IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Create PERMIT delete command, create RALT delmem,

    Posted Tue March 17, 2020 09:43 AM
    Edited by Bachir KEBBI Tue March 17, 2020 10:22 AM
    Hello CARLa specialists,
    I have to clean up some general resources and until now I've done it with:

    1) Listing the resource: RL class profile-name ALL
    2) Editing the dataset and adding the PE commands DEL automatically via CARLa:
    PE profile-name ID(userid) CLASS(class) DEL
    3) Now I have to delete the resource members and the command should be created automatically via CARLa:
    RALT class  resource-profile   -
    DELMEM( resources-member in group)
    4) Last step is to delete the resource class itself

    I'll be happy if someone helps me to create the 3 CARLa scripts:
    1) RL classes  class-profile ALL or AUTH
    2) Build the PE class-profile CLASS(xxxxxx) DEL
    3) Build RALT .....  DELMEM(....)
    RALT class  class-profile     -
    DELMEM(member, member,   ...)

    Many thanks for all/any help.


    ------------------------------
    Rachid B. Kebbi
    Security Administrator
    C&A
    Düsseldorf/Germany
    ------------------------------


  • 2.  RE: Create PERMIT delete command, create RALT delmem,

    Posted Wed March 18, 2020 04:32 AM
    Um, if you have CARLa, then I'd believe you also have zSecure Admin (among other tools).
    If you're trying to delete a bunch of profiles, why would you not take the simple route of displaying them all thru RA.R, for your Classname profile ** (EGN match), then from that list put a DD on the first line of them and a DD on the last line of them, let it churn for a bit, and it will provide you with all of the necessary commands to delete all of the profiles?  More specifically -- if you're planning on getting rid of all of the profiles, why do you need to delete all of the permits and all of the members in the grouping class before you delete the profiles?  Deleting the profiles will get rid of all of the permits and all of the members in the profile without you having to specifically delete them first.  I mean, you said you wanted to delete the resource class, so it's easy to delete the profiles, no CARLa necessary.  (Unless I'm misunderstanding your goal here...)

    ------------------------------
    Scott Tietjen CISSP
    ------------------------------



  • 3.  RE: Create PERMIT delete command, create RALT delmem,

    Posted Wed March 18, 2020 05:06 AM
    Hi Bachir,
    Like Scott, it is not quite clear to me what exactly the goal of your 3 CARLa scripts is. If you simply want to delete a bunch of general resource profiles entirely, Scott's suggestion is indeed by far the easiest way to go.
    Also, using the interactive zSecure Admin user interface as suggested by Rob is a useful strategy.

    However, when you want to delete permissions from ACLs and/or members from member lists more selectively, you might like these CARLa scripts:

    1. List all profiles in the GCICSTRN class including ACL (owner, installation data, member list)
    
    newlist type=racf
     select class=gcicstrn segment=base
     sortlist key uacc acl /* owner instdata memlst */
                                                                                  
    2. Selectively delete permissions for IDs SYSPROG and/or SYS1 from selected GCICSTRN profiles
    
    newlist type=racf nopage retain dd=ckrcmd
     define #acl(aclid) subselect acl(id(sysprog,sys1))
     select class=gcicstrn segment=base acl(id(sysprog,sys1))
     sortlist 'permit' key(0) 'class(' | class(0) | ') id(' | #acl(0) | ') delete'
                                                                                  
    3. Selectively delete member CEDA from the member list of selected GCICSTRN profiles
    
    newlist type=racf nopage dd=ckrcmd
     select class=gcicstrn segment=base memlst=:CEDA
     sortlist 'ralter' class(0) key(0) 'delmem(CEDA)'
    Notes:
    • /*....*/ marks a comment in CARLa. Therefore the columns owner, installation data, and member list are currently not included in the generated report.
    • NOPAGE suppresses the printing of layout characteristics such as titles, column headers, and page numbers.
    • DD=CKRCMD redirects the output of the CARLa to the CKRCMD work data set, where the generated commands can be reviewed/edited, run, submitted, or saved (for later execution).
    • RETAIN repeats the profile name in the generated commands when both SYSPROG and SYS1 are permitted on a single ACL.
    • The DEFINE statement only selects (sub-selects) the ACL entries for SYSPROG and SYS1 so that permissions to other IDs are not deleted.
    • The pipe (|) is used to suppress blanks that are otherwise automatically inserted by the SORTLIST statement. In the German code page, you should use the exclamation mark (!) instead of the pipe sign (|) to suppress blanks.
    • If needed, you can add more filters to the SELECT statement to select only the applicable profiles. For example, by adding OWNER=RACFADM, you only generate RACF commands for GCICSTRN profiles that are owned by RACFADM.
    I hope this helps.





    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 4.  RE: Create PERMIT delete command, create RALT delmem,

    Posted Thu March 19, 2020 09:25 AM
    Hi Scott, hi Rob, Hi Tom,
    you're all right, and it was my intention to use zSecure RA.R.
    The problem is that my boss and the auditors need a report to save for the next several years. It is also easy to save the protocol from RA.R,
    and I should do the deletion one by one, one environment by one and one application by one.
    We have 7 environments and for each environment many applications (a short list below).
    So I thought it is better to make the deletion via batch jobs which creates:
    1) PERMIT Deletion for one environment (DEVE) and all applications
    2) DELETE all the resource Members for DEVE and for all applications
    3) Many times later and after a decision from the owner/management I can delete the CLASSes or maybe not.

    Sorry I am making so many problems for you, and many thanks for your help and hints.
    Rachid (I have two first names but I prefer Rachid, just to eliminate the confusions)


    Short list:
    CLASS       CLASS-PROFILE
    GEJBROLE    WAS8xxxx.appl.WHATEVER.ROLES.ETC

    xxxx        stands for Environment (DEVE, INTS, PROD, ..... seven of them)
    appl        stands for many applications
    ROLE        WHATEVER.ADMIN.ROLES.aso....

    Best regards, freundliche Grüße, meilleures salutations, saludos cordiales

    Rachid Bachir KEBBI
    IT-Administration - Authorization



    C&A Services GmbH & Co. OHG | Wanheimer Str. 70 | D-40468 Duesseldorf  | Germany
    T 5560 | bachir.kebbi@canda.com


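    Putting Tom's two command-generating scripts (posts 3 and 4 above) together for the case Rachid describes, one environment, all applications, every permit and every member, gives the added CARLa example below. It is not from the thread, from IBM or from the zSecure product documentation. The class GEJBROLE and the key mask WAS8DEVE.** for the DEVE environment are taken from Rachid's short list; that KEY= accepts a profile mask in SELECT, and that ACLID and MEMLST can be listed as repeat groups under RETAIN to yield one command per ACL entry and per member, are my assumptions to check against the zSecure CARLa reference before running it.

    ```carla
    /* Added example, not from the thread.                               */
    /* Assumed: class GEJBROLE, profile keys WAS8DEVE.** for environment */
    /* DEVE, KEY= usable as a mask, ACLID/MEMLST repeated under RETAIN.  */
    /* Both newlists write to CKRCMD, so nothing is executed until the   */
    /* generated commands have been reviewed and submitted.              */

    /* One PERMIT ... DELETE per ACL entry of every matching profile.    */
    /* No ACL(ID(...)) sub-selection: every permit on the profile goes.  */
    newlist type=racf nopage retain dd=ckrcmd
     select class=gejbrole segment=base key=WAS8DEVE.**
     sortlist 'permit' key(0) 'class(' | class(0) | ') id(' | aclid(0) | ') delete'

    /* One RALTER ... DELMEM per member of every matching profile.       */
    newlist type=racf nopage retain dd=ckrcmd
     select class=gejbrole segment=base key=WAS8DEVE.**
     sortlist 'ralter' class(0) key(0) 'delmem(' | memlst(0) | ')'
    ```

    Because the commands land in CKRCMD rather than being run, the work data set can be saved as-is; together with the RL listing from Tom's first script it is the record of what existed and what was removed that the auditors are asking for. Change the key mask (or add OWNER= as Tom notes) to narrow the run to one environment or application at a time, and check the generated member before submitting it, since every ACL entry and member of the matched profiles is included.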





  • 5.  RE: Create PERMIT delete command, create RALT delmem,

    Posted Thu March 19, 2020 10:49 AM
    Edited by Rob van Hoboken Thu March 19, 2020 10:48 AM
    You can easily run the RACF commands in a batch job, like so.
    Go to SE.4 and select Action: queue commands.
    Go to RA.R and enter an L line command in front of the profile.  This generates an RLIST or LISTDSD command.
    Next clean up the profile by using D line commands.
    Press F3 until you see the RACF commands.  These have not been executed, but queued in CKRCMD.
    Issue SUBMIT to generate JCL.  SUBMIT then option 1 to View or 2 to Edit the job.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 6.  RE: Create PERMIT delete command, create RALT delmem,

    Posted Wed March 18, 2020 04:46 AM
    Edited by Rob van Hoboken Wed March 18, 2020 04:47 AM
    If for some reason you wish to keep the (now empty) grouping profiles, you could simply go to RA.R, specify the class name (and if you want, also the profile key/mask), hit Enter.  You see the profile(s), next enter an S in front of the profile you want to clean up, and you see the Access Control List (ACL) and the list of Members.  For entries you wish to delete, enter a D in front.  Hit Enter. 
    If you have Confirmation selected in SE.4, you get a prompt for each entry.  You could also suppress these prompts by typing SET in the command line.  Individual PERMIT DELETE and RALTER DELMEM are issued.
    Depending on the command Action mode in SE.4 and the SET panel, the commands are executed immediately, or written out to CKRCMD.

    Also, if you wish to remove a whole grouping profile, just doing RDELETE is good enough.  This is requested with a D line command in front of the profile key.

    ------------------------------
    Rob van Hoboken
    ------------------------------