Re: [EXTERNAL] Re: Profiles specific to user
Ahhh, SORT is my kryptonite..

– Vignesh
Mainframe Infrastructure

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Elardus Engelbrecht
Sent: 09 November 2018 09:17
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: Profiles specific to user

Sankaranarayanan, Vignesh wrote:

>Thanks for this.. can this be updated to add accesses available through UACC?

No. That type of info is in the base part of the profile. Look in unloaded record type 0400 for datasets this field DSBD_UACC and adjust the ICETOOL job for that.

Look in this below URL for 'Security Server RACF Macros and Interfaces' for the record layout of the unloaded records.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.icha300/toc.htm

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

MARKSANDSPENCER.COM

Unless otherwise stated above: Marks and Spencer plc Registered Office: Waterside House 35 North Wharf Road London W2 1NW Registered No. 214436 in England and Wales. Telephone (020) 7935 4422 Facsimile (020) 7487 2670 www.marksandspencer.com Please note that electronic mail may be monitored. This e-mail is confidential. If you received it by mistake, please let us know and then delete it from your system; you should not copy, disclose, or distribute its contents to anyone nor act in reliance on this e-mail, as this is prohibited and may be unlawful.
Re: [EXTERNAL] Re: Profiles specific to user
Sankaranarayanan, Vignesh wrote:

>Thanks for this.. can this be updated to add accesses available through UACC?

No. That type of info is in the base part of the profile. Look in unloaded record type 0400 for datasets this field DSBD_UACC and adjust the ICETOOL job for that.

Look in this below URL for 'Security Server RACF Macros and Interfaces' for the record layout of the unloaded records.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.icha300/toc.htm

Groete / Greetings
Elardus Engelbrecht
Re: [EXTERNAL] Re: Profiles specific to user
Thanks for this.. can this be updated to add accesses available through UACC?

– Vignesh
Mainframe Infrastructure

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Elardus Engelbrecht
Sent: 08 November 2018 15:29
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Profiles specific to user

Sankaranarayanan, Vignesh wrote:

>Thanks all, so we've roughly come to the same answer, i.e., processing DBU00 using SORT/ICETOOL/REXX or Nigel's utilities..
>Will wait to hear from Elardus on whether he can share his sweet pre-existing REXX

Sorry that you have to wait 1000 years, but I got tied up with 1001 things ...

Not that 'sweet' ... ;-)

Here is a sample one for Datasets. This one selects ALL profiles for two ids/group:

//SELECT   EXEC PGM=ICETOOL
//TOOLMSG  DD SYSOUT=*
//DFSMSG   DD SYSOUT=*
//PRINT    DD SYSOUT=*
//DBUDATA  DD DISP=SHR,DSN=RACF.UNLOAD
//TEMP0001 DD DISP=(NEW,DELETE,DELETE),SPACE=(CYL,(20,5,0)),
//            UNIT=3390
//TOOLIN   DD *
  SORT FROM(DBUDATA) TO(TEMP0001) USING(RACF)
  DISPLAY FROM(TEMP0001) LIST(PRINT) -
          PAGE -
          TITLE('DATASET ACCESS LIST') -
          DATE(4MD/) -
          TIME(24:) -
          BLANK -
          ON(62,8,CH) HEADER('ID') -
          ON(71,8,CH) HEADER('ACCESS') -
          ON(10,44,CH) HEADER('PROFILE NAME')
//* The C'' literals in INCLUDE below are where the two ids/group go
//RACFCNTL DD *
  SORT FIELDS=(10,44,CH,A,10,62,CH,A)
  INCLUDE COND=(5,4,CH,EQ,C'0404',AND,
               (62,8,CH,EQ,C'',OR,
                62,8,CH,EQ,C''))
  OPTION VLSHRT
//

Another sample, but for General Resources with selection of a single id:

//SELECT   EXEC PGM=ICETOOL
//TOOLMSG  DD SYSOUT=*
//DFSMSG   DD SYSOUT=*
//PRINT    DD SYSOUT=*
//DBUDATA  DD DISP=SHR,DSN=RACF.UNLOAD
//TEMP0001 DD DISP=(NEW,DELETE,DELETE),SPACE=(CYL,(20,5,0)),
//            UNIT=3390
//TOOLIN   DD *
  SORT FROM(DBUDATA) TO(TEMP0001) USING(RACF)
  DISPLAY FROM(TEMP0001) LIST(PRINT) -
          PAGE -
          TITLE('GEN RESOURCES ACCESS LIST') -
          DATE(4MD/) -
          TIME(24:) -
          BLANK -
          ON(266,8,CH) HEADER('ID') -
          ON(275,8,CH) HEADER('ACCESS') -
          ON(257,8,CH) HEADER('CLASS') -
          ON(10,80,CH) HEADER('PROFILE NAME')
//* The C'' literal in INCLUDE below is where the single id goes
//RACFCNTL DD *
  SORT FIELDS=(10,246,CH,A,10,266,CH,A)
  INCLUDE COND=(5,4,CH,EQ,C'0505',AND,266,7,CH,EQ,C'')
  OPTION VLSHRT
//

You can insert your own selection for Class, profiles, etc. Just check the length of the profile name in this example.

HTH!

Groete / Greetings
Elardus Engelbrecht
Re: [EXTERNAL] Re: Profiles specific to user
Sankaranarayanan, Vignesh wrote:

>Thanks all, so we've roughly come to the same answer, i.e., processing DBU00 using SORT/ICETOOL/REXX or Nigel's utilities..
>Will wait to hear from Elardus on whether he can share his sweet pre-existing REXX

I lost/overwritten my REXX, so that is not 'sweet' from me... ;-)

... but still have ICETOOL jobs which you can use it.

I will come back to you with some samples...

Groete / Greetings
Elardus Engelbrecht
Re: [EXTERNAL] Re: Profiles specific to user
Thanks all, so we've roughly come to the same answer, i.e., processing DBU00 using SORT/ICETOOL/REXX or Nigel's utilities..
Will wait to hear from Elardus on whether he can share his sweet pre-existing REXX

– Vignesh
Mainframe Infrastructure

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Walt Farrell
Sent: 03 November 2018 22:07
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Profiles specific to user

On Sat, 3 Nov 2018 15:00:01 -0500, Mike Cairns wrote:

>Unfortunately the SEARCH command only applies to the user executing the command. Returning the profiles that *you*, the executing user, have access to. I think what Vignesh is asking for is a list of the profiles for a given user when asking the question as an administrator.

I think you're forgetting the USER(userID) parameter on SEARCH, Mike:

USER(userid)
Specifies that RACF is to list the profiles that the specified user has access to (READ authority or higher, or owner) for the class you specify on the CLASS operand. RACF lists only those profiles that the specified owner is allowed to see.

Nonetheless, I agree with you that using IRRDBU00 is a better approach, as SEARCH does not tell you -what- access the user has, nor -why- he has it. Generating a report based on IRRDBU00 output can tell you both of those, though you do need to perform the additional processing to include accesses based on the user's groups and UACC.

--
Walt
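
The additional processing Walt describes (a user's own entries, the user's groups, and UACC from the 0400 field Elardus points to), as an added example that is not part of any post in this thread. It assumes the IRRDBU00 output is available as text lines with the 4-byte RDW removed; the 0205 and 0400 column positions are assumptions to verify against the record layout manual, the function names are hypothetical, and the sample records are constructed.

```python
# Added example. Columns are 1-based WITHOUT the 4-byte RDW; the ICETOOL
# positions in the thread are these plus 4. The 0404 columns follow the thread's
# job; the 0205 and 0400 columns are assumptions to check against the manual.
USCON_NAME, USCON_GRP_ID = (6, 13), (15, 22)      # 0205 user connect
DS_NAME = (6, 49)                                 # 0400 and 0404 profile name
DSBD_UACC = (129, 136)                            # 0400 basic data
DSACC_AUTH_ID, DSACC_ACCESS = (58, 65), (67, 74)  # 0404 access list

def field(rec, span):
    """Extract and trim one fixed-position field."""
    return rec[span[0] - 1:span[1]].strip()

def access_sources(records, user):
    """Return sorted (profile, access, via) rows: what access and why."""
    groups = {field(r, USCON_GRP_ID) for r in records
              if r[:4] == "0205" and field(r, USCON_NAME) == user}
    labels = {g: "GROUP " + g for g in groups}
    labels.update({user: "USER", "*": "ID(*)"})
    rows = []
    for r in records:
        if r[:4] == "0404":
            who = field(r, DSACC_AUTH_ID)
            if who in labels:
                rows.append((field(r, DS_NAME), field(r, DSACC_ACCESS), labels[who]))
        elif r[:4] == "0400" and field(r, DSBD_UACC) not in ("", "NONE"):
            rows.append((field(r, DS_NAME), field(r, DSBD_UACC), "UACC"))
    return sorted(rows)

def make(rtype, **cols):
    """Build a constructed sample record; keys are 'c<start column>'."""
    rec = list(rtype.ljust(140))
    for key, value in cols.items():
        start = int(key[1:]) - 1
        rec[start:start + len(value)] = value
    return "".join(rec)

SAMPLE = [  # constructed records, not taken from a real RACF database
    make("0205", c6="USER01", c15="PAYGRP"),
    make("0400", c6="PAY.PROD.**", c129="READ"),
    make("0404", c6="PAY.PROD.**", c58="PAYGRP", c67="UPDATE"),
    make("0404", c6="PAY.TEST.**", c58="USER01", c67="ALTER"),
    make("0400", c6="PAY.TEST.**", c129="NONE"),
    make("0404", c6="SYS1.**", c58="OTHER", c67="READ"),
]

if __name__ == "__main__":
    for row in access_sources(SAMPLE, "USER01"):
        print("%-44s %-8s %s" % row)
```

The report lists every source of access separately and does not decide which one RACF would apply; an explicit NONE entry for the user or a group is kept in the output for that reason.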