That would require an additional logon ID with a different default 
group/grouplist.
This is a fairly common practice. One ID for everyday use and another with 
elevated privileges when needed.

HTH,

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Frank Swarbrick
Sent: Monday, October 26, 2020 1:47 PM
To: [email protected]
Subject: Re: SMF to capture user login history

Thanks.
Looks like there is not a way to do what I was hoping for, which would allow 
for a set of default groups for a user, along with one or more groups that 
require a user to explicitly log in to use them.  For example, I am a member of 
3 groups right now, and we must use GRPLIST because I don't have to specify a 
particular group to have my rights for all three.  I would like to have an 
additional group available to me, but only if I explicitly specify it.  In that 
case I would want to have the rights for all four groups.  I would also want to 
be able to "log" any time I (or any user) log in to this "special access" 
fourth group.

Sounds like I am out of luck here, but someone correct me if I'm wrong.

________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
R.S. <[email protected]>
Sent: Monday, October 26, 2020 11:18 AM
To: [email protected] <[email protected]>
Subject: Re: SMF to capture user login history

Yes, obviously!
But ...no.

To explain: there is an option in RACF, called GRPLIST. The vast majority of 
installations use GRPLIST, but a few use NOGRPLIST.

1. YES
For NOGRPLIST you may belong to many groups, but only one connection at a time 
is "active" - that means you logon as FRANK, FRANK1 (that's the password) and 
NETADM - that's the group.
And you have all the authorities given to user FRANK and to group NETADM.
However you are member of SMSADM as well - but this group gives you no 
authorities, because only one group is taken.
Is it stupid? Some people say it is good. Let's leave it.


2. NO
In typical GRPLIST world you logon as FRANK/FRANK1 and (usually) it doesn't 
matter what group you provide, if any.
And you have all the authorities given to FRANK, NETADM, SMSADM and all other 
groups you are connected to.
So, in this case privileges are not different.

Exception: there are very few, very rare cases when "current connect group" is 
important even in GRPLIST. See ARCCATGP (DFSMShsm manual).
However AFAIR it is enough to provide this groupname during logon.

Remark: no group provided = default group. Every RACF user has default group 
assigned. And of course the user is connected to this group.

HTH

--
Radoslaw Skorupka
Lodz, Poland






On 26.10.2020 at 17:30, Frank Swarbrick wrote:
> Curious question.  Is it possible to have a single user ID with different 
> privileges depending on what group you specify when logging in (to TSO, for 
> example)?
>
> ________________________________
> From: IBM Mainframe Discussion List <[email protected]> on
> behalf of Seymour J Metz <[email protected]>
> Sent: Sunday, October 25, 2020 8:05 AM
> To: [email protected] <[email protected]>
> Subject: Re: SMF to capture user login history
>
>> two sets of IDs
> Multiple ids can be very useful. If you have a lot of privileges and write 
> code that is supposed to work without those privileges, it's useful to have a 
> bare bones userid. If you have work that requires privileges that you 
> consider too dangerous for normal work, it's nice to have a more privileged 
> userid and proxy permission. BTDT, GTTS.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List [[email protected]] on
> behalf of Steve Horein [[email protected]]
> Sent: Sunday, October 25, 2020 9:00 AM
> To: [email protected]
> Subject: Re: SMF to capture user login history
>
> On Sun, Oct 25, 2020 at 1:11 AM kekronbekron <
> [email protected]> wrote:
>
>> I hope no one encourages this kind of snooping on the list.
>> Stinks of an attempt to police working hours.
>>
>> - KB
>>



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
