IBM Security Z Security


Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

  • 1.  Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 10:14 AM

    Trying to create Carla report to determine if 1st node of a *.SUBMIT SURROGAT profile is not defined as a userid to RACF.

    I can do this by generating LISTUSER commands and run the commands in RACF, but would like to do the same with Carla.

    Results from RACF LU command would be "UNABLE TO LOCATE USER ENTRY XXXXXX"

    Can Carla list the userids from below #qual1 and determine which are not defined as userids to RACF? 

    N TYPE=RACF NOPAGE DD=CKRCMD                               

    Define #qual1('Qual1') as word(profile,1,'.')              

    s class=surrogat s=base (mask=*.submit)

    SORTLIST "LU" #QUAL1 



    ------------------------------
    Scott Lahner
    ------------------------------


  • 2.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 11:13 AM

    Hi Scott,

    Here is a first idea as a starting point:

     N TYPE=RACF nopage dd=ckr2pass                        
     Define #qual1('Qual1') as word(profile,1,'.')         
     s class=surrogat s=base (mask=*.submit)               
     list `n nopage empty='Unable to locate user entry`,   
       #qual1(0) | `'; s c=user s=base key=` |,            
       #qual1(0) | `; sortlist "` | qual1(0) | ` found"`   


    You can run this from CO.C; then it will put the next query in the CKR2PASS file, and you should be able to PF3 and 'R'un the query.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 3.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 11:18 AM

    Hi Scott, 

    Are you aware that Verify option (AU.V) - Permit, which finds undefined users and groups and their permits, can automatically generate RDELETE SURROGAT commands when the user ID in the high level qualifier of SURROGAT *.SUBMIT profiles no longer exists and you select the delete option named "Dataset and id-specific profiles" on the follow-up panel?
    In the SYSPRINT work data set of Verify Permit, you can then find the following message: 

    CKR0261 04 Key with unknown CRMATST  general resource profile SURROGAT CRMATST.SUBMIT

    That message explains that userid CRMATST no longer exists in your RACF input source and, therefore, it suggests deleting the SURROGAT profile named CRMATST.SUBMIT by generating that command in the CKRCMD work data set. When your goal is to clean up only the SURROGAT profiles, you can just remove all other commands generated by Verify Permit and then only delete the SURROGAT profiles that you want to clean up.

    But why only clean up SURROGAT profiles that refer to userids that no longer exist? You might also want to clean up their orphan permissions, and the DATASET, JESSPOOL, and other profiles that these undefined users are still referred to in. And that is what Verify Permit does in a more automated fashion.

    I hope that you find this answer helpful. 



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 4.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 11:33 AM

    Note that this method will only flag discrete first qualifiers that do not match a current user ID.

    The first query I suggested will on the other hand flag generic qualifiers even when there is a matching current user ID.

    If you do not want to flag generic qualifiers that actually do match a current userid, you'd need to change KEY to MASK. You'd probably also want to add OUTLIM=1 to the generated query to avoid excessive output. And I used an occurrence of QUAL1 in my original query, which I changed to the intended #QUAL1 here as well.

    N TYPE=RACF nopage dd=ckr2pass                              
    Define #qual1('Qual1') as word(profile,1,'.')               
    s class=surrogat s=base (mask=*.submit)                     
    list `n nopage outlim=1 empty='Unable to locate user entry`,
      #qual1(0) | `'; s c=user s=base mask=` |,                 
      #qual1(0) | `; sortlist "` | #qual1(0) | ` found"`        



    :-)

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 5.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 01:00 PM

    Jeroen, thank you very much for providing this Carla code. I'm newer to Carla and still learning; this was extremely helpful.
    I had a few follow-up questions for you:
    What do the left quotes (` `) do? Are they different from double quotes (" ") or standard tick marks (' ')?
    Is there any way to only show the Empty entries or not-found entries?
    And I'm not following why you would need OUTLIM=1?

    Tom, thanks for your reply as well. I understand there are methods for finding orphaned permissions, but would AU.V also identify if a SURROGAT profile was incorrectly defined for a RACF group (e.g. GROUP1.SUBMIT)?
     



    ------------------------------
    Scott Lahner
    ------------------------------



  • 6.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 03:55 PM

    Hi Scott,

    The three types of quotes all do the same thing. You just use different types of quotes for nesting. So here the left quotes specify string literals at the level of the first query, and I use the other types of quotes to get string literals specified within the second query. https://www.ibm.com/docs/en/szs/2.5.0?topic=syntax-rules

    OUTLIM=1 specifies that you want at most one line of regular output. The query with KEY is so specific that you will only ever get one line of output per RACF database, but when MASK is used there might actually be multiple user IDs that match a generic qualifier, which would result in duplicate output lines (as I only print the mask and "found" on the line; if you'd add KEY you could see the actual matching user IDs).

    EMPTYLIST (or EMPTY for short) specifies a string literal that is printed when the report has no regular output (that is, no records were selected). https://www.ibm.com/docs/en/szs/2.5.0?topic=language-option

    So the reason that this approach cannot only show "the empty entries" is that these are not entries, but the absence of any entries in a whole series of very specific queries where I try to select each specific user id. 

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 7.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 04:10 PM

    Thanks for the explanations, appreciate the assistance. 



    ------------------------------
    Scott Lahner
    ------------------------------



  • 8.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Wed May 24, 2023 04:31 PM

    A general way of recognizing a user ID is testing if a lookup to DFLTGRP works. Unfortunately, for TYPE=RACF the look-ups are performed after reading the entire database, which means that you cannot use them with SELECT/EXCLUDE, nor in a WHEN clause.

    And the problem with "user ids" that do not exist is that there are no records in TYPE=RACF that correspond to them, so there is no way of running through them in another pass.

    What you can do is write all "user ids" to be tested to an output file, and then define that output file as DEFTYPE input file and use that to run through the ids and do a lookup to DFLTGRP from there.

    I don't feel like coding a two-pass query now; I just give two queries to be run one after the other.

    alloc type=output dd=interim dsn=CRMBINT.C2R2295.REPORT  
    N TYPE=RACF nopage dd=interim                            
    Define #qual1('Qual1') as word(profile,1,'.')            
    s class=surrogat s=base (mask=*.submit)                  
    sortlist #qual1(0)                                       


    Since I am writing to a VBA file, this will effectively put a bunch of userids into it starting on position 2.

    deftype type=$userids                                    
    alloc type=$userids dd=myfile  dsn=CRMBINT.C2R2295.REPORT
    n nopage type=$userids                                   
    def userid as substring(record,2)                        
    x exists(userid:dfltgrp)                                 
    sortlist 'Unable to locate user entry' userid            


    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 9.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    IBM Champion
    Posted Thu May 25, 2023 04:23 AM
    Edited by Rob van Hoboken Thu May 25, 2023 04:24 AM

    Jeroen is absolutely right to point out the processing stages of NEWLIST TYPE=RACF: it reads the RACF database very efficiently, thus preventing clever use of lookup in the SELECT command.

    There is another NEWLIST type that processes the SELECT (and EXCLUDE) command after completely reading the RACF database...

    newlist type=RACF_ACCESS title="Missing user ID in 1st qualifier"
      define #qual1('Qual1') as word(profile,1,'.')
      select class=surrogat profile=*.submit id=-uacc-
      exclude exists(#qual1:dfltgrp)
      sortlist profile


    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 10.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Thu May 25, 2023 02:13 AM

    Hi Scott, 

    When the group name that is used as high level qualifier of the SURROGAT profile exists (GROUP1 in your example), then AU.V - Permit would not show that SURROGAT profile GROUP1.SUBMIT is wrongly defined, because the ID GROUP1 exists in the RACF database. The current support did not cater for checking that the ID is actually a userid rather than a groupid. But I guess that you could consider opening an enhancement request for this additional check to be added to the AU.V - Permit option.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 11.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Thu May 25, 2023 02:35 AM

    Hi Scott,

    In case of an enhancement request, be sure to define exactly what the requirement is. In this particular case we are only looking at *.SUBMIT. You are correct, by the way, that VERIFY PERMIT is not currently paying much special attention to SURROGAT or functional positions in SURROGAT for this, but simply noting a discrete HLQ for which the ID does not exist.

    Alternatively, you could use this query to find the HLQs that do exist but are groups as a supplement to finding undefined IDs:

    n nopage dd=ckr2pass outlim=1                             
    sortlist `n nopage; s c=group s=base key=(,`              
    N TYPE=RACF nopage dd=ckr2pass                            
    Define #qual1('Qual1') as word(profile,1,'.')             
    s class=surrogat s=base (mask=*.submit)                   
    sortlist #qual1(0) | `,`                                  
    n nopage dd=ckr2pass outlim=1                             
    sortlist `); sortlist "Located group entry" key(0)`       


    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------
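The checks assembled across the thread (a discrete first qualifier with no matching ID, a generic qualifier that matches no current user or several, and an ID that exists but is a group rather than a user) as an added offline Python model; this is not zSecure or CARLa code from the thread. The user set, group set and profile list are constructed sample data, and the generic matching is a simplified stand-in for RACF's * and % within a single qualifier.

```python
import re

# Constructed sample data standing in for a RACF database; not real IDs.
USERS = {"USER1", "ABC1", "ABC22"}
GROUPS = {"GROUP1"}
SURROGAT_PROFILES = [
    "USER1.SUBMIT",   # discrete, defined user: fine
    "NOUSER.SUBMIT",  # discrete, no such ID: "Unable to locate user entry"
    "GROUP1.SUBMIT",  # discrete, ID exists but is a group: the AU.V gap
    "ABC*.SUBMIT",    # generic, matches ABC1 and ABC22 (why OUTLIM=1 was suggested)
    "XYZ%.SUBMIT",    # generic, matches no current user
    "OTHER.DATA",     # not the *.SUBMIT position, skipped
]

def first_qualifier(profile: str) -> str:
    # Same idea as Define #qual1('Qual1') as word(profile,1,'.')
    return profile.split(".", 1)[0]

def is_generic(qual: str) -> bool:
    return "*" in qual or "%" in qual

def matching_users(qual: str, users) -> list:
    # Simplified RACF generic matching inside one qualifier: * = any run, % = one char
    pattern = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in qual)
    return sorted(u for u in users if re.fullmatch(pattern, u))

def classify(profile: str, users=USERS, groups=GROUPS):
    """Return a finding code for a SURROGAT profile, or None if acceptable or out of scope."""
    if not profile.endswith(".SUBMIT") or profile.count(".") != 1:
        return None  # only the two-qualifier *.SUBMIT position, as select mask=*.submit does
    qual = first_qualifier(profile)
    if is_generic(qual):
        return None if matching_users(qual, users) else "GENERIC_NO_USER"
    if qual in users:
        return None
    if qual in groups:
        return "GROUP_NOT_USER"
    return "UNDEFINED_ID"

def review(profiles, users=USERS, groups=GROUPS) -> dict:
    """Map each flagged profile to its finding, mirroring the report lines in the thread."""
    findings = {}
    for p in profiles:
        code = classify(p, users, groups)
        if code:
            findings[p] = code
    return findings
```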



  • 12.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Thu May 25, 2023 02:44 AM
    Edited by Jeroen Tiggelman Thu May 25, 2023 02:44 AM

    Eh... It appears that it actually does specifically take note that this is an ID position because the second qualifier is SUBMIT and the class is SURROGAT, it just does not check the ID type.



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 13.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Thu May 25, 2023 04:32 PM

    Jeroen and Rob thank you very much for sharing these reports, I see a use for each of them. This has been very educational for me, thanks for helping. Looking forward to the next challenge and chatting again.



    ------------------------------
    Scott Lahner
    ------------------------------



  • 14.  RE: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids

    Posted Fri May 26, 2023 03:16 AM

    You are very welcome. :-)



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------