How do I list the accesses I am allowed?




Post by dja2 » Thu Jul 19, 2012 3:56 pm

Is it possible for users to list the high-level qualifiers they have access to, with the associated permissions?
dja2
 
Posts: 20
Joined: Wed Jul 11, 2012 6:11 pm
Has thanked: 13 times
Been thanked: 0 time

Re: How do I list the accesses I am allowed?

Post by Robert Sample » Thu Jul 19, 2012 5:04 pm

Is your site using RACF? If so, you may -- or may not, depending upon site security limitations -- be able to use the LISTUSER <userid> command in TSO (not TSO / ISPF) to get the requested information. Typically, however, users are assigned to groups and data set access is assigned through groups, so all you could see would be the groups your user id is a member of.

Realistically and practically, the BEST and most well supported method for accomplishing what you asked is to talk to your site security group to get that information. Especially since, if you don't have access to data sets you have a business need to access, they would be the group to provide you that access, anyway.

These users thanked the author Robert Sample for the post:
dja2 (Thu Jul 19, 2012 7:18 pm)
Robert Sample
Global moderator
 
Posts: 3719
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Re: How do I list the accesses I am allowed?

Post by dja2 » Thu Jul 19, 2012 7:19 pm

Thank you for your reply - I will take your advice, and ask the RACF security guys and gals.
dja2
 
Posts: 20
Joined: Wed Jul 11, 2012 6:11 pm
Has thanked: 13 times
Been thanked: 0 time

Re: How do I list the accesses I am allowed?

Post by steve-myers » Sat Jul 21, 2012 6:43 pm

For the general case you have proposed, no. There are several reasons.
  • By "high level qualifiers" I presume you mean dataset names like high-level-qualifier.xxx. While it is true most dataset access is controlled by RACF profiles oriented towards the high level qualifier, not all access is controlled this way. Just knowing you have access to the datasets with a specific high level qualifier does not mean you have access to all the datasets in the high level qualifier.
  • Just exactly what do you mean by "access?" RACF recognizes 5 types of "access" privilege: NONE, READ, UPDATE, CONTROL, and ALTER. Well, of course, NONE implies no access, which is almost certainly not what you're looking for, but the other four imply some kind of "access." Which do you want?
  • There are at least four ways you can get "access."
    • "Universal" access, or UACC, which is used when RACF has no more direct way to determine access.
    • Access by your userid in an access list.
    • Access by your inclusion in a RACF "group" that is specified in an access list.
    • Access by your userid having the OPERATIONS attribute. OPERATIONS is intended for users performing data management functions. OPERATIONS is not all powerful; users with OPERATIONS can be blocked, though this is uncommon.
    The main reason there is no general way to determine access for all possible high level qualifiers is because there are so many ways to get access.
You can check access yourself, at least to a limited degree, by using the RACF LISTDSD command:

LISTDSD DA('high-level-qualifier.*') AUTHUSER

or

LISTDSD DA('high-level-qualifier.**') AUTHUSER

If LISTDSD responds with NOT AUTHORIZED TO LIST xxx you almost certainly do not have any sort of access to the resource group. If the response is many lines of RACF gibberish, you probably have at least READ access to the resource group. Remember that access to a resource group does not mean you have access to all the resources in the group.

These users thanked the author steve-myers for the post:
dja2 (Mon Jul 23, 2012 12:57 pm)
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times
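
The LISTDSD check described in the post above, wrapped in a REXX exec so it can be run over several high-level qualifiers at once. This is an added example, not code from the thread: the exec name CHKHLQ and the sample qualifiers are hypothetical, and it assumes the usual LISTDSD report layout in which a YOUR ACCESS heading is followed by a dashed rule and then the value.

```rexx
/* REXX - added example: probe LISTDSD for a list of high-level      */
/* qualifiers. Run under TSO, for example:                           */
/*   EX 'your.exec.lib(CHKHLQ)' 'PAYROLL SYS1'   (names hypothetical) */
parse upper arg hlqs
if hlqs = '' then do
  say 'Usage: CHKHLQ hlq1 hlq2 ...'
  exit 8
end
do while hlqs <> ''
  parse var hlqs hlq hlqs
  do p = 1 to 2                       /* try both forms from the post */
    profile = hlq || word('.* .**', p)
    call outtrap 'line.'              /* capture the command output   */
    address tso "LISTDSD DA('"profile"') AUTHUSER"
    call outtrap 'OFF'
    say left(profile, 24) classify()
  end
end
exit 0

/* Interpret the trapped LISTDSD output held in the line. stem */
classify: procedure expose line.
  access = ''
  do i = 1 to line.0
    if pos('NOT AUTHORIZED TO LIST', line.i) > 0 then
      return 'not authorized to list: almost certainly no access'
    /* Assumed layout: heading line, dashed rule, then the value */
    if word(line.i, 1) word(line.i, 2) = 'YOUR ACCESS' & i + 2 <= line.0 then do
      k = i + 2
      access = word(line.k, 1)
    end
  end
  if access <> '' then
    return 'profile listed, YOUR ACCESS =' access
  if line.0 > 1 then
    return 'profile listed: probably at least READ'
  return 'no profile listed for this name'
```

The result describes the profile named on the command only; as the post says, access to a resource group does not mean access to every data set in it.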

Re: How do I list the accesses I am allowed?

Post by dja2 » Mon Jul 23, 2012 1:00 pm

Thanks very much for the comprehensive explanation, it has convinced me to ask the RACF group to list any accesses I may have (and then ask them to grant me accesses to those I actually need). Thanks again.
dja2
 
Posts: 20
Joined: Wed Jul 11, 2012 6:11 pm
Has thanked: 13 times
Been thanked: 0 time

