browsers: Internet Explorer 9+, Mozilla Firefox 17+, Google
Chrome 20+, or Microsoft Edge 37+. To ensure that you can use all the
functions of the IBM Knowledge Center Help System:
– Enable cookies and JavaScript in the browser.
– Disable the blocking of pop-up windows in the browser.
v To connect to the zSecure Visual server on the mainframe, you must
configure:
– TCP/IP network that provides a connection to the mainframe.
– Name of the localhost where the client is installed.

To connect to the zSecure Visual server on the mainframe, install and configure
this software on the mainframe:
v Supported release of z/OS, up to V2R3
v RACF Security Server
v TCP/IP
v IBM Security zSecure Visual 2.3.0 server

After installation, you must create a server definition on the client to connect to the
mainframe. Determine these settings to prepare for the server definition:
v Server IP address or name
v Server TCP port number
v Client ID
v Initial password

You can obtain this information from your system administrator.

Installing IBM Security zSecure Visual

Use this task to install the Visual client component.

About this task

You can install the new version of the IBM Security zSecure Visual client only once
on a workstation. You can upgrade from a previously installed version of the
client, for example, version 2.2.1. See “Upgrading IBM Security zSecure Visual” on
page 5 and "Compatibility of IBM Security zSecure Visual and zSecure
components" in IBM Security zSecure CARLa-Driven Components: Installation and
Deployment Guide for guidelines on upgrading the client.

You cannot install the new Visual client multiple times on the same workstation
but you can define multiple Visual server definitions in one client and run multiple
Visual client instances concurrently. See “Multiple Visual server definitions” on
page 9.

The zSecure Visual client software for Windows is available on CD. The CD also
contains the zSecure Visual client manual in PDF format.

2 Client Manual
Note: Information on installing and configuring the zSecure Visual server is in the
IBM Security zSecure CARLa-Driven Components: Installation and Deployment Guide.

You can either install a complete version or a custom version of the zSecure Visual
client program.

The Complete version of the installation program installs the Java Runtime. If you
want to continue using your current version of the Java Runtime, use the Custom
version of the installation and specify to bypass installing the Java Runtime.

This section describes how to complete each type of installation.

Procedure

Follow these steps to install the Visual client program:

1. Ensure that the system where you are installing the Visual client meets the
hardware and software requirements. Review the requirements in “Prerequisites
for installation” on page 1.
2. Take one of the following actions to start the installation:
v Install directly from CD.
a. Insert the CD in the system where you are installing the Visual client. The
installation starts automatically after inserting the CD.
b. If the automatic installation fails or is canceled, start the installation by
running zSecureVisualLauncher.exe from the root directory.
v Install from a LAN directory.
a. Specify the network location of the CD image.
b. If the installation directory contains one or more spaces, you must specify
the filepath in quotation marks, for example:
"C:\installation dir\visual23\DISK1\setup.exe"
3. Click Next in the welcome window.
4. Accept the license agreement and click Next.

Note: You can print the terms of the license agreement by clicking Print. The
license files are in the \License subdirectory. You can view the license in
English and the locale language configured on the target system, but other
languages might not be viewable.
5. Select one of the following options and click Next.
Complete
Installs all program files in the default directory. This option is for
normal use and uses more disk space.
Custom
Provides two options for advanced users.
v If you do not want to install the program files in the default directory:
a. Click Change... to specify a different installation directory than
the default directory (C:\Program Files (X86)\IBM\Security
zSecure Visual\2.3).

Attention: If the Windows system folder is not located on the

destination drive, but you know the destination drive has
adequate space to receive the files, the following warning could
still occur when you click Next:

Chapter 1. IBM Security zSecure Visual setup and configuration 3

 There is not enough space to install these option(s).
Please free some disk space or modify your selections.

This warning refers to the drive that contains the Windows

system folder. If it occurs, use the Feature description area in the
Custom Setup dialog to determine how much space is required
by the selected components and ensure that the drive containing
the Windows system folder also has adequate space.
b. Browse to the directory where you want to install the files or
specify the complete filepath in the Folder name field.

Note: If you are upgrading a previous version of the Visual

client, each version must reside in its own folder; ensure that the
version number is shown in the folder title so you can distinguish
between different versions.
c. Click OK to return to the Custom Setup window.
v If you do not want to install the help files associated with the product (for
example, you might have limited space on your destination drive):
a. Click Help Files > This feature will not be available.

Note: The first two options (beginning with This Feature...)

perform the same installation. All help files are installed in both
cases.
b. Click Space to view the storage requirements for the help files.
c. Click OK to return to the Custom Setup window.
6. Click Install to start the installation.
7. Click Finish to exit the installation program or click Launch zSecure Visual to
start the Visual client and set up the client to connect to a Visual server.

What to do next

Before you can use zSecure Visual, you must configure it. You can manually or
automatically configure it. For more information about configuration, see
“Configuring IBM Security zSecure Visual” on page 6.

If the installation does not complete without errors, you can examine the log file
for information to help troubleshoot the causes. The information is detailed and
intended for expert use.

IBM Security zSecure Visual maintenance

An administrator uses these maintenance topics to uninstall, modify, and repair
IBM Security zSecure Visual.

You can uninstall, modify, and repair IBM Security zSecure Visual. This section
provides the procedures to perform these tasks.

A fix pack is provided as a zip file. Installing it effectively overwrites the existing
instance of the Client.

Uninstalling IBM Security zSecure Visual

The administrator uses this task to uninstall IBM Security zSecure Visual.

4 Client Manual
 Procedure

To completely remove IBM Security zSecure Visual and all of its components,
perform these steps:
1. Go to the Control Panel.
2. Select Programs and Features.
3. Select IBM Security zSecure Visual 2.3.0.
4. When the uninstall program detects a shared file, you get a warning message.
Click Yes to continue. Maintenance starts to remove IBM Security zSecure
Visual.
When Maintenance is complete, the Maintenance Complete window is
displayed.

Modifying IBM Security zSecure Visual

The administrator uses this task to change selected installed components in IBM
Security zSecure Visual.

About this task

If you are an advanced user, you can modify your Visual client installation to add
new program components or remove currently installed components.

Procedure

Perform these steps to change a Visual client installation:

1. Start Control Panel and select Programs and Features.
2. Right-click IBM Security zSecure Visual 2.3.0 and select Modify.
3. In the Select Components window, select the components to be modified.
4. Click Next to modify your installation. The Setup Status dialog is displayed to
monitor the setup process. When Maintenance has finished the modifications, it
ends with the Maintenance complete screen.

Repairing IBM Security zSecure Visual

The administrator uses this task to reinstall all program components for IBM
Security zSecure Visual.

About this task

If you find damaged files, reinstall all program components. To reinstall all
program components, perform these steps:

Procedure
1. Start Control Panel and select Programs and Features.
2. Right-click IBM Security zSecure Visual 2.3.0 and select Repair.
3. After the repair process completes, click Finish.

Upgrading IBM Security zSecure Visual

After you upgrade the zSecure Visual server, you can upgrade the zSecure Visual
client software on the client machines and connect to the new server instance.

Chapter 1. IBM Security zSecure Visual setup and configuration 5

 Before you begin

Contact your Visual Server administrator for the following information:

v Server name/IP address
v Server TCP port
v Recommended zSecure Visual Client version

About this task

You can upgrade IBM Security zSecure Visual using the method described in
“Installing IBM Security zSecure Visual” on page 2. The new installation does not
contain any server definitions. You can copy the server definitions from the
previous version, as described in “Copy function for multiple server definitions”
on page 10. You can also use the automated process, see “Automate upgrade path
examples” on page 15.

This procedure creates a new server definition in the new client that uses a copy of
the old certificate and points to the new server. Copying the old certificate enables
you to perform the upgrade process without having to create a new initial
password for the client.

Procedure

Follow these steps to upgrade zSecure Visual client software.

1. Install the new client software.
2. Start the client.
3. Update the configuration to create the server definition:
a. From the Visual client menu, select File > Configure > Copy.
b. On the Copy configuration panel, update the Visual server IP address or
name and TCP port to point to the location of the upgraded server.
c. Click Test Connection to verify the connection.
d. Click OK to save the changes and create the new server definition.

Configuring IBM Security zSecure Visual

Use the configuration task to define a Visual server to a Visual client.

About this task

You configure IBM Security zSecure Visual by defining the Visual server to the
client and by defining the Visual client to the Visual server. This topic describes
how to define the Visual server to the client. See “Maintaining client definitions”
on page 151 for information on adding client definitions to the Visual server.

The location where Visual server definitions are stored depends on the selection
made in the View -> Options menu.

If the Save server definitions in per-user folder check box is not selected, then the
server definitions are stored in the ProgramData folder C:\ProgramData\IBM\
Security zSecure Visual\2.3\Servers; this is the default location. The
ProgramData folder contains application data for all users of the system. The Visual
server definitions are available for all users who log on to that system.

6 Client Manual
 If the Save server definitions in per-user folder check box is selected, then the
server definitions are stored in the user-level AppData folder, for example:
C:\Users\User1\AppData\Roaming\IBM\Security zSecure Visual\2.3\Servers. The
AppData folder contains application data for a specific user of the system. The
Visual server definitions are available for this user only. Server definitions that are
stored in the AppData folder become part of the roaming profile for that user.
Therefore, the same user can use the server definitions in multiple systems in a
networked environment without having to configure every system.

Procedure
1. If no servers have been defined to the client, you enter the configuration part of
the program automatically after you start the program. Otherwise you can
select File > Configure from the main menu.

Figure 1. Configure dialog

The configuration window displays all defined servers and enables you to add,
copy, edit, and delete server definitions. When "Edit required" is displayed in
the list, you must complete the corresponding server definition before you can
use the server.
With the Import function, you can read server definition information from a
configuration file prepared for you. With Export, you can create configuration
files, which enables automatic setup and configuration.
2. After adding, editing or deleting one or multiple server definitions, click OK to
apply all changes. A status window is displayed, showing the steps performed
to configure the program.

Server definition parameters

Use the Add system dialog to create and edit a Visual Server definition in the
Visual client.

A server definition contains the parameters listed in this section. After completing
the fields, click OK to accept them. You can use Test Connection to verify if the
server is active. You can leave all fields blank except Name and complete the
definition in another run of IBM Security zSecure Visual.

Chapter 1. IBM Security zSecure Visual setup and configuration 7

 Figure 2. Server definition dialog

To use the server, you need a certificate. When you enter the correct initial
password, you get the certificate.

Attention: When you obtain a new certificate, ensure that the clock of your local
workstation is synchronized with the mainframe server clock. Out-of-synch clocks
can cause errors.

Refer to this list for information about the server definition parameters:
Name This arbitrary name refers to this specific server definition. It is displayed
in the Logon dialog. The name must be unique on the PC. The name must
be a valid filename for Windows, because a subdirectory is created to store
files related to the server.
HelpContact (optional)
Enter the name of a person, department name, or anything else that
informs the user who to contact in case of trouble. If the field is nonblank
it is displayed in error dialogs as follows: Error 3: Time Out. Contact
helpcontact.
Client ID
This number uniquely identifies the client to its server. It is always 12.1.n,
where n is an integer between 2 - 2,147,483,647. Typically these IDs are
defined on the server. Before you can use a client, you must ask for its ID,
and enter it here.
Server IP address or name
The IP address or the fully qualified host name of the server.
Server Port
The port that the server agent listens to. A port number is a number 0 -
65535. If you are configuring multiple server definitions to connect to
multiple zSecure server instances, see “Multiple Visual server definitions”
on page 9 for guidelines on specifying port values.

8 Client Manual
 Local port (optional)
The client agent uses two port numbers to communicate with the server
and with the user interface. By default these port numbers are the server
port number and the server port number + 1. If there are two servers with
equal port numbers, port conflicts occur. With this field, you can override
the default local port number. The user interface uses local port number +
1. If you are configuring multiple server definitions to connect to multiple
zSecure Server instances, see “Multiple Visual server definitions” for
guidelines on specifying port values.
Initial password
A 10 digit hex password required to obtain a new certificate. The certificate
is used for encryption. Usually the initial password can be obtained from
your mainframe system administrator.
Test connection
To verify if the Server IP address or fully qualified host name and the
Server Port are correct, click Test Connection. After some time Connect
succeeded or Connect failed is displayed in the status field.

Note: Connection fails if the server parameters are correct but the server is
not running.

Multiple Visual server definitions

Use these guidelines to plan for the implementation of multiple Visual Server
definitions.

You cannot install the new Visual client multiple times on the same workstation,
but you can define multiple Visual server definitions in one client. You can run
multiple Visual client instances (sessions) concurrently. You can use each session to
administer different RACF databases, based on the server configuration that you
select when you log on to a Visual server.

If you configure the zSecure Server to service multiple nodes, the Visual server
using that zSecure Server can administer two or more nodes and RACF databases
in a single session. You must run the client in multi-system mode to administer
multiple nodes (and RACF databases) in a single session. See “Selecting to work
locally or in a multi-system environment” on page 18.

To administer multiple Visual servers concurrently, you must ensure that a unique
port number is used by each Visual server. For example, if you create two or more
Visual server definitions using server TCP 8000, the Visual client tries to use the
same local port number (base port+1=8001) for the traffic coming from each server.
This will cause port conflict problems and must be avoided. Here are two ways
you can configure multiple Visual servers to avoid a port-use conflict:
v Run the Visual servers on different port numbers. For example, if server X uses
port 8000, server Y uses port 8010, and server Z uses port 8020, the Visual client
automatically uses the local ports 8001, 8011, and 8021, respectively, to
communicate with the three servers.
v If the Visual servers are already running using the same port number, for
example, port 8000, you can use the Local port field in the server definition
dialog to separate the traffic coming from the different servers. For example, you
can leave the Local port field blank in the server definition for server X, which
results in that server using port 8001. For server Y, you can specify local port
number 8010, and for server Z specify port number 8020.

Chapter 1. IBM Security zSecure Visual setup and configuration 9

 Copy function for multiple server definitions
Use the Copy function to create multiple Visual server definitions.

A client needs a definition for each server to access, see “Server definition
parameters” on page 7. However, it is not always necessary to enter the whole
definition from scratch. You can copy server definitions between different versions
of IBM Security zSecure Visual. Avoid port conflicts when doing so. If needed,
consult your system administrator.

The Copy function shows you an exact copy of the existing server definition. Some
of the fields in the definition are disabled so that you cannot change them.

Automated setup and configuration

You can use automated setup and configuration for an initial installation of the
Visual client.

Configuration file
Use a configuration file to distribute configuration parameters for zSecure Visual.

With the configuration file, you do not have to type the same information again.
You write parameters to a file. The target computers read it during their setup and
configuration.

Creating a configuration file

Use zSecure Visual to create a configuration file.

About this task

When you create the configuration file, the changes do not affect your PC. All the
server and setup data options you configure are saved to a file.

Procedure

To create a configuration file, perform these steps:

1. Select File > Configure from the main menu to enter the configure dialog.
2. Click Export to switch to Export mode. The following window displays:

10 Client Manual
Figure 3. Configuration dialog in export mode

Note: To prevent an accidental switch in or out of Export mode, the Export

button is disabled after any of these actions: Add, Edit, Delete or Import.
From this point, all changes in the configuration do not affect your PC; but the
resulting server and setup data can be written to a configuration file by clicking
OK. You can save an intermediate state by using Save As.
3. Specify manual or automated configuration parameters:
Manual setup
Use the Add, Copy, Edit, Delete, and Import functions to specify the
server data.
In general, you do not save all servers defined on your PC in the file.
You can delete all servers that you do not want to include and clear the
fields that you do not want to specify, such as Client ID.
4. To save an interim version of the configuration file at any point in the
configuration process, click Save As and specify the configuration file name.
5. To save the configuration file, click OK.

Configuration file layout

Use the configuration file layout parameter descriptions to add contents to a
configuration file.

The settings that define a server are in a Server section. A configuration file can
contain more than one Server section.
NAME=server_definition_name
Specifies the server definition name.
CLIENTID=12.1.n
Specifies the Client ID, where n is an integer between 2 - 2,147,483,647.
SERVERIP=Servername
Specifies the IP address or hostname of the server.
SERVERPORT=8000
Server IP port.
HELPCONTACT=System support
Specifies the help contact, as shown in the error dialogs.

Chapter 1. IBM Security zSecure Visual setup and configuration 11

 Running a configuration file on the target machine
You can run the setup command to configure zSecure Visual on the system.

Procedure
v On the target machine, run setup with the configuration filename as a
command-line argument:
<full path>\setup /s /v"CMDVISUAL=<full path to configuration file>"

Attention:
– You must specify the CMDVISUAL option in uppercase.
– IBM Security zSecure Visual can find the configuration file only if you specify
the full path.
v When installation is finished, setup starts IBM Security zSecure Visual with the
configuration file as an input parameter.

Updating server definitions from a configuration file

Run the c2racvn command to update Visual server definitions on the system.

Procedure
v On the target machine, run IBM Security zSecure Visual with the configuration
filename as a command-line argument:
<full path>\c2racvn <full path to configuration file>
v The server definitions are updated according to the parameters found in the
configuration file. After this update, the program exits directly.

Configuration limitations
Use the configuration limitation guidelines to create zSecure Visual configuration
files.

Note these configuration limitations:

Storing initial passwords in configuration files
For security reasons, initial passwords cannot be saved to configuration
files.
Renaming a server on the target machine
You cannot rename a system on the target machine, since the old name
cannot be written to the configuration file.
Same version needed for creating and using configuration files
IBM Security zSecure Visual can only read configuration files that were
created using the same version. If the versions differ, no server definitions
are copied.

Modifying an existing configuration file

The administrator uses this task to change a zSecure Visual configuration file.

About this task

You can modify an existing configuration file. See “Notes” on page 13 for
guidelines on changing or using configuration files.

12 Client Manual
Procedure

To change an existing configuration file, follow these steps:

1. Switch to Export mode.
2. Delete all servers.
3. Import the configuration file to be edited.
4. Edit the data.
5. Save it with the same name.

Notes
The administrator uses these guidelines to create and change zSecure Visual
configuration files.
Using a configuration file to copy a certificate
You can copy a certificate using a configuration file. When you prepare the
configuration file, perform the copy as if it is on your system. The copying
is performed on the target machine when it reads the configuration file. To
copy a certificate that is not on the machine where you are making the
configuration file, you can enter the server name and version directly.
Blank fields in configuration files
Server parameters that you leave blank are not stored in the configuration
file. If a server with the same name exists on the target machine, blank
fields are left unchanged.
Client IDs in configuration files
The target computers must have unique Client IDs. You cannot specify a
Client ID in a configuration file that is used by multiple target computers.
If you specify a dot in the Client ID field after 12.1, the target machine
replaces the dot by the Client ID of its other server definitions. This only
works if all its other server definitions contain the same Client ID.
Modifying an existing configuration file
See “Modifying an existing configuration file” on page 12 for the steps.

Configuration file sample tasks

Use these sample tasks to implement configuration files for zSecure Visual.

Procedure
1. Example 1: Prepare automated setup and configuration with one server for
multiple clients
a. Start IBM Security zSecure Visual.
b. Select File > Configure from the main menu.
c. Select Export and confirm you are going to prepare configuration files.
d. Edit the server definitions using the Add, Edit, and Delete functions until
you have only the server definition you want to configure on the target
machines.
Specify only Name, HelpContact, Server IP address or name and Server
Port. Leave the Client ID field blank, because this field needs to be unique
for each target machine. In this example, Local Host and Local Port are also
left blank.
e. Click OK and save the configuration file as setup2.cfg. Now the
configuration file is finished.
f. On each target machine run this command:
c2racvn setup2.cfg

Chapter 1. IBM Security zSecure Visual setup and configuration 13

 g. After completing these steps, specify the correct Client ID and Initial
Password on the target machine.
2. Example 2: Add a new server to multiple clients
a. Start IBM Security zSecure Visual.
b. Select File > Configure from the main menu.
c. Select Export and confirm you are going to prepare configuration files.
d. Edit the server definitions using the Add, Edit, and Delete functions until
you only have the server definition you want to configure on the target
machines.
Specify only Name, HelpContact, Server IP address or name and Server
Port. Leave the Client ID field blank, because this field needs to be unique
for each target machine. In this example, Local Host and Local Port are also
left blank.
e. Click OK and save the configuration file as setup2.cfg. Now the
configuration file is finished.
f. On each target machine run this command:
c2racvn setup2.cfg
g. After completing these steps, specify the correct Initial Password on the
target machine to obtain a certificate.

Silent installation
Follow these guidelines to plan a silent installation of zSecure Visual.

A silent installation is an installation that is performed without any user interaction.

For the silent installation to succeed, the initial machine and target machines must
have similar configurations. Any deviation that can influence the setup procedure,
such as the existence or nonexistence of the target folder to install, can cause the
installation to fail.

Silent installation assumes that the accepted license agreement recorded from the
initial installation applies to all target machines. Therefore, the silent installation
copies the license files to the designated directory on the target systems and creates
the status file without user interaction.

To help troubleshoot any silent installation problems, you must log the installation
process. See “Log file for silent installation”

Log file for silent installation

You can specify the log file location for a silent installation of zSecure Visual. This
section describes how to specify the log file.

A log file is created for each silent installation. If you do not specify the location,
the log file is created as setup.log in the folder that contains
zSecureVisualSetup.exe.

To specify the log file location, use this option:

-f2<full path to log file>

For diagnostics, you can create a detailed log with this command-line option:

/g<full path to detail log>

14 Client Manual
 The detailed log contains the steps of the installation process, including any error
messages. This information must provide pointers to solve what went wrong
during the installation.

Attention: Take care to avoid any filename conflicts with the setup log!

Examples of silent installation commands

To perform a silent installation, run the setup program with the appropriate
command line options. This section provides some examples.

These examples use standard Microsoft command line parameters with the
InstallShield setup command. Only the CMDVISUAL property is specific to the
zSecure Visual client application.

Specify command-line options that require a parameter with no space between the
option and its parameter. For example, this command is valid:
zSecureVisualSetup.exe /v"INSTALLDIR=c:\MyDirectory"

This command is not valid:

zSecureVisualSetup.exe /v "INSTALLDIR=c:\MyDirectory"

Put quotation marks around the parameters of an option only if the parameter
contains spaces.

If a path in a parameter contains spaces, you might need to use quotation marks in
quotation marks, as in this example:
zSecureVisualSetup.exe /v"INSTALLDIR=\"c:\My Directory\""
Silent installation with default settings
zSecureVisualSetup.exe /s /v"/qn”
Silent installation with a different target directory
zSecureVisualSetup.exe /s /v"/qn INSTALLDIR=<c:\target_directory>"
Silent installation with a different target directory and a configuration file
zSecureVisualSetup.exe /s /v"/qn CMDVISUAL=C:\temp\setup1.cfg
INSTALLDIR=<c:\target_directory>"
Silent installation with a different target directory and a log file
zSecureVisualSetup.exe /s /v"/l*v c:\test.log
"INSTALLDIR=<c:\target_directory> /qb"
Silent installation with default settings and no reboot
zSecureVisualSetup.exe /s /v"/qn /norestart ”

Automate upgrade path examples

You can automate the upgrading of zSecure Visual with the /COPYSERVERS setup
command-line option.

After an initial installation, IBM Security zSecure Visual needs some configuration
before the user can log on to a server. For an upgrade, it can be automated with
the /COPYSERVERS setup command-line option. Any server definition already
defined on the system is replicated to the newly installed version, so they are
ready for use immediately after installation.

Examples:

Chapter 1. IBM Security zSecure Visual setup and configuration 15

 The following examples:
v Apply only to an interactive installation.
v Require you to specify the COPYSERVERS option in uppercase.
v Copies only the most recent server definitions.

Note: If the machine contains more than one version of zSecure Visual, the
server definitions of the most recent version are copied. Older versions are
skipped.

Example 1:
zSecureVisualSetup.exe /s /v"/qn CMDVISUAL=/COPYSERVERS”

Example 2:

The following example specifies to uninstall the existing version of the Visual
Client before installing the new version.
zSecureVisualSetup.exe /x /s /v"/qn CMDVISUAL=/COPYSERVERS”

16 Client Manual
Chapter 2. IBM Security zSecure Visual customization and
primary tasks
IBM Security zSecure Visual maintains an IBM RACF security database from a
Windows workstation. Some customization and primary tasks are described in the
following topics.
“Release information” on page 1
“Selecting to work locally or in a multi-system environment” on page 18
To limit or expand the scope of your task, you can work with users and
resources on the local RACF database or with users and resources that are
defined in multiple nodes across multiple systems.
“Logging on” on page 19
You log on to the Visual client so that the program can determine your scope of
operation.
“Selecting available nodes” on page 20
If you log on in multi-system mode, the zSecure server is queried for a list of
available nodes. The nodes that are defined in the zSecure server are made
available to the Visual client. Select the zSecure and RACF Remote Sharing
Facility (RRSF) nodes that you want to work with.
“An example first task” on page 21
As an example first task, you can use the user interface to perform various
operations related to users, groups, and resources.
“Logging off” on page 22
You log off the Visual client after completing your tasks.
“Exiting” on page 22
You exit the Visual client after logging off the Visual Server.
“Turning off the server definition name” on page 22
You can create a simple file and entry to turn off the displaying of the server
definition name in the Visual client.
“Viewing the log files” on page 22
You can view logged information about the Visual application in the cesys and
ceaud files.
“Using the Communication window” on page 24
Use the Communication window to view information exchanged between the
zSecure Visual client and the components and programs on the mainframe side.
“Setting display preferences” on page 25
Use the Option dialog to specify how you want to display IBM Security
zSecure Visual.
“Setting interface options according to your access level” on page 27
You can adjust the interface to display specific groups of options, according to
the access level you are assigned.
“Setting the date format” on page 28
You can define your own format or select a predefined format to display dates.
“Drag and drop function” on page 30
You can use the drag and drop function to change users or connects in the
RACF database.
“Copy and paste function” on page 30
You can use the Copy, Paste, and Paste Special functions to perform various
copy, merge, and move tasks.

© Copyright IBM Corp. 1998, 2017 17

 “Toolbar buttons” on page 30
You can use the Visual client toolbar buttons to show the most frequently used
menu options.
“Right mouse button” on page 31
You can right-click a row to display Navigate and Action options.
“Naming conventions” on page 31
Use these guidelines to create names for users and groups.
“Changing column sequences” on page 31
You can use click and drag to change the arrangement of a table column or to
change the border of a column.
“Site-specific columns and fields” on page 31
If configured, you can view information that is specific to your organization.
“Saving and exporting printable data” on page 32
You can save a printable table in CSV format and export the communication
window to RTF format.
“Printing” on page 32
You can print data and see print previews in the Visual client.
“Previewing a print file” on page 33
You can preview and change the layout of a print file in the Visual client.
“Tables available for printing” on page 33
You can print these tables and lists in the Visual client.
“Server Information dialog” on page 33
The Server Information dialog displays the information about the server to
which you are currently logged on.
“Display of the ? character” on page 34
The question mark (?) is displayed if a field is not within the scope of the user.

Selecting to work locally or in a multi-system environment

To limit or expand the scope of your task, you can work with users and resources
on the local RACF database or with users and resources that are defined in
multiple nodes across multiple systems.

Before you begin

To work with users and resources in a multi-system environment, the

administrator must first complete these tasks:
1. Configure the zSecure server and the Visual server to manage multiple RACF
databases on multiple systems. See the IBM Security zSecure CARLa-Driven
Components: Installation and Deployment Guide.
2. Create and verify a server definition on the Visual client that connects to the
Visual server. See “Configuring IBM Security zSecure Visual” on page 6.

Procedure
v To work locally, ensure that the Use zSecure Server for multi-system services
option is not selected in the Options dialog of the Visual client. By default, this
option is not selected. When operating in local mode, the Visual client does not
request node details from the zSecure server.
v To work with users and resources in a multi-system environment, set the Visual
client to operate in multi-system mode. Use these steps to specify multi-system
mode:
1. Select Start > Programs > Security zSecure Visual to start the Visual client.

18 Client Manual
 2. Select View > Options to start the Options dialog (see “Setting display
preferences” on page 25).
3. Select Use zSecure Server for multi-system services > OK.
You are prompted to accept the list of systems that are configured for the
multi-system environment or to specify the systems to which your actions
will apply for the session.

Note: If the client cannot establish a session with the zSecure server, the
client issues a message indicating that the server is not active. It begins
operation in local mode.

Logging on
You log on to the Visual client so that the program can determine your scope of
operation.

About this task

After starting the program you must logon to RACF to determine your access to
certain commands, as CKG profiles in the RACF database control your access
levels. Based on responses from the CKGRACF program on the mainframe, the
names of the schedules you can work with are loaded and certain features are
disabled. Next, a list of all classes defined on the complex is presented.

