Security for Z

  • 1.  NEWLIST TYPE=TRUSTED not show all GROUPs in ACL

    Posted Thu May 11, 2023 03:36 PM

    I am running the following CARLa code:

    newlist type=trusted title="connected to groups with a permit"

      select class=dataset userid_privilege=permitGrp

    with a SUMMARY that includes the via parameter.

    This appears to be working; however, in cross-checking the access list for the matching RACF dataset profile, not all of the GROUPs that meet the criteria are showing up. If a group does not currently have any userids connected, it is not listed. Is there a way to force these to be listed as well?



    ------------------------------
    Peter Roberts
    ------------------------------


  • 2.  RE: NEWLIST TYPE=TRUSTED not show all GROUPs in ACL

    Posted Fri May 12, 2023 02:47 AM
    Edited by Rob van Hoboken Fri May 12, 2023 02:55 AM

    Hi Peter
    TRUSTED is meant to show USER IDs that have powerful access to sensitive resources.  If a group contains no users, there are no user IDs to show up and the group will not be reported.  Also, user IDs that have innocent privileges will be omitted, for example, READ access to PROCLIBs, whereas UPDATE or more will be shown.

    If you wanted to see all groups, you could resort to NEWLIST TYPE=RACF_ACCESS, like so:
    newlist type=racf_access title="groups with a sensitive permit"
      select class=dataset exists(priv_senstype) exists(id:supgroup)
      summary profile * id access count(nd)

    Now, this method will not give you the user IDs involved, only the group names + access.

    ------------------------------
    Rob van Hoboken
    ------------------------------