XDS Commands involving z/OS RACF schema attributes are processed by the Subscriber channel subject to the limitations of RACF. If operations that do not conform to the RACF design are specified, the results are unpredictable. For detailed information about the processing of RACF commands, see your RACF documentation.
Some RACF command parameters and values, or combinations of parameters and values can produce results that cannot be directly codified in the events generated by the Publisher channel. Other RACF processing, such as a user being revoked because of an excessive number of invalid password attempts, does not cause an event. Changes made directly to the RACF database, such as those made using ICHEINTY, do not cause events.
Changes made in eDirectory or RACF cannot always be sent round trip through the driver into the other and then back again unchanged because not all mapped attributes correspond precisely.
Certain combinations of RACF command parameters, and other RACF processing, can result in an inconsistent state between the RACF database and the z/OS RACF schema attributes stored in the auxiliary classes.
The following sections describe the handling of certain special cases by the driver.
RACF maintains a future REVOKE date (which can be not-specified), a future RESUME date (which can be not-specified), and a revoked state for each user in the RACF database. Setting and unsetting the revoked state clears both date fields. If RACF revokes a user due to inactivity or due to excessive invalid password attempts, it clears both date fields.
DirXML-RACF-revoked, DirXML-RACF-revokedate, and DirXML-RACF-resumedate are processed by the Subscriber channel using the REVOKE and RESUME parameters of the ALTUSER RACF command.
The Publisher channel publishes changes to DirXML-RACF-revoked, DirXML-RACF-revokedate, and DirXML-RACF-resumedate when a RACF ALTUSER command with a REVOKE or RESUME parameter is issued. It also provides these attributes when requested by a query operation. Changes that occur as a side effect of some action, such as the revoking of a user because of excessive invalid password attempts, do not generate events to be published.
The following sections describe the processing of XDS modify command elements for these schema attributes by the Subscriber channel.
Except as noted, XDS modify commands that contain changes for these attributes in combination produce unpredictable results.
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-revoked">
    <remove-all-values/>
    <add-value>
      <value>true</value>
    </add-value>
  </modify-attr>
</modify>
The Subscriber channel treats a remove-all-values followed by an add-value as a replace operation for the attribute value.
ALTUSER (MEI) REVOKE
RACF processes a REVOKE without a date to take effect immediately. Any pending REVOKE date or RESUME date is cleared. If REVOKE is already in effect for the user, RACF ignores the REVOKE parameter and issues a message. This message appears in the status document returned by the Subscriber channel.
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-revoked">
    <remove-all-values/>
    <add-value>
      <value>false</value>
    </add-value>
  </modify-attr>
</modify>
The Subscriber channel treats a remove-all-values followed by an add-value as a replace operation for the attribute value.
ALTUSER (MEI) RESUME
RACF processes a RESUME without a date to take effect immediately. Any pending REVOKE date or RESUME date is cleared. If no REVOKE or pending REVOKE is in effect for the user, RACF ignores the RESUME parameter.
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-revoked">
    <remove-all-values/>
  </modify-attr>
</modify>
The Subscriber channel treats a remove-all-values for DirXML-RACF-revoked as a RESUME.
ALTUSER (MEI) RESUME
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-revokedate">
    <remove-all-values/>
    <add-value>
      <value>08/13/18</value>
    </add-value>
  </modify-attr>
</modify>
The Subscriber channel treats a remove-all-values followed by an add-value as a replace operation for the attribute value.
ALTUSER (MEI) REVOKE(08/13/18)
RACF establishes a pending REVOKE for the user that will take effect on August 13, 2018. If REVOKE is already in effect for the user, RACF ignores the REVOKE parameter and issues a message. This message appears in the status document returned by the Subscriber channel.
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-revokedate">
    <remove-all-values/>
  </modify-attr>
</modify>
There is no RACF command to explicitly clear the RACF REVOKE date. The Subscriber channel does not process remove-all-values for DirXML-RACF-revokedate.
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-resumedate">
    <remove-all-values/>
    <add-value>
      <value>09/11/25</value>
    </add-value>
  </modify-attr>
</modify>
The Subscriber channel treats a remove-all-values followed by an add-value as a replace operation for the attribute value.
ALTUSER (MEI) RESUME(09/11/25)
RACF establishes a pending RESUME for the user that will take effect on September 11, 2025. If no REVOKE or pending REVOKE is in effect for the user, RACF ignores the RESUME parameter.
Assume the following modify command.
<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-resumedate">
    <remove-all-values/>
  </modify-attr>
</modify>
There is no RACF command to explicitly clear the RACF RESUME date. The Subscriber channel does not process remove-all-values for DirXML-RACF-resumedate.
The Subscriber channel processes modify commands for combinations of DirXML-RACF-revoked, DirXML-RACF-revokedate, and DirXML-RACF-resumedate the same way it processes these attributes individually, as described in the preceding sections.
The Subscriber channel constructs RACF commands using the values provided in the XDS documents that it receives. It is important to note that some combinations are not meaningful.
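The following is an added worked example, not code from the driver or its documentation. It applies the rules from the preceding sections to an XDS modify document: remove-all-values followed by add-value is a replace, a bare remove-all-values of DirXML-RACF-revoked becomes RESUME, a remove-all-values of either date attribute is not processed, and the three attributes are mapped independently and joined into one ALTUSER command. The sample document, the mm/dd/yy date check and the conflict pre-check for combinations that are not meaningful (a bare REVOKE together with a bare RESUME, or two parameters with the same keyword) are assumptions made for this example, not the driver's own logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XDS modify document (not from the driver): a revoke flag and a
# future resume date in one command, to show each attribute mapping independently.
SAMPLE_MODIFY = r"""<modify class-name="User" event-id="27" src-dn="\DigitalAirLines\users\mei">
  <association>USER/MEI</association>
  <modify-attr attr-name="DirXML-RACF-revoked">
    <remove-all-values/>
    <add-value><value>true</value></add-value>
  </modify-attr>
  <modify-attr attr-name="DirXML-RACF-resumedate">
    <remove-all-values/>
    <add-value><value>09/11/25</value></add-value>
  </modify-attr>
</modify>"""

DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{2}$")   # mm/dd/yy, the form used in the examples (assumed)


def _change(modify_attr):
    """Classify one <modify-attr>: ('replace', value), ('clear', None) or ('none', None)."""
    values = [(v.text or "").strip() for v in modify_attr.findall("add-value/value")]
    if values:
        return "replace", values[-1]          # remove-all-values + add-value is a replace
    if modify_attr.find("remove-all-values") is not None:
        return "clear", None
    return "none", None


def _date(value):
    if not DATE_RE.match(value):
        raise ValueError(f"expected an mm/dd/yy date, got {value!r}")
    return value


def _conflicting(params):
    """Assumed pre-check (not the driver's logic): a bare REVOKE with a bare RESUME,
    or two parameters sharing a keyword (REVOKE and REVOKE(date)), is not meaningful."""
    if "REVOKE" in params and "RESUME" in params:
        return True
    keywords = [p.split("(")[0] for p in params]
    return len(keywords) != len(set(keywords))


def translate_revoke_resume(xds_modify):
    """Map DirXML-RACF-revoked/-revokedate/-resumedate changes to ALTUSER parameters.
    Returns userid, the parameter list, the full command (None when nothing is
    processed) and a conflict flag for combinations that are not meaningful."""
    root = ET.fromstring(xds_modify)
    if root.tag != "modify":
        raise ValueError("expected an XDS <modify> element")
    association = root.findtext("association") or ""
    userid = re.split(r"[\\/]", association)[-1]     # "USER/MEI" -> "MEI"
    params = []
    for ma in root.findall("modify-attr"):
        name = ma.get("attr-name")
        kind, value = _change(ma)
        if name == "DirXML-RACF-revoked":
            if kind == "replace":
                if value.lower() == "true":
                    params.append("REVOKE")           # immediate REVOKE, clears pending dates
                elif value.lower() == "false":
                    params.append("RESUME")           # immediate RESUME, clears pending dates
                else:
                    raise ValueError(f"DirXML-RACF-revoked must be true or false, got {value!r}")
            elif kind == "clear":
                params.append("RESUME")               # remove-all-values alone is treated as RESUME
        elif name == "DirXML-RACF-revokedate":
            if kind == "replace":
                params.append(f"REVOKE({_date(value)})")
            # 'clear': no RACF command clears the REVOKE date, so nothing is emitted
        elif name == "DirXML-RACF-resumedate":
            if kind == "replace":
                params.append(f"RESUME({_date(value)})")
            # 'clear': likewise not processed
    command = f"ALTUSER ({userid}) " + " ".join(params) if params else None
    return {"userid": userid, "params": params, "command": command,
            "conflict": _conflicting(params)}


if __name__ == "__main__":
    print(translate_revoke_resume(SAMPLE_MODIFY)["command"])
```

A caller that wants to reject rather than forward a document whose combination is flagged can check the conflict flag before issuing the command; the page itself only warns that such combinations produce unpredictable results in RACF.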
If you omit the PASSWORD parameter or specify a PASSWORD parameter with no value on a RACF ADDUSER command, RACF sets the default password the same as the name of the user's default group. If you specify a PASSWORD parameter with no value on a RACF ALTUSER command, RACF sets the password the same as the name of the user's default group. The driver publishes a password with the value of the default group in these cases.
If you enter an ALTUSER command for a user with a DFLTGRP parameter and a PASSWORD parameter with no value, RACF sets the password value to the name of the previous default group. It is not possible to determine the name of the previous default group. The driver does not publish a password in this case.
User IDs with NOPASSWORD and NOOIDCARD are known to RACF as protected user IDs. Protected user IDs cannot access the system by any means that requires a password and cannot be revoked by excessive invalid password attempts. Protected user IDs are used for started tasks, production batch processing, and other similar purposes. Protected user IDs are not intended for end users or other systems.
The Publisher channel does not publish events for protected user IDs. The Subscriber channel rejects commands for protected user IDs.
If you specify the OIDCARD parameter on an ADDUSER or ALTUSER RACF command, the system prompts you to enter the operator identification card at the terminal reader. No other method is provided for entering the OIDCARD data. NOOIDCARD is the default for users when they are created.
No z/OS RACF schema attribute is provided for the NOPASSWORD, OIDCARD, and NOOIDCARD parameters of the ADDUSER and ALTUSER RACF commands.
For more information about protected user IDs and operator identification cards, see your RACF documentation.
The driver does not publish events for protected user IDs.
ADDUSER (JES2) NOPASSWORD
No event is published.
If an existing user is altered to become protected, the driver removes its association.
ALTUSER (PROC) NOPASSWORD
<remove-association>USER\PROC</remove-association>
If you specify the OIDCARD or NOOIDCARD parameter on an ADDUSER or ALTUSER command, the Publisher channel does not represent the parameter in the event document.
ADDUSER (KIRSTEN) NAME('KIRSTEN WAGNER') OIDCARD
<add class-name="User" event-id="2764" src-dn="\KIRSTEN">
  <association>USER\KIRSTEN</association>
  <add-attr attr-name="RACF-userid">
    <value type="string">KIRSTEN</value>
  </add-attr>
  <add-attr attr-name="RACF-name">
    <value type="string">KIRSTEN WAGNER</value>
  </add-attr>
</add>
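The following is an added worked example of the Publisher-side rules for protected user IDs and operator identification cards; it is not the driver's code. Given the text of an ADDUSER or ALTUSER command, it decides whether no event is published (a new protected user ID), an association is removed (an existing user altered to become protected), or an add/modify event is built with OIDCARD and NOOIDCARD left out. The command tokenizer, the NAME-to-RACF-name mapping (the only parameter mapping the page shows; all other parameters are dropped), and the shape of the modify event are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Tokenizer for the subset of RACF command syntax used on this page: a verb, the
# user ID in parentheses, then keyword parameters that are bare flags (OIDCARD)
# or carry a parenthesised value (NAME('KIRSTEN WAGNER')). Constructed for this example.
TOKEN_RE = re.compile(r"\(([^)]*)\)|([A-Z0-9]+)(?:\(((?:'[^']*'|[^()])*)\))?")

# Only the parameter-to-attribute mapping the page shows; any other parameter is
# dropped by this sample (assumption, not the driver's full schema map).
PARAM_TO_ATTR = {"NAME": "RACF-name"}
UNPUBLISHED = {"OIDCARD", "NOOIDCARD"}   # no z/OS RACF schema attribute exists for these


def parse_racf_command(text):
    """Split 'VERB (USERID) PARAM PARAM(value) ...' into verb, user ID and a parameter dict
    (value None for bare flags). Both 'ADDUSER (X)' and 'ADDUSER(X)' forms are accepted."""
    tokens = TOKEN_RE.findall(text.strip())
    if not tokens or not tokens[0][1]:
        raise ValueError("expected a command verb such as ADDUSER or ALTUSER")
    verb = tokens[0][1]
    if tokens[0][2]:                                   # ADDUSER(JES2)
        userid, rest = tokens[0][2].strip(), tokens[1:]
    elif len(tokens) > 1 and tokens[1][0]:             # ADDUSER (JES2)
        userid, rest = tokens[1][0].strip(), tokens[2:]
    else:
        raise ValueError("expected the user ID in parentheses after the verb")
    params = {}
    for _bare, key, value in rest:
        if key:
            params[key] = value.strip("'") if value else None
    return verb, userid, params


def publisher_decision(text):
    """What the Publisher channel emits for a user command:
    ('none', None), ('remove-association', userid) or ('add'|'modify', (userid, attrs))."""
    verb, userid, params = parse_racf_command(text)
    if verb not in ("ADDUSER", "ALTUSER"):
        raise ValueError(f"unsupported command {verb}")
    if "NOPASSWORD" in params:                         # protected user ID
        if verb == "ADDUSER":
            return "none", None                        # never published
        return "remove-association", userid            # existing user became protected
    attrs = {"RACF-userid": userid}
    for key, value in params.items():
        if key in UNPUBLISHED or key not in PARAM_TO_ATTR:
            continue                                   # OIDCARD/NOOIDCARD never appear in the event
        attrs[PARAM_TO_ATTR[key]] = value
    return ("add" if verb == "ADDUSER" else "modify"), (userid, attrs)


def render_event(decision, event_id="1"):
    """Serialise a decision as the XDS fragment the Publisher would send (None for no event).
    The modify-event layout (remove-all-values + add-value per attribute) is assumed."""
    kind, payload = decision
    if kind == "none":
        return None
    if kind == "remove-association":
        return f"<remove-association>USER\\{payload}</remove-association>"
    userid, attrs = payload
    root = ET.Element(kind, {"class-name": "User", "event-id": event_id, "src-dn": f"\\{userid}"})
    ET.SubElement(root, "association").text = f"USER\\{userid}"
    for name, value in attrs.items():
        if kind == "add":
            holder = ET.SubElement(root, "add-attr", {"attr-name": name})
            ET.SubElement(holder, "value", {"type": "string"}).text = value
        else:
            holder = ET.SubElement(root, "modify-attr", {"attr-name": name})
            ET.SubElement(holder, "remove-all-values")
            ET.SubElement(ET.SubElement(holder, "add-value"), "value", {"type": "string"}).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for cmd in ("ADDUSER (JES2) NOPASSWORD",
                "ALTUSER (PROC) NOPASSWORD",
                "ADDUSER (KIRSTEN) NAME('KIRSTEN WAGNER') OIDCARD"):
        print(cmd, "->", render_event(publisher_decision(cmd), event_id="2764"))
```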