IBM Security Z Security

 View Only
  • 1.  Include LPAR name in RACF User List and Access Reports

    Posted Tue May 25, 2021 02:32 AM
    Wondering if someone can advise what is the best way to include the lpar name in a RACF user list (TYPE=RACF) or access report (TYPE=REPORT_SCOPE)? It seems like it should be straight forward and probably is, but I haven't been able to figure out a good way to do it. Any help would be greatly appreciated.  Thanks very much.

    ------------------------------
    NATHAN SHRIVE
    ------------------------------


  • 2.  RE: Include LPAR name in RACF User List and Access Reports

    Posted Tue May 25, 2021 02:44 AM
    Hi Nathan,

    These report types describe the contents of the security database. The RACF database might be protecting multiple LPARs. Or you might be reporting about a RACF database that is not active. Which LPAR name or names do you want to include?

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    ------------------------------



  • 3.  RE: Include LPAR name in RACF User List and Access Reports

    Posted Tue May 25, 2021 03:12 AM
    Hi Jeroen,

    Thanks for your quick reply. Generally I am running the reports on the Active Backup RACF database so the the value I want to return is the name of the lpar the report is being ran on. The SYSTEM field from other report types seems to contain what I want but I don't know how to access it from the report types I'm using or whether its even possible. Hopefully that makes sense.

    ------------------------------
    NATHAN SHRIVE
    ------------------------------



  • 4.  RE: Include LPAR name in RACF User List and Access Reports

    Posted Tue May 25, 2021 03:02 AM
    Like Jeroen wrote, the RACF database is not architecturally bound to one LPAR, but can be shared (physically or logically).  CARLa uses the concept of COMPLEX to describe all systems that rely on a specific RACF database.  The value of COMPLEX can be set on the ALLOC command (through the COMPLEX field for the Input files in SE.1).  By default COMPLEX is derived from the RRSF nodename (if the system uses RRSF), the SYSPLEX name (if the system is part of a SYSPLEX), or the SYSNAME system symbol.

    You can see the value of COMPLEX in the RA panels, mostly in the 2nd column.

    If you dislike COMPLEX as shown, you can set another value in SE.1 for your selected input sets (using the E line command).  Be sure to set the same value for all sets that you select, zSecure uses your input to simulate if the RACF database and CKFREEZE files belong together.

    If you want to see the ACTIVE LPAR name in your reports, you can show the name of the system where zSecure is currently running with a lookup to the run information, like so

    newlist type=racf title='System special ids'
      select class=user special
      sortlist profile('User') :run.system

    To see the field names in the RUN newlist, enter FIELDS RUN in the command line.

    If you want to print the system name in the title, you could use

    newlist type=racf title='System special ids on system '
      select class=user special
      sortlist profile('User')
      summary :run.sysname(title) count(nd)

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: Include LPAR name in RACF User List and Access Reports

    Posted Tue May 25, 2021 03:52 AM
    Hi Nathan,

    It seems that Rob meanwhile provided an answer to your question. You can access the SYSTEM field in TYPE=RUN using the lookup :run.system.

    This is always the active SYSTEM, since TYPE=RUN contains the characteristics of the LPAR you run on.

    Note that SYSTEM contains the SMFid (which might or might not really be what you think of when you say "LPAR name", and might or might not match it anyway).

    You can also choose SYSNAME (as specified for the LPAR in the IEASYMxx or IEASYSxx parmlib member) or SYSPLEX (the SYSPLEX name, which might make sense if all LPARs in your SYSPLEX are protected by the same RACF database and you'd prefer your report to stay the same if you submit it from another LPAR in the same environment).

    Note that this implicit lookup construction is allowed towards TYPE=RUN from these report types, while lookup to TYPE=SYSTEM is not, because the profiles in the database are not truly linked to (any of) the CKFREEZE file(s) you "happen to be" running with. There are ways to obtain that information also, but it seems you do not need that for your purpose here. :-)

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    ------------------------------



  • 6.  RE: Include LPAR name in RACF User List and Access Reports

    Posted Tue May 25, 2021 07:48 PM
    Thank you both very much, that was exactly what I was after. It looks like there are some other useful fields under RUN I'll be able to make use of as well :)

    ------------------------------
    NATHAN SHRIVE
    ------------------------------