IBM Security Z Security

Security for Z

  • 1.  CARLa

    Posted Tue April 14, 2020 09:24 AM
    Hello CARLa Gurus,
    I'd like to list all my userids with the following information:

    Userid
    Name            
    DFLTGRP   
    Connect-Groups
    TSO if any    
    OMVS if any
    General Resource Access if any
    No datasets access 

    Who can show me how to do this?

    Thank you very much.


    ------------------------------
    [Rachid B.] [Kebbi]
    [Security Administrator]
    [C&A]
    [Düsseldorf/Germany]
    ------------------------------


  • 2.  RE: CARLa

    Posted Wed April 15, 2020 09:11 AM
    Edited by Rob van Hoboken Wed April 15, 2020 09:17 AM
    There are some challenges with this request.
    1. RACF keeps information in different places: NAME, DFLTGRP, CGGRPNM are in the BASE segment of the profile, TSO and OMVS are different segment types.  These are read at arbitrary times by zSecure and that implies the fields are not available in the same (output) line.
    But CARLa has an implicit lookup operator : that could add a field from the segment into the BASE segment report, if we had a field name.
    2. Unfortunately, there is no single field to express if the user has a TSO or OMVS segment.  We could print the UID number, reasoning that a user without a valid UID could not use z/OS UNIX services, even if the user has an OMVS segment.  The same cannot be said for TSO segment fields, but we could print the TSO maximum logon size.   A missing logon size could be construed as no TSO access.
    newlist type=racf
      select class=user segment=base
      sortlist profile(8,"Userid") name dfltgrp cggrpnm :uid(9) :tmsize(8,"TSO size")

    3. Adding the "General resource access" in this single line would not be practical.

    We can also generate a single line for each of the components, and bundle them together per userid value.  This is done with the MERGELIST block.  It creates sorting across newlist boundaries using the field values from the individual sortlist lines.

    mergelist
      newlist type=racf
        s c=user s=base mask=*
        sortlist profile(8,"Userid",page),
                 :supgroup(nd),
                 segment(nd),
                 Name,
                 dfltgrp,
                 congrpnm(hor)
      newlist type=racf
        s c=user s=tso mask=*
        sortlist profile(8,"Userid"),
                 :supgroup(nd),
                 segment
      newlist type=racf
          s c=user s=omvs mask=*
          sortlist profile(8,"Userid"),
                   :supgroup(nd),
                   segment
      newlist type=racf_access
        s c<>(user,group,dataset) id:id.id.class=USER id=*
        sortlist id,
                 class profile
    endmerge

    This uses :supgroup to create an empty field (superior groups only have value for group profiles), so any of the output lines for the USER profile sort before output lines from racf_access (CLASS is a non-blank value, so it sorts after the empty fields).
    You could adjust the filter (mask=* and id=*) to limit this report to specific user ids.


  • 3.  RE: CARLa

    Posted Tue April 21, 2020 06:34 AM
    Hi Rob,
    first of all I'll thank you for your help.
    I don't need the information for the TSO and OMVS segment in a line. It is ok if the information is appended to the list.

    Thanks

    ------------------------------
    [Rachid B.] [Kebbi]
    [Security Administrator]
    [C&A]
    [Düsseldorf/Germany]
    ------------------------------



  • 4.  RE: CARLa

    Posted Thu April 23, 2020 03:40 AM
    Hi Rob,
    I get this message:
    CKR0520 12 Merged NEWLIST at CKRCMDV line 12 must use same LIST family member as NEWLIST at CKRCMDV line 8
    CKR0000 12 CKRCARLA terminated due to input errors    

    What is the problem? I see there are different types!!!

    000001 newlist type=racf,                                           
    000002    TT='List userids with default, connect groups and TSO'    
    000003    select class=user segment=base mask=*                     
    000004    exclude mask=irr*                                         
    000005    sortlist profile(8,"USERID") NAME DFLTGRP CGGRPNM,        
    000006    :tlproc(8,"TSOPROC")                                      
    000007 mergelist                                                    
    000008   newlist type=racf,                                         
    000009        TT='List userids with OMVS segment, Home and UID'         
    000010         select class=user segment=omvs uid>0                      
    000011        display key(8) home UID                                   
    000012  newlist type=racf_access,                                    
    000013       TT='Access to General Resources profiles without datasets'
    000014       s c<>(user,group,dataset) id:id.id.class=USER id=*        
    000015       sortlist id, class profile                                
    000016 endmerge

    ------------------------------
    [Rachid B.] [Kebbi]
    [Security Administrator]
    [C&A]
    [Düsseldorf/Germany]
    ------------------------------



  • 5.  RE: CARLa

    Posted Thu April 23, 2020 05:08 AM
    Edited by Rob van Hoboken Thu April 23, 2020 05:10 AM
    You have 2 NEWLIST blocks and you used/copied the MERGELIST command to combine the output.  However, you changed one of the SORTLIST (output) commands into DISPLAY.  DISPLAY means "show in a modifiable ISPF display" whereas SORTLIST requests output into a data set.  Those 2 different options can be used in one CARLa program, but the output cannot be merged.
    The problem goes away when you use the same output command (SORTLIST or DISPLAY).  How does this relate to the CKR0520 message?  LIST, SORTLIST, DISPLAY and (D)SUMMARY are all output producing commands, as family members of the LIST command they share some characteristics.... Ask Google for CKR0520 and you see the Explanation.
    By the way, TLPROC is the last used logon procedure, a user that never logged on to TSO (but with a TSO segment) would have an empty value in TLPROC.

    ------------------------------
    Rob van Hoboken
    ------------------------------
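As an added example (not code from either poster), the program from post 4 rewritten so that every NEWLIST inside the MERGELIST uses the same output command (SORTLIST) and starts with the same leading sort fields, following the :supgroup(nd)/segment ordering trick from post 2. Field names are taken from the posts above; whether the result matches your installation's output expectations is an assumption to verify.

```carla
mergelist
  /* BASE segment: name, default group, connect groups, last TSO proc */
  newlist type=racf,
    tt='List userids with default, connect groups and TSO'
    select class=user segment=base mask=*
    exclude mask=irr*
    sortlist profile(8,"USERID"),
             :supgroup(nd),      /* empty for users: sorts before access lines */
             segment(nd),
             name dfltgrp cggrpnm,
             :tlproc(8,"TSOPROC")
  /* OMVS segment: SORTLIST here, not DISPLAY, or CKR0520 is issued */
  newlist type=racf,
    tt='List userids with OMVS segment, Home and UID'
    select class=user segment=omvs uid>0
    sortlist profile(8,"USERID"),
             :supgroup(nd),
             segment,
             home uid
  /* general resource access: CLASS is non-blank, so it sorts last */
  newlist type=racf_access,
    tt='Access to General Resources profiles without datasets'
    s c<>(user,group,dataset) id:id.id.class=USER id=*
    sortlist id,
             class profile
endmerge
```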