The field USERID in RACF DATASET profiles contains the USERID and GROUP names from PERMITs issued for the profile. zSecure adds the ACL compound field to make more sense of the permits. The SUBSELECT ACL function can be used to suppress entries from the report, for example, the NONE and READ permits. ACL(RESOLVE) calculates how connect groups and user specific permits together arrive at the access level a user enjoys.
So, if you want to see the USER IDs that have access, you use
newlist type=racf pl=0 header=csv
define acl_update_users(resolve) subselect acl(access>read user=*)
select c=dataset s=base mask=sys1.** acl(access>read)
sortlist profile('dataset'),
acl_update_users(aclid,'userid'),
acl_update_users(aclaccess,'access'),
acl_update_users:Name,
acl_update_users:dfltgrp('user default group')
You will see the
dataset field filled in only seldomly. That is due to the way
repeated fields in profile reports are printed. The
non-repeated fields are printed once, at the beginning of the data about a profile, all but the first the value of the
repeated fields stand alone on the output line. You can have the
non-repeated fields on all lines by adding RETAIN on the NEWLIST command.
Also, you will see profiles WITHOUT obvious acl information. That could be due to the data set having no permits, or due to no users or groups having UPDATE. You cannot suppress these lines.
Finally, note that your
mask=ASG.OPS.** selects all profiles that match this mask. If you want ONLY one profile that matches this value EXACTLY, use
profile=ASG.OPS.** ------------------------------
Rob van Hoboken
------------------------------