Curious question. Is it possible to have a single user ID with different privileges depending on what group you specify when logging in (to TSO, for example)?
________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Seymour J Metz <[email protected]>
Sent: Sunday, October 25, 2020 8:05 AM
To: [email protected] <[email protected]>
Subject: Re: SMF to capture user login history

> two sets of IDs

Multiple ids can be very useful. If you have a lot of privileges and write code that is supposed to work without those privileges, it's useful to have a bare bones userid. If you have work that requires privileges that you consider too dangerous for normal work, it's nice to have a more privileged userid and proxy permission. BTDT, GTTS.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [[email protected]] on behalf of Steve Horein [[email protected]]
Sent: Sunday, October 25, 2020 9:00 AM
To: [email protected]
Subject: Re: SMF to capture user login history

On Sun, Oct 25, 2020 at 1:11 AM kekronbekron <[email protected]> wrote:

> I hope no one encourages this kind of snooping on the list.
> Stinks of an attempt to police working hours.
>
> - KB

Meh. The first shop I worked in implemented something like that to track the use of privileged IDs that had elevated permissions to update production resources. At the time, the scope had been TSO, so I wrote some automation that would send an email to the "security operations center" if RACF IDs matching specific patterns generated an IEF125I, IEF126I, or an IEF45* message. The time frames from logon to logoff/abend needed to be justified with a change request or incident, otherwise it would be considered suspicious activity. Yes, it meant having to maintain two sets of IDs - a BAU ID for day to day work, and the privileged ID for changes or recovery support, but it satisfied someone's requirement.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
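The monitoring described in the quoted message (pair IEF125I logons with IEF126I/IEF45* endings for privileged IDs, then require each session to fall inside an approved change or incident window) can be sketched as follows. This is an added example, not code from anyone on the thread; the `PRV*` naming pattern, the window table, the ticket label and the simplified log layout are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime
from fnmatch import fnmatch

PRIV_PATTERNS = ["PRV*"]  # assumed naming convention for privileged IDs
# Assumed approved windows: userid -> [(start, end, ticket)]
CHANGE_WINDOWS = {
    "PRVADM1": [(datetime(2020, 10, 24, 9, 0), datetime(2020, 10, 24, 10, 0),
                 "CHG-EXAMPLE-1")],
}
# Constructed sample lines (simplified layout: date, time, message text)
SAMPLE_LOG = """\
2020-10-24 09:00:05 IEF125I PRVADM1 - LOGGED ON - TIME=09.00.05
2020-10-24 09:01:10 IEF125I USER01 - LOGGED ON - TIME=09.01.10
2020-10-24 09:40:12 IEF126I PRVADM1 - LOGGED OFF - TIME=09.40.12
2020-10-24 22:15:00 IEF125I PRVADM2 - LOGGED ON - TIME=22.15.00
2020-10-24 22:50:31 IEF450I PRVADM2 TSOPROC - ABEND=S622 U0000 REASON=00000000
2020-10-24 23:05:00 IEF125I PRVADM1 - LOGGED ON - TIME=23.05.00
"""
LINE = re.compile(r"^(\S+ \S+) (IEF125I|IEF126I|IEF45\w+) (\S+)")

def is_privileged(userid):
    return any(fnmatch(userid, p) for p in PRIV_PATTERNS)

def sessions(log):
    """Yield (userid, start, end) per privileged session; end is None if still open."""
    open_at = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msgid, userid = m.group(2), m.group(3)
        if not is_privileged(userid):
            continue
        if msgid == "IEF125I":           # logon opens a session
            open_at[userid] = ts
        elif userid in open_at:          # logoff or abend closes it
            yield userid, open_at.pop(userid), ts
    for userid, start in open_at.items():
        yield userid, start, None

def covered(userid, start, end, windows):
    # A session is justified only if it lies wholly inside one approved window.
    return end is not None and any(
        ws <= start and end <= we for ws, we, _ticket in windows.get(userid, []))

def unjustified(log, windows):
    """Sessions to report: outside every window, or never closed in the log."""
    return [s for s in sessions(log) if not covered(*s, windows)]
```

Treating a session with no closing message as reportable is a policy choice made for this sketch.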
