Portal | Manuals | References | Downloads | Info | Programs | JCLs | Master the Mainframes
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Usergroups Profile Log in to check your private messages Log in
 

 

RACF utilities to get the access details

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> IBM Tools
View previous topic :: :: View next topic  
Author Message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Tue May 22, 2012 8:33 pm    Post subject: RACF utilities to get the access details
Reply with quote

Hey All,
I wish to know about the RACF utility through which we can get the details of all the users who have accessed/browsed/viewed any particular dataset.

Thanks In advance

Navdeep Aggarwal
Back to top
View user's profile Send private message

Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 7913
Location: Bellevue, IA

PostPosted: Tue May 22, 2012 8:48 pm    Post subject:
Reply with quote

AFAIK, there is no RACF utility to "get the details of all the users who have accessed/browsed/viewed any particular dataset". Details about who accesses which data set are stored in the SMF records. Details about the different user ids that are in the SMF records are stored in the RACF data base.

Perhaps you should talk to your site support group about precisely what it is you are attempting to accomplish and see if they can help you?
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Tue May 22, 2012 8:51 pm    Post subject:
Reply with quote

ever on the hunt
for those miscreants
that invade 'private' libraries that don't belong to them.
Back to top
View user's profile Send private message
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Tue May 22, 2012 10:02 pm    Post subject:
Reply with quote

Hello,

If you have proper access and know-how, you might find what you are looking for in the SMF data. . .

Is there some business reason to do this or are you just curious? Wading thru SMF is not trivial - even if you know how . . .
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Tue May 22, 2012 10:05 pm    Post subject:
Reply with quote

dick scherrer wrote:
Hello,

If you have proper access and know-how, you might find what you are looking for in the SMF data. . .

Is there some business reason to do this or are you just curious? Wading thru SMF is not trivial - even if you know how . . .


Hey,
Yes there is a business reason to do this to monitor users who goes to places where they are not used to. And yes we will have access to the SMF data, but how can we get the desired details from it ?
Back to top
View user's profile Send private message
Akatsukami

Global Moderator


Joined: 03 Oct 2009
Posts: 1738
Location: Bloomington, IL

PostPosted: Tue May 22, 2012 10:10 pm    Post subject:
Reply with quote

Navdeep Aggarwal wrote:
Hey,
Yes there is a business reason to do this to monitor users who goes to places where they are not used to.

And your RACF analysts are refusing to maintain profiles and monitor access attempts because...?
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Tue May 22, 2012 10:14 pm    Post subject:
Reply with quote

Hey, the hammer worked on my car,
should work for my monitor also.
Back to top
View user's profile Send private message
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Tue May 22, 2012 10:16 pm    Post subject:
Reply with quote

Hello,

If the security permissions are set up properly, there is no need to monitor. . .

People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people).
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Tue May 22, 2012 10:25 pm    Post subject:
Reply with quote

dick scherrer wrote:
Hello,

If the security permissions are set up properly, there is no need to monitor. . .

People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people).


Hello,
Yes you are right Dick that the security people should be informed. I just want to know that process as to how we can inform the security people, when such activity happens.
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Tue May 22, 2012 10:34 pm    Post subject:
Reply with quote

wow, this really is rookie day!

if the proper RACF security is in place,
the security people will notify you!!!!!!!!!!!!!!!!!!!!!!

these 'who did this and who did that' problems are nonsense.

have proper security, and you won't be asking,
because the security will inhibit those who should not see, from seeing.

if it is members of your team, (who obviously can not be inhibited)
you have bigger problems on your hands.
fire the idiots.
either that or purchase/build a repository to safeguard all these treasures.
Back to top
View user's profile Send private message
Akatsukami

Global Moderator


Joined: 03 Oct 2009
Posts: 1738
Location: Bloomington, IL

PostPosted: Tue May 22, 2012 10:38 pm    Post subject:
Reply with quote

Navdeep Aggarwal wrote:
dick scherrer wrote:
Hello,

If the security permissions are set up properly, there is no need to monitor. . .

People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people).


Hello,
Yes you are right Dick that the security people should be informed. I just want to know that process as to how we can inform the security people, when such activity happens.

You are once again missing the point. RACF itself automatically informs the security analysts. If they are ignoring those notifications, there is nothing that you can do (unless you have been promoted to CIO since your last post) to make them pay attention.
Back to top
View user's profile Send private message
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Wed May 23, 2012 12:07 am    Post subject:
Reply with quote

Hello,

You (or the true owner of the file(s)) need to communicate with the security people to define which people (or groups) may have which access to these datasets (read, write, etc).

Then you should not have to do anything else. The security people should contact or report any offenders when the attempt is made by someone not authorized..
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1445
Location: Azeroth

