There might be other db2 configuration tables that hold identities such as IPNAMES.
ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: [email protected] **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Thu, Jun 16, 2022 at 8:09 AM Áron Kalapos <[email protected]> wrote: > SYSIBM.SYS*AUTH tables hold all GRANTs currently in effect. Maybe if you > have a periodic IC setup and a relatively recent IC, you could take a look > at the list of users in that RACF group and compare to GRANTs? > > - QG > > Horacio Luis Villa <[email protected]> ezt írta (időpont: > 2022. jún. 16., Cs, 1:35): > > > You should query Sysibm.Sysuserauth > > ________________________________ > > De: IBM Mainframe Discussion List <[email protected]> en nombre > de > > Bob Bridges <[email protected]> > > Enviado: miércoles, 15 de junio de 2022 20:14 > > Para: [email protected] <[email protected]> > > Asunto: [EXTERNAL] Re: DB2 and RACF entities > > > > I used to be a member of the DB2 listserv - maybe I still am - but they > > fell silent a while ago and I quit expecting it to change. But yeah, you > > should be able to find out from a DBA. > > > > As I tried to say in the last post (but I don't think I was very clear), > > DB2 saves all its GRANTs in a table, or maybe in more than one table. > You > > should be able to write a query to look at that table (if you have the > > right authorization) for any GRANTs for the ID that is the group you > > deleted and restored - or, of course, any other GRANTs that interest you. > > You just have to find out the name of the table(s), which would be some > > standard documented table name. If I run across it I'll let you know, > but > > I'm sure it'll be in the DB2 documentation. > > > > --- > > Bob Bridges, [email protected], cell 336 382-7313 > > > > /* We must picture Hell as a state where everyone is perpetually > concerned > > about his own dignity and advancement, where everyone has a grievance, > and > > where eveyone lives the deadly serious passions of envy, self-importance, > > and resentment. -C S Lewis, preface to _The Screwtape Letters_ */ > > > > -----Original Message----- > > From: IBM Mainframe Discussion List <[email protected]> On Behalf > > Of Radoslaw Skorupka > > Sent: Wednesday, June 15, 2022 16:59 > > > > It's the opposite: I deleted the group from RACF and some job failed. > > I quickly re-created the group and connect and restarted job ended OK. > > However I want to check out what GRANT or other was issued against the > > group. Or more generally - I want to find out the groupname in DB2 > catalog. > > Not for this group, but for other groups and environments. > > Yeah, I should ask DB2 admin... ;-) > > > > --- W dniu 13.06.2022 o 23:07, Bob Bridges pisze: > > > RACF doesn't know, so once you've deleted the GRANT from DB2 I don’t > > know of a way to find out what you lost (unless you can get it from a > > backup). But there are tables in DB2 that list all GRANTs, so you can > > export those to, say, Excel and do some sorting and other munging to get > a > > sensible list. It's been a while, but I did that as part of a project to > > convert DB2 security to RACF. > > > > > > When I say "it's been a while", what I mean is that I don't remember > > what that table or those tables were called. But I was able to find them > > back then, so I'm sure it's documented in DB2 somewhere. > > > > > > -----Original Message----- > > > From: IBM Mainframe Discussion List <[email protected]> On > > Behalf Of Radoslaw Skorupka > > > Sent: Monday, June 13, 2022 16:09 > > > > > > The following scenario: DB2 v12 using pre-RACF (GRANT/REVOKE) security. > > Of course userids and groupids are taken from RACF. There are several > > groups which are candidates to delete as they look as not needed. However > > some of them have DB2 GRANTs, so those groups should not be deleted. > > > > > > So far, so good. Unfortunately some group was deleted, despite it was > > used by DB2. I don't know details, but AFAIK probably it was something > > related to SET SQL ID or so. > > > > > > Q: is there any method to find out *all* RACF users and groups used for > > any authorisation in DB2? > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
