IBM Security Z Security


Exists in Resource Profile

  • 1.  Exists in Resource Profile

    Posted Fri February 16, 2024 04:24 PM

    I'm wondering how I can determine if a profile does not exist in the RACFVARS Class. 

    I am trying to do this with a Two Pass Carla statement. In my first step not listed here I captured profile keys from another resource class and would like to check if the profiles exist in RACFVARS, if not write them to the SORTLIST. 

    In my 2nd step I captured the profiles from the 1st step and try to list each profile to determine which do not exist in RACFVARS, is this possible? I've tried different methods and searched through zCommunity for exists/missing examples but not having any success. Below is the newlist I created from 1st step, in this example &TEST3 does not exist in RACFVARS but the others do (&TEST1, &TEST2).  Is there anything I could add to below newlist to identify &TEST3 not existing in RACFVARS?

     alloc type=RACF primary active zsecnode=.              
     PRINT FILE=RACFVARS                                    
     newlist type=RACF pl=0 tt='Prof  not in RACFVARS'  
       select class=RACFVARS segment=base key=&TEST1      
       select class=RACFVARS segment=base key=&TEST2      
       select class=RACFVARS segment=base key=&TEST3      
      sortlist key(8) owner(8)                               



    ------------------------------
    Scott Lahner
    ------------------------------


  • 2.  RE: Exists in Resource Profile

    Posted Sat February 17, 2024 05:21 AM
    Edited by Jeroen Tiggelman Sat February 17, 2024 05:22 AM

    Hi Scott,

    One way to get feedback that the result of a selection does not exist is the EMPTYLIST keyword on the NEWLIST statement.
    However, this only triggers when no records are selected at all.

    So you'd need to code something like


    newlist type=RACF pl=0 empty='&TEST1 not in RACFVARS'
       select class=RACFVARS segment=base key=&TEST1     
      sortlist key(8) owner(8)        

    newlist type=RACF pl=0 empty='&TEST2 not in RACFVARS'
       select class=RACFVARS segment=base key=&TEST2
      sortlist key(8) owner(8)        

    newlist type=RACF pl=0 empty='&TEST3 not in RACFVARS'
       select class=RACFVARS segment=base key=&TEST3
      sortlist key(8) owner(8)        

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 3.  RE: Exists in Resource Profile

    IBM Champion
    Posted Sat February 17, 2024 08:00 AM

    I wonder...

    newlist type=RACF nopage
       define foundTEST1 count where key=&TEST1
       define foundTEST2 count where key=&TEST2
       define foundTEST3 count where key=&TEST3
       select class=RACFVARS
       summary class(nd) count(nd) '&TEST1 not in RACFVARS' foundTEST1(nd,<1)
       summary class(nd) count(nd) '&TEST2 not in RACFVARS' foundTEST2(nd,<1)
       summary class(nd) count(nd) '&TEST3 not in RACFVARS' foundTEST3(nd,<1)



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: Exists in Resource Profile

    Posted Sun February 18, 2024 09:25 AM

    Yes, that also works, Rob.



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 5.  RE: Exists in Resource Profile

    Posted Tue February 20, 2024 09:54 AM

    Jeroen/Rob, thanks for the replies.  

    Something to keep in mind is that I'm generating the list of profiles to validate in my 1st pass so I need to develop the commands to execute in the 2nd pass.
    My first list contains 8 char keys (&TEST1 &TEST2 &TEST3) but listed on each line.

    I'm struggling a little with generating the commands both of you provided into my 2nd pass.

    Jeroen's because I have to generate a block of commands for each entry.

    Rob because your variable names Foundtest1, 2, 3.  I don't know how many entries I will have from the 1st pass so I need to generate a variable name for each key entry.  

    Below are my 2nd pass statements.  I do like Rob's approach but what would I code for the variable names in the define statements?

      sortlist,                                     
      "select class=RACFVARS where key=" | #qual1   
      newlist type=RACF outlim=1                    
        select class=RACFVARS s=BASE key=&RACLNDE      
      sortlist,                                     
     "sortlist key(8) owner(8)"                      



    ------------------------------
    Scott Lahner
    ------------------------------



  • 6.  RE: Exists in Resource Profile

    IBM Champion
    Posted Tue February 20, 2024 04:06 PM

    Suppose you have those RACFVARS candidates in a file allocated to INPUT:

    //INPUT DD *
    &TEST1
    &TEST2
    &TEST3
    /*

    You could process the file and generate CARLa to CKR2PASS like so.

    deftype type=@input
    alloc type=@input dd=input
    newlist type=@input nopage dd=ckr2pass
      define profile as substr(record,1,9)
      define wordpart as substr(record,2,9)
      sortlist "define found" | wordpart "count where profile=" | profile
      summary "newlist type=racf nopage" count(nd) /
    newlist type=@input nopage dd=ckr2pass
      sortlist "summary class(nd) count(nd) '" | profile,
        "not in RACFVARS' found" | charpart(0) | "(nd,<1)"
      summary "select class=RACFVARS" count(nd) /

    This uses the character part of the RACFVARS name to name the count field, e.g. foundTEST1 and the profile (including the &) as the selection criterion.  The DEFINES have to occur together, so they are generated in the 1st newlist (from the RACFVARS names in INPUT) and the 2nd newlist generates the SUMMARY commands.

    The result is a CARLa that looks like

    newlist type=RACF nopage
       define foundTEST1 count where key=&TEST1
       define foundTEST2 count where key=&TEST2
       define foundTEST3 count where key=&TEST3
       select class=RACFVARS
       summary class(nd) count(nd) '&TEST1 not in RACFVARS' foundTEST1(nd,<1)
       summary class(nd) count(nd) '&TEST2 not in RACFVARS' foundTEST2(nd,<1)
       summary class(nd) count(nd) '&TEST3 not in RACFVARS' foundTEST3(nd,<1)

    I hope I balanced the quotes and didn't exceed 72 positions anywhere.  Code written from experience and not tested.

    Send me a DM if you want to discuss this code.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 7.  RE: Exists in Resource Profile

    Posted Wed February 21, 2024 05:23 PM

    Hey Rob, thanks for providing the code, I had to make a few tweaks, see below and got it to work.  The biggest hurdle was figuring out how to get rid of extra spaces being added to the end of the wordpart variable. My coworker helped me and found by defining the variable as a character field - wordpart(char) - we were able to remove the trailing spaces.   Also I stumbled trying to fit the carla code within 72 lines,  for example, where I had to write "Not in RACFVARS" notice it continues to the next line, but I had to close the quotes around "Not" and then continue to next line, that throws me off sometimes. But I got it to work and learned a lot along the way.  Thanks.

    deftype type=@input                                                  
    alloc type=@input dd=input                                           
    newlist type=@input nopage dd=ckr2pass                               
     define profile as substr(record,1,8)                                
     define wordpart(char) as substr(record,2,8)                         
     sortlist "define found" | wordpart(0) | ,                           
     " count where profile=" | profile                                   
     summary "newlist type=racf nopage" count(nd) /                      
    newlist type=@input nopage dd=ckr2pass                               
      sortlist "summary class(nd) count(nd) '" | profile(0) | " Not" | /,
      " in RACFVARS' found" | wordpart(0) | "(nd,<1)"                    
      summary "select class=RACFVARS" count(nd) /                        



    ------------------------------
    Scott Lahner
    ------------------------------



  • 8.  RE: Exists in Resource Profile

    IBM Champion
    Posted Thu February 22, 2024 04:10 AM
    Edited by Rob van Hoboken Thu February 22, 2024 04:12 AM

    Thank you for the feedback.  While hindsight is 20-20, memory for me is definitely not.  The RECORD field for DEFTYPE newlists has an ASIS format, and this is not supported for the (0) overriding length (space trimming).  This does not seem to be documented and has been a bugbear for many.

    ASIS is documented as

    The field is copied without modification. The difference with CHAR is that trailing blanks are preserved. Note that with XML output, trailing blanks (as well as trailing null characters) are trimmed off anyway.

    whereas CHAR states

    Character string. The field is copied without modification, except that trailing blanks are not preserved. See also ASIS.

    We are to conclude that (0) requires that blanks are not preservable, eh?  But your coworker did the right thing, overriding the format of the CHARPART to CHAR. 

    Now about splitting CARLa statements efficiently.  The thing about two-pass code, the statements have to conform to syntax standards in both passes.  Let's split the offending SORTLIST statement for the 1st pass into (light blue) literal and field tokens:

     sortlist "summary class(nd) count(nd) '" | profile,
        "not in RACFVARS' found" | charpart(0) | "(nd,<1)"

    You noticed that the output exceeds 72 positions, so you want to split the resulting SUMMARY command (syntactically correctly) into 2 lines.  In CARLa that requires a dangling continuation comma.  The easiest place is after the single quoted literal, like so:

    summary class(nd) count(nd) '&TEST1 not in RACFVARS',
    foundTEST1(nd,<1)

    This is done by using the slash operator in the 1st pass, like so:

     sortlist "summary class(nd) count(nd) '" | profile,
        "not in RACFVARS'," / "found" | charpart(0) | "(nd,<1)"

    You see, during the 1st pass, the single quote ' is just a normal character, that doesn't get significant until the 2nd pass.

    ------------------------------
    Rob van Hoboken
    ------------------------------
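
The generation step discussed in this thread, redone off-host in Python as an added example (not code from any poster and not part of zSecure): it emits the second-pass statements shown above, with each SUMMARY split after the quoted literal by a trailing continuation comma. `generate_pass2`, `KEY_RE` and the sample records are hypothetical names, and the key pattern is an assumption; it exists so that a stray quote or blank in a first-pass record cannot unbalance the generated statements.

```python
import re

# Assumption: a candidate is '&' plus 1-7 letters or digits, so the part
# after '&' can be reused as a field-name suffix. Anything else is rejected,
# which keeps quotes and blanks out of the generated CARLa.
KEY_RE = re.compile(r"&[A-Z0-9]{1,7}")
MAX_COL = 72  # position limit mentioned in the thread


def generate_pass2(records):
    """Build the second-pass CARLa shown in the thread from raw records."""
    keys = []
    for rec in records:
        key = rec.rstrip()  # drop the trailing blanks of fixed-length records
        if not key:
            continue
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"unexpected key {key!r}")
        if key not in keys:
            keys.append(key)  # a duplicate would define the same field twice

    lines = ["newlist type=RACF nopage"]
    for key in keys:
        lines.append(f"   define found{key[1:]} count where key={key}")
    lines.append("   select class=RACFVARS")
    for key in keys:
        # Split after the quoted literal; the comma continues the statement.
        lines.append(f"   summary class(nd) count(nd) '{key} not in RACFVARS',")
        lines.append(f"     found{key[1:]}(nd,<1)")

    too_long = [line for line in lines if len(line) > MAX_COL]
    if too_long:
        raise ValueError(f"line exceeds {MAX_COL} positions: {too_long[0]!r}")
    return lines


# Constructed sample input: blank-padded records, one of them a duplicate.
SAMPLE = ["&TEST1   ", "&TEST2   ", "&TEST3   ", "&TEST1   "]

if __name__ == "__main__":
    print("\n".join(generate_pass2(SAMPLE)))
```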



  • 9.  RE: Exists in Resource Profile

    Posted Thu February 22, 2024 05:18 AM
    Edited by Jeroen Tiggelman Thu February 22, 2024 05:18 AM

    Hi Rob,

    I am not sure I understand your criticism here.

    ASIS means that blanks are significant and must not be omitted. For example, when recreating a field like TACCNT (TSO segment account specification), a single blank is really different from a missing value.

    Overriding length 0 does not mean that values get trimmed, it means that no padding is done to fill the (non-zero) column width.

    Indeed CHAR means that blank-trimming is expected.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 10.  RE: Exists in Resource Profile

    IBM Champion
    Posted Thu February 22, 2024 06:33 AM

    The link I included in my post states for overriding length 0:

    For the (SORT)LIST command it means that trailing blanks must be trimmed (stripped) from the output.

    There is no caveat or limitation mentioned that trimming (0) only applies to CHAR fields.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 11.  RE: Exists in Resource Profile

    Posted Thu February 22, 2024 07:27 AM

    I created a documentation story to fix this sometime in future.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 12.  RE: Exists in Resource Profile

    Posted Thu February 22, 2024 09:05 AM

    Thanks for this sample Rob, this was a nice way to split the summary into 2 lines.

    sortlist "summary class(nd) count(nd) '" | profile,
        "not in RACFVARS'," / "found" | charpart(0) | "(nd,<1)"

    p.s. I never did run the output in a subsequent step until today and received "CKR1325 04 Option PL already set differently for output file" so I had to remove NOPAGE from this statement:  summary "newlist type=racf nopage" count(nd) / 



    ------------------------------
    Scott Lahner
    ------------------------------



  • 13.  RE: Exists in Resource Profile

    Posted Thu February 22, 2024 09:29 AM

    The return code 04 means it is a warning, it shouldn't stop the run. It is just telling you that the NOPAGE directive is ignored, because there was another directive earlier on [within the same run]. You can also suppress this message (although that can be questionable, because it can also have RC 12).

    https://www.ibm.com/docs/en/szs/3.1.0?topic=1399-ckr1325



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 14.  RE: Exists in Resource Profile

    Posted Thu February 22, 2024 09:42 AM

    Thanks Jeroen. 



    ------------------------------
    Scott Lahner
    ------------------------------