z/OS Security Server RACF Security Administrator's Guide


Using the LIST and SEARCH commands effectively

SA23-2289-00

Guidelines:
  • Using the SEARCH command might slow the system's performance. Therefore, avoid using the SEARCH command during busy system times.
  • Investigate using the database unload utility for some of your profile searches. The database unload utility need not slow the system's performance and, in some cases, provides the same information as the SEARCH command.
Question:
How can I tell whether (or how) a data set is protected?
Answer:
The answer is complicated by a number of factors, including the presence of discrete and generic data set profiles, whether the data set is RACF-indicated, and the setting of such system-wide options as SETROPTS GENERIC(DATASET) and SETROPTS PROTECTALL. For more information, see Protecting data sets.
Question:
How can I tell if (or how) a resource (other than a data set) is protected?
Answer:
Use the RLIST command, omitting both the GENERIC and NOGENERIC operands:
RLIST classname resource-name
For resources that have grouping classes (such as terminals, DASD volumes, and certain IMS™ and CICS® classes), specify the related "member class" and the RESGROUP operand on the RLIST command:
RLIST member-class resource-name RESGROUP
For example, for terminal T1:
RLIST TERMINAL T1 RESGROUP

This lists the profiles in the GTERMINL class that protect terminal T1.

This example does not work for terminals protected by a generic member in the GTERMINL class.

Question:
How can I find the data sets that a user can access?
Answer:
Perform the following steps:
  1. Find the names of the profiles the user has access to:
    SEARCH USER(userid) NOMASK

    The name of a discrete profile identifies which data set it protects.

  2. For each generic profile listed in Step 1, list the cataloged data sets protected by the profile (assumes that the SETROPTS CATDSNS option is in effect):
    LISTDSD DATASET(generic-profile-name) DSNS NORACF

    Note: To find out how a user can access a particular data set (READ, UPDATE, and so forth), analyze the profile protecting the data set to determine how RACF® authorization processing would respond to an access request.

  3. Find the entries in the global access checking table for the DATASET class:
    RLIST GLOBAL DATASET

    These entries allow all users access to data sets that match.

Question:
How can I find the general resources that a user can access?
Answer:
This must be done one class at a time. For each class, perform the following steps (which are similar to the steps for data sets):
  1. Find the names of the profiles the user has access to:
    SEARCH CLASS(classname) USER(userid)

    The name of a discrete profile identifies which resource it protects.

    Tips:

    1. If the resource is in a class for which there can be resource group profiles (such as GTERMINL, GDASDVOL, and so forth), issue the SEARCH command twice, once for the member class and once for the grouping class.
      For example, for terminals:
      SEARCH CLASS(TERMINAL) USER(userid)
      SEARCH CLASS(GTERMINL) USER(userid)
    2. If the SEARCH command shows a profile that contains a RACF variable (indicated by one or more ampersands (&) in the name), you must list the RACFVARS profile that defines the variable. For example, if you see a profile named SAMPLE.&X.DATA, use the RLIST command to list the RACFVARS profile that defines the variable:
      RLIST RACFVARS &X
  2. RACF provides no direct way to determine which resources a particular general resource profile protects, comparable to issuing the LISTDSD command with the DSNS operand for data sets. This is because there is generally no list, stored on the system, of the existing resources that RACF can check. There would have to be such a list for each general resource class, and there are well over 50 resource classes (from terminals to JES input devices to tape volumes). Thus, for any particular class, an auditor or administrator must consult the profile owners (or system support) to determine exactly which resources a generic profile protects.
  3. Find the entries in the global access checking table for the class:
    RLIST GLOBAL classname

    These entries allow all users access to resources in the class that match.
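The two procedures above (finding the data sets, and the general resources, that a user can access) start from SEARCH output and then require different follow-up commands. The following added example (not part of this guide) parses constructed SEARCH output and produces the follow-up commands the steps and tips call for; it assumes SEARCH marks generic profiles with a trailing "(G)", and its member-class to grouping-class table is limited to the pairs named on this page.

```python
import re

# Member class -> grouping class pairs named on this page; extend as needed (assumption).
GROUPING_CLASS = {"TERMINAL": "GTERMINL", "DASDVOL": "GDASDVOL"}

# Constructed samples of SEARCH output: one profile name per line, generic
# profiles carrying the trailing "(G)" marker that SEARCH prints for them.
DATASET_SEARCH_OUTPUT = "PAYROLL.MASTER.DATA\nPAYROLL.**  (G)\n"
TERMINAL_SEARCH_OUTPUT = "T1\nTERM&X  (G)\n"

def parse_search_output(text):
    """Return (profile_name, is_generic) for each profile line of SEARCH output."""
    profiles = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        is_generic = line.endswith("(G)")
        name = line[:-3].rstrip() if is_generic else line
        profiles.append((name, is_generic))
    return profiles

def racf_variables(profile_name):
    """RACFVARS names used in a profile, e.g. 'SAMPLE.&X.DATA' -> ['&X']."""
    return re.findall(r"&[A-Z0-9@#$]+", profile_name)

def follow_up_commands(classname, userid, search_text):
    """Commands to issue after the initial SEARCH, following the steps and tips above."""
    cmds = []
    grouping = GROUPING_CLASS.get(classname)
    if grouping:                                    # tip 1: search the grouping class too
        cmds.append(f"SEARCH CLASS({grouping}) USER({userid})")
    for name, is_generic in parse_search_output(search_text):
        if classname == "DATASET":
            if is_generic:                          # step 2: list cataloged data sets
                cmds.append(f"LISTDSD DATASET({name}) DSNS NORACF")
        else:
            for var in racf_variables(name):        # tip 2: list the RACFVARS profile
                cmds.append(f"RLIST RACFVARS {var}")
    cmds.append(f"RLIST GLOBAL {classname}")        # step 3: global access checking table
    return cmds

if __name__ == "__main__":
    for c in follow_up_commands("DATASET", "USER01", DATASET_SEARCH_OUTPUT):
        print(c)
    for c in follow_up_commands("TERMINAL", "USER01", TERMINAL_SEARCH_OUTPUT):
        print(c)
```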

Question:
How can I find the user or group profiles a user can list or alter?
Answer:
Enter one of the following commands.
SEARCH CLASS(USER) USER(userid)
SEARCH CLASS(GROUP) USER(userid)
Question:
How can I find out the members of a RACF group?
Answer:
Enter the following command.
LISTGRP groupname
Question:
How can I find out what groups a user belongs to?
Answer:
Enter the following command.
LISTUSER userid

See z/OS Security Server RACF Command Language Reference for more detail on the output of these commands.





Copyright IBM Corporation 1990, 2014