LISTGRP (List group profile)

Purpose

Use the LISTGRP command to list details of specific RACF® group profiles. A group profile consists of a BASE segment and, optionally, other segments such as DFP and OMVS. The LISTGRP command provides you with the option of listing the information contained in the entire group profile (all segments), or listing the information contained only in a specific segment of the group profile.

The details RACF lists from the BASE segment of each group profile are:
  • The superior group of the group
  • The owner of the group
  • The date the group was defined to RACF
  • The terminal option of the group
  • Whether or not the group is a universal group
  • Any subgroups under the group
  • Installation-defined data, as specified by the DATA operand of the ADDGROUP and ALTGROUP commands
  • The name of the data set model profile.
RACF lists the following information from the BASE segment of the group profile for each user connected to the group:
  • The user ID

    An exception to this is when the group is a UNIVERSAL group. When a UNIVERSAL group is displayed with the LISTGRP command, not all members are listed. Only users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level are shown in the member list. To view all members of a UNIVERSAL group, the Database Unload Utility (IRRDBU00) must be used. For more information on using the Database Unload Utility (IRRDBU00), see z/OS Security Server RACF Security Administrator's Guide.

  • The user's level of authority in the group
  • The number of times the user has entered the system using this group as the current connect group
  • The user's default universal access authority
  • The user's connect attributes (group-related user attributes)
  • Any REVOKE or RESUME processing either in effect or pending, with the corresponding dates even if they have passed.
The details RACF lists from the DFP segment of the group profile are:
  • The group's default data class
  • The group's default management class
  • The group's default storage class
  • The data management data application for the group.
The details RACF lists from the TME segment of the group profile are:
  • The list of roles that refer to this group.
The details RACF lists from the OMVS or OVM segment of the group profile are:
  • The group's z/OS UNIX System Services group identifier.
The details RACF lists from the CSDATA segment of the group profile are:
  • The list of custom fields that your installation has added to this group.

Issuing options

The following table identifies the eligible options for issuing the LISTGRP command:

  • As a RACF TSO command? Yes
  • As a RACF operator command? Yes
  • With command direction? Yes
  • With automatic command direction? No
  • From the RACF parameter library? Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Listing the BASE segment of a group profile: To list the details of the BASE segment of a group profile, one of the following conditions must be true:
  • You have the SPECIAL attribute.
  • You have the group-SPECIAL attribute in each group to be listed, or each group to be listed is within the scope of a group in which you have the group-SPECIAL attribute.
  • You have the AUDITOR or the ROAUDIT attribute.
  • You have the group-AUDITOR attribute in each group to be listed, or each group to be listed is within the scope of a group in which you have the group-AUDITOR attribute.
  • You are the owner of the group.
  • You have JOIN or CONNECT authority in the group.
Listing the other segments of a group profile: To list information from segments other than the BASE segment for a group profile, one of the following conditions must be true:
  • You have the SPECIAL, AUDITOR, or ROAUDIT attribute.
  • You have at least READ authority to the desired field through field-level access control.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the LISTGRP command is:

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

group-name | *
group-name
Specifies the name of one or more RACF-defined groups. If you specify more than one group name, you must enclose the names in parentheses.
*
Specifies that you want to list information contained in all RACF-defined group profiles to which you have the required authority.

On a system with many groups defined, the use of * might result in a large amount of output and might not be useful to a user issuing the command. It might be more appropriate for the user to browse the output of IRRDBU00 (database unload utility) or to write a program to process the IRRDBU00 output and produce a report showing only the subset of information that is of interest to the user. The processing of output of LISTGRP by programs is not supported nor recommended by IBM®. If you want a listing of all the groups for use by a program you should instead have the program process the output from IRRDBU00, RACROUTE REQUEST=EXTRACT, or ICHEINTY.

If you specify a group name or *, it must be the first operand following LISTGRP.

If you specify one or more group names (or *) without specifying an additional operand, RACF lists only the BASE segment information from the specified profiles.

If you enter LISTGRP with no operands, RACF lists only the BASE segment information from your current connect group.
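
The following is an added example, not IBM code, of the approach recommended above: a program that reads IRRDBU00 output rather than LISTGRP output. It compares the group member records (type 0102) with the user connect records (type 0205) and reports, per group, the connected users that do not appear in the group's member list, which is the UNIVERSAL group case. The field positions for both record types are assumed from the IRRDBU00 record layout and should be checked against the documentation for your release; the sample records are constructed, and WEBUSR1 and WEBUSR2 are hypothetical user IDs.

```python
from collections import defaultdict

# Assumed IRRDBU00 field positions (1-based, inclusive columns).
GPMEM = {"group": (6, 13), "member": (15, 22), "auth": (24, 31)}  # type 0102
USCON = {"user": (6, 13), "group": (15, 22)}                      # type 0205

def field(record, span):
    """Return the blank-trimmed field at 1-based inclusive columns."""
    start, end = span
    return record[start - 1:end].strip()

def reconcile_membership(lines):
    """Map each group to its 0102-listed members and to the users that are
    connected per 0205 but missing from the 0102 member records."""
    listed, connected = defaultdict(dict), defaultdict(set)
    for raw in lines:
        record = raw.rstrip("\r\n")
        rtype = record[:4]
        if rtype == "0102":
            group = field(record, GPMEM["group"])
            listed[group][field(record, GPMEM["member"])] = field(record, GPMEM["auth"])
        elif rtype == "0205":
            connected[field(record, USCON["group"])].add(field(record, USCON["user"]))
    report = {}
    for group in sorted(set(listed) | set(connected)):
        members = listed.get(group, {})
        unlisted = sorted(connected.get(group, set()) - set(members))
        report[group] = {"listed": dict(members), "unlisted": unlisted}
    return report

def rec(rtype, *fields):
    """Build a constructed record: 8-byte fields separated by one blank."""
    return " ".join([rtype] + [f.ljust(8) for f in fields])

# Constructed sample records (not real data). NETGROUP mirrors Example 6;
# WEBUSR1 and WEBUSR2 are hypothetical USE-level members of that group.
SAMPLE = [
    rec("0102", "NETGROUP", "IBMUSER", "JOIN"),
    rec("0102", "NETGROUP", "NETADM", "CREATE"),
    rec("0102", "RESEARCH", "IA0", "CONNECT"),
    rec("0205", "IBMUSER", "NETGROUP"),
    rec("0205", "NETADM", "NETGROUP"),
    rec("0205", "WEBUSR1", "NETGROUP"),
    rec("0205", "WEBUSR2", "NETGROUP"),
    rec("0205", "IA0", "RESEARCH"),
]

if __name__ == "__main__":
    for group, info in reconcile_membership(SAMPLE).items():
        print(group, "listed:", info["listed"], "unlisted:", info["unlisted"])
```

A non-empty "unlisted" set marks a group whose LISTGRP member list is incomplete, so access reviews for that group should use the unload data.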

AT | ONLYAT
The AT and ONLYAT keywords are valid only when the command is issued as a RACF TSO command.
AT([node].userid ...)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid ...)
LISTGRP is not eligible for automatic command direction. If you specify the ONLYAT keyword, the effect is the same as if you specified the AT keyword.
CSDATA
Specifies that you want to list custom field information for this group. The custom field information in the CSDATA segment for this group was added using the ADDGROUP and ALTGROUP commands.

If you specify CSDATA you must also specify a group name or *.

Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.

DFP
Specifies that you want to list the information contained in the DFP segment of the group profile.

If you specify DFP you must also specify a group name or *.

NORACF
Specifies that you want to suppress the listing of base segment information from the group profile. If you specify NORACF, you must also specify one of the other segment names such as DFP or OMVS.

If you do not specify NORACF, RACF displays the information in the BASE segment of a group profile.

OMVS
Specifies that you want to list the information contained in the OMVS segment of the group profile.

If you specify OMVS, you must also specify a group name or an asterisk (*).

If the group profile contains an OMVS segment but GID was not specified on an ADDGROUP or ALTGROUP command, the listing displays the field name followed by the word NONE.

OVM
Specifies that you want to list the information contained in the OVM segment of the group profile.

If you specify OVM, you must also specify a group name or an asterisk (*).

If the group profile contains an OVM segment but GID was not specified on an ADDGROUP or ALTGROUP command, the listing displays the field name followed by the word NONE.

TME
Specifies that information for the Tivoli® Security Management Application is to be listed.

If you specify TME you must also specify a group name or an asterisk (*).

Examples

Example 1
  Operation: User IA0 wants to display the information contained in the BASE segment of the profile for group RESEARCH.
  Known: User IA0 has CONNECT authority to group RESEARCH. User IA0 wants to issue the command as a RACF TSO command.
  Command: LISTGRP RESEARCH
  Defaults: None.
  Output: See Figure 1.

Example 2
  Operation: User ADM1 wants to display the information contained in the BASE segment of the profiles for all groups.
  Known: User ADM1 has the SPECIAL and AUDITOR attributes. User ADM1 wants to issue the command as a RACF TSO command.
  Command: LISTGRP *
  Defaults: None.
  Output: See Figure 2.

Example 3
  Operation: User ADM1 wants to display the information contained in the BASE segment and DFP segment of the profile for group DFPADMN.
  Known: User ADM1 has the SPECIAL and AUDITOR attributes. Group DFPADMN is defined to RACF, and DFPADMN's profile contains a DFP segment. User ADM1 wants to issue the command as a RACF TSO command.
  Command: LISTGRP DFPADMN DFP
  Defaults: None.
  Output: See Figure 3.

Example 4
  Operation: User ADM1 wants to display the information contained in only the DFP segment of the profile for group DFPADMN.
  Known: User ADM1 has the SPECIAL and AUDITOR attributes. Group DFPADMN is defined to RACF, and DFPADMN's profile contains a DFP segment. User ADM1 wants to issue the command as a RACF TSO command.
  Command: LISTGRP DFPADMN DFP NORACF
  Defaults: None.
  Output: See Figure 4.

Example 5
  Operation: User ADM1 requests the listing of the OMVS segment for the group OMVSG1.
  Known: User ADM1 has the SPECIAL attribute. User ADM1 wants to issue the command as a RACF TSO command.
  Command: LISTGRP OMVSG1 OMVS NORACF
  Defaults: None.
  Output: See Figure 5.

Example 6
  Operation: User NETADM requests the listing of the UNIVERSAL group NETGROUP.
  Known: NETGROUP is a UNIVERSAL group and only users with authority higher than USE or users with SPECIAL, OPERATIONS and AUDITOR at the GROUP level will be displayed in the member list. User NETADM has the SPECIAL attribute to the group NETGROUP. User NETADM wants to issue the command as a RACF TSO command.
  Command: LISTGRP NETGROUP
  Defaults: None.
  Output: See Figure 6.

Figure 1. Example 1: Output for LISTGRP RESEARCH
LISTGRP RESEARCH
INFORMATION FOR GROUP RESEARCH
    SUPERIOR GROUP=SYS1         OWNER=IBMUSER   CREATED=06.123 
    NO INSTALLATION DATA
    NO MODEL DATA SET
    TERMUACC
    SUBGROUP(S)= PAYROLLB
    USER(S)=      ACCESS=      ACCESS COUNT=     UNIVERSAL ACCESS=
    IBMUSER         JOIN          000000              ALTER
       CONNECT   ATTRIBUTES=NONE
       REVOKE DATE=NONE                 RESUME DATE=NONE
    DAF0            JOIN          000002              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    IA0             CONNECT       000004              READ
      CONNECT    ATTRIBUTES=ADSP SPECIAL OPERATIONS
      REVOKE DATE=NONE                  RESUME DATE=NONE
    ESH25           USE           000000              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    PROJECTB        USE           000000              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    RV2             CREATE        000000              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    RV3             CREATE        000000              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    ADM1            JOIN          000000              READ
      CONNECT    ATTRIBUTES=OPERATIONS
      REVOKE DATE=NONE                  RESUME DATE=NONE
    AEH0            USE           000000              READ
      CONNECT    ATTRIBUTES=REVOKED
      REVOKE DATE=NONE                  RESUME DATE=NONE
Figure 2. Example 2: Output for LISTGRP *
LISTGRP *
INFORMATION FOR GROUP PAYROLLB
    SUPERIOR GROUP=RESEARCH     OWNER=IBMUSER   CREATED=06.123
    NO INSTALLATION DATA
    NO MODEL DATA SET
    TERMUACC
    NO SUBGROUPS
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
      IBMUSER       JOIN          000000               ALTER
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      DAF0          CREATE        000000               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      IA0           CREATE        000000               READ
         CONNECT ATTRIBUTES=ADSP SPECIAL OPERATIONS
         REVOKE DATE=NONE                  RESUME DATE=NONE
      AEH0          CREATE        000000               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
INFORMATION FOR GROUP RESEARCH
    SUPERIOR GROUP=SYS1         OWNER=IBMUSER   CREATED=06.123 
    NO INSTALLATION DATA
    NO MODEL DATA SET
    TERMUACC
    SUBGROUP(S)= PAYROLLB
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS=
      IBMUSER       JOIN          000000               ALTER
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      DAF0          JOIN          000002               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      IA0           CONNECT       000004               READ
         CONNECT ATTRIBUTES=ADSP SPECIAL OPERATIONS
         REVOKE DATE=NONE                  RESUME DATE=NONE
      ESH25         USE           000000               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      PROJECTB      USE           000000               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      RV2           CREATE        000002               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      RV3           CREATE        000000               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
      ADM1          JOIN          000001               READ
         CONNECT ATTRIBUTES=OPERATIONS
         REVOKE DATE=NONE                  RESUME DATE=NONE
      AEH0          USE           000000               READ
         CONNECT ATTRIBUTES=NONE
         REVOKE DATE=NONE                  RESUME DATE=NONE
Figure 3. Example 3: Output for LISTGRP DFPADMN DFP
LISTGRP DFPADMN DFP
INFORMATION FOR GROUP DFPADMN
    SUPERIOR GROUP=SYSADMN      OWNER=SYSADMN   CREATED=06.123 
    NO INSTALLATION DATA
    NO MODEL DATA SET
    TERMUACC
    SUBGROUP(S)= DFPGRP1, DFPGRP2
    USER(S)=      ACCESS=      ACCESS COUNT=     UNIVERSAL ACCESS=
    IBMUSER         JOIN          000000              ALTER
       CONNECT   ATTRIBUTES=NONE
       REVOKE DATE=NONE                 RESUME DATE=NONE
    DSMITH          JOIN          000002              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    HOTROD          CONNECT       000004              READ
      CONNECT    ATTRIBUTES=ADSP SPECIAL OPERATIONS
      REVOKE DATE=NONE                  RESUME DATE=NONE
    ESHAW           USE           000000              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    PROJECTB        USE           000000              READ
      CONNECT    ATTRIBUTES=NONE
      REVOKE DATE=NONE                  RESUME DATE=NONE
    ADM1            JOIN          000000              READ
      CONNECT    ATTRIBUTES=OPERATIONS
      REVOKE DATE=NONE                  RESUME DATE=NONE
    AEHALL          USE           000000              READ
      CONNECT    ATTRIBUTES=REVOKED
      REVOKE DATE=NONE                  RESUME DATE=NONE
 DFP INFORMATION
    MGMTCLAS= DFP2MGMT
    STORCLAS= DFP2STOR
    DATACLAS= DFP2DATA
    DATAAPPL= DFP2APPL
Figure 4. Example 4: Output for LISTGRP DFPADMN DFP NORACF
LISTGRP DFPADMN DFP NORACF
INFORMATION FOR GROUP DFPADMN
 DFP INFORMATION
    MGMTCLAS= DFP2MGMT
    STORCLAS= DFP2STOR
    DATACLAS= DFP2DATA
    DATAAPPL= DFP2APPL
Figure 5. Example 5: Output for LISTGRP OMVSG1 OMVS NORACF
LISTGRP OMVSG1 OMVS NORACF
INFORMATION FOR GROUP OMVSG1
 OMVS INFORMATION
    GID= 0000003243
Figure 6. Example 6: Output for LISTGRP NETGROUP
LISTGRP NETGROUP
INFORMATION FOR GROUP NETGROUP
      SUPERIOR GROUP=SYS1       OWNER=IBMUSER   CREATED=06.123 
      NO INSTALLATION DATA
      NO MODEL DATA SET
      TERMUACC  
      UNIVERSAL 
      NO SUBGROUPS
    USER(S)=      ACCESS=      ACCESS COUNT=      UNIVERSAL ACCESS= 
    IBMUSER         JOIN          00000000             NONE
        CONNECT ATTRIBUTES= NONE
        REVOKE DATE= NONE                RESUME DATE= NONE
    NETADM        CREATE          00000000             READ
        CONNECT ATTRIBUTES= SPECIAL
        REVOKE DATE= NONE                RESUME DATE= NONE