IBM Mainframe Forum Index
 
Log In
 
IBM Mainframe Forum Index Mainframe: Search IBM Mainframe Forum: FAQ Register
 

RACF utilities to get the access details


IBM Mainframe Forums -> IBM Tools
Post new topic   Reply to topic
View previous topic :: View next topic  
Author Message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Tue May 22, 2012 8:33 pm
Reply with quote

Hey All,
I wish to know about the RACF utility through which we can get the details of all the users who have accessed/browsed/viewed any particular dataset.

Thanks In advance

Navdeep Aggarwal
Back to top
View user's profile Send private message
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8700
Location: Dubuque, Iowa, USA

PostPosted: Tue May 22, 2012 8:48 pm
Reply with quote

AFAIK, there is no RACF utility to "get the details of all the users who have accessed/browsed/viewed any particular dataset". Details about who accesses which data set are stored in the SMF records. Details about the different user ids that are in the SMF records are stored in the RACF data base.

Perhaps you should talk to your site support group about precisely what it is you are attempting to accomplish and see if they can help you?
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Tue May 22, 2012 8:51 pm
Reply with quote

ever on the hunt
for those miscreants
that invade 'private' libraries that don't belong to them.
Back to top
View user's profile Send private message
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19243
Location: Inside the Matrix

PostPosted: Tue May 22, 2012 10:02 pm
Reply with quote

Hello,

If you have proper access and know-how, you might find what you are looking for in the SMF data. . .

Is there some business reason to do this or are you just curious? Wading thru SMF is not trivial - even if you know how . . .
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Tue May 22, 2012 10:05 pm
Reply with quote

dick scherrer wrote:
Hello,

If you have proper access and know-how, you might find what you are looking for in the SMF data. . .

Is there some business reason to do this or are you just curious? Wading thru SMF is not trivial - even if you know how . . .


Hey,
Yes there is a business reason to do this to monitor users who goes to places where they are not used to. And yes we will have access to the SMF data, but how can we get the desired details from it ?
Back to top
View user's profile Send private message
Akatsukami

Global Moderator


Joined: 03 Oct 2009
Posts: 1787
Location: Bloomington, IL

PostPosted: Tue May 22, 2012 10:10 pm
Reply with quote

Navdeep Aggarwal wrote:
Hey,
Yes there is a business reason to do this to monitor users who goes to places where they are not used to.

And your RACF analysts are refusing to maintain profiles and monitor access attempts because...?
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Tue May 22, 2012 10:14 pm
Reply with quote

Hey, the hammer worked on my car,
should work for my monitor also.
Back to top
View user's profile Send private message
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19243
Location: Inside the Matrix

PostPosted: Tue May 22, 2012 10:16 pm
Reply with quote

Hello,

If the security permissions are set up properly, there is no need to monitor. . .

People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people).
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Tue May 22, 2012 10:25 pm
Reply with quote

dick scherrer wrote:
Hello,

If the security permissions are set up properly, there is no need to monitor. . .

People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people).


Hello,
Yes you are right Dick that the security people should be informed. I just want to know that process as to how we can inform the security people, when such activity happens.
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Tue May 22, 2012 10:34 pm
Reply with quote

wow, this really is rookie day!

if the proper RACF security is in place,
the security people will notify you!!!!!!!!!!!!!!!!!!!!!!

these 'who did this and who did that' problems are nonsense.

have proper security, and you won't be asking,
because the security will inhibit those who should not see, from seeing.

if it is members of your team, (who obviously can not be inhibited)
you have bigger problems on your hands.
fire the idiots.
either that or purchase/build a repository to safeguard all these treasures.
Back to top
View user's profile Send private message
Akatsukami

Global Moderator


Joined: 03 Oct 2009
Posts: 1787
Location: Bloomington, IL

PostPosted: Tue May 22, 2012 10:38 pm
Reply with quote

Navdeep Aggarwal wrote:
dick scherrer wrote:
Hello,

If the security permissions are set up properly, there is no need to monitor. . .

People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people).


Hello,
Yes you are right Dick that the security people should be informed. I just want to know that process as to how we can inform the security people, when such activity happens.

You are once again missing the point. RACF itself automatically informs the security analysts. If they are ignoring those notifications, there is nothing that you can do (unless you have been promoted to CIO since your last post) to make them pay attention.
Back to top
View user's profile Send private message
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19243
Location: Inside the Matrix

PostPosted: Wed May 23, 2012 12:07 am
Reply with quote

Hello,

You (or the true owner of the file(s)) need to communicate with the security people to define which people (or groups) may have which access to these datasets (read, write, etc).

Then you should not have to do anything else. The security people should contact or report any offenders when the attempt is made by someone not authorized..
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1744
Location: Tirupur, India

