IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Access verification in Offline database

    Posted Tue January 21, 2025 07:35 AM

    Hi,
    Looking for the best way to verify changes in an offline database.

    Changes to GCICSTRN applied to the OFFLINE database - who can access the Transaction (user or Group)?


    Is there something similar to RA.1 that can run against an OFFLINE database?

    Need to boost Transaction owners' level of confidence in a major change.

    Thanks



    ------------------------------
    James Lumsden
    ------------------------------


  • 2.  RE: Access verification in Offline database

    Posted Tue January 21, 2025 08:55 AM

    Not really... The problem is that the Offline CICS resource profiles are not raclisted anywhere, and thus that the Offline GCICSTRN profiles are ignored.

    The best I can offer is to run "merged profiles" in RA.R for %CICSTRN, and check the ACLs.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 3.  RE: Access verification in Offline database

    Posted Tue January 21, 2025 09:02 AM
    Edited by Bobby Borisov Tue January 21, 2025 09:03 AM

    Hello,

    Maybe I didn't understand the question correctly, but here goes:
    I think you could load an offline database into zSecure. This process involves using the 'Input files' option under the 'Setup' menu.

    Then you can query it the same as the live one.

    Alternatively,

    you could use REXX and an IRRDBU00 unload of both the active and offline databases to compare whatever field you need to, or you could do it manually by browsing the unload files and looking at the needed record types.

    To boost the level of confidence I would:

    • Generate before-and-after reports using zSecure or IRRDBU00 outputs.
    • Document and validate the applied changes.
    • Simulate access scenarios to confirm correctness.
    • Have a revert plan with ready commands.

    Hope this helps. 

    Bobby



    ------------------------------
    Bobby Borisov Mainframe Security Consultant
    ------------------------------
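As an added example (not code from the thread, from zSecure or from IBM), the following Python script carries out the unload comparison suggested in the post above: it reads IRRDBU00 records of type 0503 (general resource group members) and 0505 (general resource access lists) for the GCICSTRN/TCICSTRN pair, expands each grouping profile to its member transactions, and reports every transaction/ID pair whose access differs between the active and the offline unload. The column positions are an assumed IRRDBU00 layout and should be checked against the RACF Macros and Interfaces manual for your release; the two unloads are constructed inline. The script deliberately does not model UACC, WARNING, conditional access (0507) or generic profile matching, and where one ID reaches a transaction through several profiles it keeps the highest access, which is a simplification and not a statement of RACF's RACLIST merge rule.

```python
"""Compare who can reach each CICS transaction in two IRRDBU00 unloads.

Added example for the thread above; not zSecure or IBM code. Column positions
below are the assumed IRRDBU00 layout (1-based start, length) for record types
0503 and 0505 - check them against the RACF Macros and Interfaces manual.
"""
from collections import defaultdict

REC_TYPE = (1, 4)            # record type, all record types
GR_NAME = (6, 246)           # general resource profile name (0503, 0505)
GR_CLASS = (253, 8)          # class name (0503, 0505)
GRMEM_MEMBER = (262, 255)    # 0503: member resource name
GRACC_AUTH_ID = (262, 8)     # 0505: user or group ID on the access list
GRACC_ACCESS = (271, 8)      # 0505: access level for that ID

# Ordering used only to pick one value when an ID reaches a transaction through
# several profiles; a simplification, not RACF's documented merge rule.
RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


def field(rec, spec):
    """Cut one fixed-position field out of an unload record."""
    start, length = spec
    return rec[start - 1:start - 1 + length].strip()


def parse_unload(lines, member_class="TCICSTRN", grouping_class="GCICSTRN"):
    """Return {transaction: {id: access}} with grouping profiles expanded.

    Discrete member-class profiles are taken literally as one transaction;
    grouping-class profiles contribute their ACL to every 0503 member.
    UACC, WARNING, conditional access (0507) and generics are not modelled.
    """
    members = defaultdict(list)   # grouping profile -> [transaction, ...]
    acls = defaultdict(dict)      # (class, profile) -> {id: access}
    for raw in lines:
        rec = raw.rstrip("\r\n")
        rtype = field(rec, REC_TYPE)
        cls = field(rec, GR_CLASS)
        if rtype == "0503" and cls == grouping_class:
            members[field(rec, GR_NAME)].append(field(rec, GRMEM_MEMBER))
        elif rtype == "0505" and cls in (member_class, grouping_class):
            acls[(cls, field(rec, GR_NAME))][field(rec, GRACC_AUTH_ID)] = field(rec, GRACC_ACCESS)

    access = defaultdict(dict)
    for (cls, profile), acl in acls.items():
        targets = members.get(profile, []) if cls == grouping_class else [profile]
        for tran in targets:
            for auth_id, level in acl.items():
                current = access[tran].get(auth_id)
                if current is None or RANK.get(level, -1) > RANK.get(current, -1):
                    access[tran][auth_id] = level
    return dict(access)


def compare_access(active, offline):
    """List (transaction, id, active_access, offline_access) for every pair
    whose effective access differs; '-' means the ID is absent on that side."""
    diffs = []
    for tran in sorted(set(active) | set(offline)):
        before, after = active.get(tran, {}), offline.get(tran, {})
        for auth_id in sorted(set(before) | set(after)):
            if before.get(auth_id) != after.get(auth_id):
                diffs.append((tran, auth_id, before.get(auth_id, "-"), after.get(auth_id, "-")))
    return diffs


def _rec(rtype, name, cls, *cols):
    """Build one constructed unload record using the assumed layout above."""
    buf = [" "] * 600
    for spec, value in ((REC_TYPE, rtype), (GR_NAME, name), (GR_CLASS, cls)) + cols:
        start, length = spec
        buf[start - 1:start - 1 + length] = list(value.ljust(length)[:length])
    return "".join(buf)


# Constructed sample unloads (not real RACF data). Active: grouping profile
# PAYTRANS covers PAY1/PAY2 with PAYUSERS and PAYAUDIT at READ; discrete ADM1
# gives SYSADMIN ALTER. Offline: PAY3 added to PAYTRANS, PAYCLERK added,
# PAYAUDIT removed, ADM1 unchanged.
ACTIVE_UNLOAD = [
    _rec("0503", "PAYTRANS", "GCICSTRN", (GRMEM_MEMBER, "PAY1")),
    _rec("0503", "PAYTRANS", "GCICSTRN", (GRMEM_MEMBER, "PAY2")),
    _rec("0505", "PAYTRANS", "GCICSTRN", (GRACC_AUTH_ID, "PAYUSERS"), (GRACC_ACCESS, "READ")),
    _rec("0505", "PAYTRANS", "GCICSTRN", (GRACC_AUTH_ID, "PAYAUDIT"), (GRACC_ACCESS, "READ")),
    _rec("0505", "ADM1", "TCICSTRN", (GRACC_AUTH_ID, "SYSADMIN"), (GRACC_ACCESS, "ALTER")),
]
OFFLINE_UNLOAD = [
    _rec("0503", "PAYTRANS", "GCICSTRN", (GRMEM_MEMBER, "PAY1")),
    _rec("0503", "PAYTRANS", "GCICSTRN", (GRMEM_MEMBER, "PAY2")),
    _rec("0503", "PAYTRANS", "GCICSTRN", (GRMEM_MEMBER, "PAY3")),
    _rec("0505", "PAYTRANS", "GCICSTRN", (GRACC_AUTH_ID, "PAYUSERS"), (GRACC_ACCESS, "READ")),
    _rec("0505", "PAYTRANS", "GCICSTRN", (GRACC_AUTH_ID, "PAYCLERK"), (GRACC_ACCESS, "READ")),
    _rec("0505", "ADM1", "TCICSTRN", (GRACC_AUTH_ID, "SYSADMIN"), (GRACC_ACCESS, "ALTER")),
]

if __name__ == "__main__":
    report = compare_access(parse_unload(ACTIVE_UNLOAD), parse_unload(OFFLINE_UNLOAD))
    for tran, auth_id, before, after in report:
        print(f"{tran:<8} {auth_id:<8} active={before:<8} offline={after}")
```

Against real data, pass the open unload files (one produced from the active database, one from the RACF-Offline database) to parse_unload in place of the constructed lists; the resulting diff is exactly the "before and after" list a transaction owner can sign off on, with each row naming the transaction, the user or group, and the access on either side.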



  • 4.  RE: Access verification in Offline database

    Posted Tue January 21, 2025 09:46 AM

    Hi Bobby,

    For most zSecure menu options you could use SETUP FILES to control which database to query. However, RA.1 works with the CKGRACF program. That normally runs against the active database regardless of SETUP FILES.

    What would work is being inside the RACF-Offline environment, as CKGRACF is supported by RACF-Offline per https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/urm_racf/admin_audit/racfoffline_racf_cmds_support.htm ; this would require the person doing the querying to logon to the RACF-Offline environment.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 5.  RE: Access verification in Offline database

    Posted Tue January 21, 2025 09:52 AM

    Ah, but I missed Guus's response about RACLISTing... I suppose it still would not work.



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 6.  RE: Access verification in Offline database

    Posted Tue January 21, 2025 09:19 AM

    Another approach would be to match a historic Access Monitor file against the Offline database via a Compare run.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 7.  RE: Access verification in Offline database

    Posted Thu January 23, 2025 07:27 AM

    Hi All
    Thanks for the responses.
    We believe that updating RACF Offline to support RACLISTing would be a really positive contribution to this sort of issue.

    Is this worth us submitting an IBM Idea for consideration? 
    Is there any concept of how long it might take to produce if the Idea was adopted, and has any work already been done in this area?

    Or an SPE to help us out in the short term?

    Regards.

    James



    ------------------------------
    James Lumsden
    ------------------------------



  • 8.  RE: Access verification in Offline database

    Posted Mon January 27, 2025 03:21 AM
    Edited by Rob van Hoboken Mon January 27, 2025 03:22 AM

    Hi James,

    Newlist type RACF_ACCESS includes simulation of RACLIST; from the manual:

    Grouping profile members are only present as separate records for RACLISTed grouping classes.

    For SETROPTS or GLOBAL=YES RACLIST-ed classes, permits per member profile or grouping profile member might be present twice because the RACLIST merge result is also returned for records that have the flag RACLIST_MERGE set on.

    You could run a CARLa query on the active and the same on the OFFLINE database, and compare the results externally, i.e., eyeball the reports.

    newlist type=racf_access
      select member_class=TCICSTRN raclist_merge=yes
      sortlist id access class profile
      summary member_key(17) count(nd)

    You have to allocate a relevant CKFREEZE so zSecure can figure out the link between grouping and member class, and the RACLIST status of the class.

    Unfortunately, RACF_ACCESS does not offer the ACL(RESOLVE) functionality, so this report would only provide insight for re-organized profiles, not for restructured (user) groups.

    You might be able to use COMPAREOPT to have zSecure show a comparison between the 2 databases, with 2 CKFREEZE files allocated and appropriate COMPLEX/VERSION values.


    ------------------------------
    Rob van Hoboken
    ------------------------------