Use Case - Access Rights

Who has access to a critical resource?

Situation:
The auditor wants to find out who has access to a resource (in this case a dataset) that has been classified as critical by its owner, so that she can be sure that only approved access rights have been granted.
This is something that a RACF administrator might want to find out, too.

Complications:
General access rights are granted using the Universal Access attribute. In RACF, additional access rights can be granted directly to users or to groups. If access rights are granted to a group, all the users connected to that group also have these access rights.
RACF shows the IDs of all the authorized users and groups with access to the resource, but does not differentiate between them. Therefore a follow-up analysis needs to be made to find out which of the IDs refer to groups. Once the groups have been determined, the auditor can find out which users are connected to them (making sure that the connect hasn't been revoked).

Solution:
First of all, all access rights to the resource concerned need to be listed (RACF command: LISTDSD DATASET(datasetname) ALL). Now the auditor needs to find out which of the IDs listed are actually groups (in a best-case scenario, naming conventions would show this). All the users for each of these groups must then be listed.
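
The follow-up analysis described above, as an added example that is not part of the original page or of any Beta Systems product: it expands an access list into per-user rows, skips revoked connects, and flags anything the owner has not approved. All IDs, group names, connects and approvals are constructed sample data, and the function names are hypothetical; in practice the inputs would be transcribed from the LISTDSD output and from a listing of each group.

```python
# Added example: expand a dataset profile's access list into per-user rows.
# All IDs, groups, connects and approvals below are constructed sample data.

UACC = "NONE"  # Universal Access of the profile (constructed)

# Access list as (ID, access); RACF does not say which IDs are groups.
ACCESS_LIST = [("PAYADM", "ALTER"), ("PAYGRP", "UPDATE"),
               ("AUDGRP", "READ"), ("JSMITH", "READ")]

# Group -> [(user, connect_revoked)], gathered by listing each group.
CONNECTS = {
    "PAYGRP": [("MMILLER", False), ("TJONES", True), ("JSMITH", False)],
    "AUDGRP": [("KBROWN", False)],
}

# (user, access) pairs approved by the resource owner.
APPROVED = {("PAYADM", "ALTER"), ("MMILLER", "UPDATE"),
            ("JSMITH", "READ"), ("KBROWN", "READ")}


def expand_access(access_list, connects):
    """Return (user, access, via) rows; a group entry becomes one row per
    connected user, skipping connects that have been revoked."""
    rows = []
    for ident, access in access_list:
        if ident in connects:  # the ID is a group
            for user, revoked in connects[ident]:
                if not revoked:
                    rows.append((user, access, ident))
        else:  # the ID is a user permitted directly
            rows.append((ident, access, "direct"))
    return rows


def unapproved(rows, approved, uacc="NONE"):
    """Return rows without a matching approval, plus a finding if the
    Universal Access gives everyone more than NONE."""
    findings = [r for r in rows if (r[0], r[1]) not in approved]
    if uacc != "NONE":
        findings.append(("*", uacc, "UACC"))
    return findings


if __name__ == "__main__":
    rows = expand_access(ACCESS_LIST, CONNECTS)
    for user, access, via in rows:
        print(f"{user:8} {access:7} via {via}")
    for user, access, via in unapproved(rows, APPROVED, UACC):
        print(f"NOT APPROVED: {user} {access} via {via}")
```

In the sample data JSMITH is approved for READ only but also receives UPDATE through the PAYGRP connect, which is the kind of finding that stays hidden until the groups on the access list are resolved.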

The ideal solution is offered by the Beta 88 zSecurity Administrator – only one command and you've got the answer straight away.