PostPosted: Wed May 23, 2012 1:18 am
Reply with quote

I put together a JCL sometime back from Frank's samples on Beyond Sorting for datasets browse stats from SMF rectype 14. Cant resist posting eventhough there is a lot of questions need answered by the topic starter's original intention. Hope it helps someone.
Code:
//SORT  EXEC PGM=SORT,REGION=5000K                 
//SYSPRINT DD  SYSOUT=*                             
//SYSOUT   DD  SYSOUT=*                             
//SORTIN   DD  DISP=SHR,DSN=SMF DUMP DATASET       
//SORTOUT  DD  DISP=(NEW,PASS),DSN=&&TEMP,         
//             SPACE=(CYL,(50,20),RLSE),DCB=*.SORTIN
//SYSIN    DD   *                                   
   SORT FIELDS=COPY                                 
   INCLUDE COND=(6,1,BI,EQ,X'0E',&,69,44,CH,EQ,     
               C'DSN.NAME.UNDER.SCRUTINY')         
/*                                                 
//JS020    EXEC PGM=ICETOOL                         
//TOOLMSG  DD SYSOUT=*                             
//DFSMSG   DD SYSOUT=*                             
//SMF14    DD DSN=&&TEMP,DISP=(OLD,DELETE,DELETE)   
//SMF14RPT DD SYSOUT=*                             
//SYSOUT   DD SYSOUT=*                             
//TOOLIN   DD *                                     
  DISPLAY FROM(SMF14) LIST(SMF14RPT) -             
  TITLE('SMF TYPE-14 RECORDS') DATE(4MD/) -         
  HEADER('DATE') ON(11,4,DT1,E'9999/99/99') -       
  HEADER('TIME') ON(7,4,TM1,E'99:99:99') -         
  HEADER('SYS') ON(15,4,CH) -                       
  HEADER('JOBNAME') ON(19,8,CH) -                   
  HEADER('DATASETNAME') ON(69,44,CH)               
/*         

Output:
Code:
      DATE       TIME   SYS    JOBNAME    DATASETNAME           
----------   --------   ----   --------   ----------------------
2011/08/04   13:02:31   XXXX   USERID1    FILE.UNDER.SCRUTINY   
2011/08/04   13:02:31   XXXX   USERID1    FILE.UNDER.SCRUTINY   
2011/08/04   15:03:58   XXXX   USERID2    FILE.UNDER.SCRUTINY   
2011/08/04   15:03:59   XXXX   USERID2    FILE.UNDER.SCRUTINY   
2011/08/04   15:04:23   XXXX   USERID2    FILE.UNDER.SCRUTINY   
2011/08/04   15:04:23   XXXX   USERID2    FILE.UNDER.SCRUTINY   
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Wed May 23, 2012 1:44 am
Reply with quote

Thanks vasanthz for this input. May i ask, what clarifications do you require from my side regarding my query ?
Back to top
View user's profile Send private message
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19243
Location: Inside the Matrix

PostPosted: Wed May 23, 2012 1:56 am
Reply with quote

Hello,

I do not believe Vasanth is looking for any clarification. He provided some sample code for your use. . . And further modification as needed.

Is there some good reason why this is not addressed properly thru security?

I suspect you don't realize how much data you will probably need to look at to get what you want. . .
Back to top
View user's profile Send private message
Navdeep Aggarwal

New User


Joined: 27 Jun 2011
Posts: 8
Location: India

PostPosted: Wed May 23, 2012 2:02 am
Reply with quote

dick scherrer wrote:
Hello,

I do not believe Vasanth is looking for any clarification. He provided some sample code for your use. . . And further modification as needed.

Is there some good reason why this is not addressed properly thru security?

I suspect you don't realize how much data you will probably need to look at to get what you want. . .


Hello,
All this I am asking is because there is no security person in the team. The system is running fine on old profiles/rules , however a new requirement has made us to look for this in RACF.
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Wed May 23, 2012 2:23 am
Reply with quote

Quote:
seee? I'm right, you are wrong!
the situation at my site requires that i follow this route.
now, there!
Back to top
View user's profile Send private message
dick scherrer

Moderator Emeritus


Joined: 23 Nov 2006
Posts: 19243
Location: Inside the Matrix

PostPosted: Wed May 23, 2012 2:23 am
Reply with quote

Hello,

Quote:
The system is running fine on old profiles/rules
If the old security profiles/rules do not provide security, we cannot believe the system is running fine. . .

If the organization was audited, there might be some very unpleasant experiences.

Good luck with pulling what you want from SMF.
Back to top
View user's profile Send private message
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2594
Location: Silicon Valley

PostPosted: Wed May 23, 2012 3:43 am
Reply with quote

I used to be in charge of security at our site, many years ago.

Pedro's recommendations:

1. make sure all userids and RACF groups have a generic profile, and the appropriate people are authorized, such as:
Code:
ADDSD 'PEDRO.*' UACC(NONE) NOTIFY(PEDRO)
PERMIT 'PEDRO.*'  ID(mydept) ACCESS(READ)
PERMIT 'PEDRO.*'  ID(billy) ACCESS(UPDATE)

The key thing regarding this thread is the NOTIFY parameter. The person will get a broadcast message when there is a security violation.

2. turn on PROTECTALL (might already be on)
Code:
SETROPTS PROTECTALL(FAILURES)


RACF security admins can still get their info from SMF type 80 records and such. But with NOTIFY(), it sort of decentralizes the security administration. You will get notified when someone not authorized tries to read your file.
Back to top
View user's profile Send private message
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1744
Location: Tirupur, India

PostPosted: Wed May 23, 2012 11:16 am
Reply with quote

Pedro's suggestion seems to be the simplest and the correct way of doing this.

The SMF option is not recommended and "highly not recommended" if you do not know the time interval in which the event might have occured. Else you have to plough through Gigabytes of SMF data to retrieve what you are looking for.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic View Bookmarks
All times are GMT + 6 Hours
Forum Index -> IBM Tools

 


Similar Topics
Topic Forum Replies
No new posts Access to macro definitions PL/I & Assembler 4
No new posts RACF - Rebuild SETROPTS command which... All Other Mainframe Topics 3
No new posts Access to non cataloged VSAM file JCL & VSAM 18
No new posts How to access web services/website? Mainframe Interview Questions 4
No new posts RACF cost vs. ACF2 cost IBM Tools 2
Search our Forums:

Back to Top