Procedure

Follow these steps to logon to RACF on the mainframe:

1. Select File > Logon from the main menu to access IBM Security zSecure Visual,
or click Logon from the toolbar. The Logon to RACF dialog is displayed.

Figure 4. Logon dialog

2. Enter your mainframe user ID and password or passphrase.

Or select New Password/Passphrase to change your password or passphrase.
3. Confirm your new password or passphrase.
4. Click OK to continue.

Note: If this logon is your first logon to the mainframe, it takes time to set up
a cryptographically secure communication channel.
5. If you log on in multi-system mode, you are prompted to select the nodes that
you want to work with. See “Selecting available nodes” on page 20

Chapter 2. IBM Security zSecure Visual customization and primary tasks 19

 6. After a successful logon, the Find dialog is displayed. Use the Find dialog to
display or change users, groups, or resources. See “An example first task” on
page 21.

Selecting available nodes

If you log on in multi-system mode, the zSecure server is queried for a list of
available nodes. The nodes that are defined in the zSecure server are made
available to the Visual client. Select the zSecure and RACF Remote Sharing Facility
(RRSF) nodes that you want to work with.

The list of nodes includes zSecure nodes and RRSF nodes, which are displayed in
the Node selection dialog. Use these guidelines to help determine which nodes
you want to work with:
v You must select at least one zSecure node to continue. The Visual client sends
your request to the server, which directs it to the zSecure node. The node returns
data from the associated RACF database. After the client receives data, it can
send requests to the zSecure node to change the data.
v Nodes that you can operate on only as zSecure nodes are listed only in the
zSecure Nodes column.
v Nodes that you can operate on only as RRSF nodes are listed in the RRSF
Nodes column.
v Nodes that are listed in the same row under the zSecure Nodes column and the
RRSF Nodes column are available in both environments.
v The nodes you select become your list of preferred nodes. You change your
preferred zSecure and RRSF nodes using the Select Nodes dialog (see “Select
Nodes dialog: multi-system options” on page 36). You can also change your
preferred list of zSecure nodes by selecting >>Advanced in the Find dialog.
v Operations that you perform on RRSF nodes are not verified for successful
completion. You can send edit requests to a RACF database through an RRSF
node. However, the client does not receive feedback on the final outcome of the
action. Consequently, the software assumes that RRSF operations are successful.

20 Client Manual
 Figure 5. Node Selection dialog

An example first task

As an example first task, you can use the user interface to perform various
operations related to users, groups, and resources.

About this task

The following procedure describes an example task that shows how to use the user
interface to view the connections between users and groups. See Chapter 6,
“Connect management,” on page 97 for more information on performing connect
tasks.

Procedure
1. In the Find dialog window, select User or Group from the Class drop-down
list.
2. Type a user or group in the Search field and click OK. A search results window
is displayed.
3. To view what the connections are for the selected user or group, follow these
steps:
a. Select a specific user or group from the search results window.

Chapter 2. IBM Security zSecure Visual customization and primary tasks 21

 b. Select Navigate > Connects. A Connects window displays all groups or
users related to this specific user or group.
c. Double-click any of the user or group in the Connects window to see its
properties.

Logging off
You log off the Visual client after completing your tasks.

Procedure

Select File > Logoff from the main menu to log off IBM Security zSecure Visual.

Exiting
You exit the Visual client after logging off the Visual Server.

Procedure
1. To exit IBM Security zSecure Visual, select File > Exit from the main menu.
2. Specify whether the program prompts for a confirmation on exit in the Option
dialog.
For more information, see the section “Setting display preferences” on page 25.
If you press Exit while you are still on IBM Security zSecure Visual, the
program logs off before exiting.

Turning off the server definition name

You can create a simple file and entry to turn off the displaying of the server
definition name in the Visual client.

About this task

The IBM Security zSecure Visual client includes the server definition name in the
application title. The server definition name is enclosed between square brackets.
By default, the application turns on the server name definition during logon and
turns it off during logoff, but you can turn off this feature.

Procedure

To turn off the server definition name in the application title, follow these steps:
1. Go to the application folder. The default directory is C:\Program Files
(x86)\IBM\Security zSecure Visual\2.3\.
2. Create a text file named c2racvn.cfg.
3. Add this option:ShowHost=No
4. Save the file.
5. Exit and log on again for the change to take effect.

Viewing the log files

You can view logged information about the Visual application in the cesys and
ceaud files.

22 Client Manual
About this task

The zSecure Visual client provides log files to capture errors, warnings, and
informational messages that can help locate the source of a problem and diagnose
its severity.

Procedure
Follow these steps to access the log files:
1. Navigate to the log directory:
user_profile\AppData\Roaming\IBM\Security zSecure Visual\version\
Servers\ServerName\ClientLogs
Example directory: C:\Administrator\AppData\Roaming\IBM\Security zSecure
Visual\version\Servers\ServerName\ClientLogs
Various logs are recorded in this directory. The log files include the process
identifier in the titles, so multiple versions from different runs of the client can
be stored in the same directory. Here is an example of same-named files that
are differentiated by process identifiers:
About0480.log
CKGPRINT0480.log
Requests0480.log
SYSPRINT0480.log
SYSTERM0480.log

About6412.log
CKGPRINT6412.log
Requests6412.log
SYSPRINT6412.log
SYSTERM6412.log
You must provide these log files when reporting problems related to the
zSecure Visual client.
2. Navigate to the other log file directory. The location of the log directory
depends on whether the server definition is stored in the ProgramData or
AppData folder, as determined by the choice made in the View -> Options
dialog for the Save server definitions in per-user folder option.
If the Save server definitions in per-user folder check box was not selected
(default), the log file directory is stored in the ProgramData folder and the
directory is: C:\ProgramData\IBM\Security zSecure Visual\version\Servers\
ServerName. For example: C:\ProgramData\IBM\Security zSecure
Visual\2.3\Servers\Server_A.
If the Save server definitions in per-user folder check box was selected, then
the log file directory is stored in the AppData folder and the directory is:
user_profile\AppData\Roaming\IBM\Security zSecure Visual\version\
Servers\ServerName\. For example: C:\Users\UserA\AppData\Roaming\IBM\
Security zSecure Visual\2.3\Servers\Server1.
The log files named cesys and ceaud are stored in this directory. These log files
provide information about the communication layer between the client and
server. Though this information is not for user interpretation, it is useful to
diagnose communication-related problems. You must also provide these log
files when reporting problems related to the zSecure Visual client.
3. View the latest updates contained in these log files from the tabs of the
Communication window GUI.

Note: When you start the client it clears log files that are older than 7 days.

Chapter 2. IBM Security zSecure Visual customization and primary tasks 23

 For information about the messages and possible resolutions, see IBM Security
zSecure: Messages Guide.

Using the Communication window

Use the Communication window to view information exchanged between the
zSecure Visual client and the components and programs on the mainframe side.

About this task

The Communication window enables you to view most of the information
exchanged between the zSecure Visual client and the components and programs on
the mainframe side, including the zSecure Visual server, CKRCARLA, CKGRACF,
and RACF. In general, the client issues requests for the CKRCARLA and
CKGRACF programs to obtain information about the client and to modify the
RACF database. You can use the Communication window to view real-time logs
for the client requests and their results.

You can print the information found in the Communication window and export it
to rich text format (.rtf). See “Printing” on page 32 and “Saving and exporting
printable data” on page 32.

Procedure

Follow these steps to view the Communication window:

1. Display the Communication window, using one of these options:
a. From the main menu, select View > Communication; or,
b. Select the Communication button on the toolbar. This button always puts
the Communication window on top.

Figure 6. Communication window

2. Select the Requests tab to see all requests issued by the client, which include
the latest CARLa commands, CKGRACF commands, and commands sent to the
server. You can find the commands that are sent to the server under the
extension section of this tab.
3. Select the SYSTERM tab to view status messages and messages with a return
code (RC) of 12 or higher.

24 Client Manual
 v If the most recent request is for CKRCARLA, the SYSPRINT tab contains the
detailed SYSPRINT output of the CKRCARLA program. The SYSPRINT
output includes CKRCARLA listings and critical and informational messages.
This information helps locate the command causing problems.
v If the most recent request is for CKGRACF, the CKGPRINT tab contains the
detailed CKGPRINT output of the CKGRACF program. The CKGPRINT
output includes CKGRACF commands and messages. This information can
help you locate a command causing problems. You can also view messages
returned directly from RACF.
4. Select the About tab to see aggregated client and server information. You can
copy and paste this information as text. From this tab, you can find:
v Client information: the specific version of zSecure Visual client and
information about the building of the GUI and its engine.
v Server information. See “Server Information dialog” on page 33.
v Copyright notice.

Setting display preferences

Use the Option dialog to specify how you want to display IBM Security zSecure
Visual.

Procedure

Follow these steps to set the options:

1. Select View > Options from the main menu to start the Options dialog.

Figure 7. Options dialog

2. (Optional) Change any of the general behaviors:

Chapter 2. IBM Security zSecure Visual customization and primary tasks 25

 Confirm exit
Specifies whether the program has to prompt for confirmation on exit
or exit directly.
Find window always on top
Specifies whether the Find dialog remains on top or closes after every
search.
Save server definitions in per-user folder
Specifies where the server definitions will be stored:
v If the option is not selected, then the server definitions are stored in
the ProgramData folder. All users who can log on to the system can
use the same server definition.
v If the option is selected, then the server definitions are stored in the
per-user AppData folder. Server definitions that are stored in the
AppData folder become part of the roaming profile for that user.
Therefore, the same user can use the server definitions in multiple
systems in a networked environment without having to configure
every system.
Use zSecure Server for multi-system services
Specifies whether to operate the Visual client in local mode only or
multi-system mode. The default is local mode (check box is clear). You
must specify the operational mode before you log on. You cannot
change from one mode to another while you are logged on. See
“Selecting to work locally or in a multi-system environment” on page
18 for information about operating in multi-system mode.
Add zSecure diagnostic messages to print
Select this option to include a DEBUG statement in the requests to
remote nodes. The DEBUG statement generates information to assist in
debugging node problems. Leave this check box clear if you do not
want to generate troubleshooting information.
Interface level
Determines which functions are available and shown to the user.
3. (Optional) Change any of the table and grouptree behaviors:
Date format
You can specify two date formats: one format for all tables, where the
width of the columns is an issue, and one date format for all dialogs.
Select a date format from the list to get the wanted date format.
Font selection
You can specify two different fonts, one for the table and the grouptree,
the other for the dialogs. A font size must be 8 - 12 points.

4. (Optional) Change any of RACF behaviors:

Default connect owner
Specify who is the default owner for new connects. If you leave the
Owner field blank in the connect dialog, zSecure Visual uses the owner
specified here.
Include access due to Group Operations in effective Access List
Specifies whether the Group Operations attributes determine the
effective access list. By default, this option is on.

26 Client Manual
 Include access due to System Operations and Universal Groups in effective
Access List
Specifies whether the System Operations attributes and Universal
Group access determine the effective access list. By default, this option
is off.

CAUTION:
If you select this option, zSecure Visual must read the entire RACF
database to create an Effective Access List. It can cause a significant
drop in performance.
Include profiles you can list
Determines which profiles you can see and edit. When this option is
on, you see the profiles you can edit and the profile in your CKGLIST
and group-auditor scope. When it is off, you see only the profiles you
can edit. By default, this option is on.
5. When you finish the changes, perform one of these steps:
a. Click Restore defaults to set the options to factory defaults.
b. Click OK to accept the changes.
c. Click Cancel to close the Options dialog window without changing the
settings.

Setting interface options according to your access level

You can adjust the interface to display specific groups of options, according to the
access level you are assigned.

About this task

Use the Options dialog to adjust the interface according to your role as a user.

Procedure
v You can select one administration level from the Interface level drop-down list.
If you are not authorized to perform all functions of the particular level, the
options that you cannot access are either hidden or displayed in gray. If you
change the administration level, the Find dialog changes to adapt to that level.
These options are the administration levels for you to select:
Helpdesk
Helpdesk is the lowest level, the functionality is limited to:
– List users
– Resume a user
– Set password
– Manage schedules
– List mapping profiles
– View the mapping profiles of a user
Connect
This level expands the functionality from the Helpdesk level to:
– List groups
– List connects
– View the grouptree
– Create connects

Chapter 2. IBM Security zSecure Visual customization and primary tasks 27

 – Change connect attributes
– Remove connects
User This level expands the functionality from the Connect level to:
– Duplicate user
– Change properties of user
– Mark user for deletion
Access list
This level expands the functionality from the User level to:
– List resources
– List Access List
– List effective Access List
– Change access lists (RACF command: permit)
Group This level expands the functionality from the Permit level to:
– Add subgroup
– Duplicate group
– Change group properties
– Delete group
Full Full is currently the highest level, functionality for this level includes:
– List member list
– List scope
– Create resource profile
– Duplicate resource profile
– Modify resource profile
– Delete resource profile
– Change member list
– Segment management
Automatic
Displays the highest administration level to which the user has access.
The CKGRACF SHOW MYACCESS command determines access.
v In the right field, you can select how the interface looks. If you are not
authorized on the mainframe for all commands in your administration level, you
can select either of these options:
Gray desired unauthorized functions
Display all unauthorized functions in gray.
Hide desired unauthorized functions
Do not display all unauthorized functions. You can use this setting for
further customization between different levels. You can select the higher
level and remove undesired functions by refusing access to their
corresponding CKG profiles on the mainframe.
CKG profiles cannot control the availability of the list commands, which are
based on the administration level only.

Setting the date format

You can define your own format or select a predefined format to display dates.

28 Client Manual
About this task

The date format dialog specifies how dates are displayed. You can select one of the
predefined formats or build your own format.

Figure 8. Date format dialog

Procedure
v Use these options to specify the predefined formats.
Windows short date
The Windows date formats are taken from the Windows configuration
settings. You can change these formats by selecting Control Panel >
Clock, Language, and Region and clicking on Change the data, time
and number format under the Region and Language option. The
modified format affects all applications that use the format.
Windows long date
See description of Windows short date.
CKRCARLA date format
This format is used by the CKRCARLA program on the mainframe,
which is dd mmm yyyy. This format has no special meaning or
advantages.
ISO date format
This format is yyyy-mm-dd.

Chapter 2. IBM Security zSecure Visual customization and primary tasks 29

 v If you want to change from the predefined formats, select Custom and build
your own format using these characters in the format string.

Note: You can use the characters / and - as separators, but the separator
character defined in the Windows Control Panel > Clock, Language, and
Region settings can replace them. You can prevent replacement by placing a /
before the character.
Table 3. Date formatting characters
d one-digit day, two digits only if necessary
dd two-digit day
ddd day of week, three characters
dddd day of week, full name
m one-digit month, two digits only if necessary
mm two-digit month
mmm three-character month name
mmmm full month name
yy two-digit year
yyyy four-digit year

Drag and drop function

You can use the drag and drop function to change users or connects in the RACF
database.

Use drag-and-drop to change users or connects in the RACF database, instead of

using menus, pop-up menus, or the toolbar. After every drop, a dialog or a pop-up
window for confirmation displays to avoid accidental changes. With dragging and
dropping you can delete and change users, and delete, change, copy, merge, and
move connects. You can also change subgroups and modify access lists and
member lists.

Copy and paste function

You can use the Copy, Paste, and Paste Special functions to perform various copy,
merge, and move tasks.

Use Copy, Paste, and Paste Special options on the main menu to perform these
tasks:
v Copy users, groups, connects, access lists, and member lists
v Create, merge, move, and copy connects

Toolbar buttons
You can use the Visual client toolbar buttons to show the most frequently used
menu options.

The toolbar buttons show the most frequently used menu options. When you
hover the mouse cursor over each button, a yellow pop-up with the description
displays.

30 Client Manual
Right mouse button
You can right-click a row to display Navigate and Action options.

In most tables and the group tree, right-click a row to display a pop-up menu with
frequently used Navigate and Action options.

Naming conventions
Use these guidelines to create names for users and groups.

When you add new users or groups, follow these naming conventions:
v The name must be from 1 to 8 characters long.
v The characters must be the letters A-Z, number 0-9, or #, $, @.
v The name cannot start with a number.
v A group cannot have the same name as another group.
v A group name cannot have same name as an existing user ID.

Changing column sequences

You can use click and drag to change the arrangement of a table column or to
change the border of a column.

Procedure

You can rearrange the columns in a table and change the size of a column.
v To change the arrangement of the columns in a table, drag a column to where
you want it so you can compare columns. The column arrangement you make
becomes the default when you start the program next time.
v To change the size of a column, click a vertical border and move it left or right.
Double-clicking gives you the required size of a column.

Site-specific columns and fields

If configured, you can view information that is specific to your organization.

Your site administrator can customize zSecure Visual to display user information
that is defined by your organization. For example, a site might want to display
employee IDs and department numbers. These fields are displayed in front of or
instead of the INSTDATA column for USER profiles.

Your administrator defines the number, order, and characteristics of site-specific

fields; you do not configure these fields in the Visual client. Configuration
instructions are in the IBM Security zSecure CARLa-Driven Components: Installation
and Deployment Guide.

If defined, site-specific fields are in the User properties dialog, User table, and the
Find dialog:
User properties
Site-specific columns can replace the InstData field or be included in
addition to the InstData field. Depending on the number of site-specific
fields, these fields can be displayed under a separate tab. The contents of
the fields are read-only.

Chapter 2. IBM Security zSecure Visual customization and primary tasks 31

 User table
Scroll right to view site-specific columns. Depending on the configuration
of your site, you might be able to search on some fields.
Find dialog
If site-specific columns are specified with a search capability, the dialog
displays the fields when you select the >>Advanced button.

Saving and exporting printable data

You can save a printable table in CSV format and export the communication
window to RTF format.

About this task

You can save all printable tables as Comma Separated Values format (CSV).
Different programs, such as Microsoft Excel, can read this format. You can also
export the communication window to an RTF format. See “Using the
Communication window” on page 24.

Procedure

To save table information in CSV or RTF format, perform these steps:

1. Select File > Save As.
2. In the Save as dialog, enter a file name. If this name exists, a warning box
displays. If you do not change the name, it overwrites the original file.
3. Click Save.

Printing
You can print data and see print previews in the Visual client.

About this task

You can print data and see print previews.

Procedure

To print data, perform these steps:

1. From the main menu, select File > Print, or click the printer icon on the
toolbar.
2. In the print dialog, select the options you want. The Current Page option is
only enabled if you print from the print preview.
3. Click OK.
Every printout has these elements:
v Page header with the name of the data list on the left and the product version
number on the right
v Date
v Page number
You can print every list and export to CSV, see “Saving and exporting printable
data.”

32 Client Manual
 Previewing a print file
You can preview and change the layout of a print file in the Visual client.

Procedure
1. To get a print preview, select File >Print Preview from the main menu or click
the print preview icon on the toolbar.
2. Select PgUp or PgDown on your keyboard to scroll through the preview.
3. Select the desired printing option from the list of icons:
v Click the print icon to print the information as shown. All pages are printed.
v Select the zoom icon to specify the size of the text that is included on the
print page. The percentage values are: 10, 25, 50, 75, 100, 150, 200, and 500
percent.
v Select one of the page icons to view the page layout of 1 (default), 2, 3, 4, or
6 pages of the print file.
v Click Close to go back to the main program.

Tables available for printing

You can print these tables and lists in the Visual client.

You can print the tables described in these topics:

v “User table” on page 55
v “Group table” on page 85
v “Connects table” on page 97
v “Resource profiles” on page 110
v “Selecting resources for a specific user ID or group with the Permits function”
on page 45.
v “Viewing an Access List” on page 53
v “Viewing an Effective Access List” on page 53
v “Using Scope *” on page 50
v “Viewing a member list” on page 54.

If you cannot print a table, the print and preview options are not active.

Server Information dialog

The Server Information dialog displays the information about the server to which
you are currently logged on.

To view the server information, select Help > Server Information from the main
menu. The following information is available:
v Release information of the server CKRCARLA and CKGRACF
v Host name of the server and its IP port
v The possibly resolved value of the C2RSERVE parameter in the zSecure
configuration
v Time that the server established itself as a certificate authority
v Time that the server was last started.

See your server documentation for additional information.

Chapter 2. IBM Security zSecure Visual customization and primary tasks 33

Display of the ? character
The question mark (?) is displayed if a field is not within the scope of the user.

If you find a ? in a field of a table, it means that this field is not loaded because it
is out of your scope.

34 Client Manual
Chapter 3. RACF database operations
Use the Visual client Navigate option to find and view users, groups, and
resources and their connects, permits, and schedules.

This chapter explains the different options you can use to work with the databases.
Click Navigate to go to the databases that you want to see. You can find
individual users, groups, and resources and their relations such as connects,
permits, schedules, and so on.
“Select Nodes dialog: multi-system options” on page 36
Specify the systems and nodes you want to work with in the Select Nodes
dialog.
“Verification of actions across multiple systems” on page 37
Use the Status of progress form to verify actions for each selected node in a
multi-system task.
“Using the Find dialog” on page 38
Use the Find dialog to view users, groups, or resources for one or more RACF
databases.
“Viewing connected users and groups” on page 43
Select Navigate > Connects to view connect relationships for users and groups.
“Viewing the groups” on page 43
You can view a group tree to understand the hierarchy of groups and
subgroups.
“Selecting resources for a specific user ID or group with the Permits function”
on page 45
You can select resources related to a specific user ID or group so that you can
see the resource profiles.
“Using Scope” on page 46
Use the various filtering options in the Scope dialog to view users, groups, and
resources that can be accessed by a specific user ID or group.
“Using Scope *” on page 50
Use the various filtering options in the Scope * dialog to view users, groups,
and resources that can be accessed by every user.
“Viewing RACF SETROPTS settings” on page 52
Use the RACF SETROPTS Settings report to view the system-wide RACF
options as set or as retrieved by the SETROPTS command.
“Viewing an Access List” on page 53
Use the Access List window to view the access list for all user IDs of a resource
profile.
“Viewing an Effective Access List” on page 53
Use the Effective Access List window to view the access list for groups of users
of a resource profile that are in your scope.
“Viewing a member list” on page 54
Use the Members window to view the member list of a general resource
profile.
“Finding classes with the Select class dialog” on page 42
Use the Select class dialog to find a specific class.

© Copyright IBM Corp. 1998, 2017 35

Select Nodes dialog: multi-system options
Specify the systems and nodes you want to work with in the Select Nodes dialog.

If you select to work with multiple systems when you start the Visual client, the
Select Nodes dialog is displayed each time you start an action. For example, if you
select Duplicate to duplicate a user or group, the Select Nodes dialog displays
your preferred list of nodes.

Note: If you select a single node (which becomes your preferred list) to work in
multi-system mode, the Select Nodes dialog is not displayed before your request is
processed. You must select at least two nodes to view the Select Nodes dialog
before the processing of a client request.

If you have performed an action already, the nodes you selected for the previous
action are displayed. If needed, you can change the nodes to which the action
applies. You must select at least one node to continue. The local node entry is
highlighted.

If a node is defined as a zSecure node and an RRSF node, you can select only one
of these node types. If you select an RRSF node, you can use the AT or ONLYAT
options to select an alternative user ID to run the command.

For RRSF nodes, if other user IDs are associated with your user ID (using the
RACLINK command), those associated IDs are displayed.

When you click OK, the selected list of nodes is verified, then the specified action
is performed for each selected node.

Click Cancel to return to the previous dialog without selecting any nodes.

Figure 9. Select Nodes dialog

The Select Nodes dialog has these fields and options:

36 Client Manual
 Check box column
The left check boxes enable you to select the nodes to which you want to
apply your request.
zSecure Nodes
Lists the available zSecure nodes in your preferred nodes list.
Radio button
If the row contains entries for zSecure and RRSF nodes, a radio
button is displayed beside the zSecure node. This button enables
you to select or clear the zSecure node. If you select the row and
the radio button, your request is processed for the zSecure and
RRSF nodes. If you select the row and clear the button, your
request is processed only for the RRSF node.
System_name
Displays the name of the available zSecure system. You can select
and clear the systems to which the action applies.
RRSF Nodes
Lists the available RRSF nodes in your preferred nodes list.
System_name
Displays the name of the available RRSF system. You can select
and clear the systems to which the action applies.
Alternative ID (drop-down list column)
Select this dropdown option to specify a different ID than the
associated user ID to perform the action on the selected RRSF
system. Associated IDs on RRSF systems are defined using the
RACLINK command.
Specify only IDs that are defined with the authority to execute
your action. If the specified ID does not have the authority on the
selected system to issue the command corresponding to your
action, RACF will reject the command.
The alternative user IDs that you specify are saved in the
drop-down list for your reuse during a logon session. The
alternative IDs are not saved between logon sessions.
AT Specifies how the instruction is processed at the selected RRSF
node. If you select the AT option, it is used to build the command,
for example, AT(RRSF0000.userid).
ONLYAT
Specifies how the instruction is processed at the selected RRSF
node. If you select the ONLYAT option, it is used to build the
command, for example, ONLYAT(RRSF0000.userid).

Verification of actions across multiple systems

Use the Status of progress form to verify actions for each selected node in a
multi-system task.

If you execute an action for multiple systems, the Status of progress form is
displayed to show the progress of the action for each selected node.

Chapter 3. RACF database operations 37

 Figure 10. Multiple system progress Status form

As each action completes, the progress form is updated to indicate the status of the
action on each node. For example, the Progress field indicates if the action
completes, fails, or is in progress for each node. You can click Cancel to prevent
starting the action on nodes where the action has not begun. You cannot cancel an
action in progress.

If an action fails, you can review any error messages before closing the form. Click
Close when the action completes successfully on all listed nodes.

Note: The completion status cannot be determined for RRSF nodes. Consequently,
all RRSF node requests are assumed to be successful.

Using the Find dialog

Use the Find dialog to view users, groups, or resources for one or more RACF
databases.

Procedure

Follow these steps to open the Find dialog:

1. Select Navigate > Find.
2. Enter the class and the search string.
3. Specify how the search string value is interpreted, such as Exact, Filter, or
Mask.
4. Select the scope of the nodes for which you are searching.
5. Click OK.

38 Client Manual
Figure 11. Find dialog

Depending on your configuration, you might see one or more site-specific

fields in conjunction with user information. This information is either at the
bottom of the dialog or on the right of the dialog. If installation data (INSTDATA)
is displayed, up to three site-specific search fields are added to the bottom of
the dialog. If there is no installation data, up to four site-specific search fields
are added to the bottom of the dialog. If there are more than four site-specific
search fields, the fields are displayed on right side of the dialog.

Chapter 3. RACF database operations 39

 Figure 12. Find dialog with site-specific fields

The Find dialog presents these fields and options:

Class Specifies the name of the class. If you do not know the class, click the
button next to the class field to open the Select class dialog. See
“Finding classes with the Select class dialog” on page 42. When you
leave the class field empty, you receive all records except users or
groups.
You can use keyboard shortcut keys to specify the class field:
Table 4. Shortcut keys for the class
Shortcut keys Class
Ctrl + D Dataset
Ctrl + G Group
Ctrl + U User

Exact The search string is the only user ID, group ID, or profile that is
loaded.
If you have site-specific fields, do not specify values in these fields if
you want to search on an exact match to the specified string in the
search field. If you select Exact and specify one or more values in the
site-specific fields, the Visual client returns message C2RU163. This
message warns that you cannot specify values in the site-specific fields
when searching for an exact match.
Filter If the search string is used as a filter, all characters of the profile key
must match. The percentage (%) character matches any character and
the asterisk (*) character matches all succeeding characters. The *
character is only accepted as a last character. For example:
v "IBMUSER" matches "IBMUSER" only.
v "I%MUSER" matches "IBMUSER," "ICMUSER," "IDMUSER" and so
on.

