LISTDSD (List data set profile)
Purpose
Use the LISTDSD command to list information included in tape and DASD data set profiles. A data set profile consists of a BASE segment and, optionally, a DFP or TME segment. The LISTDSD command provides you with the option of listing information contained in the entire data set profile (all segments), or listing the information contained only in a specific segment of the profile.
You can request the details for any number of profiles by giving the full name of each profile. You can also request the details for all profiles whose names are qualified by specific user IDs, group names, or character strings.
You can use the LISTDSD command to cause the changes to go into effect for the generic profiles after issuing the ADDSD, ALTDSD, or DELDSD commands. LISTDSD places a new copy of the profile in the user's address space.
- The level
- The owner
- The type of access attempts (as specified by the AUDIT operand on the ADDSD or ALTDSD command) that are being logged on the SMF data set
- The universal access authority
- Your highest level of access authority
- The group under which the profile was created
- The data set type (tape, VSAM, non-VSAM, or MODEL)
- The retention period for a tape data set
- The type of access attempts (as specified by the GLOBALAUDIT operand on the ALTDSD command) that are being logged on the SMF data set (for auditors only)
- The volume serial number (volser) of the volume on which the data set resides.
For both a single volume and multivolume VSAM data set, the volser represents the volume containing the catalog entry for the data set.
For a non-VSAM data set, the volser represents the volume containing the data set itself. If it is a multivolume non-VSAM data set, a list of volsers is given. The list represents the volumes on which the protected data set resides. They are listed in the order in which they were defined.
- Unit information for the data set (if unit information had been specified in the UNIT operand on the ADDSD or ALTDSD command)
- Installation-defined data as specified on the DATA operand of the ADDSD or ALTDSD command.
Note: If your installation is running with maximum security (that is, with SETROPTS MLSTABLE, MLS, MLACTIVE, and SECLABELCONTROL all active and the SECLABEL class active), this information is listed only for those with SPECIAL. If you are not SPECIAL, the following text appears in your output in the installation data field:
* SUPPRESSED *
- Historical data, such as the date the data set was:
- Defined to RACF
- Last referenced
- Last updated
For additional information, see the HISTORY operand.
- The number of times the data set was accessed by all users for each of the following access authorities:
- ALTER, CONTROL, UPDATE, READ, EXECUTE.
For additional information, see the STATISTICS operand.
Note: These details are not meaningful if resource statistics gathering is bypassed at your installation. For a generic profile, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE.
- The standard access list, which displays:
- All users and groups authorized to access the data set
- The level of authority for each user and group
- The number of times each user has accessed the data set
For additional information, see the AUTHUSER operand.
- The conditional access list, which displays the same fields as the standard access list as well as the following fields:
- The class of the resource
- The entity name of the resource
For additional information, see the AUTHUSER operand.
- The following information:
- The user categories authorized to access the data set
- The security level required to access the data set
- The security label required to access the data set
For additional information, see the AUTHUSER operand.
- The details RACF lists from the DFP segment of the profile:
- The user ID or group name of the data set resource owner
- The default CKDS label to associate with a data set at allocation time
- The details RACF lists from the TME segment of the profile:
- The roles and associated access levels
- The details RACF lists from the CSDATA segment of the data set profile:
- The list of custom fields that your installation has added to this data set.
- If 70 < yy <= 99, the date is interpreted as 19yy.
- If 00 <= yy <= 70, the date is interpreted as 20yy.
Issuing options
The following table identifies the eligible options for issuing the LISTDSD command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | No | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To list a general resource profile, see RLIST (List general resource profile). (General resources include terminals and other resources defined in the class descriptor table.)
- To list a user profile, see LISTUSER (List user profile).
- To list a group profile, see LISTGRP (List group profile).
- To obtain a list of data set profiles, see SEARCH (Search RACF database).
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
- You have the SPECIAL attribute.
- The profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the OPERATIONS attribute.
- The profile is within the scope of a group in which you have the group-OPERATIONS attribute.
- The high-level qualifier of the profile name (or the qualifier supplied by a command installation exit) is your user ID.
- You are the owner of the profile.
- You are on the profile's access list with at least READ authority. (If your level of authority is NONE, the data set is not listed.)
- Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list and has at least READ authority.
- The universal access authority is at least READ.
