Portal | Manuals | References | Downloads | Info | Programs | JCLs | Mainframe wiki | Quick Ref
IBM Mainframe Forum Index
 
Register
 
IBM Mainframe Forum Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Profile Log in to check your private messages Log in
 
RACF- How to find the Last access of a DELETED RACF userid

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics
View previous topic :: :: View next topic  
Author Message
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

PostPosted: Thu Jun 21, 2018 3:19 pm    Post subject: RACF- How to find the Last access of a DELETED RACF userid
Reply with quote

Hello All,

I have a Audit requirement where i need to find a Last login of a Deleted userid.

We have Deleted the USERID 6 months back, but we need to know what was the last login date of the deleted id.

If there is any way kindly share.

Thanks Again..
icon_smile.gif
Rahul
Back to top
View user's profile Send private message

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8783
Location: Welsh Wales

PostPosted: Thu Jun 21, 2018 3:25 pm    Post subject:
Reply with quote

SMF data would be my first call

Types 30 if I remember correctly.
This should get the address space name and date and time it started.
Back to top
View user's profile Send private message
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8465
Location: Dubuque, Iowa, USA

PostPosted: Thu Jun 21, 2018 6:00 pm    Post subject: Reply to: RACF- How to find the Last access of a DELETED RACF userid
Reply with quote

Or use type 32 SMF records which records TSO activity.
Back to top
View user's profile Send private message
nevilh

Active User


Joined: 01 Sep 2006
Posts: 262

PostPosted: Thu Jun 21, 2018 6:52 pm    Post subject: Reply to: RACF- How to find the Last access of a DELETED RACF userid
Reply with quote

Do you have zSecure (or equivalent) installed . If yes just ask your RACF Administrator.
if not ..... good luck
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1635
Location: Oregon

PostPosted: Fri Jun 22, 2018 2:02 am    Post subject:
Reply with quote

Hi,
Quote:
Or use type 32 SMF records which records TSO activity.

I understand SMF would have the data, but it would require processing really large amount of data to get TSO activity.
It might be easier to look at SYSLOG data if it is available for the message,
Code:
$HASP373 <USERID>   STARTED

However if the user logs onto CICS directly without TSO, then SYSLOG might not have the CICS logon. Also Type 30 might not capture CICS logon, I am not sure.

I think the sure fire way is to process SMF type 80, to catch all type of logons like Direct DB2 access, CICS logon, TSO etc..

Please correct me if I am wrong.
Regards,
Vasanth.S
Back to top
View user's profile Send private message
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8465
Location: Dubuque, Iowa, USA

PostPosted: Fri Jun 22, 2018 2:13 am    Post subject:
Reply with quote

Vasanthz, your approach would only work if the site retains the SYSLOG for more than 6 months; I'm not sure there's a lot of sites that do so. Most sites retain SMF records for quite a long time, but not SYSLOG. The topic started by asking about deleted userid, which I assume rules out CICS logons -- if not, then the answer becomes more complicated since the type 30 records do NOT include CICS logons.
Quote:
I understand SMF would have the data, but it would require processing really large amount of data to get TSO activity.
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32. And the type 80 records require more analysis since you have to extract the correct event / code qualifiers.
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1635
Location: Oregon

PostPosted: Fri Jun 22, 2018 2:57 am    Post subject:
Reply with quote

Quote:
your approach would only work if the site retains the SYSLOG for more than 6 months;

Yes :-) It would work only if the user is lucky to have SYSLOG for the required duration. We have it archived in SAR for 1 year. Which is the first point of investigation we use, before going to SMF.

Thanks for the information Robert.
Quote:
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32.
Ya I agree there are a lot of type 80 records for several events.

I just extracted only SMF type 80, Event 1 for a day and there were 86K records. which is kind of a lot.

Regards,
Vasanth.S
Back to top
View user's profile Send private message
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

PostPosted: Mon Jun 25, 2018 12:10 pm    Post subject:
Reply with quote

Thanks All,

We used SMF record type 80 to 83 to find the last login , and Used ICETOOL to sort them properly.

Also we have a DB2 Table which contain all the CICS Programs and sessions used by User.

Were able to write some SQL and fetch the data from DB2 Table.

Thanks All ... It was really help full ..!

Regads,
Rahul
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
No new posts RACF RANGE TABLE Martin Wickenden All Other Mainframe Topics 1 Mon Jul 08, 2019 9:06 pm
No new posts Access file which has DSNTYPE=LIBRARY maxsubrat JCL & VSAM 11 Fri Jun 21, 2019 4:09 pm
No new posts how to interrogate an Optim Access De... jzhardy DB2 2 Fri Apr 05, 2019 4:05 pm
No new posts SDSF limit access to specifc output c... David Beckham All Other Mainframe Topics 1 Thu Mar 21, 2019 10:29 pm
No new posts WSL-ADSL conversion in Webservice acc... eanupama DB2 0 Wed Jan 30, 2019 4:36 pm

Facebook
Back to Top
 
Job Vacancies | Forum Rules | Bookmarks | Subscriptions | FAQ | Polls | Contact Us