Purpose

RACF® uses the class descriptor table to determine if a class is defined to RACF, the syntax of resource names within the class, and whether the class is a resource grouping class.

Profiles are listed in alphabetical order. Generic profiles are listed in the same order as they are searched for a resource match. (This also applies to the names in the global access table.)

Issuing options

The following table identifies the eligible options for issuing the RLIST command:

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

• To list a data set profile, see LISTDSD (List data set profile).
• To list a user profile, see LISTUSER (List user profile).
• To list a group profile, see LISTGRP (List group profile).
• To obtain a list of general resource profiles, see SEARCH (Search RACF database).

Details listed

This command lists the information in an existing profile for the resource or resource group.

Additional details:

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

You see the type of access attempts, as specified by the GLOBALAUDIT operand, only if you have the AUDITOR attribute or if the resource profile is within the scope of a group in which you have the group-AUDITOR attribute.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Parameters

subsystem-prefix

Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

class-name

Specifies the name of the class to which the resource belongs. Valid class names are those specified in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.

This operand is required and must be the first operand following RLIST.

This command is not intended to be used for profiles in the following classes:

• DCEUUIDS
• DIGTCERT
• DIGTNMAP
• DIGTRING
• IDIDMAP
• NDSLINK
• NOTELINK
• ROLE
• UNIXMAP

(profile-name …) | *

(profile-name …)

Specifies the name of an existing discrete or generic profile about which information is to be displayed. The RLIST command can be used to display which profile will be used for a specific resource.

The variable profile-name or an asterisk (*) is required and must be the second operand following RLIST.

If you specify more than one value for profile-name, the list of names must be enclosed in parentheses.

Mixed-case profile names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).

If the resource specified is a tape volume serial number that is a member of a tape volume set, information on all the volumes in the set are displayed.

RACF processes each resource you specify independently. If an error occurs while processing a resource, RACF issues a message and continues processing with the next resource.

Note: Inactive SECLABEL profiles and profiles that contain inactive security labels may not be listed if SETROPTS SECLBYSYSTEM is active because only users with SPECIAL or AUDITOR authority are allowed to view inactive security labels.

*

Specifies that you want to display information for all resources defined to the specified class for which you have the proper authority.

On a system with many profiles defined, the use of * may result in a large amount of output that may not be useful to a user issuing the command. It may be more appropriate for the user to browse the output of IRRDBU00 (database unload) or to write a program to process the IRRDBU00 output and produce a report showing only the subset of information that is of interest to the user. The processing of output of RLIST by programs is not supported nor recommended by IBM. If you want a listing of all the profiles for use by a program you should instead have the program process the output from IRRDBU00, RACROUTE REQUEST=EXTRACT, or ICHEINTY.

An asterisk (*) or profile-name is required and must be the second operand following RLIST.

RACF processes each resource independently and displays information only for those resources for which you have sufficient authority.

If you have the AUDITOR attribute, or if the resource profile is within the scope of a group in which you have the group-AUDITOR attribute, RACF displays GLOBALAUDIT information for all resources in the class.

ALL

Specifies that you want all information for the BASE segment of each resource displayed.

The access list is included only if you have sufficient authority to use the AUTHUSER operand. (See Authorization required.) The type of access attempts (as specified by the GLOBALAUDIT operand) that are being logged on the SMF data set is included only if you have the AUDITOR attribute, or the resource profile is within the scope of a group in which you have the group-AUDITOR attribute.

AT | ONLYAT

The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.

AT([node].userid …)

Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)

RLIST is not eligible for automatic command direction. If you specify the ONLYAT keyword, the effect is the same as if you specified the AT keyword.

AUTHUSER

Specifies that you want the following information included in the output:

• The user categories authorized to access the resource
• The security level required to access the resource
• The security label required to access the resource
• The standard access list. This includes the following:
  • All users and groups authorized to access the resource
  • The level of authority for each user and group
  • The number of times the user has accessed the resource (This detail is only meaningful when your installation is gathering resource statistics and is not included in the output for generic profiles.)
• The conditional access list. This list consists of the same fields as in the standard access list, as well as the following fields:
  • The class of the resource through which each user and group in the list can access the target resource of the command. For example, if a user can access the target resource through terminal TERM01, then TERMINAL would be the class listed.
  • The entity name of the resource through which each user and group in the list can access the target resource of the command. In the example above, TERM01 would be listed.