40 Client Manual
 v "IBM*" matches "IBM," "IBMUSER," "IBMGROUP," "IBMSYS" and so
on.
The only exception is that an empty string used as a filter selects all,
just as an empty mask does.
Mask When the string is used as a mask, the first characters of the item must
match the string. "IBM" matches "IBMUSER," "IBMGROUP," "IBMSYS"
and so on.
Advanced
When clicking <<Advanced, you get additional criteria, which you can
use to reduce the selection. Only profiles that match all criteria can be
selected.
v See Chapter 4, “User management,” on page 55 for a description of
the extra fields for users.
v See Chapter 5, “Group management,” on page 85 for a description
of the extra fields for groups.
v See Chapter 7, “Resource management,” on page 109 for a
description of the extra fields for resources.
Your list of preferred nodes is maintained in the <<Advanced search
options. You can change the preferred nodes using the <<Advanced
option.
Mode selection listbox
This drop-down field is displayed only if you are operating in
multi-system mode.
Search All Nodes
Select this mode to perform operations on all preferred zSecure
nodes. You cannot include RRSF nodes in the search because
they do not return data.
Search in Selected Nodes
Default. Select this mode to perform operations on specific
zSecure nodes. Nodes are searched in the order in which they
are listed. The Search in Selected Nodes listbox is enabled
when you specify Search in Selected Nodes.
Segment
The segment option lets you refine the class you open. Select only the
profiles that have the segment you have chosen. The default option is
any, which gives you the complete profile list including the profiles that
have no segments.
If you are not authorized to view segments, or if there are no segments
present, the Segment option is shaded in gray to indicate that it is not
available.
The Find window always on top option in the Options dialog specifies
whether the dialog disappears after you click OK. The interface options
determine which fields and options are available in this dialog.
Site-specific fields
Site-specific fields with user information can be configured by your
organization. If so, one or more fields with site-specific names and
content are on the right.
View each node in a separate table
This option is displayed only if you are operating in multi-system

Chapter 3. RACF database operations 41

 mode. Select this option to view the search results for each node in a
separate table. If you do not select this option, all nodes are shown in
the same table.
Search in Selected Nodes
Your list of preferred nodes is displayed here if you select Search in
Selected Nodes in the drop-down list next to <<Advanced. The list
contains only preferred nodes. You can change the list of search nodes
as needed. The nodes are not selected for your current request but your
changes are used for the next action you specify.

Ambiguous Class selection

To view the desired search results, specify the exact class name in the Find dialog.

If you open the User or Group table and make a mistake in the Find dialog (for
example, you enter Users instead of User), the software displays the Ambiguous
Class selection "class_name" warning. If you continue the search, the program
tries to find resources of the class you type. Typically this results in the message No
matching resources found.

Figure 13. Ambiguous Class specification

Figure 14. Warning

To view the User table, select No, then select the right class.

Finding classes with the Select class dialog

Use the Select class dialog to find a specific class.

About this task

The Select class dialog helps you find the class you need.

42 Client Manual
 Figure 15. Select class dialog

Procedure
v Click OK to select the desired class.
The table contains these columns:
Class: Name of the class.
Active:
Flag indicating whether RACF protection for the class is active.
Description:
Description of the purpose of the class.
v To limit the list of classes, use the Classes field:
All classes
Displays all classes that have been read from the class descriptor table
during logon.
Active classes
Displays only classes that are active, as set by SETROPTS CLASSACT
and SETROPTS NOCLASSACT commands on the mainframe.
Authorized classes
Displays only classes that you are authorized to change, according to
your class authorizations or system-wide special attribute.

Viewing connected users and groups

Select Navigate > Connects to view connect relationships for users and groups.

Procedure
1. To see the connected users or groups, select a user or group.
2. Select Navigate > Connects from the main menu. You can find the explanation
of the columns of the resulting table in these topics:
v Chapter 4, “User management,” on page 55
v Chapter 5, “Group management,” on page 85
v Chapter 6, “Connect management,” on page 97

Viewing the groups

You can view a group tree to understand the hierarchy of groups and subgroups.

Chapter 3. RACF database operations 43

 About this task

A superior group can have zero or more subgroups. A group always belongs to
only one superior group except for the group SYS1. SYS1 does not have a superior
group because it is the root of the tree.

Figure 16. Group tree

To display the group tree, use one of these methods:

Procedure
1. Select Navigate > Group tree from the main menu, or
2. Click the Group tree button from the toolbar.
If you are operating in multi-system mode, a Select Node dialog displays the
list of zSecure complex nodes. You can select only one zSecure complex. Select
the complex that you want to display in the group tree.

Figure 17. Select complex for group tree

If you close and reopen the session, you must reopen the group trees for the
nonlocal nodes.
The Group tree window normally does not contain all groups defined in the
RACF database. It contains only the groups that are in your scope and their

44 Client Manual
 superior groups up to SYS1. Though you can see the superior groups
displayed, you are not able to see any information about any superior group
that is out of your scope.
Load Complete is a time saving feature. It loads all groups in your scope and
their superior ones from the mainframe. It stores them in the memory of your
PC, so you can use them during this session. This loading is only possible if
your PC has enough memory capacity.
3. To select groups, enter a filter in the filter box in the grouptree window.
4. Click Find.
The grouptree is extended with the wanted groups. The first one that matches
the filter is highlighted. If you select just one group, use its name for a filter.
The Find command loads the wanted information directly from the mainframe
except when the Load Complete option is used. Then it looks into the memory
of your PC.
In the Options dialog, you can specify whether the available installation data
of the group is shown in the tree.

Selecting resources for a specific user ID or group with the Permits

function
You can select resources related to a specific user ID or group so that you can see
the resource profiles.

Procedure

Follow these steps to select the resources:

1. Select the user ID or group.
2. Select Navigate > Permits.

Figure 18. Permits

When you use Permits, you effectively select these profiles:

v Resource profiles that contain the user ID or group on their Access List
v Resource profiles that are owned by the user ID or group
v DATASET profiles that have the user ID or group as first qualifier. This
qualifier is often referred to as the high level qualifier (HLQ). These profiles
are selected because RACF users and groups have ALTER access to the data
sets that have the user ID or group as the HLQ.

Note: This procedure does not select all resources that the user has access to
because the connects of the user are not taken into account. To get a list that
takes into account the connects, use View Scope.
In addition to the columns of a resources table explained in Chapter 7,
“Resource management,” on page 109, the table contains these columns:

Chapter 3. RACF database operations 45

 Access
This field contains the access the user or group has to the resource. It
can be an access level between None and Alter, and one of the values:
Owner
The user ID or group is the owner of the resource profile.
QualOwner
The user ID or group is the first qualifier of a DATASET profile.
When If this field is not blank, the access is only granted if the condition is
met. If the field is blank, the access is granted without restriction.

Using Scope
Use the various filtering options in the Scope dialog to view users, groups, and
resources that can be accessed by a specific user ID or group.

About this task

Users, groups, and resources that can be accessed by a specific user ID or group
are in scope of the user ID or group. To find the resources that every user can
select, use Scope *. See “Using Scope *” on page 50.

Procedure

To select users, groups, or resources in scope of a user or group, perform these

steps:
1. Select the user or group.
2. Select Navigate > Scope from the main menu.

46 Client Manual
Figure 19. Scope dialog

The Scope dialog displays these fields and options:

List users and groups
Select this option to get a list of users and groups that are in scope of
the specified user ID or group. When you select this option, some of
the other options become disabled because they do not apply to these
users and groups.
Filter Use this field only if you select List users and groups. You can enter a
user or group filter, for example, IBM,* to select only users and groups
that are in scope and match the filter. When you leave this field empty,
all users and groups in scope are selected. It leads to a large table.
List resources
Select this option to get a list of resources that are in scope of the
specified user ID or group.
Class Use this field only if you select List resources. You can enter a class
name or class filter to select only resource profiles in a class that
matches the filter. If you leave this field empty, no class filter is used. It
leads to a large table.
Profile filter
Use this field only if you select List resources. You can enter a profile
filter to select only resource profiles that match the filter. If you leave
this field empty, no profile filter is used. It leads to a large table.
UACC When selecting this option, resources that have a UACC other than
None are considered in scope.

Chapter 3. RACF database operations 47

 * on Access List, that grants access to all RACF defined users
When selecting this option, resources that have * on the Access List
with an access other than None are considered in scope.
group auditor attributes (gAud) of ID
By selecting this option, the group auditor attributes of the selected
user are taken into account when determining whether a user, group,
or resource is within scope. If you select a group, this option is disabled
because groups have no auditor attributes.
group operations attributes (gOper) of ID
By selecting this option, the group operations attributes of the selected
user are taken into account when determining whether a user, group,
or resource is within scope. If you select a group, this option is disabled
because groups have no group auditor attributes.
group special attributes (gSpec) of ID
By selecting this option, the group special attributes of the selected user
are taken into account when determining whether a user, group, or
resource is within scope. If you select a group, this option is disabled
because groups have no group special attributes.
ID is owner
When selecting this option, user, groups, or resources owned by the ID
you select are considered in scope.
ID can change password of owner of ...
When selecting this option, users, groups, or resources owned by the
ID you select are considered in scope. It is because ID might change the
password, logon, user, group or resource, and set the password back to
the previous value.
group special attributes (gSpec) of ID allow new connects to groups in scope
By selecting this option, the user ID ID can connect to a group in scope
of the user ID. The user ID has group special attribute (gSpec) to the
groups in scope. If you select a group, this option is disabled because
groups have no such group special attributes.
ID can change their own profile
When selecting this option, users, groups, or resources, which become
within scope when ID has changed their own profile, are considered
within scope.
ID has CKGRACF authorities over ...
When selecting this option, users, group, or resources within the
CKGRACF scope are considered in scope.
Global Access Table
When selecting this option, a resource is considered in scope if the
Global Access Table allows access.
Profile is in Warning Mode (allows ALTER)
When selecting this option, all resources protected by profiles in
Warning Mode are considered within scope. Warning Mode implies all
access is accepted, but a warning message is generated where a
violation occurs.
3. Click OK.
The requested table displays the columns that are found in user, group, and
resources tables, which are described in Chapter 4, “User management,” on
page 55

48 Client Manual
page 55, Chapter 5, “Group management,” on page 85, and Chapter 7,
“Resource management,” on page 109. The table also contains these columns:
Access
This field contains the access to the user, group, or resource. It can be
in the range Execute-Read-Update-Control-Alter and has these options:
Owner
The user or group that owns the user, group, or resource.
QualOwner
The user ID or group that is the first qualifier of a DATASET
profile.
Alter-Operations
The user that can alter the resource using their operations
attribute.
CKGOwner
Access granted by CKGRACF.
CKGList
Read access granted by CKGRACF.
Alter-M
The user can alter 'myself' - a user can alter some fields in their
own user profile.
Alter-P
Alter access on a discrete profile, enabling you to issue
PERMIT.
When If this field is not blank, the access is only granted if the condition is
met. If the field is blank, the access is granted without restriction.
Via This field contains the user ID, group, or connected group that was
granted the specified access, or it contains one of these options:
Warning
Access is granted because the profile is in warning mode.
* Access is granted because * is on the Access List with access
other than None.
UACC Access is granted because the UACC is not None or the Global
Access Table allows access.
Auditor
Access is granted because the user has a group auditor
attribute.
Operations
Access is granted because the user has a group operations
attribute.
SCP.G Access is granted because the group or the owner of the user,
group, or resource lies in the CKGRACF scope, according to a
CKG.SCP.G.... scope profile.
SCP.U Access is granted because the user or the owner of the user,
group, or resource lies in the CKGRACF scope according to a
CKG.SCP.U... scope profile.
SCP.ID
The access is granted because the user or group, or the owner

Chapter 3. RACF database operations 49

 of the user, group, or resource lies in the CKGRACF scope
according to a CKG.SCP.ID... scope profile.
Global
Access is granted because the Global Access Table allows
access.

Note:
v When the Via column shows Global, the Access List and Effective Access List
options are deactivated. These lists do not yield any usable information.
v This list is a snapshot. If you want to see any changes made after you
display the list, you must close it and display it again.
A related function for resources is the effective Access List, which results in a
list of all users and groups that have access according to the profile.

Using Scope *
Use the various filtering options in the Scope * dialog to view users, groups, and
resources that can be accessed by every user.

About this task

You can use the Scope * function to view a list of resources that can be accessed by
every user. To find the users, groups, or resources that can only be accessed by a
specific user, use the Scope function. See “Using Scope” on page 46.

Procedure
1. To find the Scope * function, select Navigate > Scope * from the main menu.

Figure 20. Scope *

The Scope * dialog displays these fields and options:

Class You can enter a class name or class filter to select only resource profiles
in a class that matches the filter. If you do not know the class, click the
button next to the class field to view the Select class dialog. See
“Finding classes with the Select class dialog” on page 42. If you leave
this field empty, no class filter is used, which can result in a large table.
Profile filter
You can enter a profile filter to select only resource profiles that match
the filter. If you leave this field empty, no profile filter is used, which
can result in a large table.

50 Client Manual
 UACC When selecting this option, resources that have a UACC other than
None is in scope.
ID * on Access List
When selecting this option, resources that have * on the Access List
with an access other than None are in scope.
2. Click OK to view the requested table.
The table contains columns found in resources tables, which are described in
Chapter 7, “Resource management,” on page 109. The table also contains these
columns:
Access
This field contains the access to the user, group, or resource. It can be
in the range Execute-Read-Update-Control-Alter and has these options:
Owner
The user or group that owns the user, group, or resource.
QualOwner
The user ID or group that is the first qualifier of a DATASET
profile.
Alter-Operations
The user that can alter the resource using their operations
attribute.
CKGOwner
Access granted by CKGRACF.
CKGList
Read access granted by CKGRACF.
Alter-M
The user can alter 'myself' - a user can alter some fields in their
own user profile.
Alter-P
Alter access on a discrete profile, enabling you to issue
PERMIT.
When If this field is not blank, the access is only granted if the condition is
met. If the field is blank, the access is granted without restriction.
Via This field contains the user ID, group, or connected group that was
granted the specified access, or it contains one of these options:
Warning
Access is granted because the profile is in warning mode.
* Access is granted because * is on the Access List with access
other than None.
UACC Access is granted because the UACC is not None or the Global
Access Table allows access.
Auditor
Access is granted because the user has a group auditor
attribute.
Operations
Access is granted because the user has a group operations
attribute.

Chapter 3. RACF database operations 51

 SCP.G Access is granted because the group or the owner of the user,
group, or resource lies in the CKGRACF scope, according to a
CKG.SCP.G.... scope profile.
SCP.U Access is granted because the user or the owner of the user,
group, or resource lies in the CKGRACF scope according to a
CKG.SCP.U... scope profile.
SCP.ID
The access is granted because the user or group, or the owner
of the user, group, or resource lies in the CKGRACF scope
according to a CKG.SCP.ID... scope profile.
Global
Access is granted because the Global Access Table allows
access.

Note:
v When the Via column shows Global, the Access List and Effective Access List
options are deactivated. These lists do not yield any usable information.
v This list is a snapshot. If you want to see any changes made after you
display the list, you must close it and display it again.
A related function for resources is the effective Access List, which results in a
list of all users and groups that have access according to the profile.

Viewing RACF SETROPTS settings

Use the RACF SETROPTS Settings report to view the system-wide RACF options
as set or as retrieved by the SETROPTS command.

About this task

The RACF SETROPTS Settings report is read-only.

Procedure
To view the RACF SETROPTS Settings report, Select Navigate > System Audit >
RACF SETROPTS Settings from the main menu.

52 Client Manual
 Figure 21. RACF SETROPTS Settings

Viewing an Access List

Use the Access List window to view the access list for all user IDs of a resource
profile.

About this task

The access list contains user IDs and groups. When a group is in an access list, all
its users get access.

Follow these steps to view the access list of a resource profile.

Procedure
v To view the access list of a resource profile, select a resource profile then select
Navigate > Access List. The columns of the resulting table are explained in
“Modifying an Access List (ACL)” on page 118.
v To view the users in groups that are in your scope, select the Effective Access
List option. See “Viewing an Effective Access List”

Viewing an Effective Access List

Use the Effective Access List window to view the access list for groups of users of
a resource profile that are in your scope.

About this task

The Effective Access List contains all user IDs of the access list and all users that
are in the groups on the access list. If a user is in more than one group on the
access list, the highest access is displayed, just as RACF displays the access.

Chapter 3. RACF database operations 53

 Procedure

To view the Effective Access List of a resource profile, follow these steps:
1. Select a resource profile from the main menu.
2. Select Navigate > Effective Access List.
“Modifying an Access List (ACL)” on page 118 explains all columns of the
resulting table except the Via column, which contains the connect group of the
user that results in the access.

Note:
v In the Options dialog, you can specify whether Group Operations or System
Operations (together with Universal Groups) are used when determining the
Effective Access List.
v When activated, the last option might cause a significant drop in
performance while creating the Effective access list.
v If a group on the access list is out of your scope, the access list displays the
group but does not display its users.
v When you load Effective Access List, the access list is loaded as well, so you
can quickly switch to the access list.
v This list is a snapshot. If you want to see any changes made after you
display the list, you must close it and display it again.

Viewing a member list

Use the Members window to view the member list of a general resource profile.

Procedure
1. To view the member list of a general resource profile, select the profile from the
main menu.
2. Select Navigate > Members. See “Viewing and changing a member list” on
page 123 for information about the columns of the resulting table.

54 Client Manual
Chapter 4. User management
In IBM Security zSecure Visual, user management tasks include viewing the user
table and properties, deleting, duplicating, and resuming users, setting passwords,
and using schedules. These tasks are described in the following topics.
“User table”
Review user data, such as owner and status, in the User table.
“Viewing user properties” on page 62
Use the User properties window to view and edit the attributes and status of
users.
“Duplicating a user” on page 66
Use the Duplicate user window to create a new user from existing users.
“Deleting a user” on page 70
Use the Delete user dialog to revoke access for one or more users.
“Resuming a user” on page 71
Use the Resume user dialog to resume a user that has revoked status. The steps
are described in this topic.
“Disabling a user” on page 71
Use the Disable user dialog to prevent a user from logging on.
“Enabling a user” on page 72
Use the Enable user dialog to enable a revoked or disabled user to log on.
“Setting passwords (or passphrases)” on page 73
Set or reset the user password or passphrase with the Set Password or Set
passphrase dialog.
“Setting a default password (or passphrase)” on page 76
Use the Edit default password or Edit default passphrase dialog to set the
default password or passphrase for a user.
“Removing the default password (or passphrase)” on page 78
Use the Edit default password or Edit default passphrase dialog to remove the
default password or passphrase for a user.
“About Schedules” on page 79
Use schedules to specify intervals during which a user is revoked or resumed.

User table
Review user data, such as owner and status, in the User table.

The User table consists of a list of users and their properties. Use the Find dialog
(see “Using the Find dialog” on page 38) to open the User table. Every icon in the
list can be either red or green. When an icon is green, it means that the user is
active; when it is red, the user is revoked or inactive.

© Copyright IBM Corp. 1998, 2017 55

Figure 22. User table

The User table has these columns:

Complex
The name of the zSecure node where the result was found. This column is
displayed only if you are operating in multi-system mode.
Userid
The RACF user ID.
Name Real name of the user, or any other description.
Revoked
A revoked user cannot log on, but the profile is still present. A user can be
revoked for these reasons:
v An administrator revokes the user.
v The user makes too many unsuccessful password attempts and is
revoked automatically.
v An administrator schedules the revocation on a specified date.
v The user does not log on in a specified timeframe and is revoked
automatically.
The status is derived from the revoke status flag, the current date, the
revoke date, the resume date, and the date the user last logged on.
Inactive
A user ID becomes inactive when it is not used for a period of time set by
the SETROPTS INACTIVE command on the mainframe. An inactive user
who tries to logon is revoked immediately. The field presented takes into
account the RACF inactive setting and the last use date.

Note: If a user ID has never been used, it does not become inactive.
Attempts
Count of logon attempts with an invalid password. This count is only kept
if the RACF user revoke setting has been activated with the RACF
SETROPTS PASSWORD(REVOKE(nn)) command on the mainframe. After
nn invalid password attempts, the user is revoked.
LastConnect
This field contains the last RACINIT date for any group that the user is
connected to.

56 Client Manual
 Note: RACF uses a different date to calculate the inactivity interval of the
user.
LastPwdChange
The most recent date the password is changed.
LastPhrChange
This field displays the user's last passphrase change date.
PwdExpired
This field indicates whether the password has expired. When the password
has expired, the user must change the password at the next logon. The
field presented takes into account the current date, the password interval
of the user, the system-wide password interval, and the most recent
password change date.
PhrExpired
This field indicates whether the passphrase of the user has expired.
Interval
The period in days after which the user needs to change the password.
Owner
The owner can change the user definition.
DefaultGrp
The default group is the group that the user automatically connects at
logon.
InstData
This field has a site-defined layout and purpose. Typically it contains
organizational data on the user ID. The InstData field might be replaced
by site-specific fields, depending on the configuration used by your
organization.
Created
Date on which the user is defined.
MappingsCount
The number of distributed identity filters that are associated with the user
ID.
LegacyPwdUsed
This field indicates if the current user password is encrypted using a
legacy algorithm. A legacy algorithm can either be DES or the algorithm as
indicated by the ICHDEX01 password encryption exit (masking, DES, or
installation-defined encryption method).
LegacyPwdCount
This field indicates how many passwords in the password history are
encrypted using a legacy algorithm.
Auth Method
This field indicates the combination of authentication mechanisms to logon
to RACF that are allowed for a user:
Pwd
User can use a password.
PPhr
User can use a passphrase.
MFA
User can use the MFA mechanism.

Chapter 4. User management 57

 Protected
User is a protected user.
Password Fallback
This field indicates whether the user can logon to RACF with a password
or passphrase if the MFA server is unavailable.
PwdExpireDate
This field displays the password expiration date of the user. For users
whose passwords have been explicitly expired, this field shows a date in
the past. In such cases, it shows the last use date of the user. If the user ID
has never been used, this field shows the creation date of the user ID.
PhrExpireDate
This field displays the passphrase expiration date of the user. For users
whose passphrases have been explicitly expired, this field shows a date in
the past. In such cases, it shows the last use date of the user. If the user ID
has never been used, this field shows the creation date of the user ID.
Site-specific fields
If your organization has configured site-specific fields with user
information, you might see fields with user information that have
site-specific names and content. Site-specific fields are on the right of the
InstData field; scroll right to view them.

The extra selection fields for users in the Find dialog are:

Figure 23. Find dialog for users

Name A substring that must exist in the name.

Installation data
A substring that must exist in the installation data.
Owner
Select users by owner. The field is used as a filter.
Default Group
Select users by default group. The field is used as a filter.

58 Client Manual
 Revoke status
Select users that are revoked, not revoked, or independent of the revoke
status.
Attempts
Select users that have more or less than a certain number of password
attempts. A blank field selects users independent of the number of
password attempts.
Segment
Select the users that have the segment you specify. If this option is
disabled, you cannot view segments or there are no segments. If you select
Any, you have the complete user list, whether the profiles have segments
or not.

MFA Factor management

You can use the MFA Factors window to perform various MFA Factors
administration tasks such as adding or deleting MFA Factors, activating or
deactivating an MFA Factor, and editing Factor Tags.

Note: MFA Factors do not apply to protected users.

To manage MFA Factors, on the User table window(see Figure 22 on page 56),
select a user profile. Right click and then select MFA Factors as indicated in the
following sample:

Figure 24. MFA User table

The MFA Factors dialog then lists all the factors and their corresponding factor
tags. You can add Factors to or delete Factors from a user profile, edit Factor tags,

Chapter 4. User management 59

 and activate and disable Factors.

Figure 25. MFA Factors dialog

To add an MFA Factor to the user profile, perform the following steps:
1. On the MFA Factors dialog, click Add Factors. The Add MFA Factors window
is displayed.

Figure 26. Add MFA Factors window

2. Enter the Factor Name in 20 characters or less.

3. Enter the list of Factor Tags in format TagName:TagValue, where TagName can be
20 characters or less and TagValue can be 1024 characters or less. Each Factor
Tag must be on a new line.

To delete MFA Factors from the user profile, select the factors to be deleted on the
MFA Factors dialog and click Delete Factors.

To edit MFA Factor Tags, perform the following steps:

1. On MFA Factors dialog, click Edit factor tags. The Edit MFA Factor Tags
window is displayed.

60 Client Manual
 Figure 27. Edit MFA Factor Tags window

2. To add a Factor Tag to the MFA factor, click Add Factor Tag and follow the
procedure of Add Factors as shown in MFA Factors dialog.
3. To delete Factor Tags from the MFA Factor, select the Factor Tags to be deleted
and click Delete Factor Tag.
4. To delete all Factor Tags from the MFA Factor, click Delete All Tags.

To activate a selected MFA Factor for use during logon, click Activate Factor.

To disable a selected MFA Factor, click Deactivate Factor.

MFA policy management

You can use the MFA Policies dialog to perform various policy administration tasks
such as adding or deleting policies.

Note: MFA policies do not apply to protected users.

To manage MFA Policies, on the User table window(see Figure 22 on page 56),
select a user profile. Right click and then select MFA Policies (see Figure 24 on
page 59). The MFA Policies dialog is then displayed, listing all the policies that are
available for a user. You can add policies to or delete policies from a user profile.

Chapter 4. User management 61

 Figure 28. MFA Policies dialog

To add an MFA Policy to the user profile, perform the following steps:
1. On the MFA Policies dialog, click Add Policy. The Add policy dialog is
displayed.

Figure 29. Add policy dialog

2. Enter the new policy name as defined in the MFA policy profile in the
MFADEF class in 20 characters or less and click OK.

To delete a selected policy from the user's list of MFA policies, click Delete Policy.

Viewing user properties

Use the User properties window to view and edit the attributes and status of
users.

About this task

The user property dialog presents the user properties in three categories:
Attributes, More attributes, and Status.

Follow these steps to view the properties of a user.

62 Client Manual
Procedure
1. Select Navigate > Properties from the main menu. You can also start with these
actions:
v Select and double-click the user.
v Select the user from the user table and press Enter.
v Right-click a user and select Properties from the pop-up menu.
v Click Properties on the toolbar.

Figure 30. User properties dialog

If your organization configured four or less site-specific fields as a replacement

for the installation data field, those fields are at the bottom of the dialog:

Figure 31. User properties dialog with site-specific fields

Note: If more than four site-specific fields are configured, or they are
configured in addition to Installation data, those fields are shown in a panel
with the separate tab named Data.
2. View or edit the fields as needed and click OK to accept the changes.

Note: Your level of authorization determines whether you can edit the user
properties.

Chapter 4. User management 63

 The following information is included in the header of the dialog only if you
are operating in multi-system mode:
Complex
The name of the complex associated with the user ID.
Node The name of the node associated with the user ID.
These fields are displayed in the Attributes tab:
Userid
The RACF user ID.
Name Real name of the user, or any other description.
Owner
The owner can change the user definition.
DefaultGrp
The defaultgroup is the group that the user automatically connects to at
logon.
Site-specific fields
If configured, displays one or more fields with user information that
have site-specific names and content. The contents are read-only.
Installation data
The purpose and layout of this field are site-defined. Typically it
contains organizational data on the user ID. The installation data field
can contain as much as 255 characters. The field is displayed in
multiple lines as it is when displayed by the RACF LISTUSER
command: the first line contains 62 characters and the succeeding lines
contain 80 characters. A changed installation data field can be
composed of the separate lines. It is possible to change the font of this
field, see “Setting display preferences” on page 25.
The Installation data field might be replaced by site-specific fields,
depending on the configuration used by your organization.
Special
System-wide special attribute.
Operations
System-wide operations attribute.
Auditor
System-wide auditor attribute.
RO-Auditor
System-wide read-only auditor attribute.
Protected
This field indicates whether the user is a protected user.
In the More attributes tab, you see these fields:
Security level
Security level.
Categories
Security categories to which the user has access.
Security label
Security label.

64 Client Manual
Class authorizations
Class in which the user is authorized to define profiles.
In the Status tab, you see these fields or buttons:
Revoked
Revoked users cannot logon, but their profiles are still present. An
administrator revokes the user, or the user is revoked automatically due
to too many unsuccessful password attempts, or by scheduled actions.
The status is derived from the revoke status flag, the current date, the
revoke date, the resume date, and the last used date.
Inactive
An inactive user that tries to logon is revoked immediately. A user ID
becomes inactive when it is not used for a period set by the SETROPTS
INACTIVE command on the mainframe. The field presented takes into
account the RACF inactive setting and the last use date.

Note: If a user ID is not used yet, it does not become inactive.

Password expired
This field indicates whether the password expires. When the password
expires, the user must change the password at the next logon. The field
presented takes into account the current date, the password interval of
the user, the system-wide password interval, and the most recent
password change date.
Passphrase expired
This field indicates whether the passphrase of the user has expired.
Password interval
The period in days after which the user must change the password.
Password attempts
Count of logon attempts with an invalid password. This count is only
kept when the RACF user revoke setting is activated with the RACF
SETROPTS PASSWORD(REVOKE(nn)) command on the mainframe.
After nn invalid password attempts, the user is revoked.
Last password change
The most recent date the password is changed.
Last passphrase change
This field displays the user's last passphrase change date.
Last connect
This field contains the last RACINIT date for any group the user is
connected to.

Note: RACF uses a different date to calculate the inactivity interval of

the user.
Last logon
The last time the user logs on to RACF.
Created
Date on which the user is defined.
Mappings count
The number of distributed identity filters that are associated with the
user ID.

