VM:Secure provides three commands to query the rules structure you have built: CAN, QRULES, and RULEMAP.
The CAN and QRULES commands are provided to respond to the question, "Can USERx access resource Y?" CAN is designed for programmatic use; it displays a return code indicating whether the user can access the resource. QRULES responds to this query by displaying the rule governing the access request.
The RULEMAP command lists rules that apply to a named user or security group. Use RULEMAP to answer the question, "Which rules specifically reference USERx?"
You will find these commands documented in the VM:Secure Reference guide on Broadcom's Tech Docs Platform found at:
https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-with-security/3-2/reference.html