LISTUSER (List User Profile)
System environment
This command applies to both z/OS® and z/VM® systems.
Purpose
Use the LISTUSER command to list the details of specific RACF® user profiles. A user profile consists of a RACF segment and, optionally, other segments such as TSO, OVM, or DFP. The LISTUSER command provides you with the option of listing the information contained in the entire user profile (all segments), or listing the information contained only in specific segments of the user profile.
Note: RACF interprets dates with 2 digit years in the
following way, YY represents the 2 digit year.
IF 70 < YY <= 99 THEN
The date is interpreted as 19YY
IF 00 <= YY <= 70 THEN
The date is interpreted as 20YYThe details RACF lists from the RACF segment for each user profile are:
- The user ID
- The user's name or UNKNOWN, if the user's name was not specified on the ADDUSER command
- The owner of the user's profile
- The date the user was defined to RACF
- The default group
- The date the user's password was last updated
- The date the user's password phrase was last updated
- The change interval (in number of days)
- Whether the user password or password phrase is enveloped Note: This line is only displayed if enveloping is active, or if an envelope exists. If a user does not have a password or password phrase, the corresponding line will not be displayed.
- The user's attributes
- The date and time the user last entered the system
- The classes in which the user is authorized to define profiles
- The installation-defined data Note: If an installation is configured to be a B1 environment, this information will not be listed in your output.
* SUPPRESSED *will appear under the installation data field. Only those with system SPECIAL will be allowed to list the field. - The name of default data set model profile
- Any REVOKEs or RESUMEs either in effect or pending, with the corresponding dates
- The security label, the security level, and category.
In addition, RACF lists the following information from the
RACF segment of the user profile for each group to which the
user is connected:
- The group name
- The user's authority in the group
- The user ID of the person who connected the user to this group
- The date the user was connected to this group
- The number of times the user has entered the system with this group as the current connect group
- The default universal access authority
- The date and time the user last entered the system using this group as the current connect group
- The connect attributes (group-related user attributes).
The details RACF lists from the TSO segment of the user's
profile are:
- The user's default account number when logging on from the TSO/E logon panel
- The destination ID for SYSOUT data sets
- The user's default HOLDCLASS
- The user's default JOBCLASS
- The user's default MSGCLASS
- The user's default SYSOUTCLASS
- The maximum region size
- The default region size
- The logon procedure name
- The unit name
- The optional user data
- The user's security label.
- MFA information: the level of detail is based on whether the MFA option is entered on input.
The details RACF lists from the DFP segment of the user's
profile are:
- The user's default data class
- The user's default management class
- The user's default storage class
- The data management data application for the user.
The details RACF lists from the CICS® segment of the user's profile are:
- The classes assigned to this operator to which BMS messages will be sent
- Whether the operator will be forced off when an XRFSOFF takeover occurs
- The operator identification
- The priority of the operator
- The time (in minutes) that the operator is allowed to be idle before being signed off.
The details RACF lists from the LANGUAGE segment of the
user's profile are:
- The user's primary language, if one has been specified
- The user's secondary language, if one has been specified.
The details RACF lists from the OPERPARM segment of the
user's profile are:
- The alternate console group (ALTGRP)
- The operator authority (AUTH)
- Whether the console receives messages which can be automated in a sysplex environment.
- The system name for commands from this console (CMDSYS)
- Whether, and what kind of, delete operator messages are received (DOM)
- The searching key (KEY)
- The message level information (LEVEL)
- Whether or not system command responses are logged (LOGCMDRESP)
- The message format (MFORM)
- Whether or not this console is assigned a migration ID (MIGID)
- Event information (MONITOR)
- The systems this console can receive undirected messages from (MSCOPE)
- Routing code information (ROUTCODE)
- Storage information (STORAGE)
- Whether or not this console receives undeliverable messages (UD).
The details RACF lists from the OVM segment of the user's
profile are:
- The user identifier
- The initial directory pathname
- The program pathname
- The file system root name.
RACF lists the following output
distribution information from the user's WORKATTR segment:
- The name of the user (WANAME)
- The building (WABLDG)
- The department (WADEPT)
- The room (WAROOM)
- Up to four additional lines of output distribution information (WAADDR1-4)
- An account number for APPC/MVS processing (WAACCNT).
Related Commands
- To list a group profile, use the LISTGRP command as describedon page LISTGRP (List Group Profile).
- To list a data set profile, use the LISTDSD command as describedon page LISTDSD (List Data Set Profile).
- To list a general resource profile, use the RLIST command as described on page RLIST (List General Resource Profile). (General resources include terminals, minidisks, and other resources defined in the class descriptor table.)
