What is the ACF2 ACCESS Command and how is it used?
search cancel

What is the ACF2 ACCESS Command and how is it used?


Article ID: 26328


Updated On:


ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit


What is the ACF2 TSO ACCESS subcommand? How is it used?



Component: ACF2MS


  1. What is the access command?

    The ACCESS command is used to display 'who' has access to specific resource or dataset. The ACCESS subcommand lists each rule line that matches a given input resource and the users that match the UID mask on the rule line(s). The ACCESS subcommand simulates validation for users that match UID masks on rule line(s). If a user's UID matches the UID mask on a given rule line, the user is not listed after subsequent rule lines that contain a matching UID mask. The exceptions to this rule are the rule lines that contain environment variables- such as, PROGRAM, SHIFT, RECCHECK, LIB, etc. When these parameters are found on rule lines and a user has not matched a previous rule line that do not contain environment variables, the ACCESS subcommand's output will list the user after the matching rule lines, until a matching rule line is encountered that does not contain environment variables. This rule line is the last rule line that the user will be listed under. The ACCESS subcommand will also process through any NEXTKEY's that are in the rules. Currently, the ACCESS command will not process Keys that have been modified by Exits. 

  2. Syntax of the ACCESS subcommand:

    Access [Dsname(dsname)] [Resource(resourcename) Type(typecode) [Class(c)]

  3. How to enable the access command:

    The GSO OPTS ACCESS|NOACCESS Option needs to be enabled. This specifies whether the ACCESS subcommand is enabled for processing. 
    The default is NOACCESS.

    Note: A refresh of the OPTS record and an F ACF2,NEWUID operator command is required to build the LID/UID cross- reference table. This command needs to be issued anytime you add logonid records or update their uid string. This command updates the in storage UID table used by the ACCESS command.

  4. ACCESS command - example:

    ? access dsname('SYSX.dummy')
    ACCESS Subcommand Results For: SYSX.DUMMY

    Key: SYSX

    Lids: All logonids Reason: The environment LIB and PGM are not checked.

    Ruleline: - UID(*) READ(A) WRITE(A) EXEC(A)
    Lids: All other logonids

The CA-ACF2 Administration Guide section 'ACCESS Subcommand' contains detailed documentation related to the ACCESS subcommand.

Additional Information

If the ACF2 ACCESS DSNAME() command is not producing intended results, verify if PTF LU10009 is applied. 

** AMZ Jun 16 '23