IBM Security Z Security


Access Monitor Unused Profile Cleanup (Option AM.8.1) Creation of the field PERM#

  • 1.  Access Monitor Unused Profile Cleanup (Option AM.8.1) Creation of the field PERM#

    Posted Fri February 09, 2024 08:33 AM

    When running the Unused Profile Cleanup utility in batch I noticed a concern on the field PERM#.

    define Perm#(8," Pe/UACC",dec,noprop) count

    Let's say you have an environment of 3 LPARs/PLEXes and each has its own RACF DB that is kept in sync with RRSF.    If you want to determine profile usage you would need to run the access monitor job with access monitor data from the 3 systems and you need the RACF DB or an Unload from the 3 systems as well.

    Let's say you have a profile called HELLO.DATA.** that has 10 permissions in it. So due to RRSF all 3 RACF DBs have the profile with the 10 permissions.

    When you run this report AM.8.1 it tells you that PERM# is equal to 30 permissions, because it seems to add the permissions from each RACF DB.

    Any way to adjust the DEFINE or SORTLIST to make the counter give a count of unique permissions that exist?



    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Access Monitor Unused Profile Cleanup (Option AM.8.1) Creation of the field PERM#

    IBM Champion
    Posted Sat February 17, 2024 08:19 AM
    Edited by Rob van Hoboken Sat February 17, 2024 08:20 AM

    If your RACF databases are synchronized, you should only have to run Access Monitor reports with 1 database.  The others should be identical, right?

    However, you must run the ACCESS data sets from all images (together) against this single database.  Normally the records from all but the local ACCESS data sets will be ignored, because the system ID in the ACCESS records is matched with the system ID of the current CKFREEZE.  You will see CKR2251 in SYSPRINT.  To make zSecure accept records from all allocated  ACCESS data sets, add a command 

    SIMULATE ACCESS_FALLBACK_DEFAULT

    at the beginning of your CARLa statements.  If you run these options from the panels, and wish to use all ACCESS records, go to SETUP PREAMBLE (SE.3) and enter the SIMULATE command into the preamble.  Remember to add a checkmark to activate the preamble.

    ------------------------------
    Rob van Hoboken
    ------------------------------