You are very welcome. :-)
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Original Message:
Sent: Thu May 25, 2023 04:31 PM
From: Scott Lahner
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Jeroen and Rob, thank you very much for sharing these reports; I see a use for each of them. This has been very educational for me, thanks for helping. Looking forward to the next challenge and chatting again.
------------------------------
Scott Lahner
Original Message:
Sent: Thu May 25, 2023 02:44 AM
From: Jeroen Tiggelman
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Eh... It appears that it actually does specifically take note that this is an ID position because the second qualifier is SUBMIT and the class is SURROGAT, it just does not check the ID type.
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
Original Message:
Sent: Thu May 25, 2023 02:35 AM
From: Jeroen Tiggelman
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Hi Scott,
In case of an enhancement request, be sure to define exactly what the requirement is. In this particular case we are only looking at *.SUBMIT. You are correct, by the way, that VERIFY PERMIT is not currently paying much special attention to SURROGAT or functional positions in SURROGAT for this, but simply noting a discrete HLQ for which the ID does not exist.
Alternatively, you could use this query to find the HLQs that do exist but are groups as a supplement to finding undefined IDs:
n nopage dd=ckr2pass outlim=1
sortlist `n nopage; s c=group s=base key=(,`
N TYPE=RACF nopage dd=ckr2pass
Define #qual1('Qual1') as word(profile,1,'.')
s class=surrogat s=base (mask=*.submit)
sortlist #qual1(0) | `,`
n nopage dd=ckr2pass outlim=1
sortlist `); sortlist "Located group entry" key(0)`
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
Original Message:
Sent: Thu May 25, 2023 02:13 AM
From: Tom Zeehandelaar
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Hi Scott,
When the group name that is used as high level qualifier of the SURROGAT profile exists (GROUP1 in your example), then AU.V - Permit would not show that SURROGAT profile GROUP1.SUBMIT is wrongly defined, because the ID GROUP1 exists in the RACF database. The current support did not cater for checking that the ID is actually a userid rather than a groupid. But, I guess that you could consider opening an enhancement request for this additional check to be added to the AU.V - Permit option.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Wed May 24, 2023 12:59 PM
From: Scott Lahner
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Jeroen, thank you very much for providing this Carla code. I'm newer to Carla and still learning; this was extremely helpful.
I had a few follow-up questions for you:
What do the left quotes (` `) do? Are they different from double quotes (" ") or standard tick marks (' ')?
Is there any way to only show the Empty entries or not found entries?
And I'm not following why you would need OUTLIM=1?
Tom, thanks for your reply as well. I understand there are methods to finding orphaned permissions, but would AU.V also identify if a SURROGAT profile was incorrectly defined for a RACF group (e.g. GROUP1.SUBMIT)?
------------------------------
Scott Lahner
Original Message:
Sent: Wed May 24, 2023 11:33 AM
From: Jeroen Tiggelman
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Note that this method will only flag discrete first qualifiers that do not match a current user ID.
The first query I suggested will on the other hand flag generic qualifiers even when there is a matching current user ID.
If you would want to not flag generic qualifiers that actually do match a current userid, you'd need to change KEY to MASK. You'd probably also want to add OUTLIM=1 to the generated query to avoid excessive output. And I originally used an occurrence of QUAL1 in my original query, which I changed to the intended #QUAL1 here as well.
N TYPE=RACF nopage dd=ckr2pass
Define #qual1('Qual1') as word(profile,1,'.')
s class=surrogat s=base (mask=*.submit)
list `n nopage outlim=1 empty='Unable to locate user entry`, #qual1(0) | `'; s c=user s=base mask=` |, #qual1(0) | `; sortlist "` | #qual1(0) | ` found"`
:-)
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
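The two checks Jeroen describes in this thread, the second-pass lookup of each *.SUBMIT first qualifier as a user ID (with KEY versus MASK treatment of generic qualifiers) and the supplementary lookup of first qualifiers that exist but are groups, expressed in Python as an added example that is not part of the original posts or of zSecure. The user IDs, group IDs and profiles are constructed sample data, not a RACF database, and the generic-character matching is a simplified model of RACF's % and * within a single qualifier.

```python
import re

# Constructed sample data (not a real RACF database): current user IDs,
# current group IDs, and SURROGAT profiles selected by mask *.SUBMIT.
USERS = {"CRMATST", "SCOTT", "TSOA01", "TSOA02"}
GROUPS = {"GROUP1", "SYS1"}
PROFILES = [
    "CRMATST.SUBMIT",  # first qualifier is a current user ID
    "OLDUSER.SUBMIT",  # first qualifier no longer exists at all
    "GROUP1.SUBMIT",   # first qualifier exists, but as a group
    "TSOA%%.SUBMIT",   # generic qualifier that matches current users
    "XYZ*.SUBMIT",     # generic qualifier that matches no user
]

def qual1(profile):
    """First qualifier, the value CARLa's word(profile,1,'.') yields."""
    return profile.split(".", 1)[0]

def is_generic(qualifier):
    """A qualifier with RACF generic characters never equals an ID."""
    return "*" in qualifier or "%" in qualifier

def qualifier_matches(qualifier, name):
    """Simplified RACF generic matching within one qualifier:
    % matches exactly one character, * matches any run of characters."""
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                    for c in qualifier)
    return re.fullmatch(regex, name) is not None

def classify(profile, users, groups, matching="KEY"):
    """Verdict per profile, worded like the thread's generated queries.
    KEY compares the qualifier literally, so a generic qualifier is flagged
    even when user IDs match it; MASK asks whether any user ID matches it."""
    q = qual1(profile)
    if is_generic(q):
        if matching == "MASK" and any(qualifier_matches(q, u) for u in users):
            return "found"
        return "Unable to locate user entry"
    if q in users:
        return "found"
    if q in groups:
        # Supplementary group query: the ID exists but as a group, so the
        # profile is wrongly defined even though an ID lookup would succeed.
        return "Located group entry"
    return "Unable to locate user entry"

def report(profiles, users, groups, matching="KEY"):
    return {p: classify(p, users, groups, matching) for p in profiles}
```

Run `report(PROFILES, USERS, GROUPS, "KEY")` and then with `"MASK"` to see that only the generic qualifier TSOA%% changes verdict between the two modes.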
Original Message:
Sent: Wed May 24, 2023 11:17 AM
From: Tom Zeehandelaar
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Hi Scott,
Are you aware that the Verify option (AU.V) - Permit, which finds undefined users and groups and their permits, can automatically generate RDELETE SURROGAT commands when the user ID in the high level qualifier of SURROGAT *.SUBMIT profiles no longer exists and you select the delete option named "Dataset and id-specific profiles" on the follow-up panel?
In the SYSPRINT work data set of Verify Permit, you can then find the following message:
CKR0261 04 Key with unknown CRMATST general resource profile SURROGAT CRMATST.SUBMIT
That message explains that userid CRMATST no longer exists in your RACF input source and, therefore, it suggests deleting the SURROGAT profile named CRMATST.SUBMIT by generating that command in the CKRCMD work data set. When your goal is to clean up only the SURROGAT profiles, you can just remove all other commands generated by Verify Permit and then only delete the SURROGAT profiles that you want to clean up.
But why only clean up SURROGAT profiles that refer to userids that no longer exist? You might also want to clean up their orphan permissions, DATASET, JESSPOOL, and other profiles that these undefined users are still referred to in. And that is what Verify Permit does in a more automated fashion.
I hope that you find this answer helpful.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Wed May 24, 2023 09:34 AM
From: Scott Lahner
Subject: Carla Report: Identify Resource Profiles assigned to a (missing or Not Found) userids
Trying to create a Carla report to determine if the 1st node of a *.SUBMIT SURROGAT profile is not defined as a userid to RACF.
I can do this by generating LISTUSER commands and running the commands in RACF, but would like to do the same with Carla.
Results from the RACF LU command would be "UNABLE TO LOCATE USER ENTRY XXXXXX".
Can Carla list the userids from below #qual1 and determine which are not defined as userids to RACF?
N TYPE=RACF NOPAGE DD=CKRCMD
Define #qual1('Qual1') as word(profile,1,'.')
s class=surrogat s=base (mask=*.submit)
SORTLIST "LU" #QUAL1
------------------------------
Scott Lahner
------------------------------