Thanks.
Looks like there is not a way to do what I was hoping for, which would allow 
for a set of default groups for a user, along with one or more groups that 
require a user to explicitly log in to use them.  For example, I am a member of 
3 groups right now, and we must use GRPLIST because I don't have to specify a 
particular group to have my rights for all three.  I would like to have an 
additional group available to me, but only if I explicitly specify it.  In that 
case I would want to have the rights for all four groups.  I would also want to 
be able to "log" any time I (or any user) log in to this "special access" 
fourth group.

Sounds like I am out of luck here, but someone correct me if I'm wrong.

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
R.S. <r.skoru...@bremultibank.com.pl>
Sent: Monday, October 26, 2020 11:18 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: SMF to capture user login history

Yes, obviously!
But ...no.

To explain: there is an option in RACF, called GRPLIST. The vast majority of
installations use GRPLIST, but few use NOGRPLIST.

1. YES
For NOGRPLIST you may belong to many groups, but only one connection at
a time is "active" - that means you log on as Frank, FRANK1 (that's
the password) and NETADM - that's the group.
And you have all the authorities given to user FRANK and to group NETADM.
However you are a member of SMSADM as well - but this group gives you no
authorities, because only one group is taken.
Is it stupid? Some people say it is good. Let's leave it.


2. NO
In a typical GRPLIST world you log on as FRANK/FRANK1 and (usually) it
doesn't matter what group you provide, if any.
And you have all the authorities given to FRANK, NETADM, SMSADM and all
other groups you are connected to.
So, in this case privileges are not different.

Exception: there are very few, very rare cases when "current connect
group" is important even in GRPLIST. See ARCCATGP (DFSMShsm manual).
However AFAIR it is enough to provide this groupname during logon.

Remark: no group provided = default group. Every RACF user has default
group assigned. And of course the user is connected to this group.

HTH

--
Radoslaw Skorupka
Lodz, Poland






On 26.10.2020 at 17:30, Frank Swarbrick wrote:
> Curious question.  Is it possible to have a single user ID with different 
> privileges depending on what group you specify when logging in (to TSO, for 
> example)?
>
> ________________________________
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
> Seymour J Metz <sme...@gmu.edu>
> Sent: Sunday, October 25, 2020 8:05 AM
> To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
> Subject: Re: SMF to capture user login history
>
>> two sets of IDs
> Multiple ids can be very useful. If you have a lot of privileges and write 
> code that is supposed to work without those privileges, it's useful to have a 
> bare bones userid. If you have work that requires privileges that you 
> consider too dangerous for normal work, it's nice to have a more privileged 
> userid and proxy permission. BTDT, GTTS.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
> Steve Horein [steve.hor...@gmail.com]
> Sent: Sunday, October 25, 2020 9:00 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: SMF to capture user login history
>
> On Sun, Oct 25, 2020 at 1:11 AM kekronbekron <
> 000002dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:
>
>> I hope no one encourages this kind of snooping on the list.
>> Stinks of an attempt to police working hours.
>>
>> - KB
>>



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
