Hi Linnea
Command Verifier was originally designed to prevent administrators from making (dangerous or non-compliant) changes to (selected) profiles. This is reflected by the field names in the policy profiles, that allow/restrict changes
those fields in the target profiles. At the time there was no need to restrict the ability to list information.
Controlled privilege (special and auditor) requires the presence of profiles related to the parameters on the RACF command issued, and authority for the issuer on those profiles. However, there are no policy profiles to prevent issuing LIST commands.
Consequently, permitting a user on the C4R.RLIST.=CTLAUD profile simply allows all RLIST commands, irrespective of class or profile key. Same applies to =CTLSPEC. You may want to raise an RFE to have class specification for LISTxxxx and RLIST in a policy profile added. Or a combination of class and profile (mask).
------------------------------
Rob van Hoboken
------------------------------