McKown, John wrote:
-----Original Message-----
From: IBM Mainframe Discussion List
[mailto:[EMAIL PROTECTED] On Behalf Of Jacky Bright
Sent: Monday, February 12, 2007 11:43 AM
To: [email protected]
Subject: Re: RACF Surrogate Authority
Only in batch environment ??
How am I going to hold XYZ user responsible for his activities in case
surrogate userid is being used ?
In case XYZ is submitting job then in spool or in syslog we
will get name of
the submitter as XYZ and not ABC.
I don't understand. Surrogate works only in batch, AFAIK. That's becasue it is
the only environment, where username without password is accepted. However you
can easily put TSO in batch, as well as ISPF, some DB2 and CICS functionality...
Most of the RACF SMF records will record the actual ID which submitted
the job as well as the id under which it ran. For example, in the JOB
INITIATION record produced by IRRADU00, there is the field
INIT_UTK_SUSER_ID, which is the actual RACF ID of the person which
submitted the job, not the surrogate id.
John, it can be more complex:
//JOB1 JOB ...USER=ABC
...
//STEP1 EXEC PGM=IKJEFT01
...
//SYSTSIN DD *
SUMBIT XYZ.USER.PDS(SOMEJOB)
Question: who submitted SOMEJOB, who is execution userid of the job, last but
not least: what's inside SOMEJOB member ???
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
