IBM Security Z Security


Copy definitions from one RACF DB to another

  • 1.  Copy definitions from one RACF DB to another

    Posted Thu March 24, 2022 09:16 AM
    Hi all,

    Let me explain the situation we have here: We need to copy several RACF resources (IDs, groups, group connects and dataset profiles) from system A to system B. The easiest way to do that would be to simply clone the whole RACF database of system A and make it active on system B, but we cannot do that because many RACF definitions already in place on system B would be lost.

    I was wondering if it is possible to use zSecure/CARLa to copy the specific RACF resources from one system to another.

    That's what I was going to do: Make a copy of system B RACF database using IRRUT200, send it over to system A.
    Now, with System A and system B RACF databases in one system, I could use zSecure/CARLa to copy some definitions from one DB to the other.

    I was taking a look at the zSecure options, and I saw this: "RA.4 Mass update  Specify mass copy/recreate/delete actions". I saw some options to copy users, groups and datasets, which is exactly what we need. However, I couldn't find a way to generate the commands based on the RACF database of system A, and somehow redirect the commands to be executed against the RACF database copy of system B.

    I hope I was able to make myself clear and understandable. If this is something doable, I would appreciate any help.

    Thanks in advance,
    Danilo Farias


    ------------------------------
    Danilo Farias
    ------------------------------


  • 2.  RE: Copy definitions from one RACF DB to another

    IBM Champion
    Posted Fri March 25, 2022 04:13 AM
    Edited by Rob van Hoboken Fri March 25, 2022 04:14 AM
    Hi Danilo
    There could be conflicts between database A and B, for example, an ID existing in both databases could be a group in one and a user ID in the other. Or permissions for the same ID on a resource could be different between the two databases. zSecure contains the MERGE facility to take (part of) a RACF database and merge it into another. This is described in Chapter 9 of the zSecure User Reference Manual, using batch JCL. Some sample JCL can be used to identify the differences in the selected profiles BEFORE making the merge. There is one thing to take care of: the databases should have no internal inconsistencies. You should run VERIFY on both databases and resolve the errors before copying your database (as described in Chapter 9).

    Alternatively, you could use RECREATE, simply by selecting the copy of the RACF database A, using type "RACF.COPY" in option SE.1.  Then execute the commands using "Live RACF" or "Active RACF" as the destination.  The commands will simply run on your active (system B).

    You should also look at RACF Offline (part of zSecure Admin) that can be used to test the commands issued.  The command will be executed on a copy of the (system B?) database that you created for these tests, and you can run zSecure reports on this copy, even use Access Monitor to simulate if all ACCESS events from System A or System B will still be accepted after the commands were/will be run.

    ------------------------------
    Rob van Hoboken
    ------------------------------
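
The two conflict classes named in the reply above (an ID that is a user in one database and a group in the other, and differing access for the same ID on the same profile) can be illustrated with a small pre-merge check. This is an added example, not part of the thread and not zSecure functionality; the flat listing format, the function names and all sample definitions are constructed for illustration.

```python
# Constructed sample inventories, one definition per line. The line format
# (KIND followed by fields) is hypothetical and is not the output of any
# RACF or zSecure utility.
DB_A = """\
USER   JSMITH
USER   BATCH1
GROUP  PAYROLL
PERMIT PAY.PROD.** PAYROLL UPDATE
PERMIT PAY.PROD.** BATCH1 READ
"""
DB_B = """\
USER   JSMITH
GROUP  BATCH1
GROUP  PAYROLL
PERMIT PAY.PROD.** PAYROLL READ
"""

def parse(listing):
    """Return ({id: 'USER'|'GROUP'}, {(profile, id): access})."""
    ids, permits = {}, {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ("USER", "GROUP"):
            ids[fields[1]] = fields[0]
        elif fields[0] == "PERMIT":
            profile, auth_id, access = fields[1:4]
            permits[(profile, auth_id)] = access
    return ids, permits

def find_conflicts(source, target):
    """List source definitions that clash with what target already holds."""
    src_ids, src_permits = parse(source)
    tgt_ids, tgt_permits = parse(target)
    conflicts = []
    # Same name, different kind: a user in one database, a group in the other.
    for name, kind in sorted(src_ids.items()):
        if name in tgt_ids and tgt_ids[name] != kind:
            conflicts.append(("ID_TYPE", name, kind, tgt_ids[name]))
    # Same profile and ID, different access level.
    for key, access in sorted(src_permits.items()):
        if key in tgt_permits and tgt_permits[key] != access:
            conflicts.append(("ACCESS", "%s/%s" % key, access, tgt_permits[key]))
    return conflicts

if __name__ == "__main__":
    for conflict in find_conflicts(DB_A, DB_B):
        print(*conflict)
```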