IBM Security Z Security


NEWLIST TYPE=TRUSTED not show all GROUPs in ACL

  • 1.  NEWLIST TYPE=TRUSTED not show all GROUPs in ACL

    Posted Thu May 11, 2023 03:36 PM

    I am running the following CARLA code:

    newlist type=trusted title="connected to groups with a permit"

      select class=dataset userid_privilege=permitGrp

    with a SUMMARY that includes the via parameter.

    This appears to be working; however, in cross-checking the access list for the matching RACF dataset profile, not all of the GROUPs that meet the criteria are showing up. If the group does not currently have any userids connected, it is not listed. Is there a way to force these to be listed as well?



    ------------------------------
    Peter Roberts
    ------------------------------


  • 2.  RE: NEWLIST TYPE=TRUSTED not show all GROUPs in ACL

    IBM Champion
    Posted Fri May 12, 2023 02:47 AM
    Edited by Rob van Hoboken Fri May 12, 2023 02:55 AM

    Hi Peter
    TRUSTED is meant to show USER IDs that have powerful access to sensitive resources.  If a group contains no users, there are no user IDs to show up and the group will not be reported.  Also, user IDs that have innocent privileges will be omitted, for example, READ access to PROCLIBs, whereas UPDATE or more will be shown.

    If you wanted to see all groups, you could resort to NEWLIST TYPE=RACF_ACCESS, like so:
    newlist type=racf_access title="groups with a sensitive permit"
      select class=dataset exists(priv_senstype) exists(id:supgroup)
      summary profile * id access count(nd)

    Now, this method will not give you the user IDs involved, only the group names + access.

    ------------------------------
    Rob van Hoboken
    ------------------------------
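
The difference between the two reports discussed in this thread, as a simplified Python model added here for illustration (it is not code from the thread and not how zSecure is implemented). The profile, group and user names, the `SENSITIVE_FROM` threshold and all function names are constructed assumptions.

```python
# RACF access levels in ascending order.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample ACL entries: (profile, ACL id, access).
ACL = [
    ("SYS1.PROCLIB", "SYSPROG", "UPDATE"),
    ("SYS1.PROCLIB", "OPERS", "READ"),
    ("SYS1.PROCLIB", "OLDTEAM", "ALTER"),
    ("SYS1.PROCLIB", "ALICE", "UPDATE"),
]
# Constructed group -> connected user IDs; OLDTEAM has no users connected.
CONNECTS = {"SYSPROG": ["BOB", "CAROL"], "OPERS": ["DAVE"], "OLDTEAM": []}
# Assumption for this model: lowest access treated as sensitive per profile.
SENSITIVE_FROM = {"SYS1.PROCLIB": "UPDATE"}

def is_sensitive(profile, access):
    floor = SENSITIVE_FROM.get(profile, "UPDATE")
    return LEVELS.index(access) >= LEVELS.index(floor)

def user_view(acl, connects):
    """User-centric rows (user, profile, access, via group or None)."""
    rows = []
    for profile, ident, access in acl:
        if not is_sensitive(profile, access):
            continue  # e.g. READ on a PROCLIB is not reported
        if ident in connects:
            # A group permit expands to its users; an empty group yields no rows.
            rows += [(user, profile, access, ident) for user in connects[ident]]
        else:
            rows.append((ident, profile, access, None))
    return rows

def acl_view(acl, connects):
    """ACL-centric rows: every group holding a sensitive permit, users or not."""
    return [(p, i, a) for p, i, a in acl if i in connects and is_sensitive(p, a)]

def empty_groups_with_permits(acl, connects):
    """Groups in the ACL-centric view that never appear in the user-centric view."""
    via = {row[3] for row in user_view(acl, connects)}
    return sorted({ident for _, ident, _ in acl_view(acl, connects)} - via)

if __name__ == "__main__":
    for row in user_view(ACL, CONNECTS):
        print("user view:", row)
    for row in acl_view(ACL, CONNECTS):
        print("acl view: ", row)
    print("empty groups holding permits:", empty_groups_with_permits(ACL, CONNECTS))
```

In this model OLDTEAM appears only in the ACL-centric view, so the set difference is a cleanup list of permits that would take effect for any user later connected to the group.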