  • 1.  Zsecure Alert for Add or Delete user from RACF

    Posted Wed February 08, 2023 02:14 AM
    Hi ALL

    I have set up an alert in zSecure Alert to send an email in case of an ADD or DELETE of a user in RACF, as some other actions are needed by another department.
    My alert was like this:

     DEF TYPE=SMF COMTYPE(CHAR,12) AS WORD(RECORDDESC,2,' ')
    S type=(80,81,83) ((RELOCATE=6 OR EVENT=RACPRIV)) racfcmd=:ADDUSER
    sortlist,
    recno(nd),
    'Alert: RACF ADD USER '(t) racfcmd_user(t) ' BY ADMIN'(t) user(t),
    'Alert: RACF ADD USER ' racfcmd_user ' BY ADMIN' user(0) /,
    'THIS EMAIL GENERATED FORM ZSECURE ALERT TO NOTIFYTHE TEAM' /,
    / ' Alert id 4007',
    / ' Date and time'(18) date(9) time(11),
    / ' ADMIN'(18) user(8) name,
    / ' USER'(18) racfcmd_user(8) racfcmd_user:NAME,
    / ' CIVILID'(18) racfcmd_user:INSTDATA,
    / ' DEPT'(18) racfcmd_user:WADEPT,
    / ' RACF action '(18,noretain) COMTYPE ,
    / ' Result'(18) descriptor(0,explode),
    / ' Job name'(18) jobname,
    / ' System ID'(18) system,
    //
    It works fine and sends the email, but it gives empty data for the fields racfcmd_user:NAME and racfcmd_user:INSTDATA.

    In other words, I can't get any related data in my alert; however, if I use the query below from CO.C, I get all the fields:
    n type=SMF
    S type=(80,81,83) ((RELOCATE=6 OR EVENT=RACPRIV)) racfcmd=:ADDUSER
    sortlist date(7) time(5) user("Admin_ID") USER:NAME("ADMIN_NAME",20),
    racfcmd_user(8,"User") racfcmd_user:NAME("USER_NAME",20) ,
    racfcmd_user:WADEPT("WORK_DEPT",20),racfcmd_user:INSTDATA("CIVI_ID",20)

    Would you please advise on this?

    Thanks
    Mohammed Ibrahem

    ------------------------------
    Mohammed Ibrahem
    ------------------------------


  • 2.  RE: Zsecure Alert for Add or Delete user from RACF

    Posted Wed February 08, 2023 03:22 AM
    Hi Mohammed,

    The lookup function gets its data from (a copy of) the RACF data source (live database or UNLOAD). When you add a user, the RACF data source being used might not contain the user yet, so then the lookup would not work.

    By default the Alert started task reassesses the current information about the system environment and user attributes hourly as explained here: https://www.ibm.com/docs/en/szs/2.5.0?topic=implications-intervals

    You might want to obtain the NAME from the command that is being issued for ADDUSER instead. I would recommend looking at the PARSE function of DEFINE.

    For deleting a user the lookup should work (unless it had been added since the previous hourly interval).

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: Zsecure Alert for Add or Delete user from RACF

    Posted Thu February 09, 2023 01:34 AM

    Thanks, Jeroen, for your answer.

    I have tried the PARSE function as below:

    DEF TYPE=SMF COMTYPE(CHAR,12)  AS WORD(RECORDDESC,2,' ')      
    DEF TYPE=SMF UN(CHAR,20)  AS PARSE(RACFCMD,'NAME(',')')       
    DEF TYPE=SMF CIVILID(CHAR,20)  AS PARSE(RACFCMD,'DATA(',')')  
    DEF TYPE=SMF DEPT(CHAR,20)  AS PARSE(RACFCMD,'WADEPT(',')')   

    alloc type=RACF primary active                                      
    S type=(80,81,83) ((RELOCATE=6 OR EVENT=RACPRIV)) racfcmd=:ADDUSER  
     sortlist,                                                          
      recno(nd),                                                        

    / '   -Alert id        4007',                            
    / '   -Date and time'(18) date(9) time(11),              
    / '   -System ID'(18) system,                            
    / '   -Job name'(18) jobname,                            
    / '   -Result'(18) descriptor(0,explode),                                  
    / '  -ADMIN_ID'(18) user(8) ,                            
    / '  -ADMIN_NAME'(18) name,                              
    / '  -USER_ID'(18) racfcmd_user(8),                      
    / '  -USER_NAME'(18) UN(wrap,HOR,0),                     
    / '  -CIVILID'(18) CIVILID(wrap,HOR,0),                  
    / '  -DEPTARTMENT'(18,noretain) DEPT(wrap,HOR,0),        
    / '  -Action Needed '(18,noretain) COMTYPE ,      

    It works fine and I got my data, but the layout of the fields that come from PARSE is shifted:

       -Alert id        4007
       -Date and time  09Feb2023 09:18:55.77
       -System ID      bbbb
       -Job name       aaaaaaa
       -Result         Success
      -ADMIN_ID        cccccccc
      -ADMIN_NAME      bbbbbbbb
      -USER_ID         aaaaaaaa
      -USER_NAME             yyyyyyyyyyyyyyyy
      -CIVILID             xxxxxxxxxxxxxxxxx
      -DEPTARTMENT                               zzzzzzzzz
      -Action Needed   ADDUSER

    Do you have any idea about how to fix this? Thanks again for your support.

         



    ------------------------------
    Mohammed Ibrahem
    ------------------------------



  • 4.  RE: Zsecure Alert for Add or Delete user from RACF

    Posted Thu February 09, 2023 03:48 AM
    Edited by Rob van Hoboken Thu February 09, 2023 04:02 AM

    The RACFCMD field is actually a repeated field, similar to the field CGGRPNM in the RACF USER profiles.  That means, for the command and each of the keywords, a separate entry (line) is prepared in the RACFCMD field.  You know this, because when you want to display or print the RACF command, you write RACFCMD(HOR,WRAP,0).  HOR means, print all the entries (lines) in one horizontal string.

    Now, the PARSE( ) function processes each entry of the RACFCMD field separately.  If the entry does not match, PARSE leaves an EMPTY value, with length 0.  The HOR modifier that you used concatenates these empty values with a space (blank) in between.  So, if the NAME('programmer name') field is the 6th parameter in the command, your PARSE skips the RACF command and 5 other parameters, and HOR concatenates these with 6 spaces BEFORE the actual NAME value.

    I hated this too when I was faced with the behavior of HOR and could find no work-around. Feel free to RFE a solution, my request fell on deaf (or, at least, over-committed) ears.

    ------------------------------
    Rob van Hoboken
    ------------------------------
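
A small Python model of the behaviour described in post 4, added here as an illustration: it is not zSecure or CARLa code and not from any poster in this thread. The sample command entries, the function names and the 18-column label width are assumptions; the last function is a receiving-side clean-up for whatever consumes the alert text.

```python
# Constructed sample: one entry per command/keyword, following the
# description of RACFCMD as a repeated field. All values are placeholders.
RACFCMD = [
    "ADDUSER NEWUSR1",
    "DFLTGRP(STAFF)",
    "OWNER(STAFF)",
    "NAME(JANE EXAMPLE)",
    "DATA(1234567890)",
]


def parse_entry(entry, start, end):
    """Model of PARSE on a single entry: the text between the start and
    end markers, or an empty (length 0) value when the entry has no match."""
    i = entry.find(start)
    if i < 0:
        return ""
    begin = i + len(start)
    j = entry.find(end, begin)
    return entry[begin:j] if j >= 0 else entry[begin:]


def parse_hor(entries, start, end):
    """Model of PARSE applied per entry, then HOR joining every result,
    empty ones included, with one blank in between."""
    return " ".join(parse_entry(e, start, end) for e in entries)


def render(label, value, width=18):
    """Model of a report line: label padded to a fixed width, then the value."""
    return label.ljust(width) + value


def realign(line, width=18):
    """Clean-up on the receiving side: keep the label column and drop the
    blanks that the empty PARSE results contributed around the value."""
    return line[:width] + line[width:].strip()


if __name__ == "__main__":
    for label, key in (("  -USER_NAME", "NAME("), ("  -CIVILID", "DATA(")):
        shifted = render(label, parse_hor(RACFCMD, key, ")"))
        print(repr(shifted))            # value pushed right by the empties
        print(repr(realign(shifted)))   # value back at the label boundary
```

In this model the number of blanks before the value equals the number of RACFCMD entries that precede the matching keyword, which is why each field in the alert is shifted by a different amount.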



  • 5.  RE: Zsecure Alert for Add or Delete user from RACF

    Posted Thu February 09, 2023 03:50 AM
    Edited by Rob van Hoboken Thu February 09, 2023 04:02 AM

    By the way, in your SELECT command

    S type=(80,81,83) ((RELOCATE=6 OR EVENT=RACPRIV)) racfcmd=:ADDUSER  

    it is easier and more efficient to use the EVENT field to select the command, like so 

    S type=80 event=ADDUSER  

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 6.  RE: Zsecure Alert for Add or Delete user from RACF

    Posted Thu February 09, 2023 06:00 AM

    Hi Mohammed,

    Rob correctly explained what is happening.

    I can think of no way of putting the value without the preceding blanks onto the same line in a single pass.

    You can get the value into a fixed position onto the line below by removing the (WRAP,HOR,0) and using ' '(18,NE) at the start of the next line.

    (But you get stuck with many extra line breaks including empty lines in this way, so this might not help you much.)

    Note: NOTEMPTY (or NE for short) does not work when you have a literal string other than blanks.

    (And of course a two-pass solution is possible, but I don't think that is very useful in an Alert context.)

    Regards,



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------