- To list a file profile, use the LFILE command as described on page LFILE (List SFS File Profile). (A file profile protects files in the z/VM shared file system.)
- To list a directory profile, use the LDIRECT command as described on page LDIRECT (List SFS Directory Profile). (A directory profile protects directories in the z/VM shared file system.)
Authorization Required
Listing the RACF segment of a user profile
You can always list the details of the RACF segment of
your own user profile. To list details of the RACF segment of
another user's profile, one of the following conditions must be true:
- You are the owner of the user's profile.
- You have the SPECIAL attribute.
- The user's profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the AUDITOR or ROAUDIT attribute.
- The user's profile is within the scope of a group in which you have the group-AUDITOR attribute.
- You have READ access to the IRR.LISTUSER resource in the FACILITY class and the user does not have the SPECIAL, AUDITOR, ROAUDIT, or OPERATIONS attribute.
- You have READ access to an appropriate resource (IRR.LU.OWNER.owner or IRR.LU.TREE.owner) in the
FACILITY class, and both of the following conditions are also true:
- The user does not have the SPECIAL, AUDITOR, ROAUDIT, or OPERATIONS attribute. (You can list a PROTECTED user.)
- You are not excluded from listing the user by the IRR.LU.EXCLUDE.excludeduser resource in the FACILITY class.
For more information about the IRR.LU profiles, see z/VM: RACF Security Server Security Administrator's Guide.
- You are the owner of the user's profile. RACF lists the RACF segment for all the user profiles that you own.
- You have the SPECIAL attribute. RACF lists the RACF segment for all user profiles.
- The user's profile is within the scope of a group in which you have the group-SPECIAL attribute. RACF lists the RACF segment for all the user profiles within the scope of your group.
- You have the AUDITOR or ROAUDIT attribute. RACF lists the RACF segment for all user profiles.
- The user's profile is within the scope of a group in which you have the group-AUDITOR attribute. RACF lists the RACF segment for all the user profiles within the scope of your group.
- You have READ access to the IRR.LISTUSER resource in the FACILITY class and the user does not have any of the SPECIAL, AUDITOR, ROAUDIT, or OPERATIONS attributes.
- A security level equal to, or greater than, that in the user profile you are trying to display
- All security categories contained in the user profile you are trying to display contained in your own user profile.
Listing the other segments of a user profile
To list information from segments other than the RACF
segment for a user profile, including your own, one of the following conditions must be true:
- You have the SPECIAL, AUDITOR, or ROAUDIT attribute.
- You have at least READ authority to the desired field within the segment through field level access checking.
Syntax
The following operands used with the LISTUSER command apply to z/OS systems only:
- CICS
- DFP
- LANGUAGE
- OPERPARM
- TSO
- WORKATTR
The complete syntax of the LISTUSER command is:
|
Parameters
- userid | *
-
- userid
- specifies the user ID of one or more RACF-defined users. If you specify more than one user ID, you must enclose the list of user IDs in parentheses.
- *
- specifies that you want to list information contained in all RACF-defined user profiles to which you have the required authority.
If you specify a user ID or asterisk (*), it must be the first operand following LISTUSER.
If you enter LISTUSER and specify one or more user IDs (or *) without specifying an additional operand, RACF lists only the RACF segment information from the specified profiles.
If you enter only LISTUSER, RACF lists only the RACF segment information from your own user profile.
- CICS
- Note:
This operand applies to z/OS systems only.
specifies that you want to list the information contained in the CICS segment of the user's profile.
If you specify CICS, you must also specify a user ID or *.
- DFP
- Note:
This operand applies to z/OS systems only.
specifies that you want to list the information contained in the DFP segment of the user's profile.
If you specify DFP, you must also specify a user ID or *.
- LANGUAGE
- Note:
This operand applies to z/OS systems only.
specifies that you want to list the information contained in the LANGUAGE segment of the user's profile.
The 3-character language code and, if defined, the 24-character language name, will be displayed.
NOT SPECIFIEDindicates that no language has been specified.If the code is displayed without a name, one of the following is true:- RACF was not running under z/OS 4.1 or later releases
- The z/OS message service was not active
- The language was not active.
If the language code equals the language name, one of the following is true:- There was no language name defined on your system
- The language name was defined to be the same as the language code.
If you specify LANGUAGE, you must also specify a user ID or *.
- MFA
- specifies that you want the IBM Multi-Factor Authentication (MFA) attributes listed. Messages
will be displayed stating whether MFA is enabled for the user and (if enabled) whether password
fallback is allowed.
If MFA is not specified and the user is an MFA user, the message "MULTIFACTOR AUTHENTICATION DATA EXISTS. USE THE MFA KEYWORD TO DISPLAY IT" will be displayed at the bottom of the LISTUSER output.
