Which profile is used to protect the resource?

If you are using generic profiles (and you are not using resource group profiles), only the most specific profile is used.

For example, if the following profiles exist: 
**
C*
CE*
CEDA
CEDA is the profile that is used to control access to the CEDA transaction. If you delete profile CEDA and refresh the in-storage copies, CE* is used.
Note: This assumes CICS prefixing is not used and generic profile checking is used. (That is, that the RACF command SETROPTS GENERIC(class_name) has been issued for the class.)
If resource group profiles have been defined in the relevant class (for example, profiles in the GCICSTRN class), it is possible that more than one profile is used in determining a user's access. To determine which profiles protect the resource, enter the RLIST command with the RESGROUP operand. Be sure to specify the member class on the RLIST command. For example: 
RLIST TCICSTRN transaction-name RESGROUP
If prefixing is in effect for this CICS region, include the prefix on the resource name specified on the RLIST command: 
RLIST TCICSTRN prefix.transaction-name RESGROUP

Note that these examples use the member class TCICSTRN, not the resource group class GCICSTRN.

The AUDITOR attribute enables users to list all profiles that are defined, but does not authorize them to change those profiles. We recommend you give AUDITOR access to system programmers who need to see all profiles (for example, those who are doing problem determination) instead of system-SPECIAL access.

As a result of issuing RLIST with RESGROUP, you might see:
  • A brief listing of the resource group profile that protects the resource. See Figure 1.
  • A slightly longer listing showing the member profile as well as the resource group profile. See Figure 2.
  • A “profile not found” message, if no profile is found that protects the resource. See Figure 3.
  • A “not authorized” message, if If a profile exists, but you are not authorized to list the profile. See Figure 4.
Figure 1. Output of RLIST command with RESGROUP: resource group profile
rlist tcicstrn cemt resgroup
CLASS      NAME
-----      ----
TCICSTRN   CEMT
GROUP CLASS NAME
----- ----- ----
GCICSTRN
RESOURCE GROUPS
-------- ------
CAT2
Figure 2. Output of RLIST command with RESGROUP: several profiles
rlist tcicstrn cemt resgroup
 CLASS      NAME
 -----      ----
 TCICSTRN   CEMT
 GROUP CLASS NAME
 ----- ----- ----
 GCICSTRN
 RESOURCE GROUPS
 -------- ------
 CICSCAT2A
 LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
 -----  --------   ----------------  -----------  -------
  00    PUB01           NONE              ALTER    NO
 INSTALLATION DATA
 -----------------
 NONE
 APPLICATION DATA
 ----------------
 NONE
 AUDITING
 --------
 FAILURES(READ)
 NOTIFY
 ------
 NO USER TO BE NOTIFIED
Note: When you are using resource group profiles, more than one profile might be used at the same time. If the resource is protected by more than one profile, you are strongly urged to delete all other occurrences of the resource name. Use the DELMEM operand on the RALTER command to remove the resource name from existing resource group profiles. Use the RDELETE command with care to delete profiles from the member class.
Figure 3. Output of RLIST command with RESGROUP: profile not found
rlist tcicstrn dfhcicsm.cemt resgroup
 ICH13003I DFHCICSM.CEMT NOT FOUND
Note: If you get the “profile not found” message, make sure that generic profile processing is in effect for the specified class. (SETROPTS LIST will show this.) If, indeed, no profile exists, create a suitable profile and ensure that the appropriate users and groups have access.
Figure 4. Output of RLIST command with RESGROUP: authorization message
rlist tcicstrn dfhcicsm.cemt resgroup
 ICH13002I NOT AUTHORIZED TO LIST DFH*

The “not authorized” message identifies the name of the profile preventing you from having access. You can ask the RACF security administrator (who has the system-SPECIAL attribute and can therefore list the profile) to investigate the problem.

Some possible solutions are:
  • The profile is not needed and can be deleted.
  • You can be made OWNER of the profile.
  • A more specific generic profile can be created, and you or your group can be made OWNER of the new profile.
  • If the profile is a discrete profile, you can be given ALTER access to the profile.
  • You can be assigned the AUDITOR attribute.

For a description of the authority needed to list a general resource profile, see the description of the RLIST command in the z/OS Security Server RACF Command Language Reference.