Chapter 4. User management 65

 The Data tab is displayed only if your organization has configured the use of
site-specific fields in addition to the use of the Installation data field or when
more than four site-specific fields have been configured. If site-specific fields
are used as a replacement to the Installation data field, and there are four or
less site-specific fields configured, the site-specific data is displayed in the
Attributes tab.
When you execute the corresponding commands on the mainframe, you can
use these buttons and check box for actions on the user ID.
Edit Default Password
Opens the Edit Default Password dialog (see “Setting a default
password (or passphrase)” on page 76).
Edit Default Passphrase
Opens the Edit Default Passphrase dialog; see Edit default passphrase
dialog
Resume
Displays the Resume dialog. See “Resuming a user” on page 71.
Set Password
Displays the Set Password dialog. See “Setting passwords (or
passphrases)” on page 73.
Set Passphrase
Displays the Edit Passphrase dialog; see Set password dialog.
Schedules
Displays the Schedules dialog. See “About Schedules” on page 79.
Mappings
Displays the Mappings window. See “Mappings” on page 82.

Duplicating a user
Use the Duplicate user window to create a new user from existing users.

About this task

You can generate new users by duplicating an existing user. You can take the
existing user as the prototype user.

Note: If you are operating in multi-system mode, you can duplicate users across
zSecure nodes only; you cannot duplicate users across multiple RRSF nodes.

66 Client Manual
Figure 32. Duplicate user dialog

Procedure

To duplicate a user, follow these steps:

1. Select the prototype user in a user window and click Action > Duplicate in the
main menu. You can also start with these actions:
v Select a user and click Duplicate on the toolbar.
v Right-click a user and select Duplicate from the pop-up menu.
2. Complete the fields in the dialog.
Userid
User ID of the new user.
Name Name of the new user.
Installation data
Installation data of the new user.
Owner
Owner of the new user.
Default Group
Default group of the new user. The default group must be one of the
connected groups of the prototype user.
Passwords or passphrases (optional)
The passwords or passphrases fields are optional.

Chapter 4. User management 67

 Password (or phrase)
Password (or phrase) of the new user.
Confirm password (or phrase)
Confirmation of the password (or phrase) of the new user.
Default password (or phrase)
Optional. Default value that you can set for the new user
password (or phrase). For more information, see “Setting a
default password (or passphrase)” on page 76.
Confirm default password (or phrase)
Confirms the value specified for the default password (or
phrase). Must be equal to the default password (or phrase).
Additional Actions
Enforce creation of dataset profile
Create a generic data set profile with the new user ID as High
Level Qualifier or HLQ. It has the new user ID as owner and a
UACC of none. This command is also available on the Action
menu.

Note: If the existing, prototype user already has one or more

data set profiles with the HLQ equal to the user ID, these
profiles can be copied instead. It is done regardless whether the
check box here is on or off.
Define Alias
Defines an alias for the user pointing to the user catalog. You
must know the user catalog data set name to use this option.
This command is also available on the Action menu.

Note: This action attempts to retrieve the user catalog data set
name by searching the XFACILIT class or the class configured
as the Site Module general resource class during the server
setup, as described in the IBM Security zSecure CARLa-Driven
Components: Installation and Deployment Guide. It looks for
profiles with names starting with "CKG.UCAT." using the
SHOW MYACCESS command. If one or more such profiles are
found, this option can be activated. If more than one data set
name is found, you are prompted to select one of them when
activating the option.
Do not duplicate OMVS Segment
Prevents the duplication of the OMVS Segment of the existing
user.
Set user as Protected
Sets the duplicated user as a protected user.
Segments
Use the segment fields to store information about specific subsystems
or components of z/OS. If these segments are present for the original
profile, the values are copied to the new user profile.
Some of these values must be changed while others can remain the
same. If no value exists for the duplicated user or the segment is not in
your scope, the field is disabled. For more information about
authorities needed to manage segments, see “Authorities and settings
required to manage segments” on page 127.

68 Client Manual
 The fields shown in the panel are just a subset of all fields that are
present in the segments. All other fields in your scope are copied
unchanged. The segment fields are divided into two columns.
In the left column, you can find the segments that need unique values;
you must change the value for the new user profile:
KERB Kerberos name
KERB KERBNAME field that defines the local Kerberos
principal name of the user.
LNOTES Lotus® Notes® short username
LNOTES SNAME field indicating the short name as found in
the Lotus Notes address book.
NDS username
NDS UNAME field defining the user name as stored in the
Novell Directory Services for z/OS directory.

In the right column, you can find the other segment fields. These
values do not need to be unique per user profile:
OMVS UNIX user (uid)
OMVS UID field with the user identifier. To have the system
assign an unused value, use "auto." If you want more than one
user to share the UID, add "s" at the end of the UID value.
OMVS Initial program
OMVS PROGRAM field describing the path name of the first
program to be started when an OMVS session is started.
OMVS UNIX home path
OMVS HOME field defining the hierarchical file system (HFS)
or z/OS file system (zFS) directory path name of the working
directory.
DCE UUID
DCE UUID field indicating the principal name of the user as
defined in the DCE registry.
3. Click OK to start the duplication, or click Cancel to quit the dialog without
changes. The field values are validated to determine whether the unique fields
differ from the original values. If no field is changed, this warning displays and
the dialog is not closed:
Please change the <Name> field. It needs to be unique for this system.

Note: There is no check whether the value is unique in the RACF database.
Checking on this scale triggers a full database read, which can consume system
and network resources for an extended period.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of zSecure nodes. You cannot duplicate a user across
multiple RRSF nodes. If you have performed an action already, the zSecure
nodes that you selected previously are displayed. Complete these steps if you
are using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.
b. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Chapter 4. User management 69

Deleting a user
Use the Delete user dialog to revoke access for one or more users.

About this task

You cannot delete users from the RACF database if you are using zSecure Visual.
However, you can revoke their access by marking them for deletion. You can
revoke access for one or more selected users.

Follow these steps to revoke user access.

Procedure
1. Select a user ID and click Action > Delete in the main menu. You can also
revoke user access using these actions:
v Right-click a user ID to display the pop-up menu and select Delete.
v Select a user ID and click Delete from the toolbar.
v Drop the users on the Recycle Bin.
2. Enter a reason for the deletion. This reason is displayed if you undo a Delete.
3. Click OK, or click Cancel to quit the dialog to discard any changes. The
selected user IDs are disabled in the $DELETE schedules of the users.

Figure 33. Mark user for deletion dialog

If you are using multi-system mode, the Select Nodes dialog displays your
preferred list of nodes. If you have performed an action already, the nodes that
you selected previously are displayed. Complete these steps if you are using
multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the drop-down list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

70 Client Manual
 Results

To undo Delete, go to the schedules of the user and delete the disabled action in
the $DELETE schedule. If there are no other scheduled actions, you must also
resume the user. A related dialog is displayed in that case.

Resuming a user
Use the Resume user dialog to resume a user that has revoked status. The steps
are described in this topic.

About this task

A resume resets the revoke status of the user. It succeeds only if the revoke is not
due to scheduled actions. In that case, you must delete the scheduled action.

To resume one or more users in single-node mode, complete these steps.

Procedure
1. Select the user IDs and click Action > Resume from the main menu. You can
also use these actions:
v Right-click the user IDs to display the pop-up menu and select Resume.
v Select the user IDs and click Resume on the toolbar.
The Resume user userid userid dialog is displayed for one of the users you
selected:

Figure 34. Resume user dialog

2. Click OK to invoke the resume, or click Cancel to return to the previous

dialog.
3. If you are resuming two or more users, the Resume user userid dialog is
displayed for each user you select. Click OK in each dialog to finish resuming
all selected users.

Disabling a user
Use the Disable user dialog to prevent a user from logging on.

About this task

You can disable a user from logging on. The disabling schedule starts the same day
you set the option. To use this option, you need UPDATE or better on resource

Chapter 4. User management 71

 CKG.CMD.USER.REQ.SCHEDULE and at least one schedule in your scope,
excluding the reserved $DELETE schedule.

To disable a user, follow these steps:

Procedure
1. Select a user ID from the main menu.
2. Select Action > Disable, or right-click a user ID and select Disable from the
pop-up menu:

Figure 35. Disable user dialog

If you are operating in multi-system mode, the node associated with the user is
displayed in the header of the dialog.
3. Enter the reason for disabling the user. If the user is already disabled, the
reason can be shown in the Details field.
4. Click OK to finish.

Enabling a user
Use the Enable user dialog to enable a revoked or disabled user to log on.

About this task

You can enable a revoked or disabled user to log on again. When enabling a user,
any schedule that disables the user expires. If there is more than one schedule
available to enable the user, you can select any one of them from the selection list.

To use this option, you need UPDATE or better on resource

CKG.CMD.USER.REQ.SCHEDULE and at least one schedule in your scope,
excluding the reserved $DELETE schedule.

To enable a user, follow these steps:

Procedure
1. Select a user ID and select Action > Enable from the main menu, or right-click
a user ID and select Enable from the pop-up menu:

72 Client Manual
 Figure 36. Enable user dialog

If you are operating in multi-system mode, the node associated with the user is
displayed in the header of the dialog.
2. Enter the reason for enabling the user. If a future schedule disables the user
again, the reason can be shown in the Details field. If no schedules exist to
disable the user, a dialog is displayed to do a normal resume.

Note: The Enable user dialog is displayed even if you do not have the
authority to resume.
3. If the user is marked for deletion, confirm the enabling action. Once confirmed,
the user is no longer marked for deletion. If the user is disabled with one or
more schedules that are out of your scope, an error message is displayed that
lists the out-of-scope schedules.
4. Click OK to finish.
5. To enable users on multiple systems, select each user individually in the list of
users, then repeat these steps.

Setting passwords (or passphrases)

Set or reset the user password or passphrase with the Set Password or Set
passphrase dialog.

About this task

The procedure for setting a passphrase is very similar to the procedure for setting
a password. Therefore, to set a passphrase, follow the procedures for setting a
password in this section, but use the Set passphrase dialog instead of the Set
password dialog:

Chapter 4. User management 73

 Figure 37. Set passphrase dialog

Procedure

To set a password, follow these steps:

1. Select a user ID and select Action > Set Password from the main menu. You
can also start with these actions:
v Right-click a user ID to display the pop-up menu and select Set Password.
v Select a user ID and click Set Password on the toolbar.

74 Client Manual
Figure 38. Set password dialog

If you are operating in multi-system mode, the complex and node associated
with the user is displayed in the header of the dialog.
The available options and checkboxes depend on your update access level. If
your client display is set to Gray desired unauthorized functions, you can
view the unavailable options. If your client display is set to Hide desired
unauthorized functions, you see only the available options and checkboxes.
See “Setting interface options according to your access level” on page 27. The
next step describes all possible options and checkboxes.
2. Complete the appropriate fields in the dialog.
Reset Password
Sets the password to the default password and sets the password to
"expired."
Previous password
Sets the password back to the previous value. This setting works only if
a password history is maintained in RACF and the user remembers the
previous password.
Default password
Sets the password to the default password that the administrator set
previously.
New password
Sets the password to a new value. You must confirm the new value by
retyping it in the Confirm new password field. This value must be
compliant with the password rules. It must not occur in the password
history unless you have the necessary access to the corresponding
resources to bypass these checks. See IBM Security zSecure
CARLa-Driven Components: Installation and Deployment Guide for more
information about specifying passwords.

Chapter 4. User management 75

 Reason
Logs the reason why the password is changed. Depending on company
policy, input might be required. Examples are: Forgotten password, Never
used, and Revoked.
Set password to expired
When this option is active, the new password becomes expired. When
the user logs on, the user has to specify a new password.
Also resume
Resumes the user ID when resetting the password. When the user is
revoked due to too many unsuccessful password attempts, a resume is
required to enable the logon again. Use Resume to avoid setting the
password.
Disable password
This option can be selected to disable the password. This option is
disabled if the user does not have a password.
Set user as protected
This option can be selected to make the user protected. This option is
disabled if the user is already a protected user.
3. Click OK to finish, or click Cancel to quit the dialog without changes. If you
are operating in multi-system mode, the Select Nodes dialog displays your
preferred list of nodes. If you have performed an action already, the nodes that
you selected previously are displayed.
4. Complete these steps if you are using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the drop-down list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Setting a default password (or passphrase)

Use the Edit default password or Edit default passphrase dialog to set the default
password or passphrase for a user.

About this task

The procedure for setting a default passphrase is very similar to the procedure for
setting a default password. Therefore, to set a default passphrase, follow the
procedures for setting a default password in this section, but use the Edit default
passphrase dialog instead of the Edit default password dialog:

76 Client Manual
Figure 39. Edit default passphrase dialog

The default password (or passphrase) is a fixed value that the user can set. By
default, the default password (or passphrase) is set system-wide. It is outside the
scope of zSecure Visual. However, it is more secure to set an individual default
password (or passphrase) for each user, especially for users with important roles.

Figure 40. Status

To set the default password, perform these steps:

Chapter 4. User management 77

 Procedure
1. Select a user ID and select Navigate > Properties from the main menu to open
the properties dialog.
2. Select the Status tab.
3. Click Edit Default Password to open the Edit Default Password dialog.

Figure 41. Edit default password dialog

4. Check the Default Password box.

5. Type and confirm the default password.
6. Optionally, enter the reason why the default password is changed.
7. Click OK to finish, or click Cancel to quit the dialog without changes.
8. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the drop-down list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Removing the default password (or passphrase)

Use the Edit default password or Edit default passphrase dialog to remove the
default password or passphrase for a user.

78 Client Manual
 About this task

Removing or changing the default password (or passphrase) does not affect the
normal password (or passphrase). The normal password (or passphrase) changes to
the default password (or passphrase) only if it is reset to it. If you change the
default password (or passphrase) after resetting, it does not affect the normal
password (or passphrase); it retains the old default value.

The procedure for removing a passphrase is very similar to the procedure for
removing a password. Therefore, to remove a passphrase, follow the procedures
for removing a password in this section, but use the Edit default passphrase dialog
instead of the Edit default password dialog:

Procedure
You can remove the default password using these steps:
1. Select a user ID and select Navigate > Properties from the main menu to open
the properties dialog.
2. Select the Status tab.
3. Click Edit Default Password to open the Edit Default Password dialog.
4. Select the Remove Default Password box.
5. Optionally, enter the reason why the default password is removed.
6. Click OK. When a default password is set, the Edit default password dialog
displays this information:
v The user ID of the person who changed the password
v The date and time of the change

About Schedules
Use schedules to specify intervals during which a user is revoked or resumed.

The only way to revoke a user in zSecure Visual is to use schedules. Schedules are
a facility provided by the CKGRACF mainframe program that enables different
groups of administrators to set the revoke status of a user.

You can separately revoke and resume a user, or you can combine these two
actions. These are called intervals. The CKGRACF program updates the revoke
flags of the user based on the schedules. A disabling interval starts with a revoke
and ends with a resume. An enabling interval starts with a resume and ends with
a revoke. A single revoke or resume corresponds with an interval without an end
date. All actions of an interval are written to the RACF database, together with the
schedule name, date, author, and reason. The schedule name is categorize intervals.
New intervals wipe previous conflicting actions only in the same schedule. When
all past scheduled actions are deleted, CKGRACF leaves the user's revoke status
unchanged.

The equivalent of revoking a user is Disable from today forever. The equivalent of
deleting a user is Disable from today forever with schedule name $DELETE. The
deletion is sent to the mainframe after you click OK in the schedules dialog.

Users are only able to log on when all scheduled actions enable them to. Schedules
can be set by centralized and decentralized administrators. When given access to

Chapter 4. User management 79

 just a part of the defined schedule names while others reserved for centralized
administrators only, decentralized administrators cannot undo intervals set by a
centralized administrator.

Viewing and editing schedules

Use the Schedules dialog to view, set, or edit schedules that revoke or resume
users.

Procedure
v To view the schedules of a user, perform one of these steps:
1. Select the user and select Navigate > Schedules from the main menu.
2. Right-click the user to display the pop-up menu and select Schedules.
3. Select the user and click Schedules on the toolbar.

Figure 42. Schedules dialog

A schedule dialog window displays these columns:

Name Name of the schedule.
Type Type of the interval, either Enable or Disable.
Start Start date of the interval.
End End date of the interval.
Reason column
Reason of the schedule.
Author
Administrator who enters the schedule.
Created
Date and time the author enters the interval.
v To edit schedules, perform these steps:
1. Click Add to add an interval to the table.
2. Select an interval and click Repeat to enter a similar interval in the table.
3. Select an interval and click Delete or press the Delete key to delete an
interval from the table.
4. After you edit schedules, click OK to apply the changes to the RACF
database, or click Cancel to cancel the changes.

80 Client Manual
Adding a schedule interval
Use the Add schedule dialog to add a new schedule that enables or disables a
user.

Procedure

To add a schedule interval, follow these steps:

1. Select a user and select Navigate > Schedules > Add from the main menu. The
Add schedule interval dialog displays.

Figure 43. Add schedule interval dialog

2. Enter the fields and click OK to add the schedule to the table. The new
schedule interval becomes active after clicking OK in the Schedules dialog.
The dialog contains these fields:
Name Name of the schedule. You can select one of the predefined names or
type a new name.
Type Select Disable to disable the user for a certain period, select Enable to
enable the user.
Start Enter the start date of the interval. The start date is included in the
interval.
End Either enter an end date, or select Forever to indicate there is no end
date for this interval. The end date is included in the interval.
Reason
Enter a reason for the enabling or disabling the user.

Repeating a schedule interval

Use the Repeat function to make a new schedule based on an existing schedule.

You cannot edit an existing schedule, but with the Repeat function, you can make
a new schedule based on the existing one. If the existing schedule and the new
schedule overlap, the program creates a new schedule. The new schedule begins at
the earliest start date and ends at the last termination date.

To create a new schedule using the existing schedule, select Navigate > Schedules
> Repeat from the main menu.

Deleting a schedule interval

Use the Delete schedule dialog to delete an existing schedule interval.

Chapter 4. User management 81

 Procedure

To delete a schedule, follow these steps:

1. Select a schedule interval and click Delete.
The Delete schedule interval dialog displays the properties of the schedule.

Figure 44. Delete schedule interval dialog

2. For auditing purposes, enter a reason for the deletion.

3. Click OK to delete the schedule interval. The deletion is sent to the mainframe
after you click OK in the schedules dialog.

Mappings
Use mapping profiles to determine the distributed identity filters associated with
RACF user IDs.

RACF supports distributed identity filters which are mapping associations between
a RACF user ID and one or more distributed user identities, as they are known to
Web-based application servers and defined in distributed user registries. The
Mappings window provides the information about distributed identity filters
associated with the RACF user ID. These filters are in fact the IDIDMAP profiles.
For the remainder of this chapter, such profiles are referred as mapping profiles.

Viewing mappings
Use the various Mappings selections to view information about the mapping
profile of a user.

Procedure
To view mapping information of a user, perform one of these steps:
v Select the user and select Navigate > Mappings from the main menu.
v Right-click the user to display the pop-up menu and select Mappings.
v Click the Mappings button on the User Properties dialog.

82 Client Manual
Figure 45. Mapping information for a user

A Mappings window displays these columns:

Label The label associated with this mapping profile.
Distributed Identity User Name Filter
The name of the mapping profile.
Registry name
The registry name of the mapping profile.

Chapter 4. User management 83

84 Client Manual
Chapter 5. Group management
You can use IBM Security zSecure Visual to display, add, duplicate, and delete
groups. These tasks are described in the following topics.
“Group table”
You can review group data, such as owner and connected users, in the Groups
table.
“Viewing group properties” on page 87
Use the Properties of group window to view and edit the attributes and status
of groups.
“Adding a subgroup” on page 89
Use the Add subgroup dialog to add a new subgroup to a group.
“Duplicating a group” on page 91
Use the Duplicate group window to create a new group from an existing
group.
“Deleting a group” on page 94
Use the Delete group dialog to delete a group or to prevent users from using
the group (incomplete deletion).

Group table
You can review group data, such as owner and connected users, in the Groups
table.

Use the Find dialog to view a list of groups. A group is displayed in two colors,
blue as default and gray when the installation data of the group is not yet loaded.

Figure 46. Groups table

The list of groups has these columns:

Complex
The name of the zSecure node where the result was found. This column is
displayed only if you are operating in multi-system mode.
Group The ID of the RACF group.

© Copyright IBM Corp. 1998, 2017 85

 InstData
The purpose and layout of this field are site-defined. Typically it contains
organizational data on the group.
Owner
The owner can change the group definition.
SupGroup
The superior group of the group. All groups except group SYS1 belong to
one superior group.
SubGroups
Number of subgroups of the group. A subgroup is a group that belongs to
another group.
Universal
A universal group can have an unlimited number of users with USE
authority connected to it.

Note:
1. A group can be created as a universal group. It is not possible to
change the attribute after creation.
2. In most cases, it is not possible to delete a universal group.
3. The old limitation of 5957 connections is still valid for users with
authority higher than USE or with the attributes SPECIAL,
OPERATIONS, or AUDITOR at the group level.
4. For universal groups, the Connected Users table shows only the users
with authority higher than USE or with the attributes SPECIAL,
OPERATIONS, or AUDITOR at the group level.
5. On sites where universal groups are not yet supported, the Universal
column or field stays empty and disabled.
Users Number of users connected to the group.
Created
Date of creation of the group.

The extra selection fields for groups in the Find dialog are:

86 Client Manual
 Figure 47. Find dialog for groups

Installation data
A substring that appears in the installation data.
Owner
Select groups by owner. The field is used as a filter.
Users Select groups that have more or less than a certain number of connected
users. A blank in the number field selects groups independently of this
number. Typing < or > in the number field selects the corresponding
operator.
Segment
Select the groups that have the segment you specified. If this option is
disabled, you cannot view segments or there are no segments. The option
ANY gives you the complete group list, whether the profiles have
segments or not.

Viewing group properties

Use the Properties of group window to view and edit the attributes and status of
groups.

About this task

The Group properties dialog provides detailed information about a specific group.

To view the properties of a group, perform these steps.

Procedure
1. Select a group and select Navigate > Properties from the main menu.

Chapter 5. Group management 87

 Figure 48. Group properties dialog

2. Double-click on the group.

3. Select a group and press Enter.
4. Right-click a group and select Properties from the pop-up menu.
5. Select a group and click Properties on the toolbar.
The following information is included in the header of the dialog only if you
are operating in multi-system mode:
Complex
The name of the complex associated with the user ID.
Node The name of the node associated with the user ID.
The Properties dialog contains these fields:
Group The ID of the RACF group.
SupGroup
The superior group of the group. All groups except group SYS1 belong
to one superior group. You can change this field to another existing
group name.
TermUACC
Terminal access is granted through the UACC of TERMINAL profiles,
as well as through access list entries.
Owner
The owner can change the group definition. You can change this field
for another existing group name.
SubGroups
Number of subgroups of the group. A subgroup is a group that belongs
to another group.
Universal
A universal group can have an unlimited number of users with USE
authority connected to it. This field is read-only.

88 Client Manual
 Note:
a. A group can be created as universal group. It is not possible to
change the attribute after creation.
b. In most cases, it is not possible to delete a universal group.
c. The old limitation of 5957 connections is still valid for users with
authority higher than USE or with the attributes SPECIAL,
OPERATIONS, or AUDITOR at the group level.
d. For universal groups, the Connected Users table shows only the
users with authority higher than USE or with the attributes
SPECIAL, OPERATIONS, or AUDITOR at the group level.
e. On sites where universal groups are not yet supported, the
Universal column or field stays empty and disabled.
Created
Date of creation of the group.
Installation data
The purpose and layout of this field are defined by your organization.
You can change the contents of this field.

Adding a subgroup
Use the Add subgroup dialog to add a new subgroup to a group.

Procedure

To add a new subgroup to group, complete these steps:

1. Select a group and select Action>Add subgroup from the main menu. You can
also start with these actions:
v Click Add subgroup on the toolbar.
v Right-click a group and select Add subgroup from the pop-up menu.

Chapter 5. Group management 89

 Figure 49. Add subgroup dialog

The following information is displayed for your reference:

Complex: Node
The complex and node names to which this action applies are
displayed in the header of the dialog only if you are operating in
multi-system mode.
Group Displays the name of the group to which you are adding a subgroup.
Supgroup
Displays the supergroup of the group to which you are adding a
subgroup.
Universal
Indicates whether the selected group is a universal group.
Installation Data
Displays the data for the group to which you are adding a new
subgroup.
2. Change these fields as needed:
New group
Group Required. You must change the name from the copied name to
a new name.
Installation Data
Required. You must change the copied data to new data.
Additional Actions
Enforce creation of data set profile
Optional. Creates a generic data set profile with the new group
name as High Level Qualifier or HLQ. It has the new group as
owner and a UACC of none. This command is also available on
the Action menu.

90 Client Manual
 Define Alias
Optional. Defines an alias for the group pointing to the user
catalog. You must know the user catalog data set name to use
this option. This command is also available on the Action
menu. This action attempts to retrieve the user catalog data set
name by searching the XFACILIT class, or the class configured
as the Site Module general resource class during the server
setup, as described in the IBM Security zSecure CARLa-Driven
Components: Installation and Deployment Guide. It looks for
profiles with names starting with "CKG.UCAT." using the
SHOW MYACCESS command. If one or more such profiles are
found, this option can be activated. If more than one data set
name is found, you are prompted to select one of them when
activating the option.

Note: Note: If your access is NONE, the profiles with names

starting with "CKG.UCAT." are ignored.
3. Click OK to create the subgroup, or click Cancel to cancel the change.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the drop-down list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Duplicating a group
Use the Duplicate group window to create a new group from an existing group.

About this task

You can create a group by duplicating a group, or by adding a new subgroup to a

group. The duplicate group has the same connects, permits, and attributes as the
original group. Adding a subgroup to a group is described in “Adding a
subgroup” on page 89.

Note: If you are operating in multi-system mode, you can duplicate groups across
zSecure nodes only; you cannot duplicate groups across multiple RRSF nodes.

Procedure

To duplicate a group, follow these steps:

1. Select a group and click Action > Duplicate in the main menu. You can also
start with these actions:
v Select a group and click Duplicate on the toolbar.
v Right-click a group and select Duplicate from the pop-up menu.

Chapter 5. Group management 91

 Figure 50. Duplicate group dialog

The following information is displayed for your reference:

Complex: Node
The complex and node names to which this action applies are
displayed in the header of the dialog only if you are operating in
multi-system mode.
Group Displays the name of the group from which you are creating the new
group.
Supgroup
Displays the supergroup of the group from which you are creating a
group. This group becomes the supergroup of the new group.
Universal
Indicates whether the selected group is a universal group.
Installation Data
Displays the data for the group from which you are creating a new
group.
2. Change these fields as needed:

92 Client Manual
 New group
Group Required. Change the name from the copied name to a new
name.
Installation Data
Required. The data shown is copied from the group you are
using to create the new group. You can change the copied data
to new data.
Additional Actions
Enforce creation of data set profile
Optional. Creates a generic data set profile with the new group
name as High Level Qualifier or HLQ. It has the new group as
owner and a UACC of none. This command is also available on
the Action menu.
Define Alias
Optional. Defines an alias for the group pointing to the user
catalog. You must know the user catalog data set name to use
this option. This command is also available on the Action
menu.

Note: This action attempts to retrieve the user catalog data set
name by searching the XFACILIT class, or the class configured
as the Site Module general resource class during the server
setup, as described in the IBM Security zSecure CARLa-Driven
Components: Installation and Deployment Guide. It looks for
profiles with names starting with "CKG.UCAT." using the
SHOW MYACCESS command. If one or more such profiles are
found, this option can be activated. If more than one data set
name is found, you are prompted to select one of them when
activating the option.
Do not duplicate OMVS Segment
Prevents the duplication of the OMVS Segment of the existing
group.
Segment
If the segment is present in the original group profile, the value is
copied to the new group and displayed in this field. If no segment
value exists for the duplicated group or if the segment is not in your
scope, this field is disabled. If this field is disabled, you cannot create
this segment for the new group in this dialog. For more information
about the authorities needed to manage segments, see “Authorities and
settings required to manage segments” on page 127.
OMVS z/OS UNIX group (grpid)
The z/OS UNIX group identifier. To have the system assign an
unused value, use "auto." If you want more than one group to
share the group ID, add "s" at the end of the grpid value.
3. Click OK to create the duplicate group, or click Cancel to cancel the changes.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the
zSecure nodes that you selected previously are displayed.
Complete the following steps if you are using multi-system mode.

Note: You cannot duplicate a group across multiple RRSF nodes.

