The SEARCH command is not the most efficient command on the block. It retrieves all profiles (matching the class and filter you specified), thus causing a lot of I/O to the database. For a large database... could be noticeable. Try it out on your production ;-).
The reason why the profiles are shown in the SEARCH output is ambiguous: the specified user is either permitted or is the owner (direct or via group special) of the profile. You would have to issue an LD or RL to figure out if the user has READ/UPDATE/etc. See the syntax manual.
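To make the ambiguity concrete, here is an added Python example (not code from the thread, from IBM or from zSecure) that models the documented order RACF follows when it resolves a user's access to a profile: the user's own access-list entry takes precedence over group entries, otherwise the highest access of any connected group is used (list-of-groups checking assumed active), otherwise UACC. It then tags each profile the way a reviewer would after running LD/RL on the SEARCH hits: permitted directly, permitted via a group, or merely owned with no permit at all. The user ID, groups and profile names are constructed for the example, and real RACF checking has further steps (global access table, WARNING mode, ID(*), security labels) that are deliberately left out.

```python
from dataclasses import dataclass, field

# RACF access levels from weakest to strongest (EXECUTE included for completeness).
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def rank(access):
    """Position of an access level in ACCESS_ORDER, used to compare levels."""
    return ACCESS_ORDER.index(access)


@dataclass
class Profile:
    name: str
    owner: str                              # owning user ID or group
    uacc: str = "NONE"                      # universal access
    acl: dict = field(default_factory=dict)  # user ID or group -> access level


@dataclass
class User:
    userid: str
    groups: list                            # connected groups


def effective_access(user, profile):
    """Simplified model of RACF's access-list resolution.

    Returns (access, reason). A direct entry for the user ID wins even if a
    group entry would grant more; otherwise the strongest group entry is used;
    otherwise UACC applies.
    """
    if user.userid in profile.acl:
        return profile.acl[user.userid], "direct permit"
    via = {g: profile.acl[g] for g in user.groups if g in profile.acl}
    if via:
        best = max(via, key=lambda g: rank(via[g]))
        return via[best], f"group permit via {best}"
    return profile.uacc, "UACC"


def explain_search_hit(user, profile):
    """Explain why a profile would show up in SEARCH USER(...) output and what
    the user can actually do with it (the part SEARCH alone does not tell you)."""
    access, reason = effective_access(user, profile)
    return {
        "profile": profile.name,
        "access": access,
        "reason": reason,
        # owner directly or through a connected group (group-special style)
        "is_owner": profile.owner == user.userid or profile.owner in user.groups,
        "permitted": reason != "UACC",
    }


def audit(user, profiles):
    """Classify every profile a SEARCH USER(...) CLASS(...) would have listed."""
    return [explain_search_hit(user, p) for p in profiles.values()]


# Constructed sample data: hypothetical user, groups and profiles.
DLOW = User("DLOW", ["SYSPROG", "AUDIT"])
PROFILES = {
    # permitted only through a group; SYSPROG outranks AUDIT
    "SYS1.PARMLIB": Profile("SYS1.PARMLIB", owner="SYS1",
                            acl={"SYSPROG": "UPDATE", "AUDIT": "READ"}),
    # owned by the user but with no permit at all: SEARCH still lists it
    "HR.PAYROLL": Profile("HR.PAYROLL", owner="DLOW"),
    # direct READ entry overrides the group's ALTER entry
    "PROD.APP": Profile("PROD.APP", owner="PRODGRP",
                        acl={"DLOW": "READ", "SYSPROG": "ALTER"}),
}

if __name__ == "__main__":
    for hit in audit(DLOW, PROFILES):
        print(hit)
```

The HR.PAYROLL case is the one the reply above warns about: the profile appears in the SEARCH list purely because of ownership, and only the access list (LD/RL) shows that the effective access is NONE.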
Original Message:
Sent: Wed January 03, 2024 07:48 AM
From: David Low
Subject: Report scope/permit function
IBM confirmed it's not possible to get the information we want from the LDAP as there is no attribute present. However I did find that I could also get the information via a RACF SEARCH like so:
SEARCH USER(...) CLASS(...)
This command retrieves all the direct and indirect permits the user has for the specified class. The LDAP documentation shows that the LDAP will perform some RACF SEARCH commands depending on the query, so the IBM tech suggested I make an RFE. We will find a workaround solution since we have a deadline for migration completion. But I may go forward with the RFE just to understand what that process is like.
------------------------------
David Low
Original Message:
Sent: Wed January 03, 2024 01:00 AM
From: Rob van Hoboken
Subject: Report scope/permit function
Hi David
z/OS LDAP Server and Tivoli Directory Server with SDBM are designed to represent the information in RACF profiles as quickly as possible, so information for a query is retrieved from a single profile. Think of it as a way to issue LISTUSER (etc) with the limitations of the LISTUSER TSO command.
Report permit and report scope were designed to use information from as many profiles as it takes, which would take extraordinary amounts of processing and time when performed in TDS.
------------------------------
Rob van Hoboken
Original Message:
Sent: Wed December 27, 2023 11:18 AM
From: David Low
Subject: Report scope/permit function
We are migrating to RACF and zSecure and I'm also setting up a Tivoli LDAP with RACF SDBM. I'm curious about the zSecure "Report scope/permit" function in RA.3.5, which is great, I'm able to obtain all the permits via connected groups for a user. Does RACF or LDAP have an equivalent capability or is this a zSecure exclusive ability? I can't seem to find the same capability using RACF nor LDAP query. Would it require some extra programming work to perform the same function via Tivoli LDAP? The reason I ask is we can obtain this information with our current security setup and LDAP.
------------------------------
David Low
------------------------------