IBM Security Z Security

Security for Z

  • 1.  CKFREEZE Data set report

    Posted Thu January 19, 2023 12:33 AM
    Edited by Luc Martens Thu January 19, 2023 12:38 AM
    Hi there,
    I'm struggling to produce a report that would generate IDCAMS delete stmts of ISPPROF data sets for users that don't exist anymore.

    Our naming convention for ISPPROF data set is as follows: xxxxTSO.userid.ISPPROF

    I managed to get a list from a CKFREEZE data set as follows:
    NEWLIST TYPE=DSN NAME=DSNLIST NOPAGE
    SELECT DSN=%%%%TSO.*.ISPPROF
    SELECT DSN=%%%%TSO.*.ISRPROF
    SORTLIST SYSTEM VOL DSN

    This gives, for instance, the following report:

    COMMAND ===>
    ****************************************
    SSTE EEE001 ECEMTSO.U14794.ISPPROF
    SSTE MIGRAT AABBTSO.A0KB144.ISPPROF
    SSTE MIGRAT AABBTSO.A0KB425.ISPPROF
    SSTE MIGRAT AABBTSO.A000282.ISPPROF
    SSTE MIGRAT AABBTSO.A001949.ISPPROF
    SSTE MIGRAT AABBTSO.A001950.ISPPROF

    I would like to look up via a CARLa query if the userid (=second level qualifier) exists in RACF.
    If not, I need to generate a 'DELETE' datasetname stmt which can be executed via an IDCAMS job.

    Does anyone have an idea on how to accomplish this?

    Thank you for your help.



    ------------------------------
    Luc Martens
    ------------------------------


  • 2.  RE: CKFREEZE Data set report

    Posted Thu January 19, 2023 02:29 AM
    Edited by Ronald van der Laan Thu January 19, 2023 03:11 AM

    Hi Luc,

    If you are using RACF, then the following should work:

    newlist type=dsn name=dsnlist nopage
    define profile_user('UserID',8) as word(dsn,2,'.')
    define is_user true where exists(profile_user:racf.dfltgrp)
    select dsn=(%%%%TSO.*.ISPPROF,%%%%TSO.*.ISRPROF) not(is_user)
    sortlist system vol dsn



    ------------------------------
    Ronald van der Laan
    ------------------------------



  • 3.  RE: CKFREEZE Data set report

    Posted Thu January 19, 2023 03:11 AM
    Hi Ronald,
    Thank you for your reply.

    It worked nicely.
    This is my final result: I just modified the where exists clause into missing, as I wanted to clean up for non-existing users.
    alloc type=racf active
    alloc type=CKFREEZE DD=CKFREEZE

    NEWLIST TYPE=DSN NAME=DSNLIST NOPAGE DD=DAREPORT
    SELECT DSN=%%%%TSO.**.ISPPROF
    SELECT DSN=%%%%TSO.**.ISRPROF
    SORTLIST SYSTEM DSN VOL

    newlist type=dsn name=dellist nopage DD=RAREPORT
    define profile_user('UserID',8) as word(dsn,2,'.')
    define is_user true where missing(profile_user:racf.dfltgrp)
    select dsn=(%%%%TSO.**.ISPPROF,%%%%TSO.**.ISRPROF) is_user
    sortlist ' DELETE' dsn 'PURGE'

    ------------------------------
    Luc Martens
    ------------------------------



  • 4.  RE: CKFREEZE Data set report

    Posted Thu January 19, 2023 11:41 AM
    Luc
    The algorithm that you use is the same as Ronald's; he used NOT(is_user) in the SELECT command to invert the boolean, you changed the boolean's value.  I would just recommend that you change the name of the (inverted) variable into NOT_A_USER because IS_USER suggests that the user ID exists.

    Note, if for any reason the ALLOC command for the RACF data set is removed, all user IDs will appear to be not found.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: CKFREEZE Data set report

    Posted Thu January 19, 2023 12:44 PM
    Thank you Rob for the feedback.
    I'm getting "CKR0617 16 Missing RACF security database for system SSTC complex SSTC" when RACF db should not be available.
    So that's quite safe, because my delete step is only executed when RC=0.

    regards, Luc

    ------------------------------
    Luc Martens
    ------------------------------
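
The safeguard discussed in posts 4 and 5, as an added example that is not from the thread's authors or IBM: Python that applies the thread's xxxxTSO.userid.ISPPROF convention to a report shaped like the one in post 1, emits DELETE statements in the format of post 3, and fails closed when no RACF user IDs are supplied. The function name `build_delete_deck`, the user-ID list as an input, and the sample user IDs are assumptions.

```python
import re

# Naming convention from the thread: xxxxTSO.userid.ISPPROF (or .ISRPROF).
# Exactly three qualifiers are required here, which is stricter than "**".
PROFILE_DSN = re.compile(r"^[A-Z0-9#@$]{4}TSO\.([A-Z0-9#@$]{1,8})\.IS[PR]PROF$")

# Constructed sample: report lines in the shape shown in post 1 (SYSTEM VOL DSN).
SAMPLE_REPORT = [
    "COMMAND ===>",
    "SSTE EEE001 ECEMTSO.U14794.ISPPROF",
    "SSTE MIGRAT AABBTSO.A0KB144.ISPPROF",
    "SSTE MIGRAT AABBTSO.A0KB425.ISPPROF",
    "SSTE MIGRAT AABBTSO.A000282.ISPPROF.OLD",  # constructed: extra qualifier
]
# Constructed sample: user IDs assumed to have been exported from RACF.
SAMPLE_USERS = ["U14794", "a0kb144 "]


def build_delete_deck(report_lines, racf_userids):
    """Return (deck, skipped): DELETE statements for profile data sets whose
    second qualifier is not a known user ID, and names that were not trusted."""
    known = {u.strip().upper() for u in racf_userids if u.strip()}
    # Fail closed: with no RACF data every user ID would look missing,
    # which is the situation Rob warns about in post 4.
    if not known:
        raise ValueError("no RACF user IDs supplied; refusing to build deletes")
    deck, skipped = [], []
    for line in report_lines:
        fields = line.split()
        if len(fields) != 3:          # headers, separators, blank lines
            continue
        dsn = fields[2].upper()
        match = PROFILE_DSN.match(dsn)
        if match is None:             # never delete a name we cannot parse
            skipped.append(dsn)
        elif match.group(1) not in known:
            deck.append(f" DELETE {dsn} PURGE")
    return deck, skipped


if __name__ == "__main__":
    statements, ignored = build_delete_deck(SAMPLE_REPORT, SAMPLE_USERS)
    print("\n".join(statements))
    print("skipped:", ignored)
```
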