Request Format

RACFu provides the following standardized JSON schema for issuing security requests to RACF.

📥 Parameters (JSON Keys)

 

  • "operation"
    A string value describing the Security Management Function to perform. The following table describes all of the valid values for "operation".

     

    Only the "alter" and "extract" Operations are allowed for the "racf-options" Admin Type.

     

    Only the "alter", "extract", and "delete" Operations are allowed for the "permission" Admin Type.

     

    Operation Description
    "add" Add/Create a new security profile.
    "alter" Alter an existing security profile.
    "extract" Extract a security profile’s data.
    "delete" Delete a security profile.

  • "admin_type"
    A string value describing the type of Security Administration Request to issue. The following table describes all of the valid values for "admin_type".

     

    The "permission" Admin Type is NOT allowed for "extract" Operations.

     

    Admin Type Description
    "user" Used for User administration.
    "group" Used for Group administration.
    "group-connection" Used for Group Connection administration.
    "resource" Used for General Resource Profile administration.
    "data-set" Used for Data Set administration.
    "racf-options" Used for RACF Options administration.
    "permission" Used for Permission administration.

  • "profile_name"
    A string value identifying a Security Profile to Add, Alter, Extract, or Delete.

     

    "profile_name" is NOT allowed to be used with the "racf-options" Admin Type due to RACF Options being a Singleton for which there is NO concept of multiple discrete “profiles” that can be created, deleted, and managed.

     

    "class_name" MUST be used to indicate which Class Name the specified Security Profile is associated with for the "resource" and "permission" Admin Types.

     

  • "traits"
    An object describing the Traits/Attributes to Add/Modify in "add" and "alter" Operations. See Traits for more detail about how to specify Traits for "add" and "alter" Operations, and what Traits are supported for each Admin Type.

     

    "traits" is NOT allowed to be used with "extract" and "delete" Operations.

     

  • "class_name"
    A string value identifying a Class Name that the specified Security Profile is associated with.

     

    "class_name" is required for and only allowed for the "resource" and "permission" Admin Types.

     

  • "volume"
    A string value identifying a Volume.

     

    Only the "data-set" and "permission" Admin Types can be used with "volume", and only for "add", "alter", and "delete" Operations.

     

    Note that for the "permission" Admin Type, this parameter will only take effect if the "class_name" parameter is set to "DATASET".

     

  • "generic"
    A string value identifying a Security Profile as Generic or Not Generic.

     

    Only the "data-set" and "permission" Admin Types can be used with "generic", and only for "add", "alter", and "delete" Operations.

     

    Note that for the "permission" Admin Type, this parameter will only take effect if the "class_name" parameter is set to "DATASET".

     

    "generic" may only be set to "yes" or "no".

     

  • "run_as_userid"
    A string value identifying a z/OS Userid to perform the Security Operation as.

     

    In order to use "run_as_userid", the caller must have at least UPDATE access to the <userid>.IRRSMO00 General Resource Profile in the SURROGAT Class, where <userid> represents the z/OS Userid to perform Security Operations as. More information about IRRSMO00 Authorizations can be found here.

     

    "run_as_userid" is NOT allowed for "extract" Operations.

💻 Request Examples

 

These examples are NOT comprehensive and are primarily meant to show users the general structure of "add", "alter", "extract" and "delete" requests.

 

The following RACFu Request JSON creates new new z/OS Userid called SQUIDWRD with the following Traits:

  • A Name of "Squidward".
  • An OMVS UID of 24.
  • An OMVS Home Directory of "/u/squidwrd".
JSON 
{
  "operation": "add",
  "admin_type": "user",
  "profile_name": "SQUIDWRD",
  "traits": {
    "base:name": "Squidward",
    "omvs:uid": 24,
    "omvs:home_directory": "/u/squidwrd"
  }
}

The following RACFu Request JSON alters an exsting z/OS Userid called SQUIDWRD by Changing/Setting the Name Trait to "Squilliam".

JSON 
{
  "operation": "alter",
  "admin_type": "user",
  "profile_name": "SQUIDWRD",
  "traits": {
    "base:name": "Squilliam"
  }
}

The following RACFu Request JSON deletes an exsting z/OS Userid called SQUIDWRD.

JSON 
{
  "operation": "delete",
  "admin_type": "user",
  "profile_name": "SQUIDWRD"
}

The following RACFu Request JSON extracts the Profile Data for a z/OS Userid called SQUIDWRD.

JSON 
{
  "operation": "extract",
  "admin_type": "user",
  "profile_name": "SQUIDWRD"
}