Navdeep Aggarwal
New User
Joined: 27 Jun 2011 Posts: 8 Location: India
Hey All,
I wish to know about the RACF utility through which we can get the details of all the users who have accessed/browsed/viewed any particular dataset.
Thanks in advance
Navdeep Aggarwal |
Robert Sample
Global Moderator
Joined: 06 Jun 2008 Posts: 8700 Location: Dubuque, Iowa, USA
AFAIK, there is no RACF utility to "get the details of all the users who have accessed/browsed/viewed any particular dataset". Details about who accesses which data set are stored in the SMF records. Details about the different user ids that are in the SMF records are stored in the RACF data base.
Perhaps you should talk to your site support group about precisely what it is you are attempting to accomplish and see if they can help you? |
dbzTHEdinosauer
Global Moderator
Joined: 20 Oct 2006 Posts: 6966 Location: porcelain throne
ever on the hunt
for those miscreants
that invade 'private' libraries that don't belong to them. |
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19243 Location: Inside the Matrix
Hello,
If you have proper access and know-how, you might find what you are looking for in the SMF data. . .
Is there some business reason to do this or are you just curious? Wading thru SMF is not trivial - even if you know how . . . |
Navdeep Aggarwal
New User
Joined: 27 Jun 2011 Posts: 8 Location: India
dick scherrer wrote: |
Hello,
If you have proper access and know-how, you might find what you are looking for in the SMF data. . .
Is there some business reason to do this or are you just curious? Wading thru SMF is not trivial - even if you know how . . . |
Hey,
Yes, there is a business reason to do this, to monitor users who go to places where they are not used to. And yes, we will have access to the SMF data, but how can we get the desired details from it? |
Akatsukami
Global Moderator
Joined: 03 Oct 2009 Posts: 1787 Location: Bloomington, IL
Navdeep Aggarwal wrote: |
Hey,
Yes, there is a business reason to do this, to monitor users who go to places where they are not used to. |
And your RACF analysts are refusing to maintain profiles and monitor access attempts because...? |
dbzTHEdinosauer
Global Moderator
Joined: 20 Oct 2006 Posts: 6966 Location: porcelain throne
Hey, the hammer worked on my car,
should work for my monitor also. |
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19243 Location: Inside the Matrix
Hello,
If the security permissions are set up properly, there is no need to monitor. . .
People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people). |
Navdeep Aggarwal
New User
Joined: 27 Jun 2011 Posts: 8 Location: India
dick scherrer wrote: |
Hello,
If the security permissions are set up properly, there is no need to monitor. . .
People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people). |
Hello,
Yes, you are right, Dick, that the security people should be informed. I just want to know the process of how we can inform the security people when such activity happens. |
dbzTHEdinosauer
Global Moderator
Joined: 20 Oct 2006 Posts: 6966 Location: porcelain throne
wow, this really is rookie day!
if the proper RACF security is in place,
the security people will notify you!!!!!!!!!!!!!!!!!!!!!!
these 'who did this and who did that' problems are nonsense.
have proper security, and you won't be asking,
because the security will inhibit those who should not see, from seeing.
if it is members of your team, (who obviously can not be inhibited)
you have bigger problems on your hands.
fire the idiots.
either that or purchase/build a repository to safeguard all these treasures. |
Akatsukami
Global Moderator
Joined: 03 Oct 2009 Posts: 1787 Location: Bloomington, IL
Navdeep Aggarwal wrote: |
dick scherrer wrote: |
Hello,
If the security permissions are set up properly, there is no need to monitor. . .
People trying to access datasets improperly would be automatically rejected (which could (should) raise an alert to the security people). |
Hello,
Yes, you are right, Dick, that the security people should be informed. I just want to know the process of how we can inform the security people when such activity happens. |
You are once again missing the point. RACF itself automatically informs the security analysts. If they are ignoring those notifications, there is nothing that you can do (unless you have been promoted to CIO since your last post) to make them pay attention. |
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19243 Location: Inside the Matrix
Hello,
You (or the true owner of the file(s)) need to communicate with the security people to define which people (or groups) may have which access to these datasets (read, write, etc).
Then you should not have to do anything else. The security people should contact or report any offenders when the attempt is made by someone not authorized. |
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1744 Location: Tirupur, India
I put together a JCL some time back from Frank's samples on Beyond Sorting for dataset browse stats from SMF rectype 14. Can't resist posting even though there are a lot of questions that need to be answered about the topic starter's original intention. Hope it helps someone.
Code: |
//SORT     EXEC PGM=SORT,REGION=5000K
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//* SORTIN: replace the placeholder with your SMF dump data set name
//SORTIN   DD DISP=SHR,DSN=SMF DUMP DATASET
//SORTOUT  DD DISP=(NEW,PASS),DSN=&&TEMP,
//            SPACE=(CYL,(50,20),RLSE),DCB=*.SORTIN
//SYSIN    DD *
* Keep only type 14 (X'0E') records for the data set of interest
  SORT FIELDS=COPY
  INCLUDE COND=(6,1,BI,EQ,X'0E',&,69,44,CH,EQ,
                C'DSN.NAME.UNDER.SCRUTINY')
/*
//JS020    EXEC PGM=ICETOOL
//TOOLMSG  DD SYSOUT=*
//DFSMSG   DD SYSOUT=*
//SMF14    DD DSN=&&TEMP,DISP=(OLD,DELETE,DELETE)
//SMF14RPT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//TOOLIN   DD *
* Report date, time, system ID, job name and data set name
  DISPLAY FROM(SMF14) LIST(SMF14RPT) -
    TITLE('SMF TYPE-14 RECORDS') DATE(4MD/) -
    HEADER('DATE') ON(11,4,DT1,E'9999/99/99') -
    HEADER('TIME') ON(7,4,TM1,E'99:99:99') -
    HEADER('SYS') ON(15,4,CH) -
    HEADER('JOBNAME') ON(19,8,CH) -
    HEADER('DATASETNAME') ON(69,44,CH)
/* |
Output:
Code: |
DATE       TIME     SYS  JOBNAME  DATASETNAME
---------- -------- ---- -------- ----------------------
2011/08/04 13:02:31 XXXX USERID1  FILE.UNDER.SCRUTINY
2011/08/04 13:02:31 XXXX USERID1  FILE.UNDER.SCRUTINY
2011/08/04 15:03:58 XXXX USERID2  FILE.UNDER.SCRUTINY
2011/08/04 15:03:59 XXXX USERID2  FILE.UNDER.SCRUTINY
2011/08/04 15:04:23 XXXX USERID2  FILE.UNDER.SCRUTINY
2011/08/04 15:04:23 XXXX USERID2  FILE.UNDER.SCRUTINY |
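The same extraction as the JCL above, as an added Python example (not part of the original post) for an SMF dump copied off the host in binary with its record descriptor words intact. It reads the positions the DISPLAY statement uses, assumes unspanned records and EBCDIC code page 037, and goes one step further by grouping access times per job name and optionally including type 15 records (opens for output or update), which share the type 14 layout. `make_record` and `SAMPLE` are constructed test data.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta

EBCDIC = "cp037"  # assumption: data set and job names use US EBCDIC

def records(buf):
    """Yield each RDW-prefixed record (RDW included) from a binary SMF dump."""
    pos = 0
    while pos + 4 <= len(buf):
        (length,) = struct.unpack_from(">H", buf, pos)
        if length < 4 or pos + length > len(buf):
            break  # corrupt or truncated tail: stop instead of misparsing
        yield buf[pos:pos + length]
        pos += length

def smf_datetime(rec):
    """Decode the time (binary 1/100 s) and date (packed 0cyydddF) fields."""
    (hundredths,) = struct.unpack_from(">I", rec, 6)
    digits = rec[10:14].hex()
    year = 1900 + 100 * int(digits[1]) + int(digits[2:4])
    days = int(digits[4:7]) - 1
    return datetime(year, 1, 1) + timedelta(days=days, seconds=hundredths // 100)

def dataset_access(buf, dsn, types=(14,)):
    """Return {jobname: [datetime, ...]} for records naming data set `dsn`."""
    hits = defaultdict(list)
    for rec in records(buf):
        if len(rec) < 112 or rec[5] not in types:
            continue  # too short to hold the name field, or another type
        if rec[68:112].decode(EBCDIC).rstrip() == dsn:
            hits[rec[18:26].decode(EBCDIC).rstrip()].append(smf_datetime(rec))
    return dict(hits)

def make_record(rtype, when, job, dsn):
    """Constructed test record holding only the fields read above."""
    hundredths = (when.hour * 3600 + when.minute * 60 + when.second) * 100
    date = "0%d%02d%03dF" % (when.year // 100 - 19, when.year % 100,
                             when.timetuple().tm_yday)
    body = (bytes([0, rtype]) + struct.pack(">I", hundredths) + bytes.fromhex(date)
            + "XXXX".encode(EBCDIC) + job.ljust(8).encode(EBCDIC) + bytes(42)
            + dsn.ljust(44).encode(EBCDIC))
    return struct.pack(">HH", len(body) + 4, 0) + body

SAMPLE = b"".join(make_record(*r) for r in [  # constructed, not real SMF data
    (14, datetime(2011, 8, 4, 13, 2, 31), "USERID1", "FILE.UNDER.SCRUTINY"),
    (14, datetime(2011, 8, 4, 15, 3, 58), "USERID2", "FILE.UNDER.SCRUTINY"),
    (14, datetime(2011, 8, 4, 15, 4, 0), "USERID3", "SOME.OTHER.FILE"),
    (15, datetime(2011, 8, 4, 16, 0, 5), "BATCHJOB", "FILE.UNDER.SCRUTINY"),
])
```

The job name equals the user ID only for TSO sessions; for batch work it identifies the job rather than the submitter, so treat the grouping as a lead to follow up rather than proof of who read the data set.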
Navdeep Aggarwal
New User
Joined: 27 Jun 2011 Posts: 8 Location: India
Thanks, vasanthz, for this input. May I ask what clarifications you require from my side regarding my query? |
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19243 Location: Inside the Matrix
Hello,
I do not believe Vasanth is looking for any clarification. He provided some sample code for your use. . . And further modification as needed.
Is there some good reason why this is not addressed properly thru security?
I suspect you don't realize how much data you will probably need to look at to get what you want. . . |
Navdeep Aggarwal
New User
Joined: 27 Jun 2011 Posts: 8 Location: India
dick scherrer wrote: |
Hello,
I do not believe Vasanth is looking for any clarification. He provided some sample code for your use. . . And further modification as needed.
Is there some good reason why this is not addressed properly thru security?
I suspect you don't realize how much data you will probably need to look at to get what you want. . . |
Hello,
All this I am asking is because there is no security person in the team. The system is running fine on old profiles/rules; however, a new requirement has made us look for this in RACF. |
dbzTHEdinosauer
Global Moderator
Joined: 20 Oct 2006 Posts: 6966 Location: porcelain throne
Quote: |
seee? I'm right, you are wrong!
the situation at my site requires that i follow this route.
now, there! |
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19243 Location: Inside the Matrix
Hello,
Quote: |
The system is running fine on old profiles/rules |
If the old security profiles/rules do not provide security, we cannot believe the system is running fine. . .
If the organization was audited, there might be some very unpleasant experiences.
Good luck with pulling what you want from SMF. |
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2594 Location: Silicon Valley
I used to be in charge of security at our site, many years ago.
Pedro's recommendations:
1. make sure all userids and RACF groups have a generic profile, and the appropriate people are authorized, such as:
Code: |
ADDSD 'PEDRO.*' UACC(NONE) NOTIFY(PEDRO)
PERMIT 'PEDRO.*' ID(mydept) ACCESS(READ)
PERMIT 'PEDRO.*' ID(billy) ACCESS(UPDATE) |
The key thing regarding this thread is the NOTIFY parameter. The person will get a broadcast message when there is a security violation.
2. turn on PROTECTALL (might already be on)
Code: |
SETROPTS PROTECTALL(FAILURES) |
RACF security admins can still get their info from SMF type 80 records and such. But with NOTIFY(), it sort of decentralizes the security administration. You will get notified when someone not authorized tries to read your file. |
vasanthz
Global Moderator
Joined: 28 Aug 2007 Posts: 1744 Location: Tirupur, India
Pedro's suggestion seems to be the simplest and the correct way of doing this.
The SMF option is not recommended and "highly not recommended" if you do not know the time interval in which the event might have occurred. Else you have to plough through gigabytes of SMF data to retrieve what you are looking for. |