IBM Security Z Security

  • 1.  Access Monitor Permit Usage - Display User ID

    Posted Thu December 09, 2021 02:43 PM
    I have some User IDs that are connected to a group. That group is permitted to some datasets and db2 profiles. I want to remove the userids from that group, but I see via AM.4 that the userids are using the connection to the group. So I tried AM.3 to see what permissions are being used by the group.

    Is there a way to see what User IDs used the group to access those permissions? With RACF_ACCESS, there is no USERID field, and the field ID refers to what was being permitted, which in my case is the group.

    Or is there some other option in Access Monitor to display what permission the User ID accessed via a connected group?

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Access Monitor Permit Usage - Display User ID

    Posted Fri December 10, 2021 03:26 AM
    Hi Linnea,

    With option AM.1 - Access summary by user of profile, you can investigate the resources that (a) certain user IDs have (has) accessed.
    In the output and run options of the AM.1 panel, you can select option 4 - Summary by simulated groups used for access.

    That selection generates an overview of which resources your specified user ID(s) has (have) accessed via their connect groups. For example:
                     IBM Security zSecure ACCESS summary    0 s elapsed, 0.0 s CPU
    Command ===>                                                   Scroll===> CSR 
    Access monitor records for Userids like CRMBTZ1 10 Dec 2021 09:20             
       ViaGrps  Occurrence First occurrenc Last occurrence                        
    __ CRMB           3367  8Dec2021 07:52  8Dec2021 17:09                        
    __ CRMBZDEV          1  8Dec2021 07:52  8Dec2021 07:52                        
    __ SYSPROG        3391  8Dec2021 07:52  8Dec2021 17:09                        
    __ VESGRP         3366  8Dec2021 07:52  8Dec2021 17:09

    You can zoom into the reported groups, to review which resources in which classes this user ID has accessed via this group connection.
    Would that be helpful for your investigation?



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 3.  RE: Access Monitor Permit Usage - Display User ID

    IBM Champion
    Posted Fri December 10, 2021 06:20 AM
    Hey Linnea.
    You should also remember that RACF does not show preference for one group over another, when both permit the requested access. As a consequence, Access Monitor reports may show one OR MORE groups that COULD have given access to the profile. This will be visible when SIMULATED FIELDS are requested, in the DETAILS of the Access Monitor information, at the end of the details panel.
    When you are cleaning up the RACF database, and replacing the functionality of a group with another group, the users may be connected to both, until you finally remove (or delete) the old group. When zSecure notices that the user is connected to both groups, and the dataset profile has an adequate permit for both groups, the VIA GROUPS field shows both group names.
    AM.1 has a "Simulated fields selection" option to show ONLY access events where the group specified is alone in providing access (the group is ESSENTIAL), that points at resource access that still uses (only) the old group. Specify the old group name on the "Group(s) used for access" field and / the "Essential group(s)" checkbox. This finds where a connect/permit for the old group has not (yet) been copied to a replacement group.

    ------------------------------
    Rob van Hoboken
    ------------------------------
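
The "essential group" selection described in the replies above, modelled in Python as an added example that is not part of the original thread and is not zSecure code or output. The event tuples, the group names OLDGRP and NEWGRP, the user IDs USERB and USERC, and the resource names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real Access Monitor output): each one is
# (user ID, resource class, resource, groups that could have granted access).
EVENTS = [
    ("CRMBTZ1", "DATASET", "PROD.PAYROLL.DATA", {"OLDGRP"}),
    ("CRMBTZ1", "DATASET", "PROD.HR.REPORTS", {"OLDGRP", "NEWGRP"}),
    ("CRMBTZ1", "DSNR", "DB2P.BATCH", {"NEWGRP"}),
    ("USERB", "DATASET", "PROD.HR.REPORTS", {"OLDGRP", "NEWGRP"}),
    ("USERC", "DATASET", "PROD.PAYROLL.DATA", {"OLDGRP"}),
    ("USERC", "DSNR", "DB2P.BATCH", {"OLDGRP"}),
]


def essential_usage(events, group):
    """Map user -> sorted (class, resource) pairs where `group` alone gave access."""
    found = defaultdict(set)
    for user, rclass, resource, via_groups in events:
        # "Essential" means no other connect group could have granted this access.
        if via_groups == {group}:
            found[user].add((rclass, resource))
    return {user: sorted(pairs) for user, pairs in found.items()}


def removable_users(events, group):
    """Users who used `group` but always had another group granting the same access."""
    used = {user for user, _, _, via in events if group in via}
    return sorted(used - set(essential_usage(events, group)))


if __name__ == "__main__":
    for user, pairs in sorted(essential_usage(EVENTS, "OLDGRP").items()):
        for rclass, resource in pairs:
            print(f"{user}: OLDGRP is essential for {rclass} {resource}")
    print("Connect can be removed for:", removable_users(EVENTS, "OLDGRP"))
```

The result only covers accesses recorded during the monitoring period, so a user listed as removable may still depend on the old group for access that did not occur in that window.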