 Problems with understanding the documentation of RACF Access Monitor

Stephan Reichelt posted Thu November 21, 2024 07:48 AM

Hello everyone,
We recently installed the Access Monitor. However, we are not sure about some of the documentation.
Our goal is to trace all accesses from all userids on our systems.
Now there are the three members C2PAMJOB, C2PAMPCL and C2PAMRCL. We don't quite understand the description. For example, we had entered M52* YES in member C2PAMJOB, expecting that only accesses by users with the prefix M52* would be recorded. However, this is not the case. Accesses by users with a different prefix are also recorded.
What is meant by the additional recorded job data? Where in which panel in AM can this be found/queried? We have not found/seen anything about point 1 (access evaluation).
Regarding the other two members: are they really only for the POE? We want access to all RACF classes to be recorded. Do the two members play a role in this?
What should be displayed as a POE for a class such as OPERCMDS, for example?
I hope I have been able to formulate our questions clearly and that you can shed light on our ignorance.

Kind regards
Stephan

Jeroen Tiggelman

Hi Stephan,

These members are explained in the section of the Installation Guide titled "Definition of the users or classes for which to collect detail data". So I would not expect them to control what users data was collected for at all, only for which users more details got collected.

"Collection of Port Of Entry information is controlled by the contents of the C2PAMRCL and C2PAMPCL members. [...] POE information is collected only for those events for which the Resource class and the POE class both have the value YES specified." as the entire documentation of these members says to me that indeed they are only for populating the Port Of Entry information.

The documentation for the fields in the ACCESS report type explains under JOBNAME that "This field is reported as missing if the input record does not contain the field. For most ACCESS files, the JOBNAME field is present only for those userids for which the JOBNAME field has been activated in the C2PAMJOB customization member." The UTOKEN_POE* fields say something parallel for the other two members.

So on a primary level, my understanding is that some of the fields on some of the displays might be empty when you are not collecting this detail information. This does not specify what records are collected, and it also doesn't seem to be about specific reports so much.

In AM.1, the option "Show configured fields" controls whether these extra fields are shown. If you have it tagged, then "Further selection" will also show additional options:

Specify further selection criteria:                             
Jobname . . . . . . . . ________  (jobname or EGN mask)         
Port Of Entry class . . ________  (class or EGN mask)           
Port Of Entry . . . . . _________________  (POE or EGN mask)    

This is documented with the advanced selection criteria.

I hope this begins to help.

Regards,

Jeroen

Rob van Hoboken

Jeroen is quite right in his reference to documentation and explanation.

C2PACMON does not filter the events.  Filtering events would give you incorrect results when you report, for example, unused profiles or unused permits, so you might delete entries that are in fact still used.

The 3 configuration members are used to fill in fields in the access records that would otherwise remain empty.  C2PACMON leaves these fields empty because it is designed to summarize the information, so it counts the number of events that fit the key fields of the (summarized) access record and writes the count(s) in the access record instead of writing each event.  If you tell it to fill in the optional fields, the summarization becomes less effective, resulting in (many) more records and more space usage.

The intent of C2PAMJOB is to select only those user IDs where job name information is needed, for example, a shared started task user ID or the OPCA shared user ID.  You specify the prefix of the user IDs; do not code an asterisk.
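
A simplified model of the behaviour described in the two replies above, as an added example that is not part of the thread and is not zSecure code: every event is counted, and the three members only decide whether the job name and POE fields are filled in, which splits the summarized records. The key fields, the Python stand-ins for the members, the prefix matching and the sample events are all constructed assumptions.

```python
from collections import Counter

# Constructed stand-ins for the three members (not their real syntax).
JOB_PREFIXES = ["M52"]            # C2PAMJOB: user ID prefixes, no asterisk
RESOURCE_CLASSES = {"DATASET"}    # C2PAMRCL: resource classes set to YES
POE_CLASSES = {"TERMINAL"}        # C2PAMPCL: POE classes set to YES

# Constructed events: (userid, jobname, resource class, resource, POE class, POE)
EVENTS = [
    ("M52A", "PAYJOB1", "DATASET", "PAY.MASTER", "TERMINAL", "T0001"),
    ("M52A", "PAYJOB2", "DATASET", "PAY.MASTER", "TERMINAL", "T0001"),
    ("X99B", "RPTJOB1", "DATASET", "PAY.MASTER", "TERMINAL", "T0002"),
    ("X99B", "RPTJOB2", "DATASET", "PAY.MASTER", "TERMINAL", "T0003"),
    ("X99B", "RPTJOB3", "OPERCMDS", "MVS.DISPLAY.JOB", "TERMINAL", "T0002"),
]

def summarize(events, job_prefixes=(), resource_classes=(), poe_classes=()):
    """Return {summarized record key: event count}.

    Assumed key fields: userid, class, resource, plus the optional
    jobname and POE, which stay None unless the configuration asks for them.
    """
    records = Counter()
    for userid, jobname, rclass, resource, pclass, poe in events:
        # Job name detail only for user IDs matching a configured prefix.
        want_job = any(userid.startswith(p) for p in job_prefixes)
        # POE detail only when resource class AND POE class are both YES.
        want_poe = rclass in resource_classes and pclass in poe_classes
        key = (userid, rclass, resource,
               jobname if want_job else None,
               (pclass, poe) if want_poe else None)
        records[key] += 1  # no event is ever filtered out
    return records

def users(records):
    """User IDs that appear in the summarized records."""
    return {key[0] for key in records}

if __name__ == "__main__":
    runs = {
        "no detail": summarize(EVENTS),
        "C2PAMJOB only": summarize(EVENTS, JOB_PREFIXES),
        "all three": summarize(EVENTS, JOB_PREFIXES, RESOURCE_CLASSES, POE_CLASSES),
    }
    for label, recs in runs.items():
        print(f"{label}: {len(recs)} records, {sum(recs.values())} events, "
              f"users {sorted(users(recs))}")
```
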

Stephan Reichelt's profile image
Stephan Reichelt

Hello and good morning,
Thank you very much for your quick and competent answers.
This has helped me a lot to understand how the query and the additional member work.
Have a nice day.
Best regards
Stephan