IBM Security Z Security

 View Only
Expand all | Collapse all

List Datasets Affected by Profile via Batch AND NOT reference RACF Database

  • 1.  List Datasets Affected by Profile via Batch AND NOT reference RACF Database

    Posted Wed November 13, 2024 01:39 PM

    Howdy zSecure community.

      New to RACF/ zSecure.  Looking to list datasets affected by a RACF Dataset Profile (as in "LISTDSD DS('whatever') DSNS", BUT reference to live RACF Database foreclosed (/disallowed).

      Rephrasing for clarity, "How would one either:

      1) Execute the 'LISTDSD DA('whatever') DSNS' command such that in does not reference the Live RACF Database?

      2) Obtain a list of dataset names affected by a RACF DATASET PROFILE sans reference to the RACF Database?

    I've been asked to report RACF Dataset Profiles affecting no real datasets.  I expect the next request will be to list datasets affected by either a given RACF Dataset Profile or all of them.  A Batch solution would be preferable.  I'm using awk to pull desired detail from generated output.

      I've already generated a list of LISTDSD commands for 17K+ DATASET Profiles in our Test environment, but I'm not allowed to execute against our Live RACF Database.

       Thank you much for your time and attention.



    ------------------------------
    Dale Reinecke
    ------------------------------


  • 2.  RE: List Datasets Affected by Profile via Batch AND NOT reference RACF Database

    Posted Wed November 13, 2024 02:18 PM

    Hi Dale,

    There are several options. 

    If you want to issue RACF commands against a database that is not the active RACF database, you can use the RACF-Offline component of zSecure Admin.
    https://www.ibm.com/docs/en/szs/3.1.0?topic=manual-racf-offline

    If you want to obtain information from a RACF data source but don't want to do live queries, you can create and use an UNLOAD file with zSecure.
    Could be set up from the interface: https://www.ibm.com/docs/en/szs/3.1.0?topic=used-se2-setup-new-files
    Or could be done with a batch job. https://www.ibm.com/docs/en/szs/3.1.0?topic=production-use-fresh-ckfreeze-unload-each-day

    > I've been asked to report RACF Dataset Profiles affecting no real datasets.

    That sounds like menu option RA.3.3 (Report redundant).
    https://www.ibm.com/docs/en/szs/3.1.0?topic=resources-ra33-redundant-finding-removing-redundant-profiles

    >  I expect the next request will be to list datasets affected by either a given RACF Dataset Profile or all of them. 

    Take a look at RA.3.1 (Report profile).
    https://www.ibm.com/docs/en/szs/3.1.0?topic=resources-ra31-profiles-profiles-their-data-sets

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------

    Original Message


  • 3.  RE: List Datasets Affected by Profile via Batch AND NOT reference RACF Database

    Posted Thu November 14, 2024 04:14 AM
    Edited by Rob van Hoboken Thu November 14, 2024 04:16 AM

    REPORT REDUNDANT shows how profiles are different from the less specific profile for the same resource(s).  If there are no relevant differences, the more specific profile is redundant (hence the command name) and could be removed. 

    To check if profiles have no (remaining) data sets to protect, VERIFY NOTEMPTY is the right command.  This leaves the high level qualifier profile, hlq.**, just in case.  VERIFY ALLNOTEMPTY also deletes the HLQ profile.  See here.


    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: List Datasets Affected by Profile via Batch AND NOT reference RACF Database

    Posted Fri November 15, 2024 11:33 AM

    Thank you, Jeroen and Rob.  I'm exploring the options you've described and expect this to lead me to a successful outcome.



    ------------------------------
    Dale Reinecke
    ------------------------------

    Original Message