Does anyone have something to do this? I need to "explode" the roles, integrate any included roles, and list the role members with their names.
There is no canned report available for this request.
You may want to look at ACFESAGE and possibly use a REXX
to read the records. The SAGEREC records are 0490/0491/0492.
You could then read the 0200 records to associate a name with a logonid.
The problem is that the Role implementation is overly complex. Logonid masks can be used to include users, Logonids or their masks can be used to exclude users, Roles can be composed of Roles.
So, it is not as simple as reading the records from the ESAGE output.
The Compliance Information Analysis (CIA) component that is available to all CA ACF2 customers provides additional options which you can use to accomplish your desired results. https://docops.ca.com/ca-acf2-for-z-os/16-0/en/auditing-and-compliance/implement-compliance-information-analysis
CIA provides very useful out-of-the-box reports, sample queries and service functions. Beyond these out-of-the-box options, users are often amazed at what they can accomplish, and the productivity gains they can realize by leveraging CIA’s advanced capabilities with just a small investment in time. Let’s take your use case as an example:
If the CIA database is installed and uses CA Datacom, you can use the following JCL to create a file which you can import directly into an Excel workbook. Then, using Excel filtering capabilities, it is very easy to see all LIDs defined under a role. If the role is a group role, the list of LIDs under the intermediate roles is handled.
//STEP01 EXEC PGM=DBSQLPR
//STEPLIB DD DISP=SHR,DSN=PRODUCT.CIA60RT.CIAMUF.CUSLIB
// DD DISP=SHR,DSN=PRODUCT.CEM60PR.CAAXLOAD
//SYSPRINT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDOUT DD SYSOUT=*
//OPTIONS DD *
- - - - - - - - - - - - - - - - 10 Line(s) not Displayed
//SYSIN DD *
SELECT SYSID,USERID,ROLEID,ROLSYSID,ROLETYPE FROM CIADB01.ROLEXREF;
In the following screen shot, we take the output above from Excel and filter on the ZZSGRP ROLE to see all the LIDs contained under this role (including via sub groups).
In the following screen shot, we filter on LID ZZLID8 and see the various ROLEs it is defined under. Note that we can also see any UID masks used in rules for which the UID string of ZZLID8 matches.
You can leverage some of CIA’s capabilities without actually creating the database or fussing with SQL. To do so, make a copy of the acf2lib.CAX1JCL0(CIAUNLD) job and add a step that uses REXX to extract the information. The acf2lib.CAX1JCL0(CIA4DBLD) job has the required information to understand the record layout for creating the sample JCL and REXX:
//UNLRX EXEC PGM=IKJEFT01,REGION=2M
//SYSPROC DD DSN=BROJA17.ACF2.CNTL,DISP=SHR
//UNLOAD DD DISP=SHR,DSN=&HLQ..UNLOAD
//OUTFILE DD DSN=BROJA17.RX0400,DISP=OLD
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
"execio * diskr" UNLOAD "(stem unlrec. finis"
outline.1 = "SYSID,USERID,ROLEID,ROLESYSID,ROLETYPE"
outline.0 = 1
do i = 1 to unlrec.0
when substr(unlrec.i,1,8) = "RX0400 " then do
sysid = strip(substr(unlrec.i,9+2,8))
userid = strip(substr(unlrec.i,19+2,24))
roleid = strip(substr(unlrec.i,45+2,24))
rolesysid = strip(substr(unlrec.i,71,8))
roletype = strip(substr(unlrec.i,79,1))
prtline = sysid||',' ||userid||','||roleid||',' ,
p = outline.0 + 1
outline.p = prtline
outline.0 = p
"execio * diskw" OUTFILE "(stem outline. finis"
In the previous example, the ROLEXREF CIA table was leveraged to show all LIDS under a role. The ROLEINFO and ROLEREC have additional information related to the use case from this post. Like the above examples, you can do a select from the ROLEREC table and import the results into a spreadsheet. Doing so simplifies the analysis of the hierarchy of LIDS, ROLES and GROUPS. If the CIA database was created using DB2, you can use advanced SQL like below to recreate the hierarchy. In the sample SQL below, we start with a GROUP and expand all the GROUPS, ROLES and LIDS under it.
WITH RC (ROLEID, ROLETYPE, ROLEMASK, INCLEXCL) AS
SELECT ROOT.ROLEID, ROOT.ROLETYPE, ROOT.ROLEMASK, ROOT.INCLEXCL
FROM CIADB01.ROLEREC ROOT
WHERE ROOT.ROLEID = 'ZZSGRP'
AND ROOT.SYSID = 'DE30'
SELECT CHILD.ROLEID, CHILD.ROLETYPE, CHILD.ROLEMASK, CHILD.INCLEXCL
FROM RC PARENT, CIADB01.ROLEREC CHILD
WHERE CHILD.ROLEID = PARENT.ROLEMASK
SELECT RC.ROLEID, RC.ROLEMASK, RC.ROLETYPE, RC.INCLEXCL,
FROM RC LEFT JOIN CIADB01.USERINFO AS UI
ON RC.ROLEMASK = UI.USERID
The following sample shows the output from the above query. In this query, we specified to start with ROLE ZZSGRP and to see all the roles that are defined under it, as well as the LIDs. We see all the LIDS (similar to the first screen shot above), but here we also see the intermediate roles.
ROLEID ROLEMASK ROLETYPE INCLEXCL USERID
ZZSGRP ZZGRP1 G I -------
ZZSGRP ZZGRP2 G I -------
ZZROL1 ZZLID1 R I ZZLID1
ZZROL1 ZZLID2 R I ZZLID2
ZZROL2 ZZLID2 R I ZZLID2
ZZROL2 ZZLID3 R I ZZLID3
ZZROL3 ZZLID4 R I ZZLID4
ZZROL3 ZZLID5 R I ZZLID5
ZZGRP1 ZZROL1 G I -------
ZZGRP1 ZZROL2 G I -------
ZZGRP2 ZZROL2 G I -------
ZZGRP2 ZZROL3 G I -------
The data for the above example:
INSERT ZZROL1 INCLUDE(ZZLID1,ZZLID2) ROLE
INSERT ZZROL2 INCLUDE(ZZLID2,ZZLID3) ROLE
INSERT ZZROL3 INCLUDE(ZZLID4,ZZLID5) ROLE
INSERT ZZGRP1 INCLUDE(ZZROL1,ZZROL2) GROUP
INSERT ZZGRP2 INCLUDE(ZZROL2,ZZROL3) GROUP
INSERT ZZSGRP INCLUDE(ZZGRP1,ZZGRP2) GROUP
It is difficult to explain all the various possibilities using CIA in this post, as there are several options available and variations of how to implement those options. The options depend on whether the CIA database is installed and, if so, whether DB2 or CA Datacom was used to define the repository.
If there is any interest in further details about how CIA can be used (from yourself or anyone in the Communities), we can provide additional details in a separate forum.