Hi David,
When I look in the section on RA.3.4 in the Admin and Audit User Reference Manual for zSecure 2.4.0, I find:
The Via column shows the user ID or group in the access list entry that gave the access indicated.
The value can also be any of the following:
followed by a list of values including
-SCP.ID-
followed by
For more information, see the "VIA" field description in the REPORT_SCOPE NEWLIST in IBM Security zSecure CARLa Command Reference
When I look in that section, I find the following explanation for that value:
Resource in scope due to access permitted on a CKG.SCP.ID... scope check
When I look at the ACCESS field for the same report type, I get redirected to a table for the ACCESS=<level> parameter of the REPORT CARLa command that explains CKGOWNR as:
Access granted by the CKGRACF authorized component of IBM Security zSecure Admin through the CKG.SCP scope profiles. Exactly what can be changed further depends on CKG.CMD profile access. This can only be more access than standard RACF, not less.
The CKGRACF component allows defining administrative scope at a very granular level. This scope is defined using profiles with prefixes as shown here, in a class that can be configured (it defaults to XFACILIT). For details, see Chapter 12 "CKGRACF Command Language" in the User Reference Manual.
In the back of the chapter is a section "CKGRACF authority checks" with a subsection "Scope profiles", which explains, among other things:
Access through CKGRACF is regulated by the access granted by two different checks: ID profile checks (CKG.SCP.ID), and user/group (U/G) profile checks (CKG.SCP.U or CKG.SCP.G). ID profiles permit access directly based on the groupid/userid associated with the target object. SCP.U/G profiles use the ownership tree of the target object, with as top qualifier either a user (for SCP.U profiles) or a group (for SCP.G profiles).
Anyway, to make a long story short, CKGOWNR roughly means that you have "owner" level authority through CKGRACF, that is, you are authorized to use that component to make modifications.
I hope this helps.
Best regards,
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
------------------------------
Original Message:
Sent: Wed April 14, 2021 04:05 PM
From: David Malbuff
Subject: What is CKGOWNR and why is it granting access to my resources?
Trying to review how I have "alter" access to a profile in class DASDVOL when I am not in the access list either via ID or group or resource owner.
In zSecure Admin, RA.3.4 (Permit/Scope), with my user ID and "Specify type of authorization" set to "3. Scope (access or administrative authority by any means)":
expanded (option "S Show additional information"):
What is this? What is CKGOWNR? It's not in the resource class or profile access list. It's not defined to RACF.
The only documented reference to CKGOWNR is in the zSecure messages manual with no indication of what it is, why it is, or where it is.
How is it I am being granted alter access in this manner, and what does "-SCP.ID-" mean?
Thanks in advance for any help.
------------------------------
David Malbuff
------------------------------