IBM Security Z Security


zSecure CARLa: Newlist type=racf "acl" field type?

  • 1.  zSecure CARLa: Newlist type=racf "acl" field type?

    Posted Mon September 28, 2020 11:47 AM
    Edited by Adam Klinger Mon September 28, 2020 11:47 AM
    Greetings,

    The "ACL" field in newlist type=RACF has these 4 Output fields: User Access ACL id When. I'm looking to extract these into individual fields. What's the best way to go about this?

    I've been able to do something like below to get two of the fields (aclid and aclaccess):

    define sub_acl subselect acl(exists(id))
    sortlist sub_acl("ACL ID",aclid,8),
             sub_acl("Access",aclaccess,8)

    However, I see no subfield for the "Type" (User/Grp) or When. So do those exist, or is there a way to define those fields individually?


    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure CARLa: Newlist type=racf "acl" field type?

    Posted Mon September 28, 2020 01:51 PM
    Edited by Jeroen Tiggelman Mon September 28, 2020 02:21 PM
    Hi Adam,

    For selection and filtering on the sub-fields, a good starting point is "Table 9. ACL subselect - available fields" in the CARLa Command Reference. (It is in the topic on the DEFINE command.)

    Using the names from there, we can refer to the second and third columns as the ACCESS and ID columns.

    The "When" part really has two parts, the WHENCLASS and WHENPROFILE, which together make up the condition of a conditional ACL entry.

    What the first column displays depends on the ACL format. In a normal ACL, it might show "-group-" when the ACL id is a group. If you look at one of the exploded/resolved formats, it will typically list the userids there that are connected to the ACL id (on separate lines).

    For SUBSELECT processing (that is, filtering the display on output), you can use GROUP= or USER= to only list groups or users. For SELECT processing (that is, determining which profiles to display the ACL for in the first place), these criteria are not allowed.

    For displaying them, the following formats are available (under "Format names" as part of the "LIST family of commands" section of the CARLa Command Reference):

    $ACL - Format to generate the trailing part of a RACF PERMIT command that contains the ID, ACCESS, and WHEN parameters. You must add the profile key and CLASS parameter yourself. The format can only be applied to the field name ACL.

    ACLACCESS - This output format applies only to RACF systems. It is only valid for the ACL field or a subselect thereof. This format displays just the access level, optionally followed by a condition:
    • READ or
    • READ,PROGRAM=CKRCARLA
    It is meant for use with a define subselect ACL variable that selects a specific ID, * for example.


    ACLID - This output format applies only to RACF systems. It is only valid for the ACL field or a subselect of this field. For each ACL entry, this format displays an ID in the output, optionally followed by a condition in parentheses. If the ACL is in normal format, the ID is the value of ACL id. If the ACL uses field modifiers like EXPLODE or EFFECTIVE, the ID is the value of the resolved user ID. The ACLID format is designed to format the output for a DEFINE SUBSELECT ACL variable that selects a specific access level.

    ACLIDACCESS - This output format applies only to RACF systems. It is only valid for the ACL field or a subselect of this field. This format displays the ID followed by the access level and optionally a condition in parentheses. It is meant to display an access list in horizontal wrapped format.

    ACLVIA - Only valid for the ACL field or a subselect of this field. This format generates output that is like the default ACL format, except that the first two columns of data, User and Access, are omitted. In other words, only the ACL ID and an optional condition (When) are shown.

    So taking that in, the solution you found works particularly well when there are no conditional access entries, since then you will just see the ACCESS and ID in the 8 characters you limit the output to. However, for conditional entries, you might see results like "ALTER,PR" and "C##BRT2(", where the additional characters indicate the start of a condition clause.

    To display the first column, you can simply limit the normal ACL format to the width of the first column: sub_acl("Type",8)

    There is no really easy way to only display the condition.

    (BTW, I usually want to have separate displays for conditional and non-conditional entries, as they tend to format really quite differently.)

    If you need to do something more complex, you can of course write the normal output to a file, then allocate that as a DEFTYPE file and parse the columns and re-display them in any nice fashion.

    I hope that gives you some ideas to work with.

    Regards,

    --Jeroen

    P.S. Sample DEFINE statements can also be found in the standard include member SCKRCARL(C2RXDEF1), such as

    VIEW C##A.D.GKR240.$BASE.SCKRCARL(C2RXDEF1) - 18.27 Columns 00001 00072
    def helppanel=c2r&ckrerel.z204 type=racf,
    idstar("ID(*)",aclaccess,7,nomodify,nodetail),
    subselect acl(id("*") missing(whenclass))

    for unconditional access for ID(*).  [Note: the quotes make it a string literal instead of a mask specification.]

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
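An added CARLa example (not from either post, nor from the zSecure SCKRCARL members) that puts Jeroen's advice together: separate DEFINE SUBSELECT variables for unconditional and conditional entries, each displayed with the ACLIDACCESS format so the condition is never truncated. The NEWLIST name and title, CLASS=DATASET, and the KEY field for the profile name are assumptions chosen for illustration.

```carla
newlist type=racf name=aclsplit title="ACL entries split by condition"
  /* Assumed scope: base segment of DATASET profiles */
  select class=dataset segment=base

  /* Unconditional entries: an ID is present but no WHEN clause.
     Same test as C2RXDEF1 uses for ID(*), without pinning the ID. */
  define uncond subselect acl(exists(id) missing(whenclass))

  /* Conditional entries: WHENCLASS (and WHENPROFILE) are set */
  define cond subselect acl(exists(whenclass))

  /* ACLIDACCESS shows "ID ACCESS" and, for cond, the condition in
     parentheses, wrapped horizontally, so no fixed width is needed
     and nothing is cut off the way an 8-character column would. */
  sortlist key(44,"Profile"),
           uncond("Unconditional",aclidaccess),
           cond("Conditional",aclidaccess)
```

If you only want the access level of a single ID (as the C2RXDEF1 sample does), replace exists(id) with id("QUOTED-ID") and use the ACLACCESS format instead.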