MainframeSupports
tip week 13/2001:

Everybody loves to hate RACF. I will try to tell you about some of the possibilities with RACF. RACF commands are best issued from TSO, and this week I will tell you a little about the commands TSO LD, TSO LU and TSO LG.

Compared to the other two commands, TSO LD is the most useful. With this command you can find out what access you have to a dataset. The good part is that you don't get a 913 abend when you aren't authorized. The syntax is TSO LD DA(<datasetname>) GEN, where the datasetname must be in quotes unless you want to use normal TSO prefixing (normally your userid). The command lists the RACF profile that authorizes (or protects) the dataset. The information listed contains attributes like 'Universal access' and, most important, 'Your access'. If 'Your access' is READ you can read the dataset, UPDATE gives you access to write in the dataset, and ALTER gives you access to delete the dataset and create it. Most important is that when you don't have any access at all, you are told so and avoid the abend.
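
The check described above can be scripted. The following REXX exec is an added example, not part of the original tip: it traps the output of TSO LD and reports 'Your access' before a job or program ever opens the dataset. The exec name CHKACC is hypothetical, and the parsing assumes the usual LD layout (a YOUR ACCESS heading, a line of dashes, then the value).

```rexx
/* REXX - added example, not from the original tip.               */
/* CHKACC is a hypothetical exec name. It runs LD and reports     */
/* 'Your access' without opening the dataset, so no 913 abend.    */
arg dsn .
if dsn = '' then do
  say "Usage: CHKACC dsname   (quote it to bypass TSO prefixing)"
  exit 8
end

/* Trap the command output in the stem LINE. */
call outtrap 'line.'
address tso "LD DA("dsn") GEN"
ldrc = rc
call outtrap 'off'

/* Assumed layout: a heading line starting YOUR ACCESS, a line of */
/* dashes, then the value as the first word of the next line.     */
access = ''
do i = 1 to line.0
  if word(line.i, 1) = 'YOUR' & word(line.i, 2) = 'ACCESS' then do
    v = i + 2
    if v <= line.0 then access = word(line.v, 1)
    leave
  end
end

/* No value found: show what RACF said (not authorized, no        */
/* profile, ...) and hand back a non-zero return code.            */
if access = '' then do
  say 'No access reported for' dsn', LD return code' ldrc
  do i = 1 to line.0
    say line.i
  end
  exit max(ldrc, 4)
end

/* Meanings as given in the tip above. */
select
  when access = 'READ'   then what = 'you can read the dataset'
  when access = 'UPDATE' then what = 'you can write in the dataset'
  when access = 'ALTER'  then what = 'you can delete and create it'
  otherwise                   what = 'see the full LD output'
end
say 'Your access to' dsn 'is' access':' what
exit 0
```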

TSO LU lists the RACF groups you are connected to. You can also write TSO LU <userid>, where <userid> is a userid different from your own. Most likely you are not authorized to do so, and RACF will tell you immediately. There is a little trick here: if the userid is not defined to RACF, it will tell you. This can be very useful sometimes.

TSO LG <RACF-group> is supposed to list all the resources that a group has access to. Most of us are not authorized to use this command. But again, as with TSO LU, it can tell you if a group does not exist. At this point it is worth noticing the difference between the security of RACF and DB2. If you query an object in RACF, you will be told whether it exists or not. In DB2 you will only be told that you are not authorized. This is a typical example of inconsistency between two major IBM products.
