IBM Security Z Security

Security for Z

  • 1.  CKGRACF and scheduled commands

    Posted 2 days ago

    I do not have any experience with the queued commands facilities in CKGRACF. 
    Where is there a simple explanation or overview?
    We would also like to understand where the pending commands are held, and who has access to them.
    Thanks

    Lennie



    ------------------------------
    Lennie Dymoke-Bradshaw
    ------------------------------


  • 2.  RE: CKGRACF and scheduled commands

    Posted 2 days ago

    Hi Lennie, 

    More detailed information about the CKGRACF commands is documented in the IBM zSecure Admin and Audit for RACF User Reference Manual in a section named 'CKGRACF quick reference'. Here is a link to that section:

    https://www.ibm.com/docs/en/szs/3.2.0?topic=manual-ckgracf-command-language

    For more information about queued commands, you might find reading the section named 'RA.2 QUEUED - Queued commands' to be helpful:

    https://www.ibm.com/docs/en/szs/3.2.0?topic=guide-ra2-queued-queued-commands

    All CKGRACF queued commands are stored as user data entries in the target RACF profiles for the commands. For processing CKGRACF commands (request, execute, ask, second, complete, withdraw, etc.), RACF administrators require appropriate access to CKG.CMD.** resources in the XFACILIT class, and the target profile must reside in the CKGRACF administrator's scope. FYI, CKG scopes are also defined in the XFACILIT class with CKG.SCP.** profiles.

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: CKGRACF and scheduled commands

    Posted yesterday

    Many thanks for your prompt reply Tom,
    I have spent some time reading the references you gave. I am still pretty confused about much of this. I feel I am missing an overview of the subject. However, I will plough on and see what I can find. I have a couple of specific questions for you.
    1. You said that the queued commands are stored with each target profile. So if I have a queued command for a CONNECT, is it stored in the GROUP profile or the USER profile? Is there any way to display this in a meaningful way? 
    2. I see that the option RA.2 shows me all the queued commands if I select option 4. However, this seems to work very quickly. How can it scan every profile to know what is queued?
    3. If there are timed actions required, how are these triggered? Is there some other process that needs to run regularly to trigger these?

    Regards,
    Lennie



    ------------------------------
    Lennie Dymoke-Bradshaw
    ------------------------------



  • 4.  RE: CKGRACF and scheduled commands

    Posted yesterday

    Hi Lennie,

    A CONNECT is queued on the GROUP.

    I am not sure what you find to be a meaningful way. From the queued commands side, RA.2 option 4 seems good to me. Of course, when you just look at RA.G you will also see all these queued commands in the "user data" section.

    Sample:

                      zSecure GROUP #TEST2 Overview                 Line 461 of 474 
     Command ===> _________________________________________________ Scroll===> CSR  
     like #TEST2                                     15 Oct 2025 23:45              
                                                                                    
       Command audit trail data                                                     
     _ Attrib:  INSTDATA Added on 24.339/17:06 by CRMBAH1                           
     _ Attrib:  OWNER    Added on 24.339/17:06 by CRMBAH1                           
     _ Attrib:  SUPGRP   Added on 24.339/17:06 by CRMBAH1                           
     _ Attrib:  TERMUACC Removed on 24.339/17:06 by CRMBAH1                         
     _ Profile:          Created on 24.339/17:06 by CRMBAH1                         
     _ Segment: OVM      Added on 24.339/17:06 by CRMBAH1                           
                                                                                    
                                                                                    
                                                                                    
                                                                                    
       Commands that have been executed                                             
     _ Queued command (X): CMD AT 28Aug2025 CONNECT  CRMBSI6 GROUP(#TEST2) OPERATION
                                                                                    
     **************************** Bottom of Data *****************************

    The defined variables for the various queues are in C2RXDEF1.

    VIEW       CRMA.D.ZSSDEV.$DEV.SCKRCARL(C2RXDEF1) - 01.20   Columns 00001 00072 
    Command ===> ________________________________________________ Scroll ===> CSR  
    000085  def type=racf helppanel=C2R&ckrerel.Z248,                              
    000086    cmdspend("Timed commands waiting for execution",header)              
    000087    subselect usr(cngstatus=(PENDING,"PENDING REVERSE"))                 
    000088                                                                         
    000089  def type=racf helppanel=C2R&ckrerel.Z249,                              
    000090    cmdsact("Commands requiring administrator action",header)            
    000091    subselect usr(cngstatus=(ASK,REQUEST,                                
    000092                      "SECOND APPROVE","SECOND HOLD","COMPLETE HOLD"))   
    000093                                                                         
    000094  def type=racf helppanel=C2R&ckrerel.Z250,                              
    000095    cmdsinact("Inactive commands",header)                                
    000096    subselect usr(cngstatus=(EXPIRE,"WITHDRAW REVERSE",                  
    000097                             WITHDRAW,"SECOND DENY","COMPLETE DENY"))    
    000098                                                                         
    000099  def type=racf helppanel=C2R&ckrerel.Z251,                              
    000100    cmdsexec("Commands that have been executed",header)                  
    000101    subselect usr(cngstatus=(EXECUTED,"COMPLETE APPROVE"))   /*QR80744*/ 

    I am not sure why you think it is a problem that the engine is fast.

    There is a daily job to evaluate the need for refresh.
    https://www.ibm.com/docs/en/szs/3.2.0?topic=production-requirements-rationale-running-daily-ckgracf-job

    This essentially runs this CARLa to generate the required CKGRACF REFRESH commands:

    VIEW       CRMA.D.ZSSDEV.$BASE.SCKRCARL(CKGXREFR) - 18.11  Columns 00001 00072 
    Command ===> ________________________________________________ Scroll ===> CSR  
    000022  newlist name=REFRSUPP f=CKGOUT nopage type=system outlim=1 /*QR71112*/ 
    000023   sortlist "suppress msg=726" /* copy literal to CKGOUT */  /*QR71112*/ 
    000024  newlist name=REFRGEN  f=CKGOUT nopage title='Refresh generic profiles' 
    000025   select ckgrefresh<today generic                                       
    000026   sortlist "refresh" class "'" | key(0) | "'g"                          
    000027  newlist name=REFRREST f=CKGOUT nopage title='Refresh other profiles'   
    000028   select ckgrefresh<today not(generic)                                  
    000029   sortlist "refresh" class "'" | key(0) | "'d"                          

    You can use the CKGREFRESH variable to see when the next refresh for a profile is due.

    https://www.ibm.com/docs/en/szs/3.2.0?topic=profiles-racf-field-descriptions#select_list_fields_racf_field_descs__CKGREFRESH

    CKGREFRESH, CNGREFRESH
    This field is derived from the USR field and contains the date after which a CKGRACF REFRESH command is required; undefined if the profile does not contain scheduled revoke/resume actions or queued commands.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM zSecure
    Delft
    ------------------------------
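
As an added example (not code from this thread, and not part of IBM zSecure itself), here is a small Python model of the two CARLa fragments Jeroen quoted: the C2RXDEF1 subselects that decide which of the four RA.2 queue headings a queued command appears under, and the CKGXREFR logic that turns a profile's CKGREFRESH date into the REFRESH commands for the daily job. The Profile record, the sample profile list, the "today" date and the exact output line format (refresh CLASS 'key'g for generics and 'd for others, which is my reading of the sortlist concatenation) are assumptions; nothing here reads RACF or talks to CKGRACF.

```python
"""Constructed model of the C2RXDEF1 queue definitions and the CKGXREFR
refresh generator quoted in the thread. Example code only; it does not
access RACF or zSecure."""
from datetime import date
from typing import List, NamedTuple, Optional

# Queue headings and their cngstatus values, as listed in C2RXDEF1.
QUEUES = {
    "Timed commands waiting for execution": {"PENDING", "PENDING REVERSE"},
    "Commands requiring administrator action": {
        "ASK", "REQUEST", "SECOND APPROVE", "SECOND HOLD", "COMPLETE HOLD"},
    "Inactive commands": {
        "EXPIRE", "WITHDRAW REVERSE", "WITHDRAW", "SECOND DENY", "COMPLETE DENY"},
    "Commands that have been executed": {"EXECUTED", "COMPLETE APPROVE"},
}


def queue_for_status(cngstatus: str) -> Optional[str]:
    """Return the RA.2 heading a queued command falls under, or None if the
    status matches none of the four subselects (it would then not be shown)."""
    status = cngstatus.strip().upper()
    for heading, statuses in QUEUES.items():
        if status in statuses:
            return heading
    return None


class Profile(NamedTuple):
    """Hypothetical record: the fields the CKGXREFR CARLa selects on."""
    racf_class: str
    key: str
    generic: bool
    ckgrefresh: Optional[date]   # None: no queued commands / scheduled actions


def refresh_commands(profiles: List[Profile], today: date) -> List[str]:
    """Reproduce what CKGXREFR writes to CKGOUT: the SUPPRESS line first
    (newlist REFRSUPP), then one REFRESH per profile whose CKGREFRESH is
    before today, generics first with suffix g (REFRGEN), the rest with
    suffix d (REFRREST). Profiles without a CKGREFRESH date are skipped."""
    out = ["suppress msg=726"]
    due = [p for p in profiles
           if p.ckgrefresh is not None and p.ckgrefresh < today]
    for p in due:
        if p.generic:
            out.append(f"refresh {p.racf_class} '{p.key}'g")
    for p in due:
        if not p.generic:
            out.append(f"refresh {p.racf_class} '{p.key}'d")
    return out


# Constructed sample input (assumed values, not taken from any real system).
SAMPLE_PROFILES = [
    Profile("GROUP", "#TEST2", False, date(2025, 8, 28)),   # due, discrete
    Profile("DATASET", "SYS1.**", True, date(2025, 9, 1)),  # due, generic
    Profile("USER", "CRMBSI6", False, date(2025, 12, 1)),   # not yet due
    Profile("GROUP", "SYS1", False, None),                  # nothing queued
]


def sample_run() -> List[str]:
    """Run the generator over the sample with an assumed date of 16 Oct 2025."""
    return refresh_commands(SAMPLE_PROFILES, date(2025, 10, 16))


if __name__ == "__main__":
    for line in sample_run():
        print(line)
    print(queue_for_status("SECOND HOLD"))
```

The point of the model is the one Jeroen makes about speed: nothing scans every profile at display time. The queue view is a subselect on an already-read USR field, and the refresh job only emits commands for profiles whose derived CKGREFRESH date has passed, so a profile with nothing queued (ckgrefresh None) never produces a command.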