IBM Security Z Security

  • 1.  Question on using CARLa to produce a report of selected userids from the RACF database

    Posted 29 days ago

    Hello All, 

    I receive a report in Excel from HR that has the first and last name of users who are no longer in the organization and must be removed from RACF. I am running a CARLa report that searches the RACF DB for a match on the names and if found it writes the RACF ID and other relevant information to the CKREPORT sysout. Please refer to the attachment CARLa_INPUT for a sample of the input file. The issue I have is that with the CARLa statements I'm using the program must find a complete match of the first and last name in RACF in order to write it to the CKREPORT sysout. Refer to the other attachment for the section of the CARLa that does the selection. 

    I know that when using the ISPF panels to run zSecure I can find all the names in the DB that are partial matches. For example, using a name in my input file (JOSE TUPAS) I can search on "JO" and it will display the JOSE TUPAS information. Can you show me how to accomplish a similar partial match using CARLa in a batch program? To be specific, again using the previous example, how would I code the CARLa so that it will write out any record it finds that has only "JO TUPAS"? The reason I want to have this function is that often the RACF name will have a nickname or some name other than the formal name HR uses. In my example, "JOSE TUPAS" is listed in the HR files but in RACF he is listed as "JOE" TUPAS. Your help is very much appreciated.



    ------------------------------
    Mory Bindler
    ------------------------------

    Attachment(s): CARLa_HRNAMES.txt (402 B), CARLa_INPUT.txt (133 B)


  • 2.  RE: Question on using CARLa to produce a report of selected userids from the RACF database

    Posted 29 days ago

    Hi Mory,

    The ISPF panels (that is RA.U, selection field for Name) will generate a substring scan, like NAME=:'JO'. Note the colon.
    I believe this requires an actual string and not a reference in that position.
    That suggests to me that you would write a TYPE=$HRNAME query that would generate a TYPE=RACF query with the search arguments you want.

    Searching for both "JO" and "TUPAS" would appear to mean that you would want something like this generated:

    select s=base c=user name=:'JO' name=:"TUPAS"

    Clearly, the program could not guess from the input "JOSE TUPAS" that you would want to scan for JO TUPAS, so you would need to provide these arguments in your input file.

    I hope this begins to help.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 3.  RE: Question on using CARLa to produce a report of selected userids from the RACF database

    IBM Champion
    Posted 29 days ago
    Edited by Rob van Hoboken 29 days ago

    If you know the layout of the name field in the user profiles, you can optimize the SELECT command.  For example, if the first name is always at the beginning of the name field, you could write

    select name=JO*

    to match JOE BLACK, JONATHAN SEAGULL etc, without falling foul of Scarlett Johansson.

    You can combine this with the substring match that Jeroen proposed:

    select class=user name=JO* name=:TUPAS

    It would be easy to write a CARLa that reads your HRNAMES input file, and generates the required CARLa:

    // EXEC C2RC
    //CKR2PASS DD DISP=(,PASS),DSN=&PASS
    //HRNAMES DD *
    JOE BLACK
    JOHN TUPAS
    //SYSIN DD *
    deftype type=$hrnames
    alloc type=$hrnames dd=hrnames
    newlist type=$hrnames dd=ckr2pass nopage
      define first(char) as word(record,1)
      define last(char) as word(record,2)
      define once(nd) boolean where true
      define each(nd) count
      summary once,
      "newlist type=racf empty='nothing to delete' ",
    / "select class=user (key=SYS1,"
      summary each,
      "or (name=" | first(0) | "* name=:" | last(0) | "),"
      summary once,
      ")",
    / "sortlist key(8,'user id') name ljdate"
    // EXEC C2RC
    //SYSIN DD DISP=(OLD,PASS),DSN=&PASS

    Things get a little hairier when the HRNAMES data has more than 2 words in the name, like middle initials.

    ------------------------------
    Rob van Hoboken
    ------------------------------
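
The following is an added example, not part of any post in this thread and not IBM code: a Python pre-processor that builds the same second-pass statements the CARLa above generates, for HR lines that contain middle names or initials. It assumes the first word is the given name and the last word is the surname, and it sets aside any name with characters that could alter the generated statement; the function names and sample lines are constructed for illustration.

```python
import re

# Letters only: quotes, commas, parentheses and wildcards never reach the output.
_WORD = re.compile(r"^[A-Z]+$")

def parse_hr_name(line):
    """Return (first, last) from one HR line, or None if the line is unusable.

    Assumption: first word = given name, last word = surname; middle names
    and initials (with or without a trailing period) are dropped.
    """
    words = [w.rstrip(".") for w in line.upper().split()]
    if len(words) < 2:
        return None
    first, last = words[0], words[-1]
    if not (_WORD.match(first) and _WORD.match(last)):
        return None  # refuse input that could change the generated CARLa
    return first, last

def build_carla(hr_lines):
    """Return (carla_text, rejected_lines) in the statement shape shown in the post."""
    out = ["newlist type=racf empty='nothing to delete'",
           "select class=user (key=SYS1,"]
    rejected = []
    for line in hr_lines:
        if not line.strip():
            continue
        parsed = parse_hr_name(line)
        if parsed is None:
            rejected.append(line.strip())  # handle these by hand
            continue
        first, last = parsed
        # Prefix match on the first name, substring match on the surname.
        out.append(f"or (name={first}* name=:{last}),")
    out.append(")")
    out.append("sortlist key(8,'user id') name ljdate")
    return "\n".join(out), rejected

# Constructed sample input, not the poster's attachment.
SAMPLE = ["JOE BLACK", "John Q. Tupas", "MARY ANN O'NEIL", "CHER", "X Y); select *"]

if __name__ == "__main__":
    carla, rejected = build_carla(SAMPLE)
    print(carla)
    print("rejected for manual review:", rejected)
```

Multi-word and hyphenated surnames are rejected rather than guessed at, so they show up in the review list instead of silently matching nothing or the wrong user.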