IBM Security Z Security

 How to Specify Multiple MASK in CARLa

Madeline Sanchez IBM Champion posted Tue December 31, 2024 04:54 PM

Hi all! I am looking to create a CARLa report that lists specified groups and what each of these allows access to:

GROUP01
GROUP02
GROUP03

It's a broad report, but just a high-level description will do.

The issue: I would like to specify these groups in my CARLa, however I am only able to do one at a time using MASK:

MERGELIST
    NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE MASK=GROUP01
        SORTLIST KEY(8,"Group") INSTDATA
    NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE MASK=GROUP02
        SORTLIST KEY(8,"Group") INSTDATA
    NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE MASK=GROUP03
        SORTLIST KEY(8,"Group") INSTDATA
ENDMERGE

I have read and researched many resources with no luck. I have tried the following:

NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE MASK=(GROUP01,GROUP02,GROUP03)
        SORTLIST KEY(8,"Group") INSTDATA 

I also found another thread that suggested MASKLIST as shown below (with and without "MASKLIST" on the SORTLIST):

newlist type=racf
    define type=racf masklist as profile
    select masklist=(GROUP01,GROUP02,GROUP03)
    sortlist key(8,"Group") instdata

There has to be something I'm missing! Thank you for your assistance!

Tom Zeehandelaar

Hi Madeline,

From your message, I find it hard to fully understand what your requirement for your report is. You state that you want to use mask, but your CARLa code samples do not contain any masking characters (* or %). Do you want to report the permitted access for the groups named GROUP01, GROUP02, and GROUP03?
In that case you can code:

NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE KEY=(GROUP01,GROUP02,GROUP03)
        SORTLIST KEY(8,"Group") INSTDATA 

Or did you mean to report the permitted access for the groups starting with the prefix GROUP01, GROUP02, and GROUP03? In that case you can code:

NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE (MASK=GROUP01* or MASK=GROUP02* or MASK=GROUP03*)
        SORTLIST KEY(8,"Group") INSTDATA 

Or alternatively, because the group name cannot exceed 8 characters:

NEWLIST TYPE=RACF
        SELECT CLASS=GROUP SEGMENT=BASE (MASK=GROUP01% or MASK=GROUP02% or MASK=GROUP03%)
        SORTLIST KEY(8,"Group") INSTDATA 

However, there might be another way to report the permission to group profiles. zSecure Admin supports the newlist type REPORT_SCOPE that can be used to report the accesses that are permitted to a user or group ID. In the zSecure User Interface, you can access and use the Scope/permit report with option RA.3.4.

To report the permissions to the groups GROUP01, GROUP02, and GROUP03 in print format, specify the following options.

                   zSecure Suite - RACF - Report Scope/permit                  
Command ===> __________________________________________________________________
                                                                               
Id  . . . . . . . . GROUP01  GROUP02  GROUP03  ________ ________ ________      
Specify type of authorization                                                  
 1  1. Direct permit to the Id (Id on access list)                             
    2. Direct permit or Connect (Id or Connect Group on access list)           
    3. Scope (access or administrative authority by any means)                 
Report options                                                                 
 Minimum access to show           Specify output options                       
 8  1. Execute     2. Read           Show resources covered by profile         
    3. Update      4. Control           Including data sets on scratch tapes   
    5. Alter       6. Admin                                                    
  7. Owner       8. Show all    /  Output in print format                    
    RACLIST merged view                 Start each Id on a new page            
Select profiles to include. Blank profile field(s) to include missing profiles 
 Data set HLQ  . . . *         (qualifier or filter, * for all, blank for none)
 Dataset profile . . ____________________________________________ (EGN mask)   
                                                                               
 Other class . . . . *         (class or filter, * for all, blank for none)    
 Other profile . . . ____________________________________________ (EGN mask)     

Pressing Enter results in reporting the permissions to the groups GROUP01, GROUP02, and GROUP03.

If you prefer, you can also manually code a CARLa script. This script could be something along the lines of:

NEWLIST TYPE=REPORT_SCOPE TOPTITLE="GROUP AUTHORIZATION FOR ID: "
 SORTLIST ID(PAGE,TOPTITLE) ID:INSTDATA(PAGE,TOPTITLE),
          COMPLEX(PAGE,TOPTITLE) STAMP(TOPTITLE),
          CLASS PROFTYPE(1) KEY("PROFILE NAME") ACCESS WHEN
 REPORT PERMIT=GROUP01 PERMIT=GROUP02 PERMIT=GROUP03

This CARLa sample script produces a report that includes all permissions to the groups GROUP01, GROUP02, and GROUP03.

I hope this answers your question sufficiently.

Rob van Hoboken IBM Champion

As Tom points out, the MASK field in newlist type=racf allows you to specify a single mask (or filter), like

select class=group mask=sys*

but it does not support a list of filters.  MASK is an alias of FILTER, by the way.  The KEY (or PROFILE) fields in this newlist allow a list of values, but the values must be specified exactly.  So

select class=group profile=sys*    /* finds nothing */
select class=group profile=(sys1,sys2)  /* finds 2 groups */
select class=group (profile=sys1 or profile=sys2)  /* finds 2 groups */

There is a trick to get the same function as MASK, but supporting lists.  In previous posts I have shown it this way.

  1. Add a new field MASKLIST based on PROFILE.  This new field takes the contents of PROFILE, but not the unique behavior of not supporting filters.
  2. Use the MASKLIST field like all other standard CARLa fields, like OWNER, supporting filters and lists.

newlist type=racf
  define masklist as profile
  select class=group masklist=(sys1,sys2)  /* selects 2 profiles */
  select class=group masklist=prod*  /* all groups starting with PROD */
  sortlist profile('Group',8) connects

Now you don't need mergelist or multiple select clauses.

Rob van Hoboken IBM Champion

When you say "what each of these (groups) allows access to," what do you mean?  As Tom points out, the REPORT SCOPE (or better, REPORT PERMIT) command would show where the group name is used in a PERMIT on a profile.  However, these REPORT commands require that you specify the group name EXACTLY.  No filters allowed.

So, if your task is to analyze all groups starting with PROD, and show where these are permitted, you would have to generate a REPORT PERMIT=PROD0001, PERMIT=REPORT0002, ...... command.  Hm....

There is another way.  The RACF_ACCESS newlist makes the PERMITs available for easier reporting.  CLASS and PROFILE fields refer to the (dataset or general) profile.  ID and ACCESS are the entries in the access list.  Plus you can use lookups to single out ID values.  How does this work?

newlist type=racf_access
  select class<>group id=prod*
  exclude exists(id:dfltgrp)
  sortlist id access
  summary class profile count(nd)

The select command skips the entries that describe group connect entries, so it only lists permits on DATASET and general resource profiles.   It also skips permits where the ID has a default group, i.e., it is a user ID.

The output is grouped (summarized) by class and profile, without the count of found permits (the ND modifier), and lists the (selected) access list entries for each profile.
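Putting the two answers together for the three groups named in the original question, as an added example (not code from either poster): the RACF_ACCESS newlist is fed the exact group names as a list and the INSTDATA of each group is pulled in with a lookup. It assumes that ID in RACF_ACCESS accepts a list like other standard fields (unlike KEY in type=racf) and that the ID:INSTDATA lookup works here as it does in the REPORT_SCOPE sample above.

```carla
/* Added example: where GROUP01, GROUP02 and GROUP03 appear on access lists */
newlist type=racf_access
  /* class<>group drops connect entries, leaving DATASET and general resource permits;
     ID is assumed to take a list of exact names like any standard CARLa field */
  select class<>group id=(GROUP01,GROUP02,GROUP03)
  /* id:instdata lookup assumed to resolve the group's installation data,
     giving the high-level description asked for in the question */
  sortlist id id:instdata(40,"Description") access
  /* one block per class/profile; ND suppresses printing the count itself */
  summary class profile count(nd)
```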