Subselect clauses
The subselect clauses described in this topic apply only to RACF systems. A subselect clause can be used to display only some entries from a repeated field. For example, you can use a subselect clause to display only those access list entries with UPDATE access or higher. The subselect clause is most useful when the repeat group has many instances, of which only a few are of interest.
Only the ACL, CONNECTS, CUSTOM_DATA, and USR fields can be used for a subselect clause. Only the subselect USR can be used on a LIST command. All subselect variables can be used on SORTLIST and DISPLAY commands. The EXPLODE, RESOLVE, EFFECTIVE, and TRUST modifiers can be used with the subselect ACL.
Some ACL and USR subselect clauses can also be used directly on the SELECT and EXCLUDE commands. See SELECT/EXCLUDE ACL(...) and SELECT USR(...).
Table 1 lists the fields that can be used with subselect ACL. The sample output following the table shows the ACL columns referenced in the table.
There are no subselect fields for ACF2.
There are no subselect fields for Top Secret.
Field | Type | Meaning |
---|---|---|
ACCESS | access level | Access level as shown in the 'Access' column. Defined for all repeat group entries. |
GROUP | string | Group ID on an access list. For a normal (not exploded or resolved) access list, this is the ID as shown in the ACL id column, where the User column displays -group-. This field is not defined for those entries where the ACL ID is a user or is undefined. |
ID | string | ID on an access list. This is the unexploded and unresolved ID, as shown in the ACL id column. This field is defined for all repeat group entries. |
USER | string | User ID on an access list. For an exploded or resolved access list, this is the ID as shown in the left column (User). This field is not defined for those entries where the ACL ID is a group or undefined. |
WHENCLASS, WHENCLAS | string | Class name used in a conditional access list. Only exists for those repeat group entries that have a conditional access list. Shown as part of the When column. |
WHENPROF, WHENPROFILE | string | Profile or program name used in a conditional access list. This entry only exists for those repeat group entries that have a conditional access list. Shown as part of the When column. |
Because ID acts on the unresolved and unexploded access list, it cannot be used to select on operations access. To view only operations access, including group operations access, specify a subselect on ACCESS=(ALTER-O,ALTER-Q).
The following sample output shows ACL fields and columns:
```
newlist
s key=sysappl.cnracf.**
sortlist key(20) acl(sort)

Profile key          User     Access   ACL id    When
SYSAPPL.CNRACF.**    -group-  READ     C##ACONF
                     -group-  READ     C##ARACF
                     -group-  READ     SYSBASE
                     -group-  READ     SYSSECUR
                     C##AINT  READ     C##AINT   PROGRAM CNRACF
                     R##BDAG  UPDATE   R##BDAG   PROGRAM CNRACF
                     R##PBRP  READ     R##PBRP
                     R##PROB  ALTER    R##PROB
                     R##PSEC  UPDATE   R##PSEC
                     R##PTST  READ     R##PTST   PROGRAM CNRACF
```
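The Table 1 field rules applied to the sample access list above, as an added Python model for reviewing such a report offline; it is not CARLa and not zSecure code. The names `parse_acl` and `subselect` are illustrative, the access-level order is the standard RACF one, and treating an undefined field as never matching is an assumption of this model.

```python
# Added illustration: a Python model of the Table 1 field rules, not CARLa.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF order, low to high

# ACL rows of the page's sample report, retyped one entry per line:
# User column, Access, ACL id, then optional When class and profile.
SAMPLE = """\
-group- READ   C##ACONF
-group- READ   C##ARACF
-group- READ   SYSBASE
-group- READ   SYSSECUR
C##AINT READ   C##AINT  PROGRAM CNRACF
R##BDAG UPDATE R##BDAG  PROGRAM CNRACF
R##PBRP READ   R##PBRP
R##PROB ALTER  R##PROB
R##PSEC UPDATE R##PSEC
R##PTST READ   R##PTST  PROGRAM CNRACF
"""

def parse_acl(text):
    """Turn report rows into entries holding only the fields Table 1 defines for them."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        user_col, access, acl_id = tokens[:3]
        entry = {"ID": acl_id, "ACCESS": access}   # defined for every entry
        if user_col == "-group-":
            entry["GROUP"] = acl_id                # GROUP exists only for group entries
        else:
            entry["USER"] = user_col               # USER exists only for user entries
        if len(tokens) >= 5:                       # conditional access list entry
            entry["WHENCLASS"], entry["WHENPROF"] = tokens[3], tokens[4]
        entries.append(entry)
    return entries

def subselect(entries, field, value, at_least=False):
    """Keep entries matching field; an undefined field never matches (model assumption)."""
    def hit(entry):
        if field not in entry:
            return False
        if at_least:  # ordered comparison, meaningful for ACCESS
            return LEVELS.index(entry[field]) >= LEVELS.index(value)
        return entry[field] == value
    return [e for e in entries if hit(e)]

if __name__ == "__main__":
    for e in subselect(parse_acl(SAMPLE), "ACCESS", "UPDATE", at_least=True):
        print(e["ID"], e["ACCESS"])
```

Of the ten entries, only the three with UPDATE or ALTER survive the "UPDATE or higher" filter, and a USER test against a group ID such as SYSBASE matches nothing because USER is undefined on group entries.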
The following table lists the fields that can be used with subselect CONNECTS.
Field | Type | Meaning |
---|---|---|
GROUP | string | Group in a connect instance. For a CONNECTS instance that is part of a group profile, this is the profile key; for a CONNECTS instance that is part of a user profile, this is a group the user is connected to, as listed in the "User/Grp" column. |
GRPADSP | flag | Group-ADSP attribute, as listed in the "AG" column. |
GRPAUD | flag | Group-auditor attribute, as listed in the "SOA" column. |
GRPAUTH | connect authority | The connect authority (JOIN, CONNECT, CREATE, USE), as listed in the "Auth" column. |
GRPGRPACC | flag | Group-grpacc attribute, as listed in the "AG" column. |
GRPOPER | flag | Group-operations attribute, as listed in the "SOA" column. |
GRPRESUMEDT | date | Connect-resume date, as listed in the Resumedt column. |
GRPREVOKE | flag | Indicates whether the connect is revoked, using the unload date as a reference. Listed in the 'R' column. |
GRPREVOKEDT | date | Connect-revoke date, as listed in the Revokedt column. |
GRPSPEC | flag | Group-special attribute, as listed in the "SOA" column. |
GRPUACC | access level | Group-UACC, as listed in the "UACC" column. |
USER | string | User in a connect instance. For a CONNECTS instance that is part of a user profile, this is the profile key; for a CONNECTS instance that is part of a group profile, this is one of the users connected to the group, as listed in the "User/Grp" column. |
```
newlist type=racf
select key=ibmuser class=user
sortlist connects

User/Grp Auth R SOA AG Uacc Revokedt Resumedt
OMVGRP USE NONE
SYSCTLG JOIN R READ
SYS1 JOIN S READ
VSAMDSET JOIN READ 01 Jan 1996
```
Table 3 lists the fields that can be used with subselect USR. For more information about the USR field, its use by CKGRACF (only on z/OS), and the possible values of the USR fields referenced in Table 3, see zSecure CARLa SELECT/LIST Fields.
Field | Type | Meaning |
---|---|---|
CKGAUTHOR | char | Requesting user of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise. |
CKGCHGDATE | date | Last change date of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise. |
CKGMULTI | char | Multiple-authority setting, if the USR field is a CKGRACF multiple-authority setting; undefined otherwise. |
CKGREQUEST | date | Request date of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise. |
CKGSCHED, CKGSCHEDULE | char | Schedule name, if the USR field is a CKGRACF scheduled revoke/resume action; undefined otherwise. |
CKGSTATUS | char | Status of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise. |
USRDATA | char | Contents/value of the USR field. |
USRFLG | flag | Flag in the USR field. You can specify either a hexadecimal value or a bit mask. |
USRNM | char | Index of the USR field. |
The following table lists the fields that can be used with subselect CUSTOM_DATA.
Field | Type | Meaning |
---|---|---|
CSKEY | char | Custom field's name. Repeated field that can be found in CSDATA segment of user and group profiles. |
CSTYPE | char | Custom field's type. Repeated field that can be found in CSDATA segment of user and group profiles. |
CSVALUE | char | Custom field's value. Repeated field that can be found in CSDATA segment of user and group profiles. |