Hi Linnea
This is how you list the users that have a specific rolekey in a department. Simply select their CSDATA segments using a comparison on both fields in a single SELECT; this applies both tests as an AND condition:
newlist type=racf name=role0001
select class=user segment=csdata $ROLEKEY=DSTI $AU=045982
sortlist profile(8,"User ID") :name custom_data
The :NAME field finds the corresponding BASE segment and picks up the name; CUSTOM_DATA formats all the CSKEY/CSDATA/CSFLAG values, as an illustration.
Finding all users that are NOT connected to a group is also easy. You simply select the BASE segment for all user IDs and exclude the ones that have the required CONNECT already:
newlist type=racf name=conn0001
select class=user segment=base
exclude cggrpnm=RADM0001
sortlist profile(8,"User ID") name connects
You can also convert the EXCLUDE into a NOT( ) clause like so:
newlist type=racf name=conn0001
select class=user segment=base not(cggrpnm=RADM0001)
sortlist profile(8,"User ID") name connects
But these reports find thousands of user IDs. We must combine the two NEWLISTs, so the 2nd NEWLIST only works on profiles that have been selected by the 1st. CARLa offers the PROFLIST keyword to link the results of two NEWLISTs:
newlist type=racf name=role0001 outlim=0
select class=user segment=csdata $ROLEKEY=DSTI $AU=045982
sortlist profile(8,"User ID") :name custom_data
newlist type=racf name=conn0001 proflist=role0001
select class=user segment=base
exclude cggrpnm=RADM0001
sortlist profile(8,"User ID") name connects
OUTLIM=0 suppresses output of the 1st NEWLIST, so the results are only used internally for PROFLIST processing. PROFLIST=ROLE0001 in the 2nd NEWLIST restricts the selection to profiles that were selected in the NEWLIST referenced, even when that NEWLIST works on different segments.
Internally the two NEWLISTs work concurrently, each selecting profiles (segments really) that match the SELECT command. The 2nd NEWLIST selects thousands and thousands of USERs, so you want to make the SELECT commands as precise as possible. After the whole database has been read, the results of the 2 NEWLISTs are combined; only profiles (by key) that were selected in both are processed for output.
Now, you probably want to generate RACF commands for the user IDs that are not yet connected to the right group, so this is how:
newlist type=racf name=role0001 outlim=0
select class=user segment=csdata $ROLEKEY=DSTI $AU=045982
sortlist profile(8,"User ID") :name custom_data
newlist type=racf name=conn0001 proflist=role0001 nopage dd=ckrcmd
select class=user segment=base
exclude cggrpnm=RADM0001
sortlist "CONNECT" profile(8) "GROUP(RADM0001)"
You might also want to remove CONNECTs to this group, if the user does not have the right ROLEKEY and AU. This is where you can use NOTPROFLIST:
newlist type=racf name=role0001 outlim=0
select class=user segment=csdata $ROLEKEY=DSTI $AU=045982
sortlist profile(8,"User ID") :name custom_data
newlist type=racf name=rem0001 notproflist=role0001 nopage dd=ckrcmd
select class=user segment=base cggrpnm=RADM0001
sortlist "REMOVE" profile(8) "GROUP(RADM0001)"
By the way, some years ago I wrote a CARLa script to implement role based administration for RACF groups, using CSDATA fields. The whole process, including documentation and source code, can be found in the zSecure Wiki.
Or better, navigate to the Wiki section of the Knowledge Center and find the Chapter about RBAC concepts.
------------------------------
Rob van Hoboken
------------------------------
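To make the PROFLIST / NOTPROFLIST semantics from the post concrete, here is an added Python model of the two linked NEWLISTs (example code written for this page, not CARLa and not zSecure's own code). The user IDs, names and CSDATA values are constructed sample data; the role key DSTI, AU 045982 and group RADM0001 are taken from the post above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    """One RACF user profile: BASE segment fields plus an optional CSDATA segment."""
    userid: str
    name: str
    connects: frozenset            # CGGRPNM values from the BASE segment
    csdata: Optional[dict] = None  # CSDATA custom fields ($ROLEKEY, $AU); None = no segment

# Constructed sample database (hypothetical user IDs, not real data).
USERS = [
    User("ANNA01", "Anna", frozenset({"RADM0001", "SYS1"}), {"ROLEKEY": "DSTI", "AU": "045982"}),
    User("BEN02",  "Ben",  frozenset({"SYS1"}),             {"ROLEKEY": "DSTI", "AU": "045982"}),
    User("CARL03", "Carl", frozenset({"RADM0001"}),         {"ROLEKEY": "DSTI", "AU": "999999"}),
    User("DANA04", "Dana", frozenset({"RADM0001"}),         None),
    User("EVE05",  "Eve",  frozenset(),                     {"ROLEKEY": "OPS",  "AU": "045982"}),
]

def select_role(users, rolekey, au):
    """NEWLIST role0001: SELECT segment=csdata $ROLEKEY=... $AU=... (both tests ANDed).
    With OUTLIM=0 nothing is printed; only the set of profile keys is kept."""
    return {u.userid for u in users
            if u.csdata is not None
            and u.csdata.get("ROLEKEY") == rolekey
            and u.csdata.get("AU") == au}

def select_base(users, group, connected, proflist=None, notproflist=None):
    """NEWLIST on segment=base. connected=False models EXCLUDE cggrpnm=group,
    connected=True models SELECT cggrpnm=group. PROFLIST keeps only keys the
    referenced NEWLIST also selected; NOTPROFLIST keeps only keys it did not."""
    keys = {u.userid for u in users if (group in u.connects) == connected}
    if proflist is not None:
        keys &= proflist
    if notproflist is not None:
        keys -= notproflist
    return keys

def connect_commands(users, rolekey, au, group):
    """CONNECT commands for users with the role but without the group (PROFLIST case)."""
    role = select_role(users, rolekey, au)
    todo = select_base(users, group, connected=False, proflist=role)
    return [f"CONNECT {uid} GROUP({group})" for uid in sorted(todo)]

def remove_commands(users, rolekey, au, group):
    """REMOVE commands for users in the group who lack the role (NOTPROFLIST case)."""
    role = select_role(users, rolekey, au)
    todo = select_base(users, group, connected=True, notproflist=role)
    return [f"REMOVE {uid} GROUP({group})" for uid in sorted(todo)]

if __name__ == "__main__":
    for cmd in connect_commands(USERS, "DSTI", "045982", "RADM0001") + remove_commands(USERS, "DSTI", "045982", "RADM0001"):
        print(cmd)
```

Note that DANA04, who has no CSDATA segment at all, is still caught by the REMOVE pass: NOTPROFLIST subtracts keys, so a missing segment counts as "not selected", exactly as the post describes.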