There are 2 fields in TRUSTED that help in building a pseudo access list: USERID_PRIVILEGE indicates how the user gained access: PermitGrp shows it is a permit via a group, PermitUsr indicates a permit directly to the user ID. To find the group name relevant for PermitGrp, print the content of VIA.
Now, with the SELECT command you used, you will get several extraneous access reasons, for example, Operations, Owner, maybe even ConnAuth, that are going to be confusing for your sysprogs. An EXCLUDE command can be your friend.
Note that TRUSTED also shows REVOKED connect groups as active access reasons. Also, when a USERID has been permitted NONE, but one of his groups has a permit, say ALTER, the active access reason is confusingly shown as ALTER. Just so you know.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Mon June 13, 2022 03:37 PM
From: Linnea Sullivan
Subject: Determine Dataset Profile and View Access List in one step
Hans, based on what you have shown me, I am going to take this question in a different direction than my original question. So we have a rather large environment. I like some of the features in the reports you described, but I can't possibly do them online. I need to do them with batch, because I am bringing in dozens of CKFREEZE files.
I have been playing with TYPE TRUSTED and TYPE SENSDSN to get me a list in this format: APF Dataset Name, Dataset Profile Name, User/Group with Greater than READ access, and the Access Level. I seem to get mostly there with TYPE TRUSTED and select sensitivity=:apf class=dataset; however, the only apparent option is USERID. I would like to have the option to print the entry on the access list that is granting the access.
Is that possible?
I just don't see the fields when I go to IN.D and look at TRUSTED or SENSDSN.
------------------------------
Linnea Sullivan
Original Message:
Sent: Mon June 13, 2022 10:42 AM
From: Hans Schoone
Subject: Determine Dataset Profile and View Access List in one step
That sounds more or less like what the SENSDSN report is designed for – under AU.S, tag MVS EXTENDED and 'select specific reports', and then SENSITIVE, and then SENRAPF. Now you see every APF data set and can zoom in to show the access list and play with ACL X, ACLR, and ACL F, or back to ACL N.
------------------------------
Hans Schoone
Chief Architect zSecure
IBM
Delft
Original Message:
Sent: Fri June 10, 2022 04:56 PM
From: Linnea Sullivan
Subject: Determine Dataset Profile and View Access List in one step
We are trying to create a process for our systems programmers to determine the dataset profile that matches an APF dataset, and then view the access list to determine if that profile's access list is appropriate for an APF library. If the profile is too broad, they can request a new profile with a tighter access list to be created.
So I wanted to provide them a batch job similar to RA.D using the "Any Match" option so that they can just inquire on the APF dataset name. However, you cannot mark "Access List" and tell it to report any permissions greater than read, because the ISPF screens say the selection of the Access List criteria is mutually exclusive.
I am guessing I may have to create a 2 pass CARLa that 1st takes the APF dataset name that is being created, to determine the profile that would match the dataset name. Then pass that dataset name to a 2nd step to apply the access list criteria to look at the access list for users/groups with greater than read access.
Or is there something more simple that I can provide my systems programmers to determine the profile for their new APF library and who has a greater than READ access?
------------------------------
Linnea Sullivan
------------------------------