IBM Mainframe Forum

[danielgp89]

Hello Everyone!

How Can I extract a report with the IBM zSecure Audit tool, of the users that has direct permits or access to profiles or resources, like READ, UPDATE, ALTER etc.

I can extract a report with the whole world including Groups and Users, but I don't know which one is a group or user.

Best Regards!

[Blackthorn]

How are you extracting the report at present? If you specify the ACL keyword on your SORTLIST statement, you'll get three extra columns which will indicate whether the ID in question id a group or not.

[danielgp89]

I'm Using the Option R.3.4 (Permit/Scope - Report access of a user or group)

In this section I want to know, which users has direct access to resources, so I'm Using the option 1. (Direct permit to the Id (Id on access list). Then I type a user on the ID, with the (Output in print format) on.

When It appears me the access of that user I typed F3 and in the Options it appears "Enter a selection in front of highlighted line below" I selected COMMANDS in that CALRa COMMAND LINE, I see this:

SUPPRESS REASON=(OWNER)
N REQUIRED N=SCOPE0L TYPE=REPORT_SCOPE,
TOPTITLE="U S E R A U T H O R I Z A T I O N F O R I D "
DEFINE HIGH_ACCESS("HighAcc") MAX(ACCESS)
sortlist id(page,toptitle) id:name(page,toptitle),
complex(page,toptitle) stamp(toptitle),
class key(nondispl),
proftype key("Profile name") volser access_via_when
REPORT PERMIT=C104584

What I was looking for is that instead of type each PERMIT for each User maybe there is something liker PERMIT=* OR PERMIT=ALLUSERS something like that obviously doesn't work because it looks for a User name * or ALLUSERS

I want the hole Universe of Users

[steve-myers]

I ran into this issue back in the 1990s when I had to work with RACF and never had a real resolution. A RACF access list specifies a userid or a group name. What is not so readily available is a table that can translate a group name to the users that group represents. Another issue in RACF is the concept of a group serves at least two purposes.

• A group of hopefully related users.
• A string that [usually] represents the high level qualifier for a data set name.

For example, you almost certainly have a SYS1 “group” that may not have any users in it, but it has at least one access profile like SYS1.* or SYS1.** to control access to SYS1 data sets..

Just to complicate the issue, even more, data set profiles have the concept of “universal access” or UACC. Your generic SYS1 data set access profile may specify a UACC of READ, which is used when a more specific access profile is not used.

In other words, between UACC and group accesses it can be quite difficult to say who can access what data set in a general case. If you want to know if user JOE can access data set PROD.MAYROLL.MASTER, you first retrieve the RACF access profile for the data set. First check its UACC, then look at the access list for the data set. If the UACC is none, then find out if JOE is in the access list. Then determine which group JOE is in and see if that group is in the access list. If you still have any hair left you'll be lucky!

[danielgp89]

Hello @steve-myers!

hahahah yeah I know!! And I'm only 29 years old, so imagine how I will look like when I get 45.

Mostly the difficult thing is to use the IBM products. This issue I would solve it so easily with a product that does the same thing like zSecure, is from Beta Systems Beta88.

I just figured out, how to solve the problem, but I have to do, too many manual stuff, like first extract a report of the complete universe of the users, then copy from blocks of hundreds,to the CARLa query, like.

REPORT PERMIT=xxxxx1
REPORT PERMIT=xxxxx2
REPORT PERMIT=xxxxx3
REPORT PERMIT=xxxxx4
And so on....... to the 30k users that the RACF DB has.

The report brings the users that have direct access to resource or datasets and the type of access (READ, ALTER, UPDATE, ALTER, etc).

But I was wondering, if there is a Variable that bring all the users at once.

The main idea of this report is to analyze why those users have access direct to dataset and resource instead of access them by group.

[steve-myers]

Hello @steve-myers!

hahahah yeah I know!! And I'm only 29 years old, so imagine how I will look like when I get 45.

Mostly the difficult thing is to use the IBM products. This issue I would solve it so easily with a product that does the same thing like zSecure, is from Beta Systems Beta88.

I just figured out, how to solve the problem, but I have to do, too many manual stuff, like first extract a report of the complete universe of the users, then copy from blocks of hundreds,to the CARLa query, like.

REPORT PERMIT=xxxxx1
REPORT PERMIT=xxxxx2
REPORT PERMIT=xxxxx3
REPORT PERMIT=xxxxx4
And so on....... to the 30k users that the RACF DB has.

The report brings the users that have direct access to resource or datasets and the type of access (READ, ALTER, UPDATE, ALTER, etc).

But I was wondering, if there is a Variable that bring all the users at once.

The main idea of this report is to analyze why those users have access direct to dataset and resource instead of access them by group.

You are still not doing the complete job, READ all of my last post.

[Blackthorn]

OK, I think we're coming at this from the wrong angle. RA.3.4 is designed to show you all the access that a particular user has to a resource, regardless of whether it is directly, via a group, UACC or whatever. The user ID can be specified as '*' since that is a valid ID to have on an access list - it does not mean that all users will be reported on. Instead we need to list all profiles, along with their access list. Try this bit of CARLa -

alloc type=RACF primary active zsecnode=.
print dd=ckreport
newlist type=racf nopage
s c=dataset and s=base mask=**
sortlist key acl

That will list all dataset profiles, along with their access list. The access list consists of three columns, the first of which identifies whether the entry is a group or not. So with a bit of simple post processing, it would be easy to pull out all the ones which are users.

[danielgp89]

Thanks so much for your time and help @Blackthorn!

The CARLa query worked fine!

You are the Best!!!

My Best Regards!!!

[danielgp89]

Ok!! Let me tried to explain what are we looking for

The main idea of this post is to find out, how can we extract a report with the z/Secure tool with the Report Panel (3.4 -Permit/Scope) option, that bring us those users who have direct or indirect access to resource.

Our pal @blackthorn gave us an example of a way to extract that report.

But our RACF auditor, got crazy and he start asking for a report of the access of all the users that lives in RACF with their permits and connections to resources and their type of access (READ,UPDATE,ALTER) etc, and the group of wich they inherited the access.

Actually our RACF has a world of 34k users approx.

We are looking for a query that could brings us the whole universe with just a command and not with the need of specifying one by one!!

[enrico-sorichetti]

But our RACF auditor,

should be proficient in understanding the content of
https://www-01.ibm.com/servers/resource ... enDocument

and ...

how can we extract a report with the z/Secure tool with the Report Panel

is just the wrong approach

Your auditor needs to extract some data FULL STOP.
and as long as he/she gets it the tool used is irrelevant

here is the link to the list of manuals available for z/secure

https://www.ibm.com/support/knowledgece ... y_zos.html

and also a few of links useful to meditate on

RACF cross-reference utility (IRRUT100)
https://www.ibm.com/support/knowledgece ... UT100_.htm

Using the RACF database unload utility (IRRDBU00)
https://www.ibm.com/support/knowledgece ... /dbuh2.htm

Using the database unload utility output effectively
https://www.ibm.com/support/knowledgece ... 00/eff.htm

unfortunately most often the need to use a tool and nothing else just shows poor understanding of the base product (*)

z/secure? We don't need no stinking z/secure!

(*) that' s the politically correct wording for ignorance