RA CF Requirements
Use the CONNECT command to connect a user to a group, modify a user's connection to a group, or assign the group-related user attributes. If a connection is being created, defaults are available as stated for each operand. If an existing connection is being modified, no defaults apply.
The specified users and group must already be defined to RACF.
To use the CONNECT command, you must:
have the SPECIAL attribute, or
have the group-SPECIAL attribute in the group, or be the owner of the group, or
have JOIN or CONNECT authority in the group.
You may not give a user a higher level of authority in the group than you have.
{~~NNECT}
(userid . . . )[GROUP(group-name)]
[OWNER(userid or group-name)]
[AUTHORITY(group-authority)]
userid
[UACC[(access-authority)]
[GRPACC NOGRPACC
J
[~g!~sp]
[SPECIAL
J
NOSPECIAL rAUDITOR ] LNOAUDITOR [OPERATIONS ]
NOOPERATIONS_
rREvoKEl LRESUMEJ
specifies the RACF-defined user to be connected to or modified in the group specified in the GROUP operand. If you are specifying more than one user, the userids must be enclosed in parentheses.
The approximate number of groups you can specify is 2950. Refer to SPL:
RACF for information about how to determine the exact maximum number of groups.
This operand is required and must be the first operand following CONNECT.
CONNECT Command 61
GROUP(group~name)
specifies a RACF-defined group. If you omit this operand, the user will be connected to or modified in your current connect group.
OWNER(userid or group-name)
specifies a RACF-defined user or group to be assigned as the owner of the connect profile. If a connection is being created and you do not specify an owner, you are defined as the owner of the connect profile.
AUTHORITY(group-authority )
specifies the level of authority the user is to have in the group. The valid group authority values are USE, CREATE, CONNECT, and JOIN. If a connection is being created and this keyword is omitted or entered without a value, the default value is USE.
You may not give a user a higher level of authority in the group than you have.
UACC[ (access-authority)]
specifies the default value for the universal access authority for all new resources the user defines while connected to the specified group. The universal access authorities are ALTER, CONTROL, UPDATE, READ, and NONE. If a connection is being created and this operand is omitted or entered without a value, the default is NONE.
This option is group-related. The user can have a different default universal access authority in each of the groups to which the user is connected.
Note: When a user (who has the ADSP attribute or specifies the PROTECT parameter on a JCL DD statement) enters the system using the group specified in the GROUP operand as the current connect group, any data set or tape volume RACF profiles the user defines will be assigned this default universal access authority value.
GRPACC
specifies that any group data sets defined by the user, when connected to this group, will be automatically accessible to other users in the group. The group whose name is used as the first-level qualifier of the data set name (or the qualifier supplied by a command installation exit) will have UPDATE access authority to the data set.
NOGRPACC
ADSP
62 RACF Command Language Reference
specifies that the user will not have the GRPACC attribute. If a c~}1nection is being created, this is the default value if both GRP ACC and NOGRP ACe are omitted. A user attribute of GRPACC specified on the ADDUSER or ALTUSER command will override NOGRP ACC as a connect attribute.
specifies that all permanent DASD data sets created by the user, when connected to this group, will automatically be RACF-protected by discrete profiles.
The ADSP attribute is ignored at LOGON/job initiation if SETROPTS NOADSP is in effect.
NOADSP
specifies that the user is not to have the ADSP attribute. If a connection is being created, this is the default value if both ADSP and NOADSP are omitted. A user attribute of ADSP specified on the ADDUSER or AL TUSER command will override NOADSP as a connect attribute.
SPECIAL
specifies that the user will have the group-SPECIAL attribute when
connected to this group. To enter the SPECIAL operand, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
NOSPECIAL
specifies that the user is not to have the group-SPECIAL attribute. If a connection is being created, this is the default value if both SPECIAL and NOSPECIAL are omitted. If an existing connection is being modified, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are modifying the user's profile.
A user attribute of SPECIAL specified on the ADDUSER or AL TUSER command will override NOSPECIAL as a connect attribute.
AUDITOR
specifies that the user will have the group-AUDITOR attribute when connected to this group.
To enter the AUDITOR operand, you must have either the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
NOAUDITOR
specifies that the user is not to have the group-AUDITOR attribute when connected to this group. When a connection is being created, this is the default value if both AUDITOR and NOAUDITOR are omitted. If an existing connection is being modified, you must have either the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are modifying the user's profile.
A user attribute of AUDITOR specified on the ADDUSER or ALTUSER command will override NOAUDITOR as a connect attribute.
OPERATIONS
specifies that the user will have the group-OPERATIONS attribute when connected to this group. The user will have authorization to do maintenance operations on all RACF-protected DASD data sets, tape volumes, and DASD volumes within the scope of the group except those where the access list specifically limits the OPERATIONS user to an access authority that is less than the operation requires. (This limitation is accomplished via the PERMIT command.)
To enter the OPERATIONS keyword, you must have the SPECIAL attribute or the group-SPECIAL attribute in the group to which you are connecting or modifying the user's profile.
CONNECT Command 63