IBM Security Z Security

 View Only
Expand all | Collapse all

Access Monitor Permit Usage - Display User ID

  • 1.  Access Monitor Permit Usage - Display User ID

    Posted Thu December 09, 2021 02:43 PM
    I have some User IDs that are connected to a group.   That group is permitted to some datasets and db2 profiles.    I want to remove the userids from that group, but I see via AM.4 that the userids are using the connection to the group.   So I tried AM.3 to see what permissions are being used by the group.

    Is there a way to see what User Ids used the group to access those permissions.   With RACF_ACCESS, there is no USERID field, and the field ID refers to what was being permitting, in which in my case is the group.

    Or is there some other option in Access Monitor to display what permission the User ID accessed via a connected group?

    Linnea Sullivan

  • 2.  RE: Access Monitor Permit Usage - Display User ID

    Posted Fri December 10, 2021 03:26 AM
    Hi Linnea,

    with option AM.1 - Access summary by user of profile, you can investigate the resources that (a) certain user IDs have (has) accessed.
    In the output and run options of the AM.1 panel, you can select option 4 - Summary by simulated groups used for access.

    That selection generates an overview of which resources your specified user ID(s) has (have) accessed via their connect groups. For example:
                     IBM Security zSecure ACCESS summary    0 s elapsed, 0.0 s CPU
    Command ===>                                                   Scroll===> CSR 
    Access monitor records for Userids like CRMBTZ1 10 Dec 2021 09:20             
       ViaGrps  Occurrence First occurrenc Last occurrence                        
    __ CRMB           3367  8Dec2021 07:52  8Dec2021 17:09                        
    __ CRMBZDEV          1  8Dec2021 07:52  8Dec2021 07:52                        
    __ SYSPROG        3391  8Dec2021 07:52  8Dec2021 17:09                        
    __ VESGRP         3366  8Dec2021 07:52  8Dec2021 17:09                        ​

    You can zoom into the reported groups, to review which resources in which classes this user ID has accessed via this group connection.
    Would that be helpful for your investigation?

    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer

  • 3.  RE: Access Monitor Permit Usage - Display User ID

    Posted Fri December 10, 2021 06:20 AM
    Hey Linnea.
    You should also remember that RACF does not show preference for one group over another, when both permit the requested access.  As a consequence, Access Monitor reports may show one OR MORE groups that COULD have given access to the profile.  This will be visible when SIMULATED FIELDS are requested, in the DETAILS of the Access Monitor information, at the end of the details panel. 
    When you are cleaning up the RACF database, and replacing the functionality of a group with another group, the users may be connected to both, until you finally remove (or delete) the old group.  When zSecure notices that the user is connected to both groups, and the dataset profile has an adequate permit for both groups, the VIA GROUPS field shows both group names.
    AM.1 has a "Simulated fields selection" option to show ONLY access events where the group specified is alone in providing access (the group is ESSENTIAL), that points at resource access that still uses (only) the old group.  Specify the old group name on the "Group(s) used for access" field and / the "Essential group(s)" checkbox.  This finds where a connect/permit for the old group has not (yet) been copied to a replacement group.

    Rob van Hoboken