IBM Security Z Security

  • 1.  CARLa getting group information from class=facility requires two passes?

    Posted Wed May 08, 2024 11:35 AM

    Hello, I'd like to find the most efficient way to get group information from a class=facility profile, hoping someone will school me on this. In my example below I'm listing out groups in a particular class=facility profile:


    newlist nopage                                      
    select s=base class=facility mask=IRR.PASSWORD.RESET
    sortlist acl(aclid)                                 

    This will only get me the group ids but I'd like to get a list of all the users from the listed groups. I don't think I can get that information in one pass. So my thinking is I'll need to generate CARLa select statements like below and run them in the next pass:

    newlist nopage                                  
    select class=group segment=base mask=group_1
    select class=group segment=base mask=group_2  

    select class=group segment=base mask=group_nn
    define grpusr(8) subselect connects(user=*)     
    sortlist grpusr(sort) grpusr:name grpusr:dfltgrp

    Is there a better way to accomplish this?



    ------------------------------
    David Low
    ------------------------------


  • 2.  RE: CARLa getting group information from class=facility requires two passes?

    Posted Wed May 08, 2024 11:38 AM

    I suggest you look at the ACL formats like ACL(RESOLVE) or ACL(RESOLVE,UNIVERSAL) and ACL(EFFECTIVE).

    See https://www.ibm.com/docs/en/szs/3.1.0?topic=introduction-access-list-display-modes-reference-material



    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM - zSecure architect
    Delft
    ------------------------------



  • 3.  RE: CARLa getting group information from class=facility requires two passes?

    Posted Wed May 08, 2024 01:57 PM

    This got me what I needed, thanks!

    newlist nopage                                      
    select s=base class=facility mask=IRR.PASSWORD.RESET
    define rscusr(8,resolve,sort) subselect acl(user=*) 
    sortlist rscusr rscusr:name rscusr:dfltgrp          



    ------------------------------
    David Low
    ------------------------------



  • 4.  RE: CARLa getting group information from class=facility requires two passes?

    Posted Mon May 13, 2024 02:25 AM
    Edited by Tom Zeehandelaar Mon May 13, 2024 02:25 AM

    Hi David, 

    I am not really sure why you use a DEFINE statement for this report. Also, you code MASK= whereas your filter does not contain a mask, so coding KEY= would make more sense. For what it is worth, the following code should produce the same results:

    newlist nopage                                     
    select s=base class=facility key=IRR.PASSWORD.RESET
    sortlist acl(8,resolve,sort) acl:name acl:dfltgrp  

    Hope you find this helpful



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 5.  RE: CARLa getting group information from class=facility requires two passes?

    Posted Mon May 13, 2024 09:31 AM

    That is helpful, thanks.



    ------------------------------
    David Low
    ------------------------------