If you do not specify any parameters, all the groups, users, and objects are listed.
If you specify GroupName, only those access control lists relating to that group are listed.
If you specify UserName, only those access control lists relating to that specific user are listed, including any access control lists to which they belong.
If you specify Broker, only those groups, users, or access control lists relating to that broker are listed.
<principal> - <principaltype> - <accesstype> - <objectname> - <objecttype>
where
wrkgrp\ali - USER - F - EXE - BROKER\default
means that user "ali" in domain "wrkgrp" has been granted full control over the execution group default in broker "BROKER".
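An added example, not part of the original documentation: a Python script for reviewing a saved listing in the five-field form shown above, reporting which principals hold access type F (full control). It assumes fields are separated by " - " and reads the fourth and fifth fields in the order of the example line (EXE, then BROKER\default); the function names and every sample line except the first are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class AclEntry(NamedTuple):
    principal: str       # e.g. wrkgrp\ali
    principal_type: str  # e.g. USER
    access_type: str     # e.g. F (full control)
    object_type: str     # 4th field, EXE in the page's example line
    object_name: str     # 5th field, BROKER\default in the page's example line

def parse_acl_listing(text):
    """Return (entries, rejected_lines) for a listing in the five-field form."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(" - ")]
        # Require exactly five non-empty fields; keep anything else for manual review
        # rather than guessing which field a stray separator belongs to.
        if len(fields) != 5 or not all(fields):
            rejected.append(line)
            continue
        entries.append(AclEntry(*fields))
    return entries, rejected

def full_control_by_principal(entries):
    """Map each principal to the objects on which it holds access type F."""
    grants = defaultdict(list)
    for e in entries:
        if e.access_type.upper() == "F":
            grants[e.principal].append((e.object_type, e.object_name))
    return dict(grants)

# Constructed sample: the first line is the page's example, the rest are invented.
SAMPLE = r"""
wrkgrp\ali - USER - F - EXE - BROKER\default
wrkgrp\ops - GROUP - V - EXE - BROKER\default
wrkgrp\ali - USER - F - BROKER - BROKER
this line is not an ACL entry
"""

if __name__ == "__main__":
    entries, rejected = parse_acl_listing(SAMPLE)
    for principal, objs in full_control_by_principal(entries).items():
        print(principal, "has full control over", objs)
    print("unparsed lines:", rejected)
```

Because any principal with full control over an object can change that object's ACLs, the principals this reports are the ones to review first.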
The user ID used to invoke this command must have full control permissions for the object being changed; see ACL permissions for more information.
When z/OS commands are run through the console, they effectively run as the Configuration Manager's started-task ID. This means that the commands inherit a Full Control root ACL and you can carry out any operation.
If you submit a console command to the Configuration Manager you can change any ACL for that Configuration Manager.