Guidelines:
- Using the SEARCH command might slow the system's performance. Therefore, avoid using the SEARCH command during busy system times.
- Investigate using the database unload utility for some of your profile searches. The database unload utility need not slow the system's performance and, in some cases, provides the same information as the SEARCH command.
- Question:
- How can I tell whether (or how) a data set is protected?
- Answer:
- The answer is complicated by a number of factors, including the
presence of discrete and generic data set profiles, whether the data
set is RACF-indicated, and the setting of such system-wide options
as SETROPTS GENERIC(DATASET) and SETROPTS PROTECTALL. For more information,
see Protecting data sets.
- Question:
- How can I tell if (or how) a resource (other than a data set)
is protected?
- Answer:
- Use the RLIST command, omitting both the GENERIC and NOGENERIC operands:
    RLIST classname resource-name
  For resources that have grouping classes (such as terminals, DASD volumes, and certain IMS™ and CICS® classes), specify the related "member class" and the RESGROUP operand on the RLIST command:
    RLIST member-class resource-name RESGROUP
  For example, for terminal T1:
    RLIST TERMINAL T1 RESGROUP
  This lists the profiles in the GTERMINL class that protect terminal T1. This example does not work for terminals protected by a generic member in the GTERMINL class.
- Question:
- How can I find the data sets that a user can access?
- Answer:
- Perform the following steps:
  1. Find the names of the profiles the user has access to:
       SEARCH USER(userid) NOMASK
     The name of a discrete profile identifies which data set it protects.
  2. For each generic profile listed in Step 1, list the cataloged data sets protected by the profile (assumes that the SETROPTS CATDSNS option is in effect):
       LISTDSD DATASET(generic-profile-name) DSNS NORACF
     Note: To find out how a user can access a particular data set (READ, UPDATE, and so forth), analyze the profile protecting the data set to determine how RACF® authorization processing would respond to an access request.
  3. Find the entries in the global access checking table for the DATASET class:
       RLIST GLOBAL DATASET
     These entries allow all users access to data sets that match.
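The three steps above, automated as a TSO/E REXX exec. This is an added example, not code from the RACF documentation: it traps the SEARCH output with OUTTRAP, issues LISTDSD DSNS for each generic profile, and then lists the global access checking table. The exec name AUDITDSN is an assumption; the exec relies on the "(G)" suffix that SEARCH appends to generic profile names, assumes SETROPTS CATDSNS is in effect, and assumes the caller holds the RACF authority the commands themselves require.

```rexx
/* REXX - AUDITDSN: which data sets can a user access?              */
/* Added example (not from the RACF documentation). Assumes that    */
/* SETROPTS CATDSNS is in effect and that the caller has the RACF   */
/* authority needed to issue SEARCH, LISTDSD and RLIST by hand.     */
ARG userid .
IF userid = '' THEN DO
  SAY 'Usage: AUDITDSN userid'
  EXIT 4
END

/* Step 1: trap the SEARCH output in the stem line. instead of      */
/* letting it scroll past, so it can be processed line by line.     */
x = OUTTRAP('line.')
ADDRESS TSO "SEARCH USER("userid") NOMASK"
searchrc = RC
x = OUTTRAP('OFF')
IF searchrc <> 0 THEN DO
  /* No matching profiles, or an error; the trapped messages say which */
  DO i = 1 TO line.0
    SAY line.i
  END
  EXIT searchrc
END

/* Step 2: a discrete profile names the data set it protects; a     */
/* generic profile (flagged "(G)" by SEARCH) needs LISTDSD DSNS.    */
DO i = 1 TO line.0
  name = STRIP(line.i)
  IF name = '' | LEFT(name, 3) = 'ICH' THEN ITERATE  /* message line */
  IF RIGHT(name, 3) = '(G)' THEN DO
    profile = STRIP(LEFT(name, LENGTH(name) - 3))
    SAY 'Generic profile' profile 'protects these cataloged data sets:'
    /* Quoting the name stops TSO from adding the caller's prefix.  */
    ADDRESS TSO "LISTDSD DATASET('"profile"') DSNS NORACF"
  END
  ELSE SAY 'Discrete profile' name 'protects data set' name
END

/* Step 3: global access checking entries grant access to everyone, */
/* so they apply to this user whether or not SEARCH listed them.    */
SAY 'Global access checking table entries for the DATASET class:'
ADDRESS TSO "RLIST GLOBAL DATASET"
EXIT 0
```

The LISTDSD output still has to be read against the profile's access list and UACC to learn the access level (READ, UPDATE, and so forth) the user actually holds.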
- Question:
- How can I find the general resources that a user can access?
- Answer:
- This must be done one class at a time. For each class, perform the following steps (which are similar to the steps for data sets):
  1. Find the names of the profiles the user has access to:
       SEARCH CLASS(classname) USER(userid)
     The name of a discrete profile identifies which resource it protects.
     Tips:
     - If the resource is in a class for which there can be resource group profiles (such as GTERMINL, GDASDVOL, and so forth), issue the SEARCH command twice, once for the member class and once for the grouping class. For example, for terminals:
         SEARCH CLASS(TERMINAL) USER(userid)
         SEARCH CLASS(GTERMINL) USER(userid)
     - If the SEARCH command shows a profile that contains a RACF variable (indicated by one or more ampersands (&) in the name), you must list the RACFVARS profile that defines the variable. For example, if you see a profile named SAMPLE.&X.DATA, use the RLIST command to list the RACFVARS profile that defines the variable:
         RLIST RACFVARS &X
     - RACF provides no direct way to determine which resources a particular general resource profile protects, as the LISTDSD command with the DSNS operand does for data sets. This is because there is not generally a list, stored on the system, of the various existing resources that RACF can check. There would have to be such a list for each general resource class, and there are well over 50 resource classes (from terminals to JES input devices to tape volumes). Thus, for any particular class, an auditor or administrator would have to consult with the profile owners (or system support) to determine exactly which resources a generic profile protects.
  2. Find the entries in the global access checking table for the class:
       RLIST GLOBAL classname
     These entries allow all users access to resources in the class that match.
- Question:
- How can I find the user or group profiles a user can list or alter?
- Answer:
- Enter one of the following commands.
SEARCH CLASS(USER) USER(userid)
SEARCH CLASS(GROUP) USER(userid)
- Question:
- How can I find out the members of a RACF group?
- Answer:
- Enter the following command.
LISTGRP groupname
- Question:
- How can I find out what groups a user belongs to?
- Answer:
- Enter the following command.
LISTUSER userid
See z/OS Security Server RACF Command Language Reference for
more detail on the output of these commands.