And if it's inactive?
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List [[email protected]] on behalf of Gibney, Dave [[email protected]] Sent: Monday, October 26, 2020 5:35 PM To: [email protected] Subject: Re: SMF to capture user login history In general and with list of groups active, no. The only case of specific logon group dependency I know of is the DFHSM situation Radoslaw mentioned. > -----Original Message----- > From: IBM Mainframe Discussion List <[email protected]> On > Behalf Of Seymour J Metz > Sent: Monday, October 26, 2020 1:35 PM > To: [email protected] > Subject: Re: SMF to capture user login history > > If foo is connected to groups bar and baz, don't you get different permissions > with LOGON FOO GROUP(BAR) and LOGON FOO GROUP(BAZ)? > > > -- > Shmuel (Seymour J.) Metz > https://urldefense.com/v3/__http://mason.gmu.edu/*smetz3__;fg!!JmPEg > BY0HMszNaDT!6A2a7swnD99n20E9woQiB5vEDqC1oZzshsL6LOJZdhrQIdFEepZ > i5aTQDQEx9A$ > > ________________________________________ > From: IBM Mainframe Discussion List [[email protected]] on > behalf of Allan Staller [[email protected]] > Sent: Monday, October 26, 2020 3:03 PM > To: [email protected] > Subject: Re: SMF to capture user login history > > Classification: Internal > > That would require an additional longon ID with a different default > group/grouplist. > This is a fairly common practice. One ID for everyday use and another with > elevated privileges when needed. > > HTH, > > -----Original Message----- > From: IBM Mainframe Discussion List <[email protected]> On > Behalf Of Frank Swarbrick > Sent: Monday, October 26, 2020 1:47 PM > To: [email protected] > Subject: Re: SMF to capture user login history > > [CAUTION: This Email is from outside the Organization. Unless you trust the > sender, Don't click links or open attachments as it may be a Phishing email, > which can steal your Information and compromise your Computer.] > > Thanks. > Looks like there is not a way to do what I was hoping for, which would allow > for a set of default groups for a user, along with one or more groups that > require a user to explicitly log in to use them. For example, I am a member > of > 3 groups right now, and we must use GRPLIST because I don't have to specify > a particular group to have my rights for all three. I would like to have an > additional group available to me, but only if I explicitly specify it. In > that case I > would want to have the rights for all four groups. I would also want to be > able to "log" any time I (or any user) log in to this "special access" fourth > group. > > Sounds like I am out of luck here, but someone correct me if I'm wrong. > > ________________________________ > From: IBM Mainframe Discussion List <[email protected]> on > behalf of R.S. <[email protected]> > Sent: Monday, October 26, 2020 11:18 AM > To: [email protected] <[email protected]> > Subject: Re: SMF to capture user login history > > Yes, obviously! > But ...no. > > To explain: there is an option in RACF, called GRPLIST. Vast majority of > installations use GRPLIST, but few use NOGRPLIST. > > 1. YES > For NOGRPLIST you may belong to meny group, but only one connection at > the time is "active" - that means you logon as Frank, FRANK1 (that's the > password) and NETADM - that's the group. > And you have all the authorities given to user FRANK and to group NETADM. > However you are member of SMSADM as well - but this group gives you no > authorities, because only one group is taken. > Is it stupid? Some people say it is good. Let's leave it. > > > 2. NO > In typical GRPLIST world you logon as FRANK/FRANK1 and (usually) it doesn't > matter what group you provide, if any. > And you have all the authorities given to FRANK, NETADM, SMSADM and all > other groups you are connected to. > So, it