Peter, Suggest to the ADCD owners that they make an IRRDBU00 unload of the RACF database and then run the IRRRID00 Remove ID utility with the unload as input to find and remove references to deleted users and groups. Instructions, examples, guidelines, and tips for running these utilities are provided in our presentation "RACF Utilities", available on our website via the RACF Center webpage.
Also suggest the them that they run ICHDSM00 (a.k.a. DSMON) to identify system datasets that may not be properly protected and incomplete STARTED profiles. The aforementioned presentation has information on DSMON. Further suggest to them that they make an IRRHFSU unload of the entire Unix file system and examine the results to identify orphaned Owner UIDs and Group GIDs. Information for obtaining and running the IRRHFSU utility are provided in our presentation "IRRHFSU", also available on our website. This presentation includes a sample ICETOOL report for finding orphaned IDs. If the ADCD owners have any problems or questions when trying to run the reports or need help interpreting the results, have them contact me directly. We have use of an ADCD system in Dallas, so helping them clean this up would benefit us as well. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com --------------------------------------------------------------------- 2013 RACF Training - Securing z/OS UNIX - WebEx - JAN 15-17 - Intro & Basic Admin - WebEx - FEB 4-8 - Audit for Results - Boston - APR 24-26 - Intro & Basic Admin - Boston - MAY 21-23 - Securing z/OS UNIX - WebEx - JUL 23-25 --------------------------------------------------------------------- -----Original Message----- Date: Fri, 4 Jan 2013 08:13:24 -0500 From: Peter Relson <rel...@us.ibm.com> Subject: Re: DFSMRCL0 usermod - was: I broke it The ADCD owners confirm that they do now have plans to run IBM HealthChecker for z/OS against the ADCD (at least for the newer releases of z/OS that they support). Whether that was a direct result of this thread or not, I am not sure. It remains to be seen how much they take advantage of the exceptions that initially are reported. Once that is underway, I expect, at least, that the DFSMRCL0 usermod will not be applied when a z/OS 1.13 ADCD system is subsequently built. I mention 1.13 only because that is the release where the HC of IEAVTRML is introduced and thus that is the release where the presence of DFSMRCL0 usermod would be flagged. Quite possibly they will be able to apply that "knowledge" to earlier releases that have IMS V9 or later (that being the release where the need for DFSMRCL0 went away, and knowing that earlier IMS versions are no longer supported). If any of you care to "contribute" by running HC yourself on the ADCD system and reporting things that both are flagged as exceptions and that in all likelihood would help just about the entire ADCD community to have changed, feel free to send me a note (but not that IEAVTRML one, please!). I mention the "entire ADCD community" only because I can imagine some exception situations being left alone in order to accommodate a subset of users who might need the flagged behavior. I have no specific examples of such things with respect to ADCD. I do also have hope that some information would accompany the distribution, setting the "expectation" for what exceptions one might see if running HC. Peter Relson z/OS Core Technology Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN