IBM Security Z Security

 View Only
  • 1.  CARLa: Dataset Profiles accessed by userids

    Posted Tue September 15, 2020 04:39 AM

    Hi,
    I want to produce a report which is able to show me all the userids that have accessed certain dataset profiles. These dataset profiles are owned by a specific OWNER.

    I currently have a CARLa program which produces me a report with all the dataset profiles that are owned by this OWNER. However, I would like for this report to also produce all the userids who have accessed each of these dataset profiles.
    Is there a way in producing this?

    Any advice would be much appreciated.

    Thanks.
    Daniel



    ------------------------------
    Daniel Vuceric
    ------------------------------


  • 2.  RE: CARLa: Dataset Profiles accessed by userids

    IBM Champion
    Posted Tue September 15, 2020 09:19 AM
    Hi Daniel
    You can use an SMF report to identify users that have accessed data sets.  These reports can be found under EV.D (events - data sets), but the layout of these reports is not very flexible.  So it may be easier to write a trivial little CARLa program to get your report.
    First, you need an SMF dump data set.  You add this to an input set under SE.1, with input type SMF.
    Next, you need a RACF database for input, and a CKFREEZE data set.  The CKFREEZE is optional, but if you omit is, you MUST add a command SUPPRESS CKFREEZE in the CARLa program.

    This is the whole program:

    newlist type=smf
    select class=dataset :owner=sysauth intent>=read
    summary profile * userid intent(max)
    summary userid intent(max) * profile

    The :OWNER selection tells zSecure to look up the OWNER value from the  RACF database.  This supports SMF record types  that do not contain RACF infos, like SMF 14 and 15.

    There are 2 reports produced, one by profile, like so:

    Profile                  User     Intent
    C2POLICE.*.**                     ALTER
                             IBMUSER  UPDATE
                             C2PSUSER ALTER

    This shows the profile and the highest access level anyone used,  from the SMF records.  Next it shows the user ids and the access they used.

    The second report lists per user id, the profiles:

    User     Intent  Profile
    CKNSERVE READ
                     USER.*.**
    CKQRADAR READ
                     SYS1.*.**
                     USER.*.**

    Note, you may find entries with a missing  (blank) user id, this may be due to an SMF record that did not contain a user id.  You can suppress these with an extra command

    EXCLUDE MISSING(USERID)

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: CARLa: Dataset Profiles accessed by userids

    Posted Tue September 15, 2020 11:54 PM
    Thanks Rob! Information you provided is very helpful and worked as intended.

    ------------------------------
    Daniel Vuceric
    ------------------------------



  • 4.  RE: CARLa: Dataset Profiles accessed by userids

    IBM Champion
    Posted Wed September 16, 2020 09:09 AM
    Edited by Rob van Hoboken Wed September 16, 2020 09:13 AM
    One of my friends asked: [They] want to see who is doing the access over a period of time, using SMF might be troublesome because of reading in all the tons of SMF data.    What if the site used Access Monitor.     Could that data be used to report on the activity over a greater period of time?

    Unfortunately, the implicit lookup operator for :OWNER does not work with Access Monitor data (newlist type=access), and an explicit lookup (access_profile:owner) won't work because this lookup is only supported on 8 character entity names (users and groups).  So an OWNER specific report is out of the question with ACCESS.  RFE anyone?

    If you KNEW the profile keys, you could simply use AM.1 to get the report.  Fill  in the SAF class as DATASET and the SAF resource as a filter/pattern.  Remember to specify Output run option 1: Summary by user.  You could also write your trivial little CARLa:

    newlist type=access
      select class=dataset access_profile=sys*.**,
        rectype=auth access_result=0
      summary userid intent * access_profile count(nd)

    with a result like:
    A C C E S S   T R A C E   R E C O R D   L I S T I N G

    Userid Intent Profile key used
    AXRUSER READ
    SYS1.*.**
    SYS1.MPF.**
    AXRUSER UPDATE
    SYSAPPL.**
    SYS1.MPF.**
    C2PSUSER READ
    SYS1.*.**
    IWST READ
    SYSAPPL.**
    SYS1.*.**
    IWST UPDATE
    SYSAPPL.**
    IWST ALTER
    SYSAPPL.**
    SYS1.*.**
    ------------------------------
    Rob van Hoboken
    ------------------------------