Hi Mory,
In addition to TODAY, there is also DUMPDATE, which would use the date that an UNLOAD was created. (For a live source, it would be the same as TODAY.)
The creation date of a user is in the AUTHDATE field, which can also be addressed through the aliases CREADATE or DEFDATE.
RACF template definitions Line 374 of 640
Command ===> _________________________________________________ Scroll===> CSR
3 Jan 2024 08:16
Complex   Timestamp          Template  Custom
ZOSV2R2   3 Jan 2024 08:16        595      45
   Entity  Segment  Field     Id  Alias-of  Group  Bytes  Dflt  Format  Outlen
__ USER    BASE     AUTHDATE   4                       3  FF    Date        11
__ USER    BASE     CREADATE   4  AUTHDATE             3  FF    Date        11
__ USER    BASE     DEFDATE    4  AUTHDATE             3  FF    Date        11
----
And some related thoughts:
The LJDATE in your example is the last use date, which is either the last time the user logged on or the last time an administrator updated the profile. Because of this ambiguity, zSecure usually uses the LAST_CONNECT_DATE for the last use date instead. You can find examples with that in SCKRCARL members like CKRDLGAG.
VIEW CRMA.D.ZSSDEV.$BASE.SCKRCARL(CKRDLGAG) - 18.17 Columns 00001 00072
Command ===> ________________________________________________ Scroll ===> CSR
000010 * Purpose:
000011 * Overview of last logon
000012 * Notes:
- - - - - - - - - - - - - - - - - - - 8 Line(s) not Displayed
000021 * On the use of LAST_CONNECT_DATE:
000022 * This is the maximum of the CGLJDATEs: EZ1901001
000023 * - this value is less susceptible to other updates (such
000024 * as ALTUSER) besides RACINITs than LJDATE
000025 * - on the other hand, if the user's most recent logon group
000026 * is deleted, the estimate may be set back in time
000027 * - RACF uses LJDATE to determine the inactivity interval, so
000028 * some other LG* samples must not use this field
000047 /* Detail last logon interval ranges non-revoked users TCR2300*/
000048 define NrvLjCntRecent('<2 weeks' 10 np db) COUNT where /*TCR2300*/
000049 (last_connect_date<>never, /*930622.43*/
000050 last_connect_date>dumpdate-14, /*930622.43*/
000051 not(revoke) revoke_inactive=no) /*TCR2300*/
This report is part of AU.S - RACF user.
And so is CKRDPWAG, which is the equivalent overview for password and pass phrase changes, which uses the PASSDATE_EFFECTIVE and PHRDATE_EFFECTIVE fields.
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development Manager IBM Security zSecure Suite
Delft
------------------------------
Original Message:
Sent: Fri December 29, 2023 12:25 PM
From: Mory Bindler
Subject: zSecure report of user accounts created in last 30 days
Hello All,
In searching through the sample members in the SCKRCARL library I don't see any samples of how to produce a report of user accounts that were created since a specific date, e.g. 30 days ago. I'm using zSecure 2.4. Does anyone have a sample batch job for this? Also, I tried to do this via the zSecure panels with the report option and userdata (option 9) but the results display contains last connect and last use date only, no create date. Here are the input data I used in the report panel:
Menu Options Info Commands Setup
─────────────────────────────────────────────────────────────────────────────
zSecure Admin+Audit for RACF 0.1 s CPU, RC=
Command ===>
Enter up to 3 SELECT condition sets:
Select class=user
Select ljdate>2023-10-29
Select
Enter up to 3 EXCLUDE condition sets:
Exclude dfp or omvs or tso
Exclude
Exclude
Enter output variables:
Display key(8,key) complex segment pgmrname dfltgrp owner revoke(1) |
revoke_inactive(1) | protected(1) spec(1) | oper(1) | auditor(1)
adsp(1) | grpacc(1) any_group_soa(1) congrpct clcnt last_connect_date
ljdate ljtime seclabel passdate passint revokedt resumedt instdata
flag4 class connects connects:data / clname(header) / raclink(header)
Select a set of standard report variables for one of these profile classes:
User Dataset Connect General resource with cond.acc.list
Group Tape General resource with member list
*ZSECURE
------------------------------
Mory Bindler
------------------------------
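The pointers in the reply, put together as a CARLa query for the original question. This is an added example, not code from either poster or from SCKRCARL. The 30-day window and the choice of output columns (taken from the panel input in the original message) are assumptions, and the second list assumes that conditions separated by spaces on one SELECT are combined with AND.

```carla
/* Added example (constructed): users defined in the 30 days before */
/* the RACF source was taken. On a live source DUMPDATE is TODAY.   */
newlist type=racf
  select class=user authdate>dumpdate-30
  sortlist authdate key(8) dfltgrp owner revoke(1) last_connect_date

/* Same window, restricted to user IDs that have never connected.   */
newlist type=racf
  select class=user authdate>dumpdate-30 last_connect_date=never
  sortlist authdate key(8) dfltgrp owner revoke(1)
```

AUTHDATE can be replaced by its aliases CREADATE or DEFDATE. Comparing against DUMPDATE rather than TODAY keeps the window relative to when an UNLOAD was created.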