Overview of access-checks for RACF Groups

Within zSecure it is possible to check what access different profiles have to one another.

This can include, but is not limited to, the following: --> Which groups a userID is connected to --> Which userIDs are connected to a group

These checks can be made from the zSecure RACF options menu, as shown below:

Throughout this tutorial, we will first showcase how to check the access using zSecure, and then underneath will show you the alternative command you can issue, if you lack this ESM.

Navigating to zSecure:

To navigate to this area from the ISPF Primary Option Menu, you must enter the following into your command line (↵ represents pressing the Enter key):

TSO CKR  ↵  RA  ↵

Which groups is a specified user connected to?

1) Enter the RACF Users area (RA.U) and search for a given user.

2) This may involve searching for a specific userID, or searching for users with the same name / installation data / owner / default group.

3) In the example below, we have searched for USERID = EXAMPLE

4) By selecting the user (S) we can then reach the following screen:

5) As we can see in this image, the user is connected with USE authority to 5 different groups, with one connection also featuring a Revoke Date attribute.

6) If relevant, we would also see whether the user is currently revoked, whether they are connected with group-attributes including Special, Operations, or Auditor, and whether they have an upcoming Resume Date.

If you then type 'P' next to the group and press Enter, you will be able to immediately view the group profile, and find more information about this (such as who else is connected). Alternatively, you can type 'L' next to the group to list this group, effectively using the LISTGRP command.

Another method to finding out which groups a user is connected to, involves running the command below:

[TSO] LISTUSER user-id

Which userIDs are connected to a specified group?

1) Enter the RACF Groups area (RA.G) and search for a given group.

2) This may involve searching for a specific groupID, or searching for groups with the same owner / subgroup(s) / installation data.

3) In the example below, we have searched for GROUP ID = EXGROUP

4) By selecting the group (S) we can then reach the following screen:

5) As we can see in the image above, the group of EXGROUP has three users connected to it, all with USE authority and one connection with a Revoke Date attribute.

6) If relevant, we would also see whether the user is currently revoked, whether they are connected with group-attributes including Special, Operations, or Auditor, and whether they have an upcoming Resume Date.

If you then type 'P' next to the user/group and press Enter, you will be able to immediately view the group profile, and find more information about this (such as who else is connected). Alternatively, you can type 'L' next to the user to list this group, effectively using the LISTUSER command.

Another method to finding out which groups a user is connected to, involves running the command below:

[TSO] LISTGRP group-id