Hello
I'm looking for a simple approach to compare ACLs from two different RACF databases accessible via CKNSERVE.
What currently works is the comparison/existence of dataset profiles with the following CARLa script:
alloc type=RACF primary zsecnode=DEV complex=DEV
alloc type=RACF primary zsecnode=PROD complex=PROD
define #DEV('DEV',3,hb) boolean where complex=DEV
define #PROD('PRD',3,hb) boolean where complex=PROD
NEWLIST type=RACF nodup required pl=0 dd=DATASET ,
title='DATASET - Difference' Empty='No Dataset differences'
select class=Dataset segment=base ,
complex=(DEV,
PROD)
summary class(8) key('D S N P',44) #DEV ,
#PROD count(nd,<2)
That works as well for generic resource profiles, users and groups.
Comparing the ACL of two profiles does not seem to work with a similarly simple approach. Attempts at using SUBSELECTs on the ACL with ACLID and access levels have not been successful so far. I haven't found any hint besides the compareopt. I thought about something like this:
alloc type=RACF primary zsecnode=DEV complex=DEV
alloc type=RACF primary zsecnode=PROD complex=PROD
compareopt name=acl_compare,
type=racf,
base=(complex=PROD),
compare=(acl),
show=all
newlist type=racf compareopt=acl_compare nodup ,
t="compare acl values",
empty="acl values are the same"
define #res compare_result
define #fld(cmpfld,10,'Attr') compare_changes
define #cmpbasv(9,'PROD',cmpbasv) compare_changes
define #cmpchgv(9,'DEV',cmpchgv) compare_changes
select class=dataset mask=sys1.** complex=(PROD,DEV)
sortlist profile acl #res ,
#fld,
#cmpbasv,
#cmpchgv
Unfortunately, the approach above does not show the expected result. I would expect something like:
PROFILE KEY PROD ACL-ID PROD ACCESS DEV ACL-ID DEV ACCESS
SYS1.PARMLIB USER1 READ USER1 ALTER
USER4 UPDATE USER4 CONTROL
SYS1.PROLCIB USER2 CONTROL
Has any of you already solved such an ACL compare in the past, and can you share further insights on how to do that?
Any feedback appreciated.
marco
------------------------------
Marco Egli
------------------------------