LISTUSER (List user profile)

Purpose

Use the LISTUSER command to list the details of specific RACF® user profiles. A user profile consists of a BASE segment and, optionally, other segments such as TSO and DFP. The LISTUSER command provides you with the option of listing the information contained in the entire user profile (all segments), or listing the information contained only in specific segments of the user profile.

You cannot use the LISTUSER command to list information about user ID associations; you must use the RACLINK command.

The details RACF lists from the BASE segment for each user profile are:
  • The user ID
  • The user's name or UNKNOWN, if the user's name was not specified on the ADDUSER command
  • The owner of the user's profile
  • The date the user was defined to RACF
  • The default group
  • The date the user's password was last updated
  • The date the user's password phrase was last updated
  • The change interval (in number of days)
  • The password phrase change interval (in number of days)
  • Information about the user's password envelope and password phrase envelope, if any. (See Details about listing envelope information.)
  • The user's attributes
  • The date and time the user last entered the system
  • The classes in which the user is authorized to define profiles
  • The installation-defined data
    • If your z/OS® installation is configured as a multilevel-secure environment, this information is not listed in your output. The output line * SUPPRESSED * appears under the installation data field. Only those with SPECIAL will be allowed to list the field.
  • The name of the default data set model profile
  • Any REVOKE or RESUME processing either in effect or pending, with the corresponding dates even if they have passed
  • The security label, the security level, and category
    • When you specify the user ID on the LISTUSER command, the default security label from the user profile in the RACF database is displayed in the output.
    • When you do not specify the user ID on the LISTUSER command, the security label you are currently logged on with (from the in-storage ACEE control blocks) is displayed in the output.
In addition, RACF lists the following information from the BASE segment of the user profile for each group to which the user is connected:
  • The group name
  • The user's authority in the group
  • The user ID of the person who connected the user to this group
  • The date the user was connected to this group
  • The number of times the user has entered the system with this group as the current connect group
  • The default universal access authority
  • The date and time the user last entered the system using this group as the current connect group
  • The connect attributes (group-related user attributes).
Details about listing a user's envelope information:
  • Listing information about password envelopes:
    • Information about a user's password envelope is displayed only if the user does not have the PROTECTED attribute.
    • If the user's password is enveloped (regardless of whether password enveloping is enabled), the PASSWORD ENVELOPED=YES line is displayed.
    • If the user's password is not enveloped and password enveloping is enabled, the PASSWORD ENVELOPED=NO line is displayed.
    • If the user's password is not enveloped and password enveloping is not enabled, no output line about password enveloping is displayed.
  • Listing information about password phrase envelopes:
    • Information about a user's password phrase envelope is displayed only if the user does not have the PROTECTED attribute.
    • If the user's password phrase is enveloped (regardless of whether password phrase enveloping is enabled), the PHRASE ENVELOPED=YES line is displayed.
    • If the user's password phrase is not enveloped and password phrase enveloping is enabled, the PHRASE ENVELOPED=NO line is displayed.
    • If the user's password phrase is not enveloped and password phrase enveloping is not enabled, or if the user has no password phrase, no output line about password phrase enveloping is displayed.

Details about listing the password and password phrase change interval: Users will always have a password interval but may or may not have a password phrase interval value. When a user does not have a password phrase interval value set, the password interval value is used as both the password interval and password phrase interval. In this case, LISTUSER will not list the user's PHRASE INTERVAL value.

RACF date handling: RACF interprets dates with 2-digit years as follows. (The yy value represents the 2-digit year.)
  • If 70 <  yy <= 99, the date is interpreted as 19yy.
  • If 00 <= yy <= 70, the date is interpreted as 20yy.
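
The window above, applied to the yy.ddd and yy.ddd/hh:mm:ss values that appear in the sample listings on this page. This is an added example, not IBM code. It assumes that listed dates follow the same window, that day 000 (as in PASSDATE=00.000) means no date is recorded, and that a password change falls due PASS-INTERVAL days after PASSDATE; the function names are hypothetical.

```python
import calendar
import re
from datetime import date, datetime, timedelta
from typing import Optional

# Placeholders the sample listings on this page show where a date would be.
NO_DATE = {"NONE", "UNKNOWN"}
DATE_RE = re.compile(r"(\d{2})\.(\d{3})(?:/(\d{2}):(\d{2}):(\d{2}))?")


def expand_year(yy: int) -> int:
    """Apply the 2-digit-year window: 71-99 -> 19yy, 00-70 -> 20yy."""
    if not 0 <= yy <= 99:
        raise ValueError(f"not a 2-digit year: {yy}")
    return 1900 + yy if yy > 70 else 2000 + yy


def parse_racf_date(value: str) -> Optional[datetime]:
    """Convert yy.ddd or yy.ddd/hh:mm:ss to a datetime.

    Returns None for NONE, UNKNOWN and day 000 (assumption: no date recorded).
    Raises ValueError for anything that is not a valid day of the year.
    """
    text = value.strip().upper()
    if text in NO_DATE:
        return None
    m = DATE_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not a yy.ddd value: {value!r}")
    yy, ddd = int(m.group(1)), int(m.group(2))
    if ddd == 0:
        return None
    year = expand_year(yy)
    # Day 366 exists only in leap years.
    if ddd > (366 if calendar.isleap(year) else 365):
        raise ValueError(f"day {ddd} does not exist in {year}")
    hh, mm, ss = (int(g) if g else 0 for g in m.group(3, 4, 5))
    return datetime(year, 1, 1, hh, mm, ss) + timedelta(days=ddd - 1)


def password_change_due(passdate: str, interval_days: int) -> Optional[date]:
    """Date on which the next password change falls due (assumption:
    last update plus the change interval), or None when no date is recorded."""
    updated = parse_racf_date(passdate)
    if updated is None:
        return None
    return (updated + timedelta(days=interval_days)).date()
```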

Issuing options

The following table identifies the eligible options for issuing the LISTUSER command:

  • As a RACF TSO command? Yes
  • As a RACF operator command? Yes
  • With command direction? Yes
  • With automatic command direction? No
  • From the RACF parameter library? Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Listing the BASE segment of a user profile: You can always list the details of the BASE segment of your own user profile. To list details of the BASE segment of another user's profile, one of the following conditions must be true:
  • You are the owner of the user's profile.
  • You have the SPECIAL attribute.
  • The user's profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • You have the AUDITOR or the ROAUDIT attribute.
  • The user's profile is within the scope of a group in which you have the group-AUDITOR attribute.
  • You have READ access to the IRR.LISTUSER resource in the FACILITY class and the user does not have the SPECIAL, AUDITOR, ROAUDIT, or OPERATIONS attribute.
  • You have READ access to an appropriate resource (IRR.LU.OWNER.owner or IRR.LU.TREE.owner) in the FACILITY class, and both of the following conditions are also true:
    • The user does not have the SPECIAL, AUDITOR, ROAUDIT, or OPERATIONS attribute. (You can list a PROTECTED user.)
    • You are not excluded from listing the user by the IRR.LU.EXCLUDE.excluded-user resource in the FACILITY class.
    For more information about the IRR.LU profiles, see z/OS Security Server RACF Security Administrator's Guide.
To list details of the BASE segment of all RACF-defined user profiles (by specifying the asterisk (*) operand), one of the following conditions must be true for each listed profile:
  • You are the owner of the user's profile. RACF lists the BASE segment for all the user profiles that you own.
  • You have the SPECIAL attribute. RACF lists the BASE segment for all user profiles.
  • The user's profile is within the scope of a group in which you have the group-SPECIAL attribute. RACF lists the BASE segment for all the user profiles within the scope of your group.
  • You have the AUDITOR or ROAUDIT attribute. RACF lists the BASE segment for all user profiles.
  • The user's profile is within the scope of a group in which you have the group-AUDITOR attribute. RACF lists the BASE segment for all the user profiles within the scope of your group.
  • You have READ access to the IRR.LISTUSER resource in the FACILITY class and the user does not have any of the SPECIAL, AUDITOR, ROAUDIT, or OPERATIONS attributes.
If you have the group-SPECIAL or group-AUDITOR attribute and your installation has assigned security levels and security categories to user profiles, you must have the following to be able to display the BASE segment of a user's profile:
  • A security level equal to, or greater than, that in the user profile you are trying to display
  • All security categories contained in the user profile you are trying to display contained in your own user profile.
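
A simplified decision model of the conditions above for listing a named user's BASE segment, useful for reviewing what a delegated ID can see before granting it access. This is an added example, not IBM code and not RACF's implementation. Its assumptions: group scope and IRR.LU.OWNER/TREE/EXCLUDE coverage are precomputed by the caller, the security level and category test applies only to the group-SPECIAL and group-AUDITOR conditions, and the class, field and user names other than DAF0, IBMUSER and RESEARCH are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Attributes that take a user out of reach of the FACILITY-class conditions.
PRIVILEGED = frozenset({"SPECIAL", "AUDITOR", "ROAUDIT", "OPERATIONS"})


@dataclass(frozen=True)
class Target:
    userid: str
    owner: str
    attributes: frozenset = frozenset()
    scope_groups: frozenset = frozenset()  # groups whose scope holds this profile
    seclevel: int = 0                      # 0 = no security level assigned
    categories: frozenset = frozenset()


@dataclass(frozen=True)
class Requester:
    userid: str
    attributes: frozenset = frozenset()       # system-level attributes
    group_special: frozenset = frozenset()    # groups with group-SPECIAL
    group_auditor: frozenset = frozenset()    # groups with group-AUDITOR
    facility_read: frozenset = frozenset()    # FACILITY resources held with READ
    irr_lu_covered: frozenset = frozenset()   # user IDs reachable via IRR.LU.OWNER/TREE
    irr_lu_excluded: frozenset = frozenset()  # user IDs barred via IRR.LU.EXCLUDE
    seclevel: int = 0
    categories: frozenset = frozenset()


def base_listing_reason(req: Requester, tgt: Target) -> Optional[str]:
    """Return the first condition from the text that permits listing
    tgt's BASE segment, or None when no condition holds."""
    if req.userid == tgt.userid:
        return "own profile"
    if req.userid == tgt.owner:
        return "owner of the profile"
    if "SPECIAL" in req.attributes:
        return "SPECIAL"
    if req.attributes & {"AUDITOR", "ROAUDIT"}:
        return "AUDITOR or ROAUDIT"

    # Group-level authority also needs the requester's security level and
    # categories to cover those of the target profile.
    covers = (req.seclevel >= tgt.seclevel
              and tgt.categories <= req.categories)
    if covers and tgt.scope_groups & req.group_special:
        return "group-SPECIAL"
    if covers and tgt.scope_groups & req.group_auditor:
        return "group-AUDITOR"

    # FACILITY-class delegation never reaches privileged users.
    if not tgt.attributes & PRIVILEGED:
        if "IRR.LISTUSER" in req.facility_read:
            return "READ on IRR.LISTUSER"
        if (tgt.userid in req.irr_lu_covered
                and tgt.userid not in req.irr_lu_excluded):
            return "READ on IRR.LU resource"
    return None


def helpdesk_demo() -> dict:
    """Constructed scenario: a help-desk ID holding only READ on
    IRR.LISTUSER, next to a group administrator for RESEARCH."""
    helpdesk = Requester("HDESK1", facility_read=frozenset({"IRR.LISTUSER"}))
    grpadmin = Requester("GADM1", group_special=frozenset({"RESEARCH"}),
                         seclevel=10)
    targets = [
        Target("DAF0", "IBMUSER", frozenset({"ADSP"}),
               frozenset({"RESEARCH"})),
        Target("SRVTASK", "IBMUSER", frozenset({"PROTECTED"})),
        Target("IBMUSER", "IBMUSER",
               frozenset({"SPECIAL", "OPERATIONS", "AUDITOR"})),
        Target("LABUSR", "IBMUSER",
               scope_groups=frozenset({"RESEARCH"}), seclevel=20),
    ]
    return {(r.userid, t.userid): base_listing_reason(r, t)
            for r in (helpdesk, grpadmin) for t in targets}
```

In the constructed scenario the help-desk ID can list DAF0 and the PROTECTED user but not IBMUSER, and the group administrator loses LABUSR because its security level is higher than the administrator's own.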

If you have the AUDITOR or ROAUDIT attribute, or the profile is within the scope of a group in which you have the group-AUDITOR attribute, RACF also lists the value of the UAUDIT/NOUAUDIT operand.

Listing the other segments of a user profile: To list information from segments other than the BASE segment for a user profile, including your own, one of the following conditions must be true:
  • You have the SPECIAL, AUDITOR or ROAUDIT attribute
  • You have at least READ authority to the desired field within the segment through field-level access checking.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the LISTUSER command is:

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS™ command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

userid | *
userid
Specifies the user ID of one or more RACF-defined users. If you specify more than one user ID, you must enclose the list of user IDs in parentheses.
*
Specifies that you want to list information contained in all RACF-defined user profiles to which you have the required authority.

Important: On a system with many users defined, the use of * might result in a large amount of output and might not be useful to a user issuing the command. It might be more appropriate for the user to browse the output of IRRDBU00 (database unload) or to write a program to process the IRRDBU00 output and produce a report showing only the subset of information that is of interest to the user. The processing of output of LISTUSER by programs is not supported nor recommended by IBM®. If you want a listing of all the groups for use by a program you should instead have the program process the output from IRRDBU00, RACROUTE REQUEST=EXTRACT, or ICHEINTY.

The userid value or an asterisk (*) must be specified if you specify any other operand in the LISTUSER command, and must be the first operand following LISTUSER.

If you enter LISTUSER and specify one or more user IDs, or an asterisk (*), without specifying an additional operand, RACF lists only the BASE segment information from the specified profiles.

If you enter only LISTUSER, RACF lists only the BASE segment information from your own user profile.

Note: You cannot use the LISTUSER command for user IDs that have mixed-case characters, such as irrcerta, irrsitec, and irrmulti (which are associated with digital certificates).
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid ...)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid ...)
LISTUSER is not eligible for automatic command direction. If you specify the ONLYAT keyword, the effect is the same as if you specified the AT keyword.
CICS
Specifies that you want to list the information contained in the CICS segment of the user's profile.
The details RACF lists from the CICS segment of the user's profile are:
  • The classes assigned to this operator to which BMS messages are sent.
    Note: The values of the classes are listed in a three-digit format, even though a maximum of two digits are used to define the value.
  • Whether the operator is forced off when an XRFSOFF takeover occurs.
  • The operator identification.
  • The priority of the operator.
  • The time in hours and minutes that the operator is allowed to be idle before being signed off.
  • Resource security level (RSL) keys, if any are assigned to the user. If 99 is displayed, this indicates that all RSL keys are assigned to the user (1 - 24, inclusive). If 0 is displayed, no RSL keys are assigned to the user.
  • Transaction security level (TSL) keys, if any are assigned to the user. If 99 is displayed, this indicates that all TSL keys are assigned to the user (1 - 64, inclusive). If 0 is displayed, no TSL keys are assigned to the user.
CSDATA
Specifies that you want to list custom field information for this user. The custom field information in the CSDATA segment for this user was added using the ADDUSER and ALTUSER commands.

Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.

DCE
Specifies that you want to list the information contained in the DCE segment of the user's profile.
The details that RACF lists from the DCE segment are:
  • The DCE universal unique identifier
  • The DCE principal name
  • The DCE home cell name
  • The DCE home cell universal unique identifier
  • The DCE AUTOLOGIN indicator.

If there is no DCENAME or HOMECELL for this segment, the field name is not displayed. However, if UUID or HOMEUUID was not specified when the DCE segment was added to the user profile, the word NONE appears in the listing.

DFP
Specifies that you want to list the information contained in the DFP segment of the user's profile.
The details RACF lists from the DFP segment of the user's profile are:
  • The user's default data class
  • The user's default management class
  • The user's default storage class
  • The data management data application for the user.
EIM
Specifies that the Enterprise Identity Mapping (EIM) segment information should be listed.
KERB
Specifies that you want to list the information contained in the KERB segment of the user's profile.
The details that RACF lists from the KERB segment of the user's profile are:
  • The encryption value settings (ENCRYPT values or NOENCRYPT)
  • The local kerberos-principal-name (KERBNAME)
  • The max-ticket-life associated with this local principal (MAXTKTLFE)
  • The current z/OS Network Authentication Service key version (KEY VERSION)
  • The authenticator used to generate the current user's z/OS Network Authentication Service keys (KEY FROM)
    • When PASSWORD is displayed, the current keys were derived from the user's password.
    • When PHRASE is displayed, the current keys were derived from the user's password phrase.
LANGUAGE
Specifies that you want to list the information contained in the LANGUAGE segment of the user's profile.

The 3-character language code and, if defined, the 24-character language name are displayed. NOT SPECIFIED indicates that no language has been specified.

If the code is displayed without a name, one of the following is true:
  • The MVS message service was not active
  • The language was not active.
If the language code equals the language name, one of the following is true:
  • There was no language name defined on your system
  • The language name was defined to be the same as the language code.
The details RACF lists from the LANGUAGE segment of the user's profile are:
  • The user's primary language, if one has been specified
  • The user's secondary language, if one has been specified.
LNOTES
Specifies that you want to list the information for the Lotus® Notes® for z/OS short-name, which is contained in the LNOTES segment of the user's profile.
MFA
Specifies that multi-factor authentication information should be listed for the user. The MFA keyword is ignored when NORACF is specified.
NDS
Specifies that you want to list the information for the Novell Directory Services for OS/390® user-name, which is contained in the NDS segment of the user's profile.
NETVIEW
Specifies that you want to list the information contained in the NETVIEW segment of the user's profile.
The details RACF lists from the NETVIEW segment of the user's profile are:
  • The command or command line to be processed by NetView® for this operator
  • The default MCS console identifier
  • Whether security checking should be done for this NetView operator
  • Whether this operator can receive unsolicited messages
  • The count of operator class values
  • The list of NetView scope classes for which this operator has authority
  • The number of domains this NetView operator controls
  • The list of identifiers of NetView programs in another NetView domain for which this operator has authority
  • Whether this operator has administrator authority to the NetView Graphic Monitor Facility (NGMF).

If there is no information in the fields of the NETVIEW segment, the field name is not displayed (with the exception of SIZE, MAXSIZE, and USERDATA).

NORACF
Specifies that you want to suppress the listing of BASE segment information from the user's profile.

If you specify NORACF, you must also specify at least one segment name.

The information displayed as a result of using the NORACF operand is dependent on other operands used in the command. For example, if you use NORACF with TSO or DFP also specified, only that information (TSO or DFP) is displayed. User profiles that do not have at least one of the specified segments appear in the command output.

When you specify an asterisk (*) in place of the user ID, only user profiles with at least one of the specified segments appear in the command output. (See userid for an important note about specifying an asterisk with the LISTUSER command.)

If you do not specify NORACF, RACF displays the information in the BASE segment of a user profile.

OMVS
Specifies that you want to list the information contained in the OMVS segment of the user's profile.
The details RACF lists from the OMVS segment are:
  • The user identifier
  • The initial directory path name
  • The program path name
  • The CPU time, in seconds, the user's processes can use
  • The address space region size, in bytes, the user's processes can use
  • The maximum number of active or open files the user can have
  • The maximum number of active processes the user can have
  • The maximum number of threads the user can have
  • The maximum amount of space, in pages, the user can map in storage.
Note: If CPUTIMEMAX, ASSIZEMAX, FILEPROCMAX, PROCUSERMAX, THREADSMAX, or MMAPAREAMAX is not specified, or is removed with the ALTUSER command, the word NONE appears in the listing. In such situations, z/OS UNIX uses its system level values for limit values.

If there is no HOME or PROGRAM information, the field name is not displayed. However, the word NONE appears in the listing if the UID was not specified, or if the UID was removed using the NOUID operand on the ALTUSER command.

OPERPARM
Specifies that you want to list the information contained in the OPERPARM segment of the user's profile.
The details RACF lists from the OPERPARM segment of the user's profile are:
  • The alternate console group (ALTGRP)
  • The operator authority (AUTH)
  • Whether the console receives messages that can be automated in a sysplex environment.
  • The system name for commands from this console (CMDSYS)
  • Whether, and what kind of, delete operator messages are received (DOM)
  • The searching key (KEY)
  • The message level information (LEVEL)
  • Whether system command responses are logged (LOGCMDRESP)
  • The message format (MFORM)
  • Whether this console is assigned a migration ID (MIGID)
  • Event information (MONITOR)
  • The systems this console can receive undirected messages from (MSCOPE)
  • Routing code information (ROUTCODE)
  • Storage information (STORAGE)
  • Whether this console receives undeliverable messages (UD).

If there is no information in a field in the user's profile for this segment, the field name is not displayed. However, if no value was specified for STORAGE when the OPERPARM segment was added to the user profile, STORAGE=0 appears in the listing.

OVM
Specifies that you want to list the information contained in the OVM segment of the user's profile.
The details that RACF lists from the OVM segment are the z/OS UNIX System Services user's:
  • User identifier
  • Initial directory path name
  • Program path name
  • File system root name.

If there is no HOME, PROGRAM, or FSROOT information, the field name is not displayed. However, the word NONE appears in the listing if the UID was not specified, or if the UID was removed using the NOUID operand on the ALTUSER command.

PROXY
Specifies that PROXY segment information should be listed.

The BINDPW password value will not be listed. If a BINDPW password value is defined for a user, LISTUSER will display YES for the PROXY segment BINDPW attribute. If no BINDPW password value has been defined, LISTUSER will display NO for the PROXY segment BINDPW attribute.

TSO
Specifies that you want to list the information contained in the TSO segment of the user's profile.
The details RACF lists from the TSO segment of the user's profile are:
  • The user's default account number when logging on from the TSO/E logon panel
  • The destination ID for SYSOUT data sets
  • The user's default HOLDCLASS
  • The user's default JOBCLASS
  • The user's default MSGCLASS
  • The user's default SYS
  • The maximum region size
  • The default region size
  • The logon procedure name
  • The unit name
  • The optional user data
  • The user's security label
  • The default command to be run during the TSO/E logon.

If there is no information in the fields of the TSO segment, the field name is not displayed (with the exception of SIZE, MAXSIZE, and USERDATA).

WORKATTR
Specifies that you want to list the information contained in the WORKATTR segment of the user's profile.
The details RACF lists for the distribution information from the user's WORKATTR segment are:
  • The name of the user (WANAME)
  • The building (WABLDG)
  • The department (WADEPT)
  • The room (WAROOM)
  • Up to four additional lines of output distribution information (WAADDRn)
  • An account number for APPC/MVS processing (WAACCNT).
  • An e-mail address for the user (WAEMAIL).

Examples

Example Activity label Description
1 Operation User DAF0 wants to list the user attributes from the BASE segment of her user profile.
Known User DAF0 is RACF-defined. User DAF0 wants to issue the command as a RACF TSO command.
Command LISTUSER
Defaults DAF0 (userid)
Output See Figure 1.
2 Operation User CALTMANN wants to list the user attributes from the BASE segment of profiles for users IBMUSER, CALTMANN, and DAF0.
Known User CALTMANN has the SPECIAL and AUDITOR attributes. User CALTMANN wants to issue the command as a RACF TSO command.
Command LISTUSER (IBMUSER CALTMANN DAF0)
Defaults None.
Output See Figure 2.
3 Operation User ADM1 wants to list the user attributes from the BASE segment and TSO segment of the profile for user DAF0.
Known User ADM1 has the SPECIAL and AUDITOR attributes.

User DAF0 is defined to RACF with authority to use TSO.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 TSO
Defaults None.
Output See Figure 3.
4 Operation User ADM1 wants to list the user attributes from only the TSO segment of the profile for user DAF0.
Known User ADM1 has the SPECIAL and AUDITOR attributes.

User DAF0 is defined to RACF with authority to use TSO.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 NORACF TSO
Defaults None.
Output See Figure 4.
5 Operation User ADM1 wants to list the user attributes from the BASE segment and DFP segment of the profile for user DAF0.
Known User ADM1 has the SPECIAL and AUDITOR attributes.

User DAF0 is defined to RACF and DAF0's profile contains a DFP segment.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 DFP
Defaults None.
Output See Figure 5.
6 Operation User ADM1 wants to list the user attributes from only the DFP segment of the profile for user DAF0.
Known User ADM1 has the SPECIAL and AUDITOR attributes.

User DAF0 is defined to RACF and DAF0's profile contains a DFP segment.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 NORACF DFP
Defaults None.
Output See Figure 6.
7 Operation User ADM1 wants to list the user attributes from only the CICS segment of the profile for user DAF0.
Known User DAF0 is defined to RACF and DAF0's profile contains a CICS segment.

User running CICS in a distributed environment.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 NORACF CICS
Defaults None.
Output See Figure 7.
8 Operation User ADM1 wants to list the user attributes from only the LANGUAGE segment of the profile for user DAF0.
Known User ADM1 has the SPECIAL and AUDITOR attributes.

User DAF0 is defined to RACF and DAF0's profile has American English (language code ENU) defined as her primary language and German (language code DEU) defined as her secondary language.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 NORACF LANGUAGE
Defaults None.
Output See Figure 8.
9 Operation User ADM1 wants to list the user attributes from only the OPERPARM segment of the profile for user DAF0.
Known User ADM1 has the SPECIAL and AUDITOR attributes.

User DAF0 is defined to RACF and DAF0's profile contains an OPERPARM segment.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER DAF0 NORACF OPERPARM
Defaults None.
Output See Figure 9.
10 Operation User ADM1 wants to list the user attributes from the OMVS segment of the profile for user CSMITH.
Known User ADM1 has the SPECIAL attribute.

User CSMITH is defined to RACF and CSMITH's profile contains an OMVS segment.

User ADM1 wants to issue the command as a RACF TSO command.

Command LISTUSER CSMITH OMVS NORACF
Defaults None.
Output See Figure 10.
11 Operation User ADM1 wants to list the user attributes from the OMVS segment of the profile for user CSMITH.
Known User ADM1 has the SPECIAL attribute.

User CSMITH is defined to RACF and CSMITH's profile contains an OMVS segment, but there was no value specified for HOME or PROGRAM in the OMVS segment for this profile. Defaults were used.

User ADM1 wants to issue the command as a RACF TSO command.

Note: If the user also has no user limits because the defaults were taken, CPUTIMEMAX, ASSIZEMAX, FILEPROCMAX, PROCUSERMAX, THREADSMAX, and MMAPAREAMAX will display NONE as their value.
Command LISTUSER CSMITH OMVS NORACF
Defaults None.
Output See Figure 11.
12 Operation User ADM1 wants to list the DCE segment for user CSMITH.
Known User ADM1 has the SPECIAL attribute.
Command LISTUSER CSMITH NORACF DCE
Defaults None.
Output See Figure 12.
13 Operation A security administrator lists the KERB segment of the altered RACF user profile for RONTOMS.
Known The administrator wants to list the information contained in the KERB segment of the altered RACF user profile.
Command LISTUSER RONTOMS NORACF KERB
Defaults None.
Output See Figure 13.
14 Operation A security administrator lists the PROXY segment of the altered RACF user profile for MRSERVER.
Known The administrator wants to list the information contained in the PROXY segment of the altered RACF user profile.
Command LISTUSER MRSERVER PROXY NORACF
Defaults None.
Output See Figure 14.
15 Operation A security administrator lists the EIM segment of the RACF user profile for KCROVE.
Known User ADM1 has the SPECIAL attribute.
Command LISTUSER KCROVE EIM NORACF
Defaults None.
Output See Figure 15.
16 Operation User ADM1 wants to list the status of the RACF user profile for UPWENV who has an enveloped password and an enveloped password phrase.
Known User ADM1 has the SPECIAL attribute. User UPWENV does not have the PROTECTED attribute.
Command LISTUSER UPWENV
Defaults None.
Output See Figure 16.
17 Operation User SECADM wants to list the custom field information for user ANDREW.
Known User SECADM has the SPECIAL attribute.
Command LISTUSER ANDREW CSDATA NORACF
Output See Figure 17.
18 Operation User ADM1 wants to list the factor tags for user USER01.
Known User ADM1 has the SPECIAL attribute.
Command LISTUSER USER01 MFA
Output See Figure 18.
Figure 1. Example 1: Output for LISTUSER
 LISTUSER
USER=DAF0     NAME=D.M.BROWN  OWNER=IBMUSER  CREATED=05.228
 DEFAULT-GROUP=RESEARCH  PASSDATE=05.228  PASS-INTERVAL= 30 PHRASEDATE=05.231
 PHRASE-INTERVAL=00365
 PASSWORD ENVELOPED=NO
 ATTRIBUTES=ADSP
 ATTRIBUTES=PASSPHRASE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.228/13:31:11
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 --------------------------------------------
 ANYDAY                          ANYTIME
   GROUP=RESEARCH AUTH=JOIN    CONNECT-OWNER=IBMUSER   CONNECT-DATE=05.228
     CONNECTS=    01  UACC=READ    LAST-CONNECT=05.228/13:31:11
     CONNECT ATTRIBUTES=NONE
     REVOKE DATE=NONE   RESUME DATE=NONE
   GROUP=PAYROLLB AUTH=CREATE  CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.228
     CONNECTS=   00  UACC=READ    LAST-CONNECT=UNKNOWN
     CONNECT ATTRIBUTES=NONE
     REVOKE DATE=NONE   RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
Figure 2. Example 2: Output for LISTUSER (IBMUSER CALTMANN DAF0)
 LISTUSER (IBMUSER CALTMANN DAF0)
USER=IBMUSER  NAME=G. SMITH OWNER=IBMUSER  CREATED=05.163
 DEFAULT-GROUP=SYS1  PASSDATE=05.220  PASS-INTERVAL=N/A  PHRASEDATE=05.231
 PASSWORD ENVELOPED=NO
 ATTRIBUTES=SPECIAL OPERATIONS
 ATTRIBUTES=PASSPHRASE AUDITOR
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.146/15:45:23
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 --------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=SYS1      AUTH=JOIN    CONNECT-OWNER=IBMUSER  CONNECT-DATE=04.263
    CONNECTS=   456  UACC=READ    LAST-CONNECT=05.146/15:45:23
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
USER=CALTMANN  NAME=C. ALTMANN  OWNER=IBMUSER   CREATED=05.144
 DEFAULT-GROUP=RESEARCH  PASSDATE=00.000 PASS-INTERVAL=254 PHRASEDATE=05.231
 PASSWORD ENVELOPED=NO
 ATTRIBUTES=SPECIAL
 ATTRIBUTES=PASSPHRASE AUDITOR
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.146/16:16:14
 CLASS AUTHORIZATIONS=USER
 NO-INSTALLATION-DATA
 MODEL-NAME=ALLENA
 LOGON ALLOWED   (DAYS)          (TIME)
 --------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=RESEARCH  AUTH=JOIN    CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.144
    CONNECTS=    01  UACC=READ    LAST-CONNECT=05.146/16:16:14
    CONNECT ATTRIBUTES=OPERATIONS
    REVOKE DATE=NONE   RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
USER=DAF0     NAME=D.M.BROWN  OWNER=IBMUSER  CREATED=05.144
 DEFAULT-GROUP=RESEARCH  PASSDATE=00.000 PASS-INTERVAL=254 PHRASEDATE=05.231
 PASSWORD ENVELOPED=NO
 ATTRIBUTES=ADSP
 ATTRIBUTES=PASSPHRASE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.146/15:11:31
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 --------------------------------------------
 ANYDAY                          ANYTIME
  GROUP=RESEARCH  AUTH=JOIN    CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.144
    CONNECTS=    02  UACC=READ    LAST-CONNECT=05.146/15:11:31
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
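The Figure 2 listing shows two things an access review has to handle: user-level attributes are split across several ATTRIBUTES= lines, and group-level authority appears separately as CONNECT ATTRIBUTES under each GROUP entry. The following Python sketch is an added example, not part of the RACF documentation; it parses captured LISTUSER output and reports where SPECIAL, OPERATIONS or AUDITOR is held. The function names `parse_listuser` and `privileged_findings` are hypothetical, and the sample input is constructed from the figure.

```python
import re

PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # attributes this audit reports

# Constructed sample: lines from the Figure 2 listing, trimmed to the fields parsed here.
SAMPLE = """\
USER=IBMUSER  NAME=G. SMITH OWNER=IBMUSER  CREATED=05.163
 ATTRIBUTES=SPECIAL OPERATIONS
 ATTRIBUTES=PASSPHRASE AUDITOR
  GROUP=SYS1      AUTH=JOIN    CONNECT-OWNER=IBMUSER  CONNECT-DATE=04.263
    CONNECT ATTRIBUTES=NONE
USER=CALTMANN  NAME=C. ALTMANN  OWNER=IBMUSER   CREATED=05.144
 ATTRIBUTES=SPECIAL
 ATTRIBUTES=PASSPHRASE AUDITOR
  GROUP=RESEARCH  AUTH=JOIN    CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.144
    CONNECT ATTRIBUTES=OPERATIONS
USER=DAF0     NAME=D.M.BROWN  OWNER=IBMUSER  CREATED=05.144
 ATTRIBUTES=ADSP
 ATTRIBUTES=PASSPHRASE
  GROUP=RESEARCH  AUTH=JOIN    CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.144
    CONNECT ATTRIBUTES=NONE
"""

def parse_listuser(text):
    """Return {userid: {"attributes": set, "connects": {group: {"auth": str, "attributes": set}}}}."""
    users, user, group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"USER\s*=\s*(\S+)", line):
            user, group = users.setdefault(m.group(1), {"attributes": set(), "connects": {}}), None
        elif user is not None and (m := re.match(r"GROUP=(\S+)\s+AUTH=(\S+)", line)):
            group = user["connects"].setdefault(m.group(1), {"auth": m.group(2), "attributes": set()})
        elif group is not None and line.startswith("CONNECT ATTRIBUTES="):
            group["attributes"] |= set(line.split("=", 1)[1].split()) - {"NONE"}
        elif user is not None and line.startswith("ATTRIBUTES="):  # may repeat: merge the lines
            user["attributes"] |= set(line.split("=", 1)[1].split()) - {"NONE"}
    return users

def privileged_findings(users):
    """List (userid, scope, attribute) for each privileged attribute, system-wide or per group."""
    out = []
    for uid, prof in users.items():
        out += [(uid, "SYSTEM", a) for a in sorted(prof["attributes"] & PRIVILEGED)]
        for g, c in prof["connects"].items():
            out += [(uid, "GROUP " + g, a) for a in sorted(c["attributes"] & PRIVILEGED)]
    return out

if __name__ == "__main__":
    print(*privileged_findings(parse_listuser(SAMPLE)), sep="\n")
```

On the sample, CALTMANN is reported for OPERATIONS at the group level on RESEARCH in addition to system-wide SPECIAL and AUDITOR, a finding that a scan of only the ATTRIBUTES= lines would miss.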
Figure 3. Example 3: Output for LISTUSER DAF0 TSO
 LISTUSER DAF0 TSO
USER=DAF0     NAME=D.M.BROWN  OWNER=IBMUSER  CREATED=05.228
 DEFAULT-GROUP=RESEARCH  PASSDATE=05.231 PASS-INTERVAL=30  PHRASEDATE=05.231
 PASSWORD ENVELOPED=NO
 ATTRIBUTES=ADSP
 ATTRIBUTES=PASSPHRASE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.228/13:31:11
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 --------------------------------------------
 ANYDAY                          ANYTIME
   GROUP=RESEARCH AUTH=JOIN    CONNECT-OWNER=IBMUSER   CONNECT-DATE=05.228
     CONNECTS=    01  UACC=READ    LAST-CONNECT=05.228/13:31:11
     CONNECT ATTRIBUTES=NONE
     REVOKE DATE=NONE   RESUME DATE=NONE
   GROUP=PAYROLLB AUTH=CREATE  CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.228
     CONNECTS=   00  UACC=READ    LAST-CONNECT=UNKNOWN
     CONNECT ATTRIBUTES=NONE
     REVOKE DATE=NONE   RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
 TSO INFORMATION
 ---------------
  ACCTNUM= P00F1V
  HOLDCLASS= H
  JOBCLASS= I
  MSGCLASS= A
  PROC= V0LOGON
  SIZE= 00001024
  MAXSIZE= 00002048
  SYSOUTCLASS = A
  UNIT= SYSDA
  USERDATA= 0000
Figure 4. Example 4: Output for LISTUSER DAF0 NORACF TSO
 LISTUSER DAF0 NORACF TSO
USER=DAF0
 TSO INFORMATION
  ACCTNUM= P00F1V
  HOLDCLASS= H
  JOBCLASS= I
  MSGCLASS= A
  PROC= V0LOGON
  SIZE= 00001024
  MAXSIZE= 00002048
  SYSOUTCLASS = A
  UNIT= SYSDA
  USERDATA= 0000
Figure 5. Example 5: Output for LISTUSER DAF0 DFP
 LISTUSER DAF0 DFP
USER=DAF0     NAME=D.M.BROWN  OWNER=IBMUSER  CREATED=05.228 
 DEFAULT-GROUP=RESEARCH  PASSDATE=05.228  PASS-INTERVAL=30 PHRASEDATE=05.231
 PASSWORD ENVELOPED=NO
 ATTRIBUTES=ADSP
 ATTRIBUTES=PASSPHRASE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=05.228/13:31:11
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)          (TIME)
 --------------------------------------------
 ANYDAY                          ANYTIME
   GROUP=RESEARCH AUTH=JOIN    CONNECT-OWNER=IBMUSER   CONNECT-DATE=05.228
     CONNECTS=    01  UACC=READ    LAST-CONNECT=05.228/13:31:11
     CONNECT ATTRIBUTES=NONE
     REVOKE DATE=NONE   RESUME DATE=NONE
   GROUP=PAYROLLB AUTH=CREATE  CONNECT-OWNER=IBMUSER  CONNECT-DATE=05.228
     CONNECTS=   00  UACC=READ    LAST-CONNECT=UNKNOWN
     CONNECT ATTRIBUTES=NONE
     REVOKE DATE=NONE   RESUME DATE=NONE
 SECURITY-LEVEL=NONE SPECIFIED
 CATEGORY-AUTHORIZATION
  NONE SPECIFIED
 SECURITY-LABEL=NONE SPECIFIED
 DFP INFORMATION
 ---------------
  MGMTCLAS= DFP5MGMT
  STORCLAS= DFP5STOR
  DATACLAS= DFP5DATA
  DATAAPPL= DFP5APPL
Figure 6. Example 6: Output for LISTUSER DAF0 NORACF DFP
 LISTUSER DAF0 NORACF DFP
USER=DAF0
DFP INFORMATION
---------------
 MGMTCLAS= DFP5MGMT
 STORCLAS= DFP5STOR
 DATACLAS= DFP5DATA
 DATAAPPL= DFP5APPL
Figure 7. Example 7: Output for LISTUSER DAF0 NORACF CICS
 LISTUSER DAF0 NORACF CICS
USER=TEST
CICS INFORMATION
----------------
 OPCLASS=001 
 OPIDENT= ID2
 OPPRTY= 00010
 TIMEOUT= 02:30 (HH:MM)
 XRFSOFF= NOFORCE
 RSLKEYS= 00001 00003 00005 00007 00009 00011 00002
 00018 00016 00014 00012 00023 00021 00019
 00017 00015 00013
 TSLKEYS= 00001 00003 00005 00007 00009 00011 00002
 00004 00006 00008 00010 00024 00022 00020
 00018 00016 00014 00012 00023 00021 00019
 00038 00035 00036 00032 00064 00041 00063
 00043 00048 00051 00042 00055 00062 00044
 00061 00060 00059 00058
Figure 8. Example 8: Output for LISTUSER DAF0 NORACF LANGUAGE
 LISTUSER DAF0 NORACF LANGUAGE
USER=DAF0
LANGUAGE INFORMATION
--------------------
 PRIMARY LANGUAGE: ENU
 SECONDARY LANGUAGE: DEU
READY
Figure 9. Example 9: Output for LISTUSER DAF0 NORACF OPERPARM
  LU DAF0 NORACF OPERPARM
 USER=DAF0
 OPERPARM INFORMATION
 --------------------
  STORAGE= 00002
  AUTH= IO
  ROUTCODE= ALL
  LEVEL= ALL
  MFORM= T J M
  MONITOR= JOBNAMEST SESST
  MIGID= YES
  DOM= NORMAL
  KEY= MCS2
  CMDSYS= SYS1
  MSCOPE= *ALL
  UD= YES
  HC= YES
  INTIDS= YES
  UNKNIDS= YES
READY
Note: With the exception of the STORAGE operand, if a field has no value in the OPERPARM segment, no value appears for the field in the listing. If there is an OPERPARM segment and the storage is not specified, 00000 appears in the listing. When an extended MCS console session is established, the value for STORAGE is 1.
Figure 10. Example 10: Output for listing OMVS user information
LISTUSER CSMITH OMVS NORACF
USER = CSMITH
OMVS INFORMATION
----------------
 UID= 0000000024
 HOME= /u/CSMITH
 PROGRAM= /u/CSMITH/bin/myshell
 CPUTIMEMAX= 0010000000
 ASSIZEMAX= NONE
 FILEPROCMAX= 0000050000
 PROCUSERMAX= NONE
 THREADSMAX= NONE
 MMAPAREAMAX= 0016777216
Figure 11. Example 11: Output for LISTUSER CSMITH OMVS NORACF (Using Defaults)
 LISTUSER CSMITH OMVS NORACF
 USER=CSMITH
 OMVS INFORMATION
 ----------------
  UID= 0000000024
  CPUTIMEMAX= NONE
  ASSIZEMAX= NONE
  FILEPROCMAX= NONE
  PROCUSERMAX=NONE
  THREADSMAX= NONE
  MMAPAREAMAX= NONE
Figure 12. Example 12: Output for LISTUSER CSMITH NORACF DCE
 LISTUSER CSMITH NORACF DCE
 USER=CSMITH
 DCE INFORMATION
 ---------------
  UUID= 004386ea-ebb6-lec3-bcae-10005ac90feb
  DCENAME= charlie
  HOME CELL UUID= 003456aab-ecb7-7de3-ebda-95531ed63dae
  HOME CELL= /.../hootie.scarol.ibm.com
  DCE AUTOLOGIN= NO
Figure 13. Example 13: Output for LISTUSER RONTOMS NORACF KERB
LISTUSER RONTOMS NORACF KERB
USER=RONTOMS
KERB INFORMATION
----------------
 KERBNAME= KerberizedUser
 KEY FROM= PASSWORD
 KEY VERSION= 001
 KEY ENCRYPTION TYPE= DES DES3 DESD AES128 AES256 AES128SHA2 AES256SHA2
Figure 14. Example 14: Output for LISTUSER MRSERVER PROXY NORACF
LISTUSER MRSERVER PROXY NORACF
USER=MRSERVER
PROXY INFORMATION
-----------------
 LDAPHOST= LDAP://SOME.LDAP.HOST:389 
 BINDDN= cn=Joe User,ou=Poughkeepsie,o=IBM,c=US 
 BINDPW= YES
Figure 15. Example 15: Output for LISTUSER KCROVE EIM NORACF
LISTUSER KCROVE EIM NORACF
USER=MRSERVER 
EIM INFORMATION
---------------
 LDAPPROF= EIMDOMAINALOOKUP
Figure 16. Example 16: Output for LISTUSER indicating that the user's password and password phrase are each enveloped
 LISTUSER UPWENV
USER=UPWENV  NAME=GREGOR  OWNER=IBMUSER   CREATED=05.161
 DEFAULT-GROUP=SYS1      PASSDATE=00.000  PASS-INTERVAL=254 PHRASEDATE=05.231
 PASSWORD ENVELOPED=YES
 PHRASE ENVELOPED=YES
 ATTRIBUTES=PASSPHRASE
⋮
Figure 17. Example 17: Output for listing CSDATA user information
 LISTUSER ANDREW CSDATA NORACF
USER=ANDREW 
CSDATA INFORMATION 
-------------------------------------- 
 ACTIVE= NO
 HOME ADDRESS= 14 Main Street, Anywhere, IL 01234 
 EMPLOYEE CODE= FC01B2D8
 EMPLOYEE SERIAL= 0000256400
 HOME PHONE= 555-555-5555
Figure 18. Example 18: Output for LISTUSER MFA when MFA information exists
LISTUSER USER01 MFA
USER=USER01
---------------------------------------
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
AUTHENTICATION POLICIES =
  RSAANDPASS
  TTANDPASS
FACTOR = AZFSIDP1
  STATUS = ACTIVE
  FACTOR TAGS =
    SIDUSERID:joeyuser
FACTOR = AZFTOTP1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:PROVISIONED