If you are using generic profiles (and you are not using
resource group profiles), only the most specific profile is used.
For example,
if the following profiles exist:
**
C*
CE*
CEDA
CEDA is the profile that is used to control access to the CEDA
transaction. If you delete profile CEDA and refresh the in-storage copies,
CE* is used.
Note: This assumes CICS prefixing is not used and generic profile
checking is used. (That is, that the RACF command SETROPTS
GENERIC(class_name) has been issued for the class.)
If resource group profiles have been defined in the relevant class (for
example, profiles in the GCICSTRN class), it is possible that more than one
profile is used in determining a user's access. To determine which profiles
protect the resource, enter the RLIST command with the RESGROUP operand. Be
sure to specify the member class on the RLIST command.
For example:
RLIST TCICSTRN transaction-name RESGROUP
If prefixing
is in effect for this CICS region, include the prefix on the resource name
specified on the RLIST command:
RLIST TCICSTRN prefix.transaction-name RESGROUP
Note that these examples use the member class TCICSTRN, not the resource
group class GCICSTRN.
The AUDITOR attribute enables users to list all profiles that are defined,
but does not authorize them to change those profiles. We recommend you give
AUDITOR access to system programmers who need to see all profiles (for example,
those who are doing problem determination) instead of system-SPECIAL access.
As a result of issuing RLIST with RESGROUP, you might see:
A brief listing of the resource group profile that protects the resource.
See Figure 1.
A slightly longer listing showing the member profile as well as the resource
group profile. See Figure 2.
A “profile not found” message, if no profile is found that protects
the resource. See Figure 3.
A “not authorized” message, if If a profile exists, but you are
not authorized to list the profile. See Figure 4.
Note: When you are using resource group profiles, more than one
profile might be used at the same time. If the resource is protected by more
than one profile, you are strongly urged to delete all other occurrences of
the resource name. Use the DELMEM operand on the RALTER command to remove
the resource name from existing resource group profiles. Use the RDELETE command with care to delete profiles from the member class.
Note: If you get the “profile not found” message, make sure
that generic profile processing is in effect for the specified class. (SETROPTS
LIST will show this.) If, indeed, no profile exists, create a suitable profile
and ensure that the appropriate users and groups have access.
The “not authorized” message identifies the name of the profile
preventing you from having access. You can ask the RACF security administrator
(who has the system-SPECIAL attribute and can therefore list the profile)
to investigate the problem.
Some possible solutions are:
The profile is not needed and can be deleted.
You can be made OWNER of the profile.
A more specific generic profile can be created, and you or your group
can be made OWNER of the new profile.
If the profile is a discrete profile, you can be given ALTER access to
the profile.
You can be assigned the AUDITOR attribute.
For a description of the authority needed to list a general resource profile,
see the description of the RLIST command in the z/OS Security Server RACF Command Language Reference.