Chapter 5. Group management 93

 a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.
b. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Deleting a group
Use the Delete group dialog to delete a group or to prevent users from using the
group (incomplete deletion).

About this task

You can delete a group only if the group does not own resources. If the group
owns resources, the group remains present. However, because all permits and
connects have been removed, no user can use the group. A dialog is displayed to
inform you about the incomplete deletion.

Procedure
Follow these steps to delete a group:
1. Select the group and click Action > Delete in the main menu. You can also use
these actions:
v Select the group and press the Delete key.
v Right-click a group to display the pop-up menu and select Delete.
v Select the group and click Delete from the toolbar.

Figure 51. Delete group dialog

The dialog lists the Group, SupGroup, and Installation Data of the group to be
deleted. If you are operating in multi-system mode, the associated complex and
node names are listed at the top of the dialog.
2. Click OK to delete the group, or click Cancel to quit the dialog without making
changes.
3. If you are using multi-system mode, the Select Nodes dialog displays your
preferred list of nodes. If you have performed an action already, the nodes that
you selected previously are displayed.
Complete these steps if you are using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. The local node entry is highlighted.

94 Client Manual
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the drop-down list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Chapter 5. Group management 95

96 Client Manual
Chapter 6. Connect management
Perform connect management tasks in the Visual Client to establish and maintain
the connection associations between users and groups.

RACF users are connected to one or more groups. Different kinds of connects
result in different authorizations for the users. Users get at least some of the
authorizations of their groups. Their authorizations depend on the attributes of the
connect, but they can use the resources that their groups have access to.
Connection relationships between users and groups are described in the following
topics.
“Connects table”
Review connects and access levels for a user or group in the Connects table.
“Connects in multi-system mode” on page 98
Follow these guidelines to create and change connects for users and groups in
multi-system mode.
“Viewing and changing Connect properties” on page 99
Use the Properties dialogs for users and groups to view or change the
properties of a connect.
“Creating a connect” on page 102
To view or change the properties of a connect, use the Properties dialogs for
users and groups.
“Deleting a connect” on page 104
Use the Delete connect dialog to delete the connects of a user and a group.
“Copy, merge, and move functions for connects” on page 106
Use the Drag and Drop and Copy and Paste functions to copy, merge, and
move connects.

Connects table
Review connects and access levels for a user or group in the Connects table.

The Connects table displays the connects of a user or group. Use these methods to
open the connects table:
v Select a user or group and select Navigate > Connects from the main menu.
v Right-click a user or group and select Connects from the pop-up menu.
v Select a user or group and click Connect on the toolbar.

Figure 52. Connects table

The Connects table has the following columns.

© Copyright IBM Corp. 1998, 2017 97

 For groups, the other columns are the same as the group table in “Group table” on
page 85.

Note: For universal groups, the Connected Users table shows only the users with
authority higher than USE or with the SPECIAL, OPERATIONS, or AUDITOR
attributes at the group level.

For users, the other columns are the same as the user table in “User table” on page
55, except the revoked column. The revoked column indicates the users whose
connection to the group is revoked.
Complex
The name of the zSecure node where the result was found. This column is
displayed only if you are operating in multi-system mode.
Auth Connect authority. The value can be any of these options:
Use The user can access the resources that the group has access to.
Create The user has the same authorizations as with Use. The user is also
authorized to create data sets and data set profiles that have a
High-Level-Qualifier (HLQ) as the name of the group.
Connect
The user has the same authorizations as with Create and is also
authorized to connect existing users to the group.
Join The user has the same authorizations as with Connect and is also
authorized to create new subgroups.
gSpec Group special attribute. When a user is connected with the group special
attribute, the user can do everything with users, groups, and resources that
are in the scope of the group, except changing auditing attributes.
gOper Group operations attribute. When a user is connected to a group with the
group operations attribute, the user can do everything with resources that
are in the scope of the group.
gAud Group auditor attribute. When a user is connected to a group with the
group auditor attribute, the user can change auditing attributes of the
users, groups, and resources that are in the scope of the group.

Connects in multi-system mode

Follow these guidelines to create and change connects for users and groups in
multi-system mode.

You can connect users and groups only on the same node. You cannot connect
users and groups across separate nodes. However, if the same-name groups and
users exist in another node, you can propagate the connects to that node.

Note: Use caution if you intend to propagate connects across nodes. You can create
unintended consequences if the names and groups are not identical.

Example of unintended consequences:

If you have two users with different names but identical user IDs on separate
nodes, you can unintentionally propagate a user's connect properties to a different
user. The Visual client does not ensure that user IDs refer to the same user or
group names.

98 Client Manual
Viewing and changing Connect properties
Use the Properties dialogs for users and groups to view or change the properties
of a connect.

Procedure
1. To see the properties of the connected users of a group, perform one of these
steps:
v Select the users and select Navigate > Show Connects from the main menu.
v Right-click the users and select Show Connects from the pop-up menu.
v Click Show Connects on the toolbar.
If you want to see the connects between a group and its users, the columns of
the resulting table are described in Chapter 4, “User management,” on page 55.
If you want to see the connects between the groups of a user, the columns of
the resulting table are described in Chapter 5, “Group management,” on page
85.
2. To see or change the properties of a connect, perform one of these steps:
v Select the connected user or group and select Navigate > Properties from the
main menu.
v Right-click a connected user or group and select Properties from the pop-up
menu.
v Click Properties on the toolbar.
The resulting dialog depends on whether you select to view properties for a
user or group.
3. If you select to view properties for a group, the following dialog is displayed:

Figure 53. Connect properties dialog for a group

The complex and node names are displayed in the header of the dialog only if
you are operating in multi-system mode.
The Properties dialog for a group has two tabs: Connect and Group. Your
authorization to create connects on the mainframe determines which of these
fields are editable.
The Connect tab for group properties displays these fields:

Chapter 6. Connect management 99

 User The connected user of the selected group.
Owner
The user or group that owns the group.
Authority
Connect authority. From the connect authority dropdown list, you can
select either Use, Connect, Create or Join.
Use The user can access the resources that the group has access to.
Create The user has the same authorizations as with Use. The user is
also authorized to create data sets and data set profiles that
have a High-Level-Qualifier (HLQ) as the name of the group.
Connect
The user has the same authorizations as with Create and is also
authorized to connect existing users to the group.
Join The user has the same authorizations as with Connect and is
also authorized to create new subgroups.
gSpec Group special attribute. When a user is connected to a group with the
group special attribute, the user can do everything with users, groups,
and resources that are in the scope of the group, except changing
auditing attributes.
gOper Group operations attribute. When a user is connected to a group with
the group operations attribute, the user can do everything with
resources that are in the scope of the group.
gAud Group auditor attribute. When a user is connected to a group with the
group auditor attribute, the user can change auditing attributes of the
users, groups, and resources that are in the scope of the group.
Created
Date that the connect was created.
Last connect
Most recent time that the user was connected to the group.
Resume Date
Specifies the date that the connection to the group is resumed for the
user ID in the User field. If the RESUME attribute is required, the check
box is selected and the calendar (date selector) is enabled. Use the
calendar to specify the date.
Revoke Date
Specifies the date that the connection to the group is revoked for the
user ID in the User field. If the REVOKE attribute is required, the check
box is selected and the calendar (date selector) is enabled. Use the
calendar to specify the date. To change the status from active to
revoked, specify a date that is equal to or prior to the current date. If you
specify today's date or a prior date, the Visual Client issues the REVOKE
command immediately instead of scheduling it for a future date.
Connect Revoked
Indicates the revocation status of the user in the User field. This field is
Read-only. Revoked indicates the status is currently revoked. No value
(blank) indicates the status is active or suspended. To change the
revocation status, you must update the revoke and resume dates.
In the Group tab, you see the Group Properties fields. For detailed description,
see “Viewing group properties” on page 87.

100 Client Manual

4. Click OK to apply your changes.
5. If you select to view properties for a user, the following dialog is displayed:

Figure 54. Connect properties dialog for a user

The complex and node names are displayed in the header of the dialog only if
you are operating in multi-system mode.
The Properties dialog for a user has four tabs: Connect, Attributes, More
Attributes, and Status. Your authorization to create connects on the mainframe
determines which of the fields on these tabs are editable.
The Connect tab for user properties displays these fields.
Group The connected group of the selected user.
Owner
The user or group that owns the user.
Authority
Connect authority. From the connect authority dropdown list, you can
select either Use, Connect, Create or Join.
Use The user can access the resources that the group has access to.
Create The user has the same authorizations as with Use. The user is
also authorized to create data sets and data set profiles that
have a High-Level-Qualifier (HLQ) as the name of the group.
Connect
The user has the same authorizations as with Create and is also
authorized to connect existing users to the group.
Join The user has the same authorizations as with Connect and is
also authorized to create new subgroups.
gSpec Group special attribute. When a user is connected to a group with the
group special attribute, the user can do everything with users, groups,
and resources that are in the scope of the group, except changing
auditing attributes.
gOper Group operations attribute. When a user is connected to a group with
the group operations attribute, the user can do everything with
resources that are in the scope of the group.
gAud Group auditor attribute. When a user is connected to a group with the

Chapter 6. Connect management 101

 group auditor attribute, the user can change auditing attributes of the
users, groups, and resources that are in the scope of the group.
Created
Date that the connect was created.
Last connect
Most recent time that the user was connected to the group.
Resume Date
Specifies the date that the connection to the user ID is resumed for the
group ID in the Group field. If the RESUME attribute is required, the
check box is selected and the calendar (date selector) is enabled. Use
the calendar to specify the date.
Revoke Date
Specifies the date that the connection to the user ID is revoked for the
group ID in the Group field. If the REVOKE attribute is required, the
check box is selected and the calendar (date selector) is enabled. Use
the calendar to specify the date. To change the status from active to
revoked, specify a date that is equal to or prior to the current date. If you
specify today's date or a prior date, the Visual Client issues the REVOKE
command immediately instead of scheduling it for a future date.
Connect Revoked
Indicates the revocation status of the user. This field is Read-only.
Revoked indicates the status is currently revoked. No value (blank)
indicates the status is active or suspended. To change the revocation
status, you must update the revoke and resume dates.
The Attributes, More Attributes, and Status tabs are described in “Viewing user
properties” on page 62.
6. Click OK to apply your changes.

Creating a connect
To view or change the properties of a connect, use the Properties dialogs for users
and groups.

About this task

A connect is a relation between a user and a group. The kind of the relation
between a user and a group depends on its attributes.

Procedure
1. To create a connect, select either users or groups and perform one of these
steps:
v Select Action > Connect from the main menu.
v Right-click a user or group and select Connect from the pop-up menu.
v Click Connect on the toolbar.

102 Client Manual

Figure 55. Create connect dialog

The complex and node names are displayed in the header of the dialog only if
you are operating in multi-system mode.
2. Enter the user ID or group. You can select from these options:
Authority
Connect authority. The connect authority is either Use, Connect, Create,
or Join.
Use The user can access the resources that the group has access to.
Create The user has the same authorizations as with Use. The user is
also authorized to create data sets and data set profiles that
have a High-Level-Qualifier (HLQ) as the name of the group.
Connect
The user has the same authorizations as with Create and is also
authorized to connect existing users to the group.
Join The user has the same authorizations as with Connect and is
also authorized to create new subgroups.
gSpec Group special attribute. When a user is connected to a group with the
group special attribute, the user can do everything with users, groups,
and resources that are in the scope of the group, except changing
auditing attributes.
gOper Group operations attribute. When a user is connected to a group with
the group operations attribute, the user can do everything with
resources that are in the scope of the group.
gAud Group auditor attribute. When a user is connected to a group with the
group auditor attribute, the user can change auditing attributes of the
users, groups, and resources that are in the scope of the group.
Resume Date
Specifies the date that the connection to the group is resumed for the
user ID in the Userid field. If the RESUME attribute is required, the
check box is selected and the calendar (date selector) is enabled. Use
the calendar to specify the date.

Chapter 6. Connect management 103

 Revoke Date
Specifies the date that the connection to the group is revoked for the
user ID in the Userid field. If the REVOKE attribute is required, the
check box is selected and the calendar (date selector) is enabled. Use
the calendar to specify the date.
3. Click OK to connect.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes.
If you have performed an action already, the nodes that you selected previously
are displayed. If needed, you can change the nodes to which the create-connect
action applies. You must select at least one node to continue. Note that local
node entry is highlighted.

Note: You can create a connect for users and groups only on the same node.
You cannot create a connect for users and groups across separate nodes.
However, if the same-name groups and users exist in another node, selecting
multiple systems will propagate the new connect to the specified nodes. Use
caution if you intend to propagate new connects across nodes. See “Connects in
multi-system mode” on page 98.
If a node is defined as a zSecure node and an RRSF node, you can select only
one of these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to run
the command.
a. Click OK. The selected list of nodes is verified, then the create-connect
action is performed for each selected node.
5. Click Cancel to return to the previous dialog without selecting any nodes.

Attributes gSpec, gOper and gAud

The GrpSpecial, GrpOperations, and GrpAuditor scope attributes might not be
available.

If the attributes GrpSpecial, GrpOperations, and GrpAuditor display in gray, you

cannot specify the attributes. The new connect cannot have them unless the
connect exists with these attributes.

Drag-and-drop and copy-paste

You can use the drag-and-drop or Copy-Paste functions to create a connect.

Another way to create connects is by drag-and-drop. A pop-up menu is displayed

after dropping users from one list on a group in another list, or vice versa. Select
Connect to create a connect.

Note: All new connects get the same attributes.

You can also use the Copy-Paste function available on the main menu bar. This
function copies all the attributes. For more information, see “Copy and paste
function” on page 30.

Deleting a connect
Use the Delete connect dialog to delete the connects of a user and a group.

104 Client Manual

Procedure

To delete connects, follow these steps:

1. Select the connects in a Connects table and perform one of these steps:
v Select Action > Delete from the main menu.
v Right-click the connects and select Delete from the pop-up menu.
v Click Delete on the toolbar.
v Press the Delete key.
v Drag the connects and drop them on the Recycle Bin.

Figure 56. Delete connect dialog

2. Specify that the user must be removed from all access lists of group resources
in the Remove user permits from group resources option.
3. Click OK to delete or remove the connect.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed.
a. Select the nodes to which the delete-connect action applies. You must select
at least one node to continue. Note that the local node entry is highlighted.

Note: You can delete a connect for users and groups only on the same
node. You cannot delete a connect for users and groups across separate
nodes. However, if the same-name groups and users exist in another node,
selecting multiple systems will propagate the delete-connect action to the
specified nodes. Use caution if you intend to propagate the delete connects
action across nodes. See “Connects in multi-system mode” on page 98.

If a node is defined as a zSecure node and an RRSF node, you can select
only one of these node types. If you select an RRSF node, you can use the
AT or ONLYAT options to select from the dropdown list an alternative user
ID to run the command.
b. Click OK. The selected list of nodes is verified, then the delete-connect
action is performed for each selected node.
c. Click Cancel to return to the previous dialog without selecting any nodes.

Chapter 6. Connect management 105

Copy, merge, and move functions for connects
Use the Drag and Drop and Copy and Paste functions to copy, merge, and move
connects.

You can copy, merge, and move connects by using Drag and Drop or Copy and
Paste. If you use Drag and Drop, you can drag connects from one table and drop
them on a similar one. After the drop, a pop-up menu is displayed, listing these
options:
Copy The dragged connects are copied to the target table. If a connect exists and
has an authority higher than the dragged connect, the user can choose
between copying and merging the connects. If copy is selected, the
dragged connects replace the target connects. If merge is selected instead,
every new connect has the attributes of both connects and have the highest
connect authority.

Note: When copying a connect, if the revoke or resume dates are earlier
than or equal to the current date, RACF prevents you from copying or
entering the dates. Table 5 shows how revoke and resume values are
managed for copy-connect actions.
Table 5. Before-and-after revoke-and-resume values for copy-connect operation
Original Values Copy Output Values
Revoke Revoke Date Resume Date Revoke New Revoke New Resume
Flag Flag Date Date
None None None None
GT today None *Copy revoke None
date
GT today GT revoke *Copy revoke Copy resume
date date date
LT today LE today & (1)None None
GT revoke
date
Yes LE today None **Yes (2)None None
LT today Today None None
Yes LE today GT today **Yes (3)None Copy resume
date
Yes None None **Yes None None
None LT today None None
None Today None None
Yes None GT today **Yes None Copy resume
date
Legend: LT = less than, LE = less than or equal to, GT = greater than, None = not specified

106 Client Manual

Table 5. Before-and-after revoke-and-resume values for copy-connect operation (continued)
Original Values Copy Output Values

*For a temporary connect, you must remove the revoke date in order for the copy
operation to create a permanent connect.

**If the revoke flag is set in the copied values, the initial status of the connect is set to
revoked.

Copy outcome examples:

(1)The resume date takes precedence because it is less than or equal to today's date. The
new connection is not set to revoke and resume.

(2)The connection is already revoked (date in the past), therefore the new connection is set
to be revoked with no revoke or resume dates.

(3)The connection has a current status of revoked (date in the past), but a resume date later
than today is specified. The new connection is revoked and set to resume with the
specified date.

Merge The outcomes of merge-connect operations are based on various

combinations of resume and revoke dates. The goal is to prevent a
connection from becoming unintentionally active in these circumstances:
v Revoking too late.
v Resuming too soon.
v Resuming when a permanent revocation is wanted.
If the outcome from a merger is unexpected or unwanted, open the user or
group properties dialog and change the dates. The following example
shows how an outcome is derived.
Merge-connect example:
A merger of connects is executed between these connects:
v The current date is November 1.
v The source connect is active with a revoke date of November 15 and no
resume date.
v The target connect is active with a revoke date of November 5 and a
resume date of December 1st.
The outcome of this operation is a connect that is currently active until
revoked on November 5, with no resumption date.
Move The move action is a combination of a copy or merge followed by a delete
of the successfully copied or merged connects. A dialog in which you can
specify the move options is displayed. The Remove user permits from
group resources option specifies whether the user must be removed from
the access list of resource profiles of the group on the delete action.

Select Copy and Paste from the main menu to perform a copy and paste operation.
For more information about Copy and Paste, see “Copy and paste function” on
page 30.

Chapter 6. Connect management 107

108 Client Manual
Chapter 7. Resource management
The administrator performs zSecure resource management tasks to maintain the
access rules that different users and groups have to resources.
“Resource profiles” on page 110
Rules for access to various kinds of resources are kept in resource classes as
profiles. This section describes these resource profiles.
“Adding a resource profile” on page 113
Use the Add resource profile dialog to create a resource profile from scratch.
“Duplicating a resource profile” on page 114
Use the Duplicate resource profile dialog to create a resource profile from an
existing profile.
“Editing resource profile properties” on page 115
Use the Properties of resource profile dialog to change the properties of a
resource profile.
“Deleting a resource profile” on page 117
Use the Delete resource profile dialog to delete a resource profile.
“Modifying an Access List (ACL)” on page 118
Use the Access list window to view, add, and change entries in the access list
of a resource profile.
“Adding a user or group to an access list” on page 120
Use the Add to access list dialog to add a user or group to the access list of a
resource profile.
“Editing an access list entry” on page 121
Use the Edit Access List dialog to edit the entry of a user or group in the
access list of a resource profile.
“Deleting an access list entry” on page 122
Use the Delete option to remove the entry of a user or group in the access list
of a resource profile.
“Profile members” on page 122
The administrator uses these guidelines to plan and implement the use of
grouping classes.
“Viewing and changing a member list” on page 123
Use the Members window to view and change the member list of a general
resource profile.
“Adding a member” on page 124
Use the Add member dialog to add a new member to a member list of a
resource profile.
“Editing a member” on page 125
Use the Edit member dialog to change a member of a list.
“Deleting a member” on page 125
Use the Delete function to delete a member from a list.
“Refreshing a class” on page 126
Use the Refresh function to refresh a class after changing resource profiles in
the RACF database.

© Copyright IBM Corp. 1998, 2017 109

Resource profiles
Rules for access to various kinds of resources are kept in resource classes as
profiles. This section describes these resource profiles.

Access checks are done against specific resource classes, depending on the type of
resource the access check is for. For example, DATASET for reading a data set, or
TERMINAL to see if you can log on using a particular machine. Profiles within
each class describe sets of access settings. The profile name can be generic, like a
mask specification. RACF determines which access settings apply by looking for
the profile name that best matches the resource name within the particular class.

In RACF, a distinction is made between DATASET profiles and all other resource
profiles. The DATASET profiles reside in the DATASET class which controls access
to data sets. All other resource profiles are called General Resource Profiles. zSecure
Visual lets you work with both types of profiles.

To protect a resource with a profile, the profile has to reside in the appropriate
class. The name of the profile needs to match the name of the resource. For
example, to protect dataset CKR.CKR230.SCKRLOAD, you can make a profile
named CKR.CKR230.SCKRLOAD in the DATASET class.

To avoid creating a resource profile for every resource, RACF enables you to use
generic characters in the profile name. You can use character * to represent one
qualifier, or the rest of the current qualifier. The ** sequence matches zero or more
qualifiers. The following examples show the matches based on the use of the *
character:
CKR.CKR*.SCKRLOAD matches CKR.CKR230.SCKRLOAD.
CKR.CKR230.SCKRLOAD.* does not match CKR.CKR230.SCKRLOAD,
because it has no fourth qualifier.
CKR.** matches CKR.CKR230.SCKRLOAD.
CKR.**.SCKRLOAD matches CKR.CKR230.SCKRLOAD.

If there are different resource profiles that match a certain resource, RACF uses the
most specific profile. It is the one with the most characters left of the first generic
character.

Resource table
You can review resource profile contents in the Resources table.

Typically a profile contains an access list that specifies the access to the resources,
which users and groups have, covered by the profile. Some general resource
classes grant access by a different procedure.

Use the Find dialog to locate a list of all resources. You can use * in the class to get
profiles of different resource classes in one table. If you leave the class field empty,
you can get all resources but without users or groups.

110 Client Manual

Figure 57. Resources table

The resulting fields in the Resource table are:

Complex
The name of the zSecure node where the result was found. This column is
displayed only if you are operating in multi-system mode.
Class Class in which the profile resides.
Profile
Name of the profile.
ProfType
Profile type. For general resources, it can be discrete or generic. For data
sets, it can be generic, nonvsam, vsam, tapedsn, or model.
UACC Access granted by the profile to any user whose access cannot be
determined from the access list.
Warning
A profile in warning mode always allows access to the resource (!), but if
the access is more than the access that the Access List or UACC grants, an
audit log record is written.
Erase Overwrite the dataset on deletion. This flag is only taken into account if
the central Erase flag has been set using a SETROPTS ERASE command.
AuditS
Audit level for successes.
AuditF
Audit level for failures.
ACLCount
Number of user IDs and groups on the access list of the profile.
Owner
User ID or group that can change the profile.
Notify User ID that receives a message when an audited violation occurs.
InstData
The contents and means of this field are defined by your organization.
Appldata
This field is only defined for generic resource profiles, which are all
resource profiles except profiles in the DATASET class. Its contents and
means depend on the class.
Volser For discrete DATASET profiles, it contains the volumes the profile protects.

Chapter 7. Resource management 111

 Created
Date the profile was created.
UserIDcount
For the IDIDMAP profiles, it indicates the number of user ID associated
with this profile.

The extra selection fields for resources in the Find dialog are:
Installation data
Select only resources that have the specified pattern in their installation
data.
Owner
Select only resources whose owner matches the specified filter.
Segment
Select the resources that have the segment you specified. If this option is
disabled, you cannot view segments or there are none. The option any
gives you the complete resource list, whether the profiles have segments or
not.

Viewing mapping information

Use the Mappings selection to view mapping information for IDIDMAP profiles.

Procedure

For the IDIDMAP profiles, you can view their associated mapping information by
following these steps:
1. Select the IDIDMAP profile from the main menu.
2. Select Navigate > Mappings. Alternatively, you can right-click the IDIDMAP
profile to display the pop-up menu and select Mappings.

Figure 58. Mapping information of an IDIDMAP profile

On the displayed window, you can view these fields:

112 Client Manual

 Complex
The name of the complex where the result was found. This field is
displayed only if you are operating in multi-system mode.
Label The label associated with the identity mapping.
User ID
The user ID associated with the identity mapping.
Registry name
The registry name of the identity mapping.

Note: You cannot duplicate, add, edit, or delete an IDIDMAP profile. For more
information, see “Viewing mappings” on page 82.

Adding a resource profile

Use the Add resource profile dialog to create a resource profile from scratch.

About this task

You can create a new resource profile through the resource table.

Note: You can only create generic DATASET profiles, including fully qualified
generics.

Procedure

To create a resource profile from scratch, complete these steps:

1. Open a resource table.
2. Select the profile from the resource table and select Action > Add Resource.

Figure 59. Add resource profile dialog

3. Enter the profile data. The fields and options are described here:
Complex: Node
The complex and node names to which this action applies are
displayed in the header of the dialog only if you are operating in
multi-system mode.

Chapter 7. Resource management 113

 Class Class in which the profile resides. zSecure Visual uses as default class
the class of the profile you have selected. You can change the class.
Profile
Name of the profile.
UACC Access granted by the profile to any user whose access cannot be
determined from the access list.
Warning
A profile in warning mode always allows access to the resource (!), but
if the access is more than the access that the Access List or UACC
grants, an audit log record is written.
Erase This flag is only valid when class is DATASET. When the flag is set, the
dataset is overwritten on deletion, but only if the central Erase flag has
been set using a SETROPTS ERASE command.
AuditS
Audit level for successes.
AuditF
Audit level for failures.
Owner
User ID or group that can change the profile.
Notify User ID that can receive a message when an audited violation has
occurred.
InstData
The contents and means of this field are defined by your organization.
Appldata
This field is only defined for generic resource profiles, which are all
resource profiles except profiles in the DATASET class. Its contents and
means depend on the class.
Refresh
Refreshes the class, so the new profile becomes effective immediately,
even for users that have cached profiles of the class. If you do not
specify Refresh, the profile becomes active only for users that do not
have cached profiles.
4. If you need the profile changes to take effect immediately for all users, click
Refresh to refresh the class. If you do not refresh the class, the profile becomes
active only for those users that do not have it cached.
5. Click OK to create the profile, or click Cancel to cancel the new profile.
If you are operating in single-node mode, OK is disabled until you change one
or more values.
If you are operating in multi-system mode, OK is enabled so you can create the
selected resource profile in a different node.

Duplicating a resource profile

Use the Duplicate resource profile dialog to create a resource profile from an
existing profile.

114 Client Manual

 About this task

You can create a profile by duplicating an existing profile. Duplicating a profile

copies the access list and member list of the original profile to a new profile. You
can customize the new profile and change the data as required.

Note: You cannot copy a resource profile from a DATASET class to a general
resource class or vice versa.

Procedure

To duplicate a resource profile, perform these steps:

1. Select the resource profile in a resources table and select Action > Duplicate
from the main menu.

Figure 60. Duplicate resource profile dialog

2. If you are duplicating the profile to create a new profile for a single node,
change the data in the fields. For descriptions of the fields, see “Adding a
resource profile” on page 113.
3. If you need the new profile to take effect immediately for all users, click
Refresh to refresh the class. If you do not refresh the class, the profile becomes
active only for those users that do not have it cached.
4. Click OK to create the profile. If you are duplicating the profile for another
node, select the nodes to which the profile applies, then click OK.

Editing resource profile properties

Use the Properties of resource profile dialog to change the properties of a resource
profile.

Chapter 7. Resource management 115

 Procedure

To change the properties of a resource profile, complete these steps:

1. Select the profile and select Navigate > Properties from the main menu.

Figure 61. Properties of resource profile dialog

2. Edit the properties as needed.

Note: You cannot edit these properties in this dialog:

v Class
v Profile
v Volumes
v Access List Count
v User ID Count
If you are operating in multi-system mode, the complex and node to which you
selection applies is displayed in the header of the dialog.
The following properties are displayed:
Class Class in which the profile resides.
Profile type
Type of the RACF profile, for example, Generic, VSAM, Non VSAM,
Model, Type DSN, and so on.
Profile
Name of the profile.
Volumes
For discrete DATASET profiles, this field contains the volumes that the
profile protects.
Owner
User ID or group that can change the profile.
116 Client Manual
 Notify User ID that receives a message when an audited violation occurs.
Warning
A profile in warning mode always allows access to the resource (!), but
if the access is more than the access that the Access List or UACC
grants, an audit log record is written.
Erase Overwrite the dataset on deletion. This flag is only taken into account if
the central Erase flag has been set using a SETROPTS ERASE
command.
ACLCount
Number of user IDs and groups on the access list of the profile. You
cannot directly change the number here. However, if you select the
profile and select Navigate > Access List from the main menu, you can
extend or shorten the access list.
Application data
This field is only defined for generic resource profiles, which are all
resource profiles except profiles in the DATASET class. Its contents and
means depend on the class.
Installation data
The contents and means of this field are defined by your organization.
Profile type
Type of profile.
UACC Access granted by the profile to any user whose access cannot be
determined from the access list.
AuditF
Audit level for failures.
AuditS
Audit level for successes.
User ID count
For the IDIDMAP profiles, it indicates the number of user IDs
associated with this profile.
3. Click Refresh to refresh the class if you need the profile changes to take effect
immediately.
4. Click OK to apply your changes.
5. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. Note that the local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Deleting a resource profile

Use the Delete resource profile dialog to delete a resource profile.

