Thanks very much for your help. Exactly what I was looking for. We're in the middle of remediation and the zSecure is such a powerful system to help with any ad-hoc issues and reports.
Ensono Corp. / State Street Bank
Ensono Corp.
Original Message:
Sent: Fri November 08, 2024 03:02 AM
From: Tom Zeehandelaar
Subject: Report for listing ID's connected to a GROUP that indicates PROTECT Flag (or not)
Hi Lynn,
the :<fieldname> LOOKUP type is often referred to as the implicit or cross-segment LOOKUP. You can only use this LOOKUP type to retrieve a value from a different segment of the same profile.
In your example, you select GROUP profiles, but the PROTECTED attribute of connected users is not stored in a different segment of group profile STCGROUP. Instead, the PROTECTED attribute is stored in the user profile of the users that are connected to group STCGROUP. For that requirement, CARLa supports a different type of LOOKUP that is named explicit LOOKUP or indirect reference LOOKUP.
The indirect LOOKUP can be used to retrieve a field value from different profiles than the ones that are filtered in the SELECT statement.
The syntax of an indirect reference LOOKUP type is <base field>:<field name>. In your example, you can adjust your code as follows:
n type=racf_access
s class=group profile=stcgroup
summary profile(8,"Group") count * id("UserID") id:protected
Notice that I use the RACF_ACCESS field ID as the base field for the LOOKUP of the PROTECTED attribute from the user profile that matches the value stored in ID. When the LOOKUP function successfully finds a user profile that matches the ID from RACF_ACCESS, it retrieves the value of the PROTECTED attribute for that user and adds YES in the PTC column when the user is PROTECTED. When the user is not PROTECTED it leaves the PTC column blank.
Running that CARLa on my system reports the following:
R A C F A C C E S S A U T H O R I Z A T I O N S 8 Nov 2024 08:49
Group Count UserID Ptc Count
STCGROUP 458 458
AA1 YES 1
ANONYMO 1
CRMAINT 1
CRMASCH 1
CRMBAB1 1
CRMBAB2 1
CRMBAH3 1
CRMBAH4 1
CRMBAH44 YES 1
CRMBAH5 YES 1
CRMBAH6 1
CRMBAH7 YES 1
The PTC column reports YES for the users that are assigned the PROTECTED attribute. For STC users, you probably want all of them to be PROTECTED.
For more information about the LOOKUP function, you can access the IBM Security zSecure CARLa Command Reference:
https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/com.ibm.zsecure.doc_3.1.0/admin_audit/carla_cmnd_lang_list_family_cmds_indrct_ref.htm
I hope this helps.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
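A follow-up check on a saved copy of the report above, as an added example that is not part of the original messages or of zSecure: this Python sketch lists the connected IDs whose Ptc column is blank. It assumes the report was saved as whitespace-separated text in the layout shown and that the group line's count equals the number of ID rows; the function names and sample IDs are constructed.

```python
# Constructed sample in the layout of the report above: title, column header,
# one group summary line, then one row per connected ID. The IDs are made up.
SAMPLE_REPORT = """\
R A C F  A C C E S S  A U T H O R I Z A T I O N S   8 Nov 2024 08:49
Group    Count UserID   Ptc Count
STCGROUP     5     5
               STCAAA   YES     1
               STCBBB           1
               STCCCC   YES     1
               #STCDD           1
               STCEEE   YES     1
"""

def audit_protected(report_text):
    """Return {group: {"declared": n, "protected": [...], "unprotected": [...]}}."""
    groups, current = {}, None
    for line in report_text.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[1].isdigit() and tok[2].isdigit():
            # Group summary line: <group> <count> <count>
            current = groups.setdefault(
                tok[0], {"declared": int(tok[1]), "protected": [], "unprotected": []})
        elif current is None:
            continue  # title or column header before the first group line
        elif len(tok) == 3 and tok[1] == "YES" and tok[2].isdigit():
            current["protected"].append(tok[0])    # Ptc column shows YES
        elif len(tok) == 2 and tok[1].isdigit():
            current["unprotected"].append(tok[0])  # Ptc column is blank
        # Anything else (repeated title/header on a new page) is ignored.
    return groups

def findings(report_text):
    """Return (group, problem) pairs: truncated input and non-PROTECTED IDs."""
    out = []
    for name, g in audit_protected(report_text).items():
        seen = len(g["protected"]) + len(g["unprotected"])
        if seen != g["declared"]:
            # Assumption: the group count equals the number of ID rows.
            out.append((name, f"parsed {seen} rows, report declares {g['declared']}"))
        for uid in g["unprotected"]:
            out.append((name, f"{uid} is not PROTECTED"))
    return out

if __name__ == "__main__":
    for group, problem in findings(SAMPLE_REPORT):
        print(f"{group}: {problem}")
```

The row-count check reports a truncated or partially copied report, so a short list of findings is not mistaken for a clean group.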
Original Message:
Sent: Thu November 07, 2024 04:12 PM
From: Lynn Gilson
Subject: Report for listing ID's connected to a GROUP that indicates PROTECT Flag (or not)
Hello zSecure Community!
Such a great resource for us zSecure community users. I searched thru the archive/articles here and found one that is similar to a request I have from our mgmt. This involves generating a report that indicates all the ID's/Group's connected or within a particular user defined GROUP. I need to show the PROTECTED Flag indicator too. Again, using the tremendous zSecure Dialogs to generate my starting point and using the articles in this community I was able to generate a sparse zCarla program:
n type=racf_access
s class=group profile=stcgroup
summary profile(8,"Group") count * id("UserID") :protected
This generates a report as:
R A C F A C C E S S A U T H O R I Z A T I O N S 7 Nov 2024 16:06
Group Count UserID Ptc Count
STCGROUP 1386 1386
#CIA0A 1
#CIA0B 1
#CIA0C 1
#CIA0D 1
#CIA0E 1
However my 'Ptc' (PROTECTED) column is empty of values. My recent inquiry on this community forum reminded me to use the ' : ' for the reference to data outside of the TYPE I reference in this program. Is it possible to obtain this data (PROTECTED flag value) using my method in zCarla above?
My humble thanks to all who contribute to this community.
Lynn Gilson
------------------------------
Lynn Gilson
SysProg
Ensono Corp.
Downers Grove, IL,USA
+001-630-944-1442
------------------------------