IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  revoke connects with/without a revoke date.

    Posted Tue June 10, 2025 07:51 AM

    L.s

    I have created a CARLA query to display all revoke connects to RACF groups. But I want to select only the revoke connects with a revoke date in them.

    How to do that? I need to do something with subselect and the GRPREVOKEDT field, but I don't know how.

    Herewith my query to select all revoked connects.

    alloc type=unload dsn='SYHME.CNR##AC1.CKRUNL(0)' complex=AC             

    newlist type=racf_access outlim=1 nopage dd=ckr2pass ll=32752           
    sortlist " " /, ` ` /,                                                  
        `alloc type=unload` ,                                               
        `dsn='SYHME.CNR##` | complex(2) | `1.CKRUNL(0)'` ,                  
        `complex=` | complex(2) | /,                                        
        `newlist   emptylist=hide i=base n=basegd nopage,` /,               
        `    t=:t1 st='All profiles with only  revoke connects'` /,         
        `def connects(universal) subselect connects( (GrpRevoke))           
    ` /,                                                                    
        `select s=base c=group` `and (((,`                                  
    newlist type=racf_access nopage nodup dd=ckr2pass ll=32752              
    select class=group (:GrpRevoke)                                         
    sortlist | profile(0) | ","                                             
    summary `    )) or (complex=`(0) | complex(8) | ` key=(,`(0) count(0,nd)
    newlist type=racf_access outlim=1 nopage dd=ckr2pass ll=32752           
    sortlist `    )))` /,                                                   
       `sortlist key(8,nd) connects, key(8,retain)`        



    ------------------------------
    Stan van OERS
    ------------------------------


  • 2.  RE: revoke connects with/without a revoke date.

    Posted Wed June 11, 2025 04:05 AM
    Edited by Rob van Hoboken Wed June 11, 2025 04:09 AM

    Hi Stan.

    The GROUP REVOKE DATE field can be found in the USER profile, the field name is CGREVKDT.  The corresponding group name is CGGRPNM.  A report could be

    newlist type=racf
      select class=user cgrevkdt<>never
      sortlist profile(8,"User id") cggrpnm cgrevkdt cgflag4

    Obviously, you could also use sortlist profile(8) connects, but you cannot use CGREVKDT in a SUBSELECT CONNECTS to make the list shorter.  The right field name is GRPREVOKEDT.  See the manual.

    This code could work:

    newlist type=racf
      define connects subselect connects(grprevokedt<>never)
      select class=user cgrevkdt<>never
      sortlist profile(8) connects

    You could also use newlist type=racf_access.  This code should get your results:

    newlist type=racf_access
      select class=group :cgrevkdt<>never
      sortlist profile(8) id(8) :cgrevkdt  :cgflag4


    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: revoke connects with/without a revoke date.

    Posted Wed June 11, 2025 06:06 AM

    Rob,

    Thanks. :cgrevkdt<>never was the missing statement for me.

    With Kind regards,

    Stan van Oers

    Kyndryl Mainframe Technical Specialist for ABN AMRO

    Mobile: +31(0)6-51344171

    E-mail: stan.van.oers@kyndryl.com

    www.kyndryl.com

    Free day on Monday in the odd weeks.