Robert,
Using AM.1, typically the related entries appear as below so excluding the AccRC > 4 (or only including < 8)
Occurrence  Profile key used
      6476  SYS1.PARMLIB

Occurrence  Intent  Type  RetAll  AccRC
       231  ALTER   Auth  RetAll      8
Also help on the RetAll
CARLa field : REQ_STATUS_ACCESS
Newlist type : ACCESS
Header default : RetAll
Field prefix header: Retrieval of access allowed
This flag field (YES/NO) shows whether the RACROUTE REQUEST=AUTH was used
with the STATUS=ACCESS option. STATUS=ACCESS means that the INTENT is set
to ALTER, and that the final reason code as provided to the caller
reflects the allowed access of the user. The return code as shown by
zSecure uses the regular return code for the access intent ALTER.
The field is only present in AUTH records.
Try issuing a LISTDSD for the SYS1.PARMLIB and review the result.
Regards
Brian
------------------------------
Brian Mills
------------------------------
Original Message:
Sent: Thu February 25, 2021 07:54 AM
From: Robert Hansel
Subject: C2PCOLL and CKFREEZE Access Requirements
Access Monitoring is showing access attempts by C2PCOLL and CKFREEZE at ALTER level to PARMLIB and APF libraries. I assume this is caused by attempts to list RACF information on these datasets. Unfortunately, someone in the past thought they needed ALTER access and permitted it. I now need to remove the unnecessary permissions but not the permissions they actually need. I haven't figured out a way to differentiate between an Access Monitor ALTER-level access event resulting from actual access versus one for just listing RACF information. I could resort to assigning them UAUDIT to determine their access needs but for a number of reasons prefer not to do so at this time. Thus far, I haven't been able to determine which manual has information about their setup and access needs. Kindly tell me where I would find such information? TIA
------------------------------
Robert Hansel
President and Lead RACF Specialist
RSH Consulting, Inc.
Cambridge MA
6179698211
------------------------------