IBM Security Z Security

Security for Z

  • 1.  zSecure - Simulating access from a list of resources

    Posted Tue February 01, 2022 06:09 AM
    Hi everyone,

    We are migrating some z/OS LPARs from CA-Top Secret to IBM RACF, and to check our migration process we want to run a zSecure simulation, with the RACF database loaded, where we have as input, extracted from CA-Top Secret, a list of resources for many classes, the access list and the related access level.
    The idea is to run batch CARLa code to have this information to compare with the CA-Top Secret input.

    Does anyone have the CARLa code to do this?

    Thank you




    ------------------------------
    Jose Villela Ribeiro Junior
    zSecurity Consultant
    ------------------------------


  • 2.  RE: zSecure - Simulating access from a list of resources

    Posted Tue February 01, 2022 07:24 AM
    Edited by Sander De Graaf Tue February 01, 2022 07:24 AM
    If you have a list of resources you can extract the access list from RACF as follows. I assume one of the resources is XFACILIT CKNDSN.SMF.READ

    newlist type=racf
      select class=XFACILIT bestmatch=CKNDSN.SMF.READ
      sortlist class profile acl(explode)

    This shows output like the following:
    Class    Profile key  User    Access ACL id
    XFACILIT CKNDSN.SMF.* USER1   READ   SYSPROG
                          OTHUSER READ   CRMA
                          LSTUSER READ   CRMA

    showing the profile used by the resource, and the users with their access. In this case the access is given through RACF groups.

    This may get you on track?

    Sander



    ------------------------------
    Sander De Graaf
    ------------------------------



  • 3.  RE: zSecure - Simulating access from a list of resources

    Posted Tue February 01, 2022 07:54 AM
    Thanks Sander,

    It can help, but the best approach for me is to check if the ACL was migrated successfully, so if zSecure could give the simulation access results, that is the better option, showing the RC code or something like this. I will pass to zSecure that user id ABCD has UPDATE on dataset SYS1.XYZ.XPTO and the result from the simulation should be OK or NOT OK and the reason, for example, the user id has READ by the group GROUPA.

    Does zSecure have that option?

    Thank you

    ------------------------------
    Jose Villela Ribeiro Junior IBM zSecurity Consultant
    ------------------------------
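
The comparison asked for above can be done outside zSecure once the ACL report exists. The sketch below is an added example, not code from any poster or from zSecure: it assumes the report is whitespace-separated as in the sample in post 2, uses constructed sample rows, and looks only at ACL entries (not UACC, ID(*) or the other reasons a scope report covers).

```python
# Added example: check expected access (e.g. extracted from CA-Top Secret)
# against rows of an "acl(explode)"-style report. Layout is an assumption.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample, modelled on the report layout shown in the thread.
SAMPLE_REPORT = """\
Class    Profile key  User    Access ACL id
XFACILIT CKNDSN.SMF.* USER1   READ   SYSPROG
                      OTHUSER READ   CRMA
                      LSTUSER UPDATE LSTUSER
                      LSTUSER READ   CRMA
"""

def parse_acl_report(text):
    """Return (class, profile, user, access, acl_id) tuples; continuation
    rows (3 tokens) inherit class and profile from the previous full row."""
    rows, cls, prof = [], None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "Class":      # blank line or column header
            continue
        if len(tok) == 5:                     # full row starts a new profile
            cls, prof = tok[0], tok[1]
            tok = tok[2:]
        if len(tok) != 3 or cls is None or tok[1] not in LEVELS:
            raise ValueError(f"unrecognised report line: {line!r}")
        rows.append((cls, prof, *tok))
    return rows

def effective(rows, user):
    """Assumed rule (simplified): an entry for the user ID itself wins,
    otherwise the highest group entry. ("NONE", None) if not on the ACL."""
    mine = [(r[3], r[4]) for r in rows if r[2] == user]
    direct = [m for m in mine if m[1] == user]
    if direct:
        return direct[0]
    return max(mine, key=lambda m: LEVELS.index(m[0]), default=("NONE", None))

def check(rows, user, expected):
    """Return ("OK" | "NOT OK", reason) for one expected user/access pair."""
    access, via = effective(rows, user)
    how = f"via {via}" if via else "(not on the access list)"
    status = "OK" if access == expected else "NOT OK"
    return status, f"expected {expected}; {user} has {access} {how}"

if __name__ == "__main__":
    rows = parse_acl_report(SAMPLE_REPORT)
    for user, expected in [("USER1", "READ"), ("OTHUSER", "UPDATE"), ("ABCD", "READ")]:
        print(user, *check(rows, user, expected))
```

An exact match is required for OK, so an entry that grants more than the source system did is flagged as well as one that grants less.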



  • 4.  RE: zSecure - Simulating access from a list of resources

    Posted Tue February 01, 2022 08:18 AM
    Hi Jose,

    I don't think we have a direct option to test RACF profiles. You may be able to create a "fake" ACCESS input file, and then use NEWLIST TYPE=ACCESS with the SIM_ fields to see if anything "changed". But I have to leave any help in that to the NEWLIST TYPE=ACCESS experts.

    ------------------------------
    Sander De Graaf
    ------------------------------



  • 5.  RE: zSecure - Simulating access from a list of resources

    Posted Tue February 01, 2022 08:13 AM
    For a user JOSE, you can find the authorities using

    report scope=JOSE

    This takes into account UACC, permits to ID(*), group privileges, decentralized administration (CKGRACF), and if you have a CKFREEZE allocated you can even see where profiles have been forgotten (unprotected data sets).  Each of these reasons (and more!) can be suppressed using a SUPPRESS REASON=xxxx command.  See the A line command in RA.U to generate CARLa.

    With NEWLIST TYPE=R_SCOPE you can further customize the layout (and selection!) of the report.  This may help you to write the compare function you're looking for.

    Alternatively, you could use RACF OFFLINE to activate the new RACF database for your TSO or batch session, and issue RACF commands on the offline database.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 6.  RE: zSecure - Simulating access from a list of resources

    Posted Wed February 02, 2022 05:14 AM
    Edited by Rob van Hoboken Wed February 02, 2022 05:15 AM
    ACCESS files are built using CARLa code in members you can find in SCKRCARL.  C2PAMCOL is the daily collector, you can look at the SUMMARY command to see how to write your own ACCESS records.  Another sample is C2PAMCVT.

    Ten years ago, I wrote CARLa code to read the log file from CA Cleanup, and convert it into an ACCESS file, so a customer could migrate from CA Cleanup (for RACF) to Access Monitor reporting.  You can probably take inspiration from this code.  The documentation is in Import CA Cleanup into Access Monitor and the CARLa code in CARLa.  At the time there was functionality missing (generate a TOD value, specify arbitrary hex values in output) so there are supporting Rexxes and you had to enter HEX values across the non-printables in the CARLa, look at the comments for the exact value.  The same deficiencies are still there.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 7.  RE: zSecure - Simulating access from a list of resources

    Posted Wed February 02, 2022 05:29 AM
    Hi Rob, thanks a lot.

    I am sure it will be good and appreciate your time and help.

    Best regards

    José Villela