IBM Health Checker for z/OS User's Guide


Security for printing check output from the message buffer

SC23-6843-02

Users accessing check output from the message buffer must be authorized to the QUERY and MESSAGES service resources through RACF® profiles. The way you define RACF profiles depends on:
  • The way users specify the check name and check owner in the HZSPRINT EXEC PARM= statement.
  • The level of access you wish to give to the user.
Specifying check name and owner in the HZSPRINT EXEC PARM= statement: Depending on what access level they have and what check output they want, users can specify the exact check name and check owner in the EXEC statement to get output from one check or they can use wildcard characters to get output for multiple checks.
The syntax for the HZSPRINT EXEC statement for printing check output from the message buffer is as follows:
//  EXEC PGM=HZSPRNT,PARM='CHECK(check_owner,check_name)'

See What is a check? for how to find the check owner and check name for checks.

The following HZSPRINT EXEC statement examples show different ways users can specify the check name and the check owner to get different output:
  • To get check output for all active checks, use the following EXEC statement:
    //  EXEC PGM=HZSPRNT,PARM='CHECK(*,*)'
  • To get check output for all the checks owned by IBMGRS, use the following EXEC statement:
    //  EXEC PGM=HZSPRNT,PARM='CHECK(IBMGRS,*)'
  • To get check output for just one check, IBMGRS check GRS_Mode, use the following EXEC statement:
    //  EXEC PGM=HZSPRNT,PARM='CHECK(IBMGRS,GRS_Mode)'
  • To get check output for all the checks named TRY_ME by any check owner, use the following EXEC statement:
    //  EXEC PGM=HZSPRNT,PARM='CHECK(*,TRY_ME)'
See Working with check output for complete information about using HZSPRINT.

Determining the access level required for check name and owner specification on the HZSPRINT EXEC statement: The table below shows the access required for different user specifications of the check name and owner in the HZSPRINT EXEC PARM= statement, including the resource name or names that must be defined in the XFACILIT class for that particular specification. You must also RACLIST the XFACILIT class in order for HZSPRINT to work, as shown in the examples below the table.

Where we show two possible resource names you can define for a service resource, the system accepts a match on either.
Table 1. Access required for printing check output from the message buffer using HZSPRINT
Columns: Check specification; Access required for service resource; Resource names

Check specification: CHECK(*,checkname) and CHECK(*,*)
  Access required: QUERY: Read access to all checks
  Resource names:
    • HZS.sysname.QUERY
  Access required: MESSAGES: Read access to individual check
  Resource names:
    • HZS.sysname.check_owner.MESSAGES
    • HZS.sysname.check_owner.check_name.MESSAGES

Check specification: CHECK(checkowner,*)
  Access required: QUERY: Read access to all checks for a specific owner
  Resource names:
    • HZS.sysname.check_owner.QUERY
  Access required: MESSAGES: Read access to individual check
  Resource names:
    • HZS.sysname.check_owner.MESSAGES
    • HZS.sysname.check_owner.check_name.MESSAGES

Check specification: CHECK(checkowner,checkname)
  Access required: QUERY: Read access to individual check
  Resource names:
    • HZS.sysname.check_owner.QUERY
    • HZS.sysname.check_owner.check_name.QUERY
  Access required: MESSAGES: Read access to individual check
  Resource names:
    • HZS.sysname.check_owner.MESSAGES
    • HZS.sysname.check_owner.check_name.MESSAGES

Defining RACF profiles for QUERY and MESSAGES service resources: For each resource name identified in Table 1, issue:
RDEFINE XFACILIT resourcename UACC(NONE) 
PERMIT resourcename CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
Then, issue the following for the XFACILIT class:
SETROPTS CLASSACT(XFACILIT) 
SETROPTS RACLIST(XFACILIT)
If the XFACILIT or FACILITY class is already RACLISTed, the last statement in the example above must instead be:
SETROPTS RACLIST(XFACILIT) REFRESH

Profile definition examples:

The following examples show how to define access profiles for the QUERY and MESSAGES service resources in the XFACILIT class to allow a user ID to access check output in HZSPRINT.

In these examples, hcprintid is the user ID of either a user or group you're giving access to.
  • Access to output from all checks:
    RDEFINE XFACILIT  HZS.sysname.QUERY UACC(NONE)
    PERMIT  HZS.sysname.QUERY CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
    RDEFINE XFACILIT HZS.sysname.check_owner.MESSAGES UACC(NONE)
    PERMIT  HZS.sysname.check_owner.MESSAGES CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
    SETROPTS CLASSACT(XFACILIT)
    SETROPTS RACLIST(XFACILIT)
  • Access to output from a specified check owner:
    RDEFINE XFACILIT HZS.sysname.check_owner.QUERY UACC(NONE)
    PERMIT HZS.sysname.check_owner.QUERY CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
    RDEFINE XFACILIT HZS.sysname.check_owner.check_name.MESSAGES UACC(NONE)
    PERMIT HZS.sysname.check_owner.check_name.MESSAGES CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
    SETROPTS CLASSACT(XFACILIT)
    SETROPTS RACLIST(XFACILIT)
  • Access to output from a particular check:
    RDEFINE XFACILIT HZS.sysname.check_owner.check_name.QUERY UACC(NONE)
    PERMIT  HZS.sysname.check_owner.check_name.QUERY CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
    RDEFINE XFACILIT HZS.sysname.check_owner.check_name.MESSAGES UACC(NONE)
    PERMIT  HZS.sysname.check_owner.check_name.MESSAGES CLASS(XFACILIT) ID(hcprintid) ACCESS(READ)
    SETROPTS CLASSACT(XFACILIT)
    SETROPTS RACLIST(XFACILIT)
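
The Table 1 mapping can be applied mechanically when preparing profiles for a print user. The following is an added example, not part of the IBM documentation: it derives the narrowest resource name of each accepted pair for a given CHECK specification and emits the RDEFINE, PERMIT and SETROPTS commands shown above. The system name SYS1, the user ID HCPRT1, the owner OWNERX and the function names are constructed for illustration.

```python
# Added example: Table 1 mapping from a CHECK(owner,name) specification to
# XFACILIT resource names and the RACF commands shown on this page.
# SYS1, HCPRT1 and the OWNERX check below are constructed sample values.

def parse_check(parm):
    """Split 'CHECK(check_owner,check_name)' into (owner, name)."""
    if not (parm.startswith("CHECK(") and parm.endswith(")")):
        raise ValueError("expected CHECK(check_owner,check_name)")
    owner, sep, name = parm[6:-1].partition(",")
    if not sep or not owner.strip() or not name.strip():
        raise ValueError("both check owner and check name are required")
    return owner.strip(), name.strip()

def query_resources(sysname, owner, name):
    """QUERY resource names Table 1 accepts; a match on any one is enough."""
    if owner == "*":
        return [f"HZS.{sysname}.QUERY"]
    if name == "*":
        return [f"HZS.{sysname}.{owner}.QUERY"]
    return [f"HZS.{sysname}.{owner}.QUERY",
            f"HZS.{sysname}.{owner}.{name}.QUERY"]

def messages_resources(sysname, owner, name):
    """MESSAGES resource names accepted for one concrete check."""
    return [f"HZS.{sysname}.{owner}.MESSAGES",
            f"HZS.{sysname}.{owner}.{name}.MESSAGES"]

def racf_commands(sysname, parm, userid, checks, raclisted=False):
    """Commands granting READ on the narrowest resource name of each pair.

    checks: (owner, name) pairs the job should print; names are substituted
    as given. Only a whole-field '*' is treated as a wildcard (assumption).
    """
    owner, name = parse_check(parm)
    resources = [query_resources(sysname, owner, name)[-1]]
    for c_owner, c_name in checks:
        if owner in ("*", c_owner) and name in ("*", c_name):
            resources.append(messages_resources(sysname, c_owner, c_name)[-1])
    cmds = []
    for res in dict.fromkeys(resources):  # de-duplicate, keep order
        cmds.append(f"RDEFINE XFACILIT {res} UACC(NONE)")
        cmds.append(f"PERMIT {res} CLASS(XFACILIT) ID({userid}) ACCESS(READ)")
    cmds.append("SETROPTS CLASSACT(XFACILIT)")
    cmds.append("SETROPTS RACLIST(XFACILIT)" + (" REFRESH" if raclisted else ""))
    return cmds

if __name__ == "__main__":
    sample = [("IBMGRS", "GRS_Mode"), ("OWNERX", "TRY_ME")]
    print("\n".join(racf_commands("SYS1", "CHECK(IBMGRS,*)", "HCPRT1", sample)))
```

Pass raclisted=True when the XFACILIT class is already RACLISTed so that the final command carries REFRESH.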
For more information, see:





Copyright IBM Corporation 1990, 2014