  • 1.  zSecure CARLa: REF2GRP Profile Definitions

    Posted Thu February 27, 2020 08:59 AM
    I'm looking to update the CARLa posted at https://www.ibm.com/support/knowledgecenter/SS2RWS_2.4.0/com.ibm.zsecure.doc_2.4.0/zSecure_wiki/grpdef.txt to only generate define / permit commands when the profile doesn't currently exist.

     /* Generate REF2GRP profiles for groups that have connected users.
        These profiles are used to interpret connect group usage from
        CA Cleanup in the simulated ACCESS file.
     */
    n type=racf nopage dd=ckrcmd
     select class=group (aclcnt>0 or universal)
     sortlist 'rdefine ref2grp' profile(0) 'owner(zsecmon)' /,
              'permit' profile(0) 'class(ref2grp) id(' | profile(0) | ')'

    What's the best way to go about doing so?

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure CARLa: REF2GRP Profile Definitions

    Posted Thu February 27, 2020 09:39 AM
    Edited by Rob van Hoboken Thu February 27, 2020 12:24 PM
    You could use a two-pass process:
    Pass 1 generates EXCLUDE KEY=xxxxx for each profile in the REF2GRP class.
    Pass 2 includes these EXCLUDE commands to weed the list of group names.
    Something like:

    //STEP1    EXEC C2RC
    //CKR2PASS DD DISP=(NEW,PASS),DSN=&&CKR2PASS
    //SYSIN    DD *
    alloc type=racf active
    print dd=CKR2PASS nopage
    newlist type=racf
      define once(nd) boolean where class==class
      define every(nd) count
      select class=ref2grp segment=base
      summary once  'exclude key=(,'
      summary every key(0) | ','
      summary once  ')'
    //STEP2    EXEC C2RC
    //COMMANDS DD SYSOUT=*
    //EXCLUDES DD DISP=(OLD,PASS),DSN=&&CKR2PASS
    //SYSIN    DD *
    alloc type=racf active
    print dd=COMMANDS nopage
    newlist type=racf
      select class=group (aclcnt>0 or universal)
      include dd=excludes
      sortlist 'rdefine ref2grp' profile(0) 'owner(zsecmon)' /,
               'permit' profile(0) 'class(ref2grp) id(' | profile(0) | ')'



  • 3.  RE: zSecure CARLa: REF2GRP Profile Definitions

    Posted Thu February 27, 2020 04:38 PM
    Great, this works perfectly!

    ------------------------------
    Adam Klinger
    ------------------------------