Hi Nicholas.
I looked at the standard printable reports produced by AM.1 and you are right, they are not very helpful for your project. So I cobbled some CARLa together for you. You should be able to copy this into a member of a PDS, then go to option CO.1, enter the name of your PDS (in quotes) with a Type of CKRCARLA. Next you enter an E in front of the PDS, search for your member, and enter an R to run, E to edit.

    newlist type=access
      define test(str$blank('Test'),4) true where req_status_access
      define result_fail(str$blank('Fail'),0) true,
        where access_result=8 not(req_status_access)
      define result_Undef(str$blank('Undef'),0) true,
        where access_result=4
      s class=FACILITY access_profile=CSVLLA.**
      summary class,
        access_profile,
        / ' '(8) 'Userid Name Intent Allowed Test Result',
        /,
        * ' '(7) userid userid:name,
        intent(max,np),
        access_allowed,
        test,
        result_fail | result_undef,
        count(nd)

The result should look like this:

    A C C E S S   T R A C E   R E C O R D   L I S T I N G      28 Nov 2019 02:51

    Class    Profile key used
    FACILITY CSVLLA.DEV.**
           Userid   Name                 Intent  Allowed Test Result
           RACFADM  RACF ADMIN SHRD USER ALTER   ALTER   Test
           STRTASK  DIV STARTED TASK USR UPDATE  UPDATE
    FACILITY CSVLLA.SYS1.**
           Userid   Name                 Intent  Allowed Test Result
           RACFADM  RACF ADMIN SHRD USER ALTER   ALTER   Test
           STRTASK  DIV STARTED TASK USR UPDATE  ALTER
           USERJOE  JOE THE PLUMBER      READ    NONE         Fail

The Test column indicates that the application issued a "Retrieve allowed access" and usually the requested access is ALTER which results in many failed access results. However, 9 out of 10 times this is the result of an administrator issuing RLIST or LISTDSD on a profile. The other 1 out of 10 would be a CICS menu application providing a list of transaction names to RACF and requesting access allowed info for each.
I agree that the layout could be improved, but this is as far as I get with the formatting that CARLa allows (and without making the program totally unreadable).
As you can see, the report is summarized by profile key. You wanted to externalize the selection of profile. This could be achieved in 2 ways:
You could specify your profile key in the select command like so:

    s class=FACILITY access_profile=(,
      'BPX.DAEMON',
      'BPX.SUPERUSER',
      'BPX.**',
      )

The quotes allow you to specify generic profiles, without having the generic characters work as selection filters in the report. So 'BPX.**' only selects the BPX.** profile, and not BPX.SUPERUSER.
Alternatively, you could write the desired profile keys into an input data set for your job. Allocate this as //CONTROL DD * in your JCL.
Then add ahead of the newlist:

    deftype type=profsel
    alloc type=profsel dd=CONTROL
    define type=profsel profile as word(record,1)

or, if you wish to test this in ISPF:

    deftype type=profsel
    alloc type=profsel dd=your.dsname.cntl(member)
    define type=profsel profile as word(record,1)

This defines a look-up list called PROFSEL that we can use in the SELECT command like so:

    s class=FACILITY access_profile:profsel.profile.profile<>' '

The control data set must have the profile keys exactly how they appear in the report, one profile per line.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Wed November 27, 2019 08:27 AM
From: Nicholas Littler
Subject: Access Monitor - checking multiple profiles
We are running a project to remove the ID * entry from Dataset and Resource class profiles. Using zSecure Access Monitor, we are checking usage of profiles to establish users who have accessed the profiles through ID(*). We can then review the access and add those users' role groups to the profiles where appropriate and remove ID(*).
Currently we enter one profile at a time in Access Monitor. This is time consuming and we need to process many profiles through Access Monitor.
Want:
- Read in a profile from a list of profiles held in a dataset (sequential).
- Access monitor to analyse usage of the profile read in.
- Send AM usage output to a dataset.
- Repeat until end of profile list.
This would enable us to process multiple profiles in an efficient manner.
I have created a job from zSecure, to analyse access for one profile. Output is in line in the job output.

    A C C E S S T R A C E R E C O R D L I S T I N G 26 Nov 2019 10:30
    ACCESS MONITOR RECORDS CLASS: FACILITY, RESOURCES CSVLLA.**
    Userid Name Intent Type RetAll ACCRC Class Co
    AUTGSS NETVIEW AUTO TASK UPDATE Auth 0 FACILITY BE
    FACILITY CSVLLA.CAIS.EASYPLUS.V6R2M0.CAILIB
    FACILITY GENERIC CSVLLA.**
    INTENT=UPDATE ALLOWED=UPDATE RESULT=0

The code generated in the JCL does not appear to be able to add additional profiles to it:

    select ,class=FACILITY,resource=CSVLLA.** rectype=(auth,fast,def)
    SORTLIST / " "(8) CLASS,
      RESOURCE(84,WRAP) " " ACCESS_COUNT LAST_TOD,

Is it possible to use the profiles in an input file to be processed in sequence and output to a dataset?
Thanks.
------------------------------
Nick Littler
------------------------------