IBM Security Z Security

Hi Gianfranco,

The ACL(ID(id)) clause on SELECT selects on IDs that are directly on the ACL of that profile, as we try to explain here: https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/com.ibm.zsecure.doc_3.1.0/admin_audit/carla_cmnd_lang_select_srch_prof_name.htm

So if the user is directly on the ACL, but the group the user is connected to is not, then selection on the group will not select the profile.

Conversely, if the group appears on the ACL, a select for the user ID will not bring up that profile.

The easy way to get the permits for a particular user ID would seem to be via option RA.3.4 (Permit/scope).

I am not totally sure which of the sub-options of RA.3.4 you are really thinking of here.
But as an example, sub-option 2 generates a CARLa like the following:

SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF SPECIAL AUDIT GRPAUDIT GRPOPER GRPSPEC OWNER PWDCHANGE SELFCON ALTER-M CKGRACMAP CKGRACDCERT CKGOWNER CREATE)N REQUIRED N=SCOPE0D T=:T1 TYPE=REPORT_SCOPE                                      DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)   d key(nondispl) class,                                                            proftype(detail) key(both,"Profile name") volser(detail)  access_via_when(76  / key(0,d,wrap,firstonly,"Full profile name",header),                           / access_via_when(d,header,76)                                                  summary complex id * class count(8,"Profiles") HIGH_ACCESS                    REPORT SCOPE=CRMBJTI                                                            

This first defined a layout and then requests the relevant data for one of more userids, in this case only for CRMBJTI.

You might want to generate the last statement like
   REPORT ,

     SCOPE=id1,

     SCOPE=id2,

oslt, by running another CARLa query that lists the users for the group on these SCOPE keywords, and then concatenate that to the layout.

I hope this begins to help.

Regards,

Hello Jeroen

in your example CRMBJTI is a group or user ?

About auto-generation of REPORT SCOPE=id1, ....

There is a limit on numer of id in scope.

Note that we have gruoup with thousand if user or universal group

Hi Gianfranco,

The ACL(ID(id)) clause on SELECT selects on IDs that are directly on the ACL of that profile, as we try to explain here: https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/com.ibm.zsecure.doc_3.1.0/admin_audit/carla_cmnd_lang_select_srch_prof_name.htm

So if the user is directly on the ACL, but the group the user is connected to is not, then selection on the group will not select the profile.

Conversely, if the group appears on the ACL, a select for the user ID will not bring up that profile.

The easy way to get the permits for a particular user ID would seem to be via option RA.3.4 (Permit/scope).

I am not totally sure which of the sub-options of RA.3.4 you are really thinking of here.
But as an example, sub-option 2 generates a CARLa like the following:

SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF SPECIAL AUDIT GRPAUDIT GRPOPER GRPSPEC OWNER PWDCHANGE SELFCON ALTER-M CKGRACMAP CKGRACDCERT CKGOWNER CREATE)N REQUIRED N=SCOPE0D T=:T1 TYPE=REPORT_SCOPE                                      DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)   d key(nondispl) class,                                                            proftype(detail) key(both,"Profile name") volser(detail)  access_via_when(76  / key(0,d,wrap,firstonly,"Full profile name",header),                           / access_via_when(d,header,76)                                                  summary complex id * class count(8,"Profiles") HIGH_ACCESS                    REPORT SCOPE=CRMBJTI                                                            

This first defined a layout and then requests the relevant data for one of more userids, in this case only for CRMBJTI.

You might want to generate the last statement like
   REPORT ,

     SCOPE=id1,

     SCOPE=id2,

oslt, by running another CARLa query that lists the users for the group on these SCOPE keywords, and then concatenate that to the layout.

I hope this begins to help.

Regards,

------------------------------
gianfranco casati
zOS Senior S.E. - DB2LUW S.E. - Tivoli S.E.
Gesiass
Milan
+39(0)22514752
------------------------------