WHOHAS Function—Display ACID's Resource Access

Command Functions › WHOHAS Function—Display ACID's Resource Access

WHOHAS Function—Display ACID's Resource Access

Valid on z/OS, z/VSE, and z/VM.

Use the WHOHAS command function to display:

All ACIDs, within the administrator's scope, that have access (using the ADDTO or PERMIT function) to a specified resource.
All ACIDs, within the administrator's scope, that have access (using the ADDTO function) to a specified facility, field, or attribute.

Only one resource keyword and prefix may be specified per command. Attributes and non‑resource fields, however, may be specified on a command. If several attributes, fields, or facilities are specified, all attributes, fields, or facilities must be simultaneously present.

The administrators must have:

RESOURCE(INFO) authority, via the ADMIN function, to obtain access information for resources or job ACIDs owned within their scope
FACILITY(facname) or FACILITY(ALL) authority, via the ADMIN function, to obtain access information for FACILITY for ACIDs within their scope
MISC9(MODE) authority, via the ADMIN function, to obtain access information for MODES for ACIDs within their scope
ACID(INFO) authority, via the ADMIN function, to obtain access information for job submission ACIDs to another ACID with their scope

Note: If mixed case is used for an FDT field or the HFSSEC resource class, when issuing a TSS WHOHAS for the FDT field or HFSSEC resource class, the case on the WHOHAS command must match the case in the FDT data or HFSSEC resource name on the acid in order for that data to be displayed.

This command function has the following format:

TSS WHOHAS keyword(value|*) [DATA(MASK|NOPREFIX|LITERAL)]

For queries on:

A resource class, use the RDT RESCLASS
A field in the FDT, use the FDTNAME.
An CA Top Secret attribute, use the attribute name
An CA Top Secret facility, use the keyword FACILITY

Enter the specific resource prefix, field value, attribute value (if applicable) or facility name for which access information is required or enter the data that must be contained in that field.

Optionally, limit the type of matching used for resource queries (LITERAL, MASK, NOPREFIX).

To display all permitted access to a maskable resource type, enter an asterisk (*) with DATA(MASK).

WHOHAS Applicable Keywords

This command function uses:

All resources defined in the RDT. Additional resource keywords may be used by an installation that has defined new resource classes in the RDT record.
Attributes and keyword(value) applicable keywords.
Any field name defined to the FDT, both user‑defined and predefined.
The attributes that appear in the following lists.

List the FDT, to obtain FDT field names.

Use the following attributes, which take no value, with the TSS WHOHAS command:

ASUSPEND	MRO	NOOMVSDF	NOVOLCHK
AUDIT	MULTIPW	NOPWCHG	RSTDACC
CONSOLE	NOADSP	NORESCHK	SUSPEND
DUFUPD	NOATS	NOSUBCHK	TRACE
DUFXTR	NODSNCHK	NOSUSPEND	TSOMPW
GAP	NOLCFCHK	NOVMDCHK

You must specify the following attributes with a value with the TSS WHOHAS command:

FACILITY (If specified with another field/attribute)	SMSAPPL	TSOLACCT	WAADDR1
FACILITY (If specified with another field/attribute)	SMSDATA	TSOLPROC	WAADDR2
LANGUAGE	SMSMGMT	TSOLSIZE	WAADDR3
LTIME	SMSSTOR	TSOMCLASS	WAADDR4
OPCLASS	SNAME	TSOMSIZE	WABLDG
OPIDENT	SOURCE	TSOSCLASS	WADEPT
OPPRTY	TSOCOMMAND	TSOUDATA	WANAME
PHYSKEY	TSODEFPRFG	TSOUNIT	WAROOM
SCTYKEY	TSODEST	TZONE
SITRAN	TSOHCLASS	UNAME
	TSOJCLASS	WAACCNT

Resource Access Information

Resource access information can be obtained by specifying a prefix, fully qualified name (within quotes), or a pattern containing masking characters. Not all resources support masking characters.

The amount of information displayed by the WHOHAS function can be voluminous depending upon the number of PERMITs defined. The DATA(option) keyword can be used to limit the display.

If you issue the WHOHAS command for DSNAME(SYS), it will return the OWNER for SYS1, then all of the authorizations under the owner. Next, you will get the owner for SYS2 and all of those authorizations until the list is complete.

Facility, Attribute, and Data Field Access Information

Facility access information can be obtained by specifying a fully qualified facility name; no prefix or masking is supported. Attribute information can be obtained by entering one or more attribute names. Data field information can be obtained by specifying the full data name.

Because facility information is not maintained as a resource, the amount of work required to obtain this information is dependent on the scope of the administrator requesting it. For a ZCA or lower, it is reasonably quick; however, for an SCA or an LSCA, it can require much longer to complete. Consider using batch processing to execute this command as an SCA. The amount of time required is greater than the time required to execute the TSS LIST(ACIDS) DATA(BASIC) command.

Examples: the WHOHAS function

This example lists all ACIDs that have the facility CICSPROD:

TSS WHOHAS FACILITY(CICSPROD)

This example lists all ACIDs that have the NODSNCHK attribute and simultaneously have the TSO procedure PROC999 as their default logon procedure:

TSS WHOHAS NODSNCHK
           TSOLPROC(PROC999)

This example displays all permitted access to the resource type dataset:

TSS WHOHAS DSN(*) DATA(MASK)

Administrative Authority Information

To obtain administrative authority information use the AUTHADM keyword and specify any of the administrative authorities that are specified with the TSS ADMIN command.

Because facility, field and attribute information is not maintained in the SECFILE ACID Index, a sequential search within the administrator's scope completes the query. For a user with a small number of ACIDs in their scope, it is reasonably quick; however, for an SCA or an LSCA, it can require much longer to complete. Therefore, you might consider using batch processing to execute this command as an SCA. The amount of time required is similar to the time required to execute the TSS LIST(ACIDS) DATA(BASIC) command.

Example: WHOHAS function

To display permitted accesses to resources, the administrator enters a TSS WHOHAS command. This command displays the owner of the resource, ACIDs who are authorized access to the resource, and administrator ACIDs who are permitted administrative authority over the resource.

To determine who has access information for data sets prefixed with SFT.CICS., enter:

TSS WHOHAS DSNAME(SFT.CICS)

CA Top Secret displays the ACIDs and the access information shown below.

RESOURCE      =  SFT.CICS.                  OWNER(SFTDEPT)
  XAUTH     =  SFT.CICS.              ACID(SFTUSR1)
    ACCESS  =  UPDATE
  XAUTH     =  SFT.CICS.LOAD          ACID(SFTUSR2)
    ACCESS  =  UPDATE,CONTROL
  XAUTH     =  SFT.                   ACID(SFTMNGR)
    ACCESS  =  READ
  ADMIN     =  SFT.                   ACID(SFTDCA)
    ACCESS  =  ALL
  XAUTH     =  SFT.*.TEST             ACID(SFTMNGR)
    ACCESS  =  UPDATE,CONTROL

The figure above shows the resource owner (SFTDEPT), all matching access PERMITS (XAUTH), as well as administrator ACIDs to which the resource was permitted with the ACTION(ADMIN) keyword.