Portal | Manuals | References | Downloads | Info | Programs | JCLs | Mainframe wiki | Quick Ref
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Profile Log in to check your private messages Log in
 
RACF- How to find the Last access of a DELETED RACF userid

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics
View previous topic :: :: View next topic  
Author Message
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

PostPosted: Thu Jun 21, 2018 3:19 pm    Post subject: RACF- How to find the Last access of a DELETED RACF userid
Reply with quote

Hello All,

I have a Audit requirement where i need to find a Last login of a Deleted userid.

We have Deleted the USERID 6 months back, but we need to know what was the last login date of the deleted id.

If there is any way kindly share.

Thanks Again..
icon_smile.gif
Rahul
Back to top
View user's profile Send private message

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8697
Location: Back in jolly old England

PostPosted: Thu Jun 21, 2018 3:25 pm    Post subject:
Reply with quote

SMF data would be my first call

Types 30 if I remember correctly.
This should get the address space name and date and time it started.
Back to top
View user's profile Send private message
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8361
Location: Dubuque, Iowa, USA

PostPosted: Thu Jun 21, 2018 6:00 pm    Post subject: Reply to: RACF- How to find the Last access of a DELETED RACF userid
Reply with quote

Or use type 32 SMF records which records TSO activity.
Back to top
View user's profile Send private message
nevilh

Active User


Joined: 01 Sep 2006
Posts: 262

PostPosted: Thu Jun 21, 2018 6:52 pm    Post subject: Reply to: RACF- How to find the Last access of a DELETED RACF userid
Reply with quote

Do you have zSecure (or equivalent) installed . If yes just ask your RACF Administrator.
if not ..... good luck
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1577
Location: Chennai

PostPosted: Fri Jun 22, 2018 2:02 am    Post subject:
Reply with quote

Hi,
Quote:
Or use type 32 SMF records which records TSO activity.

I understand SMF would have the data, but it would require processing really large amount of data to get TSO activity.
It might be easier to look at SYSLOG data if it is available for the message,
Code:
$HASP373 <USERID>   STARTED

However if the user logs onto CICS directly without TSO, then SYSLOG might not have the CICS logon. Also Type 30 might not capture CICS logon, I am not sure.

I think the sure fire way is to process SMF type 80, to catch all type of logons like Direct DB2 access, CICS logon, TSO etc..

Please correct me if I am wrong.
Regards,
Vasanth.S
Back to top
View user's profile Send private message
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8361
Location: Dubuque, Iowa, USA

PostPosted: Fri Jun 22, 2018 2:13 am    Post subject:
Reply with quote

Vasanthz, your approach would only work if the site retains the SYSLOG for more than 6 months; I'm not sure there's a lot of sites that do so. Most sites retain SMF records for quite a long time, but not SYSLOG. The topic started by asking about deleted userid, which I assume rules out CICS logons -- if not, then the answer becomes more complicated since the type 30 records do NOT include CICS logons.
Quote:
I understand SMF would have the data, but it would require processing really large amount of data to get TSO activity.
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32. And the type 80 records require more analysis since you have to extract the correct event / code qualifiers.
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1577
Location: Chennai

PostPosted: Fri Jun 22, 2018 2:57 am    Post subject:
Reply with quote

Quote:
your approach would only work if the site retains the SYSLOG for more than 6 months;

Yes :-) It would work only if the user is lucky to have SYSLOG for the required duration. We have it archived in SAR for 1 year. Which is the first point of investigation we use, before going to SMF.

Thanks for the information Robert.
Quote:
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32.
Ya I agree there are a lot of type 80 records for several events.

I just extracted only SMF type 80, Event 1 for a day and there were 86K records. which is kind of a lot.

Regards,
Vasanth.S
Back to top
View user's profile Send private message
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

PostPosted: Mon Jun 25, 2018 12:10 pm    Post subject:
Reply with quote

Thanks All,

We used SMF record type 80 to 83 to find the last login , and Used ICETOOL to sort them properly.

Also we have a DB2 Table which contain all the CICS Programs and sessions used by User.

Were able to write some SQL and fetch the data from DB2 Table.

Thanks All ... It was really help full ..!

Regads,
Rahul
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
This topic is locked: you cannot edit posts or make replies. Rexx code to find greater then symobl... Bharath Vikraman CLIST & REXX 8 Tue May 29, 2018 9:40 am
No new posts Find & Replace string in CA-SORT mrgnndhmk CA Products 1 Fri Mar 30, 2018 12:58 am
No new posts Find a string in PS file opened in br... mukkas CLIST & REXX 3 Sat Feb 24, 2018 2:15 pm
No new posts RACF - Sub groups - how they work? vasanthz JCL & VSAM 1 Wed Jan 10, 2018 6:44 am
No new posts The same REXX program doesnt work for... jackzhang75 CLIST & REXX 5 Wed Dec 06, 2017 2:51 am

Facebook
Back to Top
 
Job Vacancies | Forum Rules | Bookmarks | Subscriptions | FAQ | Polls | Contact Us