DISPLAY (Display signed-on-from list)
Background
Persistent verification allows users to sign on to a partner LU (logical unit) and have their authority persist. In other words, once a user has signed on, a password is not required for subsequent signon attempts.
APPC/MVS invokes RACF® to create and maintain a list called the signed-on-from list. If persistent verification is being used, the signed-on-from list consists of the users currently signed on with persistent verification authority.
Purpose
The DISPLAY command displays the following information for the users on the signed-on-from list:
- User ID
- Group
- APPL (the local LU name)
- POE (the partner LU name from which the user is signed on)
- SECLABEL
The DISPLAY command has operands which correspond to the preceding items listed. You can use these operands to select which user entries to display from the signed-on-from list.
The information is displayed as a list of entries sorted by local LU. If there are multiple entries for a given local LU, these entries are sorted by user ID.
Issuing options
The following table identifies the eligible options for issuing the DISPLAY command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
No | Yes | No | No | Yes |
For information on issuing this command as a RACF operator command, see RACF operator commands.
Related commands
Use the SIGNOFF command to remove users from the signed-on-from list.
Authorization required
You might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DISPLAY command is:
subsystem-prefixDISPLAY
  [ SIGNON ]
  [ APPL(local-luname | *) ]
  [ POE(partner-luname | *) ]
  [ USER(userid-name | *) ]
  [ GROUP(group-name | *) ]
  [ SECLABEL(security-label | *) ]
For information on issuing this command as a RACF operator command, see Rules for entering RACF operator commands.
Parameters
- subsystem-prefix
- The subsystem prefix identifies that the RACF subsystem is the processing environment. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- SIGNON
- This operand indicates that the information to be displayed is from the signed-on-from list. Because this is always the case, this operand is a default value and can be omitted from the command line.
- If none of the operands are specified, you receive an informational message, indicating the version, release and modification level for RACF.
- If no local LU is currently active, you receive an informational message.
- If you specify the APPL operand and at least one local LU is currently active, you receive an informational message with the names of the LU applications listed.
- APPL(local-luname | *)
- The local-luname is a 1 - 8 character name of the local LU to be searched for. An asterisk can occupy the last position of the name in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any APPL name in the signed-on-from list. A single asterisk is the default value.
- POE(partner-luname | *)
- The partner-luname is the name of the partner LU to be searched for. It can be a 1 - 8 character unqualified LU name or a 1 - 17 character network qualified LU name in the format netid.luname, where netid and luname are each 1 - 8 characters. If the netid is omitted, all partner LUs with the specified LU name portion are shown (POE(LU1) would show NET1.LU1 and NET2.LU1). An asterisk can occupy the last position of the partner-luname in order to provide a partial generic selection capability. For example, the partner-luname NW1.LU2 would match with *, N*, NW*, NW1*, NW1.*, NW1.L*, NW1.LU*, NW1.LU2*, L*, LU*, and LU2*. A character string consisting of a single asterisk is permitted as a full generic that matches any POE name in the signed-on-from list. A single asterisk is the default if another operand (besides SIGNON) is specified.
- USER(userid-name | *)
- The userid-name is a 1 - 8 character name that represents the RACF user ID to be searched for. An asterisk can occupy the last position of the userid-name in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any user ID in the signed-on-from list. A single asterisk is the default value if either the GROUP operand or the SECLABEL operand is specified.
- GROUP(group-name | *)
- The group-name is a 1 - 8 character name of the RACF group to be searched for. An asterisk can be in the last position of the group-name in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any group name in the signed-on-from list. A single asterisk is the default value if either the USER operand or the SECLABEL operand is specified. Note that entries in the signed-on-from list might not always be added to that list with a group-name value. Such entries have group-name values consisting of blanks.
- SECLABEL(security-label | *)
- The security-label is a 1 - 8 character name which represents the RACF security label to be searched for. An asterisk can occupy the last position of the specification in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any security label in the signed-on-from list. A single asterisk is the default value if either the USER operand or the GROUP operand is specified.
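The selection rules above, modelled as an added Python example (not IBM code) so that you can predict which signed-on-from entries a given operand combination selects before issuing the command. The function names, the entry layout and the sample entries are assumptions for illustration; upper-casing operands is also an assumption, based on this page typing commands in lower case against upper-case output.

```python
# Added example: a model of the operand matching rules described above.
# Function names and the entry layout are assumptions, not RACF interfaces.

def check_pattern(pattern, max_len=8):
    """Normalize an operand value; the asterisk may only be the last character."""
    p = pattern.strip().upper()  # the page types commands in lower case
    if not 1 <= len(p) <= max_len:
        raise ValueError(f"{pattern!r}: length must be 1 - {max_len}")
    if "*" in p[:-1]:
        raise ValueError(f"{pattern!r}: asterisk only allowed in last position")
    return p

def generic_match(pattern, value, max_len=8):
    """Exact match, or prefix match when the pattern ends in an asterisk."""
    p = check_pattern(pattern, max_len)
    v = value.strip().upper()
    return v.startswith(p[:-1]) if p.endswith("*") else v == p

def poe_match(pattern, partner_lu):
    """Compare against netid.luname and against the luname portion alone."""
    names = [partner_lu]
    if "." in partner_lu:
        names.append(partner_lu.split(".", 1)[1])
    return any(generic_match(pattern, n, max_len=17) for n in names)

def select(entries, appl="*", poe="*", user="*", group="*", seclabel="*"):
    """Apply all five operands; each defaults to the full generic '*'."""
    return [e for e in entries
            if generic_match(appl, e["appl"]) and poe_match(poe, e["poe"])
            and generic_match(user, e["user"])
            and generic_match(group, e["group"])
            and generic_match(seclabel, e["seclabel"])]

# Constructed sample entries (a blank group models an entry added without one).
ENTRIES = [
    {"appl": "LOCALLU", "poe": "NET1.LU1", "user": "BOB", "group": "SYS1", "seclabel": ""},
    {"appl": "LOCALLU", "poe": "NET2.LU1", "user": "BRIAN", "group": "", "seclabel": ""},
    {"appl": "LOCLLU2", "poe": "NW1.LU2", "user": "JIM", "group": "GRP1", "seclabel": ""},
]

if __name__ == "__main__":
    for e in select(ENTRIES, poe="lu1"):
        print(e["appl"], e["poe"], e["user"])
```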
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | Display all the partner LUs associated with a particular local LU. |
 | Known | The local LU name is locallu. The RACF subsystem prefix is @. |
 | Command | @display appl(locallu),poe(*) |
 | Defaults | SIGNON |
 | Output | See Figure 1. |
2 | Operation | Display all the users signed on for a particular LU pair. |
 | Known | The local LU is locallu, the partner LU is prtnrlu1. The RACF subsystem prefix is @. |
 | Command | @display appl(locallu),poe(prtnrlu1),user(*) |
 | Defaults | SIGNON, GROUP(*), and SECLABEL(*) |
 | Output | See Figure 2. |
3 | Operation | Display each local LU and its associated partner LUs, and for each LU pair, display the users signed on. |
 | Known | The RACF subsystem prefix is @. |
 | Command | @display appl(*),poe(*),user(*) |
 | Defaults | SIGNON, GROUP(*), and SECLABEL(*) |
 | Output | See Figure 3. Important: In many instances, this command might generate large amounts of display output. |
4 | Operation | Display each local LU and its associated partner LUs, and for each LU pair, display the users with userid_names beginning with B. |
 | Known | The RACF subsystem prefix is @. |
 | Command | @display appl(*),poe(*),user(B*),group(*) |
 | Defaults | SIGNON and SECLABEL(*) |
 | Output | See Figure 4. |
5 | Operation | Display all the LU pairs that users have signed on to using a particular group. |
 | Known | The RACF subsystem prefix is @. The group-name is grp1. |
 | Command | @display group(grp1),appl(*),poe(*),user(*) |
 | Defaults | SIGNON, SECLABEL(*) |
 | Output | See Figure 5. |
Figure 1. Output for example 1
IRRD004I RACF 2.6.0 SUBSYSTEM 219
REMOTE LU NAME(S) ASSOCIATED WITH ACTIVE LOCAL LU NAME LOCALLU
LU NAME LU NAME LU NAME
PRTNRLU1 PRTNRLU2 PRTNRLU3
NETID1.PRTNRLU4
Figure 2. Output for example 2
IRRD004I RACF 2.6.0 SUBSYSTEM 239
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB GROUP = SYS1 SECLABEL =
USER = BRIAN GROUP = SYS1 SECLABEL =
USER = JIM GROUP = GRP1 SECLABEL =
USER = JOE GROUP = GRP1 SECLABEL =
Figure 3. Output for example 3
IRRD004I RACF 2.6.0 SUBSYSTEM 245
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB GROUP = SYS1 SECLABEL =
USER = BRIAN GROUP = SYS1 SECLABEL =
USER = JIM GROUP = GRP1 SECLABEL =
USER = JOE GROUP = GRP1 SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU2 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU3 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU4 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCLLU2 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM GROUP = GRP1 SECLABEL =
LOCAL LU LOCLLU3 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM GROUP = GRP1 SECLABEL =
Figure 4. Output for example 4
IRRD004I RACF 2.6.0 SUBSYSTEM 647
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB GROUP = SYS1 SECLABEL =
USER = BRIAN GROUP = SYS1 SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU2 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU3 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU4 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
Figure 5. Output for example 5
IRRD004I RACF 2.6.0 SUBSYSTEM 251
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM GROUP = GRP1 SECLABEL =
USER = JOE GROUP = GRP1 SECLABEL =
LOCAL LU LOCLLU2 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM GROUP = GRP1 SECLABEL =
LOCAL LU LOCLLU3 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM GROUP = GRP1 SECLABEL =
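Because every entry on the signed-on-from list is a user whose later signons from that partner LU need no password, captured DISPLAY output is worth reviewing per user. The following added Python example (not IBM code) parses the output format shown for example 3 into records and reports users signed on from more than one partner LU and entries with a blank group; the function names and the max_partners threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Beginning of the example 3 output, copied from this page (spacing as shown here).
SAMPLE = """\
IRRD004I RACF 2.6.0 SUBSYSTEM 245
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB GROUP = SYS1 SECLABEL =
USER = BRIAN GROUP = SYS1 SECLABEL =
USER = JIM GROUP = GRP1 SECLABEL =
USER = JOE GROUP = GRP1 SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU2 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU3 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU4 HAS USER(S):
USER = BRIAN GROUP = SECLABEL =
LOCAL LU LOCLLU2 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM GROUP = GRP1 SECLABEL =
"""
HEADER = re.compile(r"LOCAL LU (\S+) FOR REMOTE LU (\S+) HAS USER\(S\):")
ENTRY = re.compile(r"USER\s*=\s*(\S*?)\s+GROUP\s*=\s*(\S*?)\s*SECLABEL\s*=\s*(\S*)\s*$")
FIELDS = ("appl", "poe", "user", "group", "seclabel")

def parse_display(text):
    """Turn DISPLAY output into one dict per signed-on-from entry."""
    entries, pair = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.search(line):
            pair = m.groups()  # (local LU, partner LU) for the user lines that follow
        elif pair and (m := ENTRY.search(line)):
            entries.append(dict(zip(FIELDS, pair + m.groups())))
    return entries

def partners_by_user(entries):
    """Map each user ID to the sorted partner LUs it is signed on from."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["poe"])
    return {user: sorted(lus) for user, lus in seen.items()}

def review(entries, max_partners=1):
    """Return users with more partner LUs than max_partners, and blank-group entries."""
    multi = {u: p for u, p in partners_by_user(entries).items() if len(p) > max_partners}
    return multi, [e for e in entries if not e["group"]]

if __name__ == "__main__":
    multi, no_group = review(parse_display(SAMPLE))
    print(multi, len(no_group))
```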