Access list display modes - reference material

This section describes more advanced zSecure options that you might want to skip until you have mastered basic operation of IBM® Security zSecure.

When RACF® shows an access list, it only shows the RACF IDs and access levels. Finding out the access each user actually has can be difficult if the user is connected to many groups. IBM Security zSecure can display the access list in the following ways so that you can investigate each user's access: exploded, resolved, effective, and trust. In addition, you can further customize the access lists using the SCOPE and NOSCOPE and the UNIVERSAL and NOUNIVERSAL commands.

The display mode can be changed interactively with the ACL command or specified as an output modifier.

An exploded access list shows every way in which a user has access to a profile. All group access list entries are expanded into entries for each user in the group. If a user is connected to multiple groups on the access list, the userid is shown multiple times. Access due to a GROUP-OPERATIONS or OPERATIONS attribute is shown as well. In addition, administrative access through GROUP-SPECIAL or ownership is shown as OWNER and administrative access through a High-level qualifier is displayed as QUALOWN. You can remove this administrative access information from the view by issuing ACL NOSCOPE. You can also sort the access list to view access by level, group, or userid. An exploded access list is especially helpful if you want to remove a user or group from an access list and you are unsure in how many ways that access is granted.

A resolved access list shows the actual access that a user has to a profile. If a user is on the access list, that entry is displayed. If a user is not on the access list but some of the connect groups for the user are on the access list, the highest access that the user has through any of the connect groups is displayed. Administrative authority can be taken into account by using the scope toggle. In that case, administrative access is considered higher than normal access through the access list.

An effective access list shows the effective access that a user has to a profile. The effective access list is the resolved access list extended with entries for users that are not on the access list, explicitly or through a connect group, but have access due to a GROUP-OPERATIONS or OPERATIONS attribute. These entries show the access level ALTER-O and, as the access list id, the group concerned or - oper -, respectively. Administrative authority can be taken into account by using the scope toggle. In that case, administrative access is considered higher than normal access through the access list.

A trust access list shows the actual access that a user has to a profile, as well as the administrative access. It shows all ways in which the user currently has data access. In addition to this data access, administrative authority through GROUP-SPECIAL or ownership is displayed as OWNER and administrative access through a High-level qualifier is displayed as QUALOWN. The trust access list shows exactly the trust relations that are considered for the TRUSTED report types if the profile protects a sensitive resource.

The effect of the SCOPE and NOSCOPE toggle is visible for all types of access lists except normal access lists. SCOPE shows administrative access through GROUP-SPECIAL or ownership as OWNER and administrative access through a High-level qualifier as QUALOWN; NOSCOPE omits the administrative access. The default is NOSCOPE for the output modifiers EXPLODE, RESOLVE, and EFFECTIVE, as well as for the ISPF ACL commands ACL NORMAL, ACL RESOLVE, and ACL EFFECTIVE. The default is SCOPE for the ISPF ACL commands ACL EXPLODE and ACL TRUST.

The effect of the UNIVERSAL and NOUNIVERSAL toggle is the same for all types of access list. If UNIVERSAL is specified, default connections to universal groups – that is, connections with USE authority and without group SPECIAL, OPERATIONS, or AUDITOR attributes – are taken into account, as well as the access granted by system-wide OPERATIONS, if applicable to the type of access list shown. If NOUNIVERSAL is specified neither default connects to universal groups nor system-wide OPERATIONS users are included in the access list.

The following tables show examples of exploded and resolved access lists. They use five users (USER1, USER2, USER3, USER4, and USER5) and two groups: GROUP12 consists of USER1 and USER2, and GROUP234 consists of USER2, USER3, and USER4. USER4 and USER5 have the system-wide OPERATIONS attribute, and USER1 has administrative authority over the profile, so that USER1 appears as OWNER when SCOPE is active. All the following examples assume that the UNIVERSAL and NOUNIVERSAL toggle is set to UNIVERSAL.

The first table shows the normal access list as displayed after an ACL NORMAL command, which sets the scope attribute to NOSCOPE.

Table 1. Normal Access List
User      Access    Access List id
USER1     READ      USER1
USER2     UPDATE    USER2
USER3     NONE      USER3
-group-   CONTROL   GROUP12
-group-   READ      GROUP234

The following table shows the exploded access list as it would be after an ACL EXPLODE command. An ACL EXPLODE command turns on SCOPE automatically. It shows every way the user might have access. Note that the groups are no longer included in the leftmost column.

Table 2. Exploded Access List (EXPLODE, SCOPE modifiers or ACL EXPLODE)
User      Access    Access List id
USER1     OWNER     USER1
USER1     CONTROL   GROUP12
USER1     READ      USER1
USER2     CONTROL   GROUP12
USER2     UPDATE    USER2
USER2     READ      GROUP234
USER3     READ      GROUP234
USER3     NONE      USER3
USER4     READ      GROUP234
USER4     ALTER-O   - oper -
USER5     ALTER-O   - oper -

The Resolved Access List table shows the access the user actually has when using the RESOLVE modifier or the ISPF command ACL RESOLVE. A user ID on the access list overrides any group access. If several group accesses apply, the highest is used.

Table 3. Resolved Access List (RESOLVE modifier or ACL RESOLVE)
User      Access    Access List id
USER1     READ      USER1
USER2     UPDATE    USER2
USER3     NONE      USER3
USER4     READ      GROUP234

The Effective Access List table is like the Resolved access list with the exception that system-wide OPERATIONS and GROUP-OPERATIONS are taken into account. Note that OPERATIONS does not override an access list entry: USER4 has OPERATIONS but is connected to GROUP234, which is on the access list with READ, so USER4 is shown with READ rather than ALTER-O. USER5, who is on the access list neither directly nor through a connect group, is shown as ALTER-O.

Table 4. Effective Access List (EFFECTIVE modifier or ACL EFFECTIVE)
User      Access    Access List id
USER1     READ      USER1
USER2     UPDATE    USER2
USER3     NONE      USER3
USER4     READ      GROUP234
USER5     ALTER-O   - oper -

Table 5 shows the resolved access list with scope activated, as it would be when changing from explode to resolve. Because administrative access ranks above access through the access list, USER1's READ entry is replaced by OWNER:

Table 5. Resolved Access List with scope (RESOLVE, SCOPE modifiers or ACL RESOLVE SCOPE)
User      Access    Access List id
USER1     OWNER     USER1
USER2     UPDATE    USER2
USER3     NONE      USER3
USER4     READ      GROUP234

Table 6. Effective Access List with scope (EFFECTIVE, SCOPE modifiers or ACL EFFECTIVE SCOPE)
User      Access    Access List id
USER1     OWNER     USER1
USER1     READ      USER1
USER2     UPDATE    USER2
USER3     NONE      USER3
USER4     READ      GROUP234
USER5     ALTER-O   - oper -

Table 7. Exploded Access List without scope (EXPLODE modifier or ACL EXPLODE NOSCOPE)
User      Access    Access List id
USER1     CONTROL   GROUP12
USER1     READ      USER1
USER2     CONTROL   GROUP12
USER2     UPDATE    USER2
USER2     READ      GROUP234
USER3     READ      GROUP234
USER3     NONE      USER3
USER4     READ      GROUP234
USER4     ALTER-O   - oper -
USER5     ALTER-O   - oper -

Table 8. Trust Access List (ACL TRUST)
User      Access    Access List id
USER1     OWNER     USER1
USER1     CONTROL   GROUP12
USER1     READ      USER1
USER2     CONTROL   GROUP12
USER2     UPDATE    USER2
USER2     READ      GROUP234
USER3     READ      GROUP234
USER3     NONE      USER3
USER4     READ      GROUP234
USER5     ALTER-O   - oper -

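The resolution rules behind Tables 2 through 8, as an added example that is not zSecure code and not part of the original page: a small Python model that rebuilds the exploded, resolved, effective, and trust views from the Table 1 access list and the connect groups above. The ranking of access levels, the ownership of the profile by USER1, and the within-user row order (OWNER first, then access-list rows by descending level, then the - oper - row) are assumptions chosen to reproduce the tables; the UNIVERSAL toggle is taken as on, as the tables assume. The access_paths helper shows what EXPLODE is for in practice: every access list id that has to be removed before a user really loses access.

```python
"""Model of the zSecure ACL display modes over the page's sample RACF data.

Constructed example: the access list, connect groups and OPERATIONS users
are taken from Tables 1-8 of this page. The level ranking and the profile
owner (USER1) are assumptions made to reproduce those tables.
"""

# Access levels in ascending order. Administrative levels rank above data
# access because zSecure treats them as "higher" when SCOPE is active.
# Assumed ranking: RACF itself only orders NONE..ALTER.
RANK = {lvl: i for i, lvl in enumerate(
    ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER",
     "ALTER-O", "QUALOWN", "OWNER"])}

# Table 1: the normal access list, as (id, access) pairs.
ACL = [("USER1", "READ"), ("USER2", "UPDATE"), ("USER3", "NONE"),
       ("GROUP12", "CONTROL"), ("GROUP234", "READ")]
# Connect groups from the page's scenario.
GROUPS = {"GROUP12": ["USER1", "USER2"],
          "GROUP234": ["USER2", "USER3", "USER4"]}
# Users with system-wide OPERATIONS (both appear as ALTER-O in Table 2).
OPERATIONS = {"USER4", "USER5"}
# Assumed: USER1 owns the profile, which is why Table 2 shows USER1 OWNER.
OWNER = "USER1"
OPER_MARK = "- oper -"


def is_group(acl_id):
    return acl_id in GROUPS


def connect_groups(user):
    return [g for g, members in GROUPS.items() if user in members]


def all_users():
    users = {i for i, _ in ACL if not is_group(i)} | OPERATIONS | {OWNER}
    for members in GROUPS.values():
        users.update(members)
    return users


def _row_category(row):
    """Within one user the tables list OWNER/QUALOWN first, access-list rows
    next, and the - oper - row last (observed order, not a RACF rule)."""
    if row[1] in ("OWNER", "QUALOWN"):
        return 0
    return 2 if row[2] == OPER_MARK else 1


def sort_by_user(rows):
    """ACL SORT USER: by userid, then by category, then highest level first."""
    return sorted(rows, key=lambda r: (r[0], _row_category(r), -RANK[r[1]]))


def covered_by_acl(user):
    """RACF: an entry for the user or any connect group pre-empts OPERATIONS."""
    ids = {user, *connect_groups(user)}
    return any(i in ids for i, _ in ACL)


def explode(scope=True):
    """ACL EXPLODE: every way a user could get access (Tables 2 and 7)."""
    rows = []
    for acl_id, access in ACL:
        members = GROUPS[acl_id] if is_group(acl_id) else [acl_id]
        rows += [(m, access, acl_id) for m in members]
    rows += [(u, "ALTER-O", OPER_MARK) for u in sorted(OPERATIONS)]
    if scope:
        rows.append((OWNER, "OWNER", OWNER))
    return sort_by_user(rows)


def resolve(scope=False):
    """ACL RESOLVE: the single entry that applies per user (Tables 3 and 5)."""
    rows = []
    for user in all_users():
        if scope and user == OWNER:          # admin authority outranks data access
            rows.append((user, "OWNER", user))
            continue
        explicit = [(user, a, i) for i, a in ACL if i == user]
        if explicit:                         # userid entry beats any group
            rows.append(explicit[0])
            continue
        via_groups = [(user, a, i) for i, a in ACL if i in connect_groups(user)]
        if via_groups:                       # otherwise the highest group access
            rows.append(max(via_groups, key=lambda r: RANK[r[1]]))
    return sort_by_user(rows)


def effective(scope=False):
    """ACL EFFECTIVE: resolved list plus OPERATIONS where it is not
    pre-empted by an access list entry (Tables 4 and 6)."""
    rows = resolve(scope=False)
    rows += [(u, "ALTER-O", OPER_MARK) for u in OPERATIONS if not covered_by_acl(u)]
    if scope:
        rows.append((OWNER, "OWNER", OWNER))  # Table 6 keeps USER1 READ as well
    return sort_by_user(rows)


def trust():
    """ACL TRUST: all current data-access paths plus administrative access (Table 8)."""
    rows = [r for r in explode(scope=False) if r[2] != OPER_MARK]
    rows += [(u, "ALTER-O", OPER_MARK) for u in OPERATIONS if not covered_by_acl(u)]
    rows.append((OWNER, "OWNER", OWNER))
    return sort_by_user(rows)


def access_paths(user, rows):
    """Access list ids behind USER's rows: each one must be changed before
    USER really loses access, which is the clean-up question EXPLODE answers."""
    return sorted({r[2] for r in rows if r[0] == user and r[2] != OPER_MARK})


if __name__ == "__main__":
    for name, rows in [("EXPLODE", explode()), ("RESOLVE", resolve()),
                       ("EFFECTIVE", effective()), ("TRUST", trust())]:
        print(f"--- ACL {name}")
        for user, access, acl_id in rows:
            print(f"{user:<8}{access:<9}{acl_id}")
```

Running the module prints the four views in the same layout as the tables. The point of covered_by_acl is the one most often missed in reviews: OPERATIONS is not a blanket ALTER, and a user whose connect group is on the list with READ (USER4 here) is held to READ, which is exactly why the effective and trust views differ from the exploded view for that user.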
An access list can be sorted in three ways:
  1. by access level (from ALTER to NONE)
  2. by userid
  3. by access list id (that is, the id on the access list, not the resolved or exploded userid).
In the examples, the access list is sorted by user ID. The ACL display format shown is determined by the combination of the sort order and the access list format, which are independent settings.
The default access list layout can be set on the Setup View Panel (Figure 1) and using the SET primary command. On a display like the User or Data set overview display that has an access list or a connect overview, the layout can also be changed using one of the following ACL primary commands.
ACL NORMAL, or ASIS
Shows the actual access list: not exploded, resolved, or effective, and without administrative authorities, regardless of whether you add SCOPE or NOSCOPE to the command.
ACL RESOLVE
Shows a resolved access list. It omits administrative authorities unless you add SCOPE to the command.
ACL EXPLODE
Shows an exploded access list. It adds administrative authorities unless you add NOSCOPE to the command.
ACL EFFECTIVE
Shows an effective access list. It omits administrative authorities unless you add SCOPE to the command.
ACL TRUST
Shows the trust relations of the profile. This command shows all ways in which the user currently has data access as well as administrative access. These access entries are the same as the trust relations that are considered for the TRUSTED report types if the profile protects a sensitive resource.
ACL SCOPE
Activates display of administrative authorities as part of the access list display. This command includes GROUP-SPECIAL authority, and ownership authority through owner and High-level qualifiers. The command is honored only if the access list is not displayed in ACL NORMAL mode.
ACL NOSCOPE
Deactivates display of administrative authorities as part of the access list display.
ACL SORT ID
Sort access list by id
ACL SORT USER
Sort access list by user (with resolve/explode)
ACL SORT ACCESS
Sort access list from OWNER to NONE
ACL UNIVERSAL
Takes system-wide OPERATIONS and users with a default connection to a universal group into consideration when building the access list. It has no effect on the current SCOPE or NOSCOPE and NORMAL, EXPLODE, RESOLVE or EFFECTIVE settings. The command is refused if only a part of the RACF database has been read.
ACL NOUNIVERSAL
This deactivates the UNIVERSAL option. It has no effect on the current SCOPE or NOSCOPE and NORMAL, EXPLODE, RESOLVE or EFFECTIVE settings.

You can use abbreviations for the ACL commands. For example, you can issue the command ACL S AC for ACL SORT ACCESS.

If you want to change an access list by typing over the values in the fields, the access list must be in normal mode (ACL NORMAL, for example). It can be in any sort order.