To complement:
Last access is not last activity.
Depending on many factors user can be logged on for a long time, even
months.
In the past I had found a TSO session still logged on, several weeks
after the user left the company. Despite JWT/TWT settings (cancel
session for inactivity).
--
Radoslaw Skorupka
Lodz, Poland
W dniu 11.01.2024 o 14:10, Chalk, Shelia pisze:
Thank you so much. I pulled smf-type 80 records and found it.
Thanks again.
Shelia Chalk
Mainframe System Programmer
[email protected]
-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On Behalf Of
Robert S. Hansel (RSH)
Sent: Thursday, January 11, 2024 7:02 AM
To:[email protected]
Subject: [EXT] Re: Racf Userid
Please Note: This email is from an [EXTERNAL] sender. Do not click on links or
attachments unless you expect them from the sender and know the content is
safe. Please contact the Service Desk if you have any concerns regarding this
message.
Hi Shelia,
First off, in output of the LISTUSER command, find the most recent LAST-CONNECT
date/time in the group connect information for all ID's groups. Most likely it
will be associated with the ID's default group. If it is the same as the
LAST-ACCESS date/time, then the later was updated due to a logon. If the
LAST-ACCESS date/time is later, then someone did an ALTUSER RESUME on the ID,
in which case you'll want to examine SMF type 80 records for ALTUSER events.
If it appears to be a logon, you will want to examine SMF type 80 records for
event JOBINIT (logon) and INITOEDP (Unix dub) as well as type 30 subtype 1
records (TSO, Batch, and Started Task logons). Note that successful logons are
often not logged. It all depends on how the resource manager processing the
logon is designed and configured.
The SMF event names I'm referring to appear in the output of RACF's SMF unload
utility. This utility converts raw SMF 80 and 30 records into text or XML
output. If you have RACF administration add-on product such as zSecure, it will
provide its own mechanisms for reporting from SMF data.
If the above doesn't yield any useful information, try adding the UAUDIT
attribute to the ID to record all its access activity. This activity might
provide some clues as to how and from where the ID is being used. If you have
zSecure Access Monitor, it can also provide helpful access activity information.
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
http://www.linkedin.com/in/roberthansel
http://www.rshconsulting.com/
-----Original Message-----
Date: Wed, 10 Jan 2024 21:37:46 +0000
From: "Chalk, Shelia"<[email protected]>
Subject: Racf Userid
Hello,
I have a userid abc that was last access in racf on 1/7/24 at 5:06 a.m. Is
there a report or something that will tell me who (batch job, script, etc..) is
using this userid?
Thanks
Shelia Chalk
Mainframe System Programmer
[email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