Chapter 7. Resource management 117

 Procedure

To delete a resource profile, follow these steps:

1. Select the resource profile in a resource table and select Action > Delete from
the main menu.

Figure 62. Delete resource profile dialog

2. Select Refresh to apply the deletion of the profile immediately.

3. Click OK to delete the profile.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. Note that the local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Modifying an Access List (ACL)

Use the Access list window to view, add, and change entries in the access list of a
resource profile.

About this task

The name access list is often abbreviated as ACL. A resource profile typically has
an access list, which is a list of user IDs and group IDs, their granted access and,
optionally, a condition.

Procedure
1. To view the access list of a resource profile, select the profile and click Navigate
> Access List in the main menu.

118 Client Manual

Figure 63. Access list

When a group is placed on the access list, all its users get access, see “Viewing
an Effective Access List” on page 53. The user and group columns are
described in Chapter 2, “IBM Security zSecure Visual customization and
primary tasks,” on page 17 and Chapter 4, “User management,” on page 55.
The following columns are also in the access list table:
Node The name of the node that is associated with the ID.
ID User ID or group.
Access
Granted access. It is always one of these options:
None All means of access is denied for the specified user or group.
Execute
The specified user or group can execute the resource. It is only
effective for data sets and programs.
Read The specified user or group can execute and read the resource.
Update
The specified user or group can execute, read, and update or
write the resource.
Control
The specified user or group can execute, read, update or write,
and create or remove the resource.
Alter The specified user or group can do anything with the resource
and change the resource profile, just as the owner.
When A blank field means there is no condition, so the access is granted
without restriction. Entries in this field have this form:
APPCPort appcport Console console JESInput class Program
program SYSID id Terminal terminal
2. Complete these steps to add, delete, or change ID entries in the list and process
your changes:
a. Select a list entry (ID).
b. Click Add, Edit, or Delete, to change the list entry. A dialog for the selected
task is displayed:
v “Adding a user or group to an access list” on page 120
v “Editing an access list entry” on page 121

Chapter 7. Resource management 119

 v “Deleting an access list entry” on page 122
c. After you make a change, the OK and Cancel buttons become available in
the main Access List window.
3. Click Refresh to refresh the class. The new access list becomes effective
immediately, even for users that have cached profiles of the class.

Note: Your changes do not become effective for users whose affected profiles
are cached until you refresh the class.
4. Click OK to apply your changes to the access list to the mainframe.
5. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. Complete these steps if you are using multi-system
mode:
a. Specify the nodes to which the changes applies. You must select at least one
node to continue. Note that the local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The IDs of the current node, if
selected, are updated with your changes. Your changes to the current node
are then replicated to the other selected nodes.

Note:
v You must understand the differences in the ID data across your RACF
databases; other nodes might not have the same initial access list as the
current node.
v IDs that are different than the current node remain in the other nodes.
v The client does not verify that the user or group IDs exist in the other
nodes. If an ID does not exist in the target database, it is rejected by
RACF as an error and ignored.

Adding a user or group to an access list

Use the Add to access list dialog to add a user or group to the access list of a
resource profile.

Procedure

To add a user or group to the access list, follow these steps:

1. Display the access list and click Add in the table window.

Figure 64. Add to access list dialog

2. Specify this information:

120 Client Manual

 ID The user ID or group ID.
Access
The access level that is set for the ID.
When The condition for which access is granted.
3. Select Refresh to make the new ID immediately active for all users. If you do
not refresh, the ID only becomes active for those users that do not have it
cached.
4. To add the same ID with different conditions to the access list, click OK. If the
same ID is added with the same condition but a different access, the new
access overrides the previous access.
Your changes are updated in the Access List main form. The changes are not
processed until you click OK in the main Access List dialog to process all
changes.

Editing an access list entry

Use the Edit Access List dialog to edit the entry of a user or group in the access
list of a resource profile.

Procedure

To edit the entry of a user or group in the access list, follow these steps:
1. Select the entry and click Edit in the table window.

Figure 65. Edit access list dialog

2. Edit these fields as needed:

ID A user ID or group ID.
Access
The access level that is set for the ID.
When The condition for which access is granted.
3. Click OK to apply the changes to the access list.
Your changes are updated in the Access List main form. The changes are not
processed until you click OK in the main Access List dialog to process all
changes.

Chapter 7. Resource management 121

Deleting an access list entry
Use the Delete option to remove the entry of a user or group in the access list of a
resource profile.

Procedure

Follow these steps to delete an entry:

1. Select the user or group entry in the access list.
2. Click Delete in the table window or select Action > Delete.
3. Click OK to delete the selection.
Your changes are updated in the Access List main form. The changes are not
processed until you click OK in the main Access List dialog to process all
changes.

Profile members
The administrator uses these guidelines to plan and implement the use of grouping
classes.

All resource profiles except DATASET profiles can have a member list. In practice,
only some classes have profiles with members. The typical way to use profile
members is to access on groups of resources instead of individual resources. You
need a member and grouping class.

Member and grouping classes are linked together in the Class Descriptor Table.
The member class can contain profiles that accept access the normal way. The
grouping class is grant access for groups of resources. A group is represented by a
profile in the class. This grouping profile can have a list of members, each of which
contains a resource name. Any rights granted on the grouping profile accepts
access on all the resources named in the members.

Attention: The design of the group structure is important. For ease of use, a
group name must give a good indication of either the contents or the use of the
resource group. Avoid this usage:
v Use of both the member and grouping class simultaneously for the same
resource.
v Recurrence of the same resource in more than one group, if you plan to grant
access on those resource groups to a user or group.
The various issues involved when merging access rights for multiple resources are
complex and can result in unexpected and undesired effects. Also, no clear report
of the result is available.

Example of grouping class

The administrator uses this sample scenario to plan and implement grouping
classes.

The main reason to use grouping is to avoid excessive administration overhead. An

example of where this grouping can be useful is the administration of CICS
transactions. TCICSTRN, the member class, can be granted access on individual
transactions. For every transaction, a profile is needed. However, it quickly
becomes cumbersome. To avoid creating large piles of individual transaction
profiles, it is possible to organize them in the GCICSTRN grouping class. A useful

122 Client Manual

 group division might be by CICS system and job description:

Figure 66. Grouping class example

If you carefully plan and implement your groupings, granting rights on the
resource groups is simpler and less error-prone than granting rights on individual
transactions.

Exceptions
The administrator must be aware of these exceptional grouping classes, which
need special consideration.

In some classes profile members are used in different ways than previously
described. Explaining the mechanisms involved is beyond the scope of this
manual. Some of the better known exceptions are:
v The Global Access Table (GLOBAL class, DATASET profile)
v NODES class
v PROGRAM class
v RACFVARS class

Viewing and changing a member list

Use the Members window to view and change the member list of a general
resource profile.

Procedure

To display the member list of a resource profile and change the list, perform these
steps:
1. Select the profile and select Navigate > Members from the main menu.

Chapter 7. Resource management 123

 Figure 67. Member list

2. Click Add, Edit, or Delete to change the member list.

3. Click Refresh to make the changes effective immediately. For users that have
cached profiles of the same class, the changes might not become effective until
you refresh the class.
4. Click OK to apply the changes to the mainframe.
5. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. Note that the local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The members of the current
node, if selected, are updated with your changes. The members lists of the
other selected nodes are replaced by the current members list.
d. Click Cancel to return to the previous dialog without selecting any nodes.

Adding a member
Use the Add member dialog to add a new member to a member list of a resource
profile.

Procedure

To add a member, perform these steps:

1. Click Add in the member table window.

124 Client Manual

 Figure 68. Add member dialog

2. Enter the new member.

Note: When adding a member to the PROGRAM class, use the DSN, Volume,
and PADCHK fields to construct the new member string.
3. Click OK to add the new member to the list. The changes do not become
effective for users whose affected profiles are cached until you refresh the class
in the main member list.

Editing a member
Use the Edit member dialog to change a member of a list.

Procedure

To edit a member, perform these steps:

1. Select the member and click Edit in the member table window.

Figure 69. Edit member dialog

2. Change the member and click OK to place it in the list.

Note: When editing a member in the PROGRAM class, use the DSN, Volume,
and PADCHK fields to construct the member string.
3. Click OK to apply the changes to the member list. The changes do not become
effective for users whose affected profiles are cached until you refresh the class
in the main member list.

Deleting a member
Use the Delete function to delete a member from a list.

Procedure

To delete a member, perform these steps:

1. Select the member and click Delete in the member table window, or select
Action > Delete from the main menu.

Chapter 7. Resource management 125

 2. Click Refresh to make the changes effective immediately. For users that have
cached profiles, the changes do not become effective until you refresh the class.
3. Click OK to send the deletion to the mainframe.
4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. Note that the local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The members of the current
node, if selected, are updated with your changes. The members lists of the
other selected nodes are replaced by the current members list.
d. Click Cancel to return to the previous dialog without selecting any nodes.

Refreshing a class
Use the Refresh function to refresh a class after changing resource profiles in the
RACF database.

About this task

After changing resource profiles in the RACF database, a refresh is required to

propagate the changes to cached profiles for all users.

Procedure

To refresh a class, perform these steps:

1. Select Action > Refresh from the main menu.

Figure 70. Refresh class dialog

2. Enter the class name in the Class field.

3. Select the Refresh GLOBAL class to refresh the global access table for this class
instead of the class itself. If you do not know the class, click the button next to
the class field to get the Select class dialog. See “Finding classes with the Select
class dialog” on page 42 for more information.

126 Client Manual

Chapter 8. Segment management
You can use the Visual Client to perform zSecure segment management tasks for
users, groups, and resources.

An application segment is part of a profile that contains information about a

mainframe application other than RACF, like TSO or OMVS. Users, groups, and
resources all have their own segments. Use the following tasks to manage
segments:
“Authorities and settings required to manage segments”
To manage segments, you must view and edit authorities and settings.
“Viewing and editing segment types”
To view and edit segments, open the Segmenttypes table.
“Viewing the segment list” on page 130
Use the Segment list option to view the segments of a class with a specific
segment type.
“Using the Segment Detail window” on page 130
Use the Segments option to view information about the segments of a single
profile. The procedure is described here.
“Adding a segment” on page 132
Use the Add segment option to add a segment directly to a profile.
“Exceptions” on page 133
Use the list in this topic to determine which segments cannot be edited with the
segment detail window.
“Segment fields” on page 134
Use segment field descriptions in this topic in to get information on the
segment type.

Authorities and settings required to manage segments

To manage segments, you must view and edit authorities and settings.

To view segments, you must set the Interface level option at administration level
Full. To select this level, go to View > Options on the main menu.

For more information on specific authorization requirements for segment

management, see the section on “Segment editing for users” in IBM Security
zSecure CARLa-Driven Components: Installation and Deployment Guide.

Viewing and editing segment types

To view and edit segments, open the Segmenttypes table.

About this task

IBM Security zSecure Visual enables you to view and edit segments. The
Segmenttypes table displays an overview of all segments that zSecure Visual can
show.

© Copyright IBM Corp. 1998, 2017 127

 Procedure

Follow these steps to view and edit segments:

1. Select Navigate > Segmenttypes in the main menu.

Figure 71. Segment types

The Segmenttypes table has these columns:

Complex
The name of the zSecure node to which segment applies. This column
is displayed only if you are operating in multi-system mode.
Class The class to which the segment belongs.
Segmenttype
The segment type.
Segmentcount
The number of segments.

Note: This number is not initially specified. Each time you view
information about a segment, the relevant number of that segment is
updated in the Segmenttypes list.
2. To view information about segments, right-click a row and select Segment List.
See “Viewing the segment list” on page 130.

Application segments
The administrator uses this table to determine which segments are associated with
the user, group, and resource profiles.

The following table lists the segments of resource profiles in their related classes.

Class Segment

APPCLU SESSION
CDT CDTINFO
CFIELD CFDEF
CSFKEYS ICSF

128 Client Manual

Class Segment

DATASET DFP
DATASET TME
DIGTCERT CERTDATA
DIGTRING CERTDATA
DLFCLASS DLFDATA
EJBROLE TME
FACILITY DLFDATA
FACILITY EIM
FACILITY PROXY
FACILITY TME
GCSFKEYS ICSF
GXCSFKEY ICSF
LDAPBIND EIM
LDAPBIND ICTX
LDAPBIND PROXY
MFADEF MFPOLICY
PROGRAM SIGVER
PTKTDATA SSIGNON
REALM KERB
ROLE TME
STARTED STDATA
SYSMVIEW SVFMR
XCSFKEY ICSF

The segments of group profiles are:

v CSDATA
v DFP
v OMVS
v OVM
v TME

The segments of user profiles are:

v CICS
v CSDATA
v DCE
v DFP
v EIM
v KERB
v LANGUAGE
v LNOTES
v NDS
v NETVIEW
v OMVS
v OPERPARM
v OVM
v PROXY
v TSO
v WORKATTR

Chapter 8. Segment management 129

Viewing the segment list
Use the Segment list option to view the segments of a class with a specific
segment type.

Procedure

To view the segment list, follow these steps:

1. Open the Segment Types window.
2. Select the class-segment type combination and select Navigate >Segment list
from the main menu, or,
3. Right-click the class-segment type and select Segment list.

Figure 72. Segment list

The segment list always starts with the name of the profile. The other fields are
segment specific. The names are abbreviations. You can find the complete
names in the segment detail window. For more information about the segment
fields, see “Segment fields” on page 134.
4. If you select a profile in the segment list, you have these possibilities:
v View the properties of the profile by performing one of these steps:
– Select Navigate > Properties on the main menu and double-click the
profile; or,
– Right-click the profile and select the option Properties.
v View the segment detail window of the profile by performing one of these
steps:
– Select Navigate > Segments from the main menu; or,
– Right-click the profile and select the option Segments.
v Add a segment to a profile. For more information, see “Adding a segment”
on page 132.

Using the Segment Detail window

Use the Segments option to view information about the segments of a single
profile. The procedure is described here.

About this task

The segment detail window gives you all the information about the segments of a
single profile. From this window, you can also edit the profile. To access the
Segment Detail Window, you must be in the segment list or in either the user,
group, resource, connected users, or connected groups table.

130 Client Manual

Procedure

To open the Segment Detail window, follow these steps:

1. Select the specific profile you want to edit or look at.
2. Select Navigate > Segments from the main menu, or
3. Right-click the profile and select Segments from the pop-up menu.

Figure 73. Segment Detail Window

When you open the segment detail window, on the left pane you see all
segments of the profile. If you select a segment here, you get the detailed
information about the right pane. The right pane has three columns:
Description
A description of the segment.
Fieldvalue
Value of the field. You can edit the value. All empty fields are shown
with a blue-colored <Empty> in this column. When a repeating field
count is zero, a single <Empty> field is shown here, although it does
not exists yet. It enables the user to create the first repeating field by
simply entering a value.
Changed
This column tells you whether any changes you made are yet to be
applied on the mainframe by clicking Apply.
The buttons on the right are the edit options.
4. To edit a field, follow these steps:
a. Select the row you want to change using one of these methods:
v Click the row you want to change then click the row a second time. After
a short pause the Fieldvalue field will open for you to start editing.
v Select the row you want to edit with the tab and arrow keys and press
the Ins key to open the editing dialog.
b. To cancel editing, use the Esc key or select another row.
c. Press Enter to save your changes.
The edit options are listed as follows:

Chapter 8. Segment management 131

 Add segment
Clicking this button opens the pop-up menu Add segment. You can
select the segment you want to add.
Delete segment
Select the segment you want to delete and click the button. You get a
warning box with the question if you want to delete the selected
segment. Click Yes to delete it or Cancel to undo the deletion.
Add Field
This option is only possible for repeating fields. To add a new, empty
field, select the field you want to add. The Add Field button becomes
enabled. Click the button to add the field.
Refresh
After changing a field, you check the box to refresh it to propagate the
changes to cached profiles for all users. You must have the right
authorization to refresh the profiles.
Apply To apply the changes to the mainframe, click Apply. All indications in
the Changed column disappear while the changes take effect.

Adding a segment
Use the Add segment option to add a segment directly to a profile.

About this task

You can add segments directly to a profile or from the segment detail window. See
“Using the Segment Detail window” on page 130 in information on adding
segments in the segment detail window.

Procedure
To add a segment directly to a profile, complete these steps:
1. In the table, right-click the profile you want to add a segment to.
2. Select Action > Add segment from the main menu, or select Add segment
from the pop-up menu.

132 Client Manual

 Figure 74. Add Segment dialog

3. Select the segment to add. Then, click OK.

4. If you are operating in multi-system mode, the Select Nodes dialog displays
your preferred list of nodes. If you have performed an action already, the nodes
that you selected previously are displayed. Complete these steps if you are
using multi-system mode:
a. Specify the nodes to which the action applies. You must select at least one
node to continue. Note that the local node entry is highlighted.
b. If a node is defined as a zSecure node and an RRSF node, select only one of
these node types. If you select an RRSF node, you can use the AT or
ONLYAT options to select from the dropdown list an alternative user ID to
run the command.
c. Click OK to verify the selected list of nodes. The action is performed for
each selected node.

Note:
v To propagate the add-segment action across nodes, the segments need to be
very similar.
v The segment is added to the node if possible.
v The segment is added immediately to the nodes.

Exceptions
Use the list in this topic to determine which segments cannot be edited with the
segment detail window.

Most segments exist in the segment list and can be edited with the segment detail
window. There are these exceptions:
v CSDATA segments are shown in SegmentTypes, SegmentList, and Segment Detail
only if present.
v DIGTCERT-CERTDATA is displayed but cannot be edited.
v DIGTCERT-CERTDATA-CERT is not read from the mainframe, as it causes errors
while doing so.
v DIGTCERT-CERTDATA-*RSV* is not read from the mainframe, they are reserved
fields and must not be shown.

Chapter 8. Segment management 133

 v DIGTCRIT cannot be edited, so it only appears in SegmentTypes and SegmentList,
not in Segment Detail.
v DIGTNMAP cannot be edited, so it only appears in SegmentTypes and SegmentList,
not in Segment Detail.
v DIGTRING cannot be edited, so it only appears in SegmentTypes and SegmentList,
not in Segment Detail.
v FACILITY PROXY-BINDPW and BINDPWKY are read-only fields, so they only exist in
SegmentList, not in Segment Detail.
v MFPOLICY is displayed but cannot be edited.
v REALM-KERB-CURKEY, CURKEYV, ENCTYPE, PREVKEY, PREVKEYV, and SALT are read-only
fields, so they only exist in SegmentList, not in Segment Detail.
v PTKTDATA-SSIGNON contains an encryption key only, so it only appears in
SegmentTypes, not in SegmentList or Segment Detail.
v USER-KERB-CURKEY, CURKEYV, DEFTKTLF, ENCTYPE, MINTKTLF, PREVKEY, PREVKEYV, and
SALT are read-only fields, so they only exist in SegmentList, not in Segment
Detail.
v USER PROXY-BINDPW and BINDPWKY are read-only fields, so they only exist in
SegmentList, not in Segment Detail.
v USER-TSO-TCONS, TOPTION, TPERFORM, TRBA, TUPT are read-only fields, so they only
exist in SegmentList, not in Segment Detail.

Segment fields
Use segment field descriptions in this topic in to get information on the segment
type.

You can find information about segments and segment fields in section “RACF
database templates” of the book “z/OS Security Server RACF Macros and Interfaces”
available at the IBM Knowledge Center for z/OS.

To view the segment fields for a segment type, click on the segment name. In the
segment field table, each column is explained as follows:
Fieldname
The names of the fields as you see them in the segment list.
Repeats
If the fields of the segment display more than once, you find them all in
the segment detail window. In the segment list, you find the number of
repetitions.
Description
The descriptions of the fields as you see them in the segment detail
window.
Command parameter
Lists the parameter that identifies the field in RACF commands that
manipulate the field. This column is filled in only when this parameter is
different from Fieldname.

Segments of resource profiles

You can use Visual Client to view the details of each segment in a resource profile.

This section lists the segments of resource profiles:

134 Client Manual

v “APPCLU - SESSION”
v “CDT - CDTINFO”
v “CFIELD - CFDEF” on page 136
v “CSFKEYS, GCSFKEYS, XCSFKEY, GXCSFKEY - ICSF” on page 136
v “DATASET - DFP” on page 137
v “DATASET - TME” on page 137
v “DIGTCERT - CERTDATA” on page 137
v “DIGTRING - CERTDATA” on page 138
v “DLFCLASS - DLFDATA” on page 138
v “EJBROLE - TME” on page 138
v “FACILITY - DLFDATA” on page 138
v “FACILITY - EIM” on page 139
v “FACILITY - PROXY” on page 139
v “FACILITY - TME” on page 139
v “LDAPBIND - EIM” on page 140
v “LDAPBIND - ICTX” on page 140
v “LDAPBIND - PROXY” on page 140
v “MFADEF - MFPOLICY” on page 140
v “PROGRAM - SIGVER” on page 140
v “PTKTDATA - SSIGNON” on page 141
v “REALM - KERB” on page 141
v “ROLE - TME” on page 141
v “STARTED - STDATA” on page 142
v “SYSMVIEW - SVFMR” on page 142

APPCLU - SESSION
Use this table to determine the fields in the APPCLU- SESSION segment type.

Fieldname Repeats Description Command parameter

CONVSEC No Conversation security flags

KEYDATE No Session key last change
date
KEYINTVL No Session key days to expiry INTERVAL
#
MAXFAIL No Failed tries before lockout #
SENTCNT No Session entities in list #
SENTFLCT Yes Failed attempts #
SENTITY Yes Session entity name
SESSKEY No Session key
SLSFAIL No Invalid attempts #
SLSFLAGS No Session flag byte LOCK

CDT - CDTINFO
Use the fields in the CDT-CDTINFO segment type to define classes in the dynamic
CDT.

The CDTINFO segment is only valid for the CDT resource class. It is used to define
classes in the dynamic CDT.

Chapter 8. Segment management 135

 Fieldname Repeats Description Command parameter

CDTCASE No Profile names case sensitive

CDTDFTRC No Default not-found RC
CDTFIRST No Syntax 1st character (raw)
CDTGEN No GENERIC/GENCMD
status
CDTGENL No GENLIST status
CDTGROUP No Related grouping class
CDTKEYQL No Generic scan limit (quals)
CDTMAC No MAC checking
CDTMAXLN No Maximum length with
ENTITY
CDTMAXLX No Maximum length
CDTMEMBR No Related member class
CDTOPER No OPERATIONS honored
CDTOTHER No Syntax remainder (raw)
CDTPOSIT No POSIT (options set id)
CDTPRFAL No Profile definition ed
CDTRACL No RACLIST status
CDTSIGL No Send ENF signal
CDTSLREQ No SECLABELs required
CDTUACC No Default UACC

CFIELD - CFDEF
Use the fields in the CFIELD - CFDEF segment type to define the characteristics of
the field.

The CFDEF (Custom Field DEFinition) segment for CFIELD class profiles defines the
characteristics of the field.

Fieldname Repeats Description Command parameter

CFDTYPE No Custom field type

CFFIRST No Custom field first char
CFHELP No Custom field help text
CFLIST No Custom field listing header
CFMIXED No Custom field mixed chars
CFMNVAL No Custom field min value
CFMXLEN No Custom field max length
CFMXVAL No Custom field max value
CFOTHER No Custom field other chars

CSFKEYS, GCSFKEYS, XCSFKEY, GXCSFKEY - ICSF

Use this table to determine the fields in the ICSF segment type.

The ICSF segment defines Integrated Cryptographic Service Facility storage

attributes for the keys that are controlled by general resources profiles in classes
CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY.

Fieldname Repeats Description Command parameter

CSFSEXP No Symmetric key export SYMEXPORTABLE

option.
CSFCSPW No Symmetric key CPACF SYMCPACFWRAP
wrap option.

136 Client Manual

Fieldname Repeats Description Command parameter

CSFSKLCT No Count of PKDS labels.

CSFSKLBS Yes PKDS labels which might SYMEXPORTKEYS
be used to export this
symmetric key.
CSFSCLCT No Count of certificate labels.
CSFSCLBS Yes Certificate labels which SYMEXPORTCERTS
might be used to export
this symmetric key.
CSFAUSE No Asymmetric key usage. ASYMUSAGE

DATASET - DFP
Use this table to determine the fields in the DFP segment type.

Fieldname Repeats Description Command parameter

RESOWNER No DFP - resource owner

DATASET - TME
Use this table to determine the fields in the TME segment type.

Fieldname Repeats Description Command parameter

ROLEN No # TME role access specs

ROLES Yes TME role access specs

DIGTCERT - CERTDATA
Use this table to determine the fields in the DIGTCERT - CERTDATA segment
type.

Because this segment cannot be edited, it appears only in Segment List and
Segment Types.

Fieldname Repeats Description Command parameter

CERT No Digital certificate

CERTDFLT Yes Default cert for this
keyring
CERTEND No Certificate end date
CERTLABL Yes Digital certificate labels
CERTLSER No Certificate lse
CERTNAME Yes Digital certificate names
CERTPRVK No Private Key
CERTPRVS No Private Key Size
CERTPRVT No Private Key Type
CERTSJDN Yes Distinguished name of
Subject
CERTSTRT No Certificate start date
CERTUSAG Yes Certificate usage in this
keyring
RINGCT No Number of keyrings
RINGNAME Yes Name of the keyring
RINGSEQN No Ring sequence number

Chapter 8. Segment management 137

 DIGTRING - CERTDATA
Use this table to determine the fields in the DIGTRING - CERTDATA segment
type.

Because this segment cannot be edited, it appears only in Segment List and
Segment Types.

Fieldname Repeats Description Command parameter

CERT No Digital certificate

CERTCT No # Digital certificates
CERTDFLT Yes Default cert for this
keyring
CERTEND No Certificate end date
CERTLABL Yes Digital certificate labels
CERTNAME Yes Digital certificate names
CERTPRVK No Private Key
CERTPRVS No Private Key Size
CERTPRVT No Private Key Type
CERTSJDN Yes Distinguished name of
Subject
CERTSTRT No Certificate start date
CERTUSAG Yes Cert. usage in this keyring
RINGCT No Number of keyrings
RINGNAME Yes Name of the keyring
RINGSEQN No Ring sequence number

DLFCLASS - DLFDATA
Use this table to determine the fields in the DLFCLASS - DLFDATA segment type.

Fieldname Repeats Description Command parameter

JOBNAMES Yes Job names

OBNMCNT No Job names #
RETAIN No Retain flag byte

EJBROLE - TME
Use the table in this topic to determine the fields in the EJBROLE - TME segment
type.

Fieldname Repeats Description Command parameter

CHILDN No # TME child roles

CHILDREN Yes TME child roles
GROUPN No #TME associated groups
GROUPS Yes TME associated groups
PARENT No TME parent role
RESN No #TME resource access specs
RESOURCE Yes TME resource access specs
ROLEN No # TME role access specs
ROLEN Yes TME role access specs

FACILITY - DLFDATA
Use the table in this topic to determine the fields in the FACILITY - DLFDATA
segment type.

138 Client Manual

Fieldname Repeats Description Command parameter

JOBNAMES Yes Job names

JOBNMCNT No Job names #
RETAIN No Retain flag byte

FACILITY - EIM
Use the table in this topic to determine the fields in the FACILITY - EIM segment
type.

Definition of the Enterprise Identity Mapping (EIM) domain.

Fieldname Repeats Description Command parameter

DOMAINDN No EIM Domain Distinguished

Name
FIELDNAME REPEATS Description Command parameter
KERBREG No Kerberos registry for EIM KERBREGISTRY
LOCALREG No Local RACF registry for LOCALREGISTRY
EIM
OPTIONS No EIM options
X509REG No X509 registry for EIM X509REGISTRY

FACILITY - PROXY
Use the table in this topic to determine the fields in the FACILITY - PROXY
segment type.

BINDPW and BINDPWKY are read-only fields, so they only exist in SegmentList, not in
Segment Detail.

