IBM Security Z Security

  • 1.  zSecure CARLa: External File Lookup for RACF Search Criteria

    Posted Thu April 02, 2020 09:59 AM
    Hello again!

    I'm trying to figure out how to effectively search RACF profiles that match data patterns in an external file to build RACF commands.

    The first part I am able to accomplish: reading an external file into my own Deftype type=$audit and having type=$audit variables such as $class, $pmask, $succ, and $fail which hold the data.

    The next part I'm working on is how to perform newlist type=racf searches using this external file information as the criteria for the search to build commands. The pseudocode, if you will, is below for what I'm trying to accomplish:

    newlist type=racf nopage
    select c=general and s=base c=$class(0)  mask=$pmask(0)
    sortlist "ralt" | class(0) key(0) | " audit(succ(" | $succ(0) | "," | $fail(0) | ")"

    However, I'm not able to find a successful way to use the type=$audit data in this step. I've looked at and attempted the "Lookup" function but it doesn't seem that will quite work in this instance (data in input file doesn't have unique keys).

    Any guidance would be appreciated!

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure CARLa: External File Lookup for RACF Search Criteria

    IBM Champion
    Posted Thu April 02, 2020 10:37 AM
    Edited by Rob van Hoboken Thu April 02, 2020 10:40 AM
    You could use a NEWLIST TYPE=$AUDIT (assuming you have the DEFTYPE etc. commands done) to generate the NEWLIST TYPE=RACF code that you included above:

    newlist type=$audit nopage dd=ckr2pass
    list  `newlist type=racf nopage dd=ckrcmd`,
    / `select s=base c=` | $class(0) `bestmatch=` | $pmask(0),
    / `sortlist "ralt" class(0) key(0) "audit(succ(` $succ(0) `) fail(` $fail(0) `))"`

    It might be easier to specify the relevant resources in a SIMULATE command, and have SENSDSN or RESOURCE find the profile for you:

    simulate class=dataset senstype=SiteMyDsn access=read,
             prio=5 concern='Confidential data' resource=(,
    SYS1.PROCLIB,
    SYS1.PARMLIB,
    )
    simulate class=FACILITY senstype=SiteMyRes access=read,
             prio=5 concern='Confidential data' resource=(,
    BPX.SUPERUSER,
    )

    newlist type=sensdsn nopage nodup dd=ckrcmd
      select priv_senstype=SiteMyDsn
       sortlist "altdsd '" | racf_profile(0) | "'",
                "audit(succ(update) fail(read))"
    newlist type=resource nopage nodup dd=ckrcmd
      select priv_senstype=SiteMyRes
       sortlist "ralt" class(0) racf_profile(0) "audit(all(read))"


    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: zSecure CARLa: External File Lookup for RACF Search Criteria

    Posted Thu April 02, 2020 01:36 PM
    Thanks for the quick response, one or the other of these approaches will certainly meet my needs!

    ------------------------------
    Adam Klinger
    ------------------------------