RACF profile access

 
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1445
Location: Azeroth

Posted: Fri Sep 23, 2016 5:51 am    Post subject: RACF profile access

Hello,

We have a RACF profile with the name NEWPROF. We need to find the list of resources this NEWPROF RACF profile allows access to.

I am a newbie with RACF and this may be a basic question.

When I issue TSO LG NEWPROF it lists the superior group, and users connected to the profile. But it does not have the resources list.

Could you please let me know how to get this? Or do I need to read the concepts first?

Regards,

steve-myers

Active User


Joined: 30 Nov 2013
Posts: 461
Location: The Universe

Posted: Fri Sep 23, 2016 10:06 am

  1. Since you are using the LG (LISTGRP) command to list NEWPROF, it is a group, not a profile. A RACF profile defines the users and groups that can access a resource. A group serves two purposes:
    1. It defines a group of users.
    2. It is an anchor, of sorts, for data set profiles for which the high level qualifier is not a user. For example, I'd bet your shop has a SYS1 group for the profiles that define access to SYS1 data sets.
    You should attempt to use the correct terminology.
  2. If you are asking which profiles group xxx can access, there does not seem to be any way to get this from RACF. If I were charged with retrieving this information I would "dump" the RACF data base and analyze the dump; something that would require a great deal of analysis and research.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1445
Location: Azeroth

Posted: Fri Sep 23, 2016 10:50 am

Hi Steve, Thank you for your input. The name contained PROF and I assumed it was a RACF profile. Also not to mention I am new to RACF and grasping terminologies.

I will check tomorrow if that is a group.

Thanks again,
steve-myers

Active User


Joined: 30 Nov 2013
Posts: 461
Location: The Universe

Posted: Fri Sep 23, 2016 11:16 pm

Quote:
When I issue TSO LG NEWPROF it lists the superior group, and users connected to the profile.

You already said it's a group; you used LG to list it. "Superior group" is only listed by LG.
steve-myers

Active User


Joined: 30 Nov 2013
Posts: 461
Location: The Universe

Posted: Mon Sep 26, 2016 8:49 am

RACF 101

A RACF "resource" is a named something. A data set, for example, can be a RACF resource.

Generically, there are two types of resources: data sets and "general" resources, which can be almost anything else. "General" resources can be a pain in the neck since documentation is scattered, especially for installation defined resources.

A "profile" defines access to a resource.

Now let's examine this access -
Code:
listdsd da('sys1.linklib') generic authuser
 INFORMATION FOR DATASET SYS1.** (G)

 LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
 -----  -------- ----------------   -------   -----
  00    SYS1            READ          NO      NO

 AUDITING
 --------                                                                     
 FAILURES(ALTER)

 NOTIFY
 --------
 NO USER TO BE NOTIFIED

 YOUR ACCESS  CREATION GROUP  DATASET TYPE
 -----------  --------------  ------------
    READ         SYSPROG        NON-VSAM

 NO INSTALLATION DATA

               SECURITY LEVEL
 ------------------------------------------
 NO SECURITY LEVEL

 CATEGORIES
 ----------
 NO CATEGORIES

 SECLABEL
 --------
 NO SECLABEL

    ID     ACCESS
 --------  -------
 SYSPROG    ALTER
 SYSPROC    ALTER

    ID    ACCESS   CLASS                ENTITY NAME
 -------- ------- -------- ----------------------------------------------------
 NO ENTRIES IN CONDITIONAL ACCESS LIST
 READY
You use the RACF LISTDSD command to list accesses to either a data set profile or a data set resource. The LISTDSD command in the example specifies a resource.

There are two types of data set profiles.
  • Discrete - A "discrete" profile specifies access to a unique data set.
  • Generic - A "generic" profile specifies access to a data set resource regardless of where it is located unless it is also protected by a discrete profile.
The LISTDSD command specified GENERIC to list the generic profile. If you do not specify GENERIC the command will attempt to find the discrete profile for the resource, which usually results in NO RACF DESCRIPTION FOUND FOR SYS1.LINKLIB.

