IBM Security Z Security

  • 1.  zSecure Carla to compare ACL values

    Posted Tue July 26, 2022 10:07 AM
    Hello

    I'm looking for a simple approach to compare ACL's from two different RACF Databases accessible via CKNSERVE.
    Currently working is the comparison/existence of dataset profiles with the following carla script:

    alloc type=RACF primary zsecnode=DEV    complex=DEV  
    alloc type=RACF primary zsecnode=PROD   complex=PROD 
    define #DEV('DEV',3,hb)           boolean where complex=DEV 
    define #PROD('PRD',3,hb)          boolean where complex=PROD
     NEWLIST type=RACF nodup required pl=0 dd=DATASET ,           
       title='DATASET - Difference' Empty='No Dataset differences'
         select class=Dataset segment=base ,                      
                complex=(DEV,                                     
                         PROD)                                    
      summary class(8) key('D S N P',44) #DEV  ,                            
                                         #PROD   count(nd,<2)


    That works as well for generic resource profiles, users and groups.

    Comparing the ACL of two profiles does not seem to work in a similarly simple approach. Attempts at using the SUBSELECTS on the ACL with ACLID and access levels were not successful so far. I haven't found any hint besides the compareopt. I thought about something like this:
    alloc type=RACF primary zsecnode=DEV    complex=DEV  
    alloc type=RACF primary zsecnode=PROD   complex=PROD 
    compareopt name=acl_compare,    
               type=racf,           
               base=(complex=PROD),
               compare=(acl),       
               show=all             
    newlist type=racf compareopt=acl_compare nodup ,   
      t="compare acl values",                          
      empty="acl values are the same"                  
     define #res      compare_result                   
     define #fld(cmpfld,10,'Attr')     compare_changes     
     define #cmpbasv(9,'PROD',cmpbasv) compare_changes
     define #cmpchgv(9,'DEV',cmpchgv)  compare_changes 
    select class=dataset mask=sys1.** complex=(PROD,DEV)
    sortlist profile acl #res ,                               
                         #fld,                                
                         #cmpbasv,                                                       
                         #cmpchgv


    Unfortunately the approach from above does not show the expected result. I would expect something like 

    PROFILE KEY                  PROD ACL-ID   PROD ACCESS    DEV ACL-ID   DEV ACCESS
    SYS1.PARMLIB                 USER1         READ           USER1        ALTER
                                 USER4         UPDATE         USER4        CONTROL
    SYS1.PROLCIB                                              USER2        CONTROL


    Has anyone of you solved such an ACL comparison in the past and can share further insights on how to do that?

    Any feedback appreciated.
    marco

    ------------------------------
    Marco Egli
    ------------------------------


  • 2.  RE: zSecure Carla to compare ACL values

    IBM Champion
    Posted Wed July 27, 2022 02:43 AM
    Edited by Rob van Hoboken Wed July 27, 2022 02:47 AM
    Hi Marco
    Newlist type=racf gives you whole profiles to work with, and the ACL of a profile is an attribute that is not so easily processed with a summary command.
    To address reporting needs such as yours, newlist type=racf_access hands you each ACL entry in a separate record.  This is how you would print a traditional profile report (of only permits that have access=ALTER, as a demo of its flexibility):

    newlist type=racf_access
      select class=dataset profile=sys1.** id<>-* access=alter
      summary profile * id access count(nd)

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: zSecure Carla to compare ACL values

    Posted Wed July 27, 2022 05:28 AM
    Hi Rob
    Thanks for the fast reply!
    With your hint to use the racf_access I was able to create a better list than before.
    alloc type=RACF primary zsecnode=PROD complex=PROD                  
    alloc type=RACF primary zsecnode=DEV  complex=DEV                   
                                                                        
    mergelist                                                           
     n type=racf_access nopage                                          
     s class=dataset profile=sys1.** id<>-* access>=READ ,              
                                            access<=ALTER complex=(PROD)
       sortlist profile  id access complex                              
                                                                        
     n type=racf_access nopage                                          
     s class=dataset profile=sys1.** id<>-* access>=READ ,              
                                            access<=ALTER complex=(DEV) 
       sortlist profile  id access complex                              
    endmerge

    Using the code as above, it shows a variation of the expected result like:
    SYS1.SIOALMOD                                GROUP1 ALTER     DEV
    SYS1.SIOALMOD                                GROUP1 ALTER     PROD
    SYS1.SISTCLIB                                GROUP2 READ      DEV
    SYS1.SISTCLIB                                GROUP2 READ      PROD
    SYS1.SISTCLIB                                GROUP3 READ      DEV
    SYS1.SISTCLIB                                GROUP3 READ      PROD
    SYS1.SISTCLIB                                GROUP1 ALTER     DEV
    SYS1.SISTCLIB                                GROUP1 ALTER     PROD
    SYS1.SISTGDMO                                GROUP3 READ      PROD
    SYS1.SISTGDMO                                GROUP1 ALTER     DEV
    SYS1.SISTGDMO                                GROUP1 UPDATE    PROD

    With the above result it's possible to work; the perfect solution would be to only get the last two lines, as only there is a difference between DEV and PROD on the ACL. All other listed entries are equal between PROD and DEV, and those are not interesting. Is there an option like sort/filter on the first three columns within carla?

    Following the suggested approach from your sample, I would use a carla like this:

    alloc type=RACF primary zsecnode=PROD complex=PROD
    alloc type=RACF primary zsecnode=DEV  complex=DEV                 
           
     newlist type=racf_access nodup                                        
       select class=dataset profile=sys1.** id<>-* complex=(PROD,DEV)
       summary profile * id access complex                           

    With the above code a result would look like:

    Profile                                      Id       Access    Complex  Count   
    SYS1.PARMLIB                                                                    8
                                                 GROUP1   UPDATE    DEV             1
                                                 GROUP1   UPDATE    PROD            1
                                                 GROUP2   ALTER     DEV             1
                                                 GROUP2   ALTER     PROD            1
                                                 SYS1     QUALOWN   DEV             1
                                                 SYS1     QUALOWN   PROD            1
                                                 GROUP3   ALTER     DEV             1
                                                 GROUP3   ALTER     PROD            1

    That shows a similar result, where I would like to filter rows with equal values in the Id and Access columns. Whatever option is offered in carla, I'm happy to follow. If that's not possible, I would then further manipulate the data within rexx to filter.

    regards
    marco



    ------------------------------
    Marco Egli
    ------------------------------



  • 4.  RE: zSecure Carla to compare ACL values

    IBM Champion
    Posted Wed July 27, 2022 05:53 AM
    Edited by Rob van Hoboken Thu July 28, 2022 05:39 PM
    As you know, MERGELIST and SUMMARY cannot work together, so you have to work with only SUMMARY and copy the same method from your original email.

     NEWLIST type=RACF_access pl=0 dd=DATASET ,           
       title='DATASET - Difference' Empty='No Dataset differences'
         define #DEV('DEV',3,hb)           boolean where complex=DEV 
         define #PROD('PRD',3,hb)          boolean where complex=PROD
         select class=Dataset id<>-* ,                      
                complex=(DEV,                                     
                         PROD)                                    
         summary class(8) key('D S N P',44),
               * id access #DEV #PROD   count(nd,<2)
    or
     NEWLIST type=RACF_access pl=0 dd=DATASET ,           
       title='DATASET - Difference' Empty='No Dataset differences'
         define #DEV('DEV',7,access_nz)  max(access) where complex=DEV 
         define #PROD('PRD',7,access_nz) max(access) where complex=PROD
         select class=Dataset id<>-* ,                      
                complex=(DEV,                                     
                         PROD)                                    
         summary class(8) key('D S N P',44),
               * id #DEV #PROD   count(nd,<2)

    ------------------------------
    Rob van Hoboken
    ------------------------------
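For readers who end up post-processing the MERGELIST output outside CARLa (as reply 3 considers doing in REXX), the following Python script is an added example, not code from the thread or from zSecure. It implements the same difference rule that reply 4 expresses with count(nd,&lt;2): keep only (profile, id) pairs whose highest access level is not identical in both complexes. The input is the four-column output shown in reply 3, embedded here as constructed sample data; it assumes one whitespace-separated row per ACL entry with no blanks inside the profile name, and an id missing from one complex is reported as "-".

```python
from collections import defaultdict

# RACF access levels in ascending order of privilege. Used to keep the highest
# access when an id appears more than once for a profile within one complex,
# which mirrors the max(access) variant in reply 4.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample: the MERGELIST output from reply 3
# (profile, id, access, complex). Not real RACF data.
SAMPLE_LINES = """\
SYS1.SIOALMOD                                GROUP1 ALTER     DEV
SYS1.SIOALMOD                                GROUP1 ALTER     PROD
SYS1.SISTCLIB                                GROUP2 READ      DEV
SYS1.SISTCLIB                                GROUP2 READ      PROD
SYS1.SISTCLIB                                GROUP3 READ      DEV
SYS1.SISTCLIB                                GROUP3 READ      PROD
SYS1.SISTCLIB                                GROUP1 ALTER     DEV
SYS1.SISTCLIB                                GROUP1 ALTER     PROD
SYS1.SISTGDMO                                GROUP3 READ      PROD
SYS1.SISTGDMO                                GROUP1 ALTER     DEV
SYS1.SISTGDMO                                GROUP1 UPDATE    PROD
"""


def parse_access_lines(text):
    """Parse whitespace-separated rows into (profile, id, access, complex) tuples.

    Lines that do not have exactly four fields (blank lines, page headers) are skipped;
    an unknown access keyword is treated as an input error rather than silently ignored.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        profile, acl_id, access, complex_ = parts
        access = access.upper()
        if access not in ACCESS_RANK:
            raise ValueError(f"unknown access level {access!r} on line: {line}")
        rows.append((profile, acl_id, access, complex_.upper()))
    return rows


def acl_differences(rows, base="PROD", other="DEV"):
    """Return [(profile, id, base_access, other_access)] for ids whose access differs.

    A missing entry is returned as None, meaning the id is permitted in only one complex.
    """
    acl = defaultdict(dict)  # (profile, id) -> {complex: highest access seen}
    for profile, acl_id, access, complex_ in rows:
        current = acl[(profile, acl_id)].get(complex_)
        if current is None or ACCESS_RANK[access] > ACCESS_RANK[current]:
            acl[(profile, acl_id)][complex_] = access
    diffs = []
    for (profile, acl_id), per_complex in sorted(acl.items()):
        base_access, other_access = per_complex.get(base), per_complex.get(other)
        if base_access != other_access:
            diffs.append((profile, acl_id, base_access, other_access))
    return diffs


def format_report(diffs, base="PROD", other="DEV"):
    """Render the differences in the column layout the original question asked for."""
    lines = [f"{'PROFILE KEY':<28} {'ACL-ID':<8} {base + ' ACCESS':<12} {other + ' ACCESS':<12}"]
    for profile, acl_id, base_access, other_access in diffs:
        lines.append(f"{profile:<28} {acl_id:<8} {base_access or '-':<12} {other_access or '-':<12}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(acl_differences(parse_access_lines(SAMPLE_LINES))))
```

On the sample data this reports SYS1.SISTGDMO twice: GROUP1 (PROD UPDATE, DEV ALTER) and GROUP3 (PROD READ, no DEV entry), and drops every entry that is identical in both complexes. Feed it the real MERGELIST output by reading the file instead of SAMPLE_LINES; the parser only relies on the four-column layout.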