Overview of zSecure Access Checks

Within zSecure it is possible to check what access different profiles have to one another.

This can include, but is not limited to, the following: --> All of the resource profiles that a user-ID has access to

These checks can be made from the zSecure RACF options menu, as shown below:

Navigating to zSecure:

To navigate to this area from the ISPF Primary Option Menu, you must enter the following into your command line (↵ represents pressing the Enter key):

TSO CKR  ↵  RA  ↵

Which resource profiles does a user-ID have access to?

1) Enter the RACF Users area (RA.U) and search for a given user.

2) This may involve searching for a specific userID, or searching for users with the same name / installation data / owner / default group.

3) In the example below, we have searched for USERID = USER

4) By typing 'A' besides the user and pressing Enter (↵) we will reach the following screen:

5) As we can see in the image above, a search will be made for the different types and levels of authorisation that 'USER' has to different resource profiles.

6) Under the "Specify type of authorisation" area, we can use option 1 for direct permits (only showing results where the user-id is on the ACL) or we can use option 2 for 'indirect' permits (where the user-id or the group-id are on the ACL). Generally, it's worth using Option 2 for a broader search.

7) We will then be met with a screen similar to the one shown below:

8) We will see above that this shows the following information: --> The user-id (USER) that the Scope/Permit check was made against --> Exactly how many individual profiles the user-id is permitted to access (1387) --> The highest level of access you have across those profiles (ALTER)

9) The results will then be filtered by class. Similar to Step 8, for each class we will see the following: --> The name of each given class (e.g. SDSF) --> How many profiles within that class the user-id is permitted to access (e.g. 31) --> The highest level of access you have across profiles within that class (e.g. UPDATE)

9) We can 'select' any class (S) to see exactly which profiles within this user-id is on the ACL for. This will then tell us the exact profile and whether the permissions to access this are via a group connection, or via the user-id itself.

10) If we selected the "Show resources covered by profile" field in Step 6, then we will also see every resource (not just the RACF profile) that the user-id is permitted to access, however it will require a CKFREEZE input file.

11) If we then PF3 out to when we typed 'A' during Step 4, but instead type 'AC' beside user-id and press Enter (↵), we will be able to make an 'Access Check' for any specific resource profile against this single user-id. This is illustrated below: