ACFRPTRX - The Logonid Access Report

The ACFRPTRX report generator produces a Logonid Access Report showing all rule sets that apply to a specific logonid (LID) mask or user identification string mask. For each logonid or UID processed, ACFRPTRX searches the online Rule or Infostorage database and compares the input logonid or UID against the UID of each rule entry. If they match, ACFRPTRX prints the rule key ($KEY) and the entire rule entry. ACFRPTRX also determines if the logonid or UID has authority to change (%CHANGE or %RCHANGE authority) any rule sets and prints this information as part of the report.
Additionally, a message line and an access reason code highlight all accesses permitted because of special CA ACF2 privileges, such as NON-CNCL, READALL, PREFIX, or SECURITY. However, if RULEVLD and RSRCVLD are specified in the user's logonid, accesses that are normally permitted because of the SECURITY privilege or data ownership (as defined in the PREFIX field) require explicit rule authorization. These particular logonids, therefore, do not show up on this report unless explicit rules permitting access are in place.
If a logonid or UID has no access authority or is suspended, ACFRPTRX indicates these conditions with a descriptive message line. For more information, see ACFRPTRX Reason Codes and Messages.
Checking Authorization
ACFRPTRX simulates normal CA ACF2 rule interpretation and checking, but does not attempt to simulate the actions of user validation exits. The user running the report must have the SECURITY, ACCOUNT, or AUDIT attribute to use the online data sets. Additionally, only those logonid records and rule records that the user normally has CA ACF2 access to are processed for that report. Rule and logonid information for rule records or logonid records outside the scope of the requester will never appear on the reports in ACF2 mode.
Running the Report Using the ISPF Panel
You can use the ACFRPTRX ISPF panel to create your input for the report. The following parameters can be found on the ACFRPTRX ISPF panel.
TITLE
Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If this character string is longer than 35 characters, only the first 35 characters are used.
ACF2|NOACF2
ACF2 specifies that ACFRPTRX use the online CA ACF2 clusters. The CA ACF2 system must be active on this CPU for this type of processing.
Important! Running the ACFRPTRX report with ACF2 specified might affect performance. If you run this report against the online databases and you notice performance degradation, do not cancel this job. Serious system errors might result.
NOACF2 specifies that the report is based on alternate databases provided by the RULES, LOGONIDS, or INFOSTG input files. When alternate databases are specified as input, ACFRPTRX does not take scope records into consideration when access authorization checking is performed.
DEFROLE
Specifies that ACFRPTRX uses the active ROLE records defined on the active CA ACF2 system for reports run against the off-line databases. When the alternate databases are specified as input (NOACF2 parameter) and DEFROLE is not specified, ACFRPTRX does not take any ROLE records into consideration when access authorization checking is performed.
For reports run against the online databases (ACF2 parameter), the active CA ACF2 ROLE records are always utilized.
LOGONID MASK
Specifies invalid or logged data set accesses for a particular logonid or group of logonids. The default is all logonids.
NOUIDALL
Indicates that the rule lines specifying a UID(*), USER(-) or ROLE(-) will be suppressed. Use of the NOUIDALL report parameter filters the report output.
UID MASK
ACFRPTRX generates a Logonid Access Report for each UID that matches the mask pattern specified by this parameter. The UID parameter is optional when the LID parameter is specified. If both LID and UID are specified, they are processed using AND logic, which means that only logonids matching both the LID and UID mask patterns are processed. If SYSIDLST is used to supply input parameters, any UID specification is ignored. The default is all users.
TYPE
Specifies a three-character resource type. Only the specified resource type is included in the Logonid Access Report. TYPE is a valid, required parameter only when the RSRC parameter is also specified. The TYPE field cannot be masked when CLASS(D) is specified.
CLASS
Specifies a one-character storage class code of the infostorage records processed. The default is R (for resource rule sets). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). See CA ACF2 Option for DB2 for more information about CA ACF2 for DB2 rule sets.
RMASK
Specifies a mask for rule set keys. Use this parameter to produce a Logonid Access Report for a selected group of rule keys or a single rule key. When processing data set access rules (DSET parameter), RMASK is a data set rule key mask. For generalized resource and CA ACF2 for DB2 processing (RSRC parameter), RMASK is a resource name mask. When RMASK is specified, only those rule sets that match the specified mask are included in the report.
INPUT DATA SET NAME: SYSIDLIST DSN PARAMETER
The SYSIDLIST file is an optional file and might be used to specify a list of LID or UID masks. Operation of ACFRPTRX for a single LID or UID might be specified in the parameter field.
SPECIFY INPUT FOR ACFRPTRX PARAMETER
Specifies how ACFRPTRX is instructed to process data set access rules and generalized resource rules.
Running the Report Using JCL
[ACF2|NOACF2]
ACF2 specifies that ACFRPTRX use the online CA ACF2 clusters. The CA ACF2 system must be active on this CPU for this type of processing.
Important! Running the ACFRPTRX report with ACF2 specified might affect performance. If you run this report against the online databases and you notice performance degradation, do not cancel this job. Serious system errors might result.
NOACF2 specifies that the report is based on alternate databases provided by the RULES, LOGONIDS, or INFOSTG input files. When alternate databases are specified as input, ACFRPTRX does not take scope records into consideration when access authorization checking is performed.
[DSET|RSRC]
DSET specifies that ACFRPTRX processes data set access rules (see also the RMASK parameter below). RSRC specifies that ACFRPTRX processes resource rule sets and CA ACF2 for DB2 rule sets (see the TYPE and RMASK parameters below). For information about CA ACF2 for DB2, see CA ACF2 Option for DB2 Administrating.
[LID(********|logonidmask)]
Generates a Logonid Access Report for each logonid that matches the mask pattern specified by this parameter. The LID parameter is required unless the UID parameter (described below) or the SYSIDLST file is used. If SYSIDLST is used to supply input parameters, any LID specification in the JCL parameter field is ignored. If neither the LID parameter nor the UID parameter is present in the JCL parameter field, ACFRPTRX expects to receive input from the SYSIDLST file.
[RMASK(access-rule-mask|resource-name-mask)]
Specifies a mask for rule set keys. Use this parameter to produce a Logonid Access Report for a selected group of rule keys or a single rule key. When processing data set access rules (DSET parameter), RMASK is a data set rule key mask. For generalized resource and CA ACF2 for DB2 processing (RSRC parameter), RMASK is a resource name mask. When RMASK is specified, only those rule sets that match the specified mask are included in the report.
[CLASS(R|class)]
Specifies a one-character storage class code of the infostorage records processed. The default is R (for resource rule sets). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). See CA ACF2 Option for DB2 Administrating for more information about CA ACF2 for DB2 rule sets.
[TYPE(type)]
Specifies a three-character resource type. Only the specified resource type is included in the Logonid Access Report. TYPE is a valid, required parameter only when the RSRC parameter is also specified. The TYPE field cannot be masked.
[UID(-|uidmask)]
ACFRPTRX generates a Logonid Access Report for each UID that matches the mask pattern specified by this parameter. The UID parameter is optional when the LID parameter is specified. If both LID and UID are specified, they are processed using AND logic, which means that only logonids matching both the LID and UID mask patterns are processed. If SYSIDLST is used to supply input parameters, any UID specification in the JCL parameter field is ignored. The default is all users.
[DEFROLE]
Specifies that ACFRPTRX uses the active ROLE records defined on the active CA ACF2 system for reports run against the off-line databases. When the alternate databases are specified as input (NOACF2 parameter) and DEFROLE is not specified, ACFRPTRX does not take any ROLE records into consideration when access authorization checking is performed.
For reports run against the online databases (ACF2 parameter), the active CA ACF2 ROLE records are always utilized.
[ROLE(single role or role mask)]
Introduced in CA ACF2 V16.0, ACFRPTRX generates an access report for each role that matches the mask pattern specified by this parameter. The role parameter is processed separately from any LID or UID value specified. Multiple role values may be specified in the SYSIDLST file. When a mask is specified, the roles processed are determined by the active Role records. DEFROLE has no impact on role parameter processing. (Optional)
Common Parameters
ACFRPTRX accepts the LINECNT and TITLE common parameters. ACFRPTRX accepts parameters from the JCL parameter field and the SYSIN file in combination.
Input and Output Files
ACFRPTRX accepts input from several sources. Use the standard SYSIN file to process one LID or UID mask pattern. The SYSUT1 and SYSUT2 files define work space for ACFRPTRX processing. For processing multiple LID or UID mask patterns, use the SYSIDLST file. All output from ACFRPTRX is written to the SYSPRINT file.
ACFRPTRX examines the access controls in place during a given time frame. Historical data is specified as input through the LOGONIDS, RULES, and INFOSTG files. To use this facility, the appropriate CA ACF2 databases must be built from SMF backup files or from backup copies of the CA ACF2 databases. The ACFRECVR utility is used to build these databases; see ACFRECVR - The Recovery Utility. Scope records are not taken into consideration when ACFRPTRX processes input data from the LOGONIDS, RULES, or INFOSTG files.
SYSPRINT
Used for message and report output. If you run ACFRPTRX in a time sharing environment and this file is not allocated, the report output is directed to a TSO terminal. We do not recommend executing ACFRPTRX online under TSO, due to the amount of CA ACF2 database checking required.
SYSIN
Specifies input parameter information for ACFRPTRX. ACFRPTRX accepts all parameter input from the SYSIN file, the JCL parameter field, or both. The parameters specified in the SYSIN file supersede those specified in the JCL parameter field.
If ACFRPTRX is run in a TSO environment and the SYSIN file is not allocated to the TSO terminal, ACFRPTRX prompts for input parameter information at the terminal with the string “RX?”.
SYSIDLST
Specifies a list of LID masks or UID masks. Operation of ACFRPTRX for a single LID or UID is specified in the JCL parameter field. The format of the SYSIDLST input statement is:
LID(lidmask) UID(uidmask)
Where:
  • LID(********|logonidmask)
    Specifies a logonid mask. ACFRPTRX generates a Logonid Access Report for each logonid that matches the mask pattern.
  • UID(-|uidmask)
    Specifies a UID string mask. ACFRPTRX generates a Logonid Access Report for each UID that matches the mask pattern.
You must specify a logonid or UID using the LID or UID parameters or using the SYSIDLST file. Otherwise, no listing is produced.
If ACFRPTRX is run in a TSO environment and the SYSIDLST file is not allocated or is allocated to a TSO terminal, ACFRPTRX prompts for input at the terminal with the string “ID?” Do not run ACFRPTRX online for large volume processing.
LOGONIDS
Directs ACFRPTRX to use the current online CA ACF2 databases to make its determinations. Alternately, other prebuilt VSAM clusters are provided to ACFRPTRX for this purpose. The LOGONIDS file should point to an alternate Logonid database. This is valid only when NOACF2 is specified.
RULES
Directs ACFRPTRX to use the RULES file with the LOGONIDS file to have ACFRPTRX operate on historical data. The RULES file is valid only when the DSET and NOACF2 parameters are specified. The RULES file should point to an alternate Rule database.
INFOSTG
Directs ACFRPTRX to use the INFOSTG file with the LOGONIDS file and directs ACFRPTRX to operate on historical data. INFOSTG is valid only when the RSRC and NOACF2 parameters are specified. The INFOSTG file should point to an alternate Infostorage database.
Field Descriptions
Format and Fields
The ACFRPTRX report has three sections: header, user information, and the Logonid Access Report.
Header Information
The header contains a standard CA ACF2 report title line, the execution date and time, the input parameters specified in the JCL parameter field, the number of logonid records selected for processing, and the number of rules selected for processing. The report title is repeated on each page of the report.
CA ACF2 UTILITY LIBRARY - ACFRPTRX - LOGONID ACCESS REPORT - PAGE 1
DATE 02/11/14 (14.042) TIME 09.52
INPUT PARAMETERS: DSET LID(DOCDLW)
LID FILE PROCESSING COMPLETE, RECORDS SELECTED = 00001
RULE FILE PROCESSING COMPLETE, RECORDS SELECTED = 00227
User Information
For each logonid and UID processed ACFRPTRX prints a user information section. A sample user information section is illustrated in the following:
LID: DOCDLW UID: PAY99DOCDL NAME: JOHN DOE ROLES: DOC PAY
Each field is described as follows:
LID
Logonid processed.
UID
User identification string of the logonid processed.
NAME
Value stored in the NAME field of the LID processed. Usually, this is the user's name.
ROLE
Roles and role groups for the logonid processed.
Logonid Access Report Information
The Logonid Access Report is generated for each logonid (LID) and UID processed. This section details all access rules that apply to the LID or UID processed. Additionally, messages are printed at various points in the report. See the next section, ACFRPTRX Reason Codes and Messages, for more information.
A typical entry on the Logonid Access Report is illustrated in the following.
$KEY(DOC)
STORED: 04/20/14-14:28 BY: DOCMGR
$MODE(ABORT)
$PREFIX(DOCDATA)
$USERDATA(PRODFILE)
%CHANGE *****DOCMGR
%RCHANGE *****DOCS
Field Descriptions
A description of each report field follows:
$KEY
The high-level index name of the access rule or the resource name of the rule set. The $KEY line can also contain the following two fields:
  • TYPE-this field appears for resource rule sets and CA ACF2 for DB2 rule sets. It is the three-character type code of the rule set. This field identifies the type of resources that this rule set is protecting.
  • SYSID-this field appears only for CA ACF2 for DB2 rule sets. It identifies the one- to four-character subsystem ID for which the rule set is written.
For information about CA ACF2 for DB2 rule sets, see CA ACF2 Option for DB2 Administrating.
STORED
Date and time the rule was last stored. The format of this field is MM/DD/YY, DD/MM/YY, or YY/MM/DD, depending on CA ACF2 generation options.
BY
Logonid of the user that last stored the rule.
$MODE
This line appears only when a $MODE control statement is stored with the rule set. The $MODE value is also displayed.
$NOSORT
This line appears only when a $NOSORT control statement is stored with the rule set.
$PREFIX
This line appears only when a $PREFIX control statement is stored with the rule set. The $PREFIX value is also displayed.
$USERDATA
The line appears only when a $USERDATA control statement is stored with the rule set. The $USERDATA value is also displayed.
%CHANGE
This line appears only when the logonid or UID processed is permitted to change the rule control statements and rule entries for the rule key ($KEY). Also, see ACFRPTRX Reason Codes and Messages next.
%RCHANGE
This line appears only when the logonid or UID processed is permitted to change the rule entries for the rule key ($KEY). Also, see ACFRPTRX Reason Codes and Messages next.
rule entry
Each rule entry in the rule set that applies to the logonid or UID processed. Possible fields that appear in a data set rule entry are:
dsn VOLUME(volser-mask) UID(uidmask) -
ROLE(role) USER(logonid) SOURCE(sourceid) SHIFT(shift-name) -
LIBRARY(lib-mask) PGM(pgm-mask)|PROGRAM(pgmmask) -
DDNAME(ddname-mask) UNTIL(date)|FOR(days) ACTIVE(date) -
DATA(text) READ(Allow|Log|Prevent) Write(Allow|Log|Prevent) -
Allocate(Allow|Log|Prevent) Execute(Allow|Log|Prevent) -
Nextkey(next-key)
Possible fields that appear in a resource rule entry are:
UID(uid-mask) SOURCE(source-id) SHIFT(shift-name) -
ROLE(role) USER(logonid) SERVICE(Read,Update,Add,Delete) DATA(text) -
UNTIL(date)|FOR(days) ACTIVE(date) VERIFY Allow|Log|Prevent
Possible fields that appear in a CA ACF2 for DB2 rule entry are:
UID(uid-mask) SHIFT(shift-name) UNTIL(date)|FOR(days) ACTIVE(date) -
SERVICE(keyword1,...,keywordn) COLUMN(column1,...,columnn) -
DATA(text) Allow|Log|Prevent
Sample Output
The following provides sample JCL and report output for data set logonid access and resource logonid access.
Data Set Logonid Access
The following JCL produces the sample Data Set Logonid Access Report shown in the next section.
//* THIS JOB PRODUCES A DATA SET LOGONID ACCESS REPORT FOR
//* LOGONID TLC001
//*
//REPORT EXEC PGM=ACFRPTRX,
// PARM='DSET,LID(TLC001)'
//*
//SYSPRINT DD SYSOUT=A
Be sure to run the report with BUFNO=30 (the default is 5). You must do this because if the buffer is not large enough to handle the number of records in the database, it wraps over itself, causing the output to be truncated.
The report shows all data set access rules that apply to the logonid TLC001.
On the sample report, three rule IDs ($KEY) and one message line are displayed. According to the sample report, the logonid TLC001 has access to all data sets stored under the rule ID of TLC001 as the owner (O). Additionally, two rule entries stored under the key of TLCPAY permit TLC001 to access the data set TLCPAY.LIB.TEXT and one rule entry stored under the rule key of TLCADM permits TLC001 to access the data set TLCADM.PAYSLIB.TEXT.
CA ACF2 UTILITY LIBRARY - ACFRPTRX - LOGONID ACCESS REPORT - PAGE 1
DATE 02/11/14 (14.042) TIME 09.53 DSET,LID(TLC001)
INPUT PARAMETERS: DSET LID(TLC001)
LID FILE PROCESSING COMPLETE, RECORDS SELECTED = 00001
RULE FILE PROCESSING COMPLETE, RECORDS SELECTED = 00009
-------------------------------------------------------------------
LID: TLC001 UID: TLC99TLC001 NAME: JOHN DOE
$KEY(TLC001)
**** USER HAS ACCESS TO ALL DATA SETS FOR THIS KEY AS: O
STORED: 08/01/13-09:14 BY: TLC001
AVL0024.TEXT UID(AD******001) READ(A) EXEC(A)
DEESLIB.TEXT UID(AD******001) READ(A) WRITE(A) EXEC(A)
DEESLIB.TEXT UID(AD) READ(A) EXEC(A)
$KEY(TLCPAY)
STORED: 09/06/13-09:09 BY: TLCPAY
LIB.TEXT UID(AD******001) READ(A) WRITE(A) EXEC(A)
LIB.TEXT UID(AD) READ(A) EXEC(A)
$KEY(TLCADM)
STORED: 10/01/13-15:35 BY: TLCADM
PAYSLIB.TEXT UID(AD******001) READ(A) WRITE(A) EXEC(A)
Other Processing Options
You can specify input parameters in a number of ways. For example, the following parameter statement causes ACFRPTRX to produce a Logonid Access Report for all rule entries stored under the SYS1 key that apply to any logonid beginning with TLC:
// PARM='DSET,LID(TLC-),RMASK(SYS1-)'
.
.
.
To process a list of logonids and UIDs, use the SYSIDLST input file. The following example combines SYSIDLST and the JCL parameter field to process three different logonid and UID patterns:
// PARM='DSET'
.
.
.
//SYSIDLST DD *,DCB=BLKSIZE=80
LID(TLCTMS) UID(***1)
LID(TLCTRD) UID(***2)
LID(NPD***) UID(***3)
Resource Logonid Access
The following JCL produces the sample Resource Logonid Access Report shown in the following for the logonid TLC001.
//SAMPLE JOB 1,'ACFRPTRX REPORT',MSGCLASS=A
//*
//* THIS JOB PRODUCES A GENERALIZED RESOURCE LOGONID ACCESS
//* REPORT FOR LOGONID TLC001
//*
//REPORT EXEC PGM=ACFRPTRX,
// PARM='RSRC,LID(TLC001),TYPE(CKC)'
//*
//SYSPRINT DD SYSOUT=A
Be sure to run the report with BUFNO=30 (the default is 5). You must do this because if the buffer is not large enough to handle the number of records in the database, it wraps over itself, causing the output to be truncated.
According to the sample report, the logonid TLC001 has access authority for two TYPE(CKC) resources.
CA ACF2 UTILITY LIBRARY - ACFRPTRX - LOGONID ACCESS REPORT - PAGE 1
DATE 02/11/14 (14.042) TIME 13.34
INPUT PARAMETERS: RSRC LID(TLC001) TYPE(CKC)
LID FILE PROCESSING COMPLETE, RECORDS SELECTED = 00001
RULE FILE PROCESSING COMPLETE, RECORDS SELECTED = 00008
-------------------------------------------------------------------
LID: TLC001 UID: ADM99TLC001 NAME: JOHN DOE
$KEY(ABC*) TYPE(CKC)
STORED: 08/12/13-22:42 BY: CICSADM
UID(AD) ALLOW
$KEY(C1C2C3**) TYPE(CKC)
STORED: 09/13/13-15:28 BY: CICSADM
UID(AD) ALLOW
Data Set Role Access
The report shows all data set access rules that apply to the Role ROL001.
On the sample report, three rule IDs ($KEY) and one message line are displayed. According to the sample report, the role ROL001 has access to all data sets stored under the rule TLCADM. Additionally, two rule entries stored under the key of TLCPAY permit ROL001 to access the data set TLCPAY.LIB.TEXT and one rule entry stored under the rule key of TLCDEB permits ROL001 to access the data set TLCDEB.SLIB.TEXT.
CA ACF2 UTILITY LIBRARY - ACFRPTRX - LOGONID ACCESS REPORT - PAGE 1
DATE 04/23/15 (15.113) TIME 09.53
INPUT PARAMETERS: DSET ROLE(ROL001)
ROLE FILE PROCESSING COMPLETE, RECORDS SELECTED = 00001
RULE FILE PROCESSING COMPLETE, RECORDS SELECTED = 00003
-------------------------------------------------------------------
ROLE: ROLE001
$KEY(TLCADM)
STORED: 08/01/14-09:14 BY: USER01
PROD.FILEX ROLE(ROL001) READ(A) EXEC(A)
TEST.FILEY ROLE(ROL001) READ(A) WRITE(A) EXEC(A)
$KEY(TLCPAY)
STORED: 09/06/14-09:09 BY: USER01
LIB.TEXT ROLE(ROL001) READ(A) WRITE(A) EXEC(A)
LIB.HELP ROLE(GRP002) READ(A) EXEC(A)
$KEY(TLCDEB)
STORED: 10/01/14-15:35 BY: USER01
SLIB.TEXT ROLE(ROL001) READ(A) WRITE(A) EXEC(A)
Reason Codes and Messages
ACFRPTRX prints messages when access to a data set or resource is allowed because of special CA ACF2 access authorization. Each message appears with an access code indicating the reason access is allowed. Messages are also generated if the logonid or UID processed has been suspended, canceled, or cannot access any data sets or resources.
Reason Codes
The access reason codes are explained in the following, followed by a description of each possible message:
NC
Non-cancelable. CA ACF2 cannot cancel this logonid. (This user has the NON-CNCL privilege in his logonid record.)
O
Owner. The user's PREFIX matches the high-level index for the data set in question and RULEVLD is not specified. This code is valid only for data set processing.
RA
Read-only/non-cancelable. This logonid has the READALL privilege and is not cancelable by CA ACF2 as long as the data set is being opened for input (read only). This code is valid only for data set access processing.
SC
Scoped security administrator. The logonid is that of a scoped security administrator. The DSN field of the logonid's scope record matches the high-level index of the data set and RULEVLD is not specified. (This user has SECURITY or SCPLIST in his or her logonid record.)
SE
Security administrator (Unscoped). The logonid is that of an unrestricted security officer who does not have RULEVLD specified. (This user has the SECURITY attribute and no SCPLIST limits in his or her logonid record.)
Messages
ACFRPTRX can issue the following messages:
**** USER HAS ACCESS TO ALL DATA SETS AS: SE, NC
Appears
After the NAME line in DSET mode.
Means
User is an unrestricted security officer, has the NON-CNCL privilege, or both.
**** USER HAS READ ACCESS TO ALL DATA SETS AS: RA
Displays
After the NAME line in DSET mode.
Means
User has the READALL privilege.
**** USER HAS ACCESS TO NO DATA SETS
Displays
After the NAME line in DSET mode.
Means
The user did not match any rules or %CHANGE entries and does not have any special CA ACF2 access authority. This user cannot access any data sets.
**** USER HAS ACCESS TO ALL DATA SETS FOR THIS KEY AS: O, SC
Displays
After display of $KEY for the rule set.
Means
User's PREFIX matched the rule key or the user's scope matched the rule key.
**** USER HAS ACCESS TO ALL RESOURCES AS: SE, NC
Displays
After the NAME line in RSRC mode.
Means
User is either an unrestricted security administrator or has the NON-CNCL attribute.
**** USER HAS ACCESS TO NO RESOURCES
Displays
After the NAME line in RSRC mode.
Means
The user did not match any rules or %CHANGE entries and does not have any special CA ACF2 access authority. This user cannot access any resources.
**** USER HAS ACCESS TO ALL RESOURCES FOR THIS KEY AS: SC
Displays
After display of $KEY for the rule set.
Means
User's scope matched the rule key.
**** USER CAN CHANGE RULE
Displays
After display of a %CHANGE entry.
Means
User's UID matched one or more masks in the %CHANGE entry, which gives the user authority to change the control statements and rule entries in the rule set.
**** USER HAS %CHANGE, BUT ALSO HAS NO-STORE
Displays
After display of a %CHANGE statement.
Means
User's UID matched the change mask, but the user also has the NO-STORE privilege preventing him or her from storing any changes or deleting the access or resource rule set.
**** LID: lid UID: uid * CANCELED
Displays
After LID/UID line for the user being processed.
Means
This LID/UID has been canceled.
**** LID: lid UID: uid * SUSPENDED
Displays
After display of SYSIDLST parameters.
Means
This LID/UID has been suspended.
**** USER CAN CHANGE ANY OF THE RULE ENTRIES
Displays
After display of %RCHANGE control statement.
Means
User's UID matched one or more masks in the %RCHANGE entry, which gives the user authority to change all rule entries in the rule set. However, the user cannot change any of the control statements in the rule set.
Displays
After LID/UID line for the user being processed.
Means
This LID/UID has been suspended.
**** NO LID/UID FOUND TO MATCH SYSIDLST PARMS
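The message lines and reason codes described above make the SYSPRINT output straightforward to post-process for review. The following Python is an added example, not part of the CA ACF2 documentation: it parses a report body and lists privilege-based access, rule-change authority, write access and logonid status per LID. The sample report text is constructed from the layouts shown on this page, and the ALLOC(A) spelling and the function names are assumptions.

```python
import re

# Access reason codes as listed in the Reason Codes section of this page.
REASON = {"NC": "NON-CNCL", "O": "owner via PREFIX", "RA": "READALL",
          "SC": "scoped security admin", "SE": "unscoped security admin"}
CHANGE_MSG = {"**** USER CAN CHANGE RULE": "%CHANGE",
              "**** USER CAN CHANGE ANY OF THE RULE ENTRIES": "%RCHANGE"}
LID_RE = re.compile(r"^LID:\s*(\S+)\s+UID:\s*(\S+)")
KEY_RE = re.compile(r"^\$KEY\(([^)]*)\)")
AS_RE = re.compile(r"^\*{4} USER HAS (?:READ )?ACCESS TO ALL "
                   r"(?:DATA SETS|RESOURCES)( FOR THIS KEY)? AS: (.+)$")
STATUS_RE = re.compile(r"^\*{4} LID: \S+ UID: \S+ \* (CANCELED|SUSPENDED)")
WRITE_RE = re.compile(r"\b(?:WRITE|ALLOC)\(A\)")  # ALLOC(A) spelling is assumed

# Constructed sample report body, modelled on the layouts shown on this page.
SAMPLE_REPORT = """\
LID FILE PROCESSING COMPLETE, RECORDS SELECTED = 00003
LID: TLC001 UID: TLC99TLC001 NAME: JOHN DOE
$KEY(TLC001)
**** USER HAS ACCESS TO ALL DATA SETS FOR THIS KEY AS: O
STORED: 08/01/13-09:14 BY: TLC001
$KEY(TLCPAY)
STORED: 09/06/13-09:09 BY: TLCPAY
%CHANGE TLC99TLC001
**** USER CAN CHANGE RULE
LIB.TEXT UID(TLC) READ(A) WRITE(A) EXEC(A)
LID: TLC002 UID: TLC99TLC002 NAME: JANE ROE
**** USER HAS ACCESS TO ALL DATA SETS AS: SE, NC
LID: TLC003 UID: TLC99TLC003 NAME: RICHARD ROE
**** LID: TLC003 UID: TLC99TLC003 * SUSPENDED
**** USER HAS ACCESS TO NO DATA SETS
"""

def parse_report(text):
    """Return one dict per LID section of an ACFRPTRX report body."""
    users, user, key = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := LID_RE.match(line):
            user = {"lid": m[1], "uid": m[2], "status": "ACTIVE",
                    "codes": [], "keys": {}}
            users.append(user)
            key = None
        elif user is None or not line:
            continue  # header text before the first LID section
        elif m := KEY_RE.match(line):
            key = user["keys"].setdefault(
                m[1], {"codes": [], "change": None, "writes": []})
        elif m := AS_RE.match(line):
            # "FOR THIS KEY" applies to the current rule set, else to the LID.
            target = key if m[1] and key is not None else user
            target["codes"] += [c.strip() for c in m[2].split(",")]
        elif m := STATUS_RE.match(line):
            user["status"] = m[1]
        elif key is not None:
            if line in CHANGE_MSG:
                key["change"] = CHANGE_MSG[line]
            elif "NO-STORE" in line:
                key["change"] = None  # NO-STORE blocks storing changes
            elif line[0] not in "*$%" and WRITE_RE.search(line):
                key["writes"].append(line.split()[0])
    return users

def findings(users):
    """List (lid, kind, detail) tuples a reviewer would check first."""
    out = []
    for u in users:
        out += [(u["lid"], "privilege", f"{c}: {REASON.get(c, '?')}")
                for c in u["codes"]]
        for name, k in u["keys"].items():
            out += [(u["lid"], "key-privilege", f"{name} as {c}")
                    for c in k["codes"]]
            if k["change"]:
                out.append((u["lid"], "rule-admin", f"{name} {k['change']}"))
            # Rule entries are relative to the rule key (high-level index).
            out += [(u["lid"], "write", f"{name}.{d}") for d in k["writes"]]
        if u["status"] != "ACTIVE":
            out.append((u["lid"], "status", u["status"]))
    return out
```

Because ACFRPTRX does not simulate user validation exits, and ignores scope records in NOACF2 mode, results derived this way describe rule content rather than the final access decision.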