in this case privileges are not different. > > Exception: there are very few, very rare cases when "current connect group" > is important even in GRPLIST. See ARCCATGP (DFSMShsm manual). > However AFAIR it is enough to provide this groupname during logon. > > Remark: no group provided = default group. Every RACF user has default > group assigned. And of course the user is connected to this group. > > HTH > > -- > Radoslaw Skorupka > Lodz, Poland > > > > > > > W dniu 26.10.2020 o 17:30, Frank Swarbrick pisze: > > Curious question. Is it possible to have a single user ID with different > privileges depending on what group you specify when logging in (to TSO, for > example)? > > > > ________________________________ > > From: IBM Mainframe Discussion List <[email protected]> on > > behalf of Seymour J Metz <[email protected]> > > Sent: Sunday, October 25, 2020 8:05 AM > > To: [email protected] <[email protected]> > > Subject: Re: SMF to capture user login history > > > >> two sets of IDs > > Multiple ids can be very usefull. If you have a lot of privileges and write > code that is supposed to work without those privileges, it's useful to have a > bare bones userid. If you have work that requires privileges that you > consider too dangerous for normal work, it's nice to have a more privileged > userid and proxy permission. BTDT, GTTS. > > > > > > -- > > Shmuel (Seymour J.) Metz > > > https://urldefense.com/v3/__https://apc01.safelinks.protection.outlook.co > m/?url=http:*2F*2Fmason.g__;JSU!!JmPEgBY0HMszNaDT!6A2a7swnD99n20 > E9woQiB5vEDqC1oZzshsL6LOJZdhrQIdFEepZi5aR-F74EKQ$ > > > mu.edu%2F~smetz3&data=04%7C01%7Callan.staller%40HCL.COM%7C0 > eaac4d6 > > > fb9245e9d75c08d879df9a98%7C189de737c93a4f5a8b686f4ca9941912%7C0%7 > C0%7C > > > 637393349175371164%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM > DAiLCJQIjo > > > iV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=ew8aS0s > A5X7qu > > EdwJZayOILNENkQsBhqgCYRSDOqkeQ%3D&reserved=0 > > > > ________________________________________ > > From: IBM Mainframe Discussion List [[email protected]] on > > behalf of Steve Horein [[email protected]] > > Sent: Sunday, October 25, 2020 9:00 AM > > To: [email protected] > > Subject: Re: SMF to capture user login history > > > > On Sun, Oct 25, 2020 at 1:11 AM kekronbekron < > > [email protected]> wrote: > > > >> I hope no one encourages this kind of snooping on the list. > >> Stinks of an attempt to police working hours. > >> > >> - KB > >> > > > > ========================================================== > ============ > > Jeśli nie jesteś adresatem tej wiadomości: > > - powiadom nas o tym w mailu zwrotnym (dziękujemy!), > - usuń trwale tę wiadomość (i wszystkie kopie, które wydrukowałeś lub > zapisałeś na dysku). > Wiadomość ta może zawierać chronione prawem informacje, które może > wykorzystać tylko adresat.Przypominamy, że każdy, kto rozpowszechnia > (kopiuje, rozprowadza) tę wiadomość lub podejmuje podobne działania, > narusza prawo i może podlegać karze. > > mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 > Warszawa,https://urldefense.com/v3/__https://apc01.safelinks.protection. > outlook.com/?url=http*3A*2F*2Fhttp://secure-web.cisco.com/1_X1fe_pNGy17DhkOqomtknEUafaW0YUuNC-bAR5r1ueSrjTg7hNBw4tPV7yLmcX4l9PYvoYkSQXUCqIn0CrxfmAyLUfn3UQww2ZcXQAfjrp8o3r9MVGG5YSZXlaM6hGi3A-3Hu4Mq-Zd5i0aUh0YG1yqt_BbyYpV0Do64fGklCNhr0UlXOno17hSFuKF_8R8vdbTasJEpSPWnggCs5DBeuPZ-sp1Ofh4-7OiLULuMZRUlKrXsaxEWl82znAXnUCn5P2-yQImfN7mBGL7aRazOrcsHtU6t3D3eTx21hDofPdxkt99DPHgXidct5BiZbkqD4aJUpQfi23YT4mR-ZmeNPrfwd75cV0KrSaGb7E-NS4iUd67cTv2ZecsHTONgCSnYcRhsXdHpl0uxZYwlD10Aum7rzwntyjS5w5sETJm60Xs8hvKPOgCSoCDKmtF1GUK/http%3A%2F%2Fwww.mbank.pl*2F&data=04*7C01*7 > Callan.staller*40HCL.COM*7C0eaac4d6fb9245e9d75c08d879df9a98*7C189de > 