|
View previous topic :: View next topic
|
| Author |
Message |
vinit_infy
Warnings : 1
New User
Joined: 07 Apr 2005
Posts: 56
|
|
|
|
How do i know till what date my mainframe id will work? I mean do you have any idea to get the accessor id expiration date?
Any suggestion is most appreciated..
Many Thanks.
Vinit
Warning: Title Edited |
|
| Back to top |
|
 |
cpuhawg
Active User
Joined: 14 Jun 2006
Posts: 331
Location: Jacksonville, FL
|
|
|
|
If your shop uses RACF, you can display your own RACF parameters by entering TSO LU USERID on the command line where USERID is equal to your own ID.
You should get results:
| Code: |
USER=AB1234 NAME=ANALYST NAME OWNER=SYSADM CREATED=04.265
DEFAULT-GROUP=SYS1 PASSDATE=07.005 PASS-INTERVAL= 30
ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=07.029/08:15:12
|
Look at REVOKE DATE. If it is equal to NONE, there is no set expiration date for your ID and it will stay active until the Security administrator removes it. If there is a date there instead of NONE, the date specifies when your ID will become REVOKED. |
|
| Back to top |
|
|
vinit_infy
Warnings : 1
New User
Joined: 07 Apr 2005
Posts: 56
|
|
|
|
| I dont have the RACF product enabled. Is there any other ways or commands to see the expiration details please? |
|
| Back to top |
|
|
cpuhawg
Active User
Joined: 14 Jun 2006
Posts: 331
Location: Jacksonville, FL
|
|
|
|
| What is your security product on the mainframe? ACF2, Top Secret, or something else. |
|
| Back to top |
|
|
vijikesavan
Active User
Joined: 04 Oct 2006
Posts: 118
Location: NJ, USA
|
|
|
|
Hi,
I need to know the same information as how long my user id is active.
Then I can renew it accordingly.
The commane TSO LU "userid" didnt work for me. gave error "command LU not found"
We have ACF2 installed.
Can anyone please let me know the command to check?
Thanks,
Viji |
|
| Back to top |
|
|
expat
Global Moderator
Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales
|
|
|
|
| Ever thought of just emailing your security admin people ? |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
it depends on your position within the company...
if You are a full time employee, the userid should not expire
if You are a consultant, usually, Your userid will not expire,
somebody will take care of disabling it at contract end
if You are in a group of contractors then Your contract/project manager should have already given You such info,
together with a document containing Your work/behavior standards and practices
in some cases You might also have been given an internal email address
and personal badge for access control |
|
| Back to top |
|
|
Agni
New User
Joined: 22 Nov 2007
Posts: 83
Location: Chennai
|
|
|
|
Hi cpuhawg,
Can you tell me how to know that which security product is installed in my shop? When I tried the "TSO LU USERID" i got the message as follows:
RACF PRODUCT DISABLED: COMMAND ENDED.
***
Thanks in advance
Agni. |
|
| Back to top |
|
|
vijikesavan
Active User
Joined: 04 Oct 2006
Posts: 118
Location: NJ, USA
|
|
|
|
Thanks for the reply.
I was a consultant and recently got converted to full time employee. So I was not sure whether my TSO userid is changed to "no expiration date"..
Just thought if I can find out before contacting system admin.
If there is no way, then I'll contact them.
Thanks,
Viji |
|
| Back to top |
|
|
HappySrinu
Active User
Joined: 22 Jan 2008
Posts: 194
Location: India
|
|
|
|
In Acf you can try with below commands
1.TSO ACF (Mostly every one have access to see their own id's info
2. L <space> userid youwill get some info which has your privileges etc but not sure whether it has your end date of your access.
give a try |
|
| Back to top |
|
|
Anuj Dhawan
Superior Member
Joined: 22 Apr 2006
Posts: 6250
Location: Mumbai, India
|
|
|
|
Hi,
is it a valid TSO command, doesn't work for me.. |
|
| Back to top |
|
|
sri_mf
Active User
Joined: 31 Aug 2006
Posts: 218
Location: India
|
|
|
|
| HappySrinu wrote: |
In Acf you can try with below commands
1.TSO ACF (Mostly every one have access to see their own id's info
2. L <space> userid youwill get some info which has your privileges etc but not sure whether it has your end date of your access.
give a try |
Srinu the two commands are not working in my shop. |
|
| Back to top |
|
|
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006
Posts: 19244
Location: Inside the Matrix
|
|
|
|
Hello,
As was suggested before, talk with the security admin people.
They can tell you which security product is being used, how long your id will "survive" (if it even has an "end date"), and any command you might use to look at your own id (if it is permitted).
One thing that will "time out" is your password and need to be changed periodically. |
|
| Back to top |
|
|
XOpen
New User
Joined: 19 Mar 2008
Posts: 11
Location: Russia
|
|
|
|
interested in - why do you need such info ???
Just work and don't think about it. One day you will not be able to logon, will be the right day to ask sec admins - why ?
There are many ways, your userid can be revoked. I beleive, it's not your bussiness to check one of them.