You must have sufficient authorization to use the AUTHUSER operand. (See Authorization required.)

CDTINFO

Specifies that CDTINFO segment information should be listed for profiles in the CDT class.

CFDEF

Specifies that CFDEF segment information should be listed for profiles in the CFIELD class. Use this operand to display the custom field names and attributes, such as data type, that your installation has defined.

Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.

DLFDATA

Lists the contents of the DLFDATA segment for profiles in the DLFCLASS class.

EIM

Specifies that EIM segment information should be listed.

GENERIC | NOGENERIC

GENERIC

Specifies that you want RACF to display information for the generic profile that most closely matches a resource name. If you specify GENERIC, RACF ignores a discrete profile that protects the resource. If asterisk (*) is specified instead of the profile name, all generic profiles are listed.

NOGENERIC

Specifies that you want RACF to display information for the discrete profile that protects a resource. If asterisk (*) is specified instead of the profile name, all discrete profiles are listed.

If neither GENERIC nor NOGENERIC is specified, RACF lists information for the discrete resource name that matches the resource name you specify. If there is no matching discrete profile, RACF lists the generic profile that most closely matches the resource name. If asterisk (*) is specified instead of the profile name, all discrete and generic profiles are listed.

The following list shows examples of using the GENERIC and NOGENERIC operands:

• If you enter the following command, RACF lists all discrete and generic profiles in the DASDVOL class.

  RLIST DASDVOL *

• If you enter the following command, RACF lists information for all the generic profiles in the DASDVOL class.

  RLIST DASDVOL * GENERIC

• If you enter the following command, RACF lists all discrete profiles in the JESSPOOL class.

  RLIST JESSPOOL * NOGENERIC

• If you enter the following command, RACF displays the best-fit generic profile that protects the resource ABC.DEF. RACF ignores discrete profile ABC.DEF if it exists.

  RLIST APPCLU ABC.DEF GENERIC

Note: When searching for a generic profile that matches the specified resource, RACF does not examine members that are defined in a grouping class (through the ADDMEM operand of the RDEFINE command). For example, suppose two profiles had been defined by the following RDEFINE commands:

RDEFINE TCICSTRN A*
RDEFINE GCICSTRN xxx ADDMEM(AB*)

The command:

RLIST TCICSTRN ABC

displays profile A* in the TCICSTRN class, but it does not search the GCICSTRN class and therefore does not display any AB* profile of the GCICSTRN class. In addition, the command:

RLIST GCICSTRN ABC

does not find member AB* in the GCICSTRN class because it does not look at the members in a grouping class.

If you want to make use of RLIST to find the generic profile that protects a specific resource, and the resource is in a class that has both a grouping class and a member class, you should define the generic profile as a profile in the member class.

To illustrate the above RDEFINE example where ADDMEM(AB* ) had been specified for a grouping class, the following command:

RDEFINE TCICSTRN AB*

allows the RLIST command to display AB* as the generic member in the TCICSTRN class.

HISTORY

Specifies that you want to list the following data:

• The date each profile was defined to RACF
• The date each profile was last referenced (this detail is only meaningful when your installation is gathering resource statistics; for a generic profile and profiles that are RACLISTed, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE)
• The date of last RACROUTE REQUEST=AUTH for UPDATE authority (this detail is only meaningful when your installation is gathering resource statistics; for a generic profile and profiles that are RACLISTed, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE)

ICSF

Specifies that ICSF segment information should be listed for profiles in the CSFKEYS, GCSFKEYS, XCSFKEY, or GXCSFKEY class.

ICTX

Specifies that ICTX segment information should be listed.

KERB

Specifies that you want to list the following z/OS Integrated Security Services Network Authentication Service information:

• The local kerberos-realm-name (KERBNAME)
• The encryption value settings (ENCRYPT values or NOENCRYPT)
• The min-ticket-life value for the local realm (MINTKTLFE)
• The def-ticket-life value for the local realm (DEFTKTLFE)
• The max-ticket-life value for the local realm (MAXTKTLFE)
• The current key version (KEY VERSION)

  Note: If KEY VERSION is not displayed, there is no z/OS Network Authentication Service key associated with this realm definition.