- You have at least READ access for the profile name from the GLOBAL ENTRY TABLE (if this table contains an entry for the profile).
- You have the AUDITOR or the ROAUDIT attribute.
- The data set profile is within the scope of a group in which you have the group-AUDITOR attribute.
To display the type of access attempts (as specified by the GLOBALAUDIT operand on the ALTDSD command) that are being logged on the SMF data set, you must have the AUDITOR or ROAUDIT attribute, or the profile must be within the scope of a group in which you have the group-AUDITOR attribute.
- You have the SPECIAL attribute.
- You have the OPERATIONS attribute.
- You have the AUDITOR or the ROAUDIT attribute.
- The profile is within the scope of a group in which you have the group-SPECIAL attribute.
- The profile is within the scope of a group in which you have the group-OPERATIONS attribute.
- The data set profile is within the scope of a group in which you have the group-AUDITOR attribute.
- The high-level qualifier of the profile name (or the qualifier supplied by a command installation exit) is your user ID.
- You are the owner of the profile.
- You have ALTER access for the profile name from the GLOBAL ENTRY TABLE (if this table contains an entry for the profile).
- For a discrete profile, you are on the profile's access list with ALTER authority. (If you have any other level of authority, you cannot use the operand.)
- For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list and has ALTER authority.
- For a discrete profile, the universal access authority is ALTER.
Profiles that contain inactive security labels may not be listed if SETROPTS SECLBYSYSTEM is active because only users with SPECIAL, AUDITOR, or ROAUDIT authority are allowed to view inactive security labels.
- You have the SPECIAL, AUDITOR, or ROAUDIT attribute.
- You have at least READ authority to the desired field within the segment through field-level access control.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the LISTDSD command is:
[subsystem-prefix]{LISTDSD | LD}
  [ ALL ]
  [ AT([node].userid ...) | ONLYAT([node].userid ...) ]
  [ AUTHUSER ]
  [ CSDATA ]
  [ { DATASET(profile-name ...) | ID(name ...) | PREFIX(char ...) } ]
  [ DFP ]
  [ DSNS ]
  [ GENERIC | NOGENERIC ]
  [ HISTORY ]
  [ NORACF ]
  [ STATISTICS ]
  [ TME ]
  [ VOLUME(volume-serial ...) ]
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- ALL
- Specifies that you want RACF to display all information for each data set.
The access list is included only if you have sufficient authority to use the AUTHUSER operand (see Authorization required). The type of access attempts (as specified by the GLOBALAUDIT operand on the ALTDSD command) that are being logged on the SMF data set is included only if you have the AUDITOR, ROAUDIT, or group-AUDITOR attribute.
The DFP and TME segments must be requested explicitly.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- LISTDSD is not eligible for automatic command direction. If you specify the ONLYAT keyword, the effect is the same as if you specified the AT keyword.
- AUTHUSER
- Specifies that you want the following information included in the output:
- The user categories authorized to access the data set
- The security level required to access the data set
- The security label required to access the data set
- The standard access list. This contains the following:
- All users and groups authorized to access the data set
- The level of authority for each user and group
- The number of times each user has accessed the data set. This detail is only meaningful when your installation is gathering resource statistics. This detail is not included in the output for generic profiles.
- The conditional access list. This list consists of the same fields as in the standard access list, as well as the following fields:
- The class of the resource through which each user and group can access the data set. For example, if a user can access the data set through terminal TERM01, then TERMINAL would be the class listed.
- The entity name of the resource through which each user and group can access the data set. In the preceding example, TERM01 would be listed.
You must have sufficient authorization to use the AUTHUSER operand (see Authorization required).
- CSDATA
- Specifies that you want to list custom field information for this data set profile. The custom field information in the CSDATA segment for this data set profile was added using the ADDSD and ALTDSD commands.
If you specify CSDATA you must also specify a data set profile or *.
Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
- DATASET | ID | PREFIX
- DATASET(profile-name ...)
- Specifies the names of one or more data sets whose profiles RACF is to list. If a specified name appears more than once in the RACF database, LISTDSD displays information about all the profiles with that name to which you have proper authority.
The data set name you specify must be enclosed in single quotation marks unless it is your own data set.
Because RACF uses the RACF database and not the catalog when searching for data set profiles, you cannot use alias data set names.
