Thanks again. I have a lot of learning to do. Sorry to waste the forum's time with things that are in the manuals.
Original Message:
Sent: 8/17/2023 11:09:00 AM
From: Jeroen Tiggelman
Subject: RE: Trying to call zSECURE CARLA from REXX?
Hi Gregory,
You can specify multiple ACL format modifiers together, like so:
newlist type=racf
define usersaccess(explode universal) subselect acl(user=ABC)
select class=TCICSTRN key=XYZ
sortlist profile uacc usersaccess
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
------------------------------
Original Message:
Sent: Thu August 17, 2023 11:04 AM
From: Gregory Pinkowski
Subject: Trying to call zSECURE CARLA from REXX?
You guys are great. Thanks all. I really have to become an expert on CARLa!
So Jeroen, how do I specify UNIVERSAL?
I need to find all the zSECURE and CARLa manuals and tutorials etc. The company won't be providing any training this year...
Original Message:
Sent: 8/17/2023 10:39:00 AM
From: Jeroen Tiggelman
Subject: RE: Trying to call zSECURE CARLA from REXX?
Hi Rob,
Note that EXPLODE does not trigger UNIVERSAL; you have to specify that separately.
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
Original Message:
Sent: Thu August 17, 2023 10:22 AM
From: Rob van Hoboken
Subject: Trying to call zSECURE CARLA from REXX?
By the way, if you want to check if a user has access on a profile, or on a list of profiles, you can do this in a single CARLa call.
newlist type=racf
define usersaccess(explode) subselect acl(user=ABC)
select class=TCICSTRN key=XYZ
sortlist profile uacc usersaccess
The EXPLODE modifier causes all relevant connect groups to show up, including any direct permits. If you want zSecure to figure out if the user has (any) access, use the RESOLVE modifier instead; if access is given via one or more connect groups, one group name will be shown.
If the user has no explicit access, the output will show only the profile key and UACC value.
------------------------------
Rob van Hoboken
Original Message:
Sent: Wed August 16, 2023 09:15 PM
From: Gregory Pinkowski
Subject: Trying to call zSECURE CARLA from REXX?
Specifically, I have an application that makes a series of RACROUTE calls (up to 70) when a user enters the CICS application, in order to determine what application profile applies to the user. I have a local tool written in REXX for security admins that helps analyze the access lists for the relevant resource profiles.
I used to be a sysprog, BAL programmer, etc. ACF2 developer, but I am looking for an easier way to accomplish my goals than using ICHEINTY. zSECURE CARLA may be the answer but I am far more familiar with REXX. My similar REXX tool used to do this for ACF2 easily, now I want a RACF version. ACF TEST used to give detail, like the specific rule like that allowed.
I use the zSECURE ckgracf command to find out whether the user is "allowed" the resource. Unfortunately it gives no other useful information.
I do a RACF rlist and parse out the access list of permits, which are USERIDs and GROUPs.
I do a listuser of each to find out whether it's a USERID or a GROUP.
If it's a USERID then I see whether it's the USERID of interest and display it if it is.
If it's not a USERID I assume it's a GROUP.
That's where the problem is. I can't find any easy way of finding the USERIDs in a UNIVERSAL GROUP short of using ICHEINTY or a database unload utility.
But CARLa can do lovely things like this sample code:
newlist n=baseg3 segment=base nopage
select s=base c=group ,KEY=CICSINTG
sortlist connects(universal,8)
I can run that in batch, or from the zSECURE panels, but is there a way to call this CARLa in the foreground from my REXX, passing the KEY and retrieving the results?
I keep thinking RACF should have an easy way to display the USERIDs in a UNIVERSAL GROUP but I sure can't find it.
I imagine the real answer might be to learn to do all this in CARLa or indeed just use BAL assembler and the ICHEINTY interface.
But I'll bet zSECURE developers run CARLa in the foreground under TSO TEST to debug...so this should be do-able.
Performance is already terrible...I want the REXX to do this many thousands of times, so I am not expecting a miracle.
------------------------------
Gregory Pinkowski
------------------------------