DISPLAY (Display signed-on-from list)

Background

Persistent verification allows users to sign on to a partner LU (logical unit) and have their authority persist. In other words, once a user has signed on, a password is not required for subsequent signon attempts.

APPC/MVS invokes RACF® to create and maintain a list called the signed-on-from list. If persistent verification is being used, the signed-on-from list consists of the users currently signed on with persistent verification authority.

Purpose

The RACF DISPLAY operator command displays information held in the signed-on-from list. Entries in the signed-on-from list possess the following information:

User ID
Group
APPL (the local LU name)
POE (the partner LU name from which the user is signed on)
SECLABEL

The DISPLAY command has operands which correspond to the items listed above. You can use these operands to select which user entries to display from the signed-on-from list.

The information is displayed as a list of entries sorted by local LU. If there are multiple entries for a given local LU, these entries are sorted by user ID.

Issuing options

The following table identifies the eligible options for issuing the DISPLAY command:

As a RACF TSO command?	As a RACF operator command?	With command direction?	With automatic command direction?	From the RACF parameter library?
No	Yes	No	No	Yes

For information on issuing this command as a RACF operator command, see RACF operator commands.

Related commands

Use the SIGNOFF command to remove users from the signed-on-from list.

Authorization required

You might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the DISPLAY command is:


subsystem-prefixDISPLAY
	[ SIGNON ]
	[ APPL(local-luname \| `*`) ]
	[ POE(partner-luname \| `*`) ]
	[ USER(userid-name \| `*`) ]
	[ GROUP(group-name \| `*`) ]
	[ SECLABEL(security-label \| `*`) ]

For information on issuing this command as a RACF operator command, see Rules for entering RACF operator commands.

Parameters

subsystem-prefix: The subsystem prefix identifies that the RACF subsystem is the processing environment. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

SIGNON: This operand indicates that the information to be displayed is from the signed-on-from list. Because this is always the case, this operand is a default value and can be omitted from the command line.

The operands below allow the operator to select the necessary search criteria. These operands are all optional.

If none of the operands are specified, you receive an informational message, indicating the version, release and modification level for RACF.
If no local LU is currently active, you receive an informational message.
If you specify the APPL operand and at least one local LU is currently active, you receive an informational message with the names of the LU applications listed.

APPL(local-luname | *): The local-luname is a 1 - 8 character name of the local LU to be searched for. An asterisk can occupy the last position of the name in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any APPL name in the signed-on-from list. A single asterisk is the default value.

POE(partner-luname | *): The partner-luname is the name of the partner LU to be searched for. It can be a 1 - 8 character unqualified LU name or a 1 - 17 character network qualified LU name in the format netid.luname, where netid and luname are each 1 - 8 characters. If the netid is omitted, all partner LUs with the specified LU name portion is shown (POE(LU1) would show NET1.LU1 and NET2.LU1). An asterisk can occupy the last position of the partner-luname in order to provide a partial generic selection capability. For example, the partner-luname NW1.LU2 would match with *, N*, NW*, NW1*, NW1.*, NW1.L*, NW1.LU*, NW1.LU2*, L*, LU*, and LU2*. A character string consisting of a single asterisk is permitted as a full generic that matches any POE name in the signed-on-from list. A single asterisk is the default if another operand (besides SIGNON) is specified.

USER(userid-name | *): The userid-name is a 1 - 8 character name that represents the RACF user ID to be searched for. An asterisk can occupy the last position of the userid-name in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any user ID in the signed-on-from list. A single asterisk is the default value if either the GROUP operand or the SECLABEL operand is specified.

GROUP(group-name | *): The group-name is a 1 - 8 character name of the RACF group to be searched for. An asterisk can be in the last position of the group-name in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any group name in the signed-on-from list. A single asterisk is the default value if either the USER operand or the SECLABEL operand is specified. Note that entries in the signed-on-from list might not always be added to that list with a group-name value. Such entries have group-name values consisting of blanks.

SECLABEL(security-label | *): The security-label is a 1 - 8 character name which represents the RACF security label to be searched for. An asterisk can occupy the last position of the specification in order to provide a partial generic selection capability. A character string consisting of a single asterisk is permitted as a full generic that matches any security label in the signed-on-from list. A single asterisk is the default value if either the USER operand or the GROUP operand is specified.

