RACF- How to find the Last access of a DELETED RACF userid


rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

Posted: Thu Jun 21, 2018 3:19 pm

Hello All,

I have an audit requirement where I need to find the last login of a deleted userid.

We deleted the userid 6 months back, but we need to know what the last login date of the deleted ID was.

If there is any way, kindly share.

Thanks Again..
Rahul
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8796
Location: Welsh Wales

Posted: Thu Jun 21, 2018 3:25 pm

SMF data would be my first call

Type 30 if I remember correctly.
This should get the address space name and date and time it started.
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8700
Location: Dubuque, Iowa, USA

Posted: Thu Jun 21, 2018 6:00 pm

Or use type 32 SMF records, which record TSO activity.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 262

Posted: Thu Jun 21, 2018 6:52 pm

Do you have zSecure (or equivalent) installed? If yes, just ask your RACF administrator.
If not ..... good luck
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1744
Location: Tirupur, India

Posted: Fri Jun 22, 2018 2:02 am

Hi,
Quote:
Or use type 32 SMF records, which record TSO activity.

I understand SMF would have the data, but it would require processing a really large amount of data to get TSO activity.
It might be easier to look at SYSLOG data if it is available for the message,
Code:
$HASP373 <USERID>   STARTED

However, if the user logs onto CICS directly without TSO, then SYSLOG might not have the CICS logon. Also, Type 30 might not capture CICS logon, I am not sure.

I think the surefire way is to process SMF type 80, to catch all types of logons like direct DB2 access, CICS logon, TSO etc.

Please correct me if I am wrong.
Regards,
Vasanth.S
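
The SYSLOG check suggested in the post above, as an added example that is not part of the original thread: it scans hardcopy-log lines for `$HASP373 <USERID> STARTED` and returns the latest start time for a userid's TSO sessions. The sample lines, the userids and the column layout (date as yyddd, `TSU`/`JOB` job id prefixes) are constructed assumptions; as the thread notes, CICS logons will not show up this way.

```python
import re
from datetime import datetime

# Constructed SYSLOG lines (not from the thread). Assumed layout:
# type, routing codes, system, date as yyddd, time, job id, flags, message.
SAMPLE_SYSLOG = """\
N 4000000 SYS1     17340 08:01:12.33 TSU04411 00000090  $HASP373 RSHAN01  STARTED
N 4000000 SYS1     17340 08:02:10.10 JOB04412 00000090  $HASP373 PAYROLL1 STARTED - INIT 3    - CLASS A        - SYS SYS1
N 4000000 SYS1     17351 17:45:03.90 TSU05120 00000090  $HASP373 RSHAN01  STARTED
N 4000000 SYS1     17351 18:30:00.00 TSU05120 00000090  $HASP395 RSHAN01  ENDED
N 4000000 SYS1     17352 09:00:00.01 TSU05200 00000090  $HASP373 OTHERID  STARTED
"""

HASP373 = re.compile(
    r"\s(\d{5}) (\d\d:\d\d:\d\d)\.\d\d "   # yyddd date and hh:mm:ss time
    r"([A-Z]{3})\d+\s+\S+\s+"              # job id prefix (TSU/JOB/STC), flags
    r"\$HASP373 (\S+)\s+STARTED"           # jobname that started
)

def last_tso_logon(lines, userid):
    """Return the latest $HASP373 start time for a TSO session of userid, or None."""
    wanted = userid.upper()
    latest = None
    for line in lines:
        m = HASP373.search(line)
        if not m:
            continue
        yyddd, hms, jobtype, jobname = m.groups()
        # Only TSU job ids are TSO sessions, where the jobname is the userid.
        # A batch job or started task may carry any jobname.
        if jobtype != "TSU" or jobname != wanted:
            continue
        started = datetime.strptime(f"{yyddd} {hms}", "%y%j %H:%M:%S")
        # Keep the maximum, so archived logs can be fed in any order.
        if latest is None or started > latest:
            latest = started
    return latest

if __name__ == "__main__":
    for uid in ("RSHAN01", "PAYROLL1"):
        print(uid, last_tso_logon(SAMPLE_SYSLOG.splitlines(), uid))
```

A `None` result means only that no TSO start message was found in the logs supplied, which is also what a retention gap looks like.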
Robert Sample

Global Moderator


Joined: 06 Jun 2008
Posts: 8700
Location: Dubuque, Iowa, USA

Posted: Fri Jun 22, 2018 2:13 am

Vasanthz, your approach would only work if the site retains the SYSLOG for more than 6 months; I'm not sure there are a lot of sites that do so. Most sites retain SMF records for quite a long time, but not SYSLOG. The topic started by asking about a deleted userid, which I assume rules out CICS logons -- if not, then the answer becomes more complicated since the type 30 records do NOT include CICS logons.
Quote:
I understand SMF would have the data, but it would require processing a really large amount of data to get TSO activity.

Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32. And the type 80 records require more analysis since you have to extract the correct event / code qualifiers.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1744
Location: Tirupur, India

Posted: Fri Jun 22, 2018 2:57 am

Quote:
your approach would only work if the site retains the SYSLOG for more than 6 months;

Yes :-) It would work only if the user is lucky enough to have SYSLOG for the required duration. We have it archived in SAR for 1 year, which is the first point of investigation we use before going to SMF.

Thanks for the information Robert.
Quote:
Processing the type 80 SMF records would require more -- last week we generated 343 type 32 records and 4,982 type 80 records so almost 15 times the type 80 records compared to type 32.

Ya, I agree there are a lot of type 80 records for several events.

I just extracted only SMF type 80, Event 1 for a day and there were 86K records, which is kind of a lot.

Regards,
Vasanth.S
rahul shanmuganatan

New User


Joined: 03 Jun 2016
Posts: 2
Location: kuwait

Posted: Mon Jun 25, 2018 12:10 pm

Thanks All,

We used SMF record types 80 to 83 to find the last login, and used ICETOOL to sort them properly.

Also, we have a DB2 table which contains all the CICS programs and sessions used by the user.

We were able to write some SQL and fetch the data from the DB2 table.

Thanks All ... It was really helpful ..!

Regards,
Rahul
All times are GMT + 6 Hours