Access list display modes - reference material
This section describes more advanced zSecure options that you might want to skip until you have mastered basic operation of IBM® Security zSecure.
When RACF® shows an access list, it only shows the RACF IDs and access levels. Finding out the access each user actually has can be difficult if the user is connected to many groups, because group entries hide which users they grant access to. IBM Security zSecure can display the access list in the following ways so you can investigate each user's access: exploded, resolved, effective, and trust. In addition, you can further customize the access lists using the SCOPE and NOSCOPE and the UNIVERSAL and NOUNIVERSAL commands.
The display mode can be changed interactively with the ACL command or specified as an output modifier.
An exploded access list shows every way in which a user has access to a profile. All group access list entries are expanded into entries for each user in the group. If a user is connected to multiple groups on the access list, the userid is shown multiple times. Access due to a GROUP-OPERATIONS or OPERATIONS attribute is shown as well. In addition, administrative access through GROUP-SPECIAL or ownership is shown as OWNER, and administrative access through a high-level qualifier is displayed as QUALOWN. You can remove this administrative access information from the view by issuing a NOSCOPE command. You can also sort the access list to view access by level, group, or userid. An exploded access list is especially helpful if you want to remove a user or group from an access list and you are unsure how many ways that access is granted: removing only the user's own entry leaves any access inherited through groups in place.
A resolved access list shows the actual access that a user has to a profile. If a user is on the access list, that entry is displayed. If a user is not on the access list but some of the connect groups for the user are on the access list, the highest access that the user has through any of the connect groups is displayed. Administrative authority can be taken into account by using the scope toggle. In that case, administrative access is considered higher than normal access through the access list.
An effective access list shows the effective access that a user has to a profile. The effective access list is the resolved access list extended with entries for users that are not on the access list but have access due to a GROUP-OPERATIONS or OPERATIONS attribute. These entries show the access level ALTER-O and, as access list id, the group concerned or - oper -, respectively. Administrative authority can be taken into account by using the scope toggle. In that case, administrative access is considered higher than normal access through the access list.
A trust access list shows the actual access that a user has to a profile, as well as the administrative access. It shows all ways in which the user currently has data access. In addition to this data access, administrative authority through GROUP-SPECIAL or ownership is displayed as OWNER, and administrative access through a high-level qualifier is displayed as QUALOWN. The trust access list shows exactly the trust relations that are considered for the TRUSTED report types if the profile protects a sensitive resource.
The effect of the SCOPE and NOSCOPE toggle is visible for all types of access lists except normal access lists. SCOPE shows administrative access through GROUP-SPECIAL or ownership as OWNER and administrative access through a high-level qualifier as QUALOWN; NOSCOPE eliminates the administrative access. The default effect is NOSCOPE for the output modifiers EXPLODE, RESOLVE, and EFFECTIVE, as well as for the ISPF ACL commands ACL NORMAL, ACL RESOLVE, and ACL EFFECTIVE. The default is SCOPE for the ISPF ACL commands ACL EXPLODE and ACL TRUST.
The effect of the UNIVERSAL and NOUNIVERSAL toggle is the same for all types of access list. If UNIVERSAL is specified, default connections to universal groups, that is, connections with USE authority and without group SPECIAL, OPERATIONS, or AUDITOR attributes, are taken into account, as well as the access granted by system-wide OPERATIONS, if applicable to the type of access list shown. If NOUNIVERSAL is specified, neither default connects to universal groups nor system-wide OPERATIONS users are included in the access list. Because both kinds of access are invisible in the group profile and in the access list itself, a NOUNIVERSAL display can understate who can reach the resource.
The following tables show examples of exploded and resolved access lists. They use five users (USER1, USER2, USER3, USER4, and USER5) and two groups. GROUP12 consists of USER1 and USER2. GROUP234 consists of USER2, USER3, and USER4. USER4 and USER5 have the system-wide OPERATIONS attribute, and USER1 owns the profile.
The following table shows the actual access list. All the following examples assume that the UNIVERSAL and NOUNIVERSAL toggle is set to UNIVERSAL.
The normal access list as displayed after an ACL NORMAL command, which sets the scope attribute to NOSCOPE:
User | Access | Access List id |
---|---|---|
USER1 | READ | USER1 |
USER2 | UPDATE | USER2 |
USER3 | NONE | USER3 |
-group- | CONTROL | GROUP12 |
-group- | READ | GROUP234 |
The following table shows the exploded access list as it would be after an ACL EXPLODE command. An ACL EXPLODE command turns on SCOPE automatically, so the ownership of USER1 appears as OWNER. The list shows every way the user might have access, including the OPERATIONS attribute of USER4 and USER5, whether or not that path is the one RACF actually uses. Note that the groups are no longer included in the leftmost column.
User | Access | Access List id |
---|---|---|
USER1 | OWNER | USER1 |
USER1 | CONTROL | GROUP12 |
USER1 | READ | USER1 |
USER2 | CONTROL | GROUP12 |
USER2 | UPDATE | USER2 |
USER2 | READ | GROUP234 |
USER3 | READ | GROUP234 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
USER4 | ALTER-O | - oper - |
USER5 | ALTER-O | - oper - |
The following table shows the resolved access list, that is, the way each user actually has access, when using the RESOLVE output modifier or the ISPF command ACL RESOLVE. A user ID on the access list overrides any group access. If several group accesses are included, the highest is used.
User | Access | Access List id |
---|---|---|
USER1 | READ | USER1 |
USER2 | UPDATE | USER2 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
The following table shows the effective access list. It is like the resolved access list, except that system-wide OPERATIONS and GROUP-OPERATIONS are taken into account. USER5, who is not on the access list at all, is added with ALTER-O through OPERATIONS. USER4 also has the OPERATIONS attribute but is still shown with READ through GROUP234: RACF does not apply OPERATIONS authority to a user who is on the access list directly or through one of the user's groups, so the access list entry decides.
User | Access | Access List id |
---|---|---|
USER1 | READ | USER1 |
USER2 | UPDATE | USER2 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
USER5 | ALTER-O | - oper - |
Table 5 shows the resolved access list with scope activated, as it would be when changing from explode to resolve. Because administrative access is considered higher than normal access, the OWNER entry of USER1 replaces the READ entry:
User | Access | Access List id |
---|---|---|
USER1 | OWNER | USER1 |
USER2 | UPDATE | USER2 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
The following table shows the trust access list, as it would be after an ACL TRUST command. It lists the access each user actually has and, in addition rather than instead, the administrative access of USER1 as OWNER:
User | Access | Access List id |
---|---|---|
USER1 | OWNER | USER1 |
USER1 | READ | USER1 |
USER2 | UPDATE | USER2 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
USER5 | ALTER-O | - oper - |
The following table shows the exploded access list with scope deactivated, as it would be after an ACL EXPLODE NOSCOPE command or when changing from resolve to explode. It differs from the exploded list above only in the omitted OWNER entry:
User | Access | Access List id |
---|---|---|
USER1 | CONTROL | GROUP12 |
USER1 | READ | USER1 |
USER2 | CONTROL | GROUP12 |
USER2 | UPDATE | USER2 |
USER2 | READ | GROUP234 |
USER3 | READ | GROUP234 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
USER4 | ALTER-O | - oper - |
USER5 | ALTER-O | - oper - |
User | Access | Access List id |
---|---|---|
USER1 | OWNER | USER1 |
USER1 | CONTROL | GROUP12 |
USER1 | READ | USER1 |
USER2 | CONTROL | GROUP12 |
USER2 | UPDATE | USER2 |
USER2 | READ | GROUP234 |
USER3 | READ | GROUP234 |
USER3 | NONE | USER3 |
USER4 | READ | GROUP234 |
USER5 | ALTER-O | - oper - |
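As an added worked example, not zSecure code or zSecure output, the following Python derives the normal, exploded, resolved, effective and trust views from one profile description and reproduces the tables above from the USER1..USER5 example. The Profile class, its field names, and the handling of GROUP-OPERATIONS and GROUP-SPECIAL are this example's own simplifications; the relative rank of ALTER-O is assumed, and QUALOWN is not modeled.

```python
"""Model of the access-list views that zSecure derives from a RACF profile.
Hypothetical example code, not zSecure or RACF code; each displayed row is a
(user, access, access-list id) triple as in the tables above."""
from dataclasses import dataclass, field

# Rank used to pick the "highest" access and for ACL SORT ACCESS.  Placing ALTER-O
# above ALTER and QUALOWN/OWNER on top is this example's assumption.
RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4,
        "ALTER": 5, "ALTER-O": 6, "QUALOWN": 7, "OWNER": 8}
OPER = "- oper -"      # access-list id shown for system-wide OPERATIONS
GROUP_TAG = "-group-"  # user column of a group entry in NORMAL mode

def sort_rows(rows, by="USER"):
    """ACL SORT USER / ACCESS / ID; ACCESS runs from OWNER down to NONE."""
    keys = {"USER": lambda r: (r[0], -RANK[r[1]]),
            "ACCESS": lambda r: (-RANK[r[1]], r[0]),
            "ID": lambda r: (r[2], r[0])}
    return sorted(rows, key=keys[by])

@dataclass
class Profile:
    acl: list      # [(id, access)] exactly as RACF stores it
    owner: str     # owning user or group
    groups: dict   # group -> {user: "normal" | "default"}
    operations: set = field(default_factory=set)          # system-wide OPERATIONS
    group_operations: dict = field(default_factory=dict)  # user -> group
    group_special: dict = field(default_factory=dict)     # user -> group

    def _acl_rows(self, universal):
        """One row per entry, group entries expanded per member.  "default" marks
        a USE connect to a universal group (no group SPECIAL/OPERATIONS/AUDITOR),
        recorded only in the user profile; NOUNIVERSAL leaves those out."""
        rows = []
        for ident, access in self.acl:
            if ident in self.groups:
                rows += [(u, access, ident) for u, kind in self.groups[ident].items()
                         if universal or kind != "default"]
            else:
                rows.append((ident, access, ident))
        return rows

    def _oper_rows(self, universal):
        """ALTER-O rows; NOUNIVERSAL drops system-wide OPERATIONS.  Simplification:
        GROUP-OPERATIONS is taken to apply only to profiles owned by that group."""
        rows = [(u, "ALTER-O", OPER) for u in self.operations] if universal else []
        return rows + [(u, "ALTER-O", g) for u, g in self.group_operations.items()
                       if g == self.owner]

    def _admin_rows(self):
        """What SCOPE adds: ownership by a user, or GROUP-SPECIAL in the owning
        group, shown as OWNER.  QUALOWN (high-level qualifier) is not modeled."""
        rows = [] if self.owner in self.groups else [(self.owner, "OWNER", self.owner)]
        return rows + [(u, "OWNER", g) for u, g in self.group_special.items()
                       if g == self.owner]

    def normal(self):
        """ACL NORMAL: the stored list; SCOPE has no effect here."""
        return [(GROUP_TAG if i in self.groups else i, a, i) for i, a in self.acl]

    def explode(self, scope=True, universal=True):
        """ACL EXPLODE: every way a user can get access; OWNER rows if SCOPE."""
        rows = set(self._acl_rows(universal) + self._oper_rows(universal))
        return sort_rows(rows | set(self._admin_rows() if scope else []))

    def resolve(self, scope=False, universal=True):
        """ACL RESOLVE: a userid entry overrides group entries, else the highest
        group access wins; with SCOPE, OWNER replaces normal access."""
        rows = self._acl_rows(universal)
        best = {u: (u, a, i) for u, a, i in rows if i == u}
        for u, a, i in rows:
            if u not in best or (best[u][2] != u and RANK[a] > RANK[best[u][1]]):
                best[u] = (u, a, i)
        if scope:
            best.update({u: (u, a, i) for u, a, i in self._admin_rows()})
        return sort_rows(best.values())

    def effective(self, scope=False, universal=True):
        """ACL EFFECTIVE: RESOLVE plus ALTER-O for OPERATIONS users not already on
        the list directly or via a group (that entry overrides OPERATIONS in RACF)."""
        rows = self.resolve(scope, universal)
        listed = {r[0] for r in rows}
        return sort_rows(rows + [r for r in self._oper_rows(universal) if r[0] not in listed])

    def trust(self, universal=True):
        """ACL TRUST: actual data access (EFFECTIVE, NOSCOPE) plus OWNER rows."""
        return sort_rows(set(self.effective(False, universal)) | set(self._admin_rows()))

# Constructed sample: the profile behind the tables in the text.  USER4 and USER5
# hold system-wide OPERATIONS; USER1 owns the profile.
EXAMPLE = Profile(
    acl=[("USER1", "READ"), ("USER2", "UPDATE"), ("USER3", "NONE"),
         ("GROUP12", "CONTROL"), ("GROUP234", "READ")],
    owner="USER1",
    groups={"GROUP12": {"USER1": "normal", "USER2": "normal"},
            "GROUP234": {"USER2": "normal", "USER3": "normal", "USER4": "normal"}},
    operations={"USER4", "USER5"},
)
```

EXAMPLE.explode(), EXAMPLE.resolve(), EXAMPLE.effective() and EXAMPLE.trust() return the rows of the exploded, resolved, effective and trust tables above, and EXAMPLE.effective(universal=False) drops USER5 the way NOUNIVERSAL does. The one RACF rule the tables rely on without stating it sits in effective(): OPERATIONS yields ALTER-O only for a user who is not on the access list directly or through a group, which is why USER4 stays at READ while the exploded view still lists the OPERATIONS path.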
The access list can be sorted in three ways:
- by access level (from ALTER to NONE)
- by userid
- by access list id (that is, the id on the access list, not the resolved or exploded userid).
The ACL commands are:
- ACL NORMAL, or ACL ASIS: Shows the actual access list. That is, the list is not exploded, resolved, or effective, and no administrative authorities are shown regardless of whether you add SCOPE or NOSCOPE to the command.
- ACL RESOLVE: Shows a resolved access list. It omits administrative authorities unless you add SCOPE to the command.
- ACL EXPLODE: Shows an exploded access list. It adds administrative authorities unless you add NOSCOPE to the command.
- ACL EFFECTIVE: Shows an effective access list. It omits administrative authorities unless you add SCOPE to the command.
- ACL TRUST: Shows the trust relations of the profile. This command shows all ways in which the user currently has data access as well as administrative access. These access entries are the same as the trust relations that are considered for the TRUSTED report types if the profile protects a sensitive resource.
- ACL SCOPE: Activates display of administrative authorities as part of the access list display. This includes GROUP-SPECIAL authority, and ownership authority through the owner and high-level qualifiers. The command is honored only if the access list is not displayed in ACL NORMAL mode.
- ACL NOSCOPE: Deactivates display of administrative authorities as part of the access list display.
- ACL SORT ID: Sorts the access list by access list id.
- ACL SORT USER: Sorts the access list by user (with resolve/explode).
- ACL SORT ACCESS: Sorts the access list from OWNER to NONE.
- ACL UNIVERSAL: Takes system-wide OPERATIONS and users with a default connection to a universal group into consideration when building the access list. It has no effect on the current SCOPE or NOSCOPE and NORMAL, EXPLODE, RESOLVE, or EFFECTIVE settings. The command is refused if only a part of the RACF database has been read, because default connections to universal groups are recorded only in the user profiles and can therefore be found only in a complete database.
- ACL NOUNIVERSAL: Deactivates the UNIVERSAL option. It has no effect on the current SCOPE or NOSCOPE and NORMAL, EXPLODE, RESOLVE, or EFFECTIVE settings.
You can use abbreviations for the ACL commands. For example, you can issue the command ACL S AC for ACL SORT ACCESS.
If you want to change an access list by typing over the values in the fields, the access list must be in normal mode (ACL NORMAL), because only the normal view shows the entries as RACF stores them. It can be in any sort order.