I am trying to determine the usage of a number of classes by executing two queries of TYPE=ACCESS. One query select the usage of existing profiles (ACCESS_RESULT<>4) whereas the other query selects the usage of resource names that do not match an existing profile (ACCESS_RESULT=4).

The effect of assessing multiple classes in one query does however puzzle me quite a bit. The below is the result of a repetitive execution of the same CARLA queries, with the SELECT statements being the only difference:
 - step CARLA0 selects class=(XXXNR,XXXXNR,XXXXXXT*)
 - steps CARLA1 through 8 each selects the one of the 8 classes
 - step CARLA9 selects class XXXNR and XXXXNR in two select statements
 - step CARLA10 selects the six classes matching XXXXXXT*
 - step CARLA11 selects the eight classes in eight select statements, each indicated explicitly
 - step CARLA12 selects the eight classes in three select statements, matching XXXNR, XXXXNR and XXXXXXT*.

-STEPNAME PROCSTEP    RC       MSUhr        CPU           zIIP         Run   
-CARLA0               00       60,5458     19:20,50      0:00,00     20:10,67
-CARLA1               00        1,7978      0:34,46      0:00,00      0:38,19
-CARLA2               00        1,7696      0:33,92      0:00,00      0:37,13
-CARLA3               00        1,7529      0:33,60      0:00,00      0:36,73
-CARLA4               00        1,7639      0:33,81      0:00,00      0:36,88
-CARLA5               00        1,7524      0:33,59      0:00,00      0:36,71
-CARLA6               00        1,7597      0:33,73      0:00,00      0:36,83
-CARLA7               00        1,7858      0:34,23      0:00,00      0:37,49
-CARLA8               00        1,7748      0:34,02      0:00,00      0:37,63
-CARLA9               00       60,0403     19:10,81      0:00,00     19:51,69
-CARLA10              00        1,7863      0:34,24      0:00,00      0:37,64
-CARLA11              00       62,0859     19:50,02      0:00,00     20:20,70
-CARLA12              00       60,4816     19:19,27      0:00,00     19:50,09

I would have expected that the aggregate execution time and CPU consumption of CARLA1 through CARLA8 would be approximately the same as that of CARLA0, CARLA11 and CARLA12 and approximately the same as that of CARLA9 and CARLA10 combined. However, execution time and CPU consumption seems to be increasing by a factor four by having multiple selects on class.

Does anyone have an idea of the reason behind this?

------------------------------
Mikael Rasmussen
Senior Mainframe Security Engineer
Danske Bank

------------------------------

Newlist type of ACCESS not only shows fields from the ACCESS records it read, but also simulates RACF processing by looking up the profile in the current RACF database, for the resource from the ACCESS record.  This lookup is much more expensive (CPU wise) than record processing, so zSecure tries to perform the simulation only for ACCESS records that match the select criteria.  This attempt to reduce the need for simulation is called pre-selection.  See the introduction for ACCESS in the manual.  The effect of pre-selection is reported in message CKR2480.

My guess is that complicated SELECT conditions disable pre-selection, and complicated probably refers to more than one SELECT command, or a CLASS field selection using a list of values.  This means the records cause correlation with RACF profiles, and only after the correlation is the record dropped by SELECT processing.  Message CKR2471 would tell you.
------------------------------
Rob van Hoboken
------------------------------

Thank you, Rob.

After reviewing the SYSPRINT messages, this is indeed the case. Pre-selection is skipped if the SELECT statement gets too complicated - probably related to a logical "or".

With this in mind, I reconstructed the NEWLIST statements that avoids the logical "or" and merged the output with MERGELIST. In this case, pre-selection is done and the output from the query is the exact same, just completed with the efficiency that I was hoping for.

------------------------------
Mikael Rasmussen
Senior Mainframe Security Engineer
Danske Bank
Brabrand
+4540766221
------------------------------

Original Message:
Sent: Sun June 08, 2025 09:12 AM
From: Rob van Hoboken
Subject: zSecure Access Monitor performance.

Newlist type of ACCESS not only shows fields from the ACCESS records it read, but also simulates RACF processing by looking up the profile in the current RACF database, for the resource from the ACCESS record.  This lookup is much more expensive (CPU wise) than record processing, so zSecure tries to perform the simulation only for ACCESS records that match the select criteria.  This attempt to reduce the need for simulation is called pre-selection.  See the introduction for ACCESS in the manual.  The effect of pre-selection is reported in message CKR2480.

My guess is that complicated SELECT conditions disable pre-selection, and complicated probably refers to more than one SELECT command, or a CLASS field selection using a list of values.  This means the records cause correlation with RACF profiles, and only after the correlation is the record dropped by SELECT processing.  Message CKR2471 would tell you.
------------------------------
Rob van Hoboken
------------------------------