LISTGRP (List group profile)
Purpose
Use the LISTGRP command to list details of specific RACF® group profiles. A group profile consists of a BASE segment and, optionally, other segments such as DFP and OMVS. The LISTGRP command provides you with the option of listing the information contained in the entire group profile (all segments), or listing the information contained only in a specific segment of the group profile.
- The superior group of the group
- The owner of the group
- The date the group was defined to RACF
- The terminal option of the group
- Whether or not the group is a universal group
- Any subgroups under the group
- Installation-defined data, as specified by the DATA operand of the ADDGROUP and ALTGROUP command
- The name of the data set model profile.
- The user ID
An exception to this is when the group is a UNIVERSAL group. When a UNIVERSAL group displayed with the LISTGRP command, not all members will be listed. Only users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level will be shown in the member list. To view all members of a UNIVERSAL group, the Database Unload Utility (IRRDBU00) must be used. For more information on using the Database Unload Utility (IRRDBU00), see z/OS Security Server RACF Security Administrator's Guide.
- The user's level of authority in the group
- The number of times the user has entered the system using this group as the current connect group
- The user's default universal access authority
- The user's connect attributes (group-related user attributes)
- Any REVOKE or RESUME processing either in effect or pending, with the corresponding dates even if they have passed.
- The group's default data class
- The group's default management class
- The group's default storage class
- The data management data application for the group.
- The list of roles that refer to this group.
- The group's z/OS UNIX System Services group identifier.
- The list of custom fields that your installation has added to this group.
Issuing options
The following table identifies the eligible options for issuing the LISTGRP command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | No | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To list a user profile, see LISTUSER (List user profile).
- To list a data set profile, see LISTDSD (List data set profile).
- To list a general resource profile, see RLIST (List general resource profile). (General resources include terminals and other resources defined in the class descriptor table.)
- To obtain a list of group profiles, see SEARCH (Search RACF database).
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
- You have the SPECIAL attribute.
- You have the group-SPECIAL attribute in each group to be listed, or each group to be listed is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the AUDITOR or the ROAUDIT attribute.
- You have the group-AUDITOR attribute in each group to be listed, or each group to be listed is within the scope of a group in which you have the group-AUDITOR attribute.
- You are the owner of the group.
- You have JOIN or CONNECT authority in the group.
- You have the SPECIAL, AUDITOR, or ROAUDIT attribute.
- You have at least READ authority to the desired field through field-level access control.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the LISTGRP command is:
|
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem prefix
can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- group-name |
*
-
- group-name
- Specifies the name of one or more RACF-defined groups. If you specify more than one group name, you must enclose the names in parentheses.
- *
- Specifies that you want to list information contained in all RACF-defined
group profiles to which you have the required authority.
On a system with many groups defined, the use of
*
might result in a large amount of output and might not be useful to a user issuing the command. It might be more appropriate for the user to browse the output of IRRDBU00 (database unload utility) or to write a program to process the IRRDBU00 output and produce a report showing only the subset of information that is of interest to the user. The processing of output of LISTGRP by programs is not supported nor recommended by IBM®. If you want a listing of all the groups for use by a program you should instead have the program process the output from IRRDBU00, RACROUTE REQUEST=EXTRACT, or ICHEINTY.
If you specify a group name or
*
, it must be the first operand following LISTGRP.If you specify one or more group names (or
*
) without specifying an additional operand, RACF lists only the BASE segment information from the specified profiles.If you enter LISTGRP with no operands, RACF lists only the BASE segment information from your current connect group.
- AT | ONLYAT
- The AT and ONLYAT keywords are valid only when the command is
issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- LISTGRP is not eligible for automatic command direction. If you specify the ONLYAT keyword, the effect is the same as if you specified the AT keyword.
- CSDATA
- Specifies that you
want to list custom field information for this group. The custom field information in the CSDATA
segment for this group was added using the ADDGROUP and ALTGROUP commands.
If you specify CSDATA you must also specify a group name or
*
.Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
- DFP
- Specifies
that you want to list the information contained in the DFP segment
of the group profile.
If you specify DFP you must also specify a group name or
*
. - NORACF
- Specifies
that you want to suppress the listing of base segment information
from the group profile. If you specify NORACF, you must also specify
one of the other segment names such as DFP or OMVS.
If you do not specify NORACF, RACF displays the information in the BASE segment of a group profile.
- OMVS
- Specifies that you want to list the information contained in the
OMVS segment of the group profile.
If you specify OMVS, you must also specify a group name or (
*
).If the group profile contains an OMVS segment but GID was not specified on a ADDGROUP or ALTGROUP command, the listing displays the field name followed by the word
NONE
. - OVM
- Specifies that you want to list the information contained in the
OVM segment of the group profile.
If you specify OVM, you must also specify a group name or an (
*
).If the group profile contains an OVM segment but GID was not specified on a ADDGROUP or ALTGROUP command, the listing displays the field name followed by the word
NONE
. - TME
- Specifies
that information for the Tivoli® Security
Management Application is to be listed.
If you specify TME you must also specify a group name or an asterisk (
*
).
Examples
|