IBM Security Z Security


Exists in Resource Profile

  • 1.  Exists in Resource Profile

    Posted Fri February 16, 2024 04:24 PM

    I'm wondering how I can determine if a profile does not exist in the RACFVARS Class. 

    I am trying to do this with a Two Pass Carla statement. In my first step not listed here I captured profile keys from another resource class and would like to check if the profiles exist in RACFVARS, if not write them to the SORTLIST. 

    In my 2nd step I captured the profiles from the 1st step and try to list each profile to determine which do not exist in RACFVARS, is this possible? I've tried different methods and searched through zCommunity for exists/missing examples but not having any success. Below is the newlist I created from 1st step, in this example &TEST3 does not exist in RACFVARS but the others do (&TEST1, &TEST2).  Is there anything I could add to below newlist to identify &TEST3 not existing in RACFVARS?

     alloc type=RACF primary active zsecnode=.              
     PRINT FILE=RACFVARS                                    
     newlist type=RACF pl=0 tt='Prof  not in RACFVARS'  
       select class=RACFVARS segment=base key=&TEST1      
       select class=RACFVARS segment=base key=&TEST2      
       select class=RACFVARS segment=base key=&TEST3      
      sortlist key(8) owner(8)                               



    ------------------------------
    Scott Lahner
    ------------------------------


  • 2.  RE: Exists in Resource Profile

    Posted Sat February 17, 2024 05:21 AM
    Edited by Jeroen Tiggelman Sat February 17, 2024 05:22 AM

    Hi Scott,

    One way to get feedback that the result of a selection does not exist is the EMPTYLIST keyword on the NEWLIST statement.
    However, this only triggers when no records are selected at all.

    So you'd need to code something like


    newlist type=RACF pl=0 empty='&TEST1 not in RACFVARS'
       select class=RACFVARS segment=base key=&TEST1     
      sortlist key(8) owner(8)        

    newlist type=RACF pl=0 empty='&TEST2 not in RACFVARS'
       select class=RACFVARS segment=base key=&TEST2
      sortlist key(8) owner(8)        

    newlist type=RACF pl=0 empty='&TEST3 not in RACFVARS'
       select class=RACFVARS segment=base key=&TEST3
      sortlist key(8) owner(8)        

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 3.  RE: Exists in Resource Profile

    IBM Champion
    Posted Sat February 17, 2024 08:00 AM

    I wonder...

    newlist type=RACF nopage
       define foundTEST1 count where key=&TEST1
       define foundTEST2 count where key=&TEST2
       define foundTEST3 count where key=&TEST3
       select class=RACFVARS
       summary class(nd) count(nd) '&TEST1 not in RACFVARS' foundTEST1(nd,<1)
       summary class(nd) count(nd) '&TEST2 not in RACFVARS' foundTEST2(nd,<1)
       summary class(nd) count(nd) '&TEST3 not in RACFVARS' foundTEST3(nd,<1)



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: Exists in Resource Profile

    Posted Sun February 18, 2024 09:25 AM

    Yes, that also works, Rob.



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 5.  RE: Exists in Resource Profile

    Posted Tue February 20, 2024 09:54 AM

    Jeroen/Rob, thanks for the replies.  

    Something to keep in mind is that I'm generating the list of profiles to validate in my 1st pass so I need to develop the commands to execute in the 2nd pass.
    My first list contains 8 char keys (&TEST1 &TEST2 &TEST3) but listed on each line.

    I'm struggling a little with generating the commands both of you provided into my 2nd pass.

    Jeroen's because I have to generate a block of commands for each entry.

    Rob's because of your variable names Foundtest1, 2, 3.  I don't know how many entries I will have from the 1st pass so I need to generate a variable name for each key entry.  

    Below are my 2nd pass statements.  I do like Rob's approach but what would I code for the variable names in the define statements?

      sortlist,                                     
      "select class=RACFVARS where key=" | #qual1   
      newlist type=RACF outlim=1                    
        select class=RACFVARS s=BASE key=&RACLNDE      
      sortlist,                                     
     "sortlist key(8) owner(8)"                      



    ------------------------------
    Scott Lahner
    ------------------------------



  • 6.  RE: Exists in Resource Profile

    IBM Champion
    Posted Tue February 20, 2024 04:06 PM

    Suppose you have those RACFVARS candidates in a file allocated to INPUT:

    //INPUT DD *
    &TEST1
    &TEST2
    &TEST3
    /*

    You could process the file and generate CARLa to CKR2PASS like so.

    deftype type=@input
    alloc type=@input dd=input
    newlist type=@input nopage dd=ckr2pass
      define profile as substr(record,1,9)
      define wordpart as substr(record,2,9)
      sortlist "define found" | wordpart "count where profile=" | profile
      summary "newlist type=racf nopage" count(nd) /
    newlist type=@input nopage dd=ckr2pass
      sortlist "summary class(nd) count(nd) '" | profile,
        "not in RACFVARS' found" | charpart(0) | "(nd,<1)"
      summary "select class=RACFVARS" count(nd) /

    This uses the character part of the RACFVARS name to name the count field, e.g. foundTEST1, and the profile (including the &) as the selection criterion.  The DEFINES have to occur together, so they are generated in the 1st newlist (from the RACFVARS names in INPUT) and the 2nd newlist generates the SUMMARY commands.

    The result is a CARLa that looks like

    newlist type=RACF nopage
       define foundTEST1 count where key=&TEST1
       define foundTEST2 count where key=&TEST2
       define foundTEST3 count where key=&TEST3
       select class=RACFVARS
       summary class(nd) count(nd) '&TEST1 not in RACFVARS' foundTEST1(nd,<1)
       summary class(nd) count(nd) '&TEST2 not in RACFVARS' foundTEST2(nd,<1)
       summary class(nd) count(nd) '&TEST3 not in RACFVARS' foundTEST3(nd,<1)

    I hope I balanced the quotes and didn't exceed 72 positions anywhere.  Code written from experience and not tested.

    Send me a DM if you want to discuss this code.



    ------------------------------
    Rob van Hoboken
    ------------------------------
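
Added example, not part of the thread and not IBM or zSecure code: a Python generator that builds the second-pass CARLa of post 6 from a list of candidate names. The function and constant names are hypothetical; it assumes each candidate is `&` plus 1 to 7 alphanumerics, and it splits each SUMMARY with the trailing-comma continuation the thread's code uses, because the single-line form can run past 72 positions.

```python
import re

# Assumption: a candidate is '&' plus 1-7 alphanumerics. The strict pattern
# also keeps quotes, blanks and extra keywords in the input file from being
# copied into the generated CARLa.
NAME_RE = re.compile(r"^&[A-Z0-9]{1,7}$")
MAX_COL = 72  # position limit mentioned in the thread


def build_second_pass(candidates):
    """Return CARLa lines reporting which candidates are absent from RACFVARS."""
    names, seen = [], set()
    for raw in candidates:
        name = raw.strip().upper()
        if not name:
            continue                      # skip blank input records
        if not NAME_RE.match(name):
            raise ValueError(f"not a valid RACFVARS name: {raw!r}")
        if name not in seen:              # a duplicate would define a field twice
            seen.add(name)
            names.append(name)

    lines = ["newlist type=RACF nopage"]
    # All DEFINEs are emitted together, ahead of the SELECT, as in the thread.
    for name in names:
        lines.append(f"  define found{name[1:]} count where key={name}")
    lines.append("  select class=RACFVARS")
    for name in names:
        # Assumption: a trailing comma continues the statement on the next
        # line, as in the SORTLIST lines posted in the thread.
        lines.append("  summary class(nd) count(nd),")
        lines.append(f"    '{name} not in RACFVARS' found{name[1:]}(nd,<1)")
    return lines


if __name__ == "__main__":
    # Constructed sample input matching the INPUT DD shown in the thread.
    print("\n".join(build_second_pass(["&TEST1", "&TEST2", "&TEST3"])))
```
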



  • 7.  RE: Exists in Resource Profile

    Posted Wed February 21, 2024 05:23 PM

    Hey Rob, thanks for providing the code, I had to make a few tweaks, see below and got it to work.  The biggest hurdle was figuring out how to get rid of extra spaces being added to the end of the wordpart variable. My coworker helped me and found by defining the variable as a character field - wordpart(char) - we were able to remove the trailing spaces.   Also, I stumbled trying to fit the CARLa code within 72 lines,  for example, where I had to write "Not in RACFVARS" notice it continues to the next line, but I had to close the quotes around "Not" and then continue to next line, that throws me off sometimes. But I got it to work and learned a lot along the way.  Thanks.

    deftype type=@input
    alloc type=@input dd=input