Need a query to list all persons with $DD-ADM profile

Document ID : KB000040562
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

I've been asked by auditors to provide a "system generated list" (ie, a query) of all users with administrative access.

I know people with administrative access have the $DD-ADM profile.

Can you help me with a DataQuery query or some command that will list PERSONS with the $DD-ADM profile.

 

Answer:

See below two ways to get the result via Data Query or DDUTILTY: 

The following Data Query SYSIN should do it: 
Continuation "+" in column 72 
----+----1----+----2----+----3----+----4----+----5----+----6----+----7-- 
//SYSIN DD * 
SIGN-ON DATACOM-INSTALL PASSWORD NEWUSER 
OPTION QUERYLANG=DQL 
FIND RELATIONSHIP RELATED BY SUBJ-OCC-NAME VIA ENTITY-NAME TO PERSON + 
WITH PERSON.ENTITY-VER = RELATIONSHIP.SUBJ-VRS-NUM                                           + 
AND PERSON.STATUS NOT = 'H'                                                                                                   + 
AND RELATIONSHIP.ENTITY-NAME = 'PER-ATZ-AUTH'                                                           + 
AND RELATIONSHIP.OBJ-OCC-NAME = '$DD-ADM'                                                                 + 
SORT RELATIONSHIP SUBJ-OCC-NAME OBJ-OCC-NAME                                                    + 
PRINT FROM RELATIONSHIP SUBJ-OCC-NAME 'USER NAME'                                            + 
OBJ-OCC-NAME 'AUTHORIZATION' 
EXECUTE * 

or 

The following DDUTILTY SYSIN should do it as well: 

//SYSIN DD * 
+USR DATACOM-INSTALL,NEWUSER 
-DEF PATH,PERATZ 
-DEF TRACE,AUTHORIZATION.PERSON,PER-ATZ-AUTH 
-END 
-RPT START,AUTHORIZATION,$DD-ADM(PROD,PRIV),PERATZ 
-RPT INDEX 
-END 
/*