There are some details about RACF_ACCESS I forgot to mention. RACF_ACCESS can be a life saver when you have to report profiles at the access list entry level, and in compliance reporting. There are extra fields and field values that you can find documented in the Syntax manual (and with the IN.D menu in ISPF).
The ACCESS field also contains
clever information in addition to the normal access levels you use in PERMIT commands, such as QUALOWN (the ability to access resources when your user ID or group operations privilege matches the qualifier of the data set). You should add an ACCESS<>QUALOWN to your SELECT command.
The ID field contains information about the UACC, by setting ID='-UACC-', access via the Global Access Table through ID=' any -', and 2 lesser important values. When using RACF_ACCESS for other reports, users would explicit exclude those using ID<>-*
Also, RACF_ACCESS simulates RACLIST processing, i.e., the combination of profiles with grouping profiles. Such RACLISTed entries are indicated by flag field RACLIST_MERGE, and should be excluded when only real profiles are needed.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Thu June 11, 2020 03:13 AM
From: Free Alexis Val
Subject: higher access in generated commands
Many thanks Rob.
I'm glad to have post my question I learned something today. :)
------------------------------
Alx
Original Message:
Sent: Wed June 10, 2020 03:16 AM
From: Rob van Hoboken
Subject: higher access in generated commands
I agree with Jeroen, a whole new approach is needed, one where individual PERMITs are available as selectable entries. CARLa offers such a data store: RACF_ACCESS.
Next we have to find the highest value of a field in two similar entries, that is the SUMMARY statistic MAX.
Putting these together we get:
newlist type=racf_access dd=ckrcmd nopage retain
define high_access max(access)
select class=facility id=(grpA,grpB)
summary 'PE' profile(0) 'CLASS(' | class(0) | ')',
'ID(newGrp) ACC(' | high_access(0) | ')' count(nd)
Note: RACF_ACCESS does not know about (pseudo) class GENERAL. You can either select the specific classes you need, or write
select class<>(DATASET,GROUP) id=(grpA,grpB)
------------------------------
Rob van Hoboken
------------------------------