Fieldname Repeats Description Command parameter

LDAPHOST No LDAP Server URL

BINDDN No Bind Distinguished Name
BINDPW No Bind Password
BINDPWKY No Bind Password Mask |
Encrypt Key

FACILITY - TME
Use the table in this topic to determine the fields in the FACILITY - TME segment
type.

Fieldname Repeats Description Command parameter

CHILDN No # TME child roles

CHILDREN Yes TME child roles
GROUPN No # TME associated groups
GROUPS Yes TME associated groups
PARENT No TME parent role
2RESN No # TME resource access
specs
RESOURCE Yes TME resource access specs
ROLEN No # TME role access specs
ROLES Yes TME role access specs

Chapter 8. Segment management 139

 LDAPBIND - EIM
Use this table to determine the fields in the LDAPBIND - EIM segment type.

Definition of the Enterprise Identity Mapping (EIM) domain.

Fieldname Repeats Description Command parameter

DOMAINDN No EIM Domain Distinguished

Name
OPTIONS No EIM options

LDAPBIND - ICTX
Use this table to determine the fields in the LDAPBIND - ICTX segment type.

The ICTX segment in the LDAPBIND class contains information regarding remote
resource management.

Fieldname Repeats Description Command parameter

USEMAP No USEMAP
DOMAP No DOMAP
MAPREQ No MAPREQUIRED
MAPTIMEO No MAPPINGTIMEOUT

LDAPBIND - PROXY
Use this table to determine the fields in the LDAPBIND - PROXY segment type.

The PROXY segment is used to store LDAP proxy server information.

Fieldname Repeats Description Command parameter

BINDDN No Bind information for LDAP

server being contacted
LDAPHOST No Host of LDAP server to
contact

MFADEF - MFPOLICY
Use this table to determine the fields in the MFADEF - MFPOLICY segment type.

The MFPOLICY segment is used to store MFADEF information.

Fieldname Repeats Description Command parameter

MFFCTRN No Number of MFA factors

MFREUSE No MFA token reusable
MFTIMEO No MFA token timeout in
seconds
MFFCTRS No MFA factor name

PROGRAM - SIGVER
Use this table to determine the fields in the PROGRAM - SIGVER segment type.

The SIGVER (SIGnature VERification) segment for PROGRAM class profiles contains
fields that are verify digital signatures of program modules.

140 Client Manual

Fieldname Repeats Description Command parameter

SIGREQD No Module must have a SIGREQUIRED

signature.
FAILLOAD No Loader failure conditions
SIGAUDIT No RACF audit condition

PTKTDATA - SSIGNON
Use this table to determine the fields in the PTKTDATA - SSIGNON segment type.

PTKTDATA - SSIGNON contains an encryption key only, so it only appears in

SegmentTypes, not in SegmentList or Segment Detail.

Fieldname Repeats Description Command parameter

SSKEY No Single Signon key

REALM - KERB
Use this table to determine the fields in the REALM - KERB segment type.

REALM - KERB/CURKEY, CURKEYV, ENCTYPE, PREVKEY, PREVKEYV, and SALT are read-only
fields, so they only exist in SegmentList, not in Segment Detail.

Fieldname Repeats Description Command parameter

CURKEY No Current Kerberos key

CURKEYV No Current Kerb key version
DEFTKTLF No Default ticket life
ENCTYPE No Kerberos encryption type
ENCRYPT No ed encryption types
KERBNAME No Kerberos name
MAXTKTLF No Maximum ticket life MAXTKTLFE
MINTKTLF No Minimum ticket life MINTKTLFE
PREVKEY No Previous Kerberos key
PREVKEYV No Previous Kerb key version
SALT No Seed for Kerberos
Randomizer

ROLE - TME
Use this table to determine the fields in the ROLE - TME segment type.

Fieldname Repeats Description Command parameter

CHILDN No # TME child roles

CHILDREN Yes TME child roles
GROUPN No # TME associated groups
GROUPS Yes TME associated groups
PARENT No TME parent role
2RESN No # TME resource access
specs
RESOURCE Yes TME resource access specs
ROLEN No # TME role access specs
ROLES Yes TME role access specs

Chapter 8. Segment management 141

 STARTED - STDATA
Use this table to determine the fields in the STARTED - STDATA segment type.

Fieldname Repeats Description Command parameter

FLAGPRIV No Privileged - any, nolog PRIVILEGED

FLAGTRAC No Trace - issue IRR812I TRACE
FLAGTRUS No Trusted - any, log all TRUSTED
STGROUP No Started task RACF group GROUP
STUSER No Started task RACF user ID USER

SYSMVIEW - SVFMR
Use this table to determine the fields in the SYSMVIEW - SVFMR segment type.

Fieldname Repeats Description Command parameter

PARMN No SVFMR parameter list PARMNAME

SCRIPTN No Default logon scripts SCRIPTNAME

Segments of group profiles

Use the field descriptions in this topic to determine the details of each segment in
a group profile.

This section describes the fields for the group segment types.
v “GROUP - CSDATA”
v “GROUP - DFP”
v “GROUP - OMVS”
v “GROUP - OVM” on page 143
v “GROUP - TME” on page 143

GROUP - CSDATA
The CSDATA segment of a GROUP profile is where custom fields of that profile are
added.

You can add fields using the RACF CFIELD class to define the new fields to GROUP
profiles and the labels you want to use for them. The fields of this segment are
installation defined.

GROUP - DFP
Use the table in this topic to determine the fields in the GROUP - DFP segment
type.

Fieldname Repeats Description Command parameter

DATAAPPL No DFP - Data Application

DATACLAS No DFP - Data Class
MGMTCLAS No MDFP - Management Class
STORCLAS No DFP - Storage Class

GROUP - OMVS
Use the table in this topic to determine the fields in the GROUP - OMVS segment
type.

142 Client Manual

 The OMVS segment contains logon information for OMVS. OMVS stands for z/OS
UNIX System Services. The OMVS segment provides a z/OS UNIX Security
context, which you need to log on to OMVS.

Fieldname Repeats Description Command parameter

GID No z/OS UNIX group (grpid) GID

GID The OMVS group identifier. To have the system assign an unused value, use
"auto." If you want more than one group to share the GID, add "s" at the
end of the GID value.

GROUP - OVM
Use the table in this topic to determine the fields in the GROUP - OVM segment
type.

The OVM segment is used to store UNIX System Services information.

Fieldname Repeats Description Command parameter

GID No UNIX group (gid)

GROUP - TME
Use the table in this topic to determine the fields in the GROUP - TME segment
type.

Fieldname Repeats Description Command parameter

ROLEN No # TME role access specs

ROLES Yes TME role access specs

Segments of user profiles

Use these field descriptions to determine the details of each segment in a user
profile.

This section describes the fields for the user segment types.
v “USER - CICS” on page 144
v “USER - CSDATA” on page 144
v “USER - DCE” on page 144
v “USER - DFP” on page 144
v “USER - EIM” on page 144
v “USER - KERB” on page 145
v “USER - LANGUAGE” on page 145
v “USER - LNOTES” on page 145
v “USER - NDS” on page 145
v “USER - NETVIEW” on page 145
v “USER - OMVS” on page 146
v “USER - OPERPARM” on page 146
v “USER - OVM” on page 147
v “USER - PROXY” on page 147
v “USER - TSO” on page 147
v “USER - WORKATTR” on page 148

Chapter 8. Segment management 143

 USER - CICS
Use this table to determine the fields in the USER - CICS segment type.

The CICS segments show information about CICS, an online transaction processing
system. CICS is used to handle large numbers of data transactions from large
computer or terminal networks. This topic shows the fields of the segment.

Fieldname Repeats Description Command parameter

OPCLASS Yes Operator class

OPCLASSN No Operator class values #
OPIDENT No Operator identification
OPPRTY No Operator priority
TIMEOUT No Terminal time-out value
XRFSOFF No XRF Re-signon option

USER - CSDATA
Use this table to determine the fields in the USER - CSDATA segment type.

The CSDATA segment of a USER profile is where custom fields of that profile are
added. You can add fields using the RACF CFIELD class to define the new fields to
USER profiles and the labels you want to use for them. The fields of this segment
are installation defined.

USER - DCE
Use this table to determine the fields in the USER - DCE segment type.

Fieldname Repeats Description Command parameter

DCEENCRY No DCE password encr. key

no.
DCEFLAGS No DCE Autologin AUTOLOGIN
DCENAME No DCE username
DPASSWDS No DCE password
HOMECELL No DCE homecell
HOMEUUID No DCE homecell UUID
UUID No DCE UUID

USER - DFP
Use this table to determine the fields in the USER - DFP segment type.

Fieldname Repeats Description Command parameter

DATAAPPL No DFP - Data Application

DATACLAS No DFP - Data Class
MGMTCLAS No DFP - Management Class
STORCLAS No DFP - Storage Class

USER - EIM
Use this table to determine the fields in the USER - EIM segment type.

Segment to store the name of an LDAPBIND class profile. This profile contains the
information needed to connect to the EIM domain on the LDAP host it resides on.

144 Client Manual

Fieldname Repeats Description Command parameter

LDAPPROF No LDAP Profile

USER - KERB
Use this table to determine the fields in the USER - KERB segment type.

USER - KERB/CURKEY, CURKEYV, DEFTKTLF, ENCTYPE, MINTKTLF, PREVKEY, PREVKEYV, and

SALT are read-only fields, so they only display in SegmentList, not in Segment
Detail.

Fieldname Repeats Description Command parameter

CURKEY No Current® Kerberos key

CURKEYV No Current Kerb key version
DEFTKTLF No Default ticket life DEFTKTLFE
ENCTYPE No Kerberos encryption type
ENCRYPT No ed encryption types
KERBNAME No Kerberos name
MAXTKTLF No Maximum ticket life MAXTKTLFE
MINTKTLF No Minimum ticket life MINTKTLFE
PREVKEY No Previous Kerberos key
PREVKEYV No Previous Kerb key version
SALT No Seed for Kerberos
Randomizer

USER - LANGUAGE
Use this table to determine the fields in the USER - LANGUAGE segment type.

Fieldname Repeats Description Command parameter

USERNL1 No Primary language of a user PRIMARY

USERNL2 No Secondary language of a SECONDARY
user

USER - LNOTES
Use this table to determine the fields in the USER - LNOTES segment type.

Fieldname Repeats Description Command parameter

SNAME No Lotus Notes short

username

USER - NDS
Use this table to determine the fields in the USER - NDS segment type.

Fieldname Repeats Description Command parameter

UNAME No NDS username

USER - NETVIEW
Use this table to determine the fields in the USER - NETVIEW segment type.

Fieldname Repeats Description Command parameter

CONSNAME No Default console name

Chapter 8. Segment management 145

 Fieldname Repeats Description Command parameter

CTL No Scope of control

DOMAINS Yes Cross-domain authority DOMAINS
DOMAINSN No # cross-domain authorities
IC No Initial command list
MSGRECVR No Receive undelivered
messages
NETVIEW No Admin auth Graphic Mon NGMFADMN
Fac
NGMFVSPN No View span opts
Graph.Mon.Fac.
OPCLASS Yes Operator class
OPCLASSN No Operator class values #

USER - OMVS
Use this table to determine the fields in the USER - OMVS segment type.

The OMVS segment contains logon information for OMVS. OMVS stands for z/OS
UNIX System Services. The OMVS segment provides a z/OS UNIX Security
context, which you need to log on to OMVS.

Fieldname Repeats Description Command parameter

ASSIZE No Max. address space size ASSIZEMAX

CPUTIME No Maximum CPU time CPUTIMEMAX
FILEPROC No Max. files open per proc FILEPROCMAX
HOME No z/OS UNIX home path
MMAPAREA No Max. data space for MMAPAREAMAX
mapping
PROCUSER No Max. nr. of active procs PROCUSERMAX
PROGRAM No Conditional access program
THREADS No Max. nr. of active threads THREADSMAX
UID No z/OS UNIX user (uid)

UID OMVS UID field with the user identifier. To have the system assign an
unused value, fill in "auto." If you want more than one user to share the
UID, add "s" at the end of the UID value.

USER - OPERPARM
Use this table to determine the fields in the USER - OPERPARM segment type.

Fieldname Repeats Description Command parameter

OPERALTG No Alternate console group ALTGRP

OPERAUTH No Console authority AUTH
OPERAUTO No Receive msgs automated by AUTO
MPF
OPERCMDS No System to send commands CMDSYS
to
OPERDOM No Delete operator messages OM
type
OPERKEY No KEY keyword of KEY
D,CONSOLES,KEY
OPERLEVL No LEVEL of msgs to be LEVEL
received
OPERLOGC No Command response logging LOGCMDRESP

146 Client Manual

Fieldname Repeats Description Command parameter

OPERMCNT No MSCOPE systems #

OPERMFRM No Message format MFORM
OPERMGID No Migration id to be assigned MIGID
OPERMON No Events to be monitored MONITOR
OPERMSCP Yes MSCOPE systems MSCOPE
OPERROUT No ROUTCODEs for msg ROUTCODE
reception
OPERSTOR No STORAGE in MB for msg STORAGE
queuing
OPERUD No Receive undelivered UD
messages

USER - OVM
Use this table to determine the fields in the USER - OVM segment type.

Fieldname Repeats Description Command parameter

FSROOT No OpenVM file system root

HOME No z/OS UNIX home path
ROGRAM No Conditional access program
UID No z/OS UNIX user (uid)

USER - PROXY
Use this table to determine the fields in the USER - PROXY segment type.

BINDPW and BINDPWKY are read-only fields, so they only exist in SegmentList, not in
Segment Detail.

Fieldname Repeats Description Command parameter

LDAPHOST No LDAP Server URL

BINDDN No Bind Distinguished Name
BINDPW No Bind Password
BINDPWKY No Bind Password Mask |
Encrypt Key

USER - TSO
Use this table to determine the fields in the USER - TSO segment type.

TSO is the abbreviation of Time Sharing Option, a specific way to communicate

with MVS™ by entering line commands, the mainframe equivalent of a DOS
prompt. The TSO segment contains information about how to log on to MVS.

USER - TSO/TCONS, TOPTION, TPERFORM, TRBA, and TUPT are read-only fields, so they
only exist in SegmentList, not in Segment Detail.

Fieldname Repeats Description Command parameter

TACCNT No Default account number ACCTNUM

TCOMMAND No Default command COMMAND
TCONS No Consoles support
TDEST No Destination identifier DEST
THCLASS No Default held sysout class HOLDCLASS
TJCLASS No Default job class JOBCLASS

Chapter 8. Segment management 147

 Fieldname Repeats Description Command parameter

TLPROC No Default logon procedure PROC

TLSIZE No Default logon region size SIZE
(KB)
TMCLASS No Default message class SGCLASS
TMSIZE No Maximum region size MAXSIZE
TOPTION No Mail/Notice/Recon/OID
options
TPERFORM No Performance group
TRBA No RBA of user broadcast area
TSCLASS No Default sysout class SYSOUTCLASS
TSOSLABL No Default logon SECLABEL SECLABEL
TUDATA No Site data TSO user (2 byte) USERDATA
TUNIT No Default unit name UNIT
TUPT No UPT control block data

USER - WORKATTR
Use this table to determine the fields in the USER - WORKATTR segment type.

Fieldname Repeats Description Command parameter

WAACCNT No Account number

WAADDR1 No SYSOUT address line 1
WAADDR2 No SYSOUT address line 2
WAADDR3 No SYSOUT address line 3
WAADDR4 No SYSOUT address line 4
WABLDG No Building for delivery
WADEPT No Department for delivery
WAEMAIL No User's fully qualified email
address
WANAME No User name for SYSOUT
WAROOM No Room for delivery

148 Client Manual

Chapter 9. Running REXX scripts
zSecure Visual can be customized to allow running site-defined REXX scripts.

When the Visual Server has been configured to access site-defined REXX scripts,
you can use the Visual Client to select and run a REXX script. You can find more
information in the following topics.
“Prerequisites for running REXX scripts on the Visual Server”
Before you can run site-defined REXX scripts from a Visual Client, an
association file must be created in the Visual Server.
“Running a REXX script in the Visual Client”
Use the Visual Client interface to run a REXX script that is configured on the
Visual Server. The procedure is described in this section.

Prerequisites for running REXX scripts on the Visual Server

Before you can run site-defined REXX scripts from a Visual Client, an association
file must be created in the Visual Server.

Use the instructions in "Site-defined REXX scripts" in the Installation and Deployment
Guide to configure an association file for site-specific REXX scripts. You can then
use the Visual Client to select and run a REXX script at the local server node.
Running REXX scripts from remote nodes is not supported.

Scripts will only show when such an association file was defined on the server. If
an association file was not defined on the server, the client will not provide a
message indicating that no REXX scripts have been defined.

Running a REXX script in the Visual Client

Use the Visual Client interface to run a REXX script that is configured on the
Visual Server. The procedure is described in this section.

Before you begin

A REXX script must be defined in the Visual Server before the Visual Client can be
used to run the script. See “Prerequisites for running REXX scripts on the Visual
Server.”

Note: Visual Client shows the configured description for the script, not the actual
name of the script.

Procedure

To run a REXX script in Visual Client, use one of these methods:

v Right-click a profile that belongs to the class for which you want to run a REXX
script. For example, use Navigate, Find, and Class: User. Right-click a profile to
view the list of the available actions, navigation options, and the description of
the REXX scripts that are defined on the Visual Server. Click a description to run
the script. This option works for all classes for which REXX scripts have been
defined on the Visual Server such as User, Group, and Dataset, or a specific class
such as XFACILIT.

© Copyright IBM Corp. 1998, 2017 149

 v Select Navigate in the main client window to view a list of descriptions of the
available REXX scripts. Then click the listed description to run the script. This
option is available only for scripts that are defined to be run against the class
User.

150 Client Manual

Chapter 10. Managing client definitions
You can use this information to manage client definitions that are required for
communication between the Visual server and client.

To access the server, a zSecure Visual client needs a local server definition and a
corresponding client definition on the server. With these definitions, a safe
communication channel is created. To set up a new, previously unused channel, an
initial password is needed once. The client definition contains more information
than the server definition; otherwise they are similar.

The mainframe provides limited support for managing client definitions. For more
information, see the section about configuring zSecure Visual clients in the server
in the IBM Security zSecure CARLa-Driven Components: Installation and Deployment
Guide.

PC Mainframe

zSecure Visual zSecure Visual

client server

Server definition Client definition

Server ID Server ID
Server IP address or name Server IP address or name
Server TCP Port Server TCP Port
Client ID Client ID
Local Port Local Port
- -
- Status
Initial password Remarks
Initial password

Figure 75. Server and client definitions needed for communication between the server and a
client

Maintaining client definitions

The maintenance tasks allow you to create, edit, and delete client definitions for
zSecure Visual.

About this task

The Maintain Client window enables you to:

v Create client definitions
v Edit or delete existing client definitions
v Generate initial passwords

© Copyright IBM Corp. 1998, 2017 151

 Procedure
v To open the Maintain Client window, select Maintenance > Client from the
main menu. The Maintain Client window lists all existing client definitions for
an instance of the zSecure Visual server.

Figure 76. Maintain Client window

The client fields are:

Client ID
Optional. Must be unique to the server. If left empty, the server
generates one for you. This field is also known as Agent ID on the
server.
Remarks
Optional. Stores any notes for the client definition.
Status Read only. Shows deleted or active. You cannot use a deleted client
definition to log on.
Initial password
Read only. Required to initiate communication for a new client. It is
generated by the server. The validity is limited to seven days or the
length of the server run, whichever ends first.

Note: The initial password is displayed only after being generated and
only as long as the window remains open. Newly created client
definitions are automatically assigned an initial password.
The server attributes are shown at the top of the window: Server ID, IP address
or name, and TCP Port. For information about server fields and creating server
definitions on the client, see “Server definition parameters” on page 7.
v Select the Add button to add a single definition.
v Select the Edit button to edit a single definition.
v To delete one or more definitions, select the entries and click Delete.
v Use the Undelete button to activate a deleted definition.
v To generate one or more new passwords, select the definitions and click Initial
password.

152 Client Manual

Batch mode to add multiple client definitions
Use the Batch add dialog to create multiple client definitions for zSecure Visual in
a batch run.

Use the Batch Add dialog to create multiple client definitions using a single action.

Figure 77. Batch add client definitions dialog

The following fields are displayed:

Client ID base number
Optional. Specifies the value to start with when generating the Client IDs.
Remarks
Optional. Text that identifies the purpose of the batch of IDs.
Number of definitions
Specifies the total number of Client IDs to generate. You can specify a
value up to 100.

When the batch run finishes, the Maintain Client window is displayed showing
the new entries with initial passwords. See Figure 76 on page 152.

Client definition attributes

Specify these attributes to create a corresponding server definition in zSecure
Visual.

After you create a client definition, you must specify these attributes for the client:
v Server IP address or name
v Server TCP port number
v Client ID
v Initial password

These attributes are used to create the corresponding server definition. The client
and server definitions enable the client to log on to the server. See “Server
definition parameters” on page 7 for more information.

Copying a client definition to the clipboard

Use the copy-client procedure to select and distribute specific Visual client
definitions to users.

About this task

From the Maintain Client window, you can copy selections of client IDs and initial
passwords to the clipboard and mail them to your users.

Chapter 10. Managing client definitions 153

 Procedure

To copy client definitions to the clipboard, complete these steps:

1. Open the Maintain Client window.
2. Generate the client definitions and initial passwords needed for distribution.
3. Select the client definitions that you want to distribute.
4. Copy the selected definitions to the clipboard. The server attributes are added
at the top as a header. The client information is laid out in tabbed columns. You
can paste to a spreadsheet to retain the column spacing, or to an email. The
email layout does not retain the equally spaced tabbed alignment.
Clipboard example:
Server
IP address or name: test
TCP Port: 8000

Client ID Remarks Status Initial password

12.1.100 secadmin HTR active 63F693FF96
12.1.101 generic 100 active 99F239EF6F
12.1.102 generic 100 active 01E671F0A6

154 Client Manual

Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing

Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain

transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web

© Copyright IBM Corp. 1998, 2017 155

 sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurement may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which

illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not

156 Client Manual

 been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM for the purposes of developing, using, marketing, or distributing application
programs conforming to IBM‘s application programming interfaces.

If you are viewing this information in softcopy form, the photographs and color
illustrations might not be displayed.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, Acrobat, PostScript, and the PostScript logo are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, and/or other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and

Telecommunications Agency which is now part of the Office of Government
Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other

countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office

of Government Commerce, and is registered in the U.S. Patent and Trademark
Office.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the

United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium and the Ultrium Logo are
trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks
of others.

Notices 157
158 Client Manual
Glossary
CKG profile processing is bypassed. The list is stored
A number of profiles in the XFACILIT in the DATASET profile of the GLOBAL
class control access to the CKGRACF class.
commands. The profile names start with
HLQ High Level Qualifier or first qualifier. The
"CKG." Note: If the Site Module general
left-most part of a data set name; the
resource class name is customized during
string of letters before the first period.
the server setup, as described in the IBM
Security zSecure CARLa-Driven Components: ID User ID or group name.
Installation and Deployment Guide, the class
Member
with the specified name controls access to
Profile members are used to create a list
the CKGRACF commands, rather than the
of entries associated with a profile.
XFACILIT class.
MVS A mainframe operating system.
Access authority
The authority a user needs to access a Owner
protected resource. The higher the Every profile has an owner. The user or
authority, the more a user is ed to do. group that owns the profile can view,
change, and delete that profile.
Class All RACF entities, such as, users and
resources, are categorized into classes. Permit
The Class Descriptor Table contains a Permitted accessability of a user or group
description of all classes except USER, to specified resources.
GROUP, and DATASET.
Profile
Class Descriptor Table A description of the security-relevant
An assembled RACF table that contains characteristics of one or more users,
entries for all general resource classes. groups, or resources. A profile is divided
into segments.
CKGRACF
Short mainframe program name for a Proftype
utility that issues authority-sensitive Profile type. For general resources, it can
RACF commands. Component of IBM be discrete or generic. For data sets, it can
Security zSecure. be generic, nonvsam, vsam, tapedsn, or
model.
CKRCARLA
Short mainframe program name for the RACF Resource Access Control Facility. A
IBM Security zSecure application. security program that provides access
control on an MVS or a VM environment
Connect
by user identification, access
A profile that connects a user to a group.
authorization, etc. Renamed to SecureWay
Depending on the attributes of the
Security Server.
connect, a user has different
authorizations. RRSF RACF Remote Sharing Facility. The IBM
RRSF allows RACF to communicate with
General Resource
other IBM z/OS systems that use RACF,
Anything that RACF can protect except
allowing you to maintain remote RACF
users, groups, and data sets. For example,
databases. An RRSF node is an MVS
by default the CKG profiles reside in the
system image, or a group of MVS system
XFACILIT class, which is a general
images sharing a RACF database.
resource class.
Schedule
Global Access Table (GAT)
Schedules enable you to set and run
A fast way to allow access to all users,
timed commands, such as revoke
except restricted users, to a list of
intervals. For example, the administrator
resources. Most RACF authority
can define a future interval for the period
© Copyright IBM Corp. 1998, 2017 159
 that a user is on vacation. On the
specified start date of the vacation, the
user is revoked automatically. At the end
of the specified period, the user is
resumed by the system.
Segment
Part of a profile that contains a specific
part of the identification.
Setropts
A command to set system-wide z/OS
options related to resource protection (Set
RACF Options).
Setropts erase
RACF command.
Subgroup
A group becomes a subgroup of the
group is has as a superior group.
Supgroup
Every group except SYS1 has one superior
group. The hierarchy created this way
plays an important role in the way access
is granted.
Universal Access Authority (UACC)
Part of a data set or resource profile that
defines the default access that is granted
if a user or group is not granted explicit
access (except restricted users, which have
no access through UACC). Note that for
sensitive resources, the UACC is usually
set to NONE.
Userid
User ID, unique identification for a RACF
user.
z/OS A mainframe operating system,
containing MVS as a component.

