IBM Security Z Security

 View Only

  • 1.  Carla - zSecure Network and Complex Identification on one line

    Posted Wed March 27, 2024 12:06 PM

    I have a requirement to identify Userids with a Password on each RACF DB within our zSecure Network. Lets say the total number of DB's within our zSecure Network is 10. I need to run the below Carla and identify which Complex the Userids reside on. Is there a way to report this information on one line and identify a) the specific Complexes where the Userid was found  b) If found on all 10 complexes state "ALL"

    ALLOC TYPE=RACF BACKUP ACTIVE ZSECNODE=*                     
    n type=racf segment=BASE DD=FILE1 NOPAGE                                                    
     s s=base c=user HAS_PASSWORD=YES                                 
    sortlist key('Userid',8)  HAS_PASSWORD PASSDATE(10,USDATE),         
    PASSWORD_EXPIRED('PWEXP',5) COMPLEX

    So the output required would contain one entry for each Userid with the Complex information written horizontally and state "ALL" if the Count of Complexes was 10 (the total in our zSecure network).  For example:

    USERID   HAS_PASSWORD  LASTPWCHANGE  PWEXP   COMPLEX           
    USERA    YES                           05/12/23                 Y              DV1,TS1,PR1       
    USERB    YES                           05/13/23                 Y              ALL               
    USERC    YES                           05/12/23                 Y              DV1,DV2,DV3,PR2   

    Not as critical but a nice to have would be to identify the most recent date of each occurance.

                                                                   

     



    ------------------------------
    Scott Lahner
    ------------------------------


  • 2.  RE: Carla - zSecure Network and Complex Identification on one line

    IBM Champion
    Posted Wed March 27, 2024 12:50 PM
    Edited by Rob van Hoboken Wed March 27, 2024 12:55 PM

    The SUMMARY command can be used to get identically named profiles (users) on a single line.  You can use boolean fields to add information about the complex where the profile originated.  Suppose you have the RACF input sources tagged with ALLOC COMPLEX=A and ALLOC COMPLEX=B.  Or, you omit the COMPLEX and the SYSTEM ID or RRSF NODE will be used as default complex.

    newlist type=racf
      define in_A(str$blank("A"),8,"A") boolean where complex=A
      define in_B(str$blank("B"),8,"B") boolean where complex=B
      select class=user segment=base HAS_PASSWORD=YES
      sum profile(8,"User ID") passdate(10,usdate,max) in_a in_b

    That means you have to tailor the define commands with the complex names you have in the system.  The SUM command should have only one normal field (profile) and all other fields should be statistics, either by defining the fields as a boolean, or by adding modifier MAX after the field.  If you mistakenly add a normal field to the SUM line-up, and the field has different values on the complexes, you will have multiple lines for the same user ID.

    No, the complex names are not easily concatenated into a single field with commas.

    Also, an ALL indicator does not easily come to mind.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: Carla - zSecure Network and Complex Identification on one line

    Posted Wed March 27, 2024 05:23 PM

    Thanks Rob!  Couple questions:

    What if I defined a variable - define #HPW('Has_PW',6) boolean where has_password=yes and then added that to my sum - sum profile(8,"User ID") passdate(10,usdate,max) in_a in_b #HPW.   And lets say in Complex A USERIDA has_password=yes but in Complex B USERIDA has_password=blank.  How does Carla know what value to populate in #HPW? 

    And lets say I added has_password,max to my sum - sum profile(8,"User ID") passdate(10,usdate,max) in_a in_b has_password('Has_Pw',6,max) - would Carla always find the entry with YES because it's the highest value?



    ------------------------------
    Scott Lahner
    ------------------------------

    Original Message


  • 4.  RE: Carla - zSecure Network and Complex Identification on one line

    IBM Champion
    Posted Wed March 27, 2024 05:35 PM

    define #HPW('PW',3,str$blank('HPW')) boolean where has_password=yes

    results in a normal, non-statistic field, so SUMMARY shows unique combinations of profile and #HPW: if a user ID has a password on 5 systems, and no password on one, you will get 2 lines in the report.

    If however you turn in into a statistic:

    define #HPW('PW',3,str$blank('HPW')) max(has_password)

    this field will show HPW if any of the user IDs has a password: True is stored as 1, False as 0, so the max( ) is 1 (True) if any profile has 1.  It would not indicate on WHICH complexes a password was issued, but would indicate THAT there are some, maybe all.

    Also, you could add a column COUNT to show how many instances of the user ID were found on all the complexes you accessed.





    Original Message


  • 5.  RE: Carla - zSecure Network and Complex Identification on one line

    Posted Thu March 28, 2024 03:27 AM

    Hi Rob,

    A BOOLEAN is a summary statistic; it should show Yes when any of the values is true.
    If you want a non-static field you should use TRUE instead; this should split the observations as part of the summary key.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------

    Original Message