RLIST (List general resource profile)
Purpose
RACF® uses the class descriptor table to determine if a class is defined to RACF, the syntax of resource names within the class, and whether the class is a resource grouping class.
Profiles are listed in alphabetical order. Generic profiles are listed in the same order as they are searched for a resource match. (This also applies to the names in the global access table.)
- If 70 < yy <= 99, the date is interpreted as 19yy.
- If 00 <= yy <= 70, the date is interpreted as 20yy.
Issuing options
The following table identifies the eligible options for issuing the RLIST command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | No | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To list a data set profile, see LISTDSD (List data set profile).
- To list a user profile, see LISTUSER (List user profile).
- To list a group profile, see LISTGRP (List group profile).
- To obtain a list of general resource profiles, see SEARCH (Search RACF database).
Details listed
This command lists the information in an existing profile for the resource or resource group.
- The resource class.
- The name of the resource.
- One of the following indicators, if applicable, displayed after the resource name:
  - (G) indicates a generic profile.
  - (UNUSABLE) indicates a discrete profile with a profile name containing generic characters that is defined in a general resource class for which SETROPTS GENERIC or GENCMD is enabled. RACF is unable to use this profile for authorization checking. Tip: Use the RDELETE command with the NOGENERIC option to delete this profile.
- The cross-reference class name (that is, the member class name for resource groups or the group name for non-group resources).
- If the resource named in the command (in the resource-name operand) is a resource group, RACF lists member resources.
- The level of the resource.
- The owner of the resource.
- The type of access attempts (as specified by the AUDIT operand on the RDEFINE or RALTER command) that are being logged on the SMF data set.
- The user, if any, to be notified when RACF uses this profile to deny access to the resource.
- The universal access authority for the resource.
- Your highest level of access authority to the resource.
- The installation-defined data (information specified in the DATA operand of the RALTER or RDEFINE commands). If your z/OS® installation is configured to be a multilevel-secure environment, this information is not listed in your output. * SUPPRESSED * appears under the installation data field. Only those with SPECIAL are allowed to list the field.
- The APPLDATA value, if any. If your z/OS installation is configured to be a multilevel-secure environment, this information is not listed in your output. * SUPPRESSED * appears under the installation data field. Only those with SPECIAL are allowed to list the field.
- The domain distinguished name, options and local registry for the EIM segment.
- The type of access attempts (as specified by the GLOBALAUDIT operand on the RALTER command) that RACF logs.
- The status of the WARNING/NOWARNING indicator.
- For resources in the TAPEVOL class:
  - The volumes in a tape volume set,
  - Whether the TAPEVOL profile is automatic or nonautomatic,
  - Whether the volume can hold more than one data set, or
  - Whether the volume contains a TVTOC.
Additional details:
- The security label, the security level and categories.
For additional information, see the AUTHUSER operand.
- For member resources, RACF lists the names of all resource groups of which the resource is a member. For additional information, see the RESGROUP operand.
- The number of times the resource was accessed by all users for each of the following access authorities: ALTER, CONTROL, UPDATE, READ. For additional information, see the STATISTICS operand. This detail is only meaningful when your installation is gathering resource statistics and the class is not RACLISTed. For a generic profile, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE.
- Historical data, such as:
  - Date the resource was defined to RACF,
  - Date the resource was last referenced (this detail is only meaningful when your installation is gathering resource statistics and the class is not RACLISTed; for a generic profile, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE), or
  - Date the resource was last accessed at the update level.
  For additional information, see the HISTORY operand.
- The standard access list, which displays:
  - All users and groups authorized to access the resource,
  - The level of authority for each user and group, or
  - The number of times each user has accessed the resource. (This detail is only meaningful when your installation is gathering resource statistics. This detail is not included in the output for generic profiles.)
  For additional information, see the AUTHUSER operand.
- The conditional access list, which displays the same fields as the standard access list, as well as the following additional fields:
  - The class of the resource, or
  - The entity name of the resource.
  For additional information, see the AUTHUSER operand.
- For a tape volume that contains RACF-protected data sets, the following information about each RACF-protected data set on the volume:
  - The name used to create the data set,
  - The internal RACF name for the data set,
  - The volumes on which the data set resides,
  - The file sequence number for the data set,
  - The date when the data set was created, or
  - Whether the data set profile is discrete or generic.
  For additional information, see the TVTOC operand.
- The contents of segments other than the base segment. (See the segment operands for details about the listed information.)
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.
- You have the SPECIAL attribute.
- The resource profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the OPERATIONS attribute.
- The resource profile is within the scope of a group in which you have the group-OPERATIONS attribute.
- You have the AUDITOR or ROAUDIT attribute.
- The resource profile is within the scope of a group in which you have the group-AUDITOR attribute.
- You are the owner of the resource.
- If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.
- To list the contents of segments other than the base segment, such as the DLFDATA segment, you must have the SPECIAL, AUDITOR, or ROAUDIT attribute, or your installation must permit you to do so through field-level access checking.
- You are on the access list for the resource and you have at least READ authority. (If your level of authority is NONE, the resource is not listed.) If you specify ALL, RACF lists only information pertinent to your user ID.
- Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list and has at least READ authority.
- The universal access authority of the resource is at least READ.
- You have at least read access for the profile name from the GLOBAL ENTRY TABLE (if this table contains an entry for the profile).
Inactive SECLABEL profiles and profiles that contain inactive security labels may not be listed if SETROPTS SECLBYSYSTEM is active because only users with SPECIAL, AUDITOR, or ROAUDIT authority are allowed to view inactive security labels.
You see the type of access attempts, as specified by the GLOBALAUDIT operand, only if you have the AUDITOR attribute, or ROAUDIT attribute, or if the resource profile is within the scope of a group in which you have the group-AUDITOR attribute.
To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
To use the AUTHUSER operand, you must have sufficient authority over the resource; one of the following conditions must be met:
- You have the SPECIAL attribute.
- The resource profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You have the OPERATIONS attribute.
- The resource profile is within the scope of a group in which you have the group-OPERATIONS attribute.
- You are the owner of the resource.
- You have the AUDITOR or ROAUDIT attribute.
- The resource profile is within the scope of a group in which you have the group-AUDITOR attribute.
- You have alter access for the profile name from the GLOBAL ENTRY TABLE (if this table contains an entry for the profile).
- If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.
- For a discrete profile, you are on the access list for the resource and you have ALTER authority. (If you have any other level of authority, you cannot use the operand.)
- For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is in the access list and has ALTER authority.
- For a discrete profile, the universal access authority of the resource is ALTER.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the RLIST command is:
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- class-name
- Specifies the name of the class to which the resource belongs. Valid class names are those specified in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.
This operand is required and must be the first operand following RLIST.
This command is not intended to be used for profiles in the following classes:
  - DCEUUIDS
  - DIGTCERT
  - DIGTNMAP
  - DIGTRING
  - IDIDMAP
  - NDSLINK
  - NOTELINK
  - ROLE
  - UNIXMAP
- (profile-name ...) | *
- (profile-name ...)
- Specifies the name of an existing discrete or generic profile about which information is to be displayed. The RLIST command can be used to display which profile will be used for a specific resource.
The variable profile-name or an asterisk (*) is required and must be the second operand following RLIST. If you specify more than one value for profile-name, the list of names must be enclosed in parentheses.
Mixed-case profile names are accepted and preserved when class-name refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).
If the resource specified is a tape volume serial number that is a member of a tape volume set, information on all the volumes in the set is displayed.
RACF processes each resource you specify independently. If an error occurs while processing a resource, RACF issues a message and continues processing with the next resource.
- *
- Specifies that you want to display information for all resources defined to the specified class for which you have the proper authority.
On a system with many profiles defined, the use of * may result in a large amount of output that may not be useful to the user issuing the command. It may be more appropriate for the user to browse the output of IRRDBU00 (database unload) or to write a program to process the IRRDBU00 output and produce a report showing only the subset of information that is of interest. The processing of RLIST output by programs is neither supported nor recommended by IBM. If you want a listing of all the profiles for use by a program, you should instead have the program process the output from IRRDBU00, RACROUTE REQUEST=EXTRACT, or ICHEINTY.
An asterisk (*) or profile-name is required and must be the second operand following RLIST. RACF processes each resource independently and displays information only for those resources for which you have sufficient authority.
If you have the AUDITOR attribute, the ROAUDIT attribute, or if the resource profile is within the scope of a group in which you have the group-AUDITOR attribute, RACF displays GLOBALAUDIT information for all resources in the class.
- ALL
- Specifies that you want all information for the BASE segment of each resource displayed.
The access list is included only if you have sufficient authority to use the AUTHUSER operand. (See Authorization required.) The type of access attempts (as specified by the GLOBALAUDIT operand) that are being logged on the SMF data set is included only if you have the AUDITOR attribute, the ROAUDIT attribute, or the resource profile is within the scope of a group in which you have the group-AUDITOR attribute.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- RLIST is not eligible for automatic command direction. If you specify the ONLYAT keyword, the effect is the same as if you specified the AT keyword.
- AUTHUSER
- Specifies that you want the following information included in the output:
  - The user categories authorized to access the resource
  - The security level required to access the resource
  - The security label required to access the resource
  - The standard access list. This includes the following:
    - All users and groups authorized to access the resource
    - The level of authority for each user and group
    - The number of times the user has accessed the resource (This detail is only meaningful when your installation is gathering resource statistics and is not included in the output for generic profiles.)
  - The conditional access list. This list consists of the same fields as in the standard access list, as well as the following fields:
    - The class of the resource through which each user and group in the list can access the target resource of the command. For example, if a user can access the target resource through terminal TERM01, then TERMINAL would be the class listed.
    - The entity name of the resource through which each user and group in the list can access the target resource of the command. In the preceding example, TERM01 would be listed.
You must have sufficient authorization to use the AUTHUSER operand. (See Authorization required.)
- CDTINFO
- Specifies that CDTINFO segment information should be listed for profiles in the CDT class.
- CFDEF
- Specifies that CFDEF segment information should be listed for profiles in the CFIELD class. Use this operand to display the custom field names and attributes, such as data type, that your installation has defined.
Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
- CSDATA
- Specifies that you want to list custom field information for this general resource profile. The custom field information in the CSDATA segment for this general resource profile was added using the RDEFINE and RALTER commands.
If you specify CSDATA you must also specify a profile name or *.
Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
- DLFDATA
- Lists the contents of the DLFDATA segment for profiles in the DLFCLASS class.
- EIM
- Specifies that EIM segment information should be listed.
- GENERIC | NOGENERIC
- GENERIC
- Specifies that you want RACF to display information for the generic profile that most closely matches a resource name. If you specify GENERIC, RACF ignores a discrete profile that protects the resource. If an asterisk (*) is specified instead of the profile name, all generic profiles are listed.
- NOGENERIC
- Specifies that you want RACF to display information for the discrete profile that protects a resource. If an asterisk (*) is specified instead of the profile name, all discrete profiles are listed.
If neither GENERIC nor NOGENERIC is specified, RACF lists information for the discrete resource name that matches the resource name you specify. If there is no matching discrete profile, RACF lists the generic profile that most closely matches the resource name. If an asterisk (*) is specified instead of the profile name, all discrete and generic profiles are listed.
The following list shows examples of using the GENERIC and NOGENERIC operands:
- If you enter the following command, RACF lists all discrete and generic profiles in the DASDVOL class.
  RLIST DASDVOL *
- If you enter the following command, RACF lists information for all the generic profiles in the DASDVOL class.
  RLIST DASDVOL * GENERIC
- If you enter the following command, RACF lists all discrete profiles in the JESSPOOL class.
  RLIST JESSPOOL * NOGENERIC
- If you enter the following command, RACF displays the best-fit generic profile that protects the resource ABC.DEF. RACF ignores discrete profile ABC.DEF if it exists.
  RLIST APPCLU ABC.DEF GENERIC
Note: When searching for a generic profile that matches the specified resource, RACF does not examine members that are defined in a grouping class (through the ADDMEM operand of the RDEFINE command). For example, suppose two profiles had been defined by the following RDEFINE commands:
RDEFINE TCICSTRN A*
RDEFINE GCICSTRN xxx ADDMEM(AB*)
The command:
RLIST TCICSTRN ABC
displays profile A* in the TCICSTRN class, but it does not search the GCICSTRN class and therefore does not display any AB* profile of the GCICSTRN class. In addition, the command:
RLIST GCICSTRN ABC
does not find member AB* in the GCICSTRN class because it does not look at the members in a grouping class. If you want to make use of RLIST to find the generic profile that protects a specific resource, and the resource is in a class that has both a grouping class and a member class, you should define the generic profile as a profile in the member class.
To illustrate the preceding RDEFINE example where ADDMEM(AB*) had been specified for a grouping class, the following command:
RDEFINE TCICSTRN AB*
allows the RLIST command to display AB* as the generic member in the TCICSTRN class.
- HISTORY
- Specifies that you want to list the following data:
- The date each profile was defined to RACF
- The date each profile was last referenced (this detail is only meaningful when your installation is gathering resource statistics; for a generic profile and profiles that are RACLISTed, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE)
- The date of last RACROUTE REQUEST=AUTH for UPDATE authority (this detail is only meaningful when your installation is gathering resource statistics; for a generic profile and profiles that are RACLISTed, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE)
- ICSF
- Specifies that ICSF segment information should be listed for profiles in the CSFKEYS, GCSFKEYS, XCSFKEY, or GXCSFKEY class.
- ICTX
- Specifies that ICTX segment information should be listed.
- KERB
- Specifies that you want to list the following z/OS Integrated Security Services Network Authentication Service information:
  - The local kerberos-realm-name (KERBNAME)
  - The encryption value settings (ENCRYPT values or NOENCRYPT)
  - The min-ticket-life value for the local realm (MINTKTLFE)
  - The def-ticket-life value for the local realm (DEFTKTLFE)
  - The max-ticket-life value for the local realm (MAXTKTLFE)
  - The current key version (KEY VERSION)
    Note: If KEY VERSION is not displayed, there is no z/OS Network Authentication Service key associated with this realm definition.
  - Whether the Kerberos server validates addresses in tickets as part of ticket validation processing (CHECKADDRS)
- MFA
- Specifies that MFA segment information should be listed for profiles in the MFADEF class.
- MFPOLICY
- Specifies that MFPOLICY segment information should be listed for profiles in the MFADEF class.
- NORACF
- Specifies that you want to suppress the listing of BASE segment information. If you specify NORACF, you must include either CDTINFO, DLFDATA, EIM, KERB, PROXY, SESSION, SSIGNON, STDATA, SVFMR, TME, or a combination of operands.
If you do not specify NORACF, RACF displays the information in the base segment of a general resource profile.
The information displayed as a result of using the NORACF operand is dependent on other operands used in the command. For example, if you use NORACF with SESSION also specified, only the SESSION information is displayed.
- NOYOURACC
- For grouping and member classes, RLIST must do additional processing to ensure that the "your access" information field is accurate. A SPECIAL user can use the NOYOURACC operand to bypass this processing, for performance reasons. The "your access" field contains n/a in this circumstance.
Note: This operand applies to SPECIAL users only. It has no effect for other users.
- PROXY
- Specifies that PROXY segment information should be listed. The following information will be provided:
  - the URL of the LDAP server to be contacted
  - the BIND distinguished name
  - information regarding the BIND password
The BINDPW password values will not be listed. If a BINDPW password value is defined for a general resource profile, RLIST will display YES for the PROXY segment BINDPW attribute. If no BINDPW password value has been defined, RLIST will display NO for the PROXY segment BINDPW attribute.
- RESGROUP
- Requests a list of all resource groups of which the resource specified by the profile-name operand is a member.
If a profile does not exist for the specified resource, RACF lists the names of all resource groups of which the resource is a member and to which the command user is authorized. To be authorized, the command user must meet one of the authorization requirements listed in Authorization required.
If a profile does exist for the specified resource and the command user has ALTER authority to the resource, RACF lists the names of all groups of which the resource is a member.
If a profile does exist for the specified resource but the command user has less than ALTER authority to the resource, RACF lists the names of all groups of which the resource is a member and to which the command user is authorized. To be authorized to the resource group, the command user must meet one of the authorization requirements listed in Authorization required. However, the command issuer must have the authority to list the resource specified on the command in order to list the member groups. If this requirement is met, then the user must be also authorized to the resource group. Otherwise, an error message is issued.
When profile-name is the name of a protected resource (such as a terminal or DASD volume) and class-name is a member class (such as TERMINAL or DASDVOL), the RESGROUP operand lists the profiles that protect the resource (for example, profiles in the GTERMINL or GDASDVOL class).
If you define a profile and use generic characters such as an asterisk (*) to add members to the profile, RLIST RESGROUP will not return any of the matching profiles in its output because it does not support generic matches. For example, you have:
RDEF GIMS GIMSGRP ADDMEM(ABC*)
and you are looking for a specific member, so you enter:
RLIST TIMS ABCD RESGROUP
The GIMS profile GIMSGRP will not appear in the output.
Note: When considering this example, if you are unable to define the profile ABCD, it might be due to a generic definition somewhere in GIMS.
This operand applies only to member classes for which resource group profiles exist.
- SESSION
- Specifies that the contents of the SESSION segment are to be listed for profiles in the APPCLU class.
- SIGVER
- Specifies that the contents of the SIGVER segment are to be listed for profiles in the PROGRAM class.
- SSIGNON
- Specifies that you want to display the secured signon information.
Note: The secured signon application key value cannot be displayed. However, information is displayed that describes whether the key value is masked or encrypted.
- STATISTICS
- Specifies that you want to list the statistics for each resource. The list contains the number of times the resource was accessed by users with READ, UPDATE, CONTROL, and ALTER authorities. A separate total is given for each authority level.
Note: This detail is only meaningful when your installation is gathering resource statistics. For a generic profile, RACF replaces any statistics line with NOT APPLICABLE FOR GENERIC PROFILE.
- STDATA
- Specifies that you want to list the contents of the STDATA segment for profiles in the STARTED class.
- SVFMR
- Lists the contents of the SVFMR segment for profiles in the SYSMVIEW class.
- TME
- Specifies that information in the Tivoli® Security Management Application is to be listed.
- TVTOC
- Specifies that you want to see information about the data sets defined in the TVTOC of a TAPEVOL profile. The output displays:
  - The name used to create the data set
  - The internal RACF name for the data set
  - The volumes on which the data set resides
  - The file sequence number for the data set
  - The date when the data set was created
  - Whether the data set profile is discrete or generic.
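The profile search described under GENERIC | NOGENERIC (a discrete profile first, then the best-fit generic profile, with grouping-class ADDMEM members never consulted) and the literal member matching described under RESGROUP, as an added toy model in Python. This is not IBM code: the RacfDatabase and Profile classes, the example functions, and the simplified generic-character rules are this illustration's own assumptions.

```python
# Added illustration of how RLIST picks a profile; a toy model, not IBM code.
# Assumptions: only '*' (any run of characters) and '%' (one character) are
# modelled as generic characters, and "most closely matches" is approximated
# by a left-to-right comparison where a plain character beats '%', which beats '*'.
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    generic: bool                                # name contains generic characters
    members: list = field(default_factory=list)  # ADDMEM(...) of a grouping-class profile


def _covers(profile_name: str, resource: str) -> bool:
    """True if a generic profile name matches the resource name."""
    pattern = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                      for c in profile_name)
    return re.fullmatch(pattern, resource) is not None


def _specificity(profile_name: str) -> tuple:
    """Sort key: the lowest tuple is the best-fit (most specific) generic profile."""
    return tuple(0 if c not in "*%" else 1 if c == "%" else 2 for c in profile_name)


class RacfDatabase:
    """Constructed in-memory stand-in for the RACF database."""

    def __init__(self):
        self.classes = {}   # class name -> {profile name: Profile}

    def rdefine(self, class_name, name, members=()):
        """RDEFINE class-name name [ADDMEM(members...)]"""
        generic = any(c in "*%" for c in name)
        self.classes.setdefault(class_name, {})[name] = Profile(name, generic, list(members))

    def rlist(self, class_name, resource, generic=None):
        """Profile name RLIST would display (None if nothing matches).
        generic=None: discrete first, else best-fit generic (the default);
        generic=True: GENERIC, ignore discrete; generic=False: NOGENERIC, discrete only;
        resource='*': every profile of the requested kind, as RLIST class-name *."""
        profiles = self.classes.get(class_name, {})
        if resource == "*":
            return sorted(p.name for p in profiles.values()
                          if generic is None or p.generic == generic)
        discrete = profiles.get(resource)
        if generic is not True and discrete is not None and not discrete.generic:
            return resource
        if generic is False:
            return None
        # Only profiles of the requested class are searched; names added to a
        # grouping-class profile with ADDMEM are never consulted.
        candidates = [p.name for p in profiles.values()
                      if p.generic and _covers(p.name, resource)]
        return min(candidates, key=_specificity, default=None)

    def rlist_resgroup(self, grouping_class, resource):
        """RESGROUP: grouping profiles that list the resource as a member.
        Members are compared literally, so ADDMEM(ABC*) does not cover ABCD."""
        return sorted(name for name, p in self.classes.get(grouping_class, {}).items()
                      if resource in p.members)


def grouping_class_example():
    """The TCICSTRN / GCICSTRN scenario from the GENERIC operand description."""
    db = RacfDatabase()
    db.rdefine("TCICSTRN", "A*")
    db.rdefine("GCICSTRN", "xxx", members=["AB*"])
    before = db.rlist("TCICSTRN", "ABC")      # "A*": GCICSTRN members are not searched
    via_group = db.rlist("GCICSTRN", "ABC")   # None: AB* is a member, not a profile
    db.rdefine("TCICSTRN", "AB*")             # define the generic in the member class
    after = db.rlist("TCICSTRN", "ABC")       # "AB*"
    return before, via_group, after


def resgroup_example():
    """The GIMS / TIMS scenario from the RESGROUP operand description."""
    db = RacfDatabase()
    db.rdefine("GIMS", "GIMSGRP", members=["ABC*"])
    return db.rlist_resgroup("GIMS", "ABCD")  # []: RESGROUP makes no generic match
```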
Examples