CA VM:Secure provides three commands to query the rules structure you have built: CAN, QRULES, and RULEMAP. Use these commands while you construct your rules database and periodically thereafter to verify that users have appropriate permission to access resources.
The CAN and QRULES commands are provided to respond to the question, "Can USERx access resource Y?" CAN is designed for programmatic use; it displays a return code indicating whether the user can access the resource. QRULES responds to this query by displaying the rule governing the access request.
The RULEMAP command lists rules that apply to a named user or security group. Use RULEMAP to answer the question, "Which rules specifically reference USERx?"