First of all, you should realize that OPERATIONS privilege is not intended for Operators. This privilege gives (you) the ability to delete (and move) data sets and also, due to the hierarchical access levels in RACF, to READ and UPDATE data sets that you have not been given explicit access to. And finally, to modify DISCRETE profiles.
This privilege can often be replaced with STGADMIN permissions, that do not allow reading or updating data sets.
Users with Group Operations can be found using RA.U, selecting the Attributes checkbox. This executes a report similar to
newlist type=racf
select GrpOp
sortlist profile("Userid",8) connects
Showing the data sets a single (or up to 6) user(s) can access is the scope report in RA.3.4. Chose option 3 and on the prompt panel you skip all access reasons except Group operations and Owner. This shows you the access via PERMIT, CONNECT and via Group Operations. And profiles OWNED by the user, which is not what you wanted, but there is a bug in REPORT SCOPE....
Now, can we combine these two reports? Yes. You store the following CARLa in a member of your private CARLa library. Go to CO.1 and make sure your library is in the list of data sets, and selected. Select the library with E and type an R in front of the member.
newlist type=racf nopage dd=ckr2pass
define once(nd) boolean where exists(complex)
define each(nd) count
select GrpOp
summary once,
'SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF SPECIAL AUDIT,',
/ 'GRPAUDIT GRPSPEC PWDCHANGE SELFCON ALTER-M CKGRACMAP,',
/ 'CKGRACDCERT CKGOWNER CREATE)',
/ 'N REQUIRED N=SCOPE0D T=:T1 TYPE=REPORT_SCOPE',
/ ' DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)',
/ ' s class=dataset exists(via:supgroup)',
/ ' x access=(none,execute,read,update,control,alter)',
/ ' x access=(add-s,ad-read,d-read)',
/ ' d key(nondispl) class,',
/ ' proftype(detail) key(both,"Profile name") volser(detail),',
/ ' access_via_when(76),',
/ ' / key(0,d,wrap,firstonly,"Full profile name",header),',
/ ' / access_via_when(d,header,76)',
/ ' summary complex id * class count(8,"Profiles") HIGH_ACCESS'
summary each,
'report scope=' | key(0)
Running the CARLa program generates another CARLa program that looks like this:
SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF SPECIAL AUDIT,
GRPAUDIT GRPSPEC PWDCHANGE SELFCON ALTER-M CKGRACMAP,
CKGRACDCERT CKGOWNER CREATE)
N REQUIRED N=SCOPE0D T=:T1 TYPE=REPORT_SCOPE
DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)
s class=dataset exists(via:supgroup)
x access=(none,execute,read,update,control,alter)
x access=(add-s,ad-read,d-read)
d key(nondispl) class,
proftype(detail) key(both,"Profile name") volser(detail),
access_via_when(76),
/ key(0,d,wrap,firstonly,"Full profile name",header),
/ access_via_when(d,header,76)
summary complex id * class count(8,"Profiles") HIGH_ACCESS
report scope=CRMQAN24
report scope=CRMQA002
report scope=CRMQA1O
report scope=Q303019D
Once you see this program, press F3 and type an R in front of the CKR2PASS dd name. This produces the list of users with group operations, and you can see the individual data set profiles by selecting each user.
#Support#SupportMigration#ZSecurity