SYSIBM.SYS*AUTH tables hold all GRANTs currently in effect. Maybe if you have a periodic IC setup and a relatively recent IC, you could take a look at the list of users in that RACF group and compare to GRANTs?
- QG Horacio Luis Villa <[email protected]> ezt írta (időpont: 2022. jún. 16., Cs, 1:35): > You should query Sysibm.Sysuserauth > ________________________________ > De: IBM Mainframe Discussion List <[email protected]> en nombre de > Bob Bridges <[email protected]> > Enviado: miércoles, 15 de junio de 2022 20:14 > Para: [email protected] <[email protected]> > Asunto: [EXTERNAL] Re: DB2 and RACF entities > > I used to be a member of the DB2 listserv - maybe I still am - but they > fell silent a while ago and I quit expecting it to change. But yeah, you > should be able to find out from a DBA. > > As I tried to say in the last post (but I don't think I was very clear), > DB2 saves all its GRANTs in a table, or maybe in more than one table. You > should be able to write a query to look at that table (if you have the > right authorization) for any GRANTs for the ID that is the group you > deleted and restored - or, of course, any other GRANTs that interest you. > You just have to find out the name of the table(s), which would be some > standard documented table name. If I run across it I'll let you know, but > I'm sure it'll be in the DB2 documentation. > > --- > Bob Bridges, [email protected], cell 336 382-7313 > > /* We must picture Hell as a state where everyone is perpetually concerned > about his own dignity and advancement, where everyone has a grievance, and > where eveyone lives the deadly serious passions of envy, self-importance, > and resentment. -C S Lewis, preface to _The Screwtape Letters_ */ > > -----Original Message----- > From: IBM Mainframe Discussion List <[email protected]> On Behalf > Of Radoslaw Skorupka > Sent: Wednesday, June 15, 2022 16:59 > > It's the opposite: I deleted the group from RACF and some job failed. > I quickly re-created the group and connect and restarted job ended OK. > However I want to check out what GRANT or other was issued against the > group. Or more generally - I want to find out the groupname in DB2 catalog. > Not for this group, but for other groups and environments. > Yeah, I should ask DB2 admin... ;-) > > --- W dniu 13.06.2022 o 23:07, Bob Bridges pisze: > > RACF doesn't know, so once you've deleted the GRANT from DB2 I don’t > know of a way to find out what you lost (unless you can get it from a > backup). But there are tables in DB2 that list all GRANTs, so you can > export those to, say, Excel and do some sorting and other munging to get a > sensible list. It's been a while, but I did that as part of a project to > convert DB2 security to RACF. > > > > When I say "it's been a while", what I mean is that I don't remember > what that table or those tables were called. But I was able to find them > back then, so I'm sure it's documented in DB2 somewhere. > > > > -----Original Message----- > > From: IBM Mainframe Discussion List <[email protected]> On > Behalf Of Radoslaw Skorupka > > Sent: Monday, June 13, 2022 16:09 > > > > The following scenario: DB2 v12 using pre-RACF (GRANT/REVOKE) security. > Of course userids and groupids are taken from RACF. There are several > groups which are candidates to delete as they look as not needed. However > some of them have DB2 GRANTs, so those groups should not be deleted. > > > > So far, so good. Unfortunately some group was deleted, despite it was > used by DB2. I don't know details, but AFAIK probably it was something > related to SET SQL ID or so. > > > > Q: is there any method to find out *all* RACF users and groups used for > any authorisation in DB2? > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
