IBM Security Z Security

Hi Linnea,

These updates were included in the October 2024 Service Stream Enhancement (which is not the latest update).

ZCMD-I-80 resulted in Policy profiles for Custom Data management.

ZCMD-I-75 was generalized from NOCSDATA to segment deletion in general and resulted in an additional access level CONTROL to profiles for non-base segment control (C4R.class.segment and C4R.class.segment.=RACUID).

Note that the latter change is an incompatible one, you now need CONTROL for deletion.

I hope this helps.

Regards,
Jeroen

Jeroen, not sure if you will see this or not.    Seems like the site has changed and the REPLY button is missing.    Anyway, I created a C4R.USER.CSDATA.**  put the profile in WARN mode temporarily just to see what data I would see in Access Monitor.     I made  a number of changes to some userid's CSDATA segment, but did not see anything hit that profile.

I would assume that it would mean we have overlooked installing a PTF?

Hi Linnea,

I find the new interface more confusing also, but I can confirm that I saw your response [and immediately, as I have set this community set to sending individual responses].

According to my blog entry about the October deliverable, this should be covered by:

• PTF UJ96191 for APAR  OA66993 (this updates code shared between zSecure Command Verifier and zSecure Admin)
• PTF UJ96190 for APAR  OA66994 (this updates code specific to zSecure Command Verifier)

I am going to forward your trace question to someone else on my team.

Regards,
Jeroen

>  Seems like the site has changed and the REPLY button is missing. 

When you open a new tread, you have the option to ask a Question, or start an open ended Discussion.  The options in the Thread depend on this selection.

Questions only have the Answer button, and you can only answer the original question.  All answers are stored chronologically.  Yuch.

Discussions offer a Reply button, in each of the postings.

I suppose they wanted to clean up the interface.  Now the users have to think before they start, like "I really want to ask a Question, but I think this question will take some iterations to answer, so lets open a Discussion." 

Hi Linnea,

I recommend to active the Command Verifier trace by issuing TSO command C4RCATMN DEBUG and then update the CSDATA of a specific user. The trace will show the C4R profiles to be checked and you will get the result. It looks like this:

.

.

C4R903I Find owner of connect: CRMBPH3 CRMB                          
C4R903I Owner of connect CRMBPH3 CRMB      is CRMB                   
C4R903I Add segment 00008000                                         
C4R903I Scope check CSDATA                                           
C4R903I Check exist segment USER CSDATA   CRMBPH3                    
C4R903I -00- RACI for: USER     CSDATA   CRMBPH3                     
C4R903I Locate profile for: C4R.USER.CSDATA                          
C4R903I ---- No profile found                                                   
C4R903I Find owner of user CRMBPH3                                              
C4R903I Owner of user CRMBPH3  is CRMB                                          
C4R903I Locate profile for: C4R.USER.CSDATA.STR01.CRMB.CRMBPH3                  
C4R903I ---- No profile found                                                   
C4R903I Check exist segment USER CSDATA   CRMBPH3                               
C4R903I -00- RACI for: USER     CSDATA   CRMBPH3                                
C4R903I Locate profile for: C4R.ALTUSER.=PRECMD.CSDATA.ALT                      
C4R903I ---- No profile found                                                   
C4R903I Locate profile for: C4R.ALTUSER.=PSTCMD.CSDATA.ALT                      
C4R903I ---- No profile found                                                   
C4R903I Locate profile for: C4R.ALTUSER.=REPLACE.CSDATA.ALT                     
C4R903I ---- No profile found                                                   
C4R913I ALTUSER  CRMBPH3 CSDATA(STR01('TESTING DATA'))                          
C4R903I Locate profile for: C4R.ALTUSER.=CKXLOG                                 
C4R903I ---- No profile found                                                   
C4R903I Get field                                                               
C4R903I ---- class=USER    <<<                                                  
C4R903I ---- prof_type=                                                         
C4R903I ---- Get DFLTGRP  from CRMBPH3                                          
C4R903I Find owner of user CRMBPH3                                              
C4R903I Owner of user CRMBPH3  is CRMB                                          
C4R903I Locate profile for: C4R.USER.=CMDAUD.=SURROGATE                         
C4R903I ---- No profile found                                                   
C4R903I Locate profile for: C4R.USER.=CMDAUD.=SEGMENT.CRMB.CRMBPH3              
C4R903I ---- No profile found                                                   
C4R903I Locate profile for: C4R.USER.=CMDAUD.=ATTR.CRMB.CRMBPH3        
C4R903I ---- No profile found                                          
C4R903I RACLIST global Z                  

Please let me know the outcome, the trace can be deactivated by C4RCATMN NODEBUG.

Thank you very much, kind regards,

Paul.