IBM Security Z Security

Expand all | Collapse all

CKGRACF ACCESS Command

  • 1.  CKGRACF ACCESS Command

    Posted Wed July 21, 2021 12:29 PM
    When using the CKGRACF ACCESS to determine if the USER/GROUP has access to the DATASET/RESOURCE, is there a way to get the output to display how the USER obtained the access?

         CKGRACF ACCESS RB110 DATASET SYS1.PARMLIB                   

     CKG582I 00 RB110 has READ access to DATASET SYS1.PARMLIB        

                profile DATASET SYS1.PARMLIB.**                      

    Instead:

         CKGRACF ACCESS RB110 DATASET SYS1.PARMLIB                   

     CKG582I 00 RB110 has READ access to DATASET SYS1.PARMLIB        

                profile DATASET SYS1.PARMLIB.**  via GROUP TSOPROF                    


    I realize I can list the profile and explode the access list to find the user, or run a report on the user to show permissions at the User ID or Group level.

    Was hoping there was some option to use on CKGRACF to show how the access was granted.

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: CKGRACF ACCESS Command

    Posted Fri July 23, 2021 03:23 AM
    Edited by Rob van Hoboken Fri July 23, 2021 03:28 AM
    CKGRACF was designed to show actual information from RACF, and that includes the result of RACF exits and global profiles.  Unfortunately, RACF does not point to the connect group that granted access, so CKGRACF ACCESS (by design) could not show this information.  The inferred connect group info was also not included in CKGRACF because zSecure (CARLa) already evaluates the effect of connect groups and shows the matching group name in REPORT SCOPE (RA.3.4) for the user and in the resolved (or exploded) access list in RA.D/RA.R.

    If you need a (list of) connect group(s) that matches between the user and the matching profile, added into CKGRACF ACCESS, you could consider an RFE.  Otherwise I would suggest you use a CARLa program mimicked after RA.3.4 or RA.D (using ACL(EXPLODE)).  It is not too difficult to run CARLa from a Rexx and pull the results.

    ------------------------------
    Rob van Hoboken
    ------------------------------