Original Message:
Sent: Tue January 16, 2024 08:18 AM
From: gianfranco casati
Subject: CARLa Report: Permit x user in Group
Hello Jeroen
in your example CRMBJTI is a group or user ?
About auto-generation of REPORT SCOPE=id1, ....
There is a limit on numer of id in scope.
Note that we have gruoup with thousand if user or universal group
------------------------------
gianfranco casati
zOS Senior S.E. - DB2LUW S.E. - Tivoli S.E.
Gesiass
Milan
+39(0)22514752
Original Message:
Sent: Tue January 16, 2024 07:53 AM
From: Jeroen Tiggelman
Subject: CARLa Report: Permit x user in Group
Hi Gianfranco,
The ACL(ID(id)) clause on SELECT selects on IDs that are directly on the ACL of that profile, as we try to explain here: https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/com.ibm.zsecure.doc_3.1.0/admin_audit/carla_cmnd_lang_select_srch_prof_name.htm
So if the user is directly on the ACL, but the group the user is connected to is not, then selection on the group will not select the profile.
Conversely, if the group appears on the ACL, a select for the user ID will not bring up that profile.
The easy way to get the permits for a particular user ID would seem to be via option RA.3.4 (Permit/scope).
I am not totally sure which of the sub-options of RA.3.4 you are really thinking of here.
But as an example, sub-option 2 generates a CARLa like the following:
SUPPRESS REASON=( UACC ID(*) GLOBAL WARNING NOPROF SPECIAL AUDIT GRPAUDIT GRPOPER GRPSPEC OWNER PWDCHANGE SELFCON ALTER-M CKGRACMAP CKGRACDCERT CKGOWNER CREATE)N REQUIRED N=SCOPE0D T=:T1 TYPE=REPORT_SCOPE DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS) d key(nondispl) class, proftype(detail) key(both,"Profile name") volser(detail) access_via_when(76 / key(0,d,wrap,firstonly,"Full profile name",header), / access_via_when(d,header,76) summary complex id * class count(8,"Profiles") HIGH_ACCESS REPORT SCOPE=CRMBJTI
This first defined a layout and then requests the relevant data for one of more userids, in this case only for CRMBJTI.
You might want to generate the last statement like
REPORT ,
SCOPE=id1,
SCOPE=id2,
oslt, by running another CARLa query that lists the users for the group on these SCOPE keywords, and then concatenate that to the layout.
I hope this begins to help.
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development Manager IBM Security zSecure Suite
Delft
Original Message:
Sent: Tue January 16, 2024 07:10 AM
From: gianfranco casati
Subject: CARLa Report: Permit x user in Group
I want to create a report with all permits for each user present in group.
I have tried CARLa below, but it seems that I cannot use acl(id(my_group)) in Select, only userid cab be specified.
Any suggest
------------------------------
gianfranco casati
zOS Senior S.E. - DB2LUW S.E. - Tivoli S.E.
Gesiass
Milan
+39(0)22514752
------------------------------