vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1742 Location: Tirupur, India
Hello,
We have a RACF profile with the name NEWPROF. We need to find the list of resources this NEWPROF RACF profile allows access to.
I am a newbie with RACF and this may be a basic question.
When I issue TSO LG NEWPROF it lists the superior group and the users connected to the profile, but it does not have the resources list.
Could you please let me know how to get this, or do I need to read the concepts first?
Regards,
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
- Since you are using the LG (LISTGRP) command to list NEWPROF, it is a group, not a profile. A RACF profile defines the users and groups that can access a resource. A group serves two purposes:
  - It defines a group of users.
  - It is an anchor, of sorts, for data set profiles for which the high level qualifier is not a user. For example, I'd bet your shop has a SYS1 group for the profiles that define access to SYS1 data sets.
  You should attempt to use the correct terminology.
- If you are asking which profiles group xxx can access, there does not seem to be any way to get this from RACF. If I were charged with retrieving this information I would "dump" the RACF data base and analyze the dump; something that would require a great deal of analysis and research.
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1742 Location: Tirupur, India
Hi Steve, thank you for your input. The name contained PROF and I assumed it was a RACF profile. Also, not to mention, I am new to RACF and still grasping the terminology.
I will check tomorrow if that is a group.
Thanks again,
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
Quote:
> When I issue TSO LG NEWPROF it lists the superior group, and users connected to the profile.
You already said it's a group; you used LG to list it. "Superior group" is only listed by LG.
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
RACF 101
A RACF "resource" is a named something. A data set, for example, can be a RACF resource.
Generically, there are two types of resources: data sets and "general" resources, which can be almost anything else. "General" resources can be a pain in the neck since documentation is scattered, especially for installation defined resources.
A "profile" defines access to a resource.
Now let's examine this access -
Code:
listdsd da('sys1.linklib') generic authuser
INFORMATION FOR DATASET SYS1.** (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1     READ              NO       NO

AUDITING
--------
FAILURES(ALTER)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
   READ         SYSPROG        NON-VSAM

NO INSTALLATION DATA

SECURITY LEVEL
------------------------------------------
NO SECURITY LEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

   ID      ACCESS
--------  -------
SYSPROG   ALTER
SYSPROC   ALTER

   ID      ACCESS   CLASS    ENTITY NAME
--------  -------  --------  ----------------------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
READY
You use the RACF LISTDSD command to list accesses to either a data set profile or a data set resource. The LISTDSD command in the example specifies a resource.
There are two types of data set profiles.
- Discrete - A "discrete" profile specifies access to a unique data set.
- Generic - A "generic" profile specifies access to a data set resource regardless of where it is located unless it is also protected by a discrete profile.
The LISTDSD command specified GENERIC to list the generic profile. If you do not specify GENERIC the command will attempt to find the discrete profile for the resource, which usually results in NO RACF DESCRIPTION FOUND FOR SYS1.LINKLIB.
INFORMATION FOR DATASET SYS1.** (G)
SYS1.** is the actual profile, and (G) indicates it is a generic profile.
Code:
UNIVERSAL ACCESS
----------------
READ
"Universal access," also known as UACC, specifies the data set access authorized when the user's access cannot be determined by using the access list.
Code:
   ID      ACCESS
--------  -------
SYSPROG   ALTER
SYSPROC   ALTER
This is the access list. The ID is a RACF group or an actual user id. "Access" is a code, but it does not mean what is commonly accepted by the term, especially for general resources.
- ALTER – The user can allocate and delete resources identified by the profile.
- CONTROL – This is used with VSAM; the user has "control interval" access to the resource.
- UPDATE – The user can update the contents of the resource.
- READ – The user can read the resource.
- NONE – The user cannot use the resource.
These access codes are also used for universal access.
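To make the LISTDSD fields in the RACF 101 post concrete, here is an added Python example (not from the post, and not IBM code) that parses the UACC and the standard access list out of LISTDSD output like the one shown and resolves the access a user ends up with. It assumes the RACF evaluation order as described in the post (an explicit user entry, then the best entry among the user's connected groups, then UACC as the fallback) and an ascending authority ordering NONE < READ < UPDATE < CONTROL < ALTER; the sample output is constructed from the post.

```python
import re
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # ascending; assumed RACF ordering

# Constructed sample: the parts of the LISTDSD output in the post that matter here.
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET SYS1.** (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1     READ              NO       NO

   ID      ACCESS
--------  -------
SYSPROG   ALTER
SYSPROC   ALTER

   ID      ACCESS   CLASS    ENTITY NAME
--------  -------  --------  ------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
"""

def parse_listdsd(text):
    """Return (profile, uacc, access_list) parsed from LISTDSD output."""
    lines, profile, uacc, acl, i = text.splitlines(), None, None, {}, 0
    while i < len(lines):
        line = lines[i].strip()
        m = re.match(r"INFORMATION FOR DATASET (\S+)", line)
        if m:
            profile = m.group(1)
        elif line.startswith("LEVEL") and "UNIVERSAL ACCESS" in line:
            uacc = lines[i + 2].split()[2]      # value row follows the dashes row
        elif line.split() == ["ID", "ACCESS"]:  # standard list only, not the conditional one
            i += 2                              # skip header and dashes rows
            while i < len(lines) and lines[i].strip():
                ident, access = lines[i].split()
                acl[ident] = access
                i += 1
            continue
        i += 1
    return profile, uacc, acl

def effective_access(user, groups, uacc, acl):
    """Assumed RACF order: explicit user entry (even NONE) wins, then the highest group entry, then UACC."""
    if user in acl:
        return acl[user]
    hits = [acl[g] for g in groups if g in acl]
    return max(hits, key=ACCESS_ORDER.index) if hits else uacc

def allows(granted, requested):  # does the granted authority cover the requested one?
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(requested)
```

Note that an explicit NONE entry on the list beats a permissive UACC, which is the usual way to carve one ID out of a profile that otherwise grants READ to everyone.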
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1742 Location: Tirupur, India
Thank you Steve for the 101 and for explaining it in layman's terms. It is certainly helpful.
The NEWPROF which I was mentioning was indeed a group.
Regards,
Vasanth.S
David Robinson
Active User
Joined: 21 Dec 2011 Posts: 199 Location: UK
Despite the confusion over the terminology (group / profile) the OP's question is still valid: how do you tell what resources the group has access to?
This is not easily determined from RACF. Do you have any of the add-on tools, such as Vanguard or zSecure, both of which provide this sort of cross referencing?
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
David Robinson wrote:
> Despite the confusion over the terminology (group / profile) the OP's question is still valid: how do you tell what resources the group has access to?
> This is not easily determined from RACF. Do you have any of the add-on tools, such as Vanguard or zSecure, both of which provide this sort of cross referencing?
I had access to Vanguard RACF Administrator (the proper name for the "Vanguard" Mr. Robinson mentioned) for a while back in the 1990s during my first stint doing RACF admin work, but I didn't know - then - that VRA had the capability. Believe me, I researched that, too!
I'm not familiar with zSecure - in fact until Mr. Robinson's post I had never heard of it.
As Mr. Robinson says, determining what profiles (as opposed to resources) a user or group can access is not easy with straight RACF. One would have to "dump" the RACF data base and analyze it to determine this information; a project that would require considerable analysis and research. Better to buy VRA or zSecure!
HTH
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10872 Location: italy
Why not look at the manuals to find out about the RACF cross-reference utility (IRRUT100)?
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
IRRUT100 - another utility I was not familiar with. You can read about it in the Security Server RACF System Programmer's Guide for your z/OS release.
I did a trial run. It reports more than just profile access, but that may be just what you want!
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1742 Location: Tirupur, India
Thank you Enrico. One of my smart colleagues also came up with the same utility and this JCL worked. Thanks David and Steve.
Code:
//* IRRUT100: cross-reference every occurrence of the IDs listed in SYSIN
//STEP     EXEC PGM=IRRUT100
//* SYSUT1 is a temporary work data set used by the utility
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//* the cross-reference report goes to SYSPRINT
//SYSPRINT DD SYSOUT=*
//* one user or group ID per line in SYSIN
//SYSIN    DD *
NEWPROF
/*