ACF2

  • 1.  List the members of Roles with names, integrating sub-roles

    Posted Feb 20, 2019 09:54 AM

    Does anyone have something to do this?  I need to "explode" the roles, integrate any included roles, and list the role members with their names.



  • 2.  Re: List the members of Roles with names, integrating sub-roles
    Best Answer

    Broadcom Employee
    Posted Feb 20, 2019 01:15 PM

    Hi Barry,

    There is no canned report available for this request.

    You may want to look at ACFESAGE and possibly use a REXX to read the records. The SAGEREC records are 0490/0491/0492.

    You could then read the 0200 records to associate a name with a logonid.

    regards,

    Ross



  • 3.  Re: List the members of Roles with names, integrating sub-roles

    Posted Mar 11, 2019 07:11 AM

    Ross,

    The problem is that the Role implementation is overly complex.  Logonid masks can be used to include users, Logonids or their masks can be used to exclude users, Roles can be composed of Roles. 

    So, it is not as simple as reading the records from the ESAGE output.

    Barry
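
    The three complications named above (logonid masks in INCLUDE, masks in EXCLUDE, and roles that include other roles) are what any home-grown "explode" has to handle, so here is a worked expansion as an added example. It is not code from the thread or from CA/Broadcom: it parses INSERT commands in the same shape as the sample definitions given later in this thread, adds two constructed records (ZZROL4, ZZGRP3) to exercise a mask and EXCLUDE lists, and uses a constructed logonid-to-name table in place of the 0200 records. The masking rules ('*' matches one character, '-' matches any run of characters), the rule that an INCLUDE entry naming another record is a nested role/group and anything else is a logonid mask, and the choice to apply EXCLUDE to the whole expanded membership are all assumptions, stated in the code.

```python
"""Explode ACF2 XREF(ROL) records into logonids with names (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed logonid-to-name table, standing in for the 0200 records / USERINFO.
LOGONIDS: Dict[str, str] = {
    "ZZLID1": "ALICE ADAMS", "ZZLID2": "BOB BAKER", "ZZLID3": "CAROL CHEN",
    "ZZLID4": "DAN DIAZ", "ZZLID5": "EVE EVANS", "ZZLID6": "FRANK FOX",
    "ZZTST1": "TEST ID 1",
}

# The thread's sample XREF(ROL) definitions plus two constructed records
# (ZZROL4, ZZGRP3) that use a logonid mask and EXCLUDE lists.
XREF_COMMANDS = """\
SET XREF(ROL)
INSERT ZZROL1 INCLUDE(ZZLID1,ZZLID2) ROLE
INSERT ZZROL2 INCLUDE(ZZLID2,ZZLID3) ROLE
INSERT ZZROL3 INCLUDE(ZZLID4,ZZLID5) ROLE
INSERT ZZROL4 INCLUDE(ZZ-) EXCLUDE(ZZLID4,ZZTST*) ROLE
INSERT ZZGRP1 INCLUDE(ZZROL1,ZZROL2) GROUP
INSERT ZZGRP2 INCLUDE(ZZROL2,ZZROL3) GROUP
INSERT ZZGRP3 INCLUDE(ZZROL4,ZZGRP1) EXCLUDE(ZZLID1) GROUP
INSERT ZZSGRP INCLUDE(ZZGRP1,ZZGRP2) GROUP
"""

# Constructed cycle, to show the guard in explode() firing.
CYCLE_COMMANDS = """\
INSERT CYCGRP1 INCLUDE(CYCGRP2) GROUP
INSERT CYCGRP2 INCLUDE(CYCGRP1) GROUP
"""

Path = Tuple[str, ...]


@dataclass
class XrefRecord:
    name: str
    rtype: str                                   # "ROLE" or "GROUP"
    include: List[str] = field(default_factory=list)
    exclude: List[str] = field(default_factory=list)


INSERT_RE = re.compile(
    r"INSERT\s+(\S+)\s+INCLUDE\(([^)]*)\)(?:\s+EXCLUDE\(([^)]*)\))?\s+(ROLE|GROUP)\b"
)


def split_entries(entries: str) -> List[str]:
    return [e.strip() for e in entries.split(",") if e.strip()]


def parse_xref(text: str) -> Dict[str, XrefRecord]:
    """Parse INSERT lines in the shape the thread's data uses; other lines are ignored."""
    records: Dict[str, XrefRecord] = {}
    for line in text.splitlines():
        m = INSERT_RE.search(line)
        if m:
            name, inc, exc, rtype = m.groups()
            records[name] = XrefRecord(name, rtype, split_entries(inc), split_entries(exc or ""))
    return records


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """ACF2 masking as assumed here: '*' matches one character, '-' any run of characters."""
    parts = ["." if c == "*" else ".*" if c == "-" else re.escape(c) for c in mask]
    return re.compile("".join(parts) + r"\Z")


def match_lids(mask: str, lids) -> set:
    rx = mask_to_regex(mask)
    return {lid for lid in lids if rx.match(lid)}


def explode(name: str, records: Dict[str, XrefRecord], lids, stack: Path = ()) -> Dict[str, Path]:
    """Return {logonid: path} for every logonid that ends up in role/group `name`.

    An INCLUDE entry naming another record is expanded recursively; anything else
    is a logonid mask. EXCLUDE masks are applied to the record's whole expanded
    membership (an assumption about ACF2 semantics). Cycles raise ValueError.
    """
    if name in stack:
        raise ValueError("role cycle: " + " -> ".join(stack + (name,)))
    members: Dict[str, Path] = {}
    for entry in records[name].include:
        if entry in records:
            for lid, path in explode(entry, records, lids, stack + (name,)).items():
                members.setdefault(lid, (name,) + path)   # keep the first path seen
        else:
            for lid in sorted(match_lids(entry, lids)):
                members.setdefault(lid, (name,))
    for entry in records[name].exclude:
        for lid in match_lids(entry, lids):
            members.pop(lid, None)
    return members


def members_with_names(name: str, records, lids: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Sorted (logonid, name, path) rows; the path shows which nested record pulled the LID in."""
    return sorted((lid, lids.get(lid, "<no 0200 record>"), ">".join(path))
                  for lid, path in explode(name, records, lids).items())


if __name__ == "__main__":
    recs = parse_xref(XREF_COMMANDS)
    for top in ("ZZSGRP", "ZZGRP3"):
        print(f"--- {top} ---")
        for lid, who, path in members_with_names(top, recs, LOGONIDS):
            print(f"{lid:<10}{who:<14}{path}")
```

    Run it as a script to see ZZSGRP explode to ZZLID1 through ZZLID5 with the group/role chain that brought each one in, and ZZGRP3 lose ZZLID4 and ZZTST1 to the role-level EXCLUDE and ZZLID1 to the group-level one. The cycle guard matters in practice: a group that (transitively) includes itself would otherwise recurse until the stack is exhausted.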



  • 4.  Re: List the members of Roles with names, integrating sub-roles

    Broadcom Employee
    Posted Mar 20, 2019 02:48 PM

    Hi Barry,

     

    The Compliance Information Analysis (CIA) component that is available to all CA ACF2 customers provides additional options which you can use to accomplish your desired results.  https://docops.ca.com/ca-acf2-for-z-os/16-0/en/auditing-and-compliance/implement-compliance-information-analysis 

     

    CIA provides very useful out-of-the-box reports, sample queries and service functions. Beyond these out-of-the-box options, users are often amazed at what they can accomplish, and the productivity gains they can realize by leveraging CIA’s advanced capabilities with just a small investment in time. Let’s take your use case as an example:

     

    If the CIA database is installed and uses CA Datacom, you can use the following JCL to create a file which you can import directly into an Excel workbook. Then, using Excel filtering capabilities, it is very easy to see all LIDs defined under a role. If the role is a group role, the list of LIDs under the intermediate roles is handled.   

     

    //STEP01   EXEC PGM=DBSQLPR
    //STEPLIB  DD  DISP=SHR,DSN=PRODUCT.CIA60RT.CIAMUF.CUSLIB
    //         DD  DISP=SHR,DSN=PRODUCT.CEM60PR.CAAXLOAD
    //SYSPRINT DD  SYSOUT=*
    //STDERR   DD  SYSOUT=*
    //STDOUT   DD  SYSOUT=*
    //OPTIONS  DD  *
    -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  - 10 Line(s) not Displayed
    SQUISH
    DATASEPARATOR=,
    //SYSIN    DD  *
      SELECT SYSID,USERID,ROLEID,ROLSYSID,ROLETYPE FROM CIADB01.ROLEXREF;

     

    In the following screen shot, we take the output above from Excel and filter on the ZZSGRP ROLE to see all the LIDs contained under this role (including via sub groups).

     

    In the following screen shot, we filter on LID ZZLID8 and see the various ROLEs it is defined under. Note that we can also see any UID masks used in rules for which the UID string of ZZLID8 matches. 

     

     

    You can leverage some of CIA’s capabilities without actually creating the database or fussing with SQL. To do so, make a copy of the acf2lib.CAX1JCL0(CIAUNLD) job and add a step that uses REXX to extract the information. The acf2lib.CAX1JCL0(CIA4DBLD) job has the required information to understand the record layout for creating the sample JCL and REXX:

     

    //UNLRX    EXEC PGM=IKJEFT01,REGION=2M
    //SYSPROC  DD  DSN=BROJA17.ACF2.CNTL,DISP=SHR
    //UNLOAD   DD  DISP=SHR,DSN=&HLQ..UNLOAD
    //OUTFILE  DD  DSN=BROJA17.RX0400,DISP=OLD
    //SYSTSPRT DD  SYSOUT=*
    //SYSTSIN  DD *
    RX0400
    //

    /*REXX*/
    /* Read the CIAUNLD output (UNLOAD DD) into the stem UNLREC. and write */
    /* a CSV of the RX0400 role cross-reference records to the OUTFILE DD. */
    "execio * diskr" UNLOAD "(stem unlrec. finis"
    outline.1 = "SYSID,USERID,ROLEID,ROLESYSID,ROLETYPE"   /* CSV header line */
    outline.0 = 1
    do i = 1 to unlrec.0
       select
          when substr(unlrec.i,1,8) = "RX0400  "  then do  /* record type in cols 1-8 */
             sysid       = strip(substr(unlrec.i,9+2,8))
             userid      = strip(substr(unlrec.i,19+2,24))
             roleid      = strip(substr(unlrec.i,45+2,24))
             rolesysid   = strip(substr(unlrec.i,71,8))
             roletype    = strip(substr(unlrec.i,79,1))
             prtline = sysid||','||userid||','||roleid||',' ,
                ||rolesysid||','||roletype
             p = outline.0 + 1
             outline.p = prtline
             outline.0 = p
          end
          otherwise nop                                   /* ignore all other record types */
        end
     end
     "execio * diskw" OUTFILE "(stem outline. finis"
     exit(0)

     

    In the previous example, the ROLEXREF CIA table was leveraged to show all LIDS under a role. The ROLEINFO and ROLEREC have additional information related to the use case from this post. Like the above examples, you can do a select from the ROLEREC table and import the results into a spreadsheet. Doing so simplifies the analysis of the hierarchy of LIDS, ROLES and GROUPS. If the CIA database was created using DB2, you can use advanced SQL like below to recreate the hierarchy. In the sample SQL below, we start with a GROUP and expand all the GROUPS, ROLES and LIDS under it.       

     

      WITH RC (ROLEID, ROLETYPE, ROLEMASK, INCLEXCL) AS
      (
       SELECT ROOT.ROLEID, ROOT.ROLETYPE, ROOT.ROLEMASK, ROOT.INCLEXCL
       FROM CIADB01.ROLEREC ROOT
       WHERE ROOT.ROLEID   = 'ZZSGRP'
          AND ROOT.SYSID  = 'DE30'
       UNION ALL
       SELECT CHILD.ROLEID, CHILD.ROLETYPE, CHILD.ROLEMASK, CHILD.INCLEXCL
       FROM   RC PARENT, CIADB01.ROLEREC CHILD
       WHERE CHILD.ROLEID = PARENT.ROLEMASK
      )

      SELECT RC.ROLEID, RC.ROLEMASK, RC.ROLETYPE, RC.INCLEXCL,
             UI.USERID, UI.NAME
      FROM  RC LEFT JOIN  CIADB01.USERINFO AS UI
            ON RC.ROLEMASK = UI.USERID
      ;

     

    The following sample shows the output from the above query. In this query, we specified to start with ROLE ZZSGRP and to see all the roles that are defined under it, as well as the LIDs. We see all the LIDS (similar to the first screen shot above), but here we also see the intermediate roles.

    ROLEID                    ROLEMASK  ROLETYPE  INCLEXCL  USERID
    ---------+---------+---------+---------+---------+---------+---
    ZZSGRP                    ZZGRP1    G         I         -------
    ZZSGRP                    ZZGRP2    G         I         -------
    ZZROL1                    ZZLID1    R         I         ZZLID1
    ZZROL1                    ZZLID2    R         I         ZZLID2
    ZZROL2                    ZZLID2    R         I         ZZLID2
    ZZROL2                    ZZLID2    R         I         ZZLID2
    ZZROL2                    ZZLID3    R         I         ZZLID3
    ZZROL2                    ZZLID3    R         I         ZZLID3
    ZZROL3                    ZZLID4    R         I         ZZLID4
    ZZROL3                    ZZLID5    R         I         ZZLID5
    ZZGRP1                    ZZROL1    G         I         -------
    ZZGRP1                    ZZROL2    G         I         -------
    ZZGRP2                    ZZROL2    G         I         -------
    ZZGRP2                    ZZROL3    G         I         -------

     

    The data for the above example:

     

    SET XREF(ROL)
    INSERT ZZROL1 INCLUDE(ZZLID1,ZZLID2) ROLE
    INSERT ZZROL2 INCLUDE(ZZLID2,ZZLID3) ROLE
    INSERT ZZROL3 INCLUDE(ZZLID4,ZZLID5) ROLE
    INSERT ZZGRP1 INCLUDE(ZZROL1,ZZROL2) GROUP
    INSERT ZZGRP2 INCLUDE(ZZROL2,ZZROL3) GROUP
    INSERT ZZSGRP INCLUDE(ZZGRP1,ZZGRP2) GROUP

     

    It is difficult to explain all the various possibilities using CIA in this post, as there are several options available and variations of how to implement those options. The options depend on whether the CIA database is installed and, if so, whether DB2 or CA Datacom was used to define the repository. 

     

    If there is any interest in further details about how CIA can be used (from yourself or anyone in the Communities), we can provide additional details in a separate forum.   

    Thanks,

    Jim
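
    To make the recursive query above something you can try without a CIA database, here is an added example (not from the thread or from CA/Broadcom) that loads the sample ROLEREC and USERINFO rows into an in-memory SQLite database and runs the same walk. The column names are the ones the DB2 query reads; the one-row-per-INCLUDE-entry layout, the SYSID value and the names in USERINFO are constructed assumptions. SQLite spells the common table expression WITH RECURSIVE where DB2 accepts plain WITH; nothing else in the query changes. A second query carries SYSID, a depth counter and the path through the hierarchy, which is what you need to explain why a logonid is a member, to stop a self-including group from recursing forever, and to collapse the duplicate rows the sample output shows for ZZROL2 (reached through both ZZGRP1 and ZZGRP2) into one logonid per row.

```python
"""Expand a CIA-style role hierarchy with a recursive CTE (added example, SQLite)."""
import sqlite3
from typing import List, Tuple

# Constructed from the thread's SET XREF(ROL) sample: (SYSID, ROLEID, ROLETYPE, ROLEMASK, INCLEXCL).
ROLEREC_ROWS = [
    ("DE30", "ZZROL1", "R", "ZZLID1", "I"), ("DE30", "ZZROL1", "R", "ZZLID2", "I"),
    ("DE30", "ZZROL2", "R", "ZZLID2", "I"), ("DE30", "ZZROL2", "R", "ZZLID3", "I"),
    ("DE30", "ZZROL3", "R", "ZZLID4", "I"), ("DE30", "ZZROL3", "R", "ZZLID5", "I"),
    ("DE30", "ZZGRP1", "G", "ZZROL1", "I"), ("DE30", "ZZGRP1", "G", "ZZROL2", "I"),
    ("DE30", "ZZGRP2", "G", "ZZROL2", "I"), ("DE30", "ZZGRP2", "G", "ZZROL3", "I"),
    ("DE30", "ZZSGRP", "G", "ZZGRP1", "I"), ("DE30", "ZZSGRP", "G", "ZZGRP2", "I"),
]
# Constructed (SYSID, USERID, NAME) rows standing in for CIADB01.USERINFO.
USERINFO_ROWS = [
    ("DE30", "ZZLID1", "ALICE ADAMS"), ("DE30", "ZZLID2", "BOB BAKER"),
    ("DE30", "ZZLID3", "CAROL CHEN"), ("DE30", "ZZLID4", "DAN DIAZ"),
    ("DE30", "ZZLID5", "EVE EVANS"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ROLEREC (SYSID TEXT, ROLEID TEXT, ROLETYPE TEXT, ROLEMASK TEXT, INCLEXCL TEXT);
        CREATE TABLE USERINFO (SYSID TEXT, USERID TEXT, NAME TEXT);
    """)
    conn.executemany("INSERT INTO ROLEREC VALUES (?,?,?,?,?)", ROLEREC_ROWS)
    conn.executemany("INSERT INTO USERINFO VALUES (?,?,?)", USERINFO_ROWS)
    return conn


# The thread's DB2 query transcribed for SQLite (WITH RECURSIVE, no schema qualifier).
# Every path through the hierarchy yields its own rows, so ZZROL2 appears twice.
THREAD_QUERY = """
WITH RECURSIVE RC (ROLEID, ROLETYPE, ROLEMASK, INCLEXCL) AS (
    SELECT ROOT.ROLEID, ROOT.ROLETYPE, ROOT.ROLEMASK, ROOT.INCLEXCL
    FROM ROLEREC ROOT
    WHERE ROOT.ROLEID = ? AND ROOT.SYSID = ?
    UNION ALL
    SELECT CHILD.ROLEID, CHILD.ROLETYPE, CHILD.ROLEMASK, CHILD.INCLEXCL
    FROM RC PARENT, ROLEREC CHILD
    WHERE CHILD.ROLEID = PARENT.ROLEMASK
)
SELECT RC.ROLEID, RC.ROLEMASK, RC.ROLETYPE, RC.INCLEXCL, UI.USERID, UI.NAME
FROM RC LEFT JOIN USERINFO AS UI ON RC.ROLEMASK = UI.USERID
"""

# Same walk, but keeping SYSID in the join, counting depth (a cap of 20 stops a
# self-including group from looping) and building the path that explains each row.
PATH_QUERY = """
WITH RECURSIVE RC (SYSID, ROLEID, ROLETYPE, ROLEMASK, INCLEXCL, DEPTH, PATH) AS (
    SELECT SYSID, ROLEID, ROLETYPE, ROLEMASK, INCLEXCL, 0, ROLEID || '>' || ROLEMASK
    FROM ROLEREC
    WHERE ROLEID = ? AND SYSID = ?
    UNION ALL
    SELECT CHILD.SYSID, CHILD.ROLEID, CHILD.ROLETYPE, CHILD.ROLEMASK, CHILD.INCLEXCL,
           PARENT.DEPTH + 1, PARENT.PATH || '>' || CHILD.ROLEMASK
    FROM RC PARENT JOIN ROLEREC CHILD
      ON CHILD.ROLEID = PARENT.ROLEMASK AND CHILD.SYSID = PARENT.SYSID
    WHERE PARENT.DEPTH < 20
)
SELECT RC.PATH, RC.DEPTH, RC.ROLETYPE, RC.INCLEXCL, UI.USERID, UI.NAME
FROM RC LEFT JOIN USERINFO AS UI
  ON UI.USERID = RC.ROLEMASK AND UI.SYSID = RC.SYSID
ORDER BY RC.PATH
"""


def expand_thread_query(conn: sqlite3.Connection, roleid: str, sysid: str) -> List[tuple]:
    return conn.execute(THREAD_QUERY, (roleid, sysid)).fetchall()


def expand_with_paths(conn: sqlite3.Connection, roleid: str, sysid: str) -> List[tuple]:
    return conn.execute(PATH_QUERY, (roleid, sysid)).fetchall()


def distinct_members(conn: sqlite3.Connection, roleid: str, sysid: str) -> List[Tuple[str, str]]:
    """The original question's answer: each logonid once, with its name."""
    seen = {}
    for _path, _depth, _rtype, inclexcl, userid, name in expand_with_paths(conn, roleid, sysid):
        if userid is not None and inclexcl == "I":
            seen.setdefault(userid, name)
    return sorted(seen.items())


if __name__ == "__main__":
    db = build_db()
    for row in expand_with_paths(db, "ZZSGRP", "DE30"):
        print(row)
    print(distinct_members(db, "ZZSGRP", "DE30"))
```

    Against this data the transcribed query returns the same 14 rows as the sample output, four of them for ZZROL2; distinct_members() reduces that to the five logonids with their names. Neither query applies logonid masks or EXCLUDE entries: INCLEXCL is only carried along so you can see them, and a ROLEMASK that is a mask rather than an exact logonid will simply fail the join to USERINFO.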