Hi Pete,
I can see the value of hiding the potentially sensitive information in the CSDATA field and I would agree that your preferred option would be the cleanest. To achieve it, I believe you would need to open an RFE.
The CONVERSION command deals with adjusting qualifiers in a [data set or general resource] name, so does not apply in this context. However, a DEFINE can be used to hide the CSDATA information [that is unlikely to have notable side effects].
Since you are showing a full command as the start point, I assume your CARLa contains a clause like RACFCMD(HOR WRAP 0).
RACFCMD is in fact a repeated field. The first value in the field will contain the command (for example ALTUSER), then there will be later values that contain USER1, somethingA, CSDATA(XA(ITRM3349320)), and somethingB.
The relevant CSDATA() clauses will always be (full, separate) values. Also, each field will be in its own CSDATA clause [at the moment; this does not constitute a documented interface].
There are some special fields for RACFCMD to reduce the amount of information, notably RACFCMD_KEYWORDS (this suppresses all values and only leaves keywords like GROUP without telling you which group was connected), and RACFCMD_EFFECTIVE (the latter suppresses the clauses that were in error or ignored and thus not actually executed). However, this is the only special instrumentation that is available in CARLa; otherwise it is "just a regular repeated field".
That means that the transformation specified in a DEFINE will be applied to each value in the repeated field. (Also note that using WHERE will result in a selection on the record level, and does not allow making changes to a particular value only.)
So the desired transformation must clip off [at least] the content of the CSDATA() clause without affecting other clauses.
From there, the solution I came up with is:
define type=smf racfcmd_sans_csdata as PARSE(racfcmd,,'CSDATA(')
You print the result like you would RACFCMD itself, with (HOR WRAP 0), to get the full command [without the omitted clauses].
Like so (for testing purposes):
n type=smf; s event=allcommands racfcmd_keywords=csdata
def type=smf racfcmd_sans_csdata(0) as parse(racfcmd,,'CSDATA(')
sortlist recno racfcmd(hor wrap 0) /,
'sanitized:'(11) racfcmd_sans_csdata(hor wrap 0) /
I hope this helps.
Regards,
Jeroen
P.S. Do note that if the clause "CSDATA(" should occur in some other data field (perhaps somewhere between quotes), then the rest of that clause would also be suppressed.
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
------------------------------
Original Message:
Sent: Thu March 26, 2020 10:42 AM
From: Peter Buckley
Subject: CARLa: Hide CSDATA value in RACFCMD field of SMF Report
Hello,
I'm running a simple, standard CARLa report to show RACF commands issued.
However I now have a requirement to either hide or remove custom data from the ADDUSER and ALTUSER commands, before sending to a new recipient.
As a simple example, I want to change output like this:
ALTUSER USER1 somethingA CSDATA(XA(ITRM3349320)) somethingB
To either:
ALTUSER USER1 somethingA CSDATA(***************) somethingB
Or:
ALTUSER USER1 somethingA somethingB
The first option would be preferable.
It seems to me that I should be able to do this in some way with the right DEFINE or CONVERSION, or by some manipulation of the RACFCMD field, but the answer escapes me.
Any help would be appreciated.
------------------------------
Pete Buckley
------------------------------
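An added example, not part of the thread and not zSecure or CARLa code: a Python post-processor for report lines already written out as text. It models the per-value clip described in the reply (including the P.S. caveat) and produces the masked form the question prefers. The sample lines, the function names, and the assumption that clauses use single quotes and balanced parentheses are all assumptions made for this example.

```python
# Added example: post-processing of report text outside CARLa (not zSecure code).
SAMPLE_LINES = [  # constructed report lines, not real SMF data
    "ALTUSER USER1 somethingA CSDATA(XA(ITRM3349320)) somethingB",
    "ALTUSER USER2 DATA('see CSDATA(XA(1)) note') CSDATA(XA(SECRET1))",
    "ADDUSER USER3 NAME('NO CUSTOM DATA')",
]
MARKER = "CSDATA("

def clip_value(value):
    """Model of the per-value clip from the reply: keep the text before the marker."""
    return value.split(MARKER, 1)[0]

def mask_csdata(command):
    """Mask the content of every unquoted CSDATA(...) clause with asterisks."""
    out, i, in_quote = [], 0, False
    while i < len(command):
        ch = command[i]
        if ch == "'":
            in_quote = not in_quote
        if in_quote or command[i:i + len(MARKER)].upper() != MARKER:
            out.append(ch)
            i += 1
            continue
        start = j = i + len(MARKER)
        depth, quoted = 1, False
        while j < len(command) and depth:  # find the matching close parenthesis
            c = command[j]
            if c == "'":
                quoted = not quoted
            elif not quoted:
                depth += (c == "(") - (c == ")")
            j += 1
        end = j - 1 if depth == 0 else j  # unbalanced: mask to end of line
        out.append(command[i:start] + "*" * (end - start) + command[end:j])
        i = j
    return "".join(out)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(mask_csdata(line))
    # The P.S. caveat: a quoted occurrence of the marker truncates that value too.
    print(repr(clip_value("DATA('see CSDATA(XA(1)) note')")))
```

Masking character for character keeps the length of the hidden value visible to the recipient; emit a fixed number of asterisks instead if the length itself is sensitive.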