Character substitution in deployed security roles

The security role and display name in the deployment descriptor can contain any ASCII or Unicode character. The character set which can be used in deployed security roles is more restricted:
  • Profile names used in RACF are restricted to characters in EBCDIC code page 037.
  • Some characters — the asterisk (*) for example — have special meaning when used in RACF commands, and cannot be used in a profile name.
When Unicode characters in the security role and display name cannot be used directly in the deployed security role, they are replaced by the escape sequences shown in Table 1. Substitution occurs:
  • when the EJBROLE generator utility (dfhreg) processes the deployment descriptor to generate RACF commands
  • when CICS maps a security role to a RACF user ID
Table 1. Escape sequences used in security roles

Character  Description        ASCII/Unicode  EBCDIC Codepage 037  Escape sequence
---------  -----------------  -------------  -------------------  ---------------
ASCII and Unicode values whose equivalent EBCDIC value cannot be used in a deployed security role name are replaced with a three-character escape sequence as follows:
           blank              X'20'          X'40'                ¢
¢          cent               X'A2'          X'4A'                \A2
\          backslash          X'5C'          X'E0'                \5C
*          asterisk           X'2A'          X'5C'                \2A
&          ampersand          X'26'          X'50'                \26
%          per cent           X'25'          X'6C'                \25
,          comma              X'2C'          X'6B'                \2C
(          left parenthesis   X'28'          X'4D'                \28
)          right parenthesis  X'29'          X'5D'                \29
;          semicolon          X'3B'          X'5E'                \3B
Unicode values which do not have an equivalent in EBCDIC Codepage 037 are replaced with the Unicode escape sequence: a character with a Unicode representation of X'yyyy' is replaced by \uyyyy. For example:
           Euro symbol        X'20AC'        not supported        \u20AC
           Hiragana Ki        X'304D'        not supported        \u304D
           alpha              X'03B1'        not supported        \u03B1

Here are two examples that illustrate the way that characters are substituted:
Example 1
  • The EJBROLEPRFX has a value of test
  • The display name in the deployment descriptor has a value of year.end.processing
  • The security role in the deployment descriptor has a value of auditor 1
In this example, when the deployed security role is constructed:
  1. Each space is replaced with ¢
  2. The deployed security role is composed from the EJBROLEPRFX value, the display name, and the security role; a period is used as the delimiter.
The resulting deployed security role is:
test.year.end.processing.auditor¢1
Example 2
  • The EJBROLEPRFX has a value of test
  • The display name in the deployment descriptor has a value of αβ34. The Unicode encoding is X'03B1 03B2 0033 0034'.
  • The security role in the deployment descriptor has a value of auditor 1
In this example, when the deployed security role is constructed:
  1. Each Unicode character that has an equivalent in EBCDIC code page 037 is replaced accordingly. In the display name, X'0033 0034' is replaced by 34.
  2. Each Unicode character that does not have an equivalent in EBCDIC code page 037 is replaced with the corresponding escape sequence. In the display name, X'03B1 03B2' is replaced by \u03B1\u03B2.
  3. Each space is replaced with ¢
  4. The deployed security role is composed from the EJBROLEPRFX value, the display name, and the security role; a period is used as the delimiter.
The resulting deployed security role is:
test.\u03B1\u03B234.auditor¢1
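
The substitution and composition rules above, as an added Python example (not IBM's code and not the dfhreg utility). It reproduces both worked examples and also reports distinct display name and role pairs that deploy to the same name, which can happen because the period delimiter is not escaped. Assumptions: the function names are hypothetical, Python's cp037 codec stands in for the code page 037 check, and values above X'FFFF' are rejected because the page defines \uyyyy for four hex digits only.

```python
"""Added example: build a deployed security role name using the rules in Table 1."""

# Characters with special meaning in RACF commands (Table 1), escaped as \XX.
RACF_SPECIAL = set("\u00a2\\*&%,();")


def escape_component(text: str) -> str:
    """Apply the Table 1 substitutions to a display name or security role."""
    out = []
    for ch in text:
        if ch == " ":
            out.append("\u00a2")                 # blank -> cent sign
        elif ch in RACF_SPECIAL:
            out.append("\\%02X" % ord(ch))       # e.g. '*' -> \2A
        else:
            try:
                ch.encode("cp037")               # representable in code page 037?
                out.append(ch)
            except UnicodeEncodeError:
                if ord(ch) > 0xFFFF:             # assumption: not defined by the page
                    raise ValueError("no \\uyyyy form for values above X'FFFF'")
                out.append("\\u%04X" % ord(ch))  # e.g. alpha -> \u03B1
    return "".join(out)


def deployed_role(prefix: str, display_name: str, role: str) -> str:
    """Join EJBROLEPRFX, display name and security role with a period delimiter."""
    return ".".join([prefix, escape_component(display_name), escape_component(role)])


def find_collisions(prefix, descriptors):
    """Return deployed names produced by more than one (display name, role) pair."""
    seen = {}
    for pair in descriptors:
        seen.setdefault(deployed_role(prefix, *pair), set()).add(pair)
    return {name: pairs for name, pairs in seen.items() if len(pairs) > 1}


if __name__ == "__main__":
    print(deployed_role("test", "year.end.processing", "auditor 1"))  # Example 1
    print(deployed_role("test", "\u03b1\u03b234", "auditor 1"))       # Example 2
    # Constructed input: two different descriptors that deploy to one name.
    print(find_collisions("test", [("year.end", "audit"), ("year", "end.audit")]))
```

Running the collision check over every descriptor that shares an EJBROLEPRFX before issuing the generated RACF commands shows whether one profile would end up authorizing two different roles.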