IBM Security Z Security

 View Only

  • 1.  zSecure CARLa Newlist Type=Sensdsn Filtering

    Posted Mon February 08, 2021 11:39 AM
    Greetings, I am looking for some advice on how I can do filtering on the newlist type=sensdsn racf_acl field, since it does not support subselect like the "acl" version under newlist type=racf.

    The goal is to only display racf_acl entries where the racf_acl access "subfield" is >= priv_access. Here is what I have so far without the desired filtering:

    newlist type=sensdsn required retain pl=0,
   esm=racf nopage header=column nodup
sortlist,
  complex,
  dsname(44),
  priv_access("Priv_Access",firstonly,12),
  racf_profile(firstonly),
  racf_uacc,
  racf_acl,
  priv_senstype(firstonly),
  priv_concern(firstonly,200)​


    Any guidance is appreciated



    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure CARLa Newlist Type=Sensdsn Filtering

    Posted Mon February 08, 2021 12:31 PM
    Hi Adam,

    Quick answer: that's what TYPE=RACF_ACCESS was designed for ... select on class=DATASET and PRIV_SENSTYPE.

    Hope that is enough to put you on the right track...!

    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM
    Delft
    ------------------------------

    Original Message


  • 3.  RE: zSecure CARLa Newlist Type=Sensdsn Filtering

    Posted Mon February 08, 2021 04:20 PM
    Yes, thanks Hans! Looking at it from that direction I was able to put something similar together:
    newlist type=racf_access required retain pl=0,
   esm=racf nopage header=column nodup
select  exists(priv_senstype)

DEFINE id_type('Id_Type',8) as id:id.id.class

sortlist,
 complex,
 class,
 resource,
 profile,
 priv_senstype(firstonly,20),
 id,
 id_type,
 access​

    However -- is there a way to pull in the "priv_concern" field from a newlist such as "resource" or "sensdsn" into this, since that field is not a part of "type=racf_access" or a Template field?

    ------------------------------
    Adam Klinger
    ------------------------------

    Original Message


  • 4.  RE: zSecure CARLa Newlist Type=Sensdsn Filtering

    IBM Champion
    Posted Tue February 09, 2021 09:51 AM
    Here is  another discussion about using RACF_ACCESS to build profile listings.  However, there is no lookup of audit concerns or risk access levels.

    Instead, you could look at TRUSTED, though this consumes lots more CPU time.  TRUSTED shows you only the users that have privileged access levels, and it caters for an audit concern field.  Note that a single profile can cover multiple sensitive data sets, each with their own audit concern, so a single PERMIT to a profile can show up as multiple  lines in this report:

    n type=trusted
      s class=dataset userid_privilege=permitgrp
      sum racf_class,
          racf_profile,
          via,
          access,
          senstype auditconcern,
          count(nd)
    n type=trusted
      s class=dataset userid_privilege=permitusr
      sum racf_class,
          racf_profile,
          userid,
          access,
          senstype auditconcern,
          count(nd)

    If you add an OPTION HEADER=CSV or HEADER=CSVT before the first newlist statement, you could import the result into excel.

    ------------------------------
    Rob van Hoboken
    ------------------------------

    Original Message


  • 5.  RE: zSecure CARLa Newlist Type=Sensdsn Filtering

    Posted Tue February 09, 2021 01:09 PM
    Thanks Rob, newlist type=trusted seems like the way to go for my needs.

    ------------------------------
    Adam Klinger
    ------------------------------

    Original Message