Examples


Example 1	Operation	Display all the partner LUs associated with a particular local LU.
	Known	The local LU name is `locallu`. The RACF subsystem prefix is `@`.
	Command	`@display appl(locallu),poe(*)`
	Defaults	SIGNON
	Output	See Figure 1.
Example 2	Operation	Display all the users signed on for a particular LU pair.
	Known	The local LU is `locallu`, the partner LU is `prtnrlu1`. The RACF subsystem prefix is `@`.
	Command	`@display appl(locallu),poe(prtnrlu1),user(*)`
	Defaults	SIGNON, GROUP(``), and SECLABEL(``)
	Output	See Figure 2.
Example 3	Operation	Display each local LU and its associated partner LUs, and for each LU pair, display the users signed on.
	Known	The RACF subsystem prefix is `@`.
	Command	`@display appl(),poe(),user(*)`
	Defaults	SIGNON, GROUP(``), and SECLABEL(``)
	Output	See Figure 3. Important: In many instances, this command might generate large amounts of display output.
Example 4	Operation	Display each local LU and its associated partner LUs, and for each LU pair, display the users with userid_names beginning with `B`.
	Known	The RACF subsystem prefix is `@`.
	Command	`@display appl(),poe(),user(B),group()`
	Defaults	SIGNON and SECLABEL(`*`)
	Output	See Figure 4.
Example 5	Operation	Display all the LU pairs that users have signed on to using a particular group.
	Known	The RACF subsystem prefix is `@`. The group-name is `grp1`.
	Command	`@display group(grp1),appl(),poe(),user(*)`
	Defaults	SIGNON, SECLABEL(`*`)
	Output	See Figure 5.

Figure 1. Example 1: Output for the DISPLAY command

IRRD004I RACF 2.6.0 SUBSYSTEM 219
REMOTE LU NAME(S) ASSOCIATED WITH ACTIVE LOCAL LU NAME LOCALLU
LU NAME                LU NAME                    LU NAME
PRTNRLU1               PRTNRLU2                   PRTNRLU3
NETID1.PRTNRLU4

Figure 2. Example 2: Output for the DISPLAY command

IRRD004I RACF 2.6.0 SUBSYSTEM 239
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB      GROUP = SYS1    SECLABEL =
USER = BRIAN    GROUP = SYS1    SECLABEL =
USER = JIM      GROUP = GRP1    SECLABEL =
USER = JOE      GROUP = GRP1    SECLABEL =

Figure 3. Example 3: Output for the DISPLAY command

IRRD004I RACF 2.6.0 SUBSYSTEM 245
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB      GROUP = SYS1    SECLABEL =
USER = BRIAN    GROUP = SYS1    SECLABEL =
USER = JIM      GROUP = GRP1    SECLABEL =
USER = JOE      GROUP = GRP1    SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU2 HAS USER(S):
USER = BRIAN    GROUP =         SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU3 HAS USER(S):
USER = BRIAN    GROUP =         SECLABEL =
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU4 HAS USER(S):
USER = BRIAN    GROUP =         SECLABEL =
LOCAL LU LOCLLU2 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM      GROUP = GRP1    SECLABEL =
LOCAL LU LOCLLU3 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM      GROUP = GRP1    SECLABEL =

Figure 4. Example 4: Output for the DISPLAY command

IRRD004I RACF  2.6.0  SUBSYSTEM 647
LOCAL LU LOCALLU  FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = BOB      GROUP = SYS1     SECLABEL =
USER = BRIAN    GROUP = SYS1     SECLABEL =
LOCAL LU LOCALLU  FOR REMOTE LU PRTNRLU2 HAS USER(S):
USER = BRIAN    GROUP =          SECLABEL =
LOCAL LU LOCALLU  FOR REMOTE LU PRTNRLU3 HAS USER(S):
USER = BRIAN    GROUP =          SECLABEL =
LOCAL LU LOCALLU  FOR REMOTE LU PRTNRLU4 HAS USER(S):
USER = BRIAN    GROUP =          SECLABEL =

Figure 5. Example 5: Output for the DISPLAY command

IRRD004I RACF 2.6.0 SUBSYSTEM 251
LOCAL LU LOCALLU FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM      GROUP = GRP1    SECLABEL =
USER = JOE      GROUP = GRP1    SECLABEL =
LOCAL LU LOCLLU2 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM      GROUP = GRP1    SECLABEL =
LOCAL LU LOCLLU3 FOR REMOTE LU PRTNRLU1 HAS USER(S):
USER = JIM      GROUP = GRP1    SECLABEL =