IBM Security Z Security

  • 1.  zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Fri May 01, 2020 04:54 PM
    Greetings, I have a feeling there's a simple way to do this, but cannot figure out how (locate the field, if one exists).

    Is there a way using CARLa like below to determine if the "access_via_when" field is a RACF UserID or Group?

    ALLOC TYPE=RACF BACKUP ACTIVE
    N REQUIRED N=SCOPE0L TYPE=REPORT_SCOPE
      DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)
      sortlist id(page,toptitle) id:name(page,toptitle),
        complex(page,toptitle) stamp(toptitle),
        class key(nondispl),
        proftype key("Profile name") volser  access_via_when
    REPORT SCOPE=TESTID





    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Mon May 04, 2020 10:28 AM
    I will add that the best working way I've come up with so far is two defines and displaying the columns:

    DEFINE   VIA_UserID('VIA_UserID',10) boolean where  via==id
    DEFINE   VIA_Group('VIA_Group',10)   boolean where  via<<>>id

    What I'd prefer is one column with "UserID" or "Group" accordingly, but I have not yet got something to work.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 3.  RE: zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Wed May 06, 2020 04:34 AM
    Hi Adam,

    You could do something like this:

    ALLOC TYPE=RACF BACKUP ACTIVE
    N REQUIRED N=SCOPE0L TYPE=REPORT_SCOPE
    DEF VIA_UserID('Usr/gr' 0 str$blank('UserID')) true where via==id
    DEF VIA_Group('' 0 str$blank('Group ')) true where via<<>>id
    DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)
    sortlist id(page,toptitle) id:name(page,toptitle),
    complex(page,toptitle) stamp(toptitle),
    class key(nondispl),
    proftype key("Profile name") volser via_userid |,
    via_group access_via_when
    REPORT SCOPE=TESTUSR scope=TESTGRP

    HTH,

    --Jeroen

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 4.  RE: zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Wed May 06, 2020 08:58 AM
    Thanks for the suggestion, I do like the idea of effectively merging these fields together in this instance.

    I'll likely open an RFE for having a related "Type" field available in relation to ID, as this would be useful.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 5.  RE: zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Wed May 06, 2020 09:43 AM
    Edited by Rob van Hoboken Wed May 06, 2020 09:46 AM

    Oh, you mean using a lookup from the VIA field, listing the ENTITY TYPE of the ID:

    N REQUIRED N=SCOPE0L TYPE=REPORT_SCOPE
      DEFINE via_class('User/grp',8) as via:id.id.class
      DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)
      sortlist id(page,toptitle) id:name(page,toptitle),
        complex(page,toptitle) stamp(toptitle),
        class key(nondispl),
        proftype key("Profile name") volser,
        access_via_when via_class



  • 6.  RE: zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Mon May 11, 2020 09:51 AM
    Many thanks, Adam.
    Rachid
    Best regards,

    Rachid Bachir KEBBI
    IT-Administration - Authorization








  • 7.  RE: zSecure CARLa R_SCOPE Newlist: Determine if "ID" is UserID or Group

    Posted Wed May 06, 2020 04:29 AM
    User IDs have a default group (except for those pesky certificate anchors), and groups don't.  We can use this distinction to identify User IDs:
    DEFINE A_UserID(str$blank('Its a User ID'),13) boolean where exists(via:dfltgrp)

    ------------------------------
    Rob van Hoboken
    ------------------------------