IBM Security Z Security

  • 1.  User report with only GrpSpec or Oper or Aud groups listed

    Posted Thu May 30, 2024 06:13 PM

    Hello - I need help with the report below. I only want to show groups in which a user has group Special, Oper, or Auditor. I do not want GROUP1 or GROUP4 in the output below:

    User ID  Name                 Special  Operations Auditor  Connect groups
    JOEUSR1  SUMI JOSEPH                                       GROUP1
                                                      YES      GROUP2
                                           YES                 GROUP3
                                                               GROUP4
                                  YES                          GROUP5

    CARLa used:

    s s=base c=user  (GrpSpec OR GrpOp OR GrpAud)                  
    sortlist " - complex"(tt,page) complex(tt,page) stamp(tt),     
    ,                                                              
    key(8,"User ID") name,                                         
    GrpSpec(8,"Special"),                                          
    GrpOper(10,"Operations"),                                      
    GrpAud(8,"Auditor"),                                           
    cggrpnm(25,"Connect groups")          

    Thanks.



    ------------------------------
    Joseph Sumi
    ------------------------------


  • 2.  RE: User report with only GrpSpec or Oper or Aud groups listed

    Posted Fri May 31, 2024 01:13 AM

    Hi Joe, 

    You do not have to use CARLa for your requested query; this selection is supported out of the box in the zSecure user interface.

    Just go to option RA.G for selecting group profiles, and select additional selection criteria option "Connect fields". Then, at the bottom of the follow-on display, you can select Special, Operations, and Auditor in option "Set of attributes (only shows attributes)" with OR logic.

    Optionally, you can select the options "Print format", "Print Connects", and "Print names", to generate a printed report rather than an ISPF display.

    Here's a sample of the results of this query in one of my development systems.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: User report with only GrpSpec or Oper or Aud groups listed

    IBM Champion
    Posted Fri May 31, 2024 03:15 AM
    Edited by Rob van Hoboken Fri May 31, 2024 03:16 AM

    I agree with Tom, this report is available in the user interface, RA.U.

    The SELECT command selects whole profiles from the database, and connect groups are part of a profile.  So when you print CGGRPNM, you will see all the connect groups in the selected profile.

    In order to prune the connect groups, and all their attributes too, CARLa has the SUBSELECT command.  This works after the profile(s) have been selected.  It is documented with the DEFINE command.

    newlist type=racf
      s s=base c=user  (GrpSpec OR GrpOp OR GrpAud) 
      define priv_connects subselect connects(GrpSpec OR GrpOper OR GrpAud)
      sortlist " - complex"(tt,page) complex(tt,page) stamp(tt),
        key(8,"User ID") name,
        priv_connects

    Alternatively, you could look at RACF_ACCESS, which has a single line for each connect group entry, and lookup to the attributes of the entry.  This means the SELECT command in RACF_ACCESS will select (and exclude) individual connect groups for a user.  If memory serves, something like this would work.  Note, it uses implicit lookup for the privileges:

    newlist type=racf_access
      select class=group (:grpspec or :grpoper or :grpaud)
      summary id(8,"Userid") * profile(8,"Group") :grpspec :grpoper :grpaud


    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: User report with only GrpSpec or Oper or Aud groups listed

    Posted Fri May 31, 2024 09:40 AM

    Hello - thanks, I found some old double-pass CARLa I had and modified it. I'm really close to what I want, but I have one question. I want the "No" to be blank.

    Here is my output:

    Userid   Name                 Special Operations Auditor Groupid

    USER1    SUMI, JOSEPH         Yes     No         No      GROUP1
    USER1    SUMI, JOSEPH         Yes     No         No      GROUP2
    USER1    SUMI, JOSEPH         Yes     Yes        No      GROUP3
    USER1    SUMI, JOSEPH         Yes     Yes        No      GROUP4 

    Here is the 2nd pass CARLa:

    //SYSIN DD *                                                            
      alloc type=racf backup                                                
      deftype type=$conns                                                   
      alloc type=$conns dd=conns                                            
      define type=$conns $group(8,'Groupid') as substr(record,10,8)         
      define type=$conns $specuser(8,'Userid') as substr(record,1,8)        
      define type=$conns $name(20,'Name') as substr(record,68,20)           
      define type=$conns $soa(3,'SOA') as substr(record,29,3)               
      define type=$conns $grpspec boolean where substr(record,29,1)='S'     
      define type=$conns $grpoper boolean where substr(record,30,1)='O'     
      define type=$conns $grpaud  boolean where substr(record,31,1)='A'     
                                                                            
      newlist type=$conns tt='GROUP SPECIAL,OPERATIONS,AUDITOR' dd=report   
      select $grpoper OR $grpspec OR $grpaud                                
      sortlist $specuser $name $grpspec(7,'Special') ,                      
      $grpoper(10,'Operations') $grpaud(7,'Auditor') ,                      
      $group                                                                             



    ------------------------------
    Joseph Sumi
    ------------------------------



  • 5.  RE: User report with only GrpSpec or Oper or Aud groups listed

    Posted Fri May 31, 2024 09:51 AM

    Hi Joe,

    That seems a matter of overriding the output format.

    The table of standard flag formats is here: https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/com.ibm.zsecure.doc_3.1.0/admin_audit/carla_cmnd_lang_list_fam_cmds_flg_frmts.htm

    The combination "Yes" in mixed case and "blank" does not naturally exist, but you can use STR$BLANK for this, like:

    define type=$conns $grpspec(str$blank("Yes")) boolean where substr(record,29,1)='S'

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure Suite
    Delft
    ------------------------------



  • 6.  RE: User report with only GrpSpec or Oper or Aud groups listed

    Posted Fri May 31, 2024 11:46 AM

    Thanks all!

    STR$BLANK works great. Below is the 1st pass and 2nd pass CARLa used to produce the user report and their associated groups where they have group spec or oper or aud to the group (in case anyone is interested).

    //CKRCARLA EXEC PGM=CKRCARLA,REGION=64M
    //SYSPRINT DD SYSOUT=*
    //CONNS DD DISP=(NEW,PASS),SPACE=(TRK,900),DSN=&&CONNS,
    // RECFM=VB,LRECL=200
    //SYSIN DD *
      newlist type=racf nopage retain dd=conns
      select class=user segment=base
      exclude cggrpct=0 /* Exclude the irr* userids */
      sortlist key(8) connects name instdata
    //*
    //STEP2 EXEC PGM=CKRCARLA,REGION=64M
    //CONNS DD DISP=(OLD,PASS),DSN=&&CONNS
    //SYSPRINT DD SYSOUT=*
    //REPORT  DD DSN=SUMI.GROUP.REPORT(+1),
    //    MGMTCLAS=XXXXXXXXX,SPACE=(CYL,(2,2),RLSE),
    //    DCB=(DSORG=PS,RECFM=FB,LRECL=255,BLKSIZE=2550),
    //    DISP=(,CATLG,DELETE)
    //SYSIN DD *
      alloc type=racf backup
      deftype type=$conns
      alloc type=$conns dd=conns
      define type=$conns $group(8,'Groupid') as substr(record,10,8)
      define type=$conns $specuser(8,'Userid') as substr(record,1,8)
      define type=$conns $name(20,'Name') as substr(record,68,20)
      define type=$conns $soa(3,'SOA') as substr(record,29,3)
      define type=$conns $grpspec(str$blank("Yes")) boolean where ,
      substr(record,29,1)='S'
      define type=$conns $grpoper(str$blank("Yes")) boolean where ,
      substr(record,30,1)='O'
      define type=$conns $grpaud(str$blank("Yes")) boolean where ,
      substr(record,31,1)='A'

      newlist type=$conns tt='GROUP SPECIAL,OPERATIONS,AUDITOR' dd=report
      select $grpoper OR $grpspec OR $grpaud
      sortlist ,
      $specuser $name "    " $grpspec(7,'Special') ,
      $grpoper(10,'Operations') $grpaud(7,'Auditor') ,
      $group
    //



    ------------------------------
    Joseph Sumi
    ------------------------------
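
The two points the thread turns on, selecting whole profiles versus pruning individual connect entries, and showing a set flag as "Yes" with an unset flag left blank, modelled in Python as an added example. It is not CARLa and not code from any poster or from zSecure; the data is constructed from the report in the first post, and `PLAINUSR` and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Connect:
    group: str
    special: bool = False
    oper: bool = False
    auditor: bool = False

    @property
    def privileged(self) -> bool:
        return self.special or self.oper or self.auditor

# Constructed sample mirroring the report in the first post.
USERS = {
    "JOEUSR1": [
        Connect("GROUP1"),
        Connect("GROUP2", auditor=True),
        Connect("GROUP3", oper=True),
        Connect("GROUP4"),
        Connect("GROUP5", special=True),
    ],
    "PLAINUSR": [Connect("GROUP1")],  # hypothetical user, no group privileges
}

def select_profiles(users):
    """Profile-level selection: a user qualifies if ANY connect is
    privileged, and the whole profile (every connect) comes back."""
    return {u: c for u, c in users.items() if any(x.privileged for x in c)}

def subselect_connects(users):
    """Connect-level pruning applied after profile selection: keep only
    the privileged connect entries of each selected profile."""
    return {u: [x for x in c if x.privileged]
            for u, c in select_profiles(users).items()}

def flag(value, true_text="Yes"):
    """Render a flag as text when set and as blank when not set."""
    return true_text if value else ""

def report(users):
    """One line per privileged connect: user, three flag columns, group."""
    rows = []
    for user, connects in sorted(subselect_connects(users).items()):
        for c in connects:
            rows.append(f"{user:<8} {flag(c.special):<7} {flag(c.oper):<10} "
                        f"{flag(c.auditor):<7} {c.group}")
    return rows
```
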