IBM Security Z Security

 View Only

 Formatting the output from a segment with repeat fields

Linnea Sullivan's profile image
Linnea Sullivan posted Wed March 05, 2025 04:51 PM

Some at IBM may have been consulted about case TS018624912, concerning the output of reporting in the MFA Segment.

I received a request to create a report of the MFA segment.  In many cases a userid may have multiple factors.  The Carla code below does report on the MFA segment:

newlist type=racf name=usrmfa
SELECT C=USER S=BASE EXISTS(FACTOR)
SORTLIST key(8) ,
factorn,
FACTOR_name,
FACtor_active,
 mfa_factor_tag_value

However if the user has more than one factor each factor appears on a separate line.

But I was requested to format the output like this:  userid factor name, factor active, mfa factor tag, factor name(2), factor active(2), mfa factor tag(2)

All on a single print line.   I have tried using HOR and I don't think I can separate the values in a repeat field.

Suggestions?

Jeroen Tiggelman's profile image
Jeroen Tiggelman

Hi Linnea,

Your requirement as stated can only work if you have but a single tag/value combination for each factor, as in general MFA_FACTOR_TAG_VALUE is not "beside" FACTOR_NAME at all. That repeated field is not compatible in number with the fields of the FACTORN repeat group.

In the RACF database templates FACTORN is the count field for the repeat group consisting of FACTOR, FACACDT, and FACTAGS (in the USER BASE segment).

                  RACF template definitions                     "FACTORN" found 
 Command ===>                                                   Scroll===> CSR  
                                                 5 Mar 2025 23:45               
    Complex  Timestamp         Template Custom                                  
    ZOSV2R2   5 Mar 2025 23:45      595     57                                  
    Entity   Segment  Field     Id Alias-of Group     Bytes Dflt Format   Outlen
    USER     BASE     FACTORN  110                        4 00   Num           2
    USER     BASE     FACTOR   111          FACTORN  Varies 00   Char         20
    USER     BASE     FACACDT  112          FACTORN       8 FF   Hex          16
    USER     BASE     FACTAGS  113          FACTORN  Varies 00   Char         72

The CARLa fields FACTOR_NAME and FACTOR_ACTIVE are based on FACTOR and FACACDT, respectively.

FACTAGS, however, is not a single factor and value, but can be repeated within the repeat group entry. MFA_FACTOR_TAG_VALUE expands that into multiple entries for the same factor, so in general can have more values than the count of the basic repeat group. So the idea that its values can be printed next to the other ones is not generally true. (Also, MFA_TAG_FACTOR, MFA_TAG_NAME and MFA_TAG_VALUE likewise expand on the basis of FACTAGS.)

CARLa field        : FACTAGS                                          
Newlist type       : RACF                                             
Header default     : MFA tags                                         
Field prefix header: MFA tags                                         
                                                                      
This field is found in USER profiles. It shows a combination of data  
pertaining to Multi-Factor Authentication: all tags associated with a 
factor, and the value of those tags. The preferred interface to this  
database field is the MFA_FACTOR_TAG_VALUE combination field.         

HORIZONTAL only adds secondary values for a field (which can be a combination field) behind the first one.

So the closest approach to what you want is just applying HOR to MFA_FACTOR_TAG_VALUE. Because this is a combination field, it prints a factor, a tag, and a value in one go.

If we consider this, we see that the FACTOR_NAME in your query is arguably superfluous, since it should occur as part of MFA_FACTOR_TAG_VALUE anyway [provided each factor has a tag]. The only issue left, then, is that you have no way of putting FACTOR_ACTIVE with the factor. FACTOR_ACTIVE is essentially an indication if FACACDT is filled in (exists) or not.

I hope this may give you some ideas as to how to approach some of the requirements you have... you might want to split looking at which factors are (not) active and whether some have no tags from listing the sets of tags and values, perhaps... but I think there is no good way to achieve what you requested.

Regards,

Jeroen