160 Client Manual

Index
Special characters add (continued)
segment
attributes (continued)
gAud 104
? 34 from Segment Detail gOper 104
$DELETE 70 window 130, 132 group 91
schedules, user 79 to profile 132 gSpec 104
* (asterisk) character, filtering 38 server definition 7 audit, system report 52
* option subgroup 89 AuditF
Scope dialog 46 user 66 Add resource profile 113
% (percentage) character, filtering 38 When 120 Properties of resource profile 116
Add member dialog 124 Resources table 110
add MFA Factor 59 Auditor attribute, User properties 62
A add MFA policy 61 AuditS
About.log 23 Add resource profile Add resource profile 113
Access Appldata 113 Properties of resource profile 116
add to access list 120 AuditF 113 Resources table 110
edit access list 121 AuditS 113 Auth values
Access column, access list 118 Class 113 Connects table 97
access conditions, via 46, 50 Erase 113 Author column
access list InstData 113 Schedules 80
Access 118 Notify 113 authority
Add Owner 113 Connect properties 99
Access 120 Profile 113 Authority
ID 120 Refresh 113 Connect properties 99
When 120 UACC 113 Create connect 102
administration level 27 Warning 113 authorization
Alter 118 Add resource profile dialog 113 dependent on connect 97
Control 118 Add schedule interval dialog 81 interface
delete entry 122 Add Segment dialog 132 Access list 27
edit Add subgroup dialog 89 Automatic 27
Access 121 Add to access list dialog 120 Connect 27
ID 121 Add/Remove option, Visual client 5 Full 27
When 121 administration Group 27
effective 50 manage overhead 122 Helpdesk 27
Execute 118 multiple server definitions 9 User 27
ID 118 profile members 122 levels 27
None 118 Advanced option in search 38 automate upgrade path 15
printing 33 alias automated 10
Read 118 define for new user 66 automated setup
Scope dialog 46 define for subgroup 89 configuration file 10
Update 118 Also resume Automatic
viewing 53 Set password 76 administration level 27
When 118 Alter column, access list 118
accessibility xi alternative ID dropdown 36
ACL 118 Ambiguous Class selection message 42
APPCLU - SESSION 135
C
ACLCount c2racvn.cfg text file 22
Properties of resource profile 116 Appldata
Categories attribute
Resources table 110 Add resource profile 113
User properties 62
activate MFA Factor 59 Resources table 110
CD, installing client from 2
add Application data
CDT - CDTINFO 135
Access 120 Properties of resource profile 116
CDTINFO 135
access list 120 application segments 128
centralized administration, schedules 79
client definitions, batch 153 association file 149
CERTDATA 137, 138
connect 102 asterisk (*) character, filtering 38
CFDEF 136
field to segment 130 AT option 36
CFIELD - CFDEF 136
group 91 Attempts
change
ID 120 User table 55
column sequence 31
interval to schedule 81 attributes
date format 25
member list entry 124 Connect properties for group 99
default password 76
multiple server definitions 9 Connect properties for user 99
font for dialogs 25
Connects table 97
font for table 25
Create connect 102
member 125

© Copyright IBM Corp. 1998, 2017 161

change (continued) Communication window 24, 32 create (continued)
member list 124 communication with mainframe, dialog
password 19 viewing 24 Batch add client definitions 153
Visual client components 5 complete installation, Visual client 2 group 91
Changed completion status, verifying for resource profile 115
Segment Detail 130 actions 37 user 66
CICS 144 Complex Create
CKG profile 19, 27 Group table 85 authority 97, 99, 102
CKGPRINT.log 23 User table 55 connect
CKGRACF 19 complex selection dialog 44 copy and paste 104
information 33 configuration dialog 102
SYSPRINT output 24 automated 10 drag and drop 104
viewing commands 24 configuration file limitations 12 Created column
CKRCARLA target configuration file 12 Schedules 80
date format 29 Visual client 1, 6 Created field
information 33 configuration file Connect properties 99
SYSPRINT output 24 configuring on target 12 Group properties 87
viewing commands 24 examples 13 Group table 85
class guidelines 13 Resources table 110
ambiguous selection 42 layout 11 User properties 62
description 42 limitations 12 User table 55
descriptor table 122 modify existing 12 CSDATA 142, 144
groupings 122 running on target 12 CSFKEYS - ICSF 136
name 42 Configuration in export mode dialog 10 CSV format, exporting 32
refresh 126 Configure dialog 6 custom installation, Visual client 2
related segments 128 connect
status 42 add 102
view active 42
view all 42
attribute 97
Auth 97
D
data set profile
view authorized 42 changing 98
Add subgroup 89
Class copy and paste 30
generic 66, 91
Active 42 create 102
group
Add resource profile 113 default owner 25
create 91
All 42 defining names 31
enforce creation 91
authorizations, User properties 62 delete 105
user
Authorized 42 management 97
create 66
Find dialog 38 properties 99
enforce creation 66
Properties of resource profile 116 RACF users 97
databases, navigating RACF 35
Resources table 110 unintended 98
DATASET - DFP 137
Scope * dialog 50 viewing 21, 43
DATASET - TME 137
Scope dialog 46 Connect
dataset profile 45
client administration level 27
DATASET profile 110
attributes 1, 153 authority 97, 99, 102
date format
installation 1 properties for group dialog 99
change 25
requirements 1 properties for user dialog 99
CKRCARLA 29
setup 1 Connect Revoked
customizing 29
client definition Connect properties 99
ISO 29
add batch mode 153 Connects table 97
Windows long 29
copying 153 attributes 97
Windows short 29
delete 151 example of 97
Date format dialog 29
edit 151 gAud 97
DCE 144
maintaining 151 gOper 97
DCE UUID
maintenance 151 gSpec 97
Duplicate user 66
undelete 151 printing 33
decentralized administration,
uploading 153 Control column, access list 118
schedules 79
Client ID copy
default
base number 153 resource profile 115
connect owner 25
batch add client definitions 153 server definition 10
password, remove 79
Maintain Client 151 copy and paste 30
password, set 76
Server definition 7 Create connect 104
Default Group
Client ID client attribute 1, 153 create
Duplicate user 66
column Batch add client definitions
User table 55
change sequence 31 dialog 153
Default password
sort by entry 17 client definitions, batch 153
Duplicate user 66
command line configuration file 10
Set password 75
option to automate upgrade 15 connect 102
DefaultGrp
commands, accessing on mainframe 19 data set profile 89, 91
User table 55

162 Client Manual

DefaultGrp attribute dialogs (continued) edit (continued)
User properties 62 Select class 42 access list (continued)
Define Alias 91 Select Node for group tree 44 When 121
Add subgroup 89 Select Nodes 36 client definition 151
Duplicate user 66 Server definition 7 member 125
defining names, rules 31 Server Information 33 member list 124
delete Set password 74 resource profile 116
access list entry 122 User properties 62 Segment Detail window
client definition 151 DIGTCERT - CERTDATA 137 Add Field 130
connect 105 DIGTRING - CERTDATA 138 Add Segment 130
group 94 directory Apply 130
member 125 configuration file 12 Delete Segment 130
resource profile 118 log files 23 Refresh 130
segment 130 Visual client program 2 segment type 127
server definition 6 disable MFA Factor 59 server definition 7
undo, user 70 Disable password Edit access list dialog 121
user 70 Set password or passphrase 73 Edit Default Passphrase
Delete function, schedules 82 disable user 70, 71 User properties 62
Delete group dialog 94 Disable user dialog 71 Edit Default Password
delete MFA Factor 59 display unauthorized functions 27 User properties 62
delete MFA policy 61 DLFCLASS - DLFDATA 138 Edit default password dialog 78
Delete resource profile dialog 118 DLFDATA 138, 139 Edit member dialog 125
Delete schedule interval dialog 82 documentation edit MFA Factor tags 59
Description obtain licensed publications vi education xi
Segment Detail 130 drag and drop effective access list 50
DFP 137, 142, 144 Create connect 104 printing 33
diagnosing silent installation 14 DSN field, adding member 124 viewing 53
diagnostic messages, add to print 25 duplicate EIM 139, 140, 144
dialog group 91 EJBROLE - TME 138
change font 25 group segments 91 enable user 72
dialogs resource profile 115 Enable user dialog 72
Add member 124 user 66 End column
Add resource profile 113 user segments 66 Schedules 80
Add schedule interval 81 Duplicate group End field
Add Segment 132 dialog 91 Add schedule interval 81
Add subgroup 89 OMVS segment Enforce creation of data set profile
Add to access list 120 GID 91 Add subgroup 89
Configuration in export mode 10 z/OS UNIX group (grpid) 91 Duplicate group 91
Configure 6 Duplicate resource profile dialog 115 Duplicate user 66
Connect properties for group 99 Duplicate user Enterprise Identity Mapping
Connect properties for user 99 DCE segment domain 140
Create connect 102 UUID 66 Erase
Date format 29 dialog 66 Add resource profile 113
Delete group 94 KERB segment Properties of resource profile 116
Delete resource profile 118 Kerberos name 66 Resources table 110
Delete schedule interval 82 KERBNAME 66 errors, viewing in Communication
Disable user 71 LNOTES segment window 24
Duplicate group 91 Lotus Notes short username 66 Exact option in search 38
Duplicate resource profile 115 SNAME 66 examples of configuration files 13
Duplicate user 66 NDS segment Excel format, exporting 32
Edit access list 121 NDS username 66 Execute column, access list 118
Edit default password 78 UNAME 66 exit
Edit member 125 OMVS segment confirm exit option 25
Enable user 72 Initial program 66 Visual client 22
Find 38 OMVS HOME 66 expired password
Find for groups 85 OMVS UNIX home path 66 Set password or passphrase 73
Find users 55 PROGRAM 66 Expired status
Group properties 87 UID 66 User properties 62
Logon 19 UNIX user (uid) 66 export
Member list 123 configuration file 10
Node Selection 20 messages and return codes 24
Options 25
Permits 45
E RTF format. 32
server definition 6
Eclipse Help System 1
Properties of resource profile 116 table 32
edit
Schedules 80 extra fields
access list
Scope 46 User table 55
Access 121
Scope * 50
ID 121

Index 163
F group (continued)
auditor attribute
Helpdesk administration level 27
hide unauthorized functions 27
F1 key 17 Scope dialog 46 high level qualifier (HLQ) 45
FACILITY - DLFDATA 139 delete 94 HLQ (high level qualifier) 45
FACILITY - EIM 139 designing structure 122 HOME segment, Duplicate user 66
FACILITY - PROXY 139 display as resource profile 42
FACILITY - TME 139 Extra Selection Fields Find Dialog 85
fields
group profile segments 142
finding 38
list scope 46
I
user profile segments 143 IBM
management 85
Fieldvalue Software Support xi
operations attribute
Segment Detail 130 Support Assistant xi
Scope dialog 46
Filter option IBM Eclipse Help System 1
profile segments
Scope dialog 46 ICSF 136
GROUP - CSDATA 142
search 38 ICTX 140
GROUP - DFP 142
find 38 ID
GROUP - OMVS 143
Advanced option 38 add to access list 120
GROUP - OVM 143
Exact option 38 edit access list 121
GROUP - TME 143
extra fields for users 55 ID * option, Scope * dialog 50
properties 87
Filter option 38 ID column, access list 118
properties, viewing 21
Find window always on top ID options
purpose 122
option 25 Scope dialog 46
remove connects 94
group 38 IDIDMAP profile 82, 112
remove permits 94
Mask option 38 import server definition 6
special attribute
resource 38 Inactive
Scope dialog 46
Segments option 38 User table 55
table 85
user 38 Inactive status
wrong display 42
Find dialog 38 User properties 62
Group
Extra Selection Fields Groups 85 Initial password
Add subgroup 89
Installation data 110 Maintain Client 151
administration level 27
Owner 110 Server definition 7
Connect properties 99
Segment 110 initial password client attribute 1, 153
Duplicate group 91
Find users dialog 55 Initial program segment
extra fields in find dialog 85
folder, Visual client program 2 Duplicate user 66
properties 87
font installation
table 85
change font dialogs 25 complete 2
GROUP - CSDATA 142
change font table 25 custom 2
GROUP - DFP 142
format, date 29 methods, Visual client 2
GROUP - OMVS 143
forms, Status of ... 37 requirements 1
GROUP - OVM 143
Full administration level 27 setup program 2
GROUP - TME 143
silent 14
Group properties dialog 87
software requirements 1
Group table
G printing 33
uninstallation 5
Visual client
GAT, refresh 126 group tree
hardware requirements 1
gAud 97 change font 25
Visual client, prerequisites 1
Connect properties 99 Load Complete option 44
Installation data
Create connect 102 scope 44
Add subgroup 89
option, Scope dialog 46 viewing 44
Duplicate group 91
GCSFKEYS - ICSF 136 grouping class 122
Duplicate user 66
generic data set profile gSpec
Group properties 87
group 91 Connect properties 99
Group table 85
user 66 Connects table 97
Properties of resource profile 116
Generic Resource profile 110 Create connect 102
Resources table 110
GID option, Scope dialog 46
User properties 62
Duplicate group 91 GXCSFKEY - ICSF 136
User table 55
OMVS group identifier 143 InstData
Global Access Table Add resource profile 113
option, Scope dialog 46 H Group table 85
refresh 126 HasPassword Resources table 110
gOper User table 55 User table 55
Connect properties 99 HasPhrase interface authorization levels 27
Connects table 97 User table 55 interface level, setting 25
Create connect 102 help interval
option, Scope dialog 46 installation 2 add to schedule 81
group requirements for using 1 delete schedule 82
Add subgroup 89 viewing information 17 in schedule 79
HelpContact, Server definition 7 repeat schedule 81

164 Client Manual

Interval column log off Visual client 22 multi-system
User table 55 logon selecting mode 18
IP address, server attributes 151 attempts 55 use multi-system services option 25
ISO date format 29 dialog 19 multiple
iso file RACF 19 databases, selecting 36
obtain licensed publications vi selecting mode 18 server definitions 9
Lotus Notes short username segment system actions, verifying 37
Duplicate user 66 MYACCESS, SHOW command 89
J
Join authority 97, 99, 102
M N
mainframe name
K communication with client 24
logon 19
mapping profile 82
rules for defining 31
KERB 141, 145
Maintain Client window 151 server attributes 151
Kerberos name
maintenance Name
Duplicate user 66
client definition 151 Add schedule interval 81
KERBNAME segment
repair Visual client files 5 Duplicate user 66
Duplicate user 66
uninstallation 5 Server definition 7
management User table 55
connect 97 Name attribute
L group 85 User properties 62
Label resource 109 Name column
IDIDMAP profile 112 segments 127 Schedules 80
Mapping information 82 user 55 NDS 145
LAN directory, installing client from 2 Manual setup NDS username segment
LANGUAGE 145 Setup parameters 10 Duplicate user 66
Last connect mapping NETVIEW 145
Connect properties 99 information, IDIDMAP profile 112 New group
User properties 62 profiles 82 Duplicate group 91
Last logon viewing 82 New password
User properties 62 Mapping information window 82 Set password 75
Last passphrase change Mappings count New userid
User properties 62 User properties 62 Duplicate user 66
Last password change MappingsCount Node Selection dialog 20
User properties 62 User table 55 nodes
LastConnect Mask option in search 38 RRSF 20
User table 55 member search all 38
LastPhrChange delete 125 selected search 38
User table 55 list 122 selecting 20
LastPwdChange add entry 124 zSecure 20
User table 55 changing 125 None column, access list 118
LDAPBIND - EIM 140 deleting entry 125 Notify
LDAPBIND - ICTX 140 editing 125 Add resource profile 113
LDAPBIND - PROXY 140 viewing 123 Properties of resource profile 116
licensed documentation list, viewing 54 Resources table 110
obtain .iso file vi printing 33 Number of definitions
limitations to Visual client profile 122 Batch add client definitions 153
configuration 12 profile, exceptional uses 123
List resources Member list dialog 123
Scope dialog 46
List users and groups
messages, viewing in Communication
window 24
O
OMVS 143, 146
Scope dialog 46 MFA Factor management 59
Initial program 66
list, view segment 130 MFA policy management 61
UNIX home path 66
LNOTES 145 MFADEF - MFPOLICY 140
UNIX user ID 66
Load Complete feature 44 MFPOLICY 140
online
Local port Microsoft Excel
publications v, vi, viii
Server definition 7 CSV 32
terminology v
log files RTF 32
ONLYAT option 36
About.log 23 mode
ONLYAT option for Select Nodes 36
CKGPRINT.log 23 local, selecting 18
operating systems, supported for Visual
directory 23 multi-system, selecting 18
client 1
Requests.log 23 Mode selection listbox 38
Operations attribute
silent installation 14 Modify option, Visual client 5
User properties 62
SYSPRINT.log 23 move, connects 106
OPERPARM 146
SYSTERM.log 23 multi-node, limitations on actions 118
viewing 23

Index 165
options Previous password properties (continued)
add diagnostic messages to print 25 Set password 75 Group 87
change font dialogs 25 printing Inactive 62
change font table 25 menus 32 Installation data 62
confirm exit 25 messages and return codes 24 Installation Data 87
date format 25 preview 33 Last connect 62
default connect owner 25 tables 33 Last logon 62
Find window always on top 25 problem-determination xi Last password change 62
include access due to group profile Mappings count 62
operations 25 add segment 130, 132 Name 62
include access due to system CKG 27 Operations 62
operations 25 DATASET 110 Owner 62, 87
include profiles 25 delete resource 118 Password attempts 62
interface level 25 edit resource 116 Password interval 62
use multi-system services 25 generic 110 resource profile 116
Options dialog 25 group segments 142 Revoked 62
OVM 143, 147 IDIDMAP 82, 112 Security label 62
Owner mapping 82 Security level 62
Add resource profile 113 members 122 Special 62
Connect properties 99 members, exceptional uses 123 SubGroups 87
Duplicate user 66 resource 110 SupGroup 87
Group properties 87 resource, duplicate 115 TermUACC 87
Group table 85 Segment Detail, Changed Universal 87
Properties of resource profile 116 column 130 user 55
Resources table 110 segments of resource 134 User 62
User table 55 user segments 143 user ID 62
Owner attribute view properties 130 viewing 21
User properties 62 view Segment Detail window 130 Properties of resource profile dialog 116
warning mode 46 Protected
Profile User properties 62
P Add resource profile 113
Properties of resource profile 116
User table 55
PROXY 139, 140, 147
PADCHK field, adding member 124
Resources table 110 PTKDATA - SSIGNON 141
passphrase
Profile filter publications
setting 73
Scope * dialog 50 accessing online v, vi, viii
Passphrase expired
Scope dialog 46 list of for this product v, vi, viii
User properties 62
Profile in Warning obtain licensed publications vi
password
Scope dialog 46 obtaining licensed v
changing 19
Profile type PwdExpireDate
default 75
Properties of resource profile 116 User table 55
new 75
ProfType
remove 79
Resources table 110
resetting 75
resume 76
PROGRAM
Duplicate user 66
Q
set default 76 question mark, used in tables 34
PROGRAM - SIGVER 140
set to previous 75 quit 22
PROGRAM class, adding member 124
setting 73
program folder, Visual client 2
Password
properties
Duplicate user 66
Password attempts
Auditor 62 R
Categories 62 RACF 70, 97
User properties 62
Class authorizations 62 limitations on multi-node actions 118
Password interval attribute
connect logon 19
User properties 62
Authority 99 navigating databases 35
paste special 30
Connect Revoked 99 selecting multiple databases 36
percentage (%) character, filtering 38
Created 99 SETROPTS settings 52
permits 45
gAud 99 SYSPRINT output 24
printing 33
gOper 99 verifying changes 37
remove user 105
Group 99 Read column, access list 118
Permits dialog 45
gSpec 99 REALM- KERB 141
PhrExpired
Last connect 99 Reason
User table 55
Owner 99 Add schedule interval 81
PhrExpireDate
Resume Date 99 Schedules 80
User table 55
Revoke Date 99 Set password 76
Port conflict
User 99 refresh
avoid 7
Created 62, 87 class 126
prerequisites for Visual client
DefaultGrp 62 GAT 126
installation 1
Expired 62 segment 130

166 Client Manual

Refresh 115 resource profile (continued) schedules (continued)
Add resource profile 113 Generic Resource 110 revoke user 79
Registry name refresh 115, 118 viewing user 80
IDIDMAP profile 112 Resources table Schedules dialog 80
Mapping information 82 ACLCount 110 scope
reinstallation Appldata 110 description 46
Repair option 5 AuditF 110 fields in tables 34
Remarks AuditS 110 Scope *
Batch add client definitions 153 Class 110 Class 50
Maintain Client 151 Created 110 printing 33
remove Erase 110 Profile filter 50
Connect 105 InstData 110 UACC 50
default password 79 Notify 110 Scope * dialog 50
group 94 Owner 110 * 50
resource profile 118 printing 33 Alter-M 50
undo, user 70 Profile 110 Alter-Operations 50
user 70 ProfType 110 Alter-P 50
user permits from group UACC 110 Auditor 50
resources 105 UserIDcount 110 CKGList 50
Visual client program 5 Volser 110 CKGOwner 50
Repair option, reinstallation 5 Warning 110 Class field 50
Repeat function, schedules 81 resume deactivated options 50
requests issued by client, viewing 24 password 76 displayed results fields 50
Requests.log 23 user 71 Global 50
required operating system, installation 1 Resume Date ID * option 50
requirements for installation 1 Connect properties 99 Operations 50
Reset Password Create connect 102 Owner 50
Set password 75 return codes Profile filter field 50
resource viewing in Communication QualOwner 50
finding 38 window 24 SCP.G 50
management 109 revoke a user 70 SCP.ID 50
permit 45 Revoke Date SCP.U 50
profile 45 Connect properties 99 UACC 50
profile segments Create connect 102 UACC option 50
APPCLU - SESSION 135 Revoke status Via 50
CDT - CDTINFO 135 User table 55 Warning 50
CFIELD - CFDEF 136 Revoked When 50
CSFKEYS, GCSFKEYS, XCSFKEY, User table 55 Scope dialog 46
GXCSFKEY - ICSF 136 Revoked status * on access list 46
DATASET - DFP 137 User properties 62 * option 46
DATASET - TME 137 REXX script Access 46
DIGTCERT - CERTDATA 137 association file 149 Alter-M 46
DIGTRING - CERTDATA 138 run script 149 Alter-Operations 46
DLFCLASS - DLFDATA 138 rich text format (RTF) 24 Alter-P 46
EJBROLE - TME 138 right mouse button 31 Auditor 46
FACILITY - DLFDATA 139 ROLE - TME 141 CKGList 46
FACILITY - EIM 139 RRSF node 20 CKGOwner 46
FACILITY - PROXY 139 alternative ID dropdown 36 Class 46
FACILITY - TME 139 AT option 36 Filter 46
LDAPBIND - EIM 140 ONLYAT option 36 gAud option 46
LDAPBIND - ICTX 140 RRSF Nodes option 36 Global 46
LDAPBIND - PROXY 140 RTF (rich text format) 24 Global Access Table option 46
MFADEF - MFPOLICY 140 gOper option 46
PROGRAM - SIGVER 140 gSpec option 46
PTKDATA - SSIGNON 141
REALM- KERB 141
S ID options 46
List resources 46
schedules
ROLE - TME 141 List users and groups 46
$DELETE 70, 79
STARTED - STDATA 142 Operations 46
add interval 81
SYSMVIEW - SVFMR 142 Owner 46
administration
remove user permits 105 Profile filter 46
centralized 79
resource profile Profile in Warning option 46
decentralized 79
add 113 QualOwner 46
delete interval 82
copy 115 SCP.G 46
dialog fields 80
DATASET 110 SCP.ID 46
disable 71
delete 118 SCP.U 46
enable 72
duplicate 115 UACC 46
intervals 79
edit properties 116 Via 46
repeat function 81

Index 167
Scope dialog (continued) server SNAME
Warning 46 definition name, turn off 22 Duplicate user 66
When 46 edit definition 7 software installation requirements 1
scope of group tree 44 information 33 sort column by entry 17
search name client attribute 153 Special user attribute 62
all nodes 38 TCP port number client attribute 1, SSIGNON 141
class 38 153 Start column
filtering 38 test connection 7 Schedules 80
Find window always on top 38 server definition Start field
segment option 38 add 7 Add schedule interval 81
selected nodes 38 add multiple 9 STARTED - STDATA 142
selected nodes, advanced 38 copy 10 Status field
view each node in a separate Delete 6 Maintain Client 151
table 38 Export 6 Status of ... form 37
Security label attribute Import 6 status, verifying completion 37
User properties 62 settings 1 STDATA 142
Security level attribute Server definition dialog 7 subgroup, add 89
User properties 62 Server ID SubGroups
segment client attribute 1, 153 Group properties 87
access 127 server attributes 151 Group table 85
add 130, 132 Server definition 7 superior group in group tree 44
add field 130 Server Information dialog 33 Supgroup
application 128 server IP address client attribute 1, 153 Add subgroup 89
authorities 127 Server IP address or name Duplicate group 91
delete 130 Server definition 7 SupGroup
edit 130 Server Port Group properties 87
exceptions to editing 133 Server definition 7 Group table 85
fields, viewing 134 SESSION 135 support
list, viewing 130 session, establishing with server 18 Visual client versions 6
management 127 set SVFMR 142
related classes 128 default password 76 SYS1 group 44
resource profiles 134 password or passphrase 73 SYSMVIEW - SVFMR 142
Segment Detail Set Passphrase SYSPRINT, view output 24
Description 130 User properties 62 SYSPRINT.log 23
Fieldvalue 130 Set password dialog 74 system audit report 52
settings 127 Set password to expired SYSTERM, view messages 24
types Set password 76 SYSTERM.log 23
edit 127 set up Visual client 1
view 127 Set user as protected
view 127
Segment
Set password or passphrase 73
Set user as Protected
T
tables
detail window 130 Duplicate user 66
change font 25
Duplicate group 91 SETROPTS settings report 52
Connects 97
Duplicate user 66 settings, configuration file 11
exporting 32
Group table 85 setup
fields out of scope 34
list table 130 automated 10
group 85
option in search 38 configuration file 10
Installation data 85
Resources table 110 configuration file examples 13
InstData 85
types table 127 configuration file limitations 12
member 123
User table 55 create configuration file 10
Owner 85
Segmenttypes list 127 Modify option 5
Resources 110
Select class dialog 42 repair client files 5
Segment 85
Activate 42 uninstallation 5
Segment list 130
Active Classes 42 upgrade 6
Segment type 127
All Classes 42 Visual client, prerequisites 1
Segmenttypes 127
Authorized Classes 42 SHOW MYACCESS command 89
SubGroup 85
Class 42 ShowHost=No option 22
SupGroup 85
Description 42 SIGVER 140
types to print 33
Select Node for group tree dialog 44 silent installation
User 55
Select Nodes dialog 36 diagnostics 14
Users 85
alternative ID dropdown 36 log files 14
Visual client compatibility 6
AT option 36 steps 14
TCP Port, server attributes 151
ONLYAT option 36 site-specific columns and fields 31
terminology v
RRSF Nodes 36 site-specific fields
TermUACC
zSecure Nodes 36 Find dialog 38
Group properties 87
sequence, change column 31 User properties 62
Test connection
User table 55
Server definition 7

168 Client Manual

test server connection 7 user (continued) usr (continued)
TME 137, 138, 139, 141, 143 profile segments (continued) DefaultGrp 62
toolbar 30 USER - EIM 144 Expired 62
training xi USER - KERB 145 Inactive 62
troubleshooting xi USER - LANGUAGE 145 Installation data 62
TSO 147 USER - LNOTES 145 Last connect 62
Type column USER - NDS 145 Last logon 62
Schedules 80 USER - NETVIEW 145 Last password change 62
Type field USER - OMVS 146 Mappings count 62
Add schedule interval 81 USER - OPERPARM 146 Name 62
USER - OVM 147 Operations 62
USER - PROXY 147 Owner 62
U USER - TSO 147
USER - WORKATTR 148
Password attempts 62
Password interval 62
UACC
properties 55, 62 Revoked 62
Add resource profile 113
properties, viewing 21 Security label 62
Properties of resource profile 116
resource 97 Security level 62
Resources table 110
resume 71 Special 62
Scope * dialog 50
revoke 70 User 62
Scope dialog 46
revoked 55 user ID 62
UID
schedules 79 UUID segment
Duplicate user 66
set password or passphrase 73 Duplicate user 66
UNAME
to revoke or resume 79
Duplicate user 66
wrong display 42
unauthorized functions
displaying 27
User
administration level 27
V
hiding 27 version support, Visual client 6
Connect properties 99
undelete client definition 151 via access conditions 46
table 55
undo delete user 70 view
USER - CICS 144
uninstallation of Visual client 5 member list 123, 124
USER - CSDATA 144
unintended connect 98 schedule, user 80
USER - DCE 144
Universal segment 127
USER - DFP 144
Add subgroup 89 segment type 127
USER - EIM 144
Duplicate group 91 Visual client
USER - KERB 145
Group properties 87 communication with mainframe 24
USER - LANGUAGE 145
Group table 85 configuration 1
USER - LNOTES 145
UNIX home path automated 10
USER - NDS 145
Duplicate user 66 configuration file 10
USER - NETVIEW 145
UNIX user ID segment limitations 12
USER - OMVS 146
Duplicate user 66 mainframe requirements 1
USER - OPERPARM 146
Update column, access list 118 overview 6
USER - OVM 147
upgrade target machine 12
USER - PROXY 147
automation of path 15 customization 17
USER - TSO 147
compatibility table 6 exit 22
USER - WORKATTR 148
copy server definition 10 help system requirements 1
user ID
Visual client, overview 6 installation 1
User table 55
upload client definitions 153 methods 2
User ID
Use authority 97, 99, 102 modify 5
IDIDMAP profile 112
user program folder 2
user ID attribute
access 97 repair 5
User properties 62
add 66 silent 14
User ID count
copy and paste 30 types 2
Properties of resource profile 116
create 66 uninstallation 5
User Name Filter
delete 70 log off 22
Mapping information 82
disable 70, 71 logon dialog 19
User properties dialog 62
display as resource profile 42 operating procedures 17
User table
duplicate 66 primary tasks 17
printing 33
enable 72 server definition settings 1
user-defined fields 31
inactive 55 software requirements 1
UserIDcount
list scope 46 upgrade
Resources table 110
management 55 compatibility table 6
Users
mapping 82 overview 6
Group table 85
names 31 Visual server
usr
profile segments communication with client 24
Auditor 62
USER - CICS 144 Volser
Categories 62
USER - CSDATA 144 Resources table 110
Class authorizations 62
USER - DCE 144 Volumes
Created 62
USER - DFP 144 Properties of resource profile 116

Index 169
W
Warning
Add resource profile 113
Properties of resource profile 116
Resources table 110
warning mode, profile 46
When
add to access list 120
edit access list 121
field, access list 118
windows
Communication 24
Maintain Client 151
Mapping information 82
Segment detail 130
Windows long date format 29
Windows short date format 29
WORKATTR 148

X
XCSFKEY - ICSF 136

Z
z/OS UNIX group (grpid) 91
z/OS, supported release 1
zSecure Nodes option 36
zSecure server, logon 19
zSecure-defined node 20

170 Client Manual

IBM®

Printed in USA

SC27-5647-04