IBM Security Z Security


 Exclude groups from an access list

Stan van OERS posted Tue June 17, 2025 11:12 AM

Hello,

I want an overview of all groups connected to certain datasets with access > read.

The following CARLa script gives me the correct result:

newlist type=racf retain nopage   LL=160
def acl subselect acl( access>read)

select class=dataset acl(access>read) (mask=sys1.*.** or,
mask=sym*l.*.** or mask=sym*p.*.** or mask=sym*g.*.**)

sortlist key complex acl

What I am looking for now is how to exclude some groups in the output of this query. 

Can someone give me a hint how to do it?

Thanks in advance

Stan van Oers.

Jeroen Tiggelman

Hi Stan,

You can extend the SUBSELECT clause, like:

def acl subselect acl(access>read id<>(groupA,groupB))

Regards,
Jeroen

Stan van OERS

Jeroen,

Thanks for your suggestion. That works fine, but if no groups have access > READ anymore, the datasets are listed with an empty list. Can I prevent listing those datasets?

Stan

Rob van Hoboken IBM Champion

> if no groups have access > READ anymore, the dataset are listed with an empty list.

SUBSELECT only reduces the ACL list, but does not affect the selection of the profile.  If you know that you want to exclude some groups, you have to tweak the SELECT command.  You can start with changing the SELECT to

select class=dataset acl(access>read and id<>(group1,group2)),
(mask=sys1.*.** or mask=sym*l.*.** or mask=sym*p.*.** or mask=sym*g.*.**)

This checks EACH ENTRY in the ACL to have UPDATE or more, AND not be one of your exempted groups.  If any of the entries in the ACL meets this requirement, the whole profile is selected (including the permits for group1 and group2).

Now you have to sort your output filter, using the SUBSELECT that Jeroen provided.

Rob van Hoboken IBM Champion

When I run into challenges selecting entries in the ACL or CONNECTS list of profiles, I prefer to use RACF_ACCESS.  This allows me to use the SELECT command to select entries from the ACL (or CONNECTS) and immediately affect the output.  In other words, I do not have to get my head around the combination of SELECT and SUBSELECT.

newlist type=racf_access nopage   LL=160
  select class=dataset,
    profile=(sys1.*.**, sym*l.*.**, sym*p.*.**, sym*g.*.**),
    id<>(-uacc-,group1,group2),
    access>read access<>qualown

  sortlist profile complex id access

Note:

  • the field names in RACF_ACCESS are different.  profile is the profile key, but in SELECT it works like MASK
  • ID is the user or group id in the ACL, or the user in CONNECTS.  It also indicates the UACC value as -uacc-
  • ACCESS is the access level of the normal ACL, but also includes the UACC value and the profile ownership access
  • ACL(EXPLODE) and ACL(RESOLVE) are impossible
  • the conditional ACL is not available
  • additional fields from the profile can be used using implicit lookup, e.g., :owner

If you're exporting this list to, e.g., a spreadsheet, try NEWLIST HEADER=TSVT
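As an added illustration (not zSecure or CARLa code, and not written by any of the posters above), the following Python models the two approaches in Rob's replies with a handful of constructed dataset profiles: a SELECT that picks a whole profile when any ACL entry satisfies the condition, a SUBSELECT that only trims the displayed entries (so a profile whose only >READ permits belong to the excluded groups comes back with an empty list), and the RACF_ACCESS view, where each permit and the UACC are separate rows that SELECT filters directly. The mask matcher is a simplified approximation of RACF mask rules, the `-uacc-` pseudo-id follows Rob's note, the group names GROUPA/GROUPB and the sample profiles are made up, and ownership access rows (Rob's `access<>qualown`) are not modelled.

```python
"""Added illustration, not zSecure/CARLa code: a Python model of how CARLa
SELECT, SUBSELECT and NEWLIST TYPE=RACF_ACCESS treat access-list entries.
The profiles below are constructed sample data, not real RACF profiles."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# RACF access levels in ascending order; "access>read" means UPDATE or higher.
ACCESS_ORDER = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class Profile:
    key: str                    # dataset profile name
    uacc: str                   # universal access (UACC)
    acl: list[tuple[str, str]]  # (id, access) entries of the standard access list


# Constructed sample profiles (assumption: not taken from any real system).
PROFILES = [
    Profile("SYS1.PARMLIB", "READ", [("SYSPROG", "ALTER"), ("OPERATOR", "READ"), ("GROUPA", "UPDATE")]),
    Profile("SYS1.LINKLIB", "READ", [("GROUPA", "UPDATE"), ("GROUPB", "CONTROL")]),
    Profile("SYMAL.LOADLIB", "NONE", [("APPL", "ALTER"), ("AUDITOR", "READ")]),
    Profile("SYMAP.PROCLIB", "UPDATE", [("APPL", "ALTER")]),   # UACC above READ
    Profile("PROD.DATA", "NONE", [("APPL", "UPDATE")]),        # matches no mask
]
MASKS = ["SYS1.*.**", "SYM*L.*.**", "SYM*P.*.**", "SYM*G.*.**"]
EXCLUDED = frozenset({"GROUPA", "GROUPB"})   # hypothetical groups to leave out


def mask_match(mask: str, name: str) -> bool:
    """Simplified RACF-style mask match (assumption): '**' spans any number of
    qualifiers, '*' and literal text match inside a single qualifier."""
    mq, nq = mask.split("."), name.split(".")

    def rec(i: int, j: int) -> bool:
        if i == len(mq):
            return j == len(nq)
        if mq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(nq) + 1))
        return j < len(nq) and fnmatchcase(nq[j], mq[i]) and rec(i + 1, j + 1)

    return rec(0, 0)


def entry_ok(entry: tuple[str, str], excluded) -> bool:
    """The acl(...) condition: access>read and id not one of the excluded groups."""
    ident, access = entry
    return ACCESS_ORDER[access] > ACCESS_ORDER["READ"] and ident not in excluded


def select_profiles(profiles, masks, excluded=frozenset()):
    """SELECT semantics: a profile is chosen when its key matches a mask and
    ANY ACL entry satisfies the condition; the whole profile is returned."""
    return [p for p in profiles
            if any(mask_match(m, p.key) for m in masks)
            and any(entry_ok(e, excluded) for e in p.acl)]


def subselect_acl(profile, excluded):
    """DEF ... SUBSELECT semantics: trim the displayed ACL to matching entries.
    This never removes the profile itself."""
    return [e for e in profile.acl if entry_ok(e, excluded)]


def report_subselect_only(profiles, masks, excluded):
    """SELECT without the id<> test, SUBSELECT with it: profiles whose only
    >READ permits belong to excluded groups come back with an empty ACL."""
    return {p.key: subselect_acl(p, excluded) for p in select_profiles(profiles, masks)}


def report_select_and_subselect(profiles, masks, excluded):
    """Same condition in SELECT and SUBSELECT: those profiles are not chosen."""
    return {p.key: subselect_acl(p, excluded)
            for p in select_profiles(profiles, masks, excluded)}


def racf_access_rows(profiles, masks, excluded):
    """RACF_ACCESS view: one row per permit plus a -uacc- row for the UACC, so
    the SELECT condition is applied per row. Ownership access rows (the
    access<>qualown test) are not modelled here."""
    rows = []
    for p in profiles:
        if not any(mask_match(m, p.key) for m in masks):
            continue
        for ident, access in p.acl + [("-uacc-", p.uacc)]:
            if ident not in excluded and ACCESS_ORDER[access] > ACCESS_ORDER["READ"]:
                rows.append((p.key, ident, access))
    return rows


if __name__ == "__main__":
    print("SUBSELECT only  :", report_subselect_only(PROFILES, MASKS, EXCLUDED))
    print("SELECT+SUBSELECT:", report_select_and_subselect(PROFILES, MASKS, EXCLUDED))
    print("RACF_ACCESS     :", racf_access_rows(PROFILES, MASKS, EXCLUDED | {"-uacc-"}))
```

Run as-is: SYS1.LINKLIB, whose only >READ permits are GROUPA and GROUPB, shows up with an empty list in the SUBSELECT-only report, disappears once the same condition is in SELECT, and never produces a row in the RACF_ACCESS view. Leaving `-uacc-` out of the exclusion list surfaces the UACC=UPDATE on SYMAP.PROCLIB as its own row, which is the reason Rob's query names `-uacc-` explicitly.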

Stan van OERS

Jeroen, Rob,

Thanks for your suggestions. The report is now as desired.

Stan