I remember seeing GROUP(->) listed when a group was removed and reconnected to a user. This changes the (chronological) order of group names in CONGRPNM, so a change in the field was found, but the same groups were found, thus the less than sensical GROUP(->). Now, I do not remember if the USERID field in a GROUP profile is similarly ordered, or if it's alphabetical, but that might be an explanation.
Regarding MERGE, this was originally designed to synchronize authorities and access controls between RACF databases, so you will find that not all fields are supported. Consequently, changes to some segment fields may go unobserved. Also, MERGE may be slow in picking up support for new fields. But I saw it used as an after-the-crash cleanup for early implementations of RRSF. Again, from memory....
Original Message:
Sent: Fri March 31, 2023 10:13 AM
From: Linnea Sullivan
Subject: Compare RACF Databases
Thanks for the information. Follow-up on #2. I understand when a user ID is listed in the field, but I am literally seeing "USERID(->)". There is no user ID on either side of the ->.
Rob's earlier response pointed me to the sample library, where I found C2RJMSYN. It seems to be capable of analyzing the entire RACF DB (via an unload) and displaying the differences. Do you know of any pros / cons of using that process over going through RA.U, RA.G, RA.D and RA.R to compare/show differences?
------------------------------
Linnea Sullivan
Original Message:
Sent: Fri March 31, 2023 05:30 AM
From: Tom Zeehandelaar
Subject: Compare RACF Databases
Hi Linnea. Thanks for the feedback. Let me try to answer your questions to the best of my ability.
1. I do not know of an easy way to exclude a field from the comparison. The 'Show differences' function uses a CARLa COMPAREOPT specification. In the UI, zSecure uses the so-called 'default COMPAREOPT specification'. This specification simply runs the 'Show differences' function for all fields that support comparisons. However, the CARLa Command Reference contains a section about this COMPAREOPTS keyword that explains how you can specify your own COMPAREOPT specification that only compares the fields that you are interested in comparing.
2. When comparing groups, the field USERID represents a user ID that is connected to that group. Thus, when you encounter USERID(ABCD123->), this indicates that user ID ABCD123 was connected to that group in the compare base, but this user ID is no longer connected to that group in the main set. Encountering USERID(->XYZ1234) means that user ID XYZ1234 is not connected to the selected group in the compare base but is connected to this group in the main set that you allocated.
3. Well, indeed the Print format would be your way to go with this one. However, by default, the one-line users-with-changes overview only contains a column about the type (ADD, DEL, CHG, CHG-, or CHG+) of change, but not the details of the change(s). When you select option 'full page form' in the print output format, you will get the change details reported. However, that is in a full page format for each changed user. But when you look at the COMMANDS work data set, you can see that the change details are generated by the following CARLa specification (compareopt=1 ? / COMPARE_CHANGES).
If you are only interested in a report of all changed users with the change details, I guess you can customize the sortlist of the CARLa that generates the report. I reran my query in print format (without the 'full page format') and then customized COMMANDS like so:
  symbolic num compareopt=1
  DEFAULT COMPAREOPT_SHOW=(ADD,DEL,CHG+,CHG-,CHG)
  DEFINE TYPE=* HELPPANEL=CKRT3SHD COMPARE_CHANGES(CMPCHG,0,WW,HEADER),
    COMPARE_CHANGES
  DEFINE TYPE=* HELPPANEL=CKRT3SHD COMPARE_RESULT(NOSORTLIST,NODETAIL),
    COMPARE_RESULT
  n n=baseu1 segment=BASE required allowrestrict ,
    ,
    tt="zSecure Admin+Audit for RACF USER overview",
    st='All users'
  s s=base c=user
  sortlist " - complex"(tt,page) complex(tt,page) stamp(tt),
    ,
    key(8,"User") name (compareopt=1 ? compare_result, COMPARE_CHANGES(0))
That generates a report with all users that are changed with their name, change type, and change details. On my system it looks like this:
  zSecure Admin+Audit for RACF USER overview - complex ED02     3Oct2018 13:01
  All users
  User     Name               Comp Changes
  CR550Q   US TRAINING ID R   DEL
  CR550R   US TRAINING ID R   DEL
  CR550S   US TRAINING ID R   DEL
  CRMBER3  BERT LIND          CHG  CGGRPNM(->CRMBNAG1)
                                   PHRINT(->0)
  CRMBHJ2  HAM GOETZ          CHG  PHRINT(->0)
  CRMBJK1  JERRY KAPLAN       CHG  CGGRPNM(->SYSPROG)
                                   DFLTGRP(TRAINERS->CRMB)
                                   OWNER(TRAINERS->CRMB)
Would that help?
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
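Added example, not part of the original thread and not zSecure code: a Python post-processor for a print-format report like the one in the reply above. It splits each FIELD(old->new) detail, drops fields you choose to ignore (such as PHRINT between releases), and lists profiles whose only remaining details have nothing on either side of the arrow, like USERID(->). The function names, the whitespace-separated column layout and the CRMBGRPX line are assumptions made for the example.

```python
import re

# Assumption: details print as FIELD(old->new), columns separated by whitespace.
CHANGE = re.compile(r"^([A-Z0-9_#$@]+)\((.*?)->(.*)\)$")
TYPES = {"ADD", "DEL", "CHG", "CHG+", "CHG-"}

# Excerpt of the listing in the post, plus one constructed line (CRMBGRPX).
SAMPLE = """\
User     Name              Comp Changes
CR550Q   US TRAINING ID R  DEL
CRMBER3  BERT LIND         CHG  CGGRPNM(->CRMBNAG1)
                                PHRINT(->0)
CRMBHJ2  HAM GOETZ         CHG  PHRINT(->0)
CRMBJK1  JERRY KAPLAN      CHG  CGGRPNM(->SYSPROG)
                                DFLTGRP(TRAINERS->CRMB)
CRMBGRPX CONSTRUCTED LINE  CHG  USERID(->)
"""

def parse_report(text):
    """Return {profile: {"type": str, "changes": [(field, old, new), ...]}}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        m = CHANGE.match(tokens[-1])
        if m and len(tokens) == 1:  # continuation line for the previous profile
            if current:
                profiles[current]["changes"].append(m.groups())
            continue
        type_pos = len(tokens) - (2 if m else 1)
        if type_pos < 1 or tokens[type_pos] not in TYPES:
            current = None  # title or column-header line
            continue
        current = tokens[0]
        profiles[current] = {"type": tokens[type_pos],
                             "changes": [m.groups()] if m else []}
    return profiles

def triage(profiles, ignore_fields=()):
    """Return (drift, empty_only): profiles to review, and FIELD(->)-only ones."""
    drift, empty_only = {}, []
    for name, info in profiles.items():
        kept = [c for c in info["changes"] if c[0] not in ignore_fields]
        real = [c for c in kept if c[1] or c[2]]
        if not info["changes"] or real:  # ADD/DEL, or a detail that has a value
            drift[name] = (info["type"], real)
        elif kept:  # only details with nothing on either side of the arrow
            empty_only.append(name)
    return drift, empty_only
```

Calling triage(parse_report(report_text), ignore_fields={"PHRINT"}) leaves out profiles whose only difference is PHRINT; the ignore list is applied after the comparison, so it does not change what zSecure compares.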
Original Message:
Sent: Thu March 30, 2023 12:33 PM
From: Linnea Sullivan
Subject: Compare RACF Databases
Tom, so my team looked at those 2 videos, and have run some tests, and we have a few questions:
- We are rolling out z/OS 2.5. PHRINT (Phrase Interval) is new with 2.5. When I compare against a 2.4 system, every user ID is an exception. Any way to exclude a field from the comparison?
- When comparing groups, I see this on a number of groups: USERID(->). Normally I would see USERID(ABCD123->) or USERID(->XYZ1234). What is USERID(->) telling me?
- When I run the process under TSO, I see the list of Users or Groups that are not the same. I can put an "S" beside the User or Group and see the difference. But if I have a lot of Users/Groups, I don't want to select them one by one. I tried PRINT FORMAT thinking it may have a column to show the differences. Any thoughts on how to list the changes in PRINT FORMAT?
Thanks
------------------------------
Linnea Sullivan
Original Message:
Sent: Wed March 22, 2023 01:34 PM
From: Tom Zeehandelaar
Subject: Compare RACF Databases
Hi Linnea,
zSecure supports a feature that is named "Show differences" that is capable of comparing RACF DBs, UNLOADs, and/or CKFREEZE data sets from different systems or from the same system at different points in time.
When you have access to the IBM Security Learning Services Academy, you can find 2 videos that I have recorded about this topic:
For your convenience, here's a link to the Academy: https://www.securitylearningacademy.com/
I hope this answers your question.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Wed March 22, 2023 09:36 AM
From: Linnea Sullivan
Subject: Compare RACF Databases
Does zSecure have a utility that would compare one RACF DB to another RACF DB? Or compare 2 zSecure unloads?
Our multiple systems are connected via RRSF, so in theory the databases should be in sync. However, I do see some cases where that is not the case. I would like to produce a report of what is out of sync and show it to our administration team to verify these situations are intentional, or do I have a different issue.
------------------------------
Linnea Sullivan
------------------------------