IBM Security Z Security

Security for Z

  • 1.  Group Access List Counter

    Posted Wed October 25, 2023 12:56 PM

    Is there a field/variable that represents if the group is on a dataset/general profile access list?  Or a counter on the number of times it's on an access list?

    We want to see if there are groups we potentially want to cleanup because they might not serve a purpose.



    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Group Access List Counter

    Posted Thu October 26, 2023 03:03 AM

    Hi Linnea,

    I am not aware of any such counter that exists in RACF. 

    But when you have a zSecure license, the following lines of CARLa code might be of interest to you. This CARLa can report about the number of ACL-entries for a particular group and, optionally, include the class and profile names.

    newlist type=racf
    define #stripacl subselect acl(id=<group-name>)
     select class(dataset,general) segment=base userid=<group-name>
    sortlist class key #stripacl
    summary class count(5)          

    Notes about the CARLa:

    • The #stripacl only selects the ACL entry for the group that you want to report about.
    • The select statement filters all resource profiles that have an ACL entry for the target group.
    • The sortlist statement is used to include the class name, profile name, and ACL entry in the report. If you are only interested in the ACL statistics, you can remove the sortlist statement.
    • The summary shows the number of permits for this group in all resource profiles, and also the number of group permits per resource class.

    When I run this on my system for a group named CRMB, it produces something along the lines of:
    P R O F I L E   L I S T I N G   25 Oct 2023 23:45                                                           
                                                                                                                
    Complex  Class    Count Class    Profile key                                  User     Access  ACL id   When
    NMPIPL87            347                                                                                     
             ACCTNUM      1                                                                                     
                            ACCTNUM  ACCT#                                        -group-  ALTER   CRMB         
             CCICSCMD     7                                                                                     
                            CCICSCMD *                                            -group-  ALTER   CRMB         
                            CCICSCMD ATOMSERVICE                                  -group-  ALTER   CRMB         
                            CCICSCMD PROGRAM                                      -group-  READ    CRMB         
                            CCICSCMD SHUTDOWN                                     -group-  UPDATE  CRMB         
                            CCICSCMD STATISTICS                                   -group-  READ    CRMB         
                            CCICSCMD TASK                                         -group-  READ    CRMB         
                            CCICSCMD TRANSACTION                                  -group-  UPDATE  CRMB         
             CONSOLE      1                                                                                     
                            CONSOLE  SDSF                                         -group-  READ    CRMB         
             CRYPTOZ      3                                                                                     
                            CRYPTOZ  CLEARKEY.TTOKEN1                             -group-  CONTROL CRMB         
                            CRYPTOZ  SO.TTOKEN1                                   -group-  CONTROL CRMB         
                            CRYPTOZ  USER.TTOKEN1                                 -group-  UPDATE  CRMB         
             CSFKEYS      3                                                                                     
                            CSFKEYS  **                                           -group-  READ    CRMB         

    But be aware that when a group has a permission in a RACF resource profile, it does not mean that this permission is actually used to access the protected resources. For that purpose, you would be better off using the zSecure Access Monitor, if it is active on your systems. 

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: Group Access List Counter

    Posted Thu October 26, 2023 04:52 AM
    Edited by Rob van Hoboken Thu October 26, 2023 04:54 AM

    Newlist type=ID provides flags and statistics about USER and GROUP IDs.  One of them shows if the ID was used in a PERMIT.

    newlist type=id
      select class=group id=sys*
      sortlist id racf_permit

    Also, you can use newlist type=RACF_ACCESS to calculate statistics about IDs:

    newlist type=racf_access
      select class<>group id=sys* exists(id:subgrpct)
      summary id * class max(access) count

    This shows the groups (only groups have a subgroup count field) matching SYS*, the number of permits, and the highest access level for each.  If you only need the total number of permits, you can remove the "* class" from the summary command.

    Note: not tested, maybe Tom can provide some sample reports and improvements.

    Note: I seem to remember that (all of) these reports ignore conditional access entries.  When I last used zSecure, that included the Access Monitor based reports.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: Group Access List Counter

    Posted Thu October 26, 2023 05:12 AM
    Edited by Tom Zeehandelaar Thu October 26, 2023 05:19 AM

    I can confirm that the sample code that Rob suggested for newlist type ID is correct in showing a flag for each selected group profile whether that group is used in a permit. When I run it on my test system, it produces:

    I D   26 Oct 2023 11:08
                           
    Id       Prm           
    SYSAPPL  Yes           
    SYSAUDIT Yes           
    SYSAUTH  Yes           
    SYSCTLG  Yes           
    SYSOPR   Yes           
    SYSP     No            
    SYSPROG  Yes           
    SYSTEST  No            

    The second sample, based on newlist type RACF_ACCESS, also works, but had a mistake: max(access) should have been coded as access(max).

    Also, I added an extra filter in the select statement, access<>qualown, to suppress the access that newlist RACF_ACCESS otherwise reports for the owner of the resource profile. 

    Sample output from my system looks like:

    R A C F   A C C E S S   A U T H O R I Z A T I O N S   26 Oct 2023 11:11
                                                                           
    Id       Class    Access    Count                                      
    SYSAPPL           ALTER        54                                      
             DATASET  ALTER        21                                      
             FACILITY READ         18                                      
             PROGRAM  READ          4                                      
             VMPOSIX  NONE          1                                      
             XFACILIT READ         10                                      
    SYSAUDIT          ALTER        81                                      
             CSFSERV  READ          1                                      
             DATASET  ALTER        28                                      
             FACILITY UPDATE        9                                      
             OPERCMDS ALTER        14                                      
             PROGRAM  READ          5                                      
             SDSF     READ          2                                      
             SERVAUTH READ          3                                      
             SURROGAT READ          3                                      
             XFACILIT UPDATE       16                                      
    SYSAUTH           ALTER       145                                      
             DATASET  NONE          2                                      
             FACILITY ALTER        77                                      



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------
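    The thread describes the corrected RACF_ACCESS query but never shows it in one piece. Assembled here as an added example, not code posted by Rob or Tom: Rob's query from reply 3 with the two changes Tom reports in reply 4 (access(max) instead of max(access), and the access<>qualown filter). It assumes that several conditions on one CARLa select statement combine as AND, as they do in the queries above, and that the output columns follow Tom's sample (Id, Class, Access, Count). The second newlist repeats Rob's type=ID query so that groups with Prm=No, the cleanup candidates, appear in the same run.

```carla
/* Added example, assembled from the corrections stated in the thread. */
/* Per-group permit statistics: total count per group, plus per class  */
/* the highest access level and the number of permits.                  */
newlist type=racf_access
  select class<>group id=sys* exists(id:subgrpct) access<>qualown
  summary id * class access(max) count

/* Flag listing: groups with Prm=No have no permit anywhere and are     */
/* the candidates the original question asks about.                     */
newlist type=id
  select class=group id=sys*
  sortlist id racf_permit
```

    As Tom notes above, a permit that exists is not a permit that is used; confirm with Access Monitor data before deleting a group, and use the SR line command in RA.G to check ownership and connects as well.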



  • 5.  RE: Group Access List Counter

    Posted Thu October 26, 2023 06:31 AM

    By the way, if you're deleting these groups from RA.G, you can use the SR (show relevant/references) line command to inspect permits, ownership etc. of the ID, before using D.



    ------------------------------
    Rob van Hoboken
    ------------------------------