XOpen
New User
Joined: 19 Mar 2008 Posts: 24 Location: Russia
I mean:
/D O
Code:
IEE603I 12.01.39 OPDATA DISPLAY 654
PREFIX OWNER SYSTEM SCOPE REMOVE FAILDSP
$ JES2 E07 SYSTEM NO SYSPURGE
% RACF E07 SYSTEM NO PURGE
you can execute /%LISTUSER userid
Any SDSF;LOG command is issued as if it was entered from the system console, so it will be executed with default authority (in most cases under IBMUSER).
Sure, you can protect which commands users are allowed to enter in the console.
Posted: Mon Mar 24, 2008 9:40 pm Post subject: Re:
 |
|
|
 |
enrico-sorichetti
Global Moderator
Joined: 14 Mar 2007 Posts: 2292 Location: italy
Quote:
you can execute /%LISTUSER userid
When (from any SDSF panel) typing something prefixed with "/", the typed string will be considered a console command and will be processed as such.
Typing /%LISTUSER will result in the error message
IEE305I %LISTUSE COMMAND INVALID
XOpen
New User
Joined: 19 Mar 2008 Posts: 24 Location: Russia
Hm.. I might be wrong, sorry, can't test in my current environment...
XOpen
New User
Joined: 19 Mar 2008 Posts: 24 Location: Russia
No, no...
I mean, it can be possible that it checks my userid authority, but I do enter RACF commands via console.
Please refer to 4.0 Chapter 4. RACF operator commands in Security Server RACF Command Language Reference
XOpen
New User
Joined: 19 Mar 2008 Posts: 24 Location: Russia
I did it:
Code:
0210 D O
0010 IEE603I 12.01.39 OPDATA DISPLAY 654
0010 PREFIX OWNER SYSTEM SCOPE
0010 $ JES2 E07 SYSTEM
0010 %SYSNAME RACF E07 SYSTEM
Output:
Code:
0210 %SYSNAMELISTUSER SPOSPEL
0010 IRRA011I (%SYSNAME) OUTPUT FROM LISTUSER: 768
0010 USER=SPOSPEL NAME=SERGEY POSPELOV OWNER=QA CREATED=07.220
0010 DEFAULT-GROUP=QA PASSDATE=07.221 PASS-INTERVAL=N/A
0010 ATTRIBUTES=NONE
0010 REVOKE DATE=NONE RESUME DATE=NONE
0010 LAST-ACCESS=08.084/12:34:50
Code:
0210 %SYSNAMELISTUSER IYASCHU
0010 IRRA011I (%SYSNAME) OUTPUT FROM LISTUSER: 781
0010 ICH30002I NOT AUTHORIZED TO LIST IYASCHU
I don't have SPECIAL, so I can't check which userid caused the reject (mine or the default).
XOpen
New User
Joined: 19 Mar 2008 Posts: 24 Location: Russia
Enrico, please check your RACF sub-prefix before entering the command.
If I use /%LISTUSER instead of /%SYSNAMELISTUSER I also get
IEE305I %LISTUSE COMMAND INVALID
, without the R at the end.
PS: why can't I change my previous posts?
Anuj D.
Senior Member
Joined: 22 Apr 2006 Posts: 1252 Location: Mumbai, India
XOpen wrote:
PS: why can't I change my previous posts?
Because only Moderators have rights to modify a post; if it's essential, you can send a PM (Private Message) to a Moderator here.
enrico-sorichetti
Global Moderator
Joined: 14 Mar 2007 Posts: 2292 Location: italy
I just checked: any user can issue a LU/LISTUSER from ISPF option 6 to see his/her attributes.
Your setup is peculiar; for example, there is a glitch in the prefix used for RACF.
The command prefix for a subsystem is a string or a single char (check the DB2 / IMS setup).
Somebody setting up your RACF subsystem name had a finger check,
thinking that %SYSNAME would be substituted by the corresponding system symbol (maybe).
Look at the INITPARM('.....') of the active IEFSSNxx member and substitute a single char or a meaningful string.
Anyway, I just checked:
all the RACF commands issued through the SDSF interface "/" are issued with the userid of the corresponding TSO session,
and to issue RACF-controlled commands through the console a "LOGON" is required,
and in the particular case RACF commands to the RACF subsystem.
After all, the possibility to issue RACF commands through the console is more a trouble than an advantage;
logon is needed in any case.
enrico-sorichetti
Global Moderator
Joined: 14 Mar 2007 Posts: 2292 Location: italy
The % in your previous posts had misled me;
a % is the manner of telling TSO that what follows is a REXX or a CLIST, not a command
(but since I was having a brain check I had mixed up the behavior).
No need to send RACF commands through the operator interface; you will not have any authority other than your own.