IBM Security Z Security

Security for Z

  • 1.  Associate RACF-DS Profile Owner to an input list

    Posted Fri January 20, 2023 04:18 AM
    Hello

    I have to associate the owner of a RACF-Profile to a given Dataset list from an Input file. The current approach is to create a two-pass Carla that first creates a Carla script doing the resolution of the associated profile in RACF.

    Assuming I have a member containing a random list of dataset names like this:
    SYS4.VTS.USS.SHARED.MSHARED.D201112.T234512
    AABBC.FVD.ZO9A15.VTS.FILEU.G0110V00 
    AABBC.FVD.ML1901.VTS.FILEU.G1980V00 
    IBM.SAVE.ZFS1.ZM24G1.D220205.VTS.FILEV 
    AABBC.FVD.SY9002.VTS.FILEU.G3084V00
    AABBC.FVD.AJKB15.VTS.FILEU.G0110V00 
    AABBC.Y05.UCAT.GROUP.VTS.FILEV.G3043V00 
    IBM.SAVE.SMPE.Z24.D220205.VTS.FILEV 
    IBM.SAVE.AJK4D1.D220205.VTS.FILEV 
    IBM.SAVE.SMPE.Z24.D220205.VTS.FILEV 
    IBM.SAVE.ZFS1.ZP24G1.D220205.VTS.FILEV 
    IBM.SAVE.SMPE.Z24.D220205.VTS.FILEV

    I then plan to run the following Carla:
    ALLOC TYPE=RACF PRIMARY ACTIVE 
    
    DEFTYPE TYPE=#TAPELST 
    ALLOC   TYPE=#TAPELST DD=TAPEDSN 
    DEF     TYPE=#TAPELST #TAPE AS WORD(RECORD,1) 
    
    newlist retain required nodup nopage DD=SYSPRINT 
    sortlist , 
    " NEWLIST RETAIN REQUIRED NODUP NOPAGE " / , 
    " s s=base c=dataset bestmatch=" #TAPE / , 
    " sortlist profile(0) owner " #TAPE


    I would then expect a list like:
    AABC.FVD.** OWNR1 AABBC.FVD.ZO9A15.VTS.FILEU.G0110V00

    After executing the second script that has been created for each of the datasets in the input file.

    Would that be a feasible approach to tackle this, or do you have a better (performing) suggestion?

    regards
    marco

    ------------------------------
    Marco Egli
    ------------------------------


  • 2.  RE: Associate RACF-DS Profile Owner to an input list

    Posted Fri January 20, 2023 05:13 AM
    Hi Marco,

    yes, in principle, your proposed solution should work. I only think it lacks a type=#TAPELST specification in the newlist statement.
    Your message does not describe how you got the member containing the random list of data set names. 
    CARLa supports newlist type DSN (for data set names). When the data sets concerned are part of a CKFREEZE data set, and you can get the same list of data set names by using selection filters on a SELECT statement for newlist DSN, there might be a more straightforward solution.

    n type=dsn title='Data sets with their protecting profile and owner'                       
     select dsn=(ibm.save.**,aabbc.fvd.**, ..) <-- use filter(s) to select the data sets of your interest           
     sortlist racf_profile :owner dsn


    This would generate a similar report.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 3.  RE: Associate RACF-DS Profile Owner to an input list

    Posted Fri January 20, 2023 05:32 AM
    Hi Tom
    Thank you very much for the swift response and smarter solution using the freeze file as input.
    I just tried the code you suggested and that seems to work as expected; I will continue from there to further tune the report. I assume that with that DSN type I can access all datasets, regardless of whether they are stored on DASD, TAPE or HSM?
    regards
    marco

    ------------------------------
    Marco Egli
    ------------------------------



  • 4.  RE: Associate RACF-DS Profile Owner to an input list

    Posted Fri January 20, 2023 06:18 AM
    Hi Marco,

    yes, I believe that this is the case.

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 5.  RE: Associate RACF-DS Profile Owner to an input list

    Posted Mon January 23, 2023 03:41 AM
    I believe you could use the external file as a lookup, so you would not have to write extensive SELECT commands.

    DEFTYPE TYPE=#TAPELST 
    ALLOC   TYPE=#TAPELST DD=TAPEDSN 
    DEF     TYPE=#TAPELST #TAPE AS WORD(RECORD,1)
    DEF     TYPE=#TAPELST #FOUND TRUE WHERE WORD(RECORD,1)<>' '

    n type=dsn title='Data sets with their protecting profile and owner'                       
     select dsn:#TAPELST.#TAPE.#FOUND>' '
     sortlist racf_profile :owner dsn


    ------------------------------
    Rob van Hoboken
    ------------------------------
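
Added example, not part of any post in this thread and not zSecure or RACF code: a Python sketch of the mapping the reports above produce (data set name to covering generic profile and its owner), usable to spot-check a few rows offline. The profile names and owners are constructed, `%`, `*` and `**` are interpreted as with EGN active, and the ranking in `specificity()` is a simplifying assumption rather than RACF's actual ordering.

```python
import re

# Constructed sample: profile -> owner. Not taken from a real RACF database.
PROFILES = {
    "AABBC.**": "OWNR0",
    "AABBC.FVD.**": "OWNR1",
    "AABBC.FVD.ZO*.**": "OWNR2",
    "IBM.SAVE.**": "OWNR3",
}

def profile_regex(profile):
    """Compile a generic profile name (%, *, ** as with EGN active) to a regex."""
    out = []
    for i, qual in enumerate(profile.upper().split(".")):
        if qual == "**":
            if i == 0:
                raise ValueError("sketch assumes a literal first qualifier")
            out.append(r"(?:\.[^.]+)*")      # zero or more whole qualifiers
            continue
        if qual == "*":
            body = "[^.]+"                   # exactly one qualifier
        else:
            body = "".join("[^.]" if c == "%" else "[^.]*" if c == "*"
                           else re.escape(c) for c in qual)
        out.append((r"\." if i else "") + body)
    return re.compile("".join(out))

def specificity(profile):
    """Assumed ranking: longer literal text before the first generic wins."""
    literal_prefix = re.split(r"[%*]", profile, maxsplit=1)[0]
    return (len(literal_prefix), len(profile.replace("*", "").replace("%", "")))

def best_match(dsn, profiles=PROFILES):
    """Return (profile, owner) for the most specific covering profile, or None."""
    hits = [p for p in profiles if profile_regex(p).fullmatch(dsn.upper())]
    if not hits:
        return None
    best = max(hits, key=specificity)
    return best, profiles[best]

def report(dsns, profiles=PROFILES):
    """One row per distinct data set name: (profile, owner, dsn)."""
    rows = []
    for dsn in dict.fromkeys(d.strip() for d in dsns if d.strip()):
        hit = best_match(dsn, profiles) or ("(no profile)", "-")
        rows.append((*hit, dsn))
    return rows
```

Duplicate names in the input list, such as the repeated IBM.SAVE.SMPE entry in the first post, collapse to one row, and a name that no profile covers is reported explicitly instead of being dropped.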