Hi Top-Secret community,
Is there a possibility to determine acids of type user, who "possess" directly or indirectly a particular permission?
For example, for auditing reasons I need to document, which userid's has access to the SYSADM-privilege.
Of course, there is TSS WHOHAS DB2SYS(SYSADM) query, giving acids or profiles, which have this privilege; But beyond that I need to know, which user has the PROFILE resp. the XA ACID-permission. Consequently the XA ACID-permission could be held by another profile and so on and so on, resulting in a recursive process. Finally it should result in a list of users.
Does Top Secret offer an analysis like this? Any hint for an approach for such an analysis as automated (=errorless=audit-proof) as possible would be appreciated very much!
Many thanks in advance....
Anyone available to assist Josef?
The answer is: "It depends". Let me give you three possible solutions - easy to difficult:
Using the TSSCFILE: The TSSCFILE is basically a flat file of the TSS database. There is a Type 0100 record in the TSSCFILE for every ID, a type 0600 record for every PROFILE the user has, a type 3700 for every facility the user has, etc.. The record types and layout of the records is in one of the TSS manuals (don't remember which one at the moment). Using SYNCSORT (and I'm sure IBM Sort too) I create individual files of each record type. Then I use the SYNCSORT JOIN/JOINKEYS statements to create a "master record" with data from these other records. This will work if access is granted by either the use of a FACILITY or a PROFILE (and probably by an individual permit too, but I haven't tried that). I do this all the time.
Using WHOHAS: Run a WHOHAS command in TSO Batch (ex. WHOHAS DATASET(SYS1.PROCLIB)). Parse the output with your favorite language (REXX and SAS work great, so would PL/I - if I had it). When you find a profile you have to explode it into the individual users. Been there, done that, ripped the t-shirt...
Using Basic CIA: I haven't set this up, but as I understand it, once you've loaded the CIA DB2 database, you can run SQL queries to your heart's content.
Hope this helps!
- Don W
many thanks for your hints and details, and to bring my attention to TSSCFILE, which could be a valuable base for reports. Alas, not for my current need, but for other occations.
So, I'm dealing with "WHOHAS" realizing, that it's quite challenging, to get to know, which user has access to a particular privilege like for example DB2SYS(SYSADM). Because I have to take into account not only the users and profiles, which have permitted this privilege, but also indirect possibilities of access. For example, if a batch-acid has the privilege, also all other users and profiles, who are permitted to this acid, have access to the privilege; (a user might submit the job specifying the privileged userid in the jobcard). And there are even more subtile possibilities to have access to the privilege ... as already said: challenging to figure it out ... any additional considerations and hints are more than welcome ... :-)
The other way round, I can read between your lines: Top Secret does not provide that 'kind of recursive analysis' as described here out of the box.
Thanks again and kind regards,
PS: anyone interested in the rexx as a sample - just let me know ...
we put all tss permissions into a db2 database (daily refresh) using tsscfile report as input
Endless possibilites with SQL...
Many thanks, Horst, for you hint!
If you don’t want to go through the trouble of setting up a DB2 (or CA-Datacom) database, you can get the information you want by just running sort against the TSSCFILE (which is a flat file of the CA-TSS database). We have SyncSort here, but I’m sure IBM sort has equivalent reporting features. Feel free to contact me offline if you want additional information and/or sample reports.
- Don (Dweimer@Arrow.com)
Live long and prosper, Spock
Let me add 2 cents to this conversation. All are good suggestions and each has merit but, keep in mind that in some cases just looking at WHOHAS data or just "sorted" CFILE data for resources may not always provide the correct answer because you are not applying the logic of the Security Algorithm into the process.
Shops with minimal profiles on user ACIDs may not see issues with these approaches but others with larger volumes of profiles on users ACIDs or larger numbers of rules to specific resources may need to use these techniques to pre-process the data in order to identify the list of potential users. Then you may need build control cards and apply a TSSSIM routine to those identified users to see which users really have the access you seek. The Global AUTH settings or the RDT MERGE settings can influence the results.
You are correct. Using the TSSCFILE or WHOHAS is not complete due to profiles. However, if the profiles are done in a meaningful way (ex. CICSPAY = access to the CICS PAY transaction) and limited use of the ALL record, you can get a good idea of the access. TSSSIM is better, but even that has some drawbacks - it won't drive the TSSEXIT (Security exit), for one.
When I heard about "CIA", I THOUGHT (hoped) they had a complete solution. Alas, no.