IBM Security Z Security

Security for Z

  • 1.  User-ID's getting access through ID(*) ACL entry

    Posted Wed January 15, 2020 09:34 AM
    Hello,

    I'm leading a project to solve security findings within clients' z/OS systems. In this context we have to solve an ITSS requirement of removing all ID(*) entries from access control lists of profiles.  Before we can do this we'd like to know which user IDs got access to these profiles through the ID(*) definition, but so far we haven't found an approach to get this report.

    Is there a chance to get that data with CARLa from access monitor data, or does SMF provide this information?

    ------------------------------
    best regards
    Karsten Jacob
    ------------------------------


  • 2.  RE: User-ID's getting access through ID(*) ACL entry

    Posted Wed January 15, 2020 01:52 PM
    In AM.1 select " / Simulated fields selection " and on the next panel select " / ID_STAR " ... that uses the RACF database in your set of files to simulate what access would be used for each access monitor record, and select only the records that would use the id(*) permission.

    ------------------------------
    Hans Schoone
    IBM
    Delft
    ------------------------------



  • 3.  RE: User-ID's getting access through ID(*) ACL entry

    Posted Wed January 15, 2020 01:52 PM
    In AM.1, select "Simulated fields selection" and then select "ID_STAR".  This shows what id(*) permits in the RACF database selected in SE.1 would be used for the access monitor records.

    ------------------------------
    Hans Schoone
    IBM
    Delft
    ------------------------------



  • 4.  RE: User-ID's getting access through ID(*) ACL entry

    Posted Wed January 15, 2020 02:27 PM
    Edited by Rob van Hoboken Wed January 15, 2020 02:38 PM
    Besides the ID_STAR selection, you might also look at the GLOBAL, UACC and WARNING checkboxes.  Together, these help you find unspecific access paths.
    You will also want to play with the Output/run options, in particular the "Summary by member class and profile" will draw your attention to the profiles, whereas the default "Summary by user id" identifies the ... well... users first.
    At the end of the detail display (keep hitting S in front of the summary lines) you will see how zSecure determined the access path by comparing access list entries of the profile with connect group entries of the user that accessed the resource:

    Current RACF database effect
    RACF return code current DB 0
    Authority used in current DB ID_STAR
    Grp permit used in current DB
    RACF Profile type current DB GENERIC
    RACF class and profile in DB DATASET CATALOG.DEV
    Installation data
    Creation/definition date 13 Jun 2018

    You might also be interested in options AM.9.4 + 5.  These generate a group (if you want), CONNECT and PERMIT commands  to grant access to the users that currently gain access through UACC and ID(*).  You want to use selection on CLASS, RESOURCE mask and INTENT to use different group names.
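    The access-path resolution Rob describes (compare the profile's access list with the user's connect groups, then fall through to ID(*) and UACC) can be modelled in a few lines. The Python below is an added example, not code from this thread and not zSecure's own logic: it simulates the documented RACF check order for a standard access list (explicit user entry, then the highest access among the user's connect groups as with list-of-groups checking, then ID(*), then UACC), runs constructed access monitor records against constructed profiles, reports which users were satisfied only by the ID(*) entry, and emits the kind of explicit PERMIT commands AM.9.4/5 generate so the ID(*) entry can be removed afterwards. The profile, user and group names are made up; global access table, WARNING mode and attributes such as OPERATIONS are deliberately left out of the model.

```python
"""Simplified model of RACF access-path resolution.

Added example, not zSecure code. Profiles, connect groups and access monitor
records below are constructed sample data. Modelled check order for a standard
access list: user entry, then connect groups (highest access wins), then the
ID(*) entry, then UACC. Global access table, WARNING mode and OPERATIONS are
not modelled.
"""
from dataclasses import dataclass

# RACF access levels in increasing order of authority
LEVELS = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class Profile:
    klass: str
    name: str
    uacc: str
    acl: dict          # access-list entry (user, group or "*") -> access level
    generic: bool = False


@dataclass
class AccessRecord:    # one constructed access monitor record
    user: str
    klass: str
    resource: str
    intent: str


def resolve_access(profile, user, groups):
    """Return (authority_used, access_level, group_permit_used) for a user."""
    if user in profile.acl:                       # explicit user entry wins
        return ("USER", profile.acl[user], None)
    hits = [(LEVELS[profile.acl[g]], g) for g in groups if g in profile.acl]
    if hits:                                      # highest connect-group access
        _, grp = max(hits)
        return ("GROUP", profile.acl[grp], grp)
    if "*" in profile.acl:                        # ID(*) entry
        return ("ID_STAR", profile.acl["*"], None)
    return ("UACC", profile.uacc, None)           # finally the UACC


def id_star_dependents(records, profiles, connects):
    """Map (class, profile) -> users whose recorded access succeeded only via ID(*)."""
    out = {}
    for rec in records:
        prof = profiles[(rec.klass, rec.resource)]
        auth, level, _ = resolve_access(prof, rec.user, connects.get(rec.user, ()))
        if auth == "ID_STAR" and LEVELS[level] >= LEVELS[rec.intent]:
            out.setdefault((rec.klass, rec.resource), set()).add(rec.user)
    return out


def permit_commands(dependents, profiles):
    """PERMIT commands granting the ID(*) level explicitly to each dependent user."""
    cmds = []
    for (klass, res), users in sorted(dependents.items()):
        prof = profiles[(klass, res)]
        level = prof.acl["*"]
        for user in sorted(users):
            if klass == "DATASET":
                target = f"'{res}'" + (" GENERIC" if prof.generic else "")
            else:
                target = f"{res} CLASS({klass})"
            cmds.append(f"PERMIT {target} ID({user}) ACCESS({level})")
    return cmds


# ---- constructed sample data (profile names from the thread's display, rest made up) ----
PROFILES = {
    ("DATASET", "CATALOG.DEV"): Profile("DATASET", "CATALOG.DEV", "NONE",
                                        {"*": "READ", "DEVGRP": "UPDATE"}, generic=True),
    ("FACILITY", "APP.CONFIG"): Profile("FACILITY", "APP.CONFIG", "READ",
                                        {"OPS": "UPDATE"}),
}
CONNECTS = {"ALICE": ("DEVGRP",), "BOB": ("OPS",), "CAROL": ()}
RECORDS = [
    AccessRecord("ALICE", "DATASET", "CATALOG.DEV", "READ"),     # via group DEVGRP
    AccessRecord("BOB", "DATASET", "CATALOG.DEV", "READ"),       # via ID(*)
    AccessRecord("CAROL", "DATASET", "CATALOG.DEV", "UPDATE"),   # ID(*) only gives READ
    AccessRecord("CAROL", "FACILITY", "APP.CONFIG", "READ"),     # via UACC
    AccessRecord("BOB", "FACILITY", "APP.CONFIG", "UPDATE"),     # via group OPS
]

if __name__ == "__main__":
    deps = id_star_dependents(RECORDS, PROFILES, CONNECTS)
    for key, users in deps.items():
        print(key, sorted(users))
    print("\n".join(permit_commands(deps, PROFILES)))
```

Run against real data, the selection of records, connect groups and profiles would come from the access monitor files and the RACF unload selected in SE.1; the point of the model is the ordering, which is why CAROL's UPDATE attempt on CATALOG.DEV is not listed as an ID(*) dependency (ID(*) only grants READ there) while BOB's READ is.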