RACF- How to find the Last access of a DELETED RACF userid

 
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

PostPosted: Thu Jun 21, 2018 3:19 pm    Post subject: RACF- How to find the Last access of a DELETED RACF userid

Hello All,

I have an audit requirement where I need to find the last login of a deleted userid.

We deleted the USERID 6 months back, but we need to know what was the last login date of the deleted id.

If there is any way, kindly share.

Thanks Again..
Rahul

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8744
Location: Welsh Wales

PostPosted: Thu Jun 21, 2018 3:25 pm    Post subject:

SMF data would be my first call

Type 30, if I remember correctly.
This should get the address space name and date and time it started.
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8410
Location: Dubuque, Iowa, USA

PostPosted: Thu Jun 21, 2018 6:00 pm    Post subject: Reply to: RACF- How to find the Last access of a DELETED RACF userid

Or use type 32 SMF records, which record TSO activity.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 262

PostPosted: Thu Jun 21, 2018 6:52 pm    Post subject: Reply to: RACF- How to find the Last access of a DELETED RACF userid

Do you have zSecure (or equivalent) installed? If yes, just ask your RACF Administrator.
If not ..... good luck
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1621
Location: Oregon

PostPosted: Fri Jun 22, 2018 2:02 am    Post subject:

Hi,
Quote:
Or use type 32 SMF records which records TSO activity.

I understand SMF would have the data, but it would require processing a really large amount of data to get TSO activity.
It might be easier to look at SYSLOG data if it is available for the message,
Code:
$HASP373 <USERID>   STARTED

However if the user logs onto CICS directly without TSO, then SYSLOG might not have the CICS logon. Also Type 30 might not capture CICS logon, I am not sure.

I think the surefire way is to process SMF type 80, to catch all types of logons like direct DB2 access, CICS logon, TSO etc.

Please correct me if I am wrong.
Regards,
Vasanth.S
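
The SYSLOG search suggested in the post above, as an added Python example that is not part of the thread: it scans archived SYSLOG text for `$HASP373 <USERID> STARTED` and returns the most recent occurrence. The sample lines and the column layout they assume (Julian yyddd date, time, then job id before the message) are constructed, and `last_started` and the userids are hypothetical names.

```python
import re
from datetime import datetime

# Constructed SYSLOG-style lines, not real output. Assumed layout: system
# name, Julian date (yyddd), time, job id, flags, then the message text.
SAMPLE_SYSLOG = """\
N 4000000 SYSA     17340 08:15:02.11 TSU04411 00000090  $HASP373 AUDUSR1  STARTED
N 4000000 SYSA     17340 08:15:09.73 TSU04411 00000090  IEF125I AUDUSR1 - LOGGED ON - TIME=08.15.09
N 4000000 SYSA     17351 17:42:30.05 TSU05120 00000090  $HASP373 AUDUSR1  STARTED
N 4000000 SYSA     17351 17:50:12.60 TSU05125 00000090  $HASP373 OPSUSR2  STARTED
N 4000000 SYSA     17352 02:00:00.00 JOB07001 00000090  $HASP373 AUDUSR1X STARTED - INIT 3 - CLASS A - SYS SYSA
N 4000000 SYSA     17349 11:05:44.90 TSU04980 00000090  $HASP373 AUDUSR1  STARTED
"""

# $HASP373 is the "started" message named in the post above.
HASP373 = re.compile(
    r"\s(\d{5})\s+(\d{2}:\d{2}:\d{2})\.\d{2}\s+(\S+)\s+\S+\s+"
    r"\$HASP373\s+(\S+)\s+STARTED"
)


def last_started(lines, userid):
    """Return (timestamp, job id) of the newest $HASP373 for userid, or None."""
    wanted = userid.upper()
    newest = None
    for line in lines:
        m = HASP373.search(line)
        if not m or m.group(4) != wanted:
            continue  # other message, or a longer name such as AUDUSR1X
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y%j %H:%M:%S")
        # Compare timestamps instead of trusting line order: archives may
        # be concatenated out of sequence.
        if newest is None or stamp > newest[0]:
            newest = (stamp, m.group(3))
    return newest


if __name__ == "__main__":
    for user in ("AUDUSR1", "OPSUSR2", "GONEUSR"):
        print(user, last_started(SAMPLE_SYSLOG.splitlines(), user))
```

The returned job id lets you tell a TSO session (the `TSU` prefix in this constructed data) from a batch job that happens to carry the same name as the userid.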
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8410
Location: Dubuque, Iowa, USA

PostPosted: Fri Jun 22, 2018 2:13 am    Post subject:

Vasanthz, your approach would only work if the site retains the SYSLOG for more than 6 months; I'm not sure there's a lot of sites that do so. Most sites retain SMF records for quite a long time, but not SYSLOG. The topic started by asking about deleted userid, which I assume rules out CICS logons -- if not, then the answer becomes more complicated since the type 30 records do NOT include CICS logons.
Quote:
I understand SMF would have the data, but it would require processing really large amount of data to get TSO activity.
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32. And the type 80 records require more analysis since you have to extract the correct event / code qualifiers.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1621
Location: Oregon

PostPosted: Fri Jun 22, 2018 2:57 am    Post subject:

Quote:
your approach would only work if the site retains the SYSLOG for more than 6 months;

Yes :-) It would work only if the user is lucky to have SYSLOG for the required duration. We have it archived in SAR for 1 year, which is the first point of investigation we use before going to SMF.

Thanks for the information Robert.
Quote:
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32.
Ya I agree there are a lot of type 80 records for several events.

I just extracted only SMF type 80, Event 1 for a day and there were 86K records, which is kind of a lot.

Regards,
Vasanth.S
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

PostPosted: Mon Jun 25, 2018 12:10 pm    Post subject:

Thanks All,

We used SMF record types 80 to 83 to find the last login, and used ICETOOL to sort them properly.

Also, we have a DB2 table which contains all the CICS programs and sessions used by the user.

We were able to write some SQL and fetch the data from the DB2 table.

Thanks All ... It was really helpful!

Regards,
Rahul
All times are GMT + 6 Hours