IBM Security Z Security


CARLa: getting mask from another dataset file

  • 1.  CARLa: getting mask from another dataset file

    Posted Tue January 24, 2023 10:03 AM
    Hello folks. I'm trying to write a code to check the list of dataset profiles from external dataset (approx. 200 profiles, which are dynamic). I have to use mask, because I have a list of dataset profiles in format ABCD.**
    type= racf
    class=dataset
    segment=base

    Defined variables and it works good with profile, unfortunately, I need to use mask. Any specific parameters need to be added?

    ------------------------------
    Viktorija Kulbačiauskienė
    ------------------------------


  • 2.  RE: CARLa: getting mask from another dataset file

    Posted Tue January 24, 2023 10:16 AM

    Hi Viktorija,

    I am afraid I do not really understand your question.

    For starters, I do not understand from what you write why you need to use MASK in the first place.

    Can you explain with a bit more detail what you are trying to check?

    Regards,



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: CARLa: getting mask from another dataset file

    Posted Tue January 24, 2023 10:40 AM
    Hello Jeroen. Thanks for quick reply. I require to use mask instead of profile in dataset class because I'm checking access (type=racf and type=racf_access) of dataset profiles listed in another file. The reason why I have to use mask is because in company's racf database we have number of dataset profiles, like:
    ABCD.*.**
    ABCD.EFGHIJKL.**
    ABCD.MNOPQRS.**
    and etc.

    In another dataset, I have a list of dataset profiles with only first qualifier, like ABCD.**

    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------



  • 4.  RE: CARLa: getting mask from another dataset file

    Posted Tue January 24, 2023 10:55 AM
    Hi Viktorija,

    Okay, that makes sense. :-)

    MASK really influences the SELECTion of the profiles, which I believe is what you want.

    So unless you have references to PROFILE/KEY or MASK in a WHERE clause on the DEFINEd variables, I do not think there should be additional considerations.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 5.  RE: CARLa: getting mask from another dataset file

    IBM Champion
    Posted Wed January 25, 2023 07:04 AM

    Illustrating Jeroen's answer with an example:

    newlist type=racf
      select class=dataset segment=base mask=ABCD.**
      sortlist profile owner

    This selects all dataset profiles starting with ABCD.  The MASK selection accepts a pattern and applies it to the profile key.  You can even use generic characters in the first qualifier, where RACF requires non-generic HLQ, so SELECT ... MASK=AB*.** finds all profiles starting with AB.

    Now, if you have a list of masks, the SELECT command leaves you dangling: MASK does not accept a list.  You could define a new field with the same function as MASK, and now SELECT accepts a list:

    newlist type=racf
      define masklist as mask
      select class=dataset segment=base masklist=(ABCD.**,EFGH.**)
      sortlist profile owner

    If you use PROFILE in the SELECT command, it matches the profile key character for character, exactly matching the generic characters.  This report prints only one specific profile:

    newlist type=racf
      select class=dataset segment=base profile=ABCD.**
      sortlist profile owner



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 6.  RE: CARLa: getting mask from another dataset file

    Posted Wed January 25, 2023 07:45 AM
    Hello Rob. Thanks for looking at my issue. Masklist is what I actually need.
    I have a compliance check with domain defined, like this:

    DOMAIN Thisisjustdomainname,
    SELECT(racf(class=DATASET,s=base,
    masklist:variable1.var.var<>' '))

    And also I have external file, where all definitions are put in this manner:

    deftype type=variable1 nowarn
    alloc type=variable1 dd=C1234567(extrfile)
    define type=variable1 var as substr(record,3,9)

    extrfile - dataset member with list of dataset profiles in format ABCD.**

    I tried a few places to add your suggested definition (define masklist as mask), unfortunately, got these errors:


    CKR0103 12 Field "MASK" to be processed not found in any template
    or
    CKR0103 12 Field "MASKLIST" to be processed not found in any template

    Any suggestions, what else could be missing? Looks like mask not accepted in my carla

    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------



  • 7.  RE: CARLa: getting mask from another dataset file

    IBM Champion
    Posted Wed January 25, 2023 09:06 AM

    define type=racf masklist as mask

    but that won't help you much.  When you do a lookup to an external file, you need a base field that is unique for the profile.  MASK (and its defined alias MASKLIST) is just a filter function that matches the profile value with a literal, and cannot be used as a lookup base.

    Have you considered using QUAL instead of the profile mask?  QUAL is a valid field for dataset profiles, it is equal to the first qualifier.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 8.  RE: CARLa: getting mask from another dataset file

    Posted Wed January 25, 2023 10:15 AM
    Hi Rob,

    MASK is a keyword on the SELECT statement, not a field in TYPE=RACF

    So if you try this:
    define type=racf masklist as mask
    sortlist masklist
    I am afraid you get:
    CKR0103 12 Field "MASK" to be processed not found in any template at CKRCMDV line 2

    Regards,

    --Jeroen

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 9.  RE: CARLa: getting mask from another dataset file

    IBM Champion
    Posted Wed January 25, 2023 10:40 AM
    Edited by Rob van Hoboken Wed January 25, 2023 10:41 AM

    How true, my memory has been degrading for almost 2 years, I should get it refreshed ;-).
    What I meant to write:

    newlist type=racf
    define type=racf masklist as profile
    select masklist=(sys*.**,abcd.**)   
    sortlist profile


    This removes special processing of the select command for the PROFILE field, that I described earlier, allowing the field to be matched with generic patterns, thus making it similar to the MASK and FILTER keywords, but with support for value lists.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 10.  RE: CARLa: getting mask from another dataset file

    Posted Wed January 25, 2023 11:18 AM
    Hi Viktorija,

    I still do not really understand what you are doing.

    It seems to me that applying SUBSTR(RECORD,3,9) to a record with "ABCD.**" would return "CD.**    "?

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 11.  RE: CARLa: getting mask from another dataset file

    Posted Fri January 27, 2023 03:30 AM
    Hello gentlemen. Many thanks for your help! Looks like QUAL is what I exactly needed to capture the first level qualifier

    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------



  • 12.  RE: CARLa: getting mask from another dataset file

    IBM Champion
    Posted Fri January 27, 2023 04:27 AM
    Edited by Rob van Hoboken Fri January 27, 2023 04:27 AM

    If you need a similar field for RACF_ACCESS, you could use

    define type=racf_access qual1 as word(profile,1,'.')

    In newlist type=RACF, QUAL is only defined for DATASET profiles (just like you need), a similar value is available for all entity types through QUAL1.  See the Select/List fields reference.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 13.  RE: CARLa: getting mask from another dataset file

    Posted Fri January 27, 2023 05:13 AM
    On the SELECT statement in TYPE=RACF, the keyword QUAL acts in a special way that you might not expect from a regular field (just like PROFILE/KEY).

    The help panel text is:

    CARLa field : Q and QUAL
    Newlist type : RACF
    Header default : QUAL
    Field prefix header: Effective first qualifier

    The QUAL field on a LIST family command contains the first qualifier for
    data set and general resource profiles, and contains the profile key for
    user and group profiles. Non-RDS connect profiles are not supported. For
    data set profiles, it matches the first qualifier (as changed by ICHCNX00
    and ICHNCV00).

    On a SELECT family command it matches any profile if the class is not
    DATASET, and restricts class DATASET profiles to those with a matching
    first qualifier as modified by ICHCNX00 and ICHNCV00. A field-field
    comparison, however, is not restricted to the DATASET class.

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 14.  RE: CARLa: getting mask from another dataset file

    IBM Champion
    Posted Wed January 25, 2023 07:14 AM
    Edited by Rob van Hoboken Wed January 25, 2023 07:17 AM

    If you have selection criteria in an external data set, you can use a two pass job that reads the data set in step 1, generates a CARLa program, step 2 executes the CARLa program, somewhat like this:

    //STEP1 EXEC C2RC
    //CKR2PASS DD DISP=(,PASS),DSN=&&CARLAPGM
    //CRITERIA DD *
    ABCD.**
    EFGH.**
    //SYSIN DD *
    deftype type=criteria
    alloc type=criteria dd=criteria
    newlist type=criteria nopage dd=ckr2pass
      define #mask(0) as word(record,1)
      sortlist "newlist type=racf",
      / "select class=dataset segment=base mask=" | #mask,
      / "sortlist profile owner"
    //STEP2 EXEC C2RC
    //SYSIN DD DISP=(OLD,PASS),DSN=&&CARLAPGM

    ------------------------------
    Rob van Hoboken
    ------------------------------
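
The generate-then-run approach from post 14, as an added example that is not part of the original thread and not zSecure code: it builds the step 2 CARLa text from the criteria records and rejects any record that is not a single well-formed mask, because those records end up as command text. The allow-list pattern and the names `validate_mask` and `generate_carla` are assumptions made for illustration.

```python
import re

# Assumed allow-list for one criteria record: dot-separated qualifiers of
# 1-8 characters (letters, digits, national characters, hyphen and the
# generic characters % and *), or a bare "**" qualifier. Total length is
# capped at 44, the maximum data set name length.
_QUALIFIER = r"(?:\*\*|[A-Z0-9#@$%*-]{1,8})"
_MASK_RE = re.compile(rf"{_QUALIFIER}(?:\.{_QUALIFIER})*")


def validate_mask(line: str) -> str:
    """Return the normalised mask, or raise ValueError if it is not a plain mask."""
    mask = line.strip().upper()
    if not mask or len(mask) > 44 or not _MASK_RE.fullmatch(mask):
        raise ValueError(f"rejected criteria line: {line!r}")
    return mask


def generate_carla(criteria_lines):
    """Build the pass-2 CARLa text; returns (program_text, rejected_lines)."""
    program, rejected = [], []
    for line in criteria_lines:
        if not line.strip():
            continue  # ignore blank records
        try:
            mask = validate_mask(line)
        except ValueError:
            rejected.append(line)  # keep for review, never emit as CARLa
            continue
        # Same three statements that the post's SORTLIST writes per record.
        program += [
            "newlist type=racf",
            f"  select class=dataset segment=base mask={mask}",
            "  sortlist profile owner",
        ]
    return "\n".join(program), rejected


# Constructed sample input: the two masks from the post plus two bad records.
SAMPLE = [
    "ABCD.**",
    "EFGH.**",
    "ABCD.** ) newlist type=racf",   # extra tokens after the mask
    "TOOLONGQUALIFIER.**",           # qualifier longer than 8 characters
]

if __name__ == "__main__":
    text, bad = generate_carla(SAMPLE)
    print(text)
    print("rejected:", bad)
```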