PostPosted: Wed May 23, 2012 1:18 am    Post subject:
Reply with quote

I put together a JCL sometime back from Frank's samples on Beyond Sorting for datasets browse stats from SMF rectype 14. Cant resist posting eventhough there is a lot of questions need answered by the topic starter's original intention. Hope it helps someone.
Code:
//SORT  EXEC PGM=SORT,REGION=5000K                 
//SYSPRINT DD  SYSOUT=*                             
//SYSOUT   DD  SYSOUT=*                             
//SORTIN   DD  DISP=SHR,DSN=SMF DUMP DATASET       
//SORTOUT  DD  DISP=(NEW,PASS),DSN=&&TEMP,         
//             SPACE=(CYL,(50,20),RLSE),DCB=*.SORTIN
//SYSIN    DD   *                                   
   SORT FIELDS=COPY                                 
   INCLUDE COND=(6,1,BI,EQ,X'0E',&,69,44,CH,EQ,     
               C'DSN.NAME.UNDER.SCRUTINY')         
/*                                                 
//JS020    EXEC PGM=ICETOOL                         
//TOOLMSG  DD SYSOUT=*                             
//DFSMSG   DD SYSOUT=*                             
//SMF14    DD DSN=&&TEMP,DISP=(OLD,DELETE,DELETE)   
//SMF14RPT DD SYSOUT=*                             
//SYSOUT   DD SYSOUT=*                             
//TOOLIN   DD *                                     
  DISPLAY FROM(SMF14) LIST(SMF14RPT) -             
  TITLE('SMF TYPE-14 RECORDS') DATE(4MD/) -         
  HEADER('DATE') ON(11,4,DT1,E'9999/99/99') -       
  HEADER('TIME') ON(7,4,TM1,E'99:99:99') -         
  HEADER('SYS') ON(15,4,CH) -                       
  HEADER('JOBNAME') ON(19,8,CH) -                   
  HEADER('DATASETNAME') ON(69,44,CH)               
/*         

Output:
Code:
      DATE       TIME   SYS    JOBNAME    DATASETNAME           
----------   --------   ----   --------   ----------------------
2011/08/04   13:02:31   XXXX   USERID1    FILE.UNDER.SCRUTINY   
2011/08/04   13:02:31   XXXX   USERID1    FILE.UNDER.SCRUTINY   
2011/08/04   15:03:58   XXXX   USERID2    FILE.UNDER.SCRUTINY   
2011/08/04   15:03:59   XXXX   USERID2    FILE.UNDER.SCRUTINY   
2011/08/04   15:04:23   XXXX   USERID2    FILE.UNDER.SCRUTINY   
2011/08/04   15:04:23   XXXX   USERID2    FILE.UNDER.SCRUTINY   
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Wed May 23, 2012 1:44 am    Post subject:
Reply with quote

Thanks vasanthz for this input. May i ask, what clarifications do you require from my side regarding my query ?
Back to top
View user's profile Send private message
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Wed May 23, 2012 1:56 am    Post subject:
Reply with quote

Hello,

I do not believe Vasanth is looking for any clarification. He provided some sample code for your use. . . And further modification as needed.

Is there some good reason why this is not addressed properly thru security?

I suspect you don't realize how much data you will probably need to look at to get what you want. . .
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Wed May 23, 2012 2:02 am    Post subject:
Reply with quote

dick scherrer wrote:
Hello,

I do not believe Vasanth is looking for any clarification. He provided some sample code for your use. . . And further modification as needed.

Is there some good reason why this is not addressed properly thru security?

I suspect you don't realize how much data you will probably need to look at to get what you want. . .


Hello,
All this I am asking is because there is no security person in the team. The system is running fine on old profiles/rules , however a new requirement has made us to look for this in RACF.
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Wed May 23, 2012 2:23 am    Post subject:
Reply with quote

Quote:
seee? I'm right, you are wrong!
the situation at my site requires that i follow this route.
now, there!
Back to top
View user's profile Send private message
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Wed May 23, 2012 2:23 am    Post subject:
Reply with quote

Hello,

Quote:
The system is running fine on old profiles/rules
If the old security profiles/rules do not provide security, we cannot believe the system is running fine. . .

If the organization was audited, there might be some very unpleasant experiences.

Good luck with pulling what you want from SMF.
Back to top
View user's profile Send private message
Pedro

Senior Member


Joined: 01 Sep 2006
Posts: 2019
Location: Silicon Valley

PostPosted: Wed May 23, 2012 3:43 am    Post subject: Reply to: RACF utilities to get the access details
Reply with quote

I used to be in charge of security at our site, many years ago.

Pedro's recommendations:

1. make sure all userids and RACF groups have a generic profile, and the appropriate people are authorized, such as:
Code:
ADDSD 'PEDRO.*' UACC(NONE) NOTIFY(PEDRO)
PERMIT 'PEDRO.*'  ID(mydept) ACCESS(READ)
PERMIT 'PEDRO.*'  ID(billy) ACCESS(UPDATE)

The key thing regarding this thread is the NOTIFY parameter. The person will get a broadcast message when there is a security violation.

2. turn on PROTECTALL (might already be on)
Code:
SETROPTS PROTECTALL(FAILURES)


RACF security admins can still get their info from SMF type 80 records and such. But with NOTIFY(), it sort of decentralizes the security administration. You will get notified when someone not authorized tries to read your file.
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1445
Location: Azeroth

PostPosted: Wed May 23, 2012 11:16 am    Post subject:
Reply with quote

Pedro's suggestion seems to be the simplest and the correct way of doing this.

The SMF option is not recommended and "highly not recommended" if you do not know the time interval in which the event might have occured. Else you have to plough through Gigabytes of SMF data to retrieve what you are looking for.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> IBM Tools All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
No new posts IMS DC screen Access sivasaras IMS DB/DC 3 Fri Nov 18, 2016 6:38 pm
No new posts Access SQLCA fields inside a stored p... gangapd DB2 4 Thu Oct 27, 2016 10:20 am
No new posts RACF profile access vasanthz All Other Mainframe Topics 11 Fri Sep 23, 2016 5:51 am
No new posts hot to get details when "EXEC CI... Andi1982 CICS 11 Tue Sep 20, 2016 5:01 pm
No new posts RACF Easytrieve Plus macro Susan Jackson CA Products 0 Fri Jun 03, 2016 8:25 pm


Facebook
Back to Top
 
Mainframe Wiki | Forum Rules | Bookmarks | Subscriptions | FAQ | Tutorials | Contact Us