Within zSecure it is possible to check what access different profiles have to one another.
This can include, but is not limited to, the following:
--> Which general resource profiles a userID is permitted to access
--> Which groups are on the Access Control List of a general resource profile
These checks can be made from the zSecure RACF options menu, as shown below:
Throughout this tutorial, we first show how to check the access using zSecure, and then underneath show the alternative command you can issue if zSecure is not available to you.
To navigate to this area from the ISPF Primary Option Menu, you must enter the following into the command line (↵ represents pressing the Enter key):
TSO CKR ↵ RA ↵
Quick check: A speedy method of checking if your user-ID can access a dataset, assuming you know the exact profile, is to use the command below:
[TSO] RLIST CLASS profile.example
Because you haven't used the 'ALL' operand, this command will not show any other access, but will say what level of access you have, from NONE all the way up to ALTER.
1) Enter the RACF Resources area (RA.R) and search for a given resource profile. If no results come through, change the search setting from '1 - EGN Mask' to '3 - Match' and the nearest profile that covers this resource will be shown.
1a) If you don't know which profile covers a given general resource, or which users and/or groups are permitted to access it, you can use the following command:
[TSO] RLIST CLASS profile.example GENERIC ALL
This is illustrated below:
2) In the example below, we have searched for the following: RESOURCE PROFILE = ISFCMD.*
3) By selecting the General Resource profile (S) we can then reach the following screen:
4) As we can see in this image, the general resource profile of ISFCMD.* has three groups connected to it, with varying permit access-levels. These are hierarchical, with each progressive layer having more access than the last. From most to least: ALTER, CONTROL, UPDATE, READ, EXECUTE, NONE
5) Although relevant in this example, we would also see a column for 'When' the access may be allowed, which is a conditional variable that can be set for APPCPORT, CONSOLE, CRITERIA, JESINPUT, PROGRAM, SERVAUTH, SYSID or TERMINAL.
6) If we then PF3 out, we can type 'AC' beside the profile and press Enter (↵) to make an 'Access Check' against a single user-ID or group-ID.
Type in an ID and zSecure will tell us whether it is permitted to access the dataset profile:
CKG582I 00 <id> has NONE / READ / UPDATE / etc... access to CLASS profile.example
CKG582I 00 OTHERGRP has READ access to SDSF ISFCMD.*
7) You can also type 'L' beside the resource profile to effectively run the RLIST command.
Another method of finding out whether a user is permitted to a general resource profile is to run the commands below and see whether the user-ID (or any relevant groups that they are connected to) appears on the ACL of the resource profile:
[TSO] LISTUSER user-id
[TSO] RLIST CLASS profile.example ALL
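The cross-check described above can be scripted once the output of both commands has been saved. The following is an added example, not part of the original tutorial: it reads the connected groups from LISTUSER output and reports which entries on the RLIST access list name the user or one of those groups. The sample output is constructed and abbreviated, its column layout is an assumption, and the IDs JSMITH, DEPTA, SYSPROG and OPERGRP are hypothetical (OTHERGRP with READ follows the message shown earlier).

```python
import re

# Access levels from the tutorial, ordered least to most.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed, abbreviated sample output (not captured from a real system).
LISTUSER_OUT = """\
USER=JSMITH  NAME=J SMITH  OWNER=SYS1  CREATED=20.001
 DEFAULT-GROUP=DEPTA  PASSDATE=24.100  PASS-INTERVAL= 30
  GROUP=DEPTA     AUTH=USE  CONNECT-OWNER=SYS1  CONNECT-DATE=20.001
  GROUP=OTHERGRP  AUTH=USE  CONNECT-OWNER=SYS1  CONNECT-DATE=21.150
"""
RLIST_OUT = """\
CLASS      NAME
-----      ----
SDSF       ISFCMD.* (G)

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
SYSPROG   ALTER    000000
OPERGRP   CONTROL  000000
OTHERGRP  READ     000000

"""

def user_and_groups(listuser_text):
    """Return (user-ID, set of connected groups) from LISTUSER output."""
    user = re.search(r"^USER=(\S+)", listuser_text, re.M).group(1)
    # Require whitespace before GROUP= so DEFAULT-GROUP= is not counted.
    groups = set(re.findall(r"(?:^|\s)GROUP=(\S+)", listuser_text, re.M))
    return user, groups

def access_list(rlist_text):
    """Return {id: access} from the standard access list section."""
    acl, in_acl = {}, False
    for line in rlist_text.splitlines():
        fields = line.split()
        if fields[:2] == ["USER", "ACCESS"]:
            in_acl = True              # header of the access list
        elif in_acl and not fields:
            break                      # blank line ends the section
        elif in_acl and len(fields) >= 2 and fields[1] in LEVELS:
            acl[fields[0]] = fields[1]
    return acl

def acl_matches(listuser_text, rlist_text):
    """ACL entries naming the user or a connected group, highest level first."""
    user, groups = user_and_groups(listuser_text)
    acl = access_list(rlist_text)
    hits = [(i, a) for i, a in acl.items() if i == user or i in groups]
    return sorted(hits, key=lambda h: LEVELS.index(h[1]), reverse=True)

if __name__ == "__main__":
    for ident, level in acl_matches(LISTUSER_OUT, RLIST_OUT):
        print(f"{ident:<8} {level}")
```

An empty result means neither the user-ID nor any of its connected groups appears on the access list of the profile.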