737c93a4f5a8b686f4ca9941912*7C0*7C0*7C637393349175371164*7CUnknow > n*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1ha > WwiLCJXVCI6Mn0*3D*7C2000&sdata=316N5XpueW0NYyydhwy*2FZIw > 6sOk*2FKlXGe1DroQh3*2BLM*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJ > SUlJSU!!JmPEgBY0HMszNaDT!6A2a7swnD99n20E9woQiB5vEDqC1oZzshsL6LO > JZdhrQIdFEepZi5aQMyLHAvw$ , e-mail: [email protected]. Sąd Rejonowy > dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, > KRS 0000025237, NIP: 526-021-50-88. Kapitał zakładowy (opłacony w całości) > według stanu na 01.01.2020 r. wynosi 169.401.468 złotych. > > If you are not the addressee of this message: > > - let us know by replying to this e-mail (thank you!), > - delete this message permanently (including all the copies which you have > printed out or saved). > This message may contain legally protected information, which may be used > exclusively by the addressee.Please be reminded that anyone who > disseminates (copies, distributes) this message or takes any similar action, > violates the law and may be penalised. > > mBank S.A. with its registered office in Warsaw, ul. Senatorska 18, 00-950 > Warszawa,https://urldefense.com/v3/__https://apc01.safelinks.protection. > outlook.com/?url=http*3A*2F*2Fhttp://secure-web.cisco.com/1_X1fe_pNGy17DhkOqomtknEUafaW0YUuNC-bAR5r1ueSrjTg7hNBw4tPV7yLmcX4l9PYvoYkSQXUCqIn0CrxfmAyLUfn3UQww2ZcXQAfjrp8o3r9MVGG5YSZXlaM6hGi3A-3Hu4Mq-Zd5i0aUh0YG1yqt_BbyYpV0Do64fGklCNhr0UlXOno17hSFuKF_8R8vdbTasJEpSPWnggCs5DBeuPZ-sp1Ofh4-7OiLULuMZRUlKrXsaxEWl82znAXnUCn5P2-yQImfN7mBGL7aRazOrcsHtU6t3D3eTx21hDofPdxkt99DPHgXidct5BiZbkqD4aJUpQfi23YT4mR-ZmeNPrfwd75cV0KrSaGb7E-NS4iUd67cTv2ZecsHTONgCSnYcRhsXdHpl0uxZYwlD10Aum7rzwntyjS5w5sETJm60Xs8hvKPOgCSoCDKmtF1GUK/http%3A%2F%2Fwww.mbank.pl*2F&data=04*7C01*7 > Callan.staller*40HCL.COM*7C0eaac4d6fb9245e9d75c08d879df9a98*7C189de > 737c93a4f5a8b686f4ca9941912*7C0*7C0*7C637393349175371164*7CUnknow > n*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1ha > WwiLCJXVCI6Mn0*3D*7C2000&sdata=316N5XpueW0NYyydhwy*2FZIw > 6sOk*2FKlXGe1DroQh3*2BLM*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJ > SUlJSU!!JmPEgBY0HMszNaDT!6A2a7swnD99n20E9woQiB5vEDqC1oZzshsL6LO > JZdhrQIdFEepZi5aQMyLHAvw$ , e-mail: [email protected]. District Court for > the Capital City of Warsaw, 12th Commercial Division of the National Court > Register, KRS 0000025237, NIP: 526-021-50-88. Fully paid-up share capital > amounting to PLN 169.401.468 as at 1 January 2020. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email to > [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email to > [email protected] with the message: INFO IBM-MAIN > ::DISCLAIMER:: > ________________________________ > The contents of this e-mail and any attachment(s) are confidential and > intended for the named recipient(s) only. E-mail transmission is not > guaranteed to be secure or error-free as information could be intercepted, > corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses > in transmission. The e mail and its contents (with or without referred errors) > shall therefore not attach any liability on the originator or HCL or its > affiliates. > Views or opinions, if any, presented in this email are solely those of the > author and may not necessarily reflect the views or opinions of HCL or its > affiliates. Any form of reproduction, dissemination, copying, disclosure, > modification, distribution and / or publication of this message without the > prior written consent of authorized representative of HCL is strictly > prohibited. If you have received this email in error please delete it and > notify > the sender immediately. Before opening any email and/or attachments, > please check them for viruses and other defects. > ________________________________ > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
