A report of both  users and their roles/group of roles is desired, but did not appear to be possible, regardless of settings of XRLFUNC and XRLFLAG parameters.   

Release : 16.0

Component : CA ACF2 for z/OS 

There is no way to specify the highest level role and get all roles and users returned.

The input parameters are either return roles or return users... not both.

This code was run to obtain the results:

MVC  XRLEYE,=CL4'XRBS' SET EYECATCHER

MVI  XRLVER,XRLVCUR    SET PLIST VERSION

MVI  XRLFUNC,XRLRETG   SET FUNCTION CODE

LA   R15,XRLLN         GET LENGTH OF CB

ST   R15,XRLLEN        SAVE LENGTH OF CB IN CB

LA   R15,ROLENAME      POINT AT USERID

ST   R15,XRLSRCID      SAVE LID ADDRESS

OI   XRLFLAG,XRLINGRP  INPUT IS GROUP

LA   R1,XROLE          POINT AT PLIST

CALL ACF00RBS          CALL RBS BUILD ROUTINE

With these role records...

INSERT CHILD INCLUDE(TIM)

INSERT FATHER INCLUDE(CHILD) GROUP

INSERT MOTHER INCLUDE(CHILD) GROUP

INSERT MGRANDMA INCLUDE(MOTHER) GROUP

INSERT MGRANDPA INCLUDE(MOTHER) GROUP

INSERT PGRANDMA INCLUDE(FATHER) GROUP

INSERT PGRANDPA INCLUDE(FATHER) GROUP

INSERT PGR8GNMA INCLUDE(PGRANDPA) GROUP

INSERT PGR8GNPA INCLUDE(PGRANDMA) GROUP

INSERT MGR8GNMA INCLUDE(MGRANDMA) GROUP

INSERT MGR8GNPA INCLUDE(MGRANDPA) GROUP

Query tests: 

rolename = CHILD  

parms:   XRLFLAG = XRLINGRP;  XRLFUNC = XRLRETG

result: all the role names are returned.

rolename = TIM  

XRLFUNC,XRLRETG returns CHILD

there is no way to specify the highest level role and get all roles and users returned.

the input parameters are either return roles or return users... not both.