IBM Security Z Security

Security for Z

  • 1.  How to report on groups of users with zSecure RA.3.4

    Posted Mon December 09, 2019 08:38 AM
    Within zSecure RA.3.4 I can provide 5 User IDs to run a report on what profiles each user can access. By using the Output in Print Format I can see the CARLa code that is created to produce the report. So I can see how to add more individual User IDs to the report.

    However, how can I tell the code to report on every ID in the Owning Group ABCDE? Or every ID in a certain default group, or everyone that has a certain value in a CSDATA segment field?

    For example, a manager comes to me and says, "I want to see the access permissions of everyone on my team. I have 50 people on my team and all their IDs are owned by group ABCDE." Instead of me keying the 50 IDs into the report, can I tell the report to produce a report for each user in the group?

    I assume it may be a 2-step process: run a step to select the IDs and output the IDs in the format for the report, then imbed the list of IDs into the report in step 2. Or is there a better way to do this?

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: How to report on groups of users with zSecure RA.3.4

    Posted Mon December 09, 2019 02:14 PM
    You may like to take a look at this link on the (soon to be retired) zSecure Wiki:
    https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Wa6857722838e_491e_9968_c8157c8cf491/page/Cross%20Table%20Generator
    I think the CROSSTAB REXX might be just what you need.

    ------------------------------
    Andrew Cameron-Heffer
    ------------------------------



  • 3.  RE: How to report on groups of users with zSecure RA.3.4

    Posted Wed December 11, 2019 02:34 PM
    Edited by Rob van Hoboken Fri December 13, 2019 03:40 PM
    Here is a two-pass query that first builds a CARLa by selecting user profiles (in this case by finding CSDATA fields with value HR). The user IDs go into field k, which is mixed with literals to build a query similar to the one RA.3.G uses.
    Adapt the selection, for example to select users based on the OWNER value.
    Run in CO.C. This produces output in CKR2PASS. Inspect and press F3. Then type an R in front of CKR2PASS. This produces the report.
    If there are too many user IDs to fit on a line, increase the report line length in SE.7.

    n type=racf nopage dd=ckr2pass
      define once(nd) boolean where complex==complex
      define each(nd) boolean where complex==complex
      define k(0) as key

      s class=user segment=csdata dept=HR
      summary once,
        'suppress reason=(uacc id(*) global warning noprof grpaudit,',
      / ' grpoper grpspec owner pwdchange selfcon alter-m ckgowner)',
      / 'n required n=permit1d i=permit type=report_scope,',
      / ' tt="Compare PERMITs for IDs, including group permits, ',
        'complex ",',
      / ' title="Class "'
      summary each k(nd),
        ' define access_' | k | '("' | k | '",8,access_nz) max(access)',
        'where id=' | k
      summary once,
        ' summary complex(toptitle,page) class(title,page),',
      / '   key("Profile name",firstonly),'
      summary each k(nd),
        '   access_' | k | ','
      summary once,
        '   count(nd)',
      / 'report,'
      summary each k(nd),
        ' scope=' | k | ','

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 4.  RE: How to report on groups of users with zSecure RA.3.4

    Posted Fri December 13, 2019 03:21 AM
    Edited by Rob van Hoboken Fri December 13, 2019 03:42 PM
    When you're running this in a batch job, please ensure the RACF input source is specified in both phases; that means, specify an ALLOC command for the first pass and generate one for the 2nd pass. Also, if you do not use the C2RC proc to run CARLa, you must generate a PRINT DD=CKREPORT for the 2nd pass.

    //JCLLIB JCLLIB ORDER=(CKR240.CKRPARM,
    // CKR240.SCKRPROC)
    //*
    //STEP1    EXEC C2RC
    //CKR2PASS DD DISP=(,PASS),DSN=&CKR2PASS,SPACE=(TRK,(10,10))
    //SYSIN DD *
    alloc type=racf active
    n type=racf nopage dd=ckr2pass

      define once(nd) boolean where complex==complex
      define each(nd) boolean where complex==complex
      define k(0) as key
      s class=user segment=csdata dept=HR
      summary once,
        'alloc type=racf active',
      / 'print dd=ckreport',
      / 'suppress reason=(uacc id(*) global warning noprof grpaudit,',
      / ' grpoper grpspec owner pwdchange selfcon alter-m ckgowner)',
      / 'n required n=permit1d i=permit type=report_scope,',
      / ' tt="Compare PERMITs for IDs, including group permits, ',
        'complex ",',
      / ' title="Class "'
      summary each k(nd),
        ' define access_' | k | '("' | k | '",8,access_nz) max(access)',
        'where id=' | k
      summary once,
        ' summary complex(toptitle,page) class(title,page),',
      / '   key("Profile name",firstonly),'
      summary each k(nd),
        '   access_' | k | ','
      summary once,
        '   count(nd)',
      / 'report,'
      summary each k(nd),
        ' scope=' | k | ','
    //STEP2    EXEC C2RC
    //CKREPORT DD SYSOUT=*,LRECL=500
    //SYSIN    DD DISP=(OLD,DELETE),DSN=&CKR2PASS


    ------------------------------
    Rob van Hoboken
    ------------------------------