IBM Security Z Security

Security for Z

  • 1.  List all userids and all CLASSes authorized

    Posted Thu May 07, 2020 03:23 AM
    Hi,
    to create a list of all General Classes accesses for a userid USER01 and USER02:
    SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF,          
    SPECIAL AUDIT GRPAUDIT GRPOPER GRPSPEC OWNER PWDCHANGE,      
    SELFCON ALTER-M CKGRACMAP CKGRACDCERT CKGOWNER CREATE)       
    N REQUIRED N=SCOPE0L TYPE=REPORT_SCOPE,                      
    TOPTITLE="USER AUTHORIZATION FOR each userid and clss-access "
      DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)                  
      S C=CLSS C<>DATASET                                        
      sortlist id(page,toptitle) id:name(page,toptitle),         
      complex(page,toptitle) stamp(toptitle),                    
       class key(nondispl),                                      
       proftype key("Profile name")                              
     REPORT SCOPE=user01 scope=user02  

    REPORT:

    USER AUTHORIZATION FOR each userid and clss-access USER01   BARBARA BELL
                                                                            
    Class    Type    Profile name                                           
    CLSS                 TSO#T                                                  
    CLSS                 WSF                                                    
    USER AUTHORIZATION FOR each userid and clss-access USER02  GERD MUELLER
                                                                            
    Class    Type    Profile name                                           
    CLSS                 R0ERD#P                                                
    CLSS                 TSO#B                                                  
    CLSS                 TSO#P                                                  
    CLSS                 TSO#T                                                  
    CLSS                 WSF   

    Now my question: I'd like to list all userids with the CLASS=CLSS accesses.

    How can I do that?

    Many thanks



    ------------------------------
    [Rachid B.] [Kebbi]
    [Security Administrator]
    [C&A]
    [Düsseldorf/Germany]
    ------------------------------


  • 2.  RE: List all userids and all CLASSes authorized

    Posted Thu May 07, 2020 04:50 AM
    Edited by Jeroen Tiggelman Thu May 07, 2020 04:51 AM
    Hi Rachid,

    Instead of specifying one statement

        REPORT SCOPE=user01 scope=user02

    you can also specify separate statements

        REPORT SCOPE=user01
        REPORT scope=user02

    If you specify such a statement for each user in the database, that should give you what you want.

    You can generate these statements with another CARLa query:
    n type=racf nopage; s c=user s=base; list "REPORT SCOPE=" | key

    To generate the entire query you can do:
    n type=system nopage outlim=1 dd=ckr2pass;
    sortlist ,
    `SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF,` /,
    `SPECIAL AUDIT GRPAUDIT GRPOPER GRPSPEC OWNER PWDCHANGE,` /,
    `SELFCON ALTER-M CKGRACMAP CKGRACDCERT CKGOWNER CREATE)` /,
    `N REQUIRED N=SCOPE0L TYPE=REPORT_SCOPE,` /,
    `TOPTITLE="USER AUTHORIZATION FOR each userid and clss-access "` /,
    ` S C=CLSS` /,
    ` sortlist id(page,toptitle) id:name(page,toptitle),` /,
    ` complex(page,toptitle) stamp(toptitle),` /,
    ` class key(nondispl),` /,
    ` proftype key("Profile name")`
    n type=racf nopage dd=ckr2pass
    s c=user s=base; sortlist "REPORT SCOPE=" | key

    This will write the commands to CKR2PASS for your review when run in the UI, then you can press PF3 and 'R' before the file to execute the resulting query.

    Regards,

    --Jeroen

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: List all userids and all CLASSes authorized

    Posted Fri May 08, 2020 03:43 AM
    Edited by Rob van Hoboken Fri May 08, 2020 03:57 AM

    I am not entirely sure how you want this report of user IDs formatted.  Here is another example that you could use.  It lists the CLSS profiles, and for each profile it shows the user IDs that have access via a PERMIT or a CONNECT.   Change the overriding length (8) to the maximum length of your profile keys:
    newlist type=racf
     select class=CLSS segment=base 
      sortlist class key(8) acl(resolve)
    We use the RESOLVE modifier to find specific (user ID) PERMITs, and the highest access level that a user has via his/her CONNECTs.
    If you use ACL(RESOLVE) a lot, you could also define a field name, and use that in subsequent commands:
    newlist type=racf
      define users_on_acl(resolve,aclid,"Userid") as acl
     select class=CLSS segment=base
     sortlist class key(8) users_on_acl users_on_acl:name
    If you wish to import your report into a database or spreadsheet, you could change the NEWLIST command to repeat the profile class and key in all lines:
    newlist type=racf retain
    You can suppress the page and column headers:
    newlist type=racf nopage
    And you could generate a CSV formatted data set:
    newlist type=racf retain header=csvt

    ------------------------------
    Rob van Hoboken
    ------------------------------
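Added example, not part of the original posts and not IBM code: a Python sketch that turns the profile-centric CSV from the `retain header=csvt` report above into the per-userid view asked for in the first post. The column order (class, key, userid, name), the single title row, and the sample rows are assumptions constructed for illustration; `pivot_by_user` is a hypothetical helper name.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, not real zSecure output. Column order is assumed to
# follow the SORTLIST in the post: class, key, users_on_acl, users_on_acl:name.
SAMPLE_CSV = """\
Class,Key,Userid,Name
CLSS,R0ERD#P,USER02,GERD MUELLER
CLSS,TSO#B,USER02,GERD MUELLER
CLSS,TSO#P,USER02,GERD MUELLER
CLSS,TSO#T,USER01,BARBARA BELL
CLSS,TSO#T,USER02,GERD MUELLER
CLSS,WSF,USER01,BARBARA BELL
CLSS,WSF,USER02,GERD MUELLER
CLSS,WSF,*,
CLSS,UNUSED#X,,
"""

def pivot_by_user(csv_text, has_title_row=True):
    """Return (per_user, everyone, orphans) from profile-centric rows.

    per_user: {userid: {"name": str, "profiles": sorted [(class, key)]}}
    everyone: profiles carrying an ID(*) entry, which apply to all users
    orphans:  profiles whose access list listed no user at all
    """
    rows = csv.reader(io.StringIO(csv_text))
    if has_title_row:
        next(rows, None)                      # skip the assumed title row
    names, access = {}, defaultdict(set)
    everyone, seen, with_user = set(), set(), set()
    for row in rows:
        if not any(f.strip() for f in row):   # blank separator line
            continue
        cls, key, userid, name = ([f.strip() for f in row] + [""] * 4)[:4]
        profile = (cls, key)
        seen.add(profile)
        if userid == "*":
            everyone.add(profile)             # report separately, not as a user
        elif userid:
            access[userid].add(profile)
            names.setdefault(userid, name)
            with_user.add(profile)
    per_user = {u: {"name": names[u], "profiles": sorted(p)}
                for u, p in sorted(access.items())}
    return per_user, sorted(everyone), sorted(seen - with_user - everyone)

if __name__ == "__main__":
    users, everyone, orphans = pivot_by_user(SAMPLE_CSV)
    for uid, info in users.items():
        print(uid, info["name"], [key for _, key in info["profiles"]])
    print("ID(*):", everyone, "no users:", orphans)
```

Profiles with an `ID(*)` entry and profiles with no user on the access list are returned separately so they can be reviewed rather than silently dropped from the per-user listing.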


  • 4.  RE: List all userids and all CLASSes authorized

    Posted Mon May 11, 2020 09:50 AM
    Many, many thanks.
    Best regards, freundliche Grüße, meilleures salutations, saludos cordiales

    Rachid Bachir KEBBI
    IT-Administration - Authorization


