IBM Security Z Security

Expand all | Collapse all

CARLA to return dataset profiles that cover a list of datasets

Jump to Best Answer
  • 1.  CARLA to return dataset profiles that cover a list of datasets

    Posted Fri December 11, 2020 06:06 PM
    Hi everyone,

    If I have a list of 30 datasets and want to create a report of which dataset profile protects each of them and the basic details of that profile (UACC, audit settings etc) what is the best way to do that using CARLA? I can do it for a single dataset using the BESTMATCH selection criteria but I haven't found an efficient way to do it for multiple datasets. Thanks very much.

    ------------------------------
    NATHAN SHRIVE
    ------------------------------


  • 2.  RE: CARLA to return dataset profiles that cover a list of datasets
    Best Answer

    Posted Mon December 14, 2020 04:45 AM
    Edited by NATHAN SHRIVE Wed December 16, 2020 05:22 PM
    Hi Nathan
    One way to get your list of profiles uses the SIMULATE command to make the data set look important (or sensitive) to zSecure, and then select the profiles that protect these sensitive data sets.  Unfortunately, the normal RACF newlist does not know sensitivity (or SENSTYPE) but RACF_ACCESS does.  RACF_ACCESS does not know how to print the ACL, but the individual entries on the Access Control List are available as records (or entries) in this newlist, and the normal profile fields can be referenced using the implicit lookup operator :

    simulate class=dataset senstype=SiteListIt resource=(,
    IBMUSER.JOB.CNTL,
    SYS1.AOSBN,
    )
    newlist type=racf_access
      define idstar(access_nz) max(access) where id='*'
      s priv_senstype=siteListIt
      summary profile :uacc :audits :auditf idstar

    The result looks like

    R A C F   A C C E S S   A U T H O R I Z A T I O N S   14 Dec 2020 10:42

    Profile             UACC    Success Failure IDSTAR
    IBMUSER.*.**        NONE            READ
    SYS1.*.**           READ    UPDATE  UPDATE  READ

    Note: be sure to enter a comma after each dsname, this builds a value list.
    Also, you must allocate a CKFREEZE data set.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: CARLA to return dataset profiles that cover a list of datasets

    Posted Tue December 15, 2020 07:01 PM
    Hi Rob,

    Thanks very much for your assistance. Unfortunately the client is running zSecure Admin 2.3.0, it looks like your solution doesn't work on that version as it does not recognize the sensetype= parameter. I get error CKR0981 12 Invalid SIM_CLASS_KEYWORD "SENSTYPE"

    I did test it on another client that run 2.4.0 and it worked as you described.

    ------------------------------
    NATHAN SHRIVE
    ------------------------------



  • 4.  RE: CARLA to return dataset profiles that cover a list of datasets

    Posted Wed December 16, 2020 03:18 AM
    Edited by Rob van Hoboken Wed December 16, 2020 03:25 AM
    SENSTYPE in an alias of SENSITIVITY.  You would perhaps not be surprised to  know how many misspellings of sensitivity occur.  SIMULATE CLASS=DATASET SENSITIVITY=xxx works in 2.3.0.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: CARLA to return dataset profiles that cover a list of datasets

    Posted Wed December 16, 2020 05:22 PM

    Thanks Rob, that worked perfectly.



    ------------------------------
    NATHAN SHRIVE
    ------------------------------