ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Need a query to list all persons with $DD-ADM profile

book

Article ID: 40562

calendar_today

Updated On:

Products

Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services Datacom/AD CA ecoMeter Server Component FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA On Demand Portal CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware

Issue/Introduction

Question:

I've been asked by auditors to provide a "system generated list" (ie, a query) of all users with administrative access.

I know people with administrative access have the $DD-ADM profile.

Can you help me with a DataQuery query or some command that will list PERSONS with the $DD-ADM profile.

 

Answer:

See below two ways to get the result via Data Query or DDUTILTY: 

The following Data Query SYSIN should do it: 
Continuation "+" in column 72 
----+----1----+----2----+----3----+----4----+----5----+----6----+----7-- 
//SYSIN DD * 
SIGN-ON DATACOM-INSTALL PASSWORD NEWUSER 
OPTION QUERYLANG=DQL 
FIND RELATIONSHIP RELATED BY SUBJ-OCC-NAME VIA ENTITY-NAME TO PERSON + 
WITH PERSON.ENTITY-VER = RELATIONSHIP.SUBJ-VRS-NUM                                           + 
AND PERSON.STATUS NOT = 'H'                                                                                                   + 
AND RELATIONSHIP.ENTITY-NAME = 'PER-ATZ-AUTH'                                                           + 
AND RELATIONSHIP.OBJ-OCC-NAME = '$DD-ADM'                                                                 + 
SORT RELATIONSHIP SUBJ-OCC-NAME OBJ-OCC-NAME                                                    + 
PRINT FROM RELATIONSHIP SUBJ-OCC-NAME 'USER NAME'                                            + 
OBJ-OCC-NAME 'AUTHORIZATION' 
EXECUTE * 

or 

The following DDUTILTY SYSIN should do it as well: 

//SYSIN DD * 
+USR DATACOM-INSTALL,NEWUSER 
-DEF PATH,PERATZ 
-DEF TRACE,AUTHORIZATION.PERSON,PER-ATZ-AUTH 
-END 
-RPT START,AUTHORIZATION,$DD-ADM(PROD,PRIV),PERATZ 
-RPT INDEX 
-END 
/* 

 

Environment

Release:
Component: DB