Overview of zSecure Access Checks

Within zSecure it is possible to check what access different profiles have to one another.

This can include, but is not limited to, the following: --> Which datasets profiles a userID is permitted to access --> Which groups are on the Access Control List of a datasets profile

These checks can be made from the zSecure RACF options menu, as shown below:

Throughout this tutorial, we will first showcase how to check the access using zSecure, and then underneath will show you the alternative command you can issue, if you lack this ESM.

Navigating to zSecure:

To navigate to this area from the ISPF Primary Option Menu, you must enter the following into your command line (↵ represents pressing the Enter key):

TSO CKR  ↵  RA  ↵

Finding permissions to a dataset profile...

Quick check: A speedy method of checking if your user-ID can access a dataset, assuming you know the exact profile, is to use the command below:

TSO LISTDSD DATASET('profile.example')

Because you haven't used the 'ALL' operand, this command will not show any other access, but will say what level of access you have, from NONE all the way up to ALTER.

1) Enter the RACF Datasets area (RA.D) and search for a given dataset profile; If no results are coming through, we can change the search setting from '1 - EGN Mask' to '3 - Match' and the nearest profile that covers this resource will be shown.

1a) If we don't know what profile covers a given dataset, and what users and/or groups are permitted to access it, we can use the following commands:

[TSO] LISTDSD DATASET('profile.example') GENERIC ALL

This is illustrated below:

1b) We can also run a similar command besides an existing dataset, within the 'Utility - Dataset List' panel, via 3.4 from the ISPF Primary Option Menu.

LD DA(/) GEN

We can also reuse this command by putting '=' besides other datasets.

These commands are illustrated below:

2) In the example below, we have searched for the following: DATASET PROFILE = HLQ.USER.DSETS.*

3) By selecting the dataset profile (S) we can then reach the following screen:

4) As we can see in this image, the dataset profile of HLQ.USER.DSETS.* has three groups connected to it, with varying permit access-levels. These are hierarchical, with the each progressive layer having more access than the last. From most to least: ALTER, CONTROL, UPDATE, READ, EXECUTE NONE

5) Although relevant in this example, we would also see a column for 'When' the access may be allowed, which is a conditional variable that can be set for APPCPORT, CONSOLE, CRITERIA, JESINPUT, PROGRAM, SERVAUTH, SYSID or TERMINAL.

6) If we then PF3 out you can type 'AC' beside the dataset profile and press Enter (↵), we will be able to make an 'Access Check' against a single user-id or group-id.

Type in an ID and zSecure will tell you whether it is permitted to access the dataset profile:

CKG582I  00  <user-id>  has NONE / READ / UPDATE / etc...  access to DATASET profile.example

7) We can also type 'L' beside the dataset profile and press Enter (↵) to effectively run the LISTDSD command, or we can type 'LD' beside it and press Enter (↵) to see exactly which datasets are encompassed by that profile.

Another method to finding out whether a user is permitted to a dataset profile, involves running both of the commands below:

[TSO] LISTUSER user-id

[TSO] LISTDSD DATASET('profile.example') ALL

^ We can then compare results, to see if the user-ID (or any relevant groups that they are connected to) appear on the ACL of the dataset profile.

Additionally, we could run some JCL using the program below:

PGM=IRRUT100