We had a situation wherein many of our jobs failing because a group id was revoked. We figured out somoeone had changed the password (by checking the PASSDATE column from TSO LU command output). Our RACF administrators do not admit that they changed the password. We asked them to run an audit but the whole RACF administration team is very young and they have no idea about the Audits (sounds scary. huh?!!).
Is it possible to check who changed the password? Does anybody have any JCL which you could share with me to identify who changed it? I am a mainframe administrator and have most of the RACF privileges. (I did not change the password, though.. lol)
It had non expiry password. When we had failure for the first time we just resumed the id and did nothing to the password. Jobs failed when they tried to access with the original password. Later we had resumed and set the id back to the original password. since then we had no issues.
Yeah, I would bet my money on them too because they do not know what they are doing
Joined: 30 Nov 2013 Posts: 708 Location: The Universe
Mr. Jensen has a good idea, but I don't think RACF writes an SMF 80 record for a user initiated change. In other words, if XX00001 changed his own password, either through ALTUSER or the TSO-E LOGON panel, it won't be there.
Yeah, I can confirm your words, Steve-Myers. I ran the job against SMF record type 80 as Jensen suggested but I do not see any hits for ALTUser command. I could see hits for successful dataset access and dataset delete and one hit for RACINIT.
So no other way to identify who changed the password?