zSecure CARLa Videos

zSecure CARLa Videos Courses:

Comparing CKFREEZE or RACF information sources

Use the COMPAREOPT function to compare records from multiple information sources with each other.

The supported information sources are:

  • CKFREEZE data sets
  • UNLOAD data sets
  • RACF databases

Build system-defined compliance checks

This course explains how to use CARLa to run automated compliance checks that verify whether your system is compliant to supported security standards.

In the zSecure interface, you find the rule-based compliance evaluation feature on the AU.R, for Audit Compliance, panel.

Duration: 15 minutes

Combine user or group information with resource information

This program let you retrieve information about the owner of a resource profile from the user or group that owns the pertinent profile.

Compare more than four user IDs

This program shows you how to customize the standard zSecure compare IDs report to include more than the supported four user IDs or groups in the ISPF panel.

Compare RACF databases


  • Know how to  compare profiles from two RACF information sources


15 minutes

Compare RACF databases - show added or deleted user profiles only


  • Understand how to generate a report that compares RACF databases which had user profiles that were added or deleted


15 minutes

Convert automatically UACC access to a PERMIT to ID(*)

This program lets you generate RACF commands that automatically convert access to resources through UACC settings that exceed NONE to a permit to ID(*).

Deleting inactive user IDs

This course details how to delete those user IDs that are inactive for a long period of time. 

{GENERICO:type="hints",style="Tip",text="After the revocation of the inactive user IDs, it is suggested you consider a contingency period from the time of revocation to the time of actual deletion."}{GENERICO:type="hints_end"}

Duration: 15 minutes

Find permissions that are the same as the UACC setting

 This program lets you identify whether resource profiles exist that contain ACL entries where the permitted access level is equal to the UACC level that is set for that resource profile.

Find profiles with a high UACC values

This program allows you to find resource profiles where the universal access defined allows update or higher access.

Generate a summary report of user IDs

This course details how to produce a report of all user IDs per default group that has two or more user IDs assigned to their name.

Generate a Write to Operator (WTO) message

This course explains how to build a watchdog CARLa program that verifies that the most vital general resource classes on your z/OS system are active.

Duration: 15 minutes

Generate an SNMP message to a UNIX system log

This course describes how to build a watchdog CARLa program that verifies that no started task is defined on your system that is assigned the PRIVILEGED attribute.

Duration: 15 minutes

Generate RACF commands

You will learn how to generate commands to change the TSO segments of multiple user IDs. This way, you can perform mass updates to the RACF database.

Generate z/OS UNIX System Services (USS) commands

 This program lets you generate a set of USS commands to apply against a set of USS files.

Include and combine system and class settings in profile reports

This course explains how to generate a report about profiles that general resource class XFACILIT stores and includes some XFACILIT class settings from the Class Descriptor Table (CDT).

Duration: 15 minutes

Monitor access by OPERATIONS user IDs

The purpose of this example is to show the use of the OPERATIONS attribute by user IDs that are assigned the OPERATIONS attribute.

Perform mass updates to the RACF database (mass user cloning)

 With IBM Security zSecure Admin option RA.4, you can run mass updates to the RACF database. The Mass update feature supports the following for RACF profiles:

  • mass copy
  • mass delete
  • mass recreates

Prevent OPERATIONS users from accessing system sensitive data sets

This course provides details on how to prevent OPERATIONS users from accessing system sensitive data sets using the zSecure CARLa auditing and reporting language.

You can prevent OPERATIONS user IDs from accessing your sensitive resources as follows:

  1. Create an additional RACF group profile (for example, OPSATTR).
  2. Connect all user IDs that have the OPERATIONS or GROUPOPERATIONS attribute to this OPSATTR group. A CARLa program to assist you with this task is shown in this course.
  3. Permit the defined and populated group to the access control list of all sensitive resource profiles with an access level of “NONE”.

It is suggested to run this next CARLa program on a regular basis through your job scheduler (for example, Tivoli Workload Scheduler). That procedure ensures that this suggested OPERATIONS control is automatically enforced and maintained.

Produce an SMF report showing UNIX superuser resource access

This course shows you how to produce a report from system management facility (SMF) records showing attempts to access resources as UNIX superuser.

Report direct permissions to user IDs

This course shows you how to generate a report that shows all resources that have permissions directly to a user ID.

Report resource class profiles statistics

This course shows you how to produce a report of all user IDs per default group that has two or more user IDs assigned to their name.

With the SUMMARY statement, the CARLa programming language supports a range of statistical functions.

  • You can use these functions to enhance your reports with extra statistical information or generated summary overviews.
  • You can use DEFINE statements with functions such as MAXIMUM, MINIMUM, AVERAGE, FREQUENCY, and more to create all kinds of statistics.

Report the number of user IDs with UPDATE access to Authorized Program Facility (APF) libraries

This courses explains how to produce statistics about the number of user IDs that have update access to one or more APF-authorized libraries.

  • You can use zSecure Audit to produce a detailed listing of all users with access to an APF-authorized library

Report user dataset profiles with high universal access (UACC) or access to ID(*)


Shows you how to generate a report that shows all dataset profiles that start with a user ID and allow access through UACC or ID(*).


15 minutes

Report users with direct and indirect RACF system-wide privileges

This program shows the user IDs that have system-wide privileges which includes:


Report USS ACLs with orphan entries

This course shows you how to report UNIX System Services (USS) files and directories that store extended Access Control List (ACL) entries for RACF IDs that no longer exist in the RACF database.

Duration: 15 minutes

Reporting on inactive user IDs

This document explains how to create reports on user ID inactivity using zSecure CARLa.

Duration: 15 minutes

Reporting on user IDs with custom fields

This course details how to create a report on user IDs with custom fields.

RACF supports the definition of custom fields and storing values for them in the CSDATA segment of user and group profiles.

Before you can use custom fields, the fields must first be defined in the CFIELD resource class.

The detailed characteristics of the custom fields are defined in the CFDEF segment of the corresponding CFIELD profiles.

Duration: 15 minutes

Reporting user ID password interval settings in zSecure

The following CARLa program shows the password interval for all existing user IDs.

With regards to the password interval, two settings exist that are of particular interest to most auditors:

  • User IDs that are assigned the PROTECTED attribute do not have a password interval
  • Some user IDs might be assigned a password value that never expires. In that case, users can use the same password value infinitely. For these user IDs, by default, the password interval is reported as 255. The value 255 means that a user must never change their password value. 
Time: 20 minutes

Show effective resource access after RACLIST processing

This program reports the effective access that is defined to resources that are RACLISTed.

Show separate segment information of a profile in a single line

This command shows profile information that is stored in several application segments of a RACF profile in a single output line of a CARLa report.

  • With the standard IBM Security zSecure Admin panels, you can list profiles based on values that the BASE or other application segments store. It is even supported to report the information from multiple segments.
  • However, in the zSecure ISPF interface or when you use the Print format, this information is shown in separate reports (ISPF) or report lines (Print format).
  • For example, what if you decide to generate a user ID overview that shows the user name, default group, revoke status, TSO region size, and assigned UID value. This example means that you must extract information from the BASE, TSO, and OMVS segments simultaneously. 

Use cross-NEWLIST LOOKUP in SELECT statement

This course details how to generate a scope report for a user that shows permissions to profiles that are defined in resource classes that, according to the Class Descriptor Table (CDT) settings, are inactive.

Duration: 15 minutes

Use of System Management Facility (SMF) report commands

This course details how to report all RACF commands that are issued during a certain timeslot that the SMF data sets cover.