Note that if you are using naming convention processing, either through the naming convention table or an exit, the name you type might not be the same as the name that appears in the output.
- ID(name ...)
- Specifies one or more user IDs or group names. All users and groups must be defined to RACF. Details are listed for all discrete and generic profiles that have the specified user IDs or group names as the high-level qualifier name (or as the qualifier supplied by a command installation exit).
If you do not specify DATASET, PREFIX, or ID, RACF uses your user ID as the default value for the ID operand.
- PREFIX(char ...)
- Specifies one or more character strings. Details are listed for all profiles whose names begin with the specified character strings.
Note that comparison between the character strings and the profile names is not limited to the high-level qualifier. For example, if you specify PREFIX(A.B.C), RACF would display information for profiles such as A.B.C, A.B.CAD, and A.B.C.X.
- DFP
- Specifies that for a DFP-managed data set, you want to list the user ID or group name designated as the data set resource owner and the default CKDS label to be associated with a data set at allocation time. (The data set resource owner, or RESOWNER, is distinguished from the OWNER, which represents the user or group that owns the data set profile.)
- DSNS
- Specifies that you want to list the cataloged data sets protected by the profile specified by the DATASET, ID, or PREFIX operand.
Only data sets cataloged in an Integrated Catalog Facility (ICF) catalog are listed.
Affected tape data sets are listed, regardless of what is specified for SETROPTS TAPEDSN, or whether the TAPEVOL class is active.
When data and index components of VSAM clusters are listed, they are followed by (D) or (I), respectively.
This operand might give unpredictable results if one of the following is true:
- You are using naming convention processing, either through the naming convention table or an exit, to modify data set names so they are protected by different profiles.
- You are using the PREFIX operand of SETROPTS to provide a high-level qualifier for data sets that have only one level in their names.
- There are migrated items in the list and either information about the item cannot be obtained from the migration facility or the migration facility is not available. In these cases, RACF cannot verify that the item is protected by the input profile and the migrated item is included in the list and is followed by the ? character. Whenever these items are included in the list, the following message appears at the end of the list to explain the ? character.
? = Migrated and unable to verify protection
Note:
- If a migrated cluster name appears in the list, but it has an alternate index or path, information on its data or index names is unavailable without recalling the cluster. This message appears after the cluster name:
** Migrated cluster component information ** not available without recall.
- If a migrated cluster name appears in the list and LISTDSD cannot obtain the index and data names due to a migration facility error, this message appears after the cluster name:
** Migrated cluster component information ** not available.
- If the name of a non-migrated cluster appears in the list and RACF is unable to obtain the data and index names specifically through this item, this message appears after the cluster name:
** Cluster component information ** not available.
- If the LISTDSD processor could not obtain all the information on one of the data sets potentially protected by the input profile, it includes the data set in the command output, but follows it with this message:
** Data set information not available.(x)
It is likely that this condition occurred because the data set was deleted between the time the LISTDSD DSNS processor first found the names of all the data sets potentially protected by the input profile and the time it processed that particular data set. If that is the case, ignore that data set entry. If that is not the case, issue the LISTDSD command again and if the additional message still appears, contact IBM® support; (x) is a numeric value that denotes diagnostic information used by IBM support.
- The LISTDSD command processor does not include the following items in the output list of protected data sets:
- master catalog
- alternate index (AIX®) and its components
- catalogs
- GENERIC | NOGENERIC
- GENERIC
- Specifies that RACF is to list only information for the generic profiles. If you specify GENERIC with DATASET, RACF lists information for generic profiles whose names most closely match the data set names you specify.
GENERIC, when specified with DATASET, causes changes to take effect after adding, changing, or deleting generic profiles. It places a fresh copy of the profile in the command user's address space.
- NOGENERIC
- Specifies that RACF is to list only information for discrete profiles.
Note:
- If you specify ID or PREFIX but omit GENERIC and NOGENERIC, RACF lists information for all discrete and generic profiles of the data sets owned or represented by the names specified in the command. For example, if you enter the following command:
LISTDSD ID(SMITH)
RACF lists all data set profiles for user ID SMITH.
- If you specify the DATASET operand but omit GENERIC and NOGENERIC, RACF lists information for the discrete profile, if it exists, and the fully qualified generic profile if it exists, or the generic profile that is not fully qualified, if its name, including all its qualifiers, matches the name specified on the command. For example, if you enter the following command:
LISTDSD DATASET('XXX.YYY','AA.*')
RACF lists information for the discrete profile XXX.YYY, if it exists, the fully qualified generic profile XXX.YYY if it exists, and the generic profile AA.* if it exists.
