Objective: retrieve information about the owner of a resource profile from the owning user or group profile.

Suppose that you want to generate a report of all data set profiles that are owned by a user ID instead of a group. The default security policy of the company states that data set profiles must always be owned by a group. To accomplish this task, you first generate a report of all data set profiles owned by any user ID.

When you attempt to run this CARLa program against the “Active Primary RACF database”, you receive the following zSecure error messages:

To produce this report, CARLa must read through the entire RACF database twice. This double read is not supported on the active primary (or backup) RACF database. Use command “SETUP FILES” or option “SE.1” to switch your input set. Select an input set that uses a RACF UNLOAD in combination with a CKFREEZE. You might need to create such a set, or ask your administrator for the data set names. When done, press F3 and next enter GO or RUN to run this same CARLa code again.

The output must look like this screen capture. Note that the report contains only data set profiles that are owned by a user ID instead of a group profile:

The exists clause as used in this exercise requires a two-pass read through the RACF database, which is not supported on the active primary or backup RACF database. The dual pass is required because the RACF database is essentially unsorted: when the program encounters a data set profile, it might not yet have seen the profile of the owner, so it cannot determine whether the owner has a DFLTGRP (and is therefore a user). If you receive error message CKR0664, use option Setup Files (SE.1) and select an Unload data set instead.

In this example, the exists clause uses the value of the field “OWNER” to retrieve the value of the field “DFLTGRP”. If the pertinent owner is a USER, field “DFLTGRP” has a value, so the “exists” clause is true, and the data set profile is selected. If, however, the pertinent owner is a GROUP, field “DFLTGRP” does not have a value (because a GROUP profile does not have a default group), so the “exists” clause is false and the data set profile is not selected in the final report.
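The following Python model is an added example, not CARLa and not part of the original tutorial. It shows why the owner lookup needs two passes over unsorted input and how a single read would miss profiles. The record layout, sample profiles and function names are assumptions made for illustration.

```python
# Constructed sample records, deliberately unsorted: a data set profile
# can appear before the profile of its owner, as described in the text.
RECORDS = [
    {"class": "DATASET", "key": "PAYROLL.**", "owner": "JSMITH"},
    {"class": "USER",    "key": "JSMITH",     "dfltgrp": "FINANCE"},
    {"class": "GROUP",   "key": "FINANCE"},
    {"class": "DATASET", "key": "FINANCE.**", "owner": "FINANCE"},
    {"class": "DATASET", "key": "JSMITH.**",  "owner": "JSMITH"},
    {"class": "DATASET", "key": "OLDAPP.**",  "owner": "GONE"},  # owner not defined
    {"class": "DATASET", "key": "TEST.**",    "owner": "ADOE"},
    {"class": "USER",    "key": "ADOE",       "dfltgrp": "SYS1"},
]


def owner_has_dfltgrp(profile, lookup):
    """Model of the exists test: true only when the owner's profile is
    known and carries a DFLTGRP value, which means the owner is a user."""
    owner = lookup.get(profile["owner"])
    return bool(owner and owner.get("dfltgrp"))


def two_pass_select(records):
    """Pass 1 indexes every USER and GROUP profile; pass 2 selects data
    set profiles whose owner resolves to a user."""
    lookup = {r["key"]: r for r in records if r["class"] in ("USER", "GROUP")}
    return [r["key"] for r in records
            if r["class"] == "DATASET" and owner_has_dfltgrp(r, lookup)]


def single_pass_select(records):
    """What one sequential read can decide: the lookup holds only the
    profiles seen so far, so owners that appear later are unknown."""
    lookup, selected = {}, []
    for r in records:
        if r["class"] in ("USER", "GROUP"):
            lookup[r["key"]] = r
        elif r["class"] == "DATASET" and owner_has_dfltgrp(r, lookup):
            selected.append(r["key"])
    return selected


if __name__ == "__main__":
    print("two passes :", two_pass_select(RECORDS))
    print("single pass:", single_pass_select(RECORDS))
```

The single read misses PAYROLL.** and TEST.** because their owners appear later in the input. A report built that way would understate how many data set profiles violate the group-ownership policy.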

The “basefield:value” notation as used in this exercise is often referred to as “explicit lookup”. Using the explicit lookup function, you can retrieve USER, GROUP, or CONNECT information from profiles that you initially did not select in your SELECT statement.

Exercise:

  1. It would be great to include the names of the pertinent user IDs that are found to own one or more data set profiles. Use the explicit lookup function to include the names of the owning user IDs in this overview.
     
  2. Also include the revoke status and whether the pertinent user ID is protected.

After finishing this exercise, you can switch back to using the “Active Primary RACF database” for input again. Alternatively, you can continue using this Unload and CKFREEZE data set.

 


 

© Copyright IBM Corp. 2012, 2020