- NORACF
-
specifies that you want to suppress the listing of RACF segment information from the user's profile.
If you specify NORACF, you must also specify one or more of these segments: WORKATTR, TSO, DFP, LANGUAGE, CICS, OPERPARM, or OVM.
If you do not specify NORACF, RACF displays the information in the RACF segment of a user profile.
The information displayed as a result of using the NORACF operand is dependent on other operands used in the command. For example, if you use NORACF with TSO or DFP also specified, only that information (TSO or DFP) will be displayed.
- OPERPARM
- Note:
This operand applies to z/OS systems only.
specifies that you want to list the information contained in the OPERPARM segment of the user's profile.
If you specify this operand you must also specify a user ID or an asterisk (*).
If there is no information in a field in the user's profile for this segment, the field name will not be displayed. However, if no value was specified for STORAGE when the OPERPARM segment was added to the user profile,
STORAGE=0will appear in the listing. - OVM
- specifies that you want to list the information contained in the OVM segment of the user's
profile.
If you specify this operand, you must also specify a user ID or an asterisk (*).
If there is no HOME, PROGRAM, or FSROOT information, the field name is not displayed. However, the word “NONE” will appear in the listing if the UID was not specified, or if the UID was removed using the NOUID operand on the ALTUSER command.
- TSO
- Note:
This operand applies to z/OS systems only.
specifies that you want to list the information contained in the TSO segment of the user's profile.
If you specify TSO, you must also specify a user ID or *.
If there is no information in the fields of the TSO segment, the field name is not displayed (with the exception of SIZE, MAXSIZE, and USERDATA).
- WORKATTR
- Note:
This operand applies to z/OS systems only.
specifies that you want to list the information contained in the WORKATTR segment of the user's profile.
If you specify WORKATTR, you must also specify a user ID or an asterisk (*).
Examples
| Example 1 | Operation | User DAF0 wants to list her user attributes from the RACF segment of her user profile. |
| Known | DAF0 is a RACF-defined user with a password and password phrase. Both are enveloped. | |
| Command | LISTUSER |
|
| Defaults | DAF0 (userid) | |
| Output | See Figure 1. | |
| Example 2 | Operation | User DAF0 wants to list her user attributes from the RACF segment of her user profile. |
| Known | DAF0 is a RACF-defined password-only user. The password is enveloped. | |
| Command | LISTUSER |
|
| Defaults | DAF0 (userid) | |
| Output | See Figure 2. | |
| Example 3 | Operation | User DAF0 wants to list her user attributes from the RACF segment of her user profile. |
| Known | DAF0 is a RACF-defined phrase-only user. The password phrase is not enveloped. | |
| Command | LISTUSER |
|
| Defaults | DAF0 (userid) | |
| Output | See Figure 3. | |
| Example 4 | Operation | User DAF0 wants to list user attributes from the RACF segment of the SERVER1 user profile. |
| Known | SERVER1 is a RACF-defined user with no password or password phrase. | |
| Command | LISTUSER SERVER1 |
|
| Defaults | DAF0 (userid) | |
| Output | See Figure 4. | |
| Example 5 | Operation | User ADM1 wants to list the user attributes from the RACF segment of profiles for users IBMUSER, CALTMANN, and DAF0. |
| Known | User ADM1 has the SPECIAL and AUDITOR attributes. User CALTMANN's password was recently reset and is expired, so his password change date appears as "00.000". Neither the password nor the password phrase is enveloped. | |
| Command | LISTUSER (IBMUSER CALTMANN DAF0) |
|
| Defaults | None | |
| Output | See Figure 5. | |
| Example 6 | Operation | User ADM1 wants to list the user attributes from the OVM segment of the profile for user CJWELLS. |
| Known | User ADM1 has the SPECIAL attribute. User CJWELLS is defined to RACF and CJWELLS' profile contains an OVM segment. |
|
| Command | LISTUSER CJWELLS OVM NORACF |
|
| Defaults | None | |
| Output | See Figure 7. | |
| Example 7 | Operation | User ADM1 wants to list the user attributes from the OVM segment of the profile for user CBAKER. |
| Known | User ADM1 has the SPECIAL attribute. User CBAKER is defined to RACF and CBAKER's profile contains an OVM segment, but there was no value specified for HOME, PROGRAM, or FSROOT in the OVM segment for this profile. Defaults were used. |
|
| Command | LISTUSER CBAKER OVM NORACF |
|
| Defaults | None | |
| Output | See Figure 8. | |
LISTUSER
USER=DAF0 NAME=D.M.BROWN OWNER=IBMUSER CREATED=05.228
