Yes. But to do this, you will need to switch off "list of groups"
processing. This option was introduced in the 1980s and most shops decided
to turn it on. 
The concept of the "connect group" as the group specified at logon time (or
if you like RACINIT time) has largely gone.
What you ask could also be performed in various RACF exits of course.

Lennie Dymoke-Bradshaw
Consultant working on contract for BMC mainframe Services by RSM Partners
'Dance like no one is watching. Encrypt like everyone is.'

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
Frank Swarbrick
Sent: 26 October 2020 16:30
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SMF to capture user login history

Curious question.  Is it possible to have a single user ID with different
privileges depending on what group you specify when logging in (to TSO, for
example)?

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of
Seymour J Metz <sme...@gmu.edu>
Sent: Sunday, October 25, 2020 8:05 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: SMF to capture user login history

> two sets of IDs

Multiple ids can be very useful. If you have a lot of privileges and write
code that is supposed to work without those privileges, it's useful to have
a bare bones userid. If you have work that requires privileges that you
consider too dangerous for normal work, it's nice to have a more privileged
userid and proxy permission. BTDT, GTTS.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
Steve Horein [steve.hor...@gmail.com]
Sent: Sunday, October 25, 2020 9:00 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SMF to capture user login history

On Sun, Oct 25, 2020 at 1:11 AM kekronbekron <
000002dee3fcae33-dmarc-requ...@listserv.ua.edu> wrote:

> I hope no one encourages this kind of snooping on the list.
> Stinks of an attempt to police working hours.
>
> - KB
>

Meh.
The first shop I worked in implemented something like that to track the use
of privileged IDs that had elevated permissions to update production
resources. At the time, the scope had been TSO, so I wrote some automation
that would send an email to the "security operations center" if RACF IDs
matching specific patterns generated an IEF125I, IEF126I, or an IEF45*
message. The time frames from logon to logoff/abend needed to be justified
with a change request or incident, otherwise it would be considered
suspicious activity. Yes, it meant having to maintain two sets of IDs - a
BAU ID for day to day work, and the privileged ID for changes or recovery
support, but it satisfied someone's requirement.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
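
The privileged-ID tracking described in the last message above (logon to logoff/abend windows that must be covered by a change request or incident), sketched as an added example that is not code from any poster in this thread. Only the message IDs IEF125I, IEF126I and IEF45* come from the thread; the `ADM` ID pattern, the timestamped line layout, the ticket records and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Assumption: privileged IDs follow a site naming pattern (hypothetical "ADM" prefix).
PRIV_ID = re.compile(r"^ADM[A-Z0-9]{1,5}$")
# Assumption: simplified log layout "date time msgid userid-or-jobname ...".
LINE = re.compile(r"^(\S+) (\S+) (IEF125I|IEF126I|IEF45\dI) (\S+)")

def sessions(lines):
    """Pair each IEF125I logon with the next IEF126I/IEF45x for the same privileged ID."""
    open_at, out = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m or not PRIV_ID.match(m.group(4)):
            continue  # not a tracked message, or not a privileged ID
        ts = datetime.fromisoformat(f"{m.group(1)}T{m.group(2)}")
        msg, user = m.group(3), m.group(4)
        if msg == "IEF125I":
            open_at[user] = ts
        elif user in open_at:
            out.append((user, open_at.pop(user), ts))
    # A logon with no logoff/abend seen yet is reported with an unknown end.
    out.extend((user, start, None) for user, start in open_at.items())
    return out

def unjustified(found, tickets):
    """Sessions not wholly inside a change/incident window raised for that ID."""
    def covered(user, start, end):
        return end is not None and any(
            t["user"] == user and t["start"] <= start and end <= t["end"]
            for t in tickets)
    return [s for s in found if not covered(*s)]

# Constructed sample data, not real SYSLOG output.
SAMPLE_LOG = [
    "2020-10-20 09:00:05 IEF125I ADMSH1 - LOGGED ON - TIME=09.00.05",
    "2020-10-20 09:40:10 IEF126I ADMSH1 - LOGGED OFF - TIME=09.40.10",
    "2020-10-20 10:00:00 IEF125I USER01 - LOGGED ON - TIME=10.00.00",
    "2020-10-21 22:15:00 IEF125I ADMSH1 - LOGGED ON - TIME=22.15.00",
    "2020-10-21 22:50:30 IEF450I ADMSH1 PROC01 STEP1 - ABEND=S222 U0000",
    "2020-10-22 03:00:00 IEF125I ADMKB2 - LOGGED ON - TIME=03.00.00",
]
TICKETS = [{"id": "CHG-0001", "user": "ADMSH1",
            "start": datetime(2020, 10, 20, 8, 30), "end": datetime(2020, 10, 20, 10, 0)}]

if __name__ == "__main__":
    for user, start, end in unjustified(sessions(SAMPLE_LOG), TICKETS):
        print(f"ALERT {user}: {start} -> {end or 'still logged on'} has no change/incident")
```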
