How to report what access an ACF2 ROLE gives

Article ID: 248752

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

Are there any good reports in ACF2 for getting ROLE information?

The ROLE XXXXXXX command can be used to get a list of roles a user is assigned to, but that is a 1 for 1.

Also, this doesn't say what the roles were granting the user access to.

Something that could say every place throughout the ACF2 database that a certain ROLE grants access to would be very useful from an Audit standpoint.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The ACFRPTRX report can be used to report on all ROLES in the ACF2 database and what access each one gives. Take care with this report: running it against the active databases can cause a performance slowdown while the report is running. How much depends on how many ROLES, users, and rulesets the report has to process. The report must be run separately for the RULES and INFOSTG databases.

Specify NOACF2 to run the report against the ALT databases. ROLE processing always occurs against the active role table, regardless of whether ACF2 or NOACF2 is specified. The DEFROLE parameter must be specified when running the report with NOACF2 in order for ROLES to be considered.

Here are a couple of sample JCL jobs to get started. Mix and match the various parameters to tailor the output to specific site needs. Be sure to replace the DSNs on the LOGONIDS, INFOSTG and RULES DD statements with the appropriate alternate database names.

To list all resource access a specific Role gives:
//REPORT  EXEC PGM=ACFRPTRX                             
//SYSPRINT DD SYSOUT=*                                  
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1                    
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2                    
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3                    
//LOGONIDS  DD  DISP=SHR,DSN=ACF2.ALTLIDS     
//INFOSTG   DD  DISP=SHR,DSN=ACF2.ALTINFO     
//RULES     DD  DISP=SHR,DSN=ACF2.ALTRULES    
//SYSUT1 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30 
//SYSUT2 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30 
//SYSIN    DD *                                         
TITLE(ACFRPTRX)                                         
ACF2                                                    
RSRC                                                    
NOUIDALL                                                
ROLE(rolename)                                             
TYPE(***)      

The ROLE parameter can be masked. Here is an example to see all dataset access for all roles:
//REPORT  EXEC PGM=ACFRPTRX                            
//SYSPRINT DD SYSOUT=*                                 
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1                   
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2                   
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3                   
//LOGONIDS  DD  DISP=SHR,DSN=ACF2.ALTLIDS    
//INFOSTG   DD  DISP=SHR,DSN=ACF2.ALTINFO    
//RULES     DD  DISP=SHR,DSN=ACF2.ALTRULES   
//SYSUT1 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSUT2 DD   UNIT=SYSDA,SPACE=(CYL,(2,2)),DCB=BUFNO=30
//SYSIN    DD *                                        
TITLE(ACFRPTRX)                                        
ACF2                                                   
DSET                                                   
NOUIDALL                                               
ROLE(-)      

The NOUIDALL parameter is used to suppress rule entries where ROLE(-) is used to grant access to all users. This helps filter the report down.

The LID parameter can also be used to report on access based on logonid, and the report then includes the ROLES assigned to the user. The LID value can be fully masked, but doing so produces a very large output that includes every user's access on the system and may take a very long time to run, depending on the size of the databases. The ROLES command is the recommended method of seeing what ROLES a user has access to.