IBM Security Z Security

  • 1.  RA.D Show differences (changes)

    Posted Mon January 29, 2024 10:59 AM

    Hello - I have an unload (baseline for yesterday) and the current RACF DB (main). I have experimented with the various options. In the example below, I cannot figure out how to see the CHG and BASE pair entry without showing all the other BASE entries (that have no associated changes). I can get the CHG entry by itself, but I want to see the base entry with the CHG. Thanks.

    Profile key                Comp  UACC
    SUMI.TEST.AAAA.*           BASE  NONE
    SUMI.TEST.AAAA.*           CHG   READ
    SUMI.TEST.ALERT*           BASE  NONE
    SUMI.TEST.ASDF.*           BASE  NONE
    SUMI.TEST.BBBB.*           BASE  NONE



    ------------------------------
    Joseph Sumi
    ------------------------------


  • 2.  RE: RA.D Show differences (changes)

    IBM Champion
    Posted Mon January 29, 2024 11:21 AM
    Edited by Rob van Hoboken Mon January 29, 2024 11:32 AM

    You would use COMPAREOPT NAME=xxx SHOW=CHG in your CARLa, see here.  In the newlist statement you would add COMPAREOPT=xxx.

    Then use formats CMPBASV and CMPCHGV on the COMPARE_CHANGES field to show the base and changed values.

    Something like

    define before(cmpbasv) compare_changes 
    define after(cmpchgv) compare_changes 


    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: RA.D Show differences (changes)

    Posted Mon January 29, 2024 03:24 PM

    Hello Rob - I wasn't able to get your suggestion working. Is there an example? But I came across "compare_changes". I changed compare_results to:

    (compareopt=1 ? compare_changes(CMPCHG4,40),)

    This works nicely for profile-level changes like UACC and AUDIT changes, and also for a user ID removed from an access list (joesid2), but if I add an ID to the access list, I do not see the level of access that was added; I only see JOESID1 in Value-2:

                                    Profile key            FieldnamC Value-1        Value-2
    id added to access list         SUMI.TEST.BBBB.*       USERID                   JOSESD1
    id removed from an access list  SUMI.TEST.GGG.HHH*     USERID    JOESID2

    Is there a better way to accomplish what I am looking for?

    Thanks.



    ------------------------------
    Joseph Sumi
    ------------------------------



  • 4.  RE: RA.D Show differences (changes)

    Posted Mon January 29, 2024 04:22 PM
    Edited by Tom Zeehandelaar Mon January 29, 2024 04:23 PM

    Hi Joe, 

    When I still worked for IBM Security Learning Services, I created the following two videos about the 'Show differences' feature that zSecure supports.

    They are published on the IBM Security Learning Services Academy. You will need to have (or create) an ID to log on to the Academy to access the videos:

    I hope that better clarifies how 'Show differences' can be used to only show the changes that you are interested in.

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 5.  RE: RA.D Show differences (changes)

    IBM Champion
    Posted Thu February 01, 2024 04:19 AM

    If you want to monitor the effect of PERMIT commands on profiles, RACF_ACCESS may be the better choice.  This newlist type has 1 observation for every entry on the ACL, so you can use SHOW=CHG to see when a permit was changed, and SHOW=(ADD,DEL) to see new and removed permits.  This newlist type ignores the conditional access list, though.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 6.  RE: RA.D Show differences (changes)

    Posted Fri February 02, 2024 10:51 AM

    I've been experimenting with the newlist type RACF_ACCESS but not having much luck. I checked the manual and could not find a good example of using this as you suggested. I'm not sure what the SELECT would be, or even what the SORTLIST would look like.

    Could more of the CARLa be provided for me to experiment with, for RACF_ACCESS, to see the permit changes?

    Thanks, Joe

    PS: Tom, thanks for the videos. I see there are many other uses of sort differences across RACF.



    ------------------------------
    Joseph Sumi
    ------------------------------



  • 7.  RE: RA.D Show differences (changes)

    IBM Champion
    Posted Sun February 04, 2024 05:54 AM

    RACF_ACCESS has 4 fields that you can use for simple RACF reports: class, profile, id and access.  Suppose you want to have a list of dataset profiles starting with SYS1:

    newlist type=racf_access
      select class=dataset profile=sys1.**
      sortlist profile id access

    This will create a line for every "permit" on dataset profiles, including for some pseudo ids like -uacc-. The difference from a newlist type=racf is that each line is an entry and every field can easily be used in SELECT, whereas with type=RACF, fields like USERID and ACCESS are repeated and you should use SUBSELECT to trim the access list display.

    So let's weed out the pseudo ids:

    newlist type=racf_access
      select class=dataset profile=sys1.**
      exclude id=-*
      sortlist profile id access

    If you wanted to print only the SYS1.** profile, this is what you would do:

    newlist type=racf_access
      select class=dataset profile="sys1.**"
      exclude id=-*
      sortlist profile id access

    If you want to mimic the output of newlist type=RACF, you would use SUMMARY to bring the profile key to the first line:

    newlist type=racf_access
      select class=dataset
      exclude id=-*
      sortlist id access id:name
      summary profile count(nd)

    Anyway, to see only the differences, you could use

    COMPAREOPT NAME=EXCSAME by=profile compare=(id,access)

    newlist type=racf_access compareopt=excsame
      define whathappened compare_results
      select class=dataset id<>-*
      sortlist profile whathappened id access



    ------------------------------
    Rob van Hoboken
    ------------------------------
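
The two granularities discussed in replies 5 and 7 (one observation per profile with repeated USERID/ACCESS fields versus one observation per access-list entry) are easier to see on data than in prose. The following Python is an added example, not CARLa from the thread and not code from IBM zSecure: it models a baseline-versus-current compare on a constructed set of access-list rows, classifies each result as ADD, DEL, CHG or SAME in the spirit of COMPAREOPT SHOW=, and returns base and changed values side by side, as CMPBASV/CMPCHGV do on COMPARE_CHANGES. The profile names and IDs are taken from the thread; the sample rows, the field names UACC/USERID/ACCESS, and the rule of comparing repeated fields as sets are this example's assumptions, not zSecure's documented algorithm.

```python
"""Added example (not code from the thread or from IBM zSecure).

Models the two comparison granularities the thread discusses, on a
constructed baseline/current pair of access lists:

  * profile level (NEWLIST TYPE=RACF): one observation per profile, whose
    USERID and ACCESS are repeated fields compared as a whole;
  * entry level (NEWLIST TYPE=RACF_ACCESS): one observation per ACL entry,
    compared BY=(profile, id) on ACCESS.

The result names ADD, DEL, CHG and SAME follow COMPAREOPT SHOW=; comparing
repeated fields as sets is this example's simplification (an assumption),
not zSecure's documented algorithm.
"""

# Constructed rows (profile, uacc, id, access): one row per access-list
# entry, pseudo ids such as -uacc- already excluded.
BASELINE = [
    ("SUMI.TEST.AAAA.*", "NONE", "JOESID1", "READ"),
    ("SUMI.TEST.ALERT*", "NONE", "JOESID3", "READ"),
    ("SUMI.TEST.BBBB.*", "NONE", "JOESID3", "READ"),
    ("SUMI.TEST.GGG.HHH*", "NONE", "JOESID2", "UPDATE"),
    ("SUMI.TEST.GGG.HHH*", "NONE", "JOESID3", "READ"),
]
CURRENT = [
    ("SUMI.TEST.AAAA.*", "READ", "JOESID1", "READ"),    # UACC NONE -> READ
    ("SUMI.TEST.ALERT*", "NONE", "JOESID3", "UPDATE"),  # permit READ -> UPDATE
    ("SUMI.TEST.BBBB.*", "NONE", "JOESID3", "READ"),
    ("SUMI.TEST.BBBB.*", "NONE", "JOSESD1", "READ"),    # permit added with READ
    ("SUMI.TEST.GGG.HHH*", "NONE", "JOESID3", "READ"),  # JOESID2 permit removed
]


def classify(old, new):
    """ADD/DEL/CHG/SAME for one (base value, changed value) pair."""
    if old is None:
        return "ADD"
    if new is None:
        return "DEL"
    return "SAME" if old == new else "CHG"


def compare_entries(base, curr, show=("ADD", "DEL", "CHG")):
    """Entry level, like COMPAREOPT BY=(profile,id) COMPARE=(access).

    Each result row carries the base and the changed access side by side,
    so an added permit shows the access level it was granted with."""
    b = {(p, i): a for p, _, i, a in base}
    c = {(p, i): a for p, _, i, a in curr}
    rows = []
    for profile, userid in sorted(set(b) | set(c)):
        old, new = b.get((profile, userid)), c.get((profile, userid))
        res = classify(old, new)
        if res in show:
            rows.append((res, profile, userid, old, new))
    return rows


def compare_profiles(base, curr, show=("ADD", "DEL", "CHG")):
    """Profile level, like COMPAREOPT BY=profile with every field compared.

    The repeated fields are reduced to sets (assumption), so an added permit
    surfaces as a USERID difference only: its READ was already in the
    ACCESS set, which is the symptom reported in reply 3."""
    def fold(rows):
        prof = {}
        for p, uacc, userid, access in rows:
            d = prof.setdefault(p, {"UACC": uacc, "USERID": set(), "ACCESS": set()})
            d["USERID"].add(userid)
            d["ACCESS"].add(access)
        return prof

    b, c = fold(base), fold(curr)
    rows = []
    for profile in sorted(set(b) | set(c)):
        if profile not in b or profile not in c:
            res = classify(b.get(profile), c.get(profile))
            if res in show:
                rows.append((res, profile, None, None, None))
            continue
        for field in ("UACC", "USERID", "ACCESS"):
            old, new = b[profile][field], c[profile][field]
            if old == new or "CHG" not in show:
                continue
            if isinstance(old, set):  # Value-1: base only, Value-2: changed only
                rows.append(("CHG", profile, field, sorted(old - new), sorted(new - old)))
            else:
                rows.append(("CHG", profile, field, old, new))
    return rows


if __name__ == "__main__":
    print("profile level (TYPE=RACF style):")
    for row in compare_profiles(BASELINE, CURRENT):
        print("  ", *row)
    print("entry level (TYPE=RACF_ACCESS style):")
    for row in compare_entries(BASELINE, CURRENT):
        print("  ", *row)
```

Run stand-alone, the profile-level report shows the new permit on SUMI.TEST.BBBB.* only as a USERID value in Value-2 with nothing about its access, while the entry-level report shows the same permit as one ADD row with READ, the permit raised on SUMI.TEST.ALERT* as one CHG row with READ beside UPDATE, and the removed JOESID2 permit as one DEL row. That is the practical reason reply 5 steers permit monitoring to RACF_ACCESS with SHOW=(ADD,DEL) and SHOW=CHG.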