|
View previous topic :: View next topic
|
| Author |
Message |
aprocon
New User
Joined: 26 Oct 2010
Posts: 41
Location: chennai
|
|
|
|
Hi,
We had a situation wherein many of our jobs failing because a group id was revoked. We figured out somoeone had changed the password (by checking the PASSDATE column from TSO LU command output). Our RACF administrators do not admit that they changed the password. We asked them to run an audit but the whole RACF administration team is very young and they have no idea about the Audits (sounds scary. huh?!!).
Is it possible to check who changed the password? Does anybody have any JCL which you could share with me to identify who changed it? I am a mainframe administrator and have most of the RACF privileges. (I did not change the password, though.. lol)
Please let me know should you have any questions.
Thanks in advance for your help! |
|
| Back to top |
|
 |
Pete Wilson
Active Member
Joined: 31 Dec 2009
Posts: 580
Location: London
|
|
|
|
Perhaps the group ID had an end date set for it at the time it was defined and just naturally revoked itself when it reached that date?
But my money would be on someone you've already asked lying.  |
|
| Back to top |
|
|
aprocon
New User
Joined: 26 Oct 2010
Posts: 41
Location: chennai
|
|
|
|
It had non expiry password. When we had failure for the first time we just resumed the id and did nothing to the password. Jobs failed when they tried to access with the original password. Later we had resumed and set the id back to the original password. since then we had no issues.
Yeah, I would bet my money on them too because they do not know what they are doing  |
|
| Back to top |
|
|
Willy Jensen
Active Member
Joined: 01 Sep 2015
Posts: 712
Location: Denmark
|
|
|
|
You can probably get the info from SMF type 80.
//*
//SMFFLT1A EXEC PGM=IFASMFDP
//SMFIN DD DSN=SMF.HISTORY,DISP=SHR
//SMFOUT DD DSN=&&EXTRACT,
// RECFM=VB,LRECL=27998,BLKSIZE=0,
// UNIT=SYSDA,DISP=(,PASS),SPACE=(CYL,(100,200),RLSE)
//SYSPRINT DD SYSOUT=*
INDD(SMFIN,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(80))
DATE(2012348,2012348)
START(1615)
END(1630)
//*
//* REPORT
//*
//REPORT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTWK02 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTWK03 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//RSMFIN DD DISP=SHR,DSN=&&EXTRACT
//SYSTSIN DD *
RACFRW
SELECT USER(XX00001)
LIST
END |
|
| Back to top |
|
|
aprocon
New User
Joined: 26 Oct 2010
Posts: 41
Location: chennai
|
|
|
|
| Thanks Willy Jensen. let me try it and update you. |
|
| Back to top |
|
|
steve-myers
Active Member
Joined: 30 Nov 2013
Posts: 917
Location: The Universe
|
|
|
|
| Mr. Jensen has a good idea, but I don't think RACF writes an SMF 80 record for a user initiated change. In other words, if XX00001 changed his own password, either through ALTUSER or the TSO-E LOGON panel, it won't be there. |
|
| Back to top |
|
|
aprocon
New User
Joined: 26 Oct 2010
Posts: 41
Location: chennai
|
|
|
|
Yeah, I can confirm your words, Steve-Myers. I ran the job against SMF record type 80 as Jensen suggested but I do not see any hits for ALTUser command. I could see hits for successful dataset access and dataset delete and one hit for RACINIT.
So no other way to identify who changed the password? |
|
| Back to top |
|
|
|
|
