IBM Security Z Security


Compare RACF Databases

  • 1.  Compare RACF Databases

    Posted Wed March 22, 2023 09:37 AM

    Does zSecure have a utility that would compare one RACF DB to another RACF DB? Or compare 2 zSecure unloads?

    Our multiple systems are connected via RRSF, so in theory the databases should be in sync. However, I do see some cases where that is not the case. I would like to produce a report of what is out of sync and show it to our administration team to verify these situations are intentional, or whether I have a different issue.



    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Compare RACF Databases

    Posted Wed March 22, 2023 01:34 PM

    Hi Linnea, 

    zSecure supports a feature that is named "Show differences" that is capable of comparing RACF DBs, UNLOADs, and/or CKFREEZE data sets from different systems or from the same system at different points in time. 
    When you have access to the IBM Security Learning Services Academy, you can find 2 videos that I have recorded about this topic:

    For your convenience here's a link to the Academy: https://www.securitylearningacademy.com/

    I hope this answers your question. 



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: Compare RACF Databases

    Posted Thu March 30, 2023 12:34 PM

    Tom, so my team looked at those 2 videos, and have run some tests, and we have a few questions:

    1. We are rolling out z/OS 2.5. PHRINT (Phrase Interval) is new with 2.5. When I compare against a 2.4 system every User ID is an exception. Any way to exclude a field from the comparison?
    2. When comparing groups I see this on a number of groups: USERID(->). Normally I would see USERID(ABCD123->) or USERID(->XYZ1234). What is USERID(->) telling me?
    3. When I run the process under TSO I see the list of Users or Groups that are not the same. I can put an "S" beside the User or Group and see the difference. But if I have a lot of Users/Groups I don't want to select them one by one. I tried PRINT FORMAT thinking it may have a column to show the differences. Any thoughts on how to list the changes in PRINT FORMAT?

    Thanks



    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 4.  RE: Compare RACF Databases

    Posted Fri March 31, 2023 05:30 AM
    Edited by Tom Zeehandelaar Fri March 31, 2023 05:53 AM

    Hi Linnea. Thanks for the feedback. Let me try to answer your questions to the best of my ability.

    1. I do not know of an easy way to exclude a field from the comparison. The 'Show differences' function uses a CARLa COMPAREOPT specification. In the UI, zSecure uses the so-called 'default COMPAREOPT specification'. This specification simply runs the 'Show differences' function for all fields that support comparisons. However, the CARLa Command Reference contains a section about this COMPAREOPT keyword that explains how you can specify your own COMPAREOPT specification that only compares the fields that you are interested in comparing.

    2. When comparing groups, the field USERID represents a user ID that is connected to that group. Thus, when you encounter USERID(ABCD123->) this indicates that user ID ABCD123 was connected to that group in the compare base, but this user ID is no longer connected to that group in the main set. Encountering USERID(->XYZ1234) means that user ID XYZ1234 is not connected to the selected group in the compare base but is connected to this group in the main set that you allocated.

    3. Well, indeed the Print format would be your way to go with this one. However, by default, the one-line users-with-changes overview only contains a column about the type (ADD, DEL, CHG, CHG-, or CHG+) of change, but not the details of the change(s). When you select option 'full page form' in the print output format, you will get the change details reported. However, that is in a full page format for each changed user. But when you look at the COMMANDS work data set, you can see that the change details are generated by the following CARLa specification (compareopt=1 ? / COMPARE_CHANGES).

    If you are only interested in a report of all changed users with the change details, I guess you can customize the sortlist of the CARLa that generates the report. I reran my query in print format (without the 'full page format') and then customized COMMANDS like so:

    symbolic num compareopt=1                                              
    DEFAULT COMPAREOPT_SHOW=(ADD,DEL,CHG+,CHG-,CHG)                        
    DEFINE TYPE=* HELPPANEL=CKRT3SHD COMPARE_CHANGES(CMPCHG,0,WW,HEADER),  
     COMPARE_CHANGES                                                       
    DEFINE TYPE=* HELPPANEL=CKRT3SHD COMPARE_RESULT(NOSORTLIST,NODETAIL),  
     COMPARE_RESULT                                                        
    n n=baseu1 segment=BASE required allowrestrict ,                       
     ,                                                                     
     tt="zSecure Admin+Audit for RACF USER overview",                      
     st='All users'                                                        
     s s=base c=user                                                       
     sortlist " - complex"(tt,page) complex(tt,page) stamp(tt),            
     ,                                                                     
     key(8,"User") name (compareopt=1 ? compare_result, COMPARE_CHANGES(0))

    That generates a report with all users that are changed with their name, change type, and change details. On my system it looks like this:

    zSecure Admin+Audit for RACF USER overview - complex ED02      3Oct2018 13:01 
    All users                                                                     
                                                                                  
    User     Name                 Comp Changes                                    
    CR550Q   US TRAINING ID R     DEL                                             
    CR550R   US TRAINING ID R     DEL                                             
    CR550S   US TRAINING ID R     DEL                                             
    CRMBER3  BERT LIND            CHG  CGGRPNM(->CRMBNAG1)
     PHRINT(->0)        
    CRMBHJ2  HAM GOETZ            CHG  PHRINT(->0)            
    CRMBJK1  JERRY KAPLAN         CHG  CGGRPNM(->SYSPROG)     
                                       DFLTGRP(TRAINERS->CRMB)
                                       OWNER(TRAINERS->CRMB)  

    Would that help?


    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------
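As an added example (not zSecure or CARLa code from the post), a small Python re-implementation of the base-vs-main user comparison Tom describes: it renders each change in the same FIELD(old->new) form, classifies users as ADD/DEL/CHG (CHG+/CHG- are omitted), and takes an exclusion set that plays the role a custom COMPAREOPT would, so a field such as PHRINT can be left out. Sample records are constructed to mirror the report rows above; treating CGGRPNM as an unordered set is an assumption.

```python
# Added example, not zSecure code: compare a "base" and a "main" user set and
# render differences as FIELD(old->new), the way 'Show differences' prints them.
from typing import Dict, List, Tuple

# Constructed sample data mirroring the report rows in the post. A record maps
# field name -> string, or -> set for multi-valued fields such as CGGRPNM
# (assumption: member order is not significant).
BASE: Dict[str, dict] = {  # compare base (older unload, z/OS 2.4: no PHRINT)
    "CR550Q":  {"NAME": "US TRAINING ID R", "DFLTGRP": "TRAIN", "OWNER": "TRAIN"},
    "CRMBER3": {"NAME": "BERT LIND", "DFLTGRP": "CRMB", "OWNER": "CRMB", "CGGRPNM": {"CRMB"}},
    "CRMBHJ2": {"NAME": "HAM GOETZ", "DFLTGRP": "CRMB", "OWNER": "CRMB"},
    "CRMBJK1": {"NAME": "JERRY KAPLAN", "DFLTGRP": "TRAINERS", "OWNER": "TRAINERS",
                "CGGRPNM": {"TRAINERS"}},
}
MAIN: Dict[str, dict] = {  # main set (newer unload, z/OS 2.5: PHRINT present)
    "CRMBER3": {"NAME": "BERT LIND", "DFLTGRP": "CRMB", "OWNER": "CRMB",
                "CGGRPNM": {"CRMB", "CRMBNAG1"}, "PHRINT": "0"},
    "CRMBHJ2": {"NAME": "HAM GOETZ", "DFLTGRP": "CRMB", "OWNER": "CRMB", "PHRINT": "0"},
    "CRMBJK1": {"NAME": "JERRY KAPLAN", "DFLTGRP": "CRMB", "OWNER": "CRMB",
                "CGGRPNM": {"TRAINERS", "SYSPROG"}},
}

def field_change(name: str, old, new) -> str:
    """Render one differing field; multi-valued fields show removed->added members."""
    if isinstance(old, set) or isinstance(new, set):
        old, new = old or set(), new or set()
        return f"{name}({' '.join(sorted(old - new))}->{' '.join(sorted(new - old))})"
    return f"{name}({old or ''}->{new or ''})"

def compare_users(base: Dict[str, dict], main: Dict[str, dict],
                  exclude=frozenset()) -> List[Tuple[str, str, List[str]]]:
    """Return (user, ADD|DEL|CHG, [changes]) rows, one per user that differs.
    'exclude' removes fields from the comparison (e.g. {"PHRINT"})."""
    rows = []
    for user in sorted(set(base) | set(main)):
        if user not in main:
            rows.append((user, "DEL", []))      # present in base only
        elif user not in base:
            rows.append((user, "ADD", []))      # present in main only
        else:
            b, m = base[user], main[user]
            changes = [field_change(f, b.get(f), m.get(f))
                       for f in sorted((set(b) | set(m)) - set(exclude))
                       if b.get(f) != m.get(f)]
            if changes:
                rows.append((user, "CHG", changes))
    return rows
```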



  • 5.  RE: Compare RACF Databases

    Posted Fri March 31, 2023 10:13 AM

    Thanks for the information. Follow-up on #2. I understand when a user ID is listed in the field, but I am literally seeing "USERID(->)". There is no user ID on either side of the ->.

    In Rob's earlier response it pointed me to the sample library where I found C2RJMSYN. It seems to be capable of analyzing the entire RACF DB (via an unload) and displaying the differences. Do you know of any pros/cons of using that process over going through RA.U, RA.G, RA.D and RA.R to compare/show differences?



    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 6.  RE: Compare RACF Databases

    IBM Champion
    Posted Fri March 31, 2023 10:50 AM

    I remember seeing GROUP(->) listed when a group was removed and reconnected to a user.  This changes the (chronological) order of group names in CONGRPNM, so a change in the field was found, but the same groups were found, thus the less than sensical GROUP(->).  Now, I do not remember if the USERID field in a GROUP profile is similarly ordered, or if it's alphabetically, but that might be an explanation.

    Regarding MERGE, this was originally designed to synchronize authorities and access controls between RACF databases, so you will find that not all fields are supported.  Consequently, changes to some segment fields may go unobserved.  Also, MERGE may be slow in picking up support for new fields.  But I saw it used as an after the crash cleanup for early implementations of RRSF.  Again, from memory....



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 7.  RE: Compare RACF Databases

    Posted Fri March 31, 2023 12:36 PM

    Hi Linnea,

    I think for the purpose of listing differences, the section rather points to C2RJMDIF, as the synchronization process seems to be supposed to be done in a number of separate phases.

    I guess you need to take a look whether the kind of changes you are interested in are flagged by MERGE. In theory I suppose that COMPAREOPT gives you quite fine-grained control--but making use of that might be more laborious.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 8.  RE: Compare RACF Databases

    IBM Champion
    Posted Thu March 23, 2023 05:35 AM

    You can also read up on the MERGE function in zSecure Admin. It can be used to list (many) differences between RACF input sources and generate commands to address those: https://www.ibm.com/docs/en/szs/2.5.0?topic=guide-using-merge-identify-changes-in-racf



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 9.  RE: Compare RACF Databases

    Posted Tue April 18, 2023 01:20 PM

    Rob, we've been trying out everyone's suggestions, but so far we think your suggestion fits the best. But we did notice something and did not know if it was intentional or an oversight. If we compare the base to the target, we see the target contains USERIDs that do not exist on the base. We think the IDs used to exist on the base but for whatever reason the delete user commands did not get propagated to the target. We were not sure if we should expect to see DELUSER commands to remove these IDs from the target. My assumption is that the process just makes sure the UserIDs/Groups/Profiles that exist on the base get built on the target. But nothing cleans up extra UserIDs/Groups/Profiles that exist on the target.

    Thanks



    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 10.  RE: Compare RACF Databases

    Posted Tue April 18, 2023 01:36 PM

    Hi Linnea,

    The first step mentioned for actually merging databases is to make sure that the databases have reasonable referential integrity: https://www.ibm.com/docs/en/szs/2.5.0?topic=reference-pdf , so I would not recommend relying on results from MERGE if your databases have such structural errors.

    So I would recommend using VERIFY PERMIT and VERIFY CONNECT to clean up the databases first.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 11.  RE: Compare RACF Databases

    Posted Tue April 18, 2023 01:39 PM

    Hmmm.. that link does not actually seem to locate the right section. This one might be better: https://www.ibm.com/docs/en/szs/2.5.0?topic=database-cleaning-up-security-databases



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 12.  RE: Compare RACF Databases

    IBM Champion
    Posted Wed April 19, 2023 03:47 AM
    Edited by Rob van Hoboken Wed April 19, 2023 03:54 AM

    True enough, Linnea.  MERGE primarily adds profiles into the current database, when they are found in mergesource but not in current.  So I had to write explicit support for the reverse, using newlist type=merge, I think:

    newlist type=merge nopage dd=ckrcmd
      s class=dataset missing(field) exists(profile) missing(src_profile)
      sortlist "deldsd '" | profile(0) | "'"
    newlist type=merge nopage dd=ckr2pass
      s class=user missing(field) exists(profile) missing(src_profile)
      sortlist "remove user=" | profile(0)

    At least, that's what I remember from 15 (?) years ago.  Maybe I had to reverse the current and mergesource ALLOC commands, so MERGE wants to create profiles (found in current), and use these findings to create the delete commands.  Just run a merge report on the reversed allocations to see what src_profile, cur_profile and profile indicate:

    newlist type=merge 
      s class=user
      sortlist profile(8) src_profile(8) cur_profile(8) field value src_value cur_value

    Add your own code for groups, general resources and connects.  Fix concept errors... and test thoroughly.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 13.  RE: Compare RACF Databases

    Posted Mon May 01, 2023 02:57 PM

    Rob, we are continuing to play with the merge function, but we are seeing some strange results. The majority of the changes the merge suggests are right on target; just these 2 instances are strange:

    #1. In the STARTED class SITEA has several profiles created with no access list. SITEB does not have these profiles. The merge generates PERMIT profile1 CLASS(STARTED) RESET commands. I would have thought that since the profiles did not exist on SITEB, RDEF and RALT commands would be generated.

    #2. In the DB2 class MDSNGV, SITEA does not have certain profiles. SITEB does have the profiles. But the merge is showing permit commands that need to be run on SITEB; this should not be possible since SITEA does not have the profiles. We thought we had the input files reversed, but we noticed the PERMIT commands that were generated had a lot more groups on the PERMIT command than what existed in the profile on SITEB. We have run the merge on lots of other systems successfully, so we feel we don't have the input files reversed, but we can't figure out why this is happening. It's also happening on a couple of user-defined classes as well. Any suggestions to try?



    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 14.  RE: Compare RACF Databases

    IBM Champion
    Posted Fri May 05, 2023 06:08 AM

    Hi Linnea
    When you run into functions that look like defects, you are probably better off opening a Case and including SYSPRINT etc. for L2 support to look at.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 15.  RE: Compare RACF Databases

    Posted Fri March 24, 2023 04:06 AM

    Hi Linnea.

    I can fully appreciate your problem, as I have been facing the same. In order to shed light on the problem, I have developed a number of queries that compare unloads from multiple RACF databases and highlight the core differences in a simple and very compressed format.

    The below is an example of comparing some of the contents of user profiles in three unloads, but you may add more unloads and more fields as you please.

    alloc type=UNLOAD DD=UNL1 complex=SYS1
    alloc type=UNLOAD DD=UNL2 complex=SYS2
    alloc type=UNLOAD DD=UNL3 complex=SYS3

    define  xSYS1(HB,2,"S1") boolean where complex=SYS1
    define  xSYS2(HB,2,"S2") boolean where complex=SYS2
    define  xSYS3(HB,2,"S3") boolean where complex=SYS3
    define  xInterval AS passint   where NOT(protected)

    NEWLIST  n=USERBASE retain tt="USER class basic comparison"
      select class=user segment=base
    summary  key(8,"User") Name DfltGrp Owner,   
             xSYS1(2,"S1") xSYS2(2,"S2") xSYS3(2,"S3"),
             Special(1,"S",hb) ! Operations(1,"O",hb) ! , 
             Auditor(1,"A",hb) ! ROAudit(1,"R",hb),
             Protected(1,"P",hb) xInterval(3,"Int") UAudit(6,"UAUDIT"), 
             key:uid(10)  count(<3)

    The last one, count(<3), will eliminate all users that are identical in all three unloads, leaving only the ones that you want your security admins to look at.
    The same technique can be used for groups, user-to-group connects, dataset and general resource classes and access control lists.

    Best regards
    Mikael Rasmussen
    Danske Bank



    ------------------------------
    Mikael Rasmussen
    Senior Mainframe Security Engineer
    Danske Bank
    Brabrand
    +4540766221
    ------------------------------
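As an added example (not Mikael's CARLa and not zSecure code), the same "summary ... count(<3)" idea in Python: the summary key is the user plus every compared attribute, so a user whose attributes are identical in all complexes collapses into one key held by all of them and drops out, leaving only the out-of-sync users with a flag per complex. It also reproduces the xInterval trick of ignoring the password interval for PROTECTED users. Complex names SYS1..SYS3 and the unload records are constructed.

```python
# Added example, not zSecure code: replicate the count(<N) summary filter over
# three constructed RACF user unloads to list only users that differ somewhere.
from collections import defaultdict
from typing import Dict, List, Tuple

FIELDS = ("NAME", "DFLTGRP", "OWNER", "SPECIAL", "OPERATIONS", "PROTECTED", "PASSINT")

def rec(name, grp, special=False, oper=False, protected=False, passint=90) -> dict:
    """Build one constructed user record (OWNER assumed equal to DFLTGRP)."""
    return {"NAME": name, "DFLTGRP": grp, "OWNER": grp, "SPECIAL": special,
            "OPERATIONS": oper, "PROTECTED": protected, "PASSINT": passint}

# Constructed unloads for three complexes (assumed names SYS1..SYS3).
UNLOADS: Dict[str, Dict[str, dict]] = {
    "SYS1": {"ADM001": rec("ADMIN ONE", "SYSADM", special=True),
             "OPS042": rec("OPS USER", "OPS", oper=True),      # OPERATIONS only here
             "BATCH7": rec("BATCH SCHED", "BATCH"),
             "SVC010": rec("SERVICE ID", "SVC", protected=True, passint=30)},
    "SYS2": {"ADM001": rec("ADMIN ONE", "SYSADM", special=True),
             "OPS042": rec("OPS USER", "OPS"),
             "BATCH7": rec("BATCH SCHED", "BATCH"),
             "SVC010": rec("SERVICE ID", "SVC", protected=True, passint=0)},
    "SYS3": {"ADM001": rec("ADMIN ONE", "SYSADM", special=True),
             "OPS042": rec("OPS USER", "OPS"),                  # BATCH7 missing here
             "SVC010": rec("SERVICE ID", "SVC", protected=True, passint=60)},
}

def summary_key(user: str, r: dict) -> Tuple:
    """Like the post's xInterval: PASSINT only counts when the user is not
    PROTECTED, so protected IDs never differ on a meaningless interval."""
    vals = [r[f] for f in FIELDS if f != "PASSINT"]
    vals.append(None if r["PROTECTED"] else r["PASSINT"])
    return (user, *vals)

def out_of_sync(unloads: Dict[str, Dict[str, dict]]) -> List[Tuple[Tuple, List[str]]]:
    """Return (summary_key, [complexes holding that exact row]) for every row
    not present in all complexes, i.e. the CARLa count(<N) filter, N=len(unloads)."""
    rows: Dict[Tuple, set] = defaultdict(set)
    for cplx, users in unloads.items():
        for user, r in users.items():
            rows[summary_key(user, r)].add(cplx)
    return sorted((k, sorted(c)) for k, c in rows.items() if len(c) < len(unloads))

if __name__ == "__main__":
    for key, cplxs in out_of_sync(UNLOADS):
        flags = " ".join(f"S{i}" if f"SYS{i}" in cplxs else "  " for i in (1, 2, 3))
        print(f"{key[0]:<8} {key[1]:<12} {flags}  {key[2:]}")
```

ADM001 and SVC010 vanish from the output (identical everywhere once the protected interval is masked); OPS042 appears twice, once per variant, and BATCH7 once with only two complexes flagged.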