Here is another discussion about using RACF_ACCESS to build profile listings. However, there is no lookup of audit concerns or
risk access levels.
Instead, you could look at TRUSTED, though this consumes lots more CPU time. TRUSTED shows you only the users that have
privileged access levels, and it caters for an audit concern field. Note that a single profile can cover multiple sensitive data sets, each with their own audit concern, so a single PERMIT to a profile can show up as multiple lines in this report:
n type=trusted
s class=dataset userid_privilege=permitgrp
sum racf_class,
racf_profile,
via,
access,
senstype auditconcern,
count(nd)
n type=trusted
s class=dataset userid_privilege=permitusr
sum racf_class,
racf_profile,
userid,
access,
senstype auditconcern,
count(nd)
If you add an OPTION HEADER=CSV or HEADER=CSVT before the first newlist statement, you could import the result into excel.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Mon February 08, 2021 04:20 PM
From: Adam Klinger
Subject: zSecure CARLa Newlist Type=Sensdsn Filtering
Yes, thanks Hans! Looking at it from that direction I was able to put something similar together:
newlist type=racf_access required retain pl=0, esm=racf nopage header=column nodupselect exists(priv_senstype)DEFINE id_type('Id_Type',8) as id:id.id.classsortlist, complex, class, resource, profile, priv_senstype(firstonly,20), id, id_type, access
However -- is there a way to pull in the "priv_concern" field from a newlist such as "resource" or "sensdsn" into this, since that field is not a part of "type=racf_access" or a Template field?
------------------------------
Adam Klinger
Original Message:
Sent: Mon February 08, 2021 12:31 PM
From: Hans Schoone
Subject: zSecure CARLa Newlist Type=Sensdsn Filtering
Hi Adam,
Quick answer: that's what TYPE=RACF_ACCESS was designed for ... select on class=DATASET and PRIV_SENSTYPE.
Hope that is enough to put you on the right track...!
------------------------------
Hans Schoone
Chief Architect zSecure
IBM
Delft
Original Message:
Sent: Mon February 08, 2021 11:38 AM
From: Adam Klinger
Subject: zSecure CARLa Newlist Type=Sensdsn Filtering
Greetings, I am looking for some advice on how I can do filtering on the newlist type=sensdsn racf_acl field, since it does not support subselect like the "acl" version under newlist type=racf.
The goal is to only display racf_acl entries where the racf_acl access "subfield" is >= priv_access. Here is what I have so far without the desired filtering:
newlist type=sensdsn required retain pl=0, esm=racf nopage header=column nodupsortlist, complex, dsname(44), priv_access("Priv_Access",firstonly,12), racf_profile(firstonly), racf_uacc, racf_acl, priv_senstype(firstonly), priv_concern(firstonly,200)
Any guidance is appreciated
------------------------------
Adam Klinger
------------------------------