IBM Security Z Security

  • 1.  User report with data from multiple segments

    Posted Wed April 27, 2022 07:26 AM
    I'm just starting to use zSecure and trying to understand CARLa as well.  Doing a migration from ACF2 to RACF as well.  Trying to reproduce a report.
    I need to report on 
    Userid / Name / Last Access Date / TSOPROC / CICS OPIDENT / Connected Group (with a specific SUPGROUP)
    And only list those ids with groups that have the SUPGROUP=xxxxx
    Been playing with NEWLIST and MERGELIST, but not getting very far. I can list all the items separately, but not all together yet.

    Thanks
    Richard

    ------------------------------
    Richard McIntosh
    ------------------------------


  • 2.  RE: User report with data from multiple segments

    IBM Champion
    Posted Thu April 28, 2022 04:49 AM
    Edited by Rob van Hoboken Thu April 28, 2022 04:55 AM

    The RACF database holds these fields in separate records, called segments.  The segments for a single ID can be in different places in the database; since CARLa can process the database in (physical) sequential order, there is no guarantee the BASE segment is processed before the TSO or CICS segment.  Also, since CARLa wants to select profiles during the reading phase, and it only reads each block/record once, some trickery is needed to display fields from different segments when a select is needed on any field other than the PROFILE/KEY field.  One such trick is using the SUMMARY command.  See this.

    Newer releases of CARLa made these workarounds redundant through implicit lookup to find fields belonging to the same profile, but stored in different segments:

    newlist type=racf
      select class=user dfltgrp=xxxx
      sortlist key(8,"User ID") name ljdate :tlproc :opident connects

    The select statement implicitly only selects the base segment due to DFLTGRP being in the base segment.
    There is a niggle with all lookups, this doesn't work well with repeated (multi-value) fields....

    You could use the DEFINE CONNECTS SUBSELECT CONNECTS(condition) command to reduce the number of connect group names listed in the output.

    But now comes a challenge, you want to have a list of users that are connected to a group BELOW xxxx.  That is something the RACF newlist type does not support for the active RACF db, but only for an unloaded database as input.  I guess what would work is

    newlist type=racf
      select class=user congrpnm:supgroup=xxxx
      sortlist key(8,"User ID") name ljdate :tlproc :opident connects

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: User report with data from multiple segments

    IBM Champion
    Posted Thu April 28, 2022 05:08 AM
    If you were only interested in running this report in a batch job, you could use a two-pass query to get around this silly restriction (lookup in the select only supported from an unload).

    // EXEC C2RC
    //CKR2PASS DD DISP=(,PASS),DSN=&GRPINFO,SPACE=(TRK,(10,10))
    //SYSIN DD *
    newlist type=racf nopage dd=ckr2pass
      select class=group segment=base
      sortlist key(8) supgroup
    // EXEC C2RC
    //GRPINFO DD DISP=(OLD,PASS),DSN=&GRPINFO
    //SYSIN DD *
    deftype type=@grpinfo 
    alloc type=@grpinfo dd=grpinfo
    define type=@grpinfo group as substr(record,1,8)
    define type=@grpinfo supgroup as substr(record,10,8)

    newlist type=racf
    select class=user congrpnm:@grpinfo.group.supgroup=xxxxxx
    sortlist key(8,"User ID") name ljdate :tlproc :opident connects
    //


    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: User report with data from multiple segments

    Posted Thu April 28, 2022 11:19 AM
    I used the 2 pass example and it's close to what I need. It printed all the connected groups for the user though, not just those groups with the SUPGROUP I selected.

    So for userA, they have 4 connected groups, but only 1 of those groups has a SUPGROUP of what I'm looking for. The report is only selecting the users that have groups with a SUPGROUP selected, but it shows all of the user's groups still.

    ------------------------------
    Richard McIntosh
    ------------------------------



  • 5.  RE: User report with data from multiple segments

    IBM Champion
    Posted Thu April 28, 2022 11:50 AM
    Edited by Rob van Hoboken Thu April 28, 2022 11:53 AM
    As I suggested in my 1st answer, you could redefine the field CONNECTS to reduce the connect groups shown, like so

    newlist type=racf
      define connects subselect connects(group:@grpinfo.group.supgroup=xxxxxx)
      select class=user congrpnm:@grpinfo.group.supgroup=xxxxxx
      sortlist key(8,"User ID") name ljdate :tlproc :opident connects

    ------------------------------
    Rob van Hoboken
    ------------------------------
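
A small Python model of the two-pass lookup and of the difference between SELECT and SUBSELECT discussed in posts 3 to 5. This is an added example, not CARLa and not code from either poster; the group names, user IDs and the `load_grpinfo` and `report` functions are constructed for illustration, and the pass-1 record layout is assumed to be the one the DEFINE statements above read (group in columns 1-8, SUPGROUP in columns 10-17).

```python
# Constructed pass-1 output: one record per group, group name in columns 1-8
# and its SUPGROUP in columns 10-17 (the layout assumed by the thread's
# substr(record,1,8) and substr(record,10,8) definitions).
GROUPS = [("PAYROLL", "FINANCE"), ("LEDGER", "FINANCE"), ("SYSPROG", "SYS1"),
          ("FINANCE", "SYS1"), ("AUDIT", "SYS1")]
PASS1 = "".join(f"{group:<8} {sup:<8}\n" for group, sup in GROUPS)

# Constructed user profiles: user ID -> connect groups (a repeated field).
USERS = {
    "USERA": ["PAYROLL", "SYSPROG", "FINANCE", "AUDIT"],
    "USERB": ["SYSPROG"],
    "USERC": ["LEDGER", "SYSPROG"],
}


def load_grpinfo(text):
    """Build the pass-2 lookup table: group -> supgroup, by fixed columns."""
    table = {}
    for record in text.splitlines():
        group = record[0:8].strip()      # columns 1-8
        supgroup = record[9:17].strip()  # columns 10-17
        if group:
            table[group] = supgroup
    return table


def report(users, grpinfo, supgroup, subselect=False):
    """List users that have at least one connect group under `supgroup`.

    subselect=False models SELECT alone: the user record is chosen, but the
    whole repeated connect field is printed (the result seen in post 4).
    subselect=True models the redefined field from post 5: only the connect
    groups that satisfy the condition are printed.
    """
    rows = []
    for userid in sorted(users):
        matching = [g for g in users[userid] if grpinfo.get(g) == supgroup]
        if not matching:
            continue  # no connect group qualifies: record not selected
        rows.append((userid, matching if subselect else list(users[userid])))
    return rows


if __name__ == "__main__":
    info = load_grpinfo(PASS1)
    for flag in (False, True):
        print("subselect =", flag)
        for userid, groups in report(USERS, info, "FINANCE", flag):
            print(f"  {userid:<8} {' '.join(groups)}")
```
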


  • 6.  RE: User report with data from multiple segments

    Posted Thu May 05, 2022 06:37 AM
    Thanks for the advice. I was able to come up with something that does work for me.

    newlist type=RACF,
    toptitle='Daily NYP Audit Report'
    define #nyptpx(8,'TPXPROF') subselect connects(group=NYP*)
    select class=user s=base dfltgrp=ahnyp
    sortlist key('Logonid',8) name ljdate(8),
    :tlproc('TSO',8) :opident('CICSID',6) #nyptpx

    ------------------------------
    Richard McIntosh
    ------------------------------