IBM Security Z Security

  • 1.  How to execute CARLa COPY commands after a SORTLIST ?

    Posted Mon March 08, 2021 01:13 PM
    Hi guys, 

    I have a CARLa script that creates CARLa COPY commands in the SORTLIST.
    How can I run these CARLa commands in the same or another CARLa script?
    The CARLa script is :
    select c=user s=base cggrpnm=consult
    sortlist " COPY USER=" | key(0) " TOUSER=USERBKP"

    In the second step I need to "bypass" the CARLa restriction on COPYing different user IDs to the same ID, in this case USERBKP.
    I've tried using suppress message(0535,536), but it doesn't "bypass" that restriction.
    The intention is to create all the RACF commands to recreate a deleted user ID. The reason for the delete is to follow the customer procedure of deleting revoked IDs after 30 days. But, we know, they want to save the user ID settings to recreate it if necessary.
    Do you have any idea how to do this using CARLa? By COPYing or another way?

    Thanks
    Jose Villela

    ------------------------------
    José Villela Ribeiro Júnior
    ------------------------------


  • 2.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    IBM Champion
    Posted Tue March 09, 2021 03:43 AM
    Edited by Rob van Hoboken Tue March 09, 2021 03:45 AM
    If you write CARLa commands to DD name CKR2PASS, zSecure's ISPF interface presents the results and allows you to run the commands in a 2nd pass.  In a batch job you can use catalogued procedure C2RC2 to run these CARLa commands immediately.

    I would like to suggest another approach for your requirement.  zSecure has a RECREATE function to create profiles from a copy of the RACF database.  Many customers use this to recover profiles that were deleted by accident, or delete prematurely.  They create an UNLOAD of the RACF database, for example, every day or every week, into a GDG.  You can look at job C2RJPREP (in SCKRSAMP or CKRJOBS) for JCL to build a new UNLOAD.

    When you have an UNLOAD of a date when the user ID, or the missing profile, still existed, you create a set of input files in SE.1 with the UNLOAD dsname and type UNLOAD, or an archive copy of the RACF database with type COPY.RACF.  Then you unselect the active RACF database from SE.1.  You can use RA.U to inspect the (old) user ID and use the R line command to recreate it.  This generates the RACF commands, like ADDUSER, ALTUSER, CONNECT, PERMIT and even ADDSD and RDEF as needed.  When you run these on your active RACF db, the user ID is largely recreated.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    Posted Tue March 09, 2021 06:26 AM
    Hi Rob , 

    I agree with your idea to change the approach for the solution. My first idea was to develop an entire solution via batch jobs, using COPY commands to save RACF recreate commands for future reference, if necessary. Having a daily RACF UNLOAD file via GDG is a good idea.

    I'd like to suggest that the zSecure CARLa development team include a parameter in the COPY command to make it possible to "bypass" the restriction on copying USERABC to USERABC, why not? :-)

    Thanks Rob

    Jose Villela




    ------------------------------
    José Villela Ribeiro Júnior
    ------------------------------



  • 4.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    Posted Tue March 09, 2021 03:46 AM

    Hi José,

    frankly, I have no clue why you would want to do this.

    Even if you could find a way to successfully bypass the CKR0535 and CKR0536 messages and generate COPY commands resulting from multiple user IDs to a single target user ID, you would not know which original user IDs contributed to the commands for the target user ID, "USERBKP" in your scenario. There would be no way to restore a contributing deleted user ID to its original state using the RACF commands generated for "USERBKP".

    Furthermore, recreating/copying an (unintentionally) deleted user ID can easily be performed when you keep RACF backups and/or zSecure UNLOAD data sets that still contain the original user ID that was deleted from the primary active RACF db. When you allocate one of these input sources to your CARLa script, it would be easy to restore that deleted user ID in its original state.
    I guess what I am failing to see is the goal of your CARLa script: what business problem are you trying to solve?

    HTH Tom



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 5.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    Posted Tue March 09, 2021 05:46 AM
    Hi Tom, 
    I agree with your considerations and concerns about using COPY commands to copy from multiple user IDs to a specific user ID. My first idea was to have "backup commands" to recreate deleted user IDs when necessary.

    In this first solution idea I wanted to avoid using a RACF backup or UNLOAD to do this, including some additional steps via zSecure online, because that solution would be done via batch jobs.
    Now, based on the solution of using a RACF UNLOAD created daily via GDG, is it possible to use the RECREATE process via batch?

    Thanks Tom.

    Jose Villela

    ------------------------------
    José Villela Ribeiro Júnior
    ------------------------------



  • 6.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    Posted Tue March 09, 2021 07:27 AM
    Edited by Tom Zeehandelaar Tue March 09, 2021 07:35 AM
    Hi José,

    Yes, indeed it is possible to use this RECREATE user ID process via batch. The SCKRCARL member that is named CKRXRUS can be used for this purpose. One way of creating such a batch job using the zSecure user interface that performs a RECREATE of a user ID is as follows:
    • Make sure that you allocate the UNLOAD data set containing the user ID that you want to recreate as input in Setup files (option SE.1).
    • Next, access the CARLa editor with primary command CARLa or use option CO.C and enter the following CARLa code:
    newlist type=racf name=idsel outlim=0
     select class=user key=<-- type the user ID to be recreated here!
     sortlist class key
    
    i m=ckrxrus
    • Notes on this code:
       - The first 3 lines determine the user ID(s) that are to be recreated and assign the name IDSEL (for ID selection).
       - This IDSEL pre-selection is passed on as input for member CKRXRUS.
       - The outlim=0 specification means that you do not want this newlist to produce output.
       - The select statement defines which user ID is to be recreated.
       - When you want to recreate multiple user IDs simultaneously, you can code it as "select class=user key=(user1,user2,user3, etc.)"
       - The sortlist feeds class "user" and the name of the user ID to member CKRXRUS to process.
       - The "i m=ckrxrus" statement includes the member named CKRXRUS from the allocated SCKRCARL library.

    • Enter command SUBMIT (or SUB) to indicate that you want to run this CARLa in the background.
    • This command shows the "Submit menu". Here, you can add a valid job card for the job on your system. Use option 3, for Submit, to run the recreate job. If all is well, the job produces the appropriate RACF commands to recreate your selected user ID. Optionally, you can add an extra step that executes the generated commands.
    • Alternatively, you can use option 2, for Edit, which allows you to edit (clean up the JCL to your desired standard) and save the job as a recreate user ID job in your company's job library for future use.
    Regards, Tom


    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------
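    Putting the steps above into one batch CARLa member, as an added example that is not code from the post or from the zSecure product: the preselection newlist and the include line are the ones the post shows; the alloc statement, the GDG data set name and the user IDs USER001..USER003 are assumptions.

```carla
/* Added example (not from the post): recreate several deleted user IDs  */
/* from a daily UNLOAD in batch. Assumptions: the ALLOC statement and    */
/* the GDG data set name; the user IDs are constructed sample values.    */

/* Point the run at the UNLOAD generation that still holds the user IDs, */
/* instead of the active RACF database (batch counterpart of SE.1).      */
alloc type=unload dsn='SYS1.ZSECURE.UNLOAD(-1)'   /* assumption: relative GDG generation */

/* Preselection newlist IDSEL: names the user IDs to recreate and,      */
/* because of outlim=0, produces no report output of its own.           */
newlist type=racf name=idsel outlim=0
 select class=user key=(USER001,USER002,USER003)   /* constructed sample IDs */
 sortlist class key

/* Include predefined SCKRCARL member CKRXRUS, which reads IDSEL and     */
/* generates the ADDUSER/ALTUSER/CONNECT commands for those user IDs.    */
i m=ckrxrus
```

    Submit it as described in the post (SUBMIT, option 3) and review the generated RACF commands before adding a step that executes them against the active RACF database.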



  • 7.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    Posted Tue March 09, 2021 01:53 PM
    Hi Tom,

    The CARLa process via the CKRXRUS script you suggested works fine. Thank you very much.

    Jose Villela





  • 8.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    IBM Champion
    Posted Wed March 10, 2021 03:51 AM
    Edited by Rob van Hoboken Wed March 10, 2021 05:49 AM
    You can get sample CARLa code by running zSecure option RA.4.6 (Mass update - recreate user).  After the RACF commands are presented, you press F3 to see the RESULTS panel.  SYSPRINT illustrates the CARLa code, though you have to skip the embedded members to fully match the code you should type into your job.  Hint: CKRXRUS generates the BASE segment fields, connects and RACLINKs, but not the user-specific DATASET and general resource profiles.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 9.  RE: How to execute CARLa COPY commands after a SORTLIST ?

    Posted Wed March 10, 2021 04:14 AM
    Edited by Jeroen Tiggelman Wed March 10, 2021 04:54 AM
    Since we are now giving hints, I will point out that the zSecure Admin and Audit User Reference Guide has a subsection "CARLa scripts for RECREATE and COPY functions" in the "Predefined CARLa scripts" section of the "RACF Administration" chapter.

    This explains the difference between the CKRXC* and CKRXR* members, explains about CKGX*, explains how the various LIKELISTs are used with preselection newlists, and lists the functions of the 31 pertinent SCKRCARL members.

    Jeroen

    P.S. Since it is a licensed book, I am not including a direct link.

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------