IBM Security Z Security

  • 1.  CARLa - Repeat group dates/DEFINEs with BOOLEAN

    Posted Tue April 04, 2023 03:18 PM

    Hello,

    Having some difficulty applying a Boolean define to repeat group values.  Want to identify when GROUP CONNECTs are at least 100 days old and when they have been used in the last 100 days. 

    First attempt:

    DEFINE #USED BOOLEAN WHERE LAST_CONNECT_DATE>=TODAY-100
    DEFINE #INSCOPE BOOLEAN WHERE CGCREADT<=TODAY-100
    NEWLIST TYPE=RACF NOPAGE retain
    SELECT SEGMENT=BASE CLASS=USER
    sortlist key(8) connects last_connect_date cgcreadt #used #inscope

    The Boolean values seemed to be applied correctly, but only to the first value in the repeat GROUP (RETAIN caused the first value to be repeated for all repeat group entries).

    Have also tried running the search without the Boolean indicators and then using the results as an input to another step, but have not been able to correctly use DEFINE/CONVERT to pull out date values into a format that is compatible with the Boolean DEFINEs.

    Probably missing something silly, but have hit the wall.  Any suggestions?



    ------------------------------
    Steven Hoover
    ------------------------------


  • 2.  RE: CARLa - Repeat group dates/DEFINEs with BOOLEAN

    Posted Wed April 05, 2023 04:45 AM
    Edited by Sander De Graaf Wed April 05, 2023 04:45 AM

    I managed to get to the following, where I believe #used and #inscope are correct. I use a two-step process, where the second process reads in the output of the first.
    In the first process I generate a data set with the following CARLa:

    n type=racf dd=RPTPRE nopage retain
     select segment=base class=user not(key=(irrcerta,irrmulti,irrsitec))
     sortlist key(8) connects(8),
                         last_connect_date(10,$date) cgcreadt(10,$date)

    This file is then read by a DEFTYPE newlist:

    deftype type=$ljdate

    define type=$ljdate userid(8) as substr(record,1,8)
    define type=$ljdate group(8)  as substr(record,10,8)
    define type=$ljdate ljdate as,
                            convert(substr(record,19,10),datetime)
    define type=$ljdate creadt as,
                            convert(substr(record,30,10),datetime)

    define type=$ljdate #used true where,
                            ljdate>=today-100
    define type=$ljdate #inscope true where,
                            creadt<=today-100
    alloc type=$ljdate dd=RPTPRE

    n type=$ljdate dd=report nopage
     sortlist userid group ljdate(10) creadt(10) #used #inscope


    Probably there is still something to enhance. I hope this helps.

    Please note that using a define "BOOLEAN" is the same as define "TRUE" on SORTLIST.



    ------------------------------
    Sander De Graaf
    ------------------------------
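    The second step above is essentially a fixed-width record parser followed by two date comparisons per connect line. The Python below is an added illustration of that same logic, not code from the thread or from zSecure: it reads records laid out like the first-step SORTLIST (key(8), blank, connects(8), blank, last_connect_date(10), blank, cgcreadt(10)), applies the same 1-based substr offsets, and evaluates #used and #inscope against an assumed TODAY. The sample records, the reference date and the ISO date rendering are constructed assumptions; if $date renders differently on your system, only parse_date needs to change. Note (as the later reply in this thread points out) that last_connect_date is a user-level value, so the "used" flag says the user logged on recently, not that this particular connect was exercised.

```python
from datetime import date, timedelta

# Assumed reference date (stands in for the CARLa TODAY) so the sample
# classification below is reproducible.
TODAY = date(2023, 4, 5)
WINDOW_DAYS = 100

# Constructed sample records mirroring the first-step SORTLIST layout:
# key(8) blank connects(8) blank last_connect_date(10) blank cgcreadt(10).
# ISO yyyy-mm-dd rendering is an assumption; the fourth record has a blank
# last-connect date (user never logged on).
SAMPLE_RECORDS = [
    "USER0001 GRPALPHA 2023-03-30 2021-06-15",
    "USER0001 GRPBETA  2023-03-30 2023-03-01",
    "USER0002 GRPALPHA 2022-11-02 2020-01-10",
    "USER0003 GRPGAMMA " + " " * 10 + " 2019-05-05",
]


def parse_date(text):
    """Counterpart of convert(substr(...),datetime); a blank field means 'never'."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def parse_record(record):
    """Same column offsets as the DEFINE ... substr(record,n,len) statements.
    CARLa substr is 1-based; Python slices are 0-based, hence n-1."""
    return {
        "userid": record[0:8].strip(),        # substr(record,1,8)
        "group": record[9:17].strip(),        # substr(record,10,8)
        "ljdate": parse_date(record[18:28]),  # substr(record,19,10)
        "creadt": parse_date(record[29:39]),  # substr(record,30,10)
    }


def classify(rec, today=TODAY, window=WINDOW_DAYS):
    """Return (#used, #inscope) exactly as the two DEFINE ... TRUE WHERE clauses do.
    ljdate is a user-level date, so 'used' means the user was active recently."""
    cutoff = today - timedelta(days=window)
    used = rec["ljdate"] is not None and rec["ljdate"] >= cutoff
    inscope = rec["creadt"] is not None and rec["creadt"] <= cutoff
    return used, inscope


def review_candidates(records, today=TODAY, window=WINDOW_DAYS):
    """Connects old enough to be in scope whose user has not been active in the
    window: the list a reviewer would cross-check against Access Monitor data."""
    out = []
    for line in records:
        rec = parse_record(line)
        used, inscope = classify(rec, today, window)
        if inscope and not used:
            out.append((rec["userid"], rec["group"]))
    return out


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        used, inscope = classify(rec)
        print(f"{rec['userid']:<8} {rec['group']:<8} used={used!s:<5} inscope={inscope}")
    print("review candidates:", review_candidates(SAMPLE_RECORDS))
```

    With TODAY = 2023-04-05 the cutoff is 2022-12-26: the first record is both used and in scope, the second is too new to be in scope, and the last two are in scope but not used, so they are the only review candidates. Keeping the cutoff in one place (classify) is the point of the two-step approach: the report step never has to know how the dates were rendered.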



  • 3.  RE: CARLa - Repeat group dates/DEFINEs with BOOLEAN

    Posted Thu April 06, 2023 01:26 PM

    The defines on the second step were the source of my problem, I didn't have them set up correctly.  This is exactly what was needed, thanks Sander!



    ------------------------------
    Steven Hoover
    ------------------------------



  • 4.  RE: CARLa - Repeat group dates/DEFINEs with BOOLEAN

    IBM Champion
    Posted Wed April 05, 2023 09:56 AM

    There is another issue at play, LAST_CONNECT_DATE is a field at the base level, similar to the LJDATE field.  You cannot expect this value to be different for each connect group.  Even if you go to the source information of LAST_CONNECT_DATE, that is, list the CGLJDATE, you will see the field is only set for the default group, or the group(s) used as logon group, for each user.
    If you need a report of groups that are actually used, look at zSecure Access Monitor.  This calculates the groups that may have been used in access checking for profiles, and flags the ones that have no apparent need.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: CARLa - Repeat group dates/DEFINEs with BOOLEAN

    Posted Thu April 06, 2023 01:30 PM

    Hi Rob, thanks for the note.  Was planning to verify against Access Monitor data as well, should have included that detail in the original post.  The biggest problem was identifying the scope since we wouldn't want to wipe out anything that had not already been around for x days.  If there's an easier way to do it than generating a report of all CONNECTs that are x days old (using method above) and then matching it against Access Monitor data, would be happy to hear about it.



    ------------------------------
    Steven Hoover
    ------------------------------



  • 6.  RE: CARLa - Repeat group dates/DEFINEs with BOOLEAN

    IBM Champion
    Posted Fri April 07, 2023 06:11 AM

    Steve, the User Reference Manual describes 2 strategies to remove "unused" connections, manual (through AM.4) and automatic (AM.8.3).  This process analyzes each access request, figures out the matching connects and permits that could have granted each request, and tallies the connects and permits that were thus (possibly) involved.  Entries with a 0 count are considered "unused."  This does not identify redundant groups, it also ignores when the connect groups are used for other purposes, such as delegating group special/operations/auditor or linking to a UNIX file (owning) group.  However, it is a much more accurate approach than taking only age (from CGAUTHDA) as indication.



    ------------------------------
    Rob van Hoboken
    ------------------------------