IBM Security Z Security

Security for Z

  • 1.  Specifying the complex an assertion applies to via the panels

    Posted 22 days ago

    Hi,

    In zSecure Audit is there a way to make an assertion via the panels (AU.R.C) and specify which complex it applies to?

    I am trialling making unloads and CKFREEZEs from multiple environments available on one lpar and then running all the compliance checks from there.

    As an example, if I attempt to update the CONFIGS (Configuration of resource names for domain sensitivities):


    There does not appear to be an option to say which environment that assertion is for:

    I see there is a field SELECT_COMPLEX available for report type ASSERT, but it doesn't populate with anything when I make my assertion via the panel.


    If you have any suggestions that would be great. 



    ------------------------------
    Nathan Shrive
    ------------------------------


  • 2.  RE: Specifying the complex an assertion applies to via the panels

    Posted 22 days ago

    Nathan,

    No, not right now.
    AU.R.C was designed to handle configuration alerts and members for the whole domain.



    ------------------------------
    Ronald van der Laan
    ------------------------------



  • 3.  RE: Specifying the complex an assertion applies to via the panels

    Posted 22 days ago

    Thanks for confirming Ron.

    In that case I think my solution would be to have different ASSERT dataset prefixes for each system.

    Related to that, one of the things I am trying to do is report on the configuration assertions for each system. I had been using code like below to get the system name. But now that I am running the jobs for all environments on a single lpar, :run.system('System') is no longer suitable. Can you think of a way I could access the complex field instead, as it's not available in report type ASSERT?

    alloc type=RACF backup active complex=[lpar]
    alloc type=ASSERT DSNPREF=[asrtpref].ASR SAVE POSTPONE
    alloc type=CKFREEZE DD=C3IOC0 complex=[lpar]
    alloc type=CKRCMD DD=CKRCMD03

    n type=assert name=ASSERTCF nodetailinherit dd=ASSERTCF,
     header=prefix prefixlen=0 prefixsep=' ' header=tsvt retain

     select assert_as_state=config
     exclude ifdefined(ASSERT_EXCLUDE)

     sortlist,
        :run.datetime(9,"Run_Date"),
        :run.system('System'),
        select_complex(0,"Asserted_System"),
        assert_etod(nd,bw),
        assert_datetime(9,"Asrt_date"),
        ASSERT_ENDDATE(9,"End_date"),
        ASSERT_CURRENT,
        ASSERT_ERROR,
        assert_recorder(0,"Asserter_UserID"),
        assert_by(0),
        assert_comment(0),
        CONFIG_MASKTYPE("Mask_type"),
        SELECT_CLASS("Selected_Class"),
        config_resource(0,"Value")



    ------------------------------
    Nathan Shrive
    ------------------------------



  • 4.  RE: Specifying the complex an assertion applies to via the panels

    Posted 21 days ago
    Edited by Rob van Hoboken 21 days ago

    Nathan,

    Does the NEWLIST TYPE=ASSERT output benefit from the ALLOC commands for TYPE=RACF and TYPE=CKFREEZE?  I would have thought it just needs the TYPE=ASSERT file.

    However, if you have a properly written ALLOC for, say, TYPE=CKFREEZE, with a COMPLEX specified, you could use NEWLIST TYPE=RUN_DD to print the COMPLEX value from that ALLOC command in the same report file, preceding the ASSERT report:

    newlist type=run_dd 
      select type=CKFREEZE
      sortlist complex system datetime :run.datetime

    Unfortunately, you cannot use :run_dd, so integrating the complex name into your tsvt is more complex.

    Regarding your shared assert file, you could of course stay away from AU.R.C and manage your assert file using the trusted editor, or using a spreadsheet with a formatting formula, relying on the syntax documented here, and INCLUDE these into your compliance evaluations as CARLa commands.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: Specifying the complex an assertion applies to via the panels

    Posted 17 days ago

    Thanks Rob.

    "Unfortunately, you cannot use :run_dd, so integrating the complex name into your tsvt is more complex."

    Yeah that's where I'm getting stuck.

    A bit of background as to why I am trying to get the lpar name as part of this report. I'm generating 3 reports for each lpar when I run the compliance checks:

    1. A summary of the results (using report type compliance_rule_set)
    2. The full results (using report type compliance)
    3. A report of all the configuration asserts plus the contents of the CKACUST and CKACUSV libraries

    The reports are all generated in TSV format, uploaded to SharePoint and the results displayed in a PowerBI dashboard. The idea is that for each lpar the results and all the inputs are available to end users and auditors to review so they get the complete picture. For this to work the way I'm intending each row of each report needs to contain the lpar it relates to so that the tables in the dashboard can be filtered on lpar.

    So if you happen to have an answer to how you would get the complex value into the tsv I would be very grateful.

    My current workaround is to include the below statement. But it doesn't completely solve my problem as in my reports I do some lookups of the complex value to return other fields I have defined, which obviously doesn't work when I do it this way.

    DEFINE TYPE=ASSERT assert_sys("System",str$blank("&LPAR."),0) true



    ------------------------------
    Nathan Shrive
    ------------------------------



  • 6.  RE: Specifying the complex an assertion applies to via the panels

    Posted 17 days ago
    Edited by Rob van Hoboken 17 days ago

    As I suggested before, ASSERT is a dumb newlist type that dumps the assertion input.  It has no system or complex affiliation, i.e., the CKFREEZE information is not used for this newlist.  Only lookups to newlist type=RACF and RUN are allowed.

    If you need more fields in each ASSERT output line, you would have to write a DEFINE TYPE=ASSERT for each field with literal contents, like you did with assert_sys before.  If you need more fields, add as many defines.

    If you have your LPAR name in a JCL symbol, you could use:

    // EXPORT SYMLIST=(LPAR,COMPLEX)
    // SET LPAR=PROD,COMPLEX=PRODPLEX
    // EXEC C2RC
    //DEFINES DD *,SYMBOLS=JCLONLY
      DEFINE TYPE=ASSERT assert_sys("System",str$blank("&LPAR."),0) true
      DEFINE TYPE=ASSERT assert_plex("Plex",str$blank("&COMPLEX."),0) true
    /*
    //SYSIN DD *
      ....
      IMBED DD=DEFINES

    If you need lookup functionality, generate those DEFINE commands in a preceding CKRCARLA step (writing to a tempfile allocated to CKR2PASS) and IMBED them into your reporting step.

    Alternatively, and with more flexibility, add a step AFTER your reporting step to mangle the TSVT with ASSERT output, adding fields in each line to your liking, before sending the result over to SharePoint.

    ------------------------------
    Rob van Hoboken
    ------------------------------
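
The post-processing step suggested in the reply above, as an added example that is not code from the thread or from zSecure: it tags every row of a tab-separated report with the LPAR, the complex, and attributes looked up from the complex, and refuses to emit rows it cannot attribute. It assumes the first non-blank line is the column header; the attribute table, column names and sample report are constructed.

```python
# Added example: tag every row of a TSV report with the system it belongs to.
# The lookup table, column names and sample rows are constructed for illustration.

COMPLEX_INFO = {  # hypothetical per-complex attributes the dashboard filters on
    "PRODPLEX": {"Environment": "Production", "Owner": "zOS-Ops"},
    "TESTPLEX": {"Environment": "Test", "Owner": "zOS-Dev"},
}

def tag_assert_tsv(tsv_text, lpar, complex_name, info=COMPLEX_INFO):
    """Prepend System, Plex and looked-up attribute columns to each row."""
    if complex_name not in info:
        # Fail closed: a row without a known complex could be attributed
        # to the wrong system in the audit evidence.
        raise KeyError(f"no attributes defined for complex {complex_name!r}")
    extra = {"System": lpar, "Plex": complex_name, **info[complex_name]}
    for name, value in extra.items():
        if "\t" in value or "\n" in value:
            raise ValueError(f"{name} value would break the TSV layout")

    lines = [ln for ln in tsv_text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("report is empty, no header row found")
    header = lines[0].split("\t")
    clash = set(extra) & set(header)
    if clash:
        # Do not silently shadow a column the report already carries.
        raise ValueError(f"columns already present: {sorted(clash)}")

    out = ["\t".join(list(extra) + header)]
    for number, line in enumerate(lines[1:], start=2):
        fields = line.split("\t")
        if len(fields) != len(header):
            # A stray tab in a comment field would shift every later column.
            raise ValueError(f"row {number}: {len(fields)} fields, expected {len(header)}")
        out.append("\t".join(list(extra.values()) + fields))
    return "\n".join(out) + "\n"

# Constructed sample in the shape of the thread's ASSERT report (subset of columns).
SAMPLE = (
    "Run_Date\tAsserter_UserID\tMask_type\tSelected_Class\tValue\n"
    "2024-01-15\tAUDIT01\tGeneric\tFACILITY\tBPX.*\n"
    "2024-01-15\tAUDIT02\tDiscrete\tDATASET\tSYS1.PARMLIB\n"
)

if __name__ == "__main__":
    print(tag_assert_tsv(SAMPLE, "PROD", "PRODPLEX"), end="")
```

A report that already carries a column named System, such as one produced with :run.system('System'), is rejected by the clash check, so rename one of the two columns before tagging.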



  • 7.  RE: Specifying the complex an assertion applies to via the panels

    Posted 21 days ago

    Nathan,

    The ASSERT newlist has SELECT_* fields that report the complex, system, class, etc., that apply to the assertion record.

    Field                                        Description                    Len MaxLn Format
    SELECT_CLASS                                 Object type or resource class    8       Char  
    SELECT_COMPLEX                               Complex name                     8       Char  
    SELECT_PROFTYPE                              Profile or data set type         7       Char  
    SELECT_RESOURCE                              Object or resource name         64  1024 Char  
    SELECT_SYSTEM                                System name                      8       Char  
    SELECT_VOLSER_KEY                            Volume serial key                6       Char  

    So, just change "select assert_as_state=config" into "select assert_as_state=config select_complex=('????','<all>')"

    The <all> is to also select the assertions without any complex, as they, unless superseded by a more specific assertion, also apply to the systems in the selected complex.

    Note that the AU.R.H menu generates the following CARLa command:

    define type=assert assert_exclude boolean where,
      not(select_complex=(????,'<all>'))
    imbed member=CKADQEA

    (or member=CKALQEA for print output)



    ------------------------------
    Ronald van der Laan
    ------------------------------