IBM Security Z Security


Field RACF CATEGORY: A hexadecimal (internal) value must be specified

  • 1.  Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Wed August 11, 2021 03:52 PM
    A customer wants to select CATEGORY=CSR in this report: 

    n n=based1 segment=base

    s s=base c=dataset /* category=csr */

    sortlist complex key(44,wrap) category instdata

    But CATEGORY can't be used in SELECT. 
    We have this information in CATEGORY dictionary: "This field is found in USER, DATASET, and GENERAL profiles. For SELECT/EXCLUDE processing, a hexadecimal (internal) value must be specified. It is a repeated field listing the security categories to which the user has access, or to which the data set or resource belongs. The number of security categories is listed in the NUMCTGY field."

    Question: What does "hexadecimal (internal) value must be specified" mean? What am I supposed to use in this field?
    Or do you have another suggestion?

    Thanks!



    ------------------------------
    Gabriel Vicoso Amaral
    ------------------------------


  • 2.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified
    Best Answer

    Posted Thu August 12, 2021 02:09 AM
    Hi Gabriel,

    The RACF data set profile contains "index numbers" that identify the CATEGORYs. In order to translate those numbers to names, other RACF profiles need to be consulted. Selection support has been built in such a way that this lookup cannot reliably be done in that phase, so you must specify the "index number" and not the name of the category for the record selection.

    If you print the CATEGORY field in hexadecimal (with overriding output format HEX), you can see the index number in that format:

    sortlist complex key(44,wrap) category CATEGORY(HEX)

    might yield something in this format:

    Complex Profile key                                  Ctgry   Ctgry
    SECDATA GTST1.NONEXIST.DISCRETE.PROFILE1             CAT1    0009

    You cannot use CAT1 for the selection, but must use the 0009.

    Your selection might look like this:

    s s=base c=dataset category='0009'x

    Note that putting the value in quotes and appending an X indicates that you are specifying a number in hexadecimal.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Thu August 12, 2021 08:57 AM
    Hi Jeroen, thanks for the answer! I didn't find it in any documentation.
    It works well in our System.

    Thanks, Regards.


    ------------------------------
    Gabriel Vicoso Amaral
    ------------------------------



  • 4.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Thu August 12, 2021 09:48 AM
    Hi Gabriel,

    You are welcome.

    Do you have a suggestion how we could make the documentation clearer?

    I would say that "a hexadecimal (internal) value must be specified" is correct, but not particularly clear to someone who is not very well versed in the context.

    Would it have helped you if the text had read, say,

    "This field is found in USER, DATASET, and GENERAL profiles. It is a repeated field listing the security categories to which the user has access, or to which the data set or resource belongs. The number of security categories is listed in the NUMCTGY field. For SELECT/EXCLUDE processing, you cannot use the category name; the internal value must be specified in hexadecimal notation, for example, CATEGORY='value'X, where value is the output you get when using the overriding output format HEX, that is, CATEGORY(HEX)."

    ?

    FTR, you can find the documentation for HEX in the CARLa book, Chapter 1, under "LIST family of commands" in subsection "Format names".

    And you can find the explanation of the use of conversion characters in a selection in Chapter 1, under "SELECT and EXCLUDE" - "Selection types" - "Selection with a field-value compare" in one of the "Usage notes": "Quoted strings can be suffixed with one the following type characters listed in <table> [..]", where the table then explains the X as being for hexadecimal.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 5.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Mon December 13, 2021 07:42 AM
    Hi Jeroen,

    This is an old topic, but I am kind of reviving it because I have other questions. (I hope you don't mind)

    We are actually using the same CARLa code to identify RACF profiles with a specific value in the CATEGORY field in all systems we support. The problem is that even though the character value in the CATEGORY field is the same, the hexadecimal value will change in each system. As you said, if the hexadecimal value is some kind of index, it will be different in each system, and I already checked that. In this case, we cannot use the same code because the HEX value will not be the same, and since we cannot select the field by its character value, we have a problem.

    Question: is it possible to convert this field into something selectable, that is not the hex index value? If not, we will have to find another way to automatically identify the hex value on each system, and somehow change the CARLa code automatically.

    Thanks in advance

    ------------------------------
    Danilo Farias
    ------------------------------



  • 6.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    IBM Champion
    Posted Tue December 14, 2021 03:40 AM
    Hi Danilo
    The CATEGORY field is a field in the RACF database, so for systems that share the same database, the selection should be the same.  They are only different if they use a different RACF database (and the CATEGORY class profiles were generated in a different order).

    You could use the COMPLEX field in zSecure as a label for the RACF database.  It is initialized with the RRSF complex ID of RACF, or with the sysplex ID when RRSF is inactive.  You can also specify a text string for complex in your ALLOC command (and in the SE.1 set of input file entry).

    In CARLa, you could specify the COMPLEX together with CATEGORY in a SELECT command, like so

    newlist type=racf
      select class=dataset (,
       (complex=dev category='0009'x),
    or (complex=prod category='0011'x),
      )

    provided the COMPLEX assignment in ALLOC commands, or in RRSF id, is predictable.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 7.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Tue December 14, 2021 05:37 AM
    Rob,

    Maybe I didn't make myself clear, I am sorry. The situation is that we are trying to find a way to distribute the same CARLa script to all of our systems, and we have maybe 100+ or 150+ systems in our baseline, and many different RACF databases. That's why selecting this field by the hexadecimal value wouldn't work because we have different hexadecimal values in each system, even though the category name is the same. That's why I asked if it would be possible to select this field in some other way, or perhaps convert this field into something that uses the category name as a fixed value.

    Otherwise we will have to figure out a way to automatically build the script using some other external solution that will identify the hex value in that specific system before "building" the script.

    ------------------------------
    Danilo Farias
    ------------------------------



  • 8.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Tue December 14, 2021 09:19 AM
    Edited by Jeroen Tiggelman Tue December 14, 2021 09:21 AM

    Hi Danilo,

    The issue is that the "conversion" indicated in the RACF database itself is not available yet at the time the SELECT statement is evaluated in that run. So if you want to use a conversion based on this information, you would need to do that prior to the run. Which could possibly be by doing another run that processes the conversion present in the RACF database.

    In this case, I think the way to go would be to produce a lookup file that lists the CATEGORY name and its hexadecimal value side by side, and then use that as a DEFTYPE input file and generate the real query.

    In its simplest form that could be generated with this query:

    n type=racf nopage
    s exists(category)
    sortlist category(hex 4) category(0)

    Although this would likely produce many duplicates. (You could run an extra pass to filter those out. :/)
    (SUMMARY does not work instead of SORTLIST because this is a repeated field.)

    I believe that conversion is contained in the RACF database in the CATEGORY profile in the SECDATA class. If you print the MEMLST (repeated) field, the entries appear to have the form categoryname=decimalvalue.

    Provided that your category names do not contain '='--I did not check the RACF syntax if that might be valid--you could also write a lookup file by formatting that MEMLST, like so:

    n type=racf nopage
    s c=secdata key=category
    def categoryname(char 0) as word(memlst,1,'=')
    def hexvalue(0 hex) as convert(word(memlst,2,'='),decimal,decimal)
    sortlist hexvalue categoryname

    Hmmm.. but this appears to generate an extra " HWM" entry that probably should be ignored (and duplicates the last valid category).
    You can probably achieve that by using this DEFINE instead:

    def hexvalue(8 hex) as
    convert(word(word(memlst,1,' '),2,'='),decimal,decimal)

    which masks away the entry that starts with a blank from being converted.. but would break any values that contained a valid blank (if that is possible).

    Anyway... spent quite a bit of time on this, I hope this gives you some sense of what direction you might or might not want to try. (And perhaps someone else can take it from here? :-))

    Let me know if you have additional questions.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 9.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Wed December 15, 2021 03:20 AM
    Edited by Jeroen Tiggelman Wed December 15, 2021 03:28 AM
    Hi Danilo,

    Some additions to what I wrote yesterday.

    It is easy to suppress the duplicates from the simple form by just adding the NODUP keyword.

    As to the other approach... I did not check if the format in which this data is contained in the RACF database is an authorized interface.
    As to the form of the entries, "appear to have" is right--this is actually the result of zSecure interpreting and modifying the values before showing them.
    It turns out that the overriding format $MEMLST will just show the category name, so using that avoids any parsing risk of a '=' being in the name.

    Avoiding printing the " HWM" entry does appear to need the complex DEFINE.
    But since the lookup is from the name to the hexadecimal value, it is not a problem that the hexadecimal value shows up on two rows.
    That means that if you would want to go this route, this much simpler query would suffice:
    n type=racf nopage
    s c=secdata key=category

    list memlst(hex 4) memlst($memlst)

    However, taking the safest approach, it could work with the following steps:
    1. generate the lookup file
    2. use the result to write the query-generating query against
    3. run the actual query.

    Like so:
    1. Generate all values in use in the database
    alloc type=output dd=cat dsn=crmbjti.carla(cat)
    n type=racf nopage dd=cat nodup
    s exists(category)
    sortlist category(hex 4) category(0)

    2. Use one of the two-pass query mechanisms (in either the UI or the sample JCL) to generate and run the query:
    deftype type=cat
    alloc type=cat dsn=crmbjti.carla(cat)
    def type=cat hexvalue as substr(record,1,4)
    def type=cat categoryname as substr(record,6)
    n type=cat nopage dd=ckr2pass
    s categoryname=CSR
    sortlist `n n=based1 segment=base` /,
    `s s=base c=dataset category='` |,
    categoryname:cat.categoryname.hexvalue(0) | `'X` /,
    `sortlist complex key(44,wrap) category instdata`


    I hope this helps.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
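
The lookup-then-generate steps from the post above can also be done outside CARLa, which is the "external solution" route mentioned earlier in the thread. The following is an added example, not part of the original posts or of zSecure: it assumes the step 1 lookup member has the hex index in columns 1-4 and the category name from column 6 (the layout the DEFINEs above read), the function names are hypothetical, and the sample records are constructed.

```python
import re

# Constructed sample of the lookup member written in step 1:
# hex index in columns 1-4, a blank, then the category name from column 6.
SAMPLE_LOOKUP = """\
0009 CAT1
0011 CSR
0011 CSR
0012 PAYROLL
"""

HEX4 = re.compile(r"[0-9A-F]{4}")


def parse_lookup(text):
    """Return {category name: hex index}, rejecting malformed or conflicting rows."""
    table = {}
    for lineno, record in enumerate(text.splitlines(), 1):
        if not record.strip():
            continue
        hexvalue, name = record[0:4].upper(), record[5:].strip()
        if not HEX4.fullmatch(hexvalue) or not name:
            raise ValueError(f"line {lineno}: unexpected record {record!r}")
        # Duplicate rows are harmless; one name with two indexes is not.
        if table.setdefault(name, hexvalue) != hexvalue:
            raise ValueError(f"line {lineno}: {name} maps to two indexes")
    return table


def build_query(table, category):
    """Emit the report from the first post with this database's index filled in."""
    try:
        hexvalue = table[category]
    except KeyError:
        # Fail closed: an empty report must not be mistaken for "no profiles".
        raise LookupError(f"category {category} is not defined in this database") from None
    return "\n".join([
        "n n=based1 segment=base",
        f"s s=base c=dataset category='{hexvalue}'x",
        "sortlist complex key(44,wrap) category instdata",
    ])


if __name__ == "__main__":
    print(build_query(parse_lookup(SAMPLE_LOOKUP), "CSR"))
```

Run once per RACF database against that database's own lookup member; a category that is missing there raises an error instead of producing a query that silently selects nothing.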



  • 10.  RE: Field RACF CATEGORY: A hexadecimal (internal) value must be specified

    Posted Wed December 15, 2021 05:33 AM
    Hi Jeroen,

    Once again, thank you very much for your valuable inputs, I will work with all details you provided and implement that on our systems if possible.

    Really appreciate it!

    Thank you.

    ------------------------------
    Danilo Farias
    ------------------------------