IBM Z Software
Hide about this portal
This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
Hans, thanks for the comment, but maybe the reasoning for my request was not clear.
My concern was with REPORT SCOPE=userid. If I have a manager reviewing his employee's access and it shows that the employee has access to some CICS Transactions via GROUP1, that manager might request removing the connection to GROUP1 or deleting the permissions to GROUP1 should no longer allow the employee access to the CICS transactions.
However the employee may have another group connection with similar access to the CICS transactions via GROUP2. The manager would not know that the employee "still retained" the access, because the manager might not know GROUP2 also had the access. The only way to know is to have the reports run again after GROUP1 was removed or wait till the next access certification cycle.
It really has nothing to do with sensitive resources, and I think I would not want to classify virtually anything as sensitive to deal with a reporting situation. I felt if the user was connected to more than one group, and more than one group granted access to the same profile, the SCOPE report should show both groups granting the access.
Thank you for your time and attention.
The report designed to show all access paths to sensitive resource is TRUSTED, in the UI under RE.T. But then you might need to classify the resources you want to look at as sensitive. The RA.3.4 report is designed to show RACF profiles in scope but not all the hundreds of reasons why. We feel it makes more sense to make sure RE.T can do the type of selection and classifications you want. Would it be helpful if we add a panel to RE.T to classify a resource as sensitive so that it pops up in the report?