IBM Security Z Security

 View Only
  • 1.  Access Monitor Mixing Newlist Types

    Posted 29 days ago

    I was running an Access Monitor batch job in one Carla step with 2 different Newlist types(TYPE=ACCESS & TYPE=RACF_ACCESS), to produce 2 separate reports.  When I ran the job with both newlists in the same step , the 1st report was missing values for SIM_VIA, SIM_VIA_GROUPS & SIM_PROFILE.   

    If I remove the 2nd Newlist (type=racf_access) from the step, I successfully receive values for each SIM_VIA, SIM_VIA_GROUPS & SIM_PROFILE.

    Is this an expected result when mixing Newlist types and reading Access Monitor data? 

    1st Newlist

     NEWLIST TYPE=ACCESS DD=FILE1 PL=0                                      
      SELECT CLASS=FACILITY RESOURCE=STGADMIN.*   
      SORTLIST LAST_TOD USERID SYSTEM(5),       
      ACCESS_PROFILE,                                           
      INTENT SIM_VIA SIM_VIA_GROUPS SIM_PROFILE,                
      CLASS,RESOURCE                                            

    2nd Newlist

    NEWLIST TYPE=RACF_ACCESS DD=FILE2                                   
    DEFINE TOTAL SUM(ACCESS_COUNT_VIO)                                  
    SELECT CLASS=(FACILITY) PROFILE=STGADMIN.*, 
     ACCESS_COUNT_VIO>0                                                 
    SORTLIST ID CLASS PROFILE PROFTYPE ACCESS_FIRSTUSE ,                
     ACCESS_LASTUSE ACCESS(9) ACCESS_COUNT_VIO(6) ACCESS_COUNT_SUC(7),  
     ACCESS_INTENT_MAX_SUC(7) ACCESS_INTENT_MIN_VIO(7)                  
    SUMMARY TOTAL                                                       



    ------------------------------
    Scott Lahner
    ------------------------------


  • 2.  RE: Access Monitor Mixing Newlist Types
    Best Answer

    Posted 29 days ago

    Hi Scott,

    frankly, I am not entirely sure what is the cause of this behavior that you report when combining the newlist types ACCESS and RACF_ACCESS in a single job.

    However, when you add statement:

    simulate racf_access

     To your CARLa code, the SIM_ fields are resolved as you expected. 

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: Access Monitor Mixing Newlist Types

    Posted 29 days ago

    Thank you Tom adding this statement resolved the fields when combining the newlists. 



    ------------------------------
    Scott Lahner
    ------------------------------



  • 4.  RE: Access Monitor Mixing Newlist Types

    Posted 28 days ago

    This is in fact documented in the "Important" note in the RACF_ACCESS newlist description:

    If you run a RACF_ACCESS newlist concurrently with an ACCESS newlist, the SIMULATE RACF_ACCESS
    specification controls which profile is used. In a separately run ACCESS newlist, the presence of
    any SIM_* field implies that the resource is matched against the current RACF database. When run
    concurrently with a RACF_ACCESS newlist, such automatic processing does not take place. If you do not
    specify SIMULATE RACF_ACCESS, all SIM_* fields in the ACCESS newlist are reported as missing.



    ------------------------------
    Guus Bonnes
    ------------------------------