IBM Security Z Security

Security for Z

  • 1.  Multiple access paths to resource not displayed in ZSECURE

    Posted Thu January 16, 2020 11:43 AM

    We have a situation with ZSECURE Admin 2.3.1 resource access reporting:


    · User U is connected to (2) groups: G1 and G2, AUTH=USE
    · Groups G1 and G2 both have READ access to resource R
    · In panel RA.R, creating a report for resource R, the options "Full detail form", "Print ACL", "Resolve to users" are set.
    · Logically, in this case we would expect the report to print (2) lines for user U, one showing ACL ID of group G1, the other showing ACL ID of group G2.
    · But the report output shows only one line for user U, with ACL ID showing group G1 but not group G2.


    I want to run this by the community before I open an incident.

    I'm hoping this is a mistake of some kind I am making in ZSECURE since I am still new to the product.

    If anyone has encountered this, please advise.

    Thank you.

     

     

    David Malbuff

    Senior Technical Administrator, Mainframe

    FBL Financial Group, Inc.

    Farm Bureau Financial Services

    5400 University Avenue, West Des Moines, IA  50266

    Phone: 515-225-5757 | Mobile: 540-335-7892

     






  • 2.  RE: Multiple access paths to resource not displayed in ZSECURE

    Posted Thu January 16, 2020 12:46 PM
    Hi David,

    I would recommend playing around with the ACL primary command in display mode (deselect print format, select a profile, go to the detail panel and experiment with ACL EXPLODE, ACL RESOLVE, ACL EFFECTIVE, and ACL NORMAL) to get a feeling for what it means. ACL EXPLODE expands all group permits into their connected user ids. ACL RESOLVE requests the access list display to be reduced to one line per user ID, with an arbitrary group id if multiple ids give the same access, and ACL EFFECTIVE adds IDs that have access via operations and group-operations and resolves the way that works together with access(NONE) permits.
    The print format display has no checkbox for requesting the EXPLODE format for the ACL because the output also rather explodes...

    ------------------------------
    Hans Schoone
    IBM
    Delft
    ------------------------------
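
Added example, not part of the original posts and not zSecure or CARLa code: a small Python model of the exploded and resolved ACL views described in the reply above, applied to the scenario from the first post, with a check that lists the access paths a resolved report leaves out. The names `explode`, `resolve`, `hidden_paths`, the extra user V, and the rule for differing access levels are assumptions made for illustration.

```python
# Simplified model of the two ACL views discussed above; not zSecure or CARLa code.
# Constructed sample data: user U connected to G1 and G2, both permitted READ on R.
# User V is an extra constructed user with a single access path.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

CONNECTS = {"G1": ["U", "V"], "G2": ["U"]}   # group -> connected users
ACL_R = [("G1", "READ"), ("G2", "READ")]     # permits on resource R


def explode(acl, connects):
    """One line per (user, permitting ACL id): every access path is kept."""
    lines = []
    for acl_id, access in acl:
        # A group permit expands to its connected users; a user permit stays as is.
        for user in connects.get(acl_id, [acl_id]):
            lines.append((user, acl_id, access))
    return sorted(lines)


def resolve(acl, connects):
    """One line per user. On equal access the first path seen is kept, which
    stands in for the 'arbitrary' group id. Assumption (not from the thread):
    when levels differ, the higher level is kept."""
    best = {}
    for user, acl_id, access in explode(acl, connects):
        kept = best.get(user)
        if kept is None or LEVELS.index(access) > LEVELS.index(kept[1]):
            best[user] = (acl_id, access)
    return sorted((u, a, lvl) for u, (a, lvl) in best.items())


def hidden_paths(acl, connects):
    """Access paths present in the exploded view but absent from the resolved one."""
    shown = set(resolve(acl, connects))
    return [line for line in explode(acl, connects) if line not in shown]


if __name__ == "__main__":
    for name, view in (("EXPLODE", explode), ("RESOLVE", resolve)):
        print(name)
        for user, acl_id, access in view(ACL_R, CONNECTS):
            print(f"  {user:<8} {acl_id:<8} {access}")
    print("Hidden by RESOLVE:", hidden_paths(ACL_R, CONNECTS))
```

In this model, removing only the G1 permit would still leave U with READ through G2, which is the path the resolved view does not list.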



  • 3.  RE: Multiple access paths to resource not displayed in ZSECURE

    Posted Thu January 16, 2020 02:20 PM
    Edited by Jeroen Tiggelman Thu January 16, 2020 02:27 PM
    > The print format display has no checkbox for requesting the EXPLODE format for the ACL
    > because the output also rather explodes...

    However, since the report is really the output of a CARLa script, it is possible to modify it if you are sure you want the output like that.

    If you press PF3 after running the report, this brings you to the RESULTS panel, where you can
    E(dit) the COMMANDS file; then you can issue
    F RESOLVE
    on the command line and this will locate the line
    / acl(sort(USER),header,resolve) acl:revoke(hb,1) |,
    where you can overtype RESOLVE with EXPLODE, and then
    GO
    on the command line.

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 4.  RE: Multiple access paths to resource not displayed in ZSECURE

    Posted Tue January 21, 2020 08:55 AM

    Belated thank-yous to Jeroen and Hans for their helpful suggestions.  

     

    These simple changes worked exactly as desired and we now have the detailed reports our auditors requested.

     

    Thanks again!

     

    David Malbuff

    Senior Technical Administrator, Mainframe

    FBL Financial Group, Inc.

    Farm Bureau Financial Services

    5400 University Avenue, West Des Moines, IA  50266

    Phone: 515-225-5757 | Mobile: 540-335-7892