Thanks all !
STR$BLANK works great. Below is the 1st pass and 2nd pass CARLA used to produce the user report and their assoicated groups where they have group spec or oper or aud to the group (in case anyone is interested).
//CKRCARLA EXEC PGM=CKRCARLA,REGION=64M
//SYSPRINT DD SYSOUT=*
//CONNS DD DISP=(NEW,PASS),SPACE=(TRK,900),DSN=&&CONNS,
// RECFM=VB,LRECL=200
//SYSIN DD *
newlist type=racf nopage retain dd=conns
select class=user segment=base
exclude cggrpct=0 /* Exclude the irr* userids */
sortlist key(8) connects name instdata
//*
//STEP2 EXEC PGM=CKRCARLA,REGION=64M
//CONNS DD DISP=(OLD,PASS),DSN=&&CONNS
//SYSPRINT DD SYSOUT=*
//REPORT DD DSN=SUMI.GROUP.REPORT(+1),
// MGMTCLAS=XXXXXXXXX,SPACE=(CYL,(2,2),RLSE),
// DCB=(DSORG=PS,RECFM=FB,LRECL=255,BLKSIZE=2550),
// DISP=(,CATLG,DELETE)
//SYSIN DD *
alloc type=racf backup
deftype type=$conns
alloc type=$conns dd=conns
define type=$conns $group(8,'Groupid') as substr(record,10,8)
define type=$conns $specuser(8,'Userid') as substr(record,1,8)
define type=$conns $name(20,'Name') as substr(record,68,20)
define type=$conns $soa(3,'SOA') as substr(record,29,3)
define type=$conns $grpspec(str$blank("Yes")) boolean where ,
substr(record,29,1)='S'
define type=$conns $grpoper(str$blank("Yes")) boolean where ,
substr(record,30,1)='O'
define type=$conns $grpaud(str$blank("Yes")) boolean where ,
substr(record,31,1)='A'
newlist type=$conns tt='GROUP SPECIAL,OPERATIONS,AUDITOR' dd=report
select $grpoper OR $grpspec OR $grpaud
sortlist ,
$specuser $name " " $grpspec(7,'Special') ,
$grpoper(10,'Operations') $grpaud(7,'Auditor') ,
$group
//
------------------------------
Joseph Sumi
------------------------------
Original Message:
Sent: Fri May 31, 2024 09:50 AM
From: Jeroen Tiggelman
Subject: User report with only GrpSpec or Oper or Aud groups listed
Hi Joe,
That seems a mattter of overriding the output format.
The table of standard flag formats is here: https://www.ibm.com/docs/en/szs/3.1.0?topic=SS2RWS_3.1.0/com.ibm.zsecure.doc_3.1.0/admin_audit/carla_cmnd_lang_list_fam_cmds_flg_frmts.htm
The combination "Yes" in mixed case and "blank" does not naturally exist, but you can use STR$BLANK for this, like:
define type=$conns $grpspec(str$blank("Yes")) boolean where substr(record,29,1)='S'
Regards,
------------------------------
Jeroen Tiggelman
IBM - Software Development Manager IBM Security zSecure Suite
Delft
Original Message:
Sent: Fri May 31, 2024 09:39 AM
From: Joseph Sumi
Subject: User report with only GrpSpec or Oper or Aud groups listed
Hello - thanks, i found some old double-pass carla i had and modified it. I'm really close to what i want but one question. I want the "No" to be blank.
Here is my output:
Userid Name Special Operations Auditor Groupid
USER1 SUMI, JOSEPH Yes No No GROUP1
USER1 SUMI, JOSEPH Yes No No GROUP2
USER1 SUMI, JOSEPH Yes Yes No GROUP3
USER1 SUMI, JOSEPH Yes Yes No GROUP4
Here is the 2nd pass CARLA:
//SYSIN DD *
alloc type=racf backup
deftype type=$conns
alloc type=$conns dd=conns
define type=$conns $group(8,'Groupid') as substr(record,10,8)
define type=$conns $specuser(8,'Userid') as substr(record,1,8)
define type=$conns $name(20,'Name') as substr(record,68,20)
define type=$conns $soa(3,'SOA') as substr(record,29,3)
define type=$conns $grpspec boolean where substr(record,29,1)='S'
define type=$conns $grpoper boolean where substr(record,30,1)='O'
define type=$conns $grpaud boolean where substr(record,31,1)='A'
newlist type=$conns tt='GROUP SPECIAL,OPERATIONS,AUDITOR' dd=report
select $grpoper OR $grpspec OR $grpaud
sortlist $specuser $name $grpspec(7,'Special') ,
$grpoper(10,'Operations') $grpaud(7,'Auditor') ,
$group
------------------------------
Joseph Sumi
Original Message:
Sent: Fri May 31, 2024 03:15 AM
From: Rob van Hoboken
Subject: User report with only GrpSpec or Oper or Aud groups listed
I agree with Tom, this report is available in the user interface, RA.U.
The SELECT command selects whole profiles from the database, and connect groups are part of a profile. So when you print CGGRPNM, you will see all the connect groups in the selected profile.
In order to prune the connect groups, and all their attributes too, CARLa has the SUBSELECT command. This works after the profile(s) have been selected. It is documented with the DEFINE command.
newlist type=racf s s=base c=user (GrpSpec OR GrpOp OR GrpAud) define priv_connects subselect connects(GrpSpec OR GrpOper OR GrpAud) sortlist " - complex"(tt,page) complex(tt,page) stamp(tt), key(8,"User ID") name, priv_connects
Alternatively, you could look at RACF_ACCESS, which has a single line for each connect group entry, and lookup to the attributes of the entry. This means the SELECT command in RACF_ACCESS will select (and exclude) individual connect groups for a user. If memory serves, something like this would work. Note, it uses implicit lookup for the privileges:
newlist type=racf_access select class=group (:grpspec or :grpoper or :grpaud) summary id(8,"Userid") * profile(8,"Group") :grpspec :grpoper :grpaud
------------------------------
Rob van Hoboken
------------------------------