INFORMATION FOR DATASET SYS1.** (G)

SYS1.** is the actual profile, and (G) indicates it is a generic profile.

Code:
UNIVERSAL ACCESS
----------------
       READ
"Universal access," also known as UACC, specifies the data set access authorized when the user's access cannot be determined by using the access list.
Code:
   ID     ACCESS
--------  -------
SYSPROG    ALTER
SYSPROC    ALTER
This is the access list. The ID is a RACF group or an actual user id. "Access" is a code, but it does not mean what is commonly accepted by the term, especially for general resources.
  • ALTER – The user can allocate and delete resources identified by the profile.
  • CONTROL – This is used with VSAM; the user has “control interval” access to the resource.
  • UPDATE – The user can update the contents of the resource.
  • READ – The user can read the resource.
  • NONE – The user cannot use the resource.
These access codes are also used for universal access.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1445
Location: Azeroth

Posted: Tue Sep 27, 2016 2:11 am

Thank you Steve for the 101 and explaining it in layman's terms. It is certainly helpful.

The NEWPROF which I was mentioning was indeed a group.

Regards,
Vasanth.S
David Robinson

Active User


Joined: 21 Dec 2011
Posts: 175
Location: UK

Posted: Tue Sep 27, 2016 7:08 pm    Post subject: Reply to: RACF profile access

Despite the confusion over the terminology (group / profile) the OP's question is still valid - how do you tell what resources the group has access to.

This is not easily determined from RACF. Do you have any of the add on tools, such as Vanguard or zSecure, both of which provide this sort of cross referencing?
steve-myers

Active User


Joined: 30 Nov 2013
Posts: 461
Location: The Universe

Posted: Tue Sep 27, 2016 8:25 pm    Post subject: Re: Reply to: RACF profile access

David Robinson wrote:
Despite the confusion over the terminology (group / profile) the OP's question is still valid - how do you tell what resources the group has access to.

This is not easily determined from RACF. Do you have any of the add on tools, such as Vanguard or zSecure, both of which provide this sort of cross referencing?

I had access to Vanguard RACF Administrator (the proper name for the "Vanguard" Mr. Robinson mentioned) for a while back in the 1990s during my first stint doing RACF admin work, but I didn't know - then - that VRA had the capability. Believe me, I researched that, too!

I'm not familiar with zSecure - in fact until Mr. Robinson's post I had never heard of it.

As Mr. Robinson says, trying to determine what profiles (as opposed to resources) a user or group can access is not easily determined with straight RACF. One would have to "dump" the RACF data base and analyze it to determine this information; a project that would require considerable analysis and research. Better to buy VRA or zSecure!

HTH
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10202
Location: italy

Posted: Tue Sep 27, 2016 8:38 pm    Post subject: Reply to: RACF profile access

why not look at the manuals to find out about the
RACF cross-reference utility (IRRUT100)
steve-myers

Active User


Joined: 30 Nov 2013
Posts: 461
Location: The Universe

Posted: Tue Sep 27, 2016 8:57 pm

IRRUT100 - Another utility I was not familiar with. You can read about it in Security Server RACF System Programmer's Guide for your z/OS release.

I did a trial run. It reports more than just profile access, but that may be just what you want!
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10202
Location: italy

Posted: Tue Sep 27, 2016 9:06 pm    Post subject: Reply to: RACF profile access

look at the downloads provided here
http://www-03.ibm.com/systems/z/os/zos/features/racf/downloads/
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1445
Location: Azeroth

Posted: Tue Sep 27, 2016 9:45 pm

Thank you Enrico. One of my smart colleagues also came up with the same utility and this JCL worked. Thanks David and Steve.

Code:
//STEP EXEC PGM=IRRUT100                 
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SYSPRINT DD SYSOUT=*                   
//SYSIN DD *                             
 NEWPROF                                 
/*       
All times are GMT + 6 Hours