Subselect clauses

The subselect clauses described in this topic apply only to RACF systems. A subselect clause can be used to display only some entries from a repeated field. For example, you can use a subselect clause to display only those access list entries with UPDATE access or higher. The subselect clause is most useful when the repeat group has many instances, of which only a few are of interest.

Only the ACL, CONNECTS, CUSTOM_DATA, and USR fields can be used for a subselect clause. Only the subselect USR can be used on a LIST command. All subselect variables can be used on SORTLIST and DISPLAY commands. The EXPLODE, RESOLVE, EFFECTIVE, and TRUST modifiers can be used with the subselect ACL.

A subselect clause is like a SELECT, EXCLUDE, or WHERE clause in that it allows the following selection constructs: string match, pattern match, substring match, flag values, date values, authority level match, and access level match. Most tests can specify a single value or a list of values. However, a subselect clause tests on fields that occur within a single repeat group entry. The entire subselect clause is evaluated against each repeat group entry in isolation, so an AND condition matches only if there is an entry for which both of its parts are true simultaneously. The fields and subfields that can be used in a subselect clause are different from the fields that can be used in a SELECT statement. The subselect fields are described in Table 1.
Note: If a DEFINE SUBSELECT statement also contains a WHERE clause, the WHERE clause follows the normal rules for SELECT statements, not the rules for subselect clauses.

Some ACL and USR subselect clauses can also be used directly on the SELECT and EXCLUDE commands. See SELECT/EXCLUDE ACL(...) and SELECT USR(...).

Table 1 lists the fields that can be used with subselect ACL. The sample output following the table shows the ACL columns referenced in the table.

There are no subselect fields for ACF2.

There are no subselect fields for Top Secret.

Table 1. ACL subselect - available fields
Field Type Meaning
ACCESS access level Access level as shown in the 'Access' column. Defined for all repeat group entries.
GROUP string Group ID on an access list. For a normal (not exploded or resolved) access list, this is the ID as shown in the ACL id column, where the User column displays -group-. This field is not defined for those entries where the ACL ID is a user or is undefined.
ID string ID on an access list. This is the unexploded and unresolved ID, as shown in the ACL id column. This field is defined for all repeat group entries.
USER string User ID on an access list. For an exploded or resolved access list, this is the id as shown in the left column (User). This field is not defined for those entries where the ACL ID is a group or undefined.
WHENCLASS, WHENCLAS string Class name used in a conditional access list. Only exists for those repeat group entries that have a conditional access list. Shown as part of the When column.
WHENPROF, WHENPROFILE string Profile or program name used in a conditional access list. This entry only exists for those repeat group entries that have a conditional access list. Shown as part of the When column.

Because ID acts on the unresolved and unexploded access list, it cannot be used to select on operations access. To view only operations access, including group operations access, specify a subselect on ACCESS=(ALTER-O,ALTER-Q).

The following sample output shows ACL fields and columns:

newlist
 s key=sysappl.cnracf.**
 sortlist key(20) acl(sort)
Profile key          User     Access  ACL id   When
SYSAPPL.CNRACF.**    -group-  READ    C##ACONF
                     -group-  READ    C##ARACF
                     -group-  READ    SYSBASE
                     -group-  READ    SYSSECUR
                     C##AINT  READ    C##AINT  PROGRAM  CNRACF
                     R##BDAG  UPDATE  R##BDAG  PROGRAM  CNRACF
                     R##PBRP  READ    R##PBRP
                     R##PROB  ALTER   R##PROB
                     R##PSEC  UPDATE  R##PSEC
                     R##PTST  READ    R##PTST  PROGRAM  CNRACF
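
The per-entry evaluation rule described earlier, modelled over the ACL rows of this sample output. This is an added Python illustration, not CARLa syntax and not zSecure code; the function names, the RACF access-level ordering list, and the rule that an undefined field never matches are assumptions of the model.

```python
# Added illustration: a Python model of per-entry evaluation, not CARLa
# syntax and not zSecure code. Rows are transcribed from the sample above.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # low to high

SAMPLE = """\
-group-  READ    C##ACONF
-group-  READ    C##ARACF
-group-  READ    SYSBASE
-group-  READ    SYSSECUR
C##AINT  READ    C##AINT  PROGRAM  CNRACF
R##BDAG  UPDATE  R##BDAG  PROGRAM  CNRACF
R##PBRP  READ    R##PBRP
R##PROB  ALTER   R##PROB
R##PSEC  UPDATE  R##PSEC
R##PTST  READ    R##PTST  PROGRAM  CNRACF
"""

def parse_acl(text):
    """Turn the User / Access / ACL id / When columns into one dict per entry."""
    entries = []
    for line in text.splitlines():
        user, access, acl_id, *when = line.split()
        entry = {"ID": acl_id, "ACCESS": access}
        # Table 1: GROUP is defined only for group entries, USER only for users.
        if user == "-group-":
            entry["GROUP"] = acl_id
        else:
            entry["USER"] = user
        if when:  # conditional access list entry
            entry["WHENCLASS"], entry["WHENPROF"] = when
        entries.append(entry)
    return entries

def at_least(level):
    return lambda e: LEVELS.index(e["ACCESS"]) >= LEVELS.index(level)

def field_is(name, value):
    # Assumption of this model: a field that is undefined never matches.
    return lambda e: e.get(name) == value

def subselect(entries, *tests):
    """AND of all tests, evaluated against each entry in isolation."""
    return [e["ID"] for e in entries if all(t(e) for t in tests)]

def profile_level(entries, *tests):
    """Contrast: every test is met by some entry, not necessarily the same one."""
    return all(any(t(e) for e in entries) for t in tests)

ACL = parse_acl(SAMPLE)
```

`subselect(ACL, field_is("ACCESS", "ALTER"), field_is("WHENCLASS", "PROGRAM"))` returns no entries, while `profile_level` with the same two tests is true: R##PROB holds ALTER and a different entry carries the PROGRAM condition, so no single entry satisfies both.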

The following table lists the fields that can be used with subselect CONNECTS.

Table 2. CONNECTS subselect - available fields
Field Type Meaning
GROUP string Group in a connect instance. For a CONNECTS instance that is part of a group profile, this is the profile key; for a CONNECTS instance that is part of a user profile, this is a group the user is connected to, as listed in the "User/Grp" column.
GRPADSP flag Group-ADSP attribute, as listed in the "AG" column.
GRPAUD flag Group-auditor attribute, as listed in the "SOA" column.
GRPAUTH connect authority The connect authority (JOIN, CONNECT, CREATE, USE), as listed in the "Auth" column.
GRPGRPACC flag Group-grpacc attribute, as listed in the "AG" column.
GRPOPER flag Group-operations attribute, as listed in the "SOA" column.
GRPRESUMEDT date Connect-resume date, as listed in the Resumedt column.
GRPREVOKE flag Indicates whether the connect is revoked, using the unload date as a reference. Listed in the 'R' column.
GRPREVOKEDT date Connect-revoke date, as listed in the Revokedt column.
GRPSPEC flag Group-special attribute, as listed in the "SOA" column.
GRPUACC access level Group-UACC, as listed in the "UACC" column.
USER string User in a connect instance. For a CONNECTS instance that is part of a user profile, this is the profile key; for a CONNECTS instance that is part of a group profile, this is one of the users connected to the group, as listed in the "User/Grp" column.

The following sample output shows the CONNECTS field and its columns referenced in Table 2:

newlist type=racf
 select key=ibmuser class=user
 sortlist connects
User/Grp Auth    R SOA AG Uacc    Revokedt    Resumedt

OMVGRP   USE              NONE
SYSCTLG  JOIN    R        READ
SYS1     JOIN      S      READ
VSAMDSET JOIN             READ    01 Jan 1996

Table 3 lists the fields that can be used with subselect USR. For more information about the USR field, its use by CKGRACF (only on z/OS), and the possible values of the USR fields referenced in Table 3, see zSecure CARLa SELECT/LIST Fields.

Table 3. USR subselect - available fields
Field Type Meaning
CKGAUTHOR char Requesting user of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise.
CKGCHGDATE date Last change date of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise.
CKGMULTI char Multiple-authority setting, if the USR field is a CKGRACF multiple-authority setting; undefined otherwise.
CKGREQUEST date Request date of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise.
CKGSCHED, CKGSCHEDULE char Schedule name, if the USR field is a CKGRACF scheduled revoke/resume action; undefined otherwise.
CKGSTATUS char Status of a queued command, if the USR field is a CKGRACF queued command; undefined otherwise.
USRDATA char Contents/value of the USR field.
USRFLG flag Flag in the USR field. You can specify either a hexadecimal value or a bit mask.
USRNM char Index of the USR field.

Table 4. CUSTOM_DATA subselect - available fields
Field Type Meaning
CSKEY char Custom field's name. Repeated field that can be found in CSDATA segment of user and group profiles.
CSTYPE char Custom field's type. Repeated field that can be found in CSDATA segment of user and group profiles.
CSVALUE char Custom field's value. Repeated field that can be found in CSDATA segment of user and group profiles.