DataFrames
pyRACF dynamically creates a property for every recordtype it parses from the IRRDBU00 unload. The properties return a DataFrame of the recordtype with column names the same as those in the IBM Documentation. For instance, the unloaded basic-user-information (record Type 200) will have a column name USBD_NAME to contain the "User ID as taken from the profile name".
The following properties directly relate to the recordtypes, and mostly have field names starting with the value under Prefix.
Record Type | Prefix | Property | Description |
---|---|---|---|
0100 | GPBD | .groups | Group Basic Data record (0100). |
0101 | GPSGRP | .subgroups | Group Subgroups record (0101). |
0102 | GPMEM | .connects | Group Members record (0102). [note 1] |
0103 | GPINSTD | .groupUSRDATA | Group Installation Data record (0103). |
0110 | GPDFP | .groupDFP | Group DFP Data record (0110). |
0120 | GPOMVS | .groupOMVS | Group OMVS Data record (0120). |
0130 | GPOVM | .groupOVM | Group OVM Data record (0130). |
0141 | GPTME | .groupTME | Group TME Data record (0141). |
0151 | GPCSD | .groupCSDATA | Group CSDATA custom fields (0151). |
0200 | USBD | .users | User Basic Data record (0200). |
0201 | USCAT | .userCategrories | User Categories record (0201). |
0202 | USCLA | .userClasses | User Classes record (0202). |
0203 | USGCON | .groupConnect | User Group Connections record (0203). [note 1] |
0204 | USINSTD | .userUSRDATA | User Installation Data record (0204). |
0205 | USCON | .connectData | User Connect Data record (0205). [note 1] |
0206 | USRSF | .userRRSFDATA | RRSF data record (0206). |
0207 | USCERT | .userCERTname | user certificate name record (0207). |
0208 | USNMAP | .userAssociationMapping | User Associated Mappings record (0208). |
0209 | USDMAP | .userDistributedIdMapping | User Associated Distributed Mappings record (0209). |
020A | USMFA | .userMFAfactor | user Multifactor authentication data record (020A). |
020B | USMPOL | .userMFApolicies | user Multi-factor authentication policies record (020B) |
0210 | USDFP | .userDFP | User DFP data record (0210). |
0220 | USTSO | .userTSO | User TSO Data record (0220). |
0230 | USCICS | .userCICS | User CICS Data record (0230). |
0231 | USCOPC | .userCICSoperatorClasses | User CICS Operator Class record (0231). |
0232 | USCRSL | .userCICSrslKeys | User CICS RSL keys record (0232). |
0233 | USCTSL | .userCICStslKeys | User CICS TSL keys record (0233). |
0240 | USLAN | .userLANGUAGE | User Language Data record (0240). |
0250 | USOPR | .userOPERPARM | User OPERPARM Data record (0250). |
0251 | USOPRP | .userOPERPARMscope | User OPERPARM Scope record (0251). |
0260 | USWRK | .userWORKATTR | User WORKATTR Data record (0260). |
0270 | USOMVS | .userOMVS | User Data record (0270). |
0280 | USNETV | .userNETVIEW | user NETVIEW segment record (0280). |
0281 | USNOPC | .userNETVIEWopclass | user OPCLASS record (0281). |
0282 | USNDOM | .userNETVIEWdomains | user DOMAINS record (0282). |
0290 | USDCE | .userDCE | user DCE data record (0290). |
02A0 | USOVM | .userOVM | user OVM data record (02A0). |
02B0 | USLNOT | .userLNOTES | LNOTES data record (02B0). |
02C0 | USNDS | .userNDS | NDS data record (02C0). |
02D0 | USKERB | .userKERB | User KERB segment record (02D0). |
02E0 | USPROXY | .userPROXY | user PROXY record (02E0). |
02F0 | USEIM | .userEIM | user EIM segment record (02F0). |
02G1 | USCSD | .userCSDATA | user CSDATA custom fields record (02G1). |
1210 | USMFAC | .userMFAfactorTags | user Multifactor authentication factor configuration data record (1210). |
0400 | DSBD | .datasets | Data Set Basic Data record (0400). |
0401 | DSCAT | .datasetCategories | Data Set Categories record (0401). |
0402 | DSCACC | .datasetConditionalAccess | Data Set Conditional Access record (0402). |
0403 | DSVOL | .datasetVolumes | Data Set Volumes record (0403). |
0404 | DSACC | .datasetAccess | Data Set Access Record (0404). |
0405 | DSINSTD | .datasetUSRDATA | Data Set Installation Data Record (0405). |
0406 | DSMEM | .datasetMember | Data Set Member Data Record (0406). |
0410 | DSDFP | .datasetDFP | Data Set DFP Data record (0410). |
0421 | DSTME | .datasetTME | Data Set TME Data Record (0421). |
0431 | DSCSD | .datasetCSDATA | Data Set CSDATA custom fields record (0431). |
0500 | GRBD | .generals | General Resource Basic Data record (0500). |
0501 | GRTVOL | .generalTAPEvolume | General Resource Tape Volume Data record (0501). |
0502 | GRCAT | .generalCategories | General Resources Categories record (0502). |
0503 | GRMEM | .generalMembers | General Resource Members record (0503). |
0504 | GRVOL | .generalTAPEvolumes | General Resources Volumes record (0504). |
0505 | GRACC | .generalAccess | General Resource Access record (0505). |
0506 | GRINSTD | .generalUSRDATA | General Resource Installation Data record (0506). |
0507 | GRCACC | .generalConditionalAccess | General Resources Conditional Access record (0507). |
0508 | GRFLTR | .DistributedIdFilter | Filter Data record (0508). |
0509 | GRDMAP | .DistributedIdMapping | General Resource Distributed Identity Mapping Data record (0509). |
0510 | GRSES | .SESSION | General Resources Session Data record (0510). |
0511 | GRSESE | .SESSIONentities | General Resources Session Entities record (0511). |
0520 | GRDLF | .DLFDATA | General Resources DLF Data record (0520). |
0521 | GRDLFJ | .DLFDATAjobnames | General Resources DLF Job Names record (0521). |
0530 | GRSIGN | .SSIGNON | SSIGNON data record (0530). |
0540 | GRST | .STDATA | Started Task data record (0540). |
0550 | GRSV | .SVFMR | Systemview record (0550). |
0560 | GRCERT | .CERT | Certificate Data record (0560). |
1560 | GRCERTN | .CERTname | general resource certificate information record (1560). |
0561 | CERTR | .CERTreferences | Certificate References record (0561). |
0562 | KEYR | .KEYRING | Key Ring Data record (0562). |
0570 | GRTME | .TME | general resource TME data record (0570). |
0571 | GRTMEC | .TMEchild | general resource TME child record (0571). |
0572 | GRTMER | .TMEresource | general resource TME resource record (0572). |
0573 | GRTMEG | .TMEgroup | general resource TME group record (0573). |
0574 | GRTMEE | .TMErole | general resource TME role record (0574). |
0580 | GRKERB | .KERB | general resource KERB segment record (0580). |
0590 | GRPROXY | .PROXY | general resource PROXY record (0590). |
05A0 | GREIM | .EIM | general resource EIM segment record (05A0). |
05B0 | GRALIAS | .ALIAS | general resource ALIAS group record (05B0). |
05C0 | GRCDT | .CDTINFO | general resource CDTINFO data record (05C0). |
05D0 | GRICTX | .ICTX | general resource ICTX segment record (05D0). |
05E0 | GRCFDEF | .CFDEF | general resource CFDEF data record (05E0). |
05F0 | GRSIG | .SIGVER | general resource SIGVER data record (05F0). |
05G0 | GRCSF | .ICSF | general resource ICSF record (05G0). |
05G1 | GRCSFK | .ICSFsymexportKeylabel | general resource ICSF key label record (05G1). |
05G2 | GRCSFC | .ICSFsymexportCertificateIdentifier | general resource ICSF certificate identifier record (05G2). |
05H0 | GRMFA | .MFA | Multifactor factor definition data record (05H0) |
05I0 | GRMFP | .MFPOLICY | Multifactor Policy Definition data record (05I0). |
05I1 | GRMPF | .MFPOLICYfactors | user Multifactor authentication policy factors record (05I1). |
05J1 | GRCSD | .generalCSDATA | General Resources CSDA custom fields record (05J1). |
05K0 | GRIDTP | .IDTFPARMS | Identity Token data record (05K0). |
05L0 | GRJES | .JES | JES data record (05L0). |
[note 1]: DataFrames .connects and .groupConnect present limited information. .connects ignores universal groups, and both lack information about group privileges. Complete information about connection between groups and users, including connect authority, is stored in .connectData.
Properties starting with .general are mostly related to access control profiles that use PERMITs. General resource profiles that represent (system) tables and switches are stored in properties with names that reflect the application segment name (in uppercase, optionally followed by a suffix for lists stored in the segment).
Some of these properties have been extended for easier reporting:
Combines fields from USER profiles (0205) and GROUP profiles (0102). The GPMEM_AUTH field shows group connect authority, whereas all other field names start with USCON.
This property should be used for most connect group analysis, instead of .connects and .groupConnect.
Column IDSTAR_ACCESS is added by selecting records from .datasetAccess and .generalAccess referencing ID(*). The higher value of prefix_UACC and IDSTAR_ACCESS is stored in ALL_USER_ACCESS, indicating the access level granted to all RACF defined users, except when restricted by specific access.
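The ALL_USER_ACCESS derivation described above, sketched with plain pandas on constructed data. This is an added example, not pyRACF's own code: the function names and sample profiles are assumptions, and the columns are those of the 0400 and 0404 records.

```python
import pandas as pd

# RACF access levels in ascending order of authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data using IRRDBU00 column names (0400 and 0404 records).
datasets = pd.DataFrame({
    "DSBD_NAME": ["SYS1.**", "PROD.PAYROLL.**", "TEST.**"],
    "DSBD_UACC": ["READ", "NONE", "NONE"],
})
dataset_access = pd.DataFrame({
    "DSACC_NAME": ["SYS1.**", "PROD.PAYROLL.**", "TEST.**", "TEST.**"],
    "DSACC_AUTH_ID": ["SYSPROG", "PAYGRP", "*", "TESTERS"],
    "DSACC_ACCESS": ["ALTER", "UPDATE", "UPDATE", "ALTER"],
})

def all_user_access(profiles, permits):
    """Add IDSTAR_ACCESS and ALL_USER_ACCESS columns to a copy of profiles."""
    star = (permits.loc[permits["DSACC_AUTH_ID"] == "*"]
            .set_index("DSACC_NAME")["DSACC_ACCESS"])
    out = profiles.copy()
    # Profiles without an ID(*) permit get a missing value here.
    out["IDSTAR_ACCESS"] = out["DSBD_NAME"].map(star)
    uacc_rank = out["DSBD_UACC"].map(RANK)
    star_rank = out["IDSTAR_ACCESS"].map(RANK).fillna(-1)
    # Keep whichever of UACC and the ID(*) permit grants more.
    best = pd.concat([uacc_rank, star_rank], axis=1).max(axis=1).astype(int)
    out["ALL_USER_ACCESS"] = best.map(lambda i: LEVELS[i])
    return out

def broadly_accessible(profiles, permits, minimum="UPDATE"):
    """Profile names where every RACF-defined user gets at least `minimum`."""
    df = all_user_access(profiles, permits)
    hit = df["ALL_USER_ACCESS"].map(RANK) >= RANK[minimum]
    return df.loc[hit, "DSBD_NAME"].tolist()
```

A profile with UACC(NONE) can still surface here through its ID(*) permit, which is why a review that filters on UACC alone misses it.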
Returns a combined DataFrame of the DataFrames ._generalSSIGNON and .generals, copying the GRBD_APPL_DATA field to show if replay protection is available for the passticket.
To view column names in a DataFrame, use .columns

```python
>>> r.STDATA.columns
Index(['GRST_RECORD_TYPE', 'GRST_NAME', 'GRST_CLASS_NAME', 'GRST_USER_ID',
       'GRST_GROUP_ID', 'GRST_TRUSTED', 'GRST_PRIVILEGED', 'GRST_TRACE'],
      dtype='object')
```
The data tables have index fields assigned to speed up access to entries and to determine "is this ID present in the .users table". Index fields are automatically assigned (generally) as follows. Note that the table prefix is omitted from the index names to ease table processing.
- For tables about groups, users and data sets, the _NAME field refers to the profile key.
- For general resources, _CLASS_NAME and _NAME refer to the resource class and the profile key, resp.
- .connectData uses _GRP_ID and _NAME as index fields, representing the group name and the user ID, resp. The other two connect related tables use the same structure to facilitate merging of tables.
- .datasetAccess and .datasetConditionalAccess use _NAME, _AUTH_ID and _ACCESS as index fields.
- .generalAccess and .generalConditionalAccess use _CLASS_NAME, _NAME, _AUTH_ID and _ACCESS as index fields.
Tables and views derived from these main tables mostly inherit the index fields. To check the index names used in a DataFrame, use .index.names

```python
>>> r.STDATA.index.names
FrozenList(['_CLASS_NAME', '_NAME'])
```
The data table properties return all profiles and profile data loaded from the RACF input source. Since they typically return more than one entry, the property name represents a plural, such as .users. To make selections you have to use methods such as .loc[ ], .query( ), .gfilter( ) or .rfilter( ), see Pandas Methods for guidance and examples.
In addition to the data table properties, data selection methods are available to retrieve one profile, or profiles from one class, with an easy syntax. The parameter(s) to these properties are used as a literal search argument, and return entries that fully match the argument(s). These properties typically have a name referring to the singular.
Returns a data frame with 1 record from .groups when the group is found, or an empty frame. For example, r.group('SYS1')
Returns a data frame with 1 record from .users when the user ID is found, or an empty frame. For example, r.user('IBMUSER')
Returns a data frame with record(s) from .connectData, fitting the parameters exactly, or an empty frame. For example, r.connect('SYS1','IBMUSER')
If one of the parameters is written as None, or the second parameter is omitted, all profiles matching the specified parameter are shown, with one index level instead of the 2 index levels that .connectData holds.
For example, r.connect('SYS1') shows all users connected to SYS1, whereas r.connect(None, 'IBMUSER') shows all the groups IBMUSER is a member of. Instead of None, you may specify '**'.
You can find all entries in .users that have a group connection to SYSPROG as follows:

```python
r.users.loc[r.users.USBD_NAME.isin(r.connect('SYSPROG').index)]
```

or

```python
r.users.query("_NAME in @r.connect('SYSPROG').index")
```

These forms use the index structure of .connect, rather than the data, giving better speed. The 2nd example references the index field _NAME rather than the data column USBD_NAME.
Returns a data frame with 1 record from .datasets when a profile is found, fitting the parameters exactly, or an empty frame. For example, r.dataset('SYS1.*.**')
To show all dataset profiles starting with SYS1 use r.datasets.gfilter('SYS1.**')
Returns a data frame with records from .datasetAccess, fitting the parameters exactly, or an empty frame. For example, r.datasetPermit('SYS1.*.**', None, 'UPDATE') shows all IDs with update access on the SYS1.*.** profile (if this exists).
To show entries from all dataset profiles starting with SYS1 use r.datasetAccess.gfilter('SYS1.**', '**', 'UPDATE')
Returns a data frame with records from .datasetConditionalAccess, fitting the parameters exactly, or an empty frame. For example, r.datasetConditionalPermit('SYS1.*.**', None, 'UPDATE')
To show entries from all conditional permits for ID(*) use r.datasetConditionalAccess.gfilter('**', '*', '**')
Returns a data frame with profile(s) from .generals fitting the parameters exactly, or an empty frame. For example, r.general('FACILITY', 'BPX.**')
If one of the parameters is written as None or '**', or the second parameter is omitted, all profiles matching the specified parameter are shown. For example, r.general('UNIXPRIV')
To show general resource profiles relevant to z/OS UNIX use r.generals.gfilter('FACILITY', 'BPX.**')
Returns a data frame with records from .generalAccess, fitting the parameters exactly, or an empty frame. For example, r.generalPermit('UNIXPRIV', None, None, 'UPDATE') shows all IDs with update access on any UNIXPRIV profile (if this exists).
To show entries from all TCICSTRN profiles starting with CICSP use r.generalAccess.gfilter('TCICSTRN', 'CICSP*')
Returns a data frame with records from .generalConditionalAccess fitting the parameters exactly, or an empty frame. For example, r.generalConditionalPermit('FACILITY')
To show entries from all conditional permits for ID(*) use r.generalConditionalPermit('**', '**', '*', '**') or the equivalent r.generalConditionalPermit(None, None, '*', None)
This would also work: r.generalConditionalAccess.rfilter(None, None, '\*', None)
These properties present a subset of DataFrames, or the result of DataFrame intersections, to identify points of interest.
The .specials property will return a "USBD" DataFrame (users) with all users that have the 'special attribute' set. Effectively this is the same as the result from

```python
r.users.loc[r.users['USBD_SPECIAL'] == 'YES']
```

Like the .specials property but now all the users that have the 'operations attribute' set will be returned.
Returns a DataFrame with all users that have the 'auditor attribute'
Returns a DataFrame with all revoked users.
Returns a DataFrame with all groups that do not have user connects. (empty groups)
Returns a DataFrame with all dataset definitions that have a Universal Access of 'READ'
Returns a DataFrame with all dataset definitions that have a Universal Access of 'UPDATE'
Returns a DataFrame with all dataset definitions that have a Universal Access of 'CONTROL'
Returns a DataFrame with all dataset definitions that have a Universal Access of 'ALTER'
Returns a tuple of .datasetAccess DataFrame and .generalAccess DataFrame with entries that refer to non-existing authid's.
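How the index fields described earlier support this kind of check, as an added example on constructed frames (not pyRACF's own code). The frames only mimic the documented index names; the function name and the explicit exclusion of ID(*) are assumptions of this sketch.

```python
import pandas as pd

# Constructed frames that mimic the index layout described above: users and
# groups are keyed by _NAME; permits by (_NAME, _AUTH_ID, _ACCESS).
users = pd.DataFrame({"USBD_NAME": ["IBMUSER", "ALICE"]})
users.index = pd.Index(users["USBD_NAME"], name="_NAME")
groups = pd.DataFrame({"GPBD_NAME": ["SYS1", "SYSPROG"]})
groups.index = pd.Index(groups["GPBD_NAME"], name="_NAME")

permits = pd.DataFrame({
    "DSACC_NAME": ["SYS1.**", "SYS1.**", "PROD.**", "PROD.**"],
    "DSACC_AUTH_ID": ["SYSPROG", "*", "BOB", "ALICE"],
    "DSACC_ACCESS": ["ALTER", "READ", "UPDATE", "READ"],
})
permits.index = pd.MultiIndex.from_frame(
    permits[["DSACC_NAME", "DSACC_AUTH_ID", "DSACC_ACCESS"]],
    names=["_NAME", "_AUTH_ID", "_ACCESS"],
)

def orphan_permits(access, users, groups):
    """Permits whose _AUTH_ID is neither a user, a group, nor ID(*)."""
    auth = access.index.get_level_values("_AUTH_ID")
    # Membership is tested against the indexes, not the data columns.
    known = users.index.union(groups.index)
    return access.loc[~auth.isin(known) & (auth != "*")]
```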