• Whether the Kerberos server validates addresses in tickets as part of ticket validation processing (CHECKADDRS)

NORACF

Specifies that you want to suppress the listing of RACF segment information. If you specify NORACF, you must include either CDTINFO, DLFDATA, EIM, KERB, PROXY, SESSION, SSIGNON, STDATA, SVFMR, TME, or a combination of operands.

If you do not specify NORACF, RACF displays the information in the base segment of a general resource profile.

The information displayed as a result of using the NORACF operand is dependent on other operands used in the command. For example, if you use NORACF with SESSION also specified, only the SESSION information is displayed.

NOYOURACC

For grouping and member classes, RLIST must do additional processing to assure that the your access information field is accurate. A SPECIAL user can use the NOYOURACC operand to bypass this processing, for performance reasons. The your access field contains n/a in this circumstance.

Note: This operand applies to SPECIAL users only. It has no effect for other users.

PROXY

Specifies that PROXY segment information should be listed. The following information will be provided:

• the URL of the LDAP server to be contacted
• the BIND distinguished name
• information regarding the BIND password

  The BINDPW password values will not be listed. If a BINDPW password value is defined for a general resource profile, RLIST will display YES for the PROXY segment BINDPW attribute. If no BINDPW password value has been defined, RLIST will display NO for the PROXY segment BINDPW attribute.

RESGROUP

Requests a list of all resource groups of which the resource specified by the profile-name operand is a member.

If a profile does not exist for the specified resource, RACF lists the names of all resource groups of which the resource is a member and to which the command user is authorized. To be authorized, the command user must meet one of the authorization requirements listed in Authorization required.

If a profile does exist for the specified resource and the command user has ALTER authority to the resource, RACF lists the names of all groups of which the resource is a member.

If a profile does exist for the specified resource but the command user has less than ALTER authority to the resource, RACF lists the names of all groups of which the resource is a member and to which the command user is authorized. To be authorized to the resource group, the command user must meet one of the authorization requirements listed in Authorization required. However, the command issuer must have the authority to list the resource specified on the command in order to list the member groups. If this requirement is met, then the user must be also authorized to the resource group. Otherwise, an error message is issued.

When profile-name is the name of a protected resource (such as a terminal or DASD volume) and class-name is a member class (such as TERMINAL or DASDVOL), the RESGROUP operand lists the profiles that protect the resource (for example, profiles in the GTERMINL or GDASDVOL class).

If you define a profile and use generic characters such as (*) to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output because it does not support generic matches. For example, you have:

RDEF GIMS GIMSGRP ADDMEM(ABC*)

and you are looking for a specific member, so you enter:

RLIST TIMS ABCD RESGROUP

The GIMS profile GIMSGRP will not appear in the output.

Note: When considering this example, if you are unable to define the profile ABCD, it might be due to a generic definition somewhere in GIMS.

This operand applies only to member classes for which resource group profiles exist.

SESSION

Specifies that the contents of the SESSION segment are to be listed for profiles in the APPCLU class.

SIGVER

Specifies that the contents of the SIGVER segment are to be listed for profiles in the PROGRAM class.

SSIGNON

Specifies that you want to display the secured signon information.

Note: The secured signon application key value cannot be displayed. However, information is displayed that describes whether the key value is masked or encrypted.

STATISTICS

Specifies that you want to list the statistics for each resource. The list contains the number of times the resource was accessed by users with READ, UPDATE, CONTROL, and ALTER authorities. A separate total is given for each authority level.

Note: This detail is only meaningful when your installation is gathering resource statistics. For a generic profile, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE.

STDATA

Specifies that you want to list the contents of the STDATA segment for profiles in the STARTED class.

SVFMR

Lists the contents of the SVFMR segment for profiles in the SYSMVIEW class.

TME

Specifies that information in the Tivoli® Security Management Application is to be listed.

TVTOC

Specifies that you want to see information about the data sets defined in the TVTOC of a TAPEVOL profile. The output displays:

• The name used to create the data set
• The internal RACF name for the data set
• The volumes on which the data set resides
• The file sequence number for the data set
• The date when the data set was created
• Whether the data set profile is discrete or generic.