For RACF users, in some systems, you can use sdsf;log to enter LU. It will be executed under operator authority, not your's... |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
| Quote: |
| For RACF users, in some systems, you can use sdsf;log to enter LU. It will be executed under operator authority, not your's... |
NO !
any command will be executed under the authorization of TSO user
BUT if things have been properly setup the
LU command will be available to list each user attributes regardless of the racf attributes ( tested ) |
|
| Back to top |
|
|
XOpen
New User
Joined: 19 Mar 2008
Posts: 11
Location: Russia
|
|
|
|
I mean:
/D O
| Code: |
IEE603I 12.01.39 OPDATA DISPLAY 654
PREFIX OWNER SYSTEM SCOPE REMOVE FAILDSP
$ JES2 E07 SYSTEM NO SYSPURGE
% RACF E07 SYSTEM NO PURGE |
you can execute /%LISTUSER userid
Any SDSF;LOG command is issued as it was entered from system console. So it will be executed with default authority(in most cases under IBMUSER)
Sure you can protect which command user are allowed to enter in console. |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
| Quote: |
| you can execute /%LISTUSER userid |
when ( from any sdsf panel ) typing something prefixed with the "/" ,
the typed string will be considered a console command and it will be processed as such
typing /%LISTUSER will result in the error message
IEE305I %LISTUSE COMMAND INVALID |
|
| Back to top |
|
|
XOpen
New User
Joined: 19 Mar 2008
Posts: 11
Location: Russia
|
|
|
|
| Hm.. I might be wrong, sorry, can't test in my current environment... |
|
| Back to top |
|
|
XOpen
New User
Joined: 19 Mar 2008
Posts: 11
Location: Russia
|
|
|
|
No, no...
I mean, it can be possible that it checks my userid authority, but I do enter RACF commands via console.
Please refer to
4.0 Chapter 4. RACF operator commands
in
Security Server RACF
Command Language Reference |
|
| Back to top |
|
|
XOpen
New User
Joined: 19 Mar 2008
Posts: 11
Location: Russia
|
|
|
|
I did it:
| Code: |
0210 D O
0010 IEE603I 12.01.39 OPDATA DISPLAY 654
0010 PREFIX OWNER SYSTEM SCOPE
0010 $ JES2 E07 SYSTEM
0010 %SYSNAME RACF E07 SYSTEM |
Output:
| Code: |
0210 %SYSNAMELISTUSER SPOSPEL
0010 IRRA011I (%SYSNAME) OUTPUT FROM LISTUSER: 768
0010 USER=SPOSPEL NAME=SERGEY POSPELOV OWNER=QA CREATED=07.220
0010 DEFAULT-GROUP=QA PASSDATE=07.221 PASS-INTERVAL=N/A
0010 ATTRIBUTES=NONE
0010 REVOKE DATE=NONE RESUME DATE=NONE
0010 LAST-ACCESS=08.084/12:34:50
|
| Code: |
0210 %SYSNAMELISTUSER IYASCHU
0010 IRRA011I (%SYSNAME) OUTPUT FROM LISTUSER: 781
0010 ICH30002I NOT AUTHORIZED TO LIST IYASCHU |
I don't have SPECIAL, so can't check which userid caused a reject. (my or default) |
|
| Back to top |
|
|
XOpen
New User
Joined: 19 Mar 2008
Posts: 11
Location: Russia
|
|
|
|
Enrico, please check your RACF sub-prefix, before enter command.
If I use /%LISTUSER instead of /%SYSNAMELISTUSER I also get
IEE305I %LISTUSE COMMAND INVALID
, without R at the end 
ps: why I can't change my previous posts ?  |
|
| Back to top |
|
|
Anuj Dhawan
Superior Member
Joined: 22 Apr 2006
Posts: 6250
Location: Mumbai, India
|
|
|
|
| XOpen wrote: |
| ps: why I can't change my previous posts ? |
Because only Moderators has rights to modify a post, if it's essential then you can send an PM (Private Message) to some Moderator here. |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
I just checked any user can issue a LU/LISTUSER fro ispf optio 6 to see his/her attributes
Your setup is peculiar, for example there is a glitch in the prefix used for RACF
the command prefix for a subsystem is a string or a single char ( check the db2 / ims setup )
somebody setting up Your racf subsytem name had a finger check,
thinking that %SYSNAME would be substituted by the corresponding system symbol ( maybe )
look at the INITPARM('.....') of the active iefssnxx member and substitute a single char or a meaningful string
anyway I just checked
all the racf commands issued thru the sdsf interface "/" are issued with the userid of the corresponding tso session
and to issue racf controlled commands thru the console a "LOGON" is required
and in the particular case racf commands to the racf subsystem
after all the possibility to issue racf commands thru the console is more a trouble than an advantage
logon needed in any case |
|
| Back to top |
|
|
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007
Posts: 10873
Location: italy
|
|
|
|
the % in your previous posts had mislead me,
a % is the manner of telling TSO that what follows is a rexx or a clist not a command
( but since I was having a brain check I had mixed up the behavior )
no need to send racf command thru the operator interface, You will not have any authority other than Your own, |
|
| Back to top |
|
|
|
|
