IBM Security Z Security

  • 1.  CARLA output in CSV Format

    Posted Thu April 22, 2021 04:06 PM
    Hi All,

    We have upgraded to below:
    Product/Release
    5655-N16 IBM Security zSecure Admin 2.3.1
    5655-N17 IBM Security zSecure Audit for RACF 2.3.1

    Does the zSecure Admin 2.3.1 allow output of RACF information in a CSV format?

    If so, does anyone have any samples of CARLA code that would produce below dataset report in a dataset into CSV format?
    RACF GROUP W0DB
    Group nesting level 3
    Superior group MIDWEST
    Owner MIDWEST
    Installation data DATABASE/IMS TECH SUPPT - REQUIRES APPROVAL FROM


    User/Grp Auth R SOA AG Uacc Revokedt Resumedt RI Name
    ------------------------------------------------------ -- ----
    $JOBD20 USE NONE DB2 TECH PROD JOBS
    $JOBIM0 USE NONE IMS T/S PROD JOBS
    BMCP USE NONE IMS STC

    Thanks much!
    Laura

    ------------------------------
    Laura A Bolz
    ------------------------------


  • 2.  RE: CARLA output in CSV Format

    Posted Fri April 23, 2021 02:52 AM
    Hi Laura,

    The zSecure 2.3.1 CARLa Command Reference contains a section that is named "Field headers and automatic formatting" in chapter 1.
    This section contains the following information about producing output in CSV format:

    With HEADER=CSV, output is generated in a format that is ready for most spreadsheet programs, with commas between field values and quotes (only) when needed.
    newlist type=racf header=csv
    select class=facility
    sortlist profile owner uacc instdata

    Results in:

    BPX.CONSOLE,BPXOWNER,NONE,"WRITE MESSAGES TO Z/OS CONSOLE"
    BPX.DAEMON,BPXOWNER,NONE,

    With HEADER=CSVT, the column headers are collected in a separate line preceding the variable lines:

    Profile key,Owner,UACC,InstData
    BPX.CONSOLE,BPXOWNER,NONE,"WRITE MESSAGES TO Z/OS CONSOLE"
    BPX.DAEMON,BPXOWNER,NONE,

    Note: you should add any quotes and escapes in overriding field titles, because the headers are generated as is.

    So when you add header=CSV (or CSVT) to the newlist statement in your CARLa program, it should produce the output in CSV format.
    I hope this answers your question sufficiently.

    Best regards, Tom

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: CARLA output in CSV Format

    Posted Fri April 23, 2021 09:13 AM

    Thanks Tom.  I've been trying to get the below manual, however, I'm waiting for our tech suppt group to obtain it as they have our IBM Customer # as I don't have that.

     

    Regards,
    Laura Bolz
    Security Access Services(SAS)
    Information Risk & Compliance Assurant Global Technology
    (651) 343-9086
    OOO
    Fri., May 21, 2021


  • 4.  RE: CARLA output in CSV Format

    IBM Champion
    Posted Fri April 23, 2021 03:27 AM
    Edited by Rob van Hoboken Fri April 23, 2021 03:34 AM
    You can get this report with the following CARLa:
    newlist type=racf pl=0 header=csvt
      select c=group s=base mask=W0DB
      sortlist profile('group'),
               depth('nesting'),
               supgroup('superior'),
               owner('owner'),
               instdata('installation data'),
               userid('userid'),
               userid:connect('connect info'),
               userid:revoke('REVOKED USER',hb),
               userid:revoke_inactive('INACTIVE USER',hb),
               userid:dfltgrp('user default group'),
               userid:instdata('user instdata')

    If you dislike the line at the top with field names, change the code to HEADER=CSV.  I added PL=0 to counter an older defect in the HEADER parameter.
    The connect attributes are not exported in a single blob of data.  You could replace this by writing

    userid:useracs('auth'),
    userid:grprevok('REVOKED',hb),
    userid:grpspec('SPECIAL',hb),
    userid:grpoper('OPER'),
    userid:grpaudit('AUDITOR',hb),
    userid:grpadsp('ADSP',hb),
    userid:grpacc('GRPACC',hb),
    userid:grpuacc('uacc'),
    userid:cgrevkdt('revokedate'),
    userid:cgresmdt('resumedate'),

    instead of userid:connects

    I copied heavily from the CARLa code generated by RA.G, as follows.  Run a report in RA.G.  Inspect the group list and press F3.  Enter RESULTS in the command line and select COMMANDS.  This is the CARLa that produced the display.
    With recent maintenance in zSecure 2.4, you could also type =CO.L in the command line to jump to the last commands.

    Note, zSecure 2.3.1 is old, like 2018.  Many fixes and useful new capabilities have been added since, in zSecure 2.4.  This release will run fine on older releases of z/OS so (from a technology point of view) you don't have to wait for z/OS 2.4 to upgrade zSecure.
    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 5.  RE: CARLA output in CSV Format

    Posted Fri April 23, 2021 09:08 AM

    Thanks Rob.  I'll give the below a shot!

     

    Regards,
    Laura Bolz



  • 6.  RE: CARLA output in CSV Format

    Posted Mon April 26, 2021 08:56 AM

    Hi Rob,

    The below worked for the comma delimited file for groups.

    As I don't have the CARLA code manual as yet, can you tell me how to produce an access list of users with access >=update?  I coded below and this worked so far:

    newlist type=racf pl=0 header=csv
      select c=dataset s=base mask=ASG.OPS.**
      sortlist profile('dataset'),
               depth('nesting'),
               userid('userid'),
               userid:Name,
               userid:dfltgrp('user default group')

     

    Thanks!

    Regards,
    Laura Bolz



  • 7.  RE: CARLA output in CSV Format

    IBM Champion
    Posted Mon April 26, 2021 09:26 AM
    Edited by Rob van Hoboken Mon April 26, 2021 09:30 AM
    The field USERID in RACF DATASET profiles contains the USERID and GROUP names from PERMITs issued for the profile.  zSecure adds the ACL compound field to make more sense of the permits.  The SUBSELECT ACL function can be used to suppress entries from the report, for example, the NONE and READ permits.  ACL(RESOLVE) calculates how connect groups and user specific permits together arrive at the access level a user enjoys.

    So, if you want to see the USER IDs that have access, you use

    newlist type=racf pl=0 header=csv
      define acl_update_users(resolve) subselect acl(access>read user=*)
      select c=dataset s=base mask=sys1.** acl(access>read)
      sortlist profile('dataset'),
         acl_update_users(aclid,'userid'),
         acl_update_users(aclaccess,'access'),
         acl_update_users:Name,
         acl_update_users:dfltgrp('user default group')

    You will see the dataset field filled in only seldom.  That is due to the way repeated fields in profile reports are printed.  The non-repeated fields are printed once, at the beginning of the data about a profile; on all but the first line, the values of the repeated fields stand alone on the output line.  You can have the non-repeated fields on all lines by adding RETAIN on the NEWLIST command.

    Also, you will see profiles WITHOUT obvious acl information.  That could be due to the data set having no permits, or due to no users or groups having UPDATE.  You cannot suppress these lines.

    Finally, note that your mask=ASG.OPS.** selects all profiles that match this mask.  If you want ONLY one profile that matches this value EXACTLY, use profile=ASG.OPS.**

    ------------------------------
    Rob van Hoboken
    ------------------------------
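
    The following Python post-processor is an added example, not part of the thread and not zSecure code. It cleans up HEADER=CSV output from the access-list report above when RETAIN is not used: it carries the dataset name down onto continuation lines, drops profile lines that have no ACL entry, and re-checks the access floor. It assumes continuation lines arrive with an empty first field and that the columns follow the SORTLIST order in the post; the column labels and the sample data are constructed.

```python
import csv
import io

# Labels chosen here for the five SORTLIST columns in the post (assumption).
COLUMNS = ["dataset", "userid", "access", "name", "dfltgrp"]
# RACF access levels in ascending order of authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample of HEADER=CSV output without RETAIN (not real data).
SAMPLE = '''SYS1.LINKLIB,IBMUSER,UPDATE,"DOE, JANE",SYS1
,OPSUSR1,ALTER,OPS USER ONE,OPS
,AUDITOR1,READ,AUDIT USER,AUDIT
SYS1.PARMLIB,,,,
SYS1.PROCLIB,SYSPROG1,CONTROL,SYSTEM PROGRAMMER,SYS1
'''


def normalize(csv_text, min_access="UPDATE"):
    """Return one dict per user entry at or above min_access."""
    floor = LEVELS.index(min_access)
    rows, current = [], ""
    # csv.reader handles the "quotes only when needed" convention.
    for rec in csv.reader(io.StringIO(csv_text)):
        if not any(field.strip() for field in rec):
            continue  # blank line
        rec = [f.strip() for f in rec] + [""] * (len(COLUMNS) - len(rec))
        row = dict(zip(COLUMNS, rec))
        if row["dataset"]:
            current = row["dataset"]      # first line of a new profile
        else:
            row["dataset"] = current      # continuation line: fill down
        if not row["userid"]:
            continue  # profile reported without any qualifying ACL entry
        access = row["access"].upper()
        if access not in LEVELS or LEVELS.index(access) < floor:
            continue  # unknown or too-low access level
        rows.append(row)
    return rows


def users_by_dataset(rows):
    """Group the normalized rows as {dataset: [(userid, access), ...]}."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["dataset"], []).append((row["userid"], row["access"]))
    return grouped


if __name__ == "__main__":
    for ds, users in users_by_dataset(normalize(SAMPLE)).items():
        print(ds, users)
```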