- If you specify DATASET with a fully qualified name for a data set that is protected by a generic profile that is not fully qualified, information for this profile can be listed only when GENERIC is specified.
If you specified DATASET without GENERIC and NOGENERIC and you received an informational message (No RACF description found.) for one of the specified fully qualified names, you might want to retry the command on this name using GENERIC, because it is possible that this data set is protected by a generic profile that is not fully qualified.
For example, data set BBB.CCC is protected by a generic profile BBB.*. If you enter the following command:
LISTDSD DATASET('BBB.CCC')
RACF lists information only if there is a discrete profile BBB.CCC, or a fully qualified generic profile BBB.CCC, or both. But if you enter the following command:
LISTDSD DATASET('BBB.CCC') GENERIC
RACF lists information for the fully qualified generic profile BBB.CCC if it exists, or the generic profile that most closely matches BBB.CCC. In this example, the generic profile BBB.* is listed.
- If generic profile command processing is inactive, only discrete profiles are listed. RACF does not search for generic profiles.
- HISTORY
- Specifies that you want to list the following data:
- The date each profile was defined to RACF
- The date each data set was last referenced
- The date of the last authorization check for UPDATE authority
- NORACF
- Specifies that you want to suppress the listing of BASE segment information from the specified data set's profile. If you specify NORACF, you must include one or more of the following operands: DSNS, DFP, TME.
If you do not specify NORACF, RACF displays the information in the BASE segment of a data set.
The information displayed as a result of using the NORACF operand is dependent on other operands used in the command. For example, if you use NORACF with DSNS, DFP, or TME also specified, only that information (DSNS, DFP, or TME) is displayed.
- STATISTICS
- Specifies that you want to list the statistics for each profile. The list includes the number of times the profile was accessed by users with READ, UPDATE, CONTROL, and ALTER authorities, as well as a separate total for each authority level. These details are meaningful only when your installation is gathering resource statistics. For generic profiles, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE.
- TME
- Specifies that information for the Tivoli® Security Management Application is to be listed.
- VOLUME(volume-serial ...)
- Limits the profiles listed to those found on the specific volume or list of volumes identified by volume serial number. RACF does not list profiles with the same name found on other volumes. If you do not specify NOGENERIC, RACF lists any generic profiles as well.
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | User DAF0 wants to list all information for his own data set profiles. |
1 | Known | User DAF0 is RACF-defined, and does not have the AUDITOR attribute. User DAF0 wants to issue the command as a RACF TSO command. |
1 | Command | LISTDSD ALL |
1 | Defaults | ID(DAF0) |
1 | Output | See Figure 1. |
2 | Operation | User IA0 wants to list the users authorized to data set SYS1.PLIBASE. |
2 | Known | User IA0 has ALTER authority to SYS1.PLIBASE, and does not have the AUDITOR attribute. User IA0 wants to issue the command as a RACF TSO command. |
2 | Command | LISTDSD DATASET('SYS1.PLIBASE') AUTHUSER |
2 | Defaults | None. |
2 | Output | See Figure 2. |
3 | Operation | User ADM1 wants to list a generic profile SALES.*.ABC. |
3 | Known | User ADM1 is the owner of the generic profile, and generic profile command processing is enabled. User ADM1 has the group-AUDITOR attribute in group SALES. User ADM1 wants to issue the command as a RACF TSO command. |
3 | Command | LISTDSD DATASET('SALES.*.ABC') |
3 | Defaults | None. |
3 | Output | See Figure 3. |
4 | Operation | User JADAMS wants to display the discrete profile for the DFP-managed data set RESEARCH.TEST.DATA. JADAMS also wants to display the user or group who is the data set resource owner. |
4 | Known | User JADAMS is the owner of the profile protecting data set RESEARCH.TEST.DATA. User JADAMS has field-level access of at least READ for the DFP segment. User JADAMS wants to issue the command as a RACF TSO command. |
4 | Command | LISTDSD DATASET('RESEARCH.TEST.DATA') DFP |
4 | Defaults | None. |
4 | Output | See Figure 4. |