Purpose

Use the RLIST command to display information on resources belonging to classes specified in the class descriptor table. Note that the DATASET, USER, and GROUP classes are not defined in the class descriptor table.

Note: The RLIST command might provide unpredictable results when searching on the DIGTCERT and DIGTRING classes. Due to the lowercase characters in these classes, the profile filter on the RLIST command might not function correctly.
RACF® uses the class descriptor
table to determine if a class is defined to RACF, the syntax of resource names within the
class, and whether the class is a resource grouping class.
Profiles
are listed in alphabetical order. Generic profiles are listed in the
same order as they are searched for a resource match. (This also applies
to the names in the global access table.)
RACF date handling: RACF interprets dates with 2-digit years as follows. (The yy value represents the 2-digit year.)
- If 70 < yy <= 99, the date is interpreted as 19yy.
- If 00 <= yy <= 70, the date is interpreted as 20yy.
Issuing options

The following table identifies the eligible options for issuing the RLIST command:

As a RACF TSO command?               Yes
As a RACF operator command?          Yes
With command direction?              Yes
With automatic command direction?    No
From the RACF parameter library?     Yes
For information on issuing this command
as a RACF TSO command, refer
to RACF TSO commands.
For
information on issuing this command as a RACF operator command, refer to RACF operator commands.
You
must be logged on to the console to issue this command as a RACF operator command.
Details listed

This command lists the information in an existing profile for the resource or resource group.

Details that are listed for each profile:
- The resource class.
- The name of the resource.
- One of the following indicators, if applicable, displayed after
the resource name:
- (G) indicates a generic profile.
- (UNUSABLE) indicates a discrete profile with
a profile name containing generic characters that is defined in a
general resource class for which SETROPTS GENERIC or GENCMD is enabled.
RACF is unable to use this profile for authorization checking. Tip: Use
the RDELETE command with the NOGENERIC option to delete this profile.
- The cross-reference class name (that is, the member class name
for resource groups or the group name for non-group resources).
- If the resource named in the command (in the resource-name operand)
is a resource group, RACF lists
member resources.
- The level of the resource.
- The owner of the resource.
- The type of access attempts (as specified by the AUDIT operand
on the RDEFINE or RALTER command) that are being logged on the SMF
data set.
- The user, if any, to be notified when RACF uses this profile to deny access to the
resource.
- The universal access authority for the resource.
- Your highest level of access authority to the resource.
- The installation-defined data (information specified in the DATA
operand of the RALTER or RDEFINE commands).
If your z/OS® installation is configured to be a multilevel-secure
environment, this information is not listed in your output. *
SUPPRESSED * appears under the installation data field. Only
those with SPECIAL are allowed to list the field.
- The APPLDATA value, if any.
If your z/OS installation is configured to be a multilevel-secure
environment, this information is not listed in your output. *
SUPPRESSED * appears under the installation data field. Only
those with SPECIAL are allowed to list the field.
- The domain distinguished name, options and local registry for
the EIM segment.
- The type of access attempts (as specified by the GLOBALAUDIT operand
on the RALTER command) that RACF logs.
- The status of the WARNING/NOWARNING indicator.
- For resources in the TAPEVOL class:
- The volumes in a tape volume set,
- Whether the TAPEVOL profile is automatic or nonautomatic,
- Whether the volume can hold more than one data set, or
- Whether the volume contains a TVTOC.
Additional details:
You can request the following details by using the appropriate RLIST operands:
- The security label, the security level and categories.
For
additional information, see the AUTHUSER operand.
- For member resources, RACF lists
the names of all resource group members in which the entity is a member.
For
additional information, see the RESGROUP operand.
- The number of times the resource was accessed by all users for
each of the following access authorities.
- ALTER, CONTROL, UPDATE, READ
For additional information, see the STATISTICS operand. This
detail is only meaningful when your installation is gathering resource
statistics and the class is not RACLISTed. For a generic profile, RACF replaces any statistics line
with NOT APPLICABLE FOR GENERIC PROFILE.
- Historical data, such as:
- Date the resource was defined to RACF,
- Date the resource was last referenced (this detail is only meaningful
when your installation is gathering resource statistics and the class
is not RACLISTed; for a generic profile, RACF replaces any statistics line with NOT APPLICABLE
FOR GENERIC PROFILE), or
- Date the resource was last accessed at the update level.
For additional information, see the HISTORY operand.
- The standard access list which displays:
- All users and groups authorized to access the resource,
- The level of authority for each user and group, or
- The number of times each user has accessed the resource. (This
detail is only meaningful when your installation is gathering resource
statistics. This detail is not included in the output for generic
profiles.)
For additional information, see the AUTHUSER operand.
- The conditional access list which displays the same fields as
the standard access list, as well as the following additional fields:
- The class of the resource, or
- The entity name of the resource.
For additional information, see the AUTHUSER operand.
- For a tape volume that contains RACF-protected data sets, the
following information about each RACF-protected data set on the volume:
- The name used to create the data set,
- The internal RACF name
for the data set,
- The volumes on which the data set resides,
- The file sequence number for the data set,
- The date when the data set was created, or
- Whether the data set profile is discrete or generic.
For additional information, see the TVTOC operand.
- The contents of segments other than the base segment.
(See
the segment operands for details about the listed information.)
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

You must have a sufficient level of authority for each resource or resource group listed as the result of your request so that one of the following conditions is met:
- You have the SPECIAL attribute.
- The resource profile is within the scope of a group in which you
have the group-SPECIAL attribute.
- You have the OPERATIONS attribute.
- The resource profile is within the scope of a group in which you
have the group-OPERATIONS attribute.
- You have the AUDITOR attribute.
- The resource profile is within the scope of a group in which you
have the group-AUDITOR attribute.
- You are the owner of the resource.
- If the profile is in the FILE or DIRECTRY class, the second qualifier
of the profile name is your user ID.
- To list the contents of segments other than the base segment,
such as the DLFDATA segment, you must have the SPECIAL or AUDITOR
attribute, or your installation must permit you to do so through field-level
access checking.
- You are on the access list for the resource and you have at least
READ authority. (If your level of authority is NONE, the resource
is not listed.) If you specify ALL, RACF lists
only information pertinent to your user ID.
- Your current connect group (or, if list-of-groups checking is
active, any group to which you are connected) is in the access list
and has at least READ authority.
- The universal access authority of the resource is at least READ.
- You have at least read access for the profile name from the GLOBAL
ENTRY TABLE (if this table contains an entry for the profile).
You see the type of access attempts, as specified by
the GLOBALAUDIT operand, only if you have the AUDITOR attribute or
if the resource profile is within the scope of a group in which you
have the group-AUDITOR attribute.
To specify the AT keyword,
you must have READ authority to the DIRECT.node resource in
the RRSFDATA class and a user ID association must be established between
the specified node.userid pair(s).
To
specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified
on the ONLYAT keyword must have the SPECIAL attribute, and a user
ID association must be established between the specified node.userid pair(s)
if the user IDs are not identical.
Listing resource access lists: When you are requesting to see the access list for a resource with the AUTHUSER operand, your level of authority is checked for each resource. Your level of authority must be such that one of the following conditions is met:
- You have the SPECIAL attribute.
- The resource profile is within the scope of a group in which you
have the group-SPECIAL attribute.
- You have the OPERATIONS attribute.
- The resource profile is within the scope of a group in which you
have the group-OPERATIONS attribute.
- You are the owner of the resource.
- You have the AUDITOR attribute.
- The resource profile is within the scope of a group in which you
have the group-AUDITOR attribute.
- You have alter access for the profile name from the GLOBAL ENTRY
TABLE (if this table contains an entry for the profile).
- If the profile is in the FILE or DIRECTRY class, the second qualifier
of the profile name is your user ID.
- For a discrete profile, you are on the access list for the resource
and you have ALTER authority. (If you have any other level of authority,
you cannot use the operand.)
- For a discrete profile, your current connect group (or, if list-of-groups
checking is active, any group to which you are connected) is in the
access list and has ALTER authority.
- For a discrete profile, the universal access authority of the
resource is ALTER.
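The two authorization lists above, modelled as an added example (this is not IBM's code; RACF's real checks such as group scope and list-of-groups are reduced to explicit inputs, and the profile, user and group names are constructed, following Example 1 and Figure 1):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Access authorities in ascending order of strength.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class Profile:
    class_name: str
    name: str
    owner: str
    generic: bool = False
    uacc: str = "NONE"
    access_list: Dict[str, str] = field(default_factory=dict)  # user or group id -> access
    scope_groups: Set[str] = field(default_factory=set)        # groups whose scope covers the profile
    global_entry_access: Optional[str] = None                   # GLOBAL ENTRY TABLE access, if an entry exists


@dataclass
class User:
    userid: str
    attributes: Set[str] = field(default_factory=set)                    # SPECIAL, OPERATIONS, AUDITOR
    group_attributes: Dict[str, Set[str]] = field(default_factory=dict)  # group -> group-level attributes
    connect_group: str = ""
    groups: Set[str] = field(default_factory=set)
    grplist: bool = False  # list-of-groups checking active?


def _at_least(access: Optional[str], needed: str) -> bool:
    return access is not None and ACCESS_RANK[access] >= ACCESS_RANK[needed]


def _has_attr(user: User, profile: Profile, attr: str) -> bool:
    """System-wide attribute, or its group- form in a group whose scope covers the profile."""
    if attr in user.attributes:
        return True
    return any(attr in attrs and grp in profile.scope_groups
               for grp, attrs in user.group_attributes.items())


def _group_entry(user: User, profile: Profile) -> Optional[str]:
    """Best access granted by a group entry: the connect group only, or every group
    the user is connected to when list-of-groups checking is active."""
    groups = user.groups if user.grplist else {user.connect_group}
    found = [profile.access_list[g] for g in groups if g in profile.access_list]
    return max(found, key=lambda a: ACCESS_RANK[a]) if found else None


def _second_qualifier_is_user(user: User, profile: Profile) -> bool:
    qualifiers = profile.name.split(".")
    return (profile.class_name in ("FILE", "DIRECTRY")
            and len(qualifiers) > 1 and qualifiers[1] == user.userid)


def _privileged(user: User, profile: Profile) -> bool:
    """Conditions common to both lists: SPECIAL/OPERATIONS/AUDITOR (or group- form in scope),
    ownership, or the FILE/DIRECTRY second-qualifier rule."""
    return (any(_has_attr(user, profile, a) for a in ("SPECIAL", "OPERATIONS", "AUDITOR"))
            or user.userid == profile.owner
            or _second_qualifier_is_user(user, profile))


def can_list(user: User, profile: Profile) -> bool:
    """Does one of the 'Authorization required' conditions hold, so RLIST shows the profile?"""
    if _privileged(user, profile):
        return True
    return (_at_least(profile.access_list.get(user.userid), "READ")
            or _at_least(_group_entry(user, profile), "READ")
            or _at_least(profile.uacc, "READ")
            or _at_least(profile.global_entry_access, "READ"))


def can_authuser(user: User, profile: Profile) -> bool:
    """May the access list be shown with AUTHUSER ('Listing resource access lists')?
    The access-list and UACC routes require ALTER and apply to discrete profiles only."""
    if _privileged(user, profile) or profile.global_entry_access == "ALTER":
        return True
    if profile.generic:
        return False
    return (profile.access_list.get(user.userid) == "ALTER"
            or _group_entry(user, profile) == "ALTER"
            or profile.uacc == "ALTER")


def can_see_globalaudit(user: User, profile: Profile) -> bool:
    """GLOBALAUDIT settings are shown only to AUDITOR, or group-AUDITOR within scope."""
    return _has_attr(user, profile, "AUDITOR")


# Constructed scenario modelled on Example 1 / Figure 1: VOL001 in TAPEVOL, owned by RV2,
# UACC READ, access list RV2 ALTER and ESH25 READ; RV2 has the AUDITOR attribute.
VOL001 = Profile("TAPEVOL", "VOL001", owner="RV2", uacc="READ",
                 access_list={"RV2": "ALTER", "ESH25": "READ"})
RV2 = User("RV2", attributes={"AUDITOR"})
ESH25 = User("ESH25")
# Constructed generic profile with UACC ALTER: anyone can list it, but the UACC route
# to AUTHUSER applies to discrete profiles only.
QSTAR = Profile("TIMS", "Q*", owner="ADM1", generic=True, uacc="ALTER")

if __name__ == "__main__":
    for who, what in ((RV2, VOL001), (ESH25, VOL001), (User("NOBODY"), QSTAR)):
        print(who.userid, what.name, can_list(who, what), can_authuser(who, what),
              can_see_globalaudit(who, what))
```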
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RLIST command is:

[subsystem-prefix]{RLIST | RL}
    class-name
    {(profile-name …) | *}
    [ ALL ]
    [ AT([node].userid …) | ONLYAT([node].userid …) ]
    [ AUTHUSER ]
    [ CDTINFO ]
    [ CFDEF ]
    [ DLFDATA ]
    [ EIM ]
    [ {GENERIC | NOGENERIC} ]
    [ HISTORY ]
    [ ICSF ]
    [ ICTX ]
    [ KERB ]
    [ NORACF ]
    [ NOYOURACC ]
    [ PROXY ]
    [ RESGROUP ]
    [ SESSION ]
    [ SIGVER ]
    [ SSIGNON ]
    [ STATISTICS ]
    [ STDATA ]
    [ SVFMR ]
    [ TME ]
    [ TVTOC ]
Parameters

- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem
prefix can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing
this command as a RACF operator
command. The subsystem prefix is required when issuing RACF operator commands.
- class-name
- Specifies
the name of the class to which the resource belongs. Valid class names
are those specified in the class descriptor table. For
a list of general resource classes defined in the class descriptor
table supplied by IBM®, see Supplied RACF resource classes.
This operand is required
and must be the first operand following RLIST.
This command
is not intended to be used for profiles in the following classes:
- DCEUUIDS
- DIGTCERT
- DIGTNMAP
- DIGTRING
- IDIDMAP
- NDSLINK
- NOTELINK
- ROLE
- UNIXMAP
- (profile-name …) | *
- (profile-name …)
- Specifies
the name of an existing discrete or generic profile about which information
is to be displayed. The
RLIST command can be used to display which profile will be used for
a specific resource.
The variable profile-name or
an asterisk (*) is required and must be the second
operand following RLIST.
If you specify more than one value
for profile-name, the list of names must
be enclosed in parentheses.
Mixed-case profile names are accepted
and preserved when class-name refers to
a class defined in the static class descriptor table with CASE=ASIS
or in the dynamic class descriptor table with CASE(ASIS).
If
the resource specified is a tape volume serial number that is a member
of a tape volume set, information on all the volumes in the set are
displayed.
RACF processes
each resource you specify independently. If an error occurs while
processing a resource, RACF issues
a message and continues processing with the next resource.
Note: Inactive
SECLABEL profiles and profiles that contain inactive security labels
may not be listed if SETROPTS SECLBYSYSTEM is active because only
users with SPECIAL or AUDITOR authority are allowed to view inactive
security labels.
- *
- Specifies that you want to display information for all resources
defined to the specified class for which you have the proper authority.
On a system with many profiles defined, the use of * may
result in a large amount of output that may not be useful to a user
issuing the command. It may be more appropriate for the user to browse
the output of IRRDBU00 (database unload) or to write a program to
process the IRRDBU00 output and produce a report showing only the
subset of information that is of interest to the user. The processing
of output of RLIST by programs is not supported nor recommended by IBM. If you want a listing of all
the profiles for use by a program you should instead have the program
process the output from IRRDBU00, RACROUTE REQUEST=EXTRACT, or ICHEINTY.
An
asterisk (*) or profile-name is
required and must be the second operand following RLIST.
RACF processes each resource independently
and displays information only for those resources for which you have
sufficient authority.
If you have the AUDITOR attribute, or
if the resource profile is within the scope of a group in which you
have the group-AUDITOR attribute, RACF displays
GLOBALAUDIT information for all resources in the class.
- ALL
- Specifies
that you want all information for the BASE segment of each resource
displayed.
The access list is included only if you have sufficient
authority to use the AUTHUSER operand. (See Authorization required.)
The type of access attempts (as specified by the GLOBALAUDIT operand)
that are being logged on the SMF data set is included only if you
have the AUDITOR attribute, or the resource profile is within the
scope of a group in which you have the group-AUDITOR attribute.
- AT
| ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid
…)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed to the local node.
- ONLYAT([node].userid
…)
- RLIST
is not eligible for automatic command direction. If you specify the
ONLYAT keyword, the effect is the same as if you specified the AT
keyword.
- AUTHUSER
- Specifies
that you want the following information included in the output:
- The user categories authorized to access the resource
- The security level required to access the resource
- The security label required to access the resource
- The standard access list. This includes the following:
- All users and groups authorized to access the resource
- The level of authority for each user and group
- The number of times the user has accessed the resource (This detail
is only meaningful when your installation is gathering resource statistics
and is not included in the output for generic profiles.)
- The conditional access list. This list consists of the same fields
as in the standard access list, as well as the following fields:
- The class of the resource through which each user and group in
the list can access the target resource of the command. For example,
if a user can access the target resource through terminal TERM01,
then TERMINAL would be the class listed.
- The entity name of the resource through which each user and group
in the list can access the target resource of the command. In the
example above, TERM01 would be listed.
You must have sufficient authorization to use the AUTHUSER
operand. (See Authorization required.)
- CDTINFO
- Specifies that CDTINFO segment information
should be listed for profiles in the CDT class.
- CFDEF
- Specifies
that CFDEF segment information should be listed for profiles in the
CFIELD class. Use this operand to display the custom field names and
attributes, such as data type, that your installation has defined.
Contact
your security administrator to see how custom fields are used at your
installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
- DLFDATA
- Lists
the contents of the DLFDATA segment for profiles in the DLFCLASS class.
- EIM
- Specifies that EIM segment information should be listed.
- GENERIC | NOGENERIC
- GENERIC
- Specifies that you want RACF to
display information for the generic profile that most closely matches
a resource name. If you specify GENERIC, RACF ignores a discrete profile that protects
the resource. If asterisk (*) is specified instead
of the profile name, all generic profiles are listed.
- NOGENERIC
- Specifies
that you want RACF to display
information for the discrete profile that protects a resource. If
asterisk (*) is specified instead of the profile
name, all discrete profiles are listed.
If neither GENERIC nor NOGENERIC is specified, RACF lists information for the
discrete resource name that matches the resource name you specify.
If there is no matching discrete profile, RACF lists the generic profile that most closely
matches the resource name. If asterisk (*) is specified
instead of the profile name, all discrete and generic profiles are
listed.
The following list shows examples of using the GENERIC and NOGENERIC operands:
Note: When searching for a generic profile that matches the specified resource, RACF does not examine members that are defined in a grouping class (through the ADDMEM operand of the RDEFINE command). For example, suppose two profiles had been defined by the following RDEFINE commands:
RDEFINE TCICSTRN A*
RDEFINE GCICSTRN xxx ADDMEM(AB*)
The command:
RLIST TCICSTRN ABC
displays profile A* in the TCICSTRN class, but it does not search the GCICSTRN class and therefore does not display any AB* profile of the GCICSTRN class. In addition, the command:
RLIST GCICSTRN ABC
does not find member AB* in the GCICSTRN class because it does not look at the members in a grouping class.
If you want to make use of RLIST to find the generic profile that protects a specific resource, and the resource is in a class that has both a grouping class and a member class, you should define the generic profile as a profile in the member class.
To illustrate the above RDEFINE example where ADDMEM(AB*) had been specified for a grouping class, the following command:
RDEFINE TCICSTRN AB*
allows the RLIST command to display AB* as the generic member in the TCICSTRN class.
- HISTORY
- Specifies
that you want to list the following data:
- The date each profile was defined to RACF
- The date each profile was last referenced (this detail is only
meaningful when your installation is gathering resource statistics;
for a generic profile and profiles that are RACLISTed, RACF replaces any statistics line with NOT APPLICABLE
FOR GENERIC PROFILE)
- The date of last RACROUTE REQUEST=AUTH for UPDATE authority (this
detail is only meaningful when your installation is gathering resource
statistics; for a generic profile and profiles that are RACLISTed, RACF replaces any statistics line
with NOT APPLICABLE FOR GENERIC PROFILE)
- ICSF
- Specifies
that ICSF segment information should be listed for profiles in the
CSFKEYS, GCSFKEYS, XCSFKEY, or GXCSFKEY class.
- ICTX
- Specifies
that ICTX segment information should be listed.
- KERB
- Specifies
that you want to list the following z/OS Integrated Security Services Network Authentication
Service information:
- NORACF
- Specifies that you want to suppress the listing of RACF segment information. If you specify NORACF,
you must include either CDTINFO, DLFDATA, EIM, KERB, PROXY, SESSION,
SSIGNON, STDATA, SVFMR, TME, or a combination of operands.
If
you do not specify NORACF, RACF displays
the information in the base segment of a general resource profile.
The
information displayed as a result of using the NORACF operand is dependent
on other operands used in the command. For example, if you use NORACF
with SESSION also specified, only the SESSION information is displayed.
- NOYOURACC
- For grouping and member classes, RLIST must do additional processing to ensure that the YOUR ACCESS information field is accurate. A SPECIAL user can use the NOYOURACC operand to bypass this processing, for performance reasons. The YOUR ACCESS field contains n/a in this circumstance.
Note: This operand applies to SPECIAL users only. It has no effect for other users.
- PROXY
- Specifies
that PROXY segment information should be listed. The following information
will be provided:
- the URL of the LDAP server to be contacted
- the BIND distinguished name
- information regarding the BIND password
The BINDPW password
values will not be listed. If a BINDPW password value is defined for
a general resource profile, RLIST will display YES for
the PROXY segment BINDPW attribute. If no BINDPW password value has
been defined, RLIST will display NO for the PROXY
segment BINDPW attribute.
- RESGROUP
- Requests
a list of all resource groups of which the resource specified by the profile-name operand
is a member.
If a profile does not exist for the specified
resource, RACF lists the names
of all resource groups of which the resource is a member and to which
the command user is authorized. To be authorized, the command user
must meet one of the authorization requirements listed in Authorization required.
If
a profile does exist for the specified resource and the command
user has ALTER authority to the resource, RACF lists the names of all groups of which
the resource is a member.
If a profile does exist for
the specified resource but the command user has less than ALTER authority
to the resource, RACF lists
the names of all groups of which the resource is a member and to which
the command user is authorized. To be authorized to the resource group,
the command user must meet one of the authorization requirements listed
in Authorization required.
However, the command issuer must have the authority to list the resource
specified on the command in order to list the member groups. If this
requirement is met, then the user must be also authorized to the resource
group. Otherwise, an error message is issued.
When profile-name is
the name of a protected resource (such as a terminal or DASD volume)
and class-name is a member class
(such as TERMINAL or DASDVOL), the RESGROUP operand lists the profiles
that protect the resource (for example, profiles in the GTERMINL or
GDASDVOL class).
If you define a profile and use generic characters such as (*) to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output because it does not support generic matches. For example, you have:
RDEF GIMS GIMSGRP ADDMEM(ABC*)
and you are looking for a specific member, so you enter:
RLIST TIMS ABCD RESGROUP
The GIMS profile GIMSGRP will not appear in the output.
Note: When
considering this example, if you are unable to define the profile
ABCD, it might be due to a generic definition somewhere in GIMS.
This
operand applies only to member classes for which resource group profiles
exist.
- SESSION
- Specifies
that the contents of the SESSION segment are to be listed for profiles
in the APPCLU class.
- SIGVER
- Specifies
that the contents of the SIGVER segment are to be listed for profiles
in the PROGRAM class.
- SSIGNON
- Specifies
that you want to display the secured signon information.
Note: The secured signon application
key value cannot be displayed. However, information is displayed that
describes whether the key value is masked or encrypted.
- STATISTICS
- Specifies that
you want to list the statistics for each resource. The list contains
the number of times the resource was accessed by users with READ,
UPDATE, CONTROL, and ALTER authorities. A separate total is given
for each authority level.
Note: This detail is only meaningful when
your installation is gathering resource statistics. For a generic
profile, RACF replaces any
statistics line with NOT APPLICABLE FOR GENERIC PROFILE.
- STDATA
- Specifies
that you want to list the contents of the STDATA segment for profiles
in the STARTED class.
- SVFMR
- Lists
the contents of the SVFMR segment for profiles in the SYSMVIEW class.
- TME
- Specifies
that information in the Tivoli® Security
Management Application is to be listed.
- TVTOC
- Specifies
that you want to see information about the data sets defined in the
TVTOC of a TAPEVOL profile. The output displays:
- The name used to create the data set
- The internal RACF name
for the data set
- The volumes on which the data set resides
- The file sequence number for the data set
- The date when the data set was created
- Whether the data set profile is discrete or generic.
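An added example (not IBM's code) that models the profile selection described under GENERIC | NOGENERIC and the exact-member behaviour of RESGROUP, using the page's own RDEFINE examples; the generic-matching rules and the "most closely matches" ordering are simplified assumptions, and the RacfDb class is a constructed stand-in for the RACF database:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Member class -> grouping class pairs named on the page.
GROUPING_CLASS = {"TCICSTRN": "GCICSTRN", "TIMS": "GIMS", "TERMINAL": "GTERMINL"}
GENERIC_CHARS = "*%"


@dataclass
class ResourceProfile:
    name: str
    members: List[str] = field(default_factory=list)  # ADDMEM(...) names, grouping classes only

    @property
    def generic(self) -> bool:
        # Assumes SETROPTS GENERIC is active for the class, so these characters are generic.
        return any(ch in GENERIC_CHARS for ch in self.name)


def _to_regex(pattern: str) -> str:
    """Simplified generic matching: '%' one character, '*' the rest of a qualifier,
    '**' zero or more qualifiers. Real RACF rules are richer; this covers the page's cases."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] in GENERIC_CHARS:
            out.append("[^.]*" if pattern[i] == "*" else "[^.]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def _specificity(pattern: str):
    """Sort key for 'most closely matches': longest literal prefix, then fewest generic
    characters. An approximation; the page does not spell out RACF's exact ordering."""
    prefix = next((i for i, ch in enumerate(pattern) if ch in GENERIC_CHARS), len(pattern))
    return (-prefix, sum(ch in GENERIC_CHARS for ch in pattern))


class RacfDb:
    """Minimal in-memory stand-in for the RACF database (constructed for this example)."""

    def __init__(self) -> None:
        self.classes: Dict[str, List[ResourceProfile]] = {}

    def rdefine(self, class_name: str, name: str, addmem=()) -> None:
        self.classes.setdefault(class_name, []).append(ResourceProfile(name, list(addmem)))

    def rlist(self, class_name: str, resource: str, mode: Optional[str] = None) -> Optional[str]:
        """Name of the profile RLIST displays for `resource` with no option, GENERIC or NOGENERIC.
        Only profile names defined in `class_name` are examined; ADDMEM members of a
        grouping class are never searched, exactly as the page describes."""
        profiles = self.classes.get(class_name, [])
        discrete = next((p.name for p in profiles if not p.generic and p.name == resource), None)
        if mode == "NOGENERIC" or (mode is None and discrete is not None):
            return discrete
        candidates = [p.name for p in profiles
                      if p.generic and re.fullmatch(_to_regex(p.name), resource)]
        return min(candidates, key=_specificity) if candidates else None

    def rlist_resgroup(self, member_class: str, resource: str) -> List[str]:
        """Grouping-class profiles that RLIST ... RESGROUP lists: exact member names only,
        so a member ABC* never matches the resource ABCD."""
        grouping = self.classes.get(GROUPING_CLASS.get(member_class, ""), [])
        return [p.name for p in grouping if resource in p.members]


def build_sample_db() -> RacfDb:
    """Profiles from the page's own RDEFINE examples plus Example 3's GTERMINL groups."""
    db = RacfDb()
    db.rdefine("TCICSTRN", "A*")                    # RDEFINE TCICSTRN A*
    db.rdefine("GCICSTRN", "xxx", addmem=["AB*"])   # RDEFINE GCICSTRN xxx ADDMEM(AB*)
    db.rdefine("GIMS", "GIMSGRP", addmem=["ABC*"])  # RDEF GIMS GIMSGRP ADDMEM(ABC*)
    db.rdefine("TERMINAL", "TERM1")
    for group in ("GTERM1", "GTERM2", "GTERM3", "GTERM4"):
        db.rdefine("GTERMINL", group, addmem=["TERM1"])
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("RLIST TCICSTRN ABC ->", db.rlist("TCICSTRN", "ABC"))              # A*
    print("RLIST GCICSTRN ABC ->", db.rlist("GCICSTRN", "ABC"))              # None: members not searched
    print("RLIST TIMS ABCD RESGROUP ->", db.rlist_resgroup("TIMS", "ABCD"))  # []
    db.rdefine("TCICSTRN", "AB*")                   # RDEFINE TCICSTRN AB*
    print("RLIST TCICSTRN ABC ->", db.rlist("TCICSTRN", "ABC"))              # AB*
```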
Examples

Example 1
Operation: User RV2 wants to list all information about the tape volume VOL001.
Known: User RV2 is the owner of tape volume VOL001. User RV2 has the AUDITOR attribute. User RV2 wants to issue the command as a RACF TSO command.
Command: RLIST TAPEVOL VOL001 ALL
Defaults: None.
Output: See Figure 1.

Example 2
Operation: User ADM1 wants to list information about the generic profile T* in the TIMS class.
Known: User ADM1 has the SPECIAL and AUDITOR attributes. User ADM1 wants to issue the command as a RACF TSO command.
Command: RLIST TIMS T*
Defaults: None.
Output: See Figure 2.

Example 3
Operation: User IBMUSER wants to list information about the profile TERM1 in the TERMINAL class. TERM1 is a member of four GTERMINL class profiles: GTERM1, GTERM2, GTERM3, and GTERM4. TERM1 has a UACC of NONE.
Known: User IBMUSER has the SPECIAL and AUDITOR attributes. User IBMUSER wants to issue the command as a RACF TSO command.
Command: RLIST TERMINAL TERM1 RESGROUP
Defaults: None.
Output: See Figure 3.

Example 4
Operation: The security administrator wants to display secured signon key information for profile name TSOR001 in the PTKTDATA class to be certain that the application key is masked instead of encrypted.
Known: ELVIS1 is the user ID of the security administrator and has the SPECIAL attribute. The security administrator wants to issue the command as a RACF TSO command.
Command: RLIST PTKTDATA TSOR001 SSIGNON
Defaults: None.
Output: See Figure 4.

Example 5
Operation: The security administrator wants to display secured signon key information for profile name TSOR004 in the PTKTDATA class and to be certain that the application key is encrypted instead of masked.
Known: NONNEL is the user ID of the security administrator and has the SPECIAL attribute. The security administrator wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
Command: @RLIST PTKTDATA TSOR004 SSIGNON
Defaults: None.
Output: See Figure 5.

Example 6
Operation: The security administrator wants to display the contents of the STDATA segments for profiles in the STARTED class with the generic profile name (VTAM®.*).
Known: SYSUSER is the user ID of the security administrator and has the SPECIAL attribute. The security administrator wants to issue the command as a RACF TSO command.
Command: RLIST STARTED VTAM.* STDATA NORACF
Defaults: None.
Output: See Figure 6.

Example 7
Operation: The security administrator wants to list the contents of the KERBDFLT profile in the REALM class.
Known: The administrator has access to the KERBDFLT profile in the REALM class.
Command: RLIST REALM KERBDFLT KERB NORACF
Defaults: None.
Output: See Figure 7.

Example 8
Operation: The administrator wants to list the contents of a profile (TSOIM13) in the PTKTDATA class. This particular PassTicket profile indicates that replay protection is to be bypassed.
Known: The administrator has access to the PTKTDATA class.
Command: RLIST PTKTDATA TSOIM13
Defaults: None.
Output: See Figure 8.

Example 9
Operation: The administrator wants to list the contents of a profile (IRR.PROXY.DEFAULTS) in the FACILITY class and the contents of the EIM segment. This particular PROXY profile indicates that a BINDPW has been defined.
Known: The administrator has access to the FACILITY class.
Command: RLIST FACILITY IRR.PROXY.DEFAULTS EIM PROXY NORACF
Defaults: None.
Output: See Figure 9.

Example 10
Operation: The security administrator wants to list class descriptor table (CDT) information of the TSTCLAS8 in the CDT class.
Known: The administrator has the SPECIAL attribute.
Command: RLIST CDT TSTCLAS8 NORACF CDTINFO
Defaults: None.
Output: See Figure 10.

Example 11
Operation: The security administrator Rui wants to list the contents of the IRR.ICTX.DEFAULTS profile in the LDAPBIND class and the contents of the ICTX segment.
Known: Rui has READ access to the LDAPBIND class.
Command: RLIST LDAPBIND IRR.ICTX.DEFAULTS ICTX NORACF
Defaults: None.
Output: See Figure 11.

Example 12
Operation: Rui wants to list the access list for the DSN.ZHAOHUI.TABLE.ALTER resource in the MDSNTB class.
Known: Rui has the SPECIAL attribute.
Command: RLIST MDSNTB DSN.ZHAOHUI.TABLE.ALTER AUTHUSER
Defaults: None.
Output: See Figure 12.

Example 13
Operation: The security administrator uses the custom field named EMPSER for employee serial numbers. She wants to list the attributes of this custom field for user profiles.
Known: The security administrator has the SPECIAL attribute.
Command: RLIST CFIELD USER.CSDATA.EMPSER CFDEF NORACF
Defaults: None.
Output: See Figure 13.

Example 14
Operation: The security administrator wants to list the settings related to digital signature verification for the program called XYZLIB64.
Known: The security administrator has the SPECIAL attribute.
Command: RLIST PROGRAM XYZLIB64 SIGVER NORACF
Defaults: None.
Output: See Figure 14.

Example 15
Operation: The security administrator wants to list ICSF segment information for all profiles in the XCSFKEY class.
Known: The security administrator has the SPECIAL attribute.
Command: RLIST XCSFKEY * ICSF NORACF
Defaults: None.
Output: See Figure 15.
Figure 1. Example 1: Output for the RLIST command RLIST TAPEVOL VOL001 ALL

CLASS      NAME
-----      ----
TAPEVOL    VOL001

LEVEL  OWNER    UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  -----    ----------------  -----------  -------
 00    RV2      READ              ALTER        NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

SECLEVEL
----------------
NO SECLEVEL

CATEGORIES
----------------
NO CATEGORIES

SECLABEL
----------------
NO SECLABEL

AUDITING
--------
SUCCESS(READ),FAILURES(UPDATE)

GLOBALAUDIT
-----------
ALL(CONTROL)

AUTOMATIC  SINGLE DATA SET
---------  ---------------
NO         NO

NOTIFY
------
NO USER TO BE NOTIFIED

CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
(DAY) (YEAR)   (DAY) (YEAR)         (DAY) (YEAR)
-------------  -------------------  ----------------
 146    82      146    82            146    82

ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
-----------  -------------  ------------  ----------
 000000       000000         000005        000000

USER    ACCESS  ACCESS COUNT
----    ------  ------------
RV2     ALTER   000000
ESH25   READ    000000

ID  ACCESS  ACCESS COUNT  CLASS  ENTITY NAME
--  ------  ------------  -----  -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST

NO TVTOC INFORMATION AVAILABLE
Figure 2. Example 2: Output for the RLIST command
RLIST TIMS T*
CLASS NAME
----- ----
TIMS T* (G)
GROUP CLASS NAME
----- ----- ----
GIMS
RESOURCE GROUPS
-------- ------
NONE
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- ------- ---------------- ----------- -------
00 ADM1 NONE ALTER NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
REVERIFY
AUDITING
--------
NONE
GLOBALAUDIT
-----------
SUCCESS(UPDATE),FAILURES(READ)
NOTIFY
------
NO USER TO BE NOTIFIED
Figure 3. Example 3: Output for the RLIST command with RESGROUP option
RLIST TERM1
CLASS NAME
----- ----
TERMINAL TERM1
GROUP CLASS NAME
----- ----- ----
GTERMINL
RESOURCE GROUPS
-------- ------
GTERM1 GTERM2 GTERM3 GTERM4
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 IBMUSER NONE ALTER NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
AUDITING
--------
FAILURES(READ)
TIMEZONE LOGON ALLOWED (DAYS) (TIME)
-------- ---------------------------------------------
CPU TIME ANYDAY ANYTIME
NOTIFY
------
NO USER TO BE NOTIFIED
Figure 4. Example 4: Output for RLIST command with masked application key
SSIGNON INFORMATION
---------------------
KEYMASKED DATA NOT DISPLAYABLE
Figure 5. Example 5: Output for RLIST command with encrypted application key
SSIGNON INFORMATION
---------------------
KEYENCRYPTED DATA NOT DISPLAYABLE
Figure 6. Example 6: Output for RLIST command for the STDATA segment
STDATA INFORMATION
------ -----------
USER= SYSUSER
GROUP= SYSGROUP
TRUSTED= YES
PRIVILEGED= NO
TRACE= NO
Figure 7. Example 7: Output for RLIST command for the KERB segment
CLASS NAME
----- ----
REALM KERBDFLT
KERB INFORMATION
----------------
KERBNAME= KRB2000.IBM.COM
MINTKTLFE= 0000000300
MAXTKTLFE= 0000086400
DEFTKTLFE= 0000036000
KEY VERSION= 001
KEY ENCRYPTION TYPE= DES DES3 DESD AES128 AES256
CHECK ADDRESSES= NO
------------------
CLASS NAME
----- ----
REALM /.../KERB390.ENDICOTT.IBM.COM/KRBTGT/KER2000.ENDICOTT.IBM.COM
…
Figure 8. Example 8: Output for RLIST command in the PTKTDATA class
CLASS NAME
-------- ----
PTKTDATA TSOIM13
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- ------- ---------------- ----------- -------
00 IBMUSER NONE NONE NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
--------------------
NO REPLAY PROTECTION
AUDITING
--------------
FAILURES(READ)
NOTIFY
----------------------
NO USER TO BE NOTIFIED
Figure 9. Example 9: Output for RLIST command for the EIM segment
RLIST FACILITY IRR.PROXY.DEFAULTS EIM NORACF
CLASS NAME
----- ----
FACILITY IRR.PROXY.DEFAULTS
EIM INFORMATION
---------------
EIM OPTIONS= ENABLE
LOCALREGISTRY= SYS1SAF
KERBREGISTRY= MYCOMPANYREALM
X509REGISTRY= MYCOMPANYCERTS
Figure 10. Example 10: Output for RLIST command for the CDTINFO segment
RLIST CDT TSTCLAS8 NORACF CDTINFO
CLASS NAME
----- ----
CDT TSTCLAS8
CDTINFO INFORMATION
------- -----------
CASE = UPPER
DEFAULTRC = 004
DEFAULTUACC = NONE
FIRST = ALPHA
GENERIC= DISALLOWED
GENLIST = DISALLOWED
GROUP =
KEYQUALIFIERS = 0000000000
MACPROCESSING = NORMAL
MAXLENGTH = 042
MAXLENX = NONE
MEMBER =
OPERATIONS = YES
OTHER = ALPHA NUMERIC SPECIAL
POSIT = 0000000303
PROFILESALLOWED = YES
RACLIST = REQUIRED
SECLABELSREQUIRED = YES
SIGNAL = NO
Figure 11. Example 11: Output for RLIST of the ICTX segment
RLIST LDAPBIND IRR.ICTX.DEFAULTS ICTX NORACF
CLASS NAME
----- ----
LDAPBIND IRR.ICTX.DEFAULTS
ICTX INFORMATION
----------------
USEMAP = NO
DOMAP = YES
MAPREQUIRED = YES
MAPPINGTIMEOUT = 01800
Figure 12. Example 12: Output for RLIST of the AUTHUSER segment
RLIST MDSNTB DSN.ZHAOHUI.TABLE.ALTER AUTHUSER
CLASS NAME
----- ----
MDSNTB DSN.ZHAOHUI.TABLE.ALTER
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 ADMRUI NONE ALTER NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
SECLEVEL
--------
NO SECLEVEL
CATEGORIES
----------
NO CATEGORIES
SECLABEL
--------
NO SECLABEL
AUDITING
--------
FAILURES(READ)
NOTIFY
------
NO USER TO BE NOTIFIED
USER ACCESS ACCESS COUNT
---- ------ ------------
ADMRUI ALTER 000000
ID ACCESS ACCESS COUNT CLASS ENTITY NAME
-------- ------- ------------ -------- --------------------------------
JEAN READ 000000 CRITERIA SQLROLE=TELLER
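Captured RLIST output of the kind shown in Figures 1 and 12 can be reviewed mechanically. The following is an added example, not IBM code: it parses the standard-profile part of the listing (class and name, the LEVEL/OWNER/UNIVERSAL ACCESS/WARNING row, the standard access list and the conditional access list) and flags permissive settings; SAMPLE is constructed output, and the column layout is assumed to survive only as runs of spaces.

```python
# Added example, not IBM code. SAMPLE is constructed RLIST output modelled on
# Figures 1 and 12 of this page; captured column alignment collapses to spaces.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
HEADERS = {("CLASS", "NAME"): "class", ("LEVEL", "OWNER"): "level",
           ("USER", "ACCESS"): "access", ("ID", "ACCESS"): "conditional"}
SAMPLE = """\
CLASS     NAME
-----     ----
MDSNTB    DSN.ZHAOHUI.TABLE.ALTER
LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    ADMRUI         READ            ALTER       YES
USER      ACCESS   ACCESS COUNT
----      ------   ------------
ADMRUI    ALTER       000000
ESH25     UPDATE      000000
ID     ACCESS  ACCESS COUNT  CLASS     ENTITY NAME
--     ------  ------------  -----     -----------
JEAN   READ    000000        CRITERIA  SQLROLE=TELLER
NO TVTOC INFORMATION AVAILABLE
"""

def parse_rlist(text):
    """Header-driven state machine; access lists hold (id, access, extra) tuples."""
    prof, state = {"access": [], "conditional": []}, None
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("-"):
            continue                                  # blank line or dashes under a header
        if tuple(toks[:2]) in HEADERS:
            state = HEADERS[tuple(toks[:2])]          # value rows follow this header
        elif state == "class":
            prof["class"], prof["name"], state = toks[0], toks[1], None
        elif state == "level":
            _, prof["owner"], prof["uacc"], _, prof["warning"] = toks[:5]
            state = None
        elif state and len(toks) >= 3 and toks[1] in LEVELS:
            prof[state].append((toks[0], toks[1], " ".join(toks[3:])))
        else:
            state = None                              # any other line ends an access list
    return prof

def review(prof):
    """Flag UACC above NONE, WARNING mode, and non-owner IDs holding UPDATE or higher."""
    bad = [f"{k.upper()}={prof[k]}" for k in ("uacc", "warning")
           if prof.get(k) not in (None, "NONE", "NO")]
    for who, acc, extra in prof["access"] + prof["conditional"]:
        if who != prof.get("owner") and LEVELS.index(acc) >= LEVELS.index("UPDATE"):
            bad.append(f"{who} holds {acc}" + (f" ({extra})" if extra else ""))
    return bad
```

WARNING=YES means RACF grants access that would otherwise be denied and only logs it, so it is flagged alongside a non-NONE UACC; conditional entries keep their CRITERIA text so the reviewer sees the condition under which the access applies.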
Figure 13. Example 13: Output for RLIST of the CFDEF segment
RLIST CFIELD USER.CSDATA.EMPSER CFDEF NORACF
CLASS NAME
----- ----
CFIELD USER.CSDATA.EMPSER
CFDEF INFORMATION
-----------------
TYPE = NUM
MAXLENGTH = 00000008
MAXVALUE = 0099999999
MINVALUE = 0000100000
FIRST = NUMERIC
OTHER = NUMERIC
MIXED = NO
HELP = EMPLOYEE SERIAL NUMBER, 6-8 DIGITS
LISTHEAD = EMPLOYEE SERIAL =
Figure 14. Example 14: Output for RLIST of the SIGVER segment
RLIST PROGRAM XYZLIB64 SIGVER NORACF
CLASS NAME
----- ----
PROGRAM XYZLIB64
SIGVER INFORMATION
------------------
SIGREQUIRED = YES
FAILLOAD = ANYBAD
SIGAUDIT = ANYBAD
Figure 15. Example 15: Output for RLIST of the ICSF segment
RLIST XCSFKEY * ICSF NORACF
CLASS NAME
----- ----
XCSFKEY ATEST
ICSF INFORMATION
------------------
SYMEXPORTABLE = BYLIST
SYMEXPORTCERTS = DENICE/CertForDenice KEN/Cert for Ken
ASYMUSAGE = HANDSHAKE SECUREEXPORT
SYMCPACFWRAP = NO
CLASS NAME
----- ----
XCSFKEY BTEST
ICSF INFORMATION
------------------
SYMEXPORTABLE = BYLIST
SYMEXPORTCERTS = *
SYMEXPORTKEYS = PKDS.LABEL1 PKDS.LABEL2
ASYMUSAGE = HANDSHAKE SECUREEXPORT
SYMCPACFWRAP = YES