DEFAULT-GROUP=RESEARCH PASSDATE=05.228 PASS-INTERVAL= 30 PHRASEDATE=05.231
ATTRIBUTES=PASSPHRASE
PASSWORD ENVELOPED=YES
PHRASE ENVELOPED=YES
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.228/13:31:11
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=RESEARCH AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 01 UACC=READ LAST-CONNECT=05.228/13:31:11
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=PAYROLLB AUTH=CREATE CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 00 UACC=READ LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED LISTUSER
USER=DAF0 NAME=D.M.BROWN OWNER=IBMUSER CREATED=05.228
DEFAULT-GROUP=RESEARCH PASSDATE=05.228 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=NONE
PASSWORD ENVELOPED=YES
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.228/13:31:11
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=RESEARCH AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 01 UACC=READ LAST-CONNECT=05.228/13:31:11
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=PAYROLLB AUTH=CREATE CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 00 UACC=READ LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED LISTUSER
USER=DAF0 NAME=D.M.BROWN OWNER=IBMUSER CREATED=05.228
DEFAULT-GROUP=RESEARCH PASSDATE=N/A PASS-INTERVAL= 30 PHRASEDATE=05.231
ATTRIBUTES=NOPASSWORD PASSPHRASE
PHRASE ENVELOPED=NO
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.228/13:31:11
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=RESEARCH AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 01 UACC=READ LAST-CONNECT=05.228/13:31:11
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=PAYROLLB AUTH=CREATE CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 00 UACC=READ LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED LISTUSER SERVER1
USER=SERVER1 NAME=APP SERVER 1 OWNER=IBMUSER CREATED=05.228
DEFAULT-GROUP=SYS1 PASSDATE=N/A PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=PROTECTED
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.228/13:31:11
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=USE CONNECT-OWNER=IBMUSER CONNECT-DATE=05.228
CONNECTS= 01 UACC=READ LAST-CONNECT=05.228/13:31:11
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED LISTUSER (IBMUSER CALTMANN DAF0)
USER=IBMUSER NAME=G. SMITH OWNER=IBMUSER CREATED=05.163
DEFAULT-GROUP=SYS1 PASSDATE=05.220 PASS-INTERVAL=N/A PHRASEDATE=05.231
ATTRIBUTES=SPECIAL OPERATIONS
ATTRIBUTES=PASSPHRASE AUDITOR
PASSWORD ENVELOPED=NO
PHRASE ENVELOPED=NO
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.146/15:45:23
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=84.263
CONNECTS= 456 UACC=READ LAST-CONNECT=05.146/15:45:23
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=VSAMDSET AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=84.263
CONNECTS= 00 UACC=NONE LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=SYSCTLG AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=84.263
CONNECTS= 00 UACC=READ LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIEDUSER=CALTMANN NAME=C. ALTMANN OWNER=IBMUSER CREATED=05.144
DEFAULT-GROUP=RESEARCH PASSDATE=00.000 PASS-INTERVAL=254 PHRASEDATE=05.231
ATTRIBUTES=SPECIAL
ATTRIBUTES=PASSPHRASE AUDITOR
PASSWORD ENVELOPED=NO
PHRASE ENVELOPED=NO
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.146/16:16:14
CLASS AUTHORIZATIONS=USER
NO-INSTALLATION-DATA
MODEL-NAME=ALLENA
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=RESEARCH AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=05.144
CONNECTS= 01 UACC=READ LAST-CONNECT=05.146/16:16:14
CONNECT ATTRIBUTES=OPERATIONS
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=VSAMDSET AUTH=CREATE CONNECT-OWNER=IBMUSER CONNECT-DATE=05.144
CONNECTS= 00 UACC=READ LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=OPERATIONS
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
USER=DAF0 NAME=D.M.BROWN OWNER=IBMUSER CREATED=05.144
DEFAULT-GROUP=RESEARCH PASSDATE=00.000 PASS-INTERVAL=254 PHRASEDATE=N/A
ATTRIBUTES=NONE
PASSWORD ENVELOPED=NO
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=05.146/15:11:31
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------------------
ANYDAY ANYTIME
GROUP=RESEARCH AUTH=JOIN CONNECT-OWNER=IBMUSER CONNECT-DATE=05.144
CONNECTS= 02 UACC=READ LAST-CONNECT=05.146/15:11:31
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED LISTUSER CJWELLS OVM NORACF
USER=CJWELLS
OVM INFORMATION
----------------
UID= 0000000024
HOME= /u/CJWELLS
PROGRAM= /u/CJWELLS/bin/myshell
FSROOT= /../VMBFS:SERVER8.CJWELLS/ LISTUSER CBAKER OVM NORACF
USER=CBAKER
OVM INFORMATION
----------------
UID= 0000000024