On 03/25/2015 04:03 PM, Shmuel Metz (Seymour J.) wrote:
> In <[email protected]>, on 03/25/2015
>    at 01:21 PM, Vince Coen <[email protected]> said:
>
>> Anyone have the JCL to set up a new user for TSO and other services
>> for both OS/390 and Z/OS.
>
> There is no "the JCL" for that; it depends on the security setup, the
> privileges you want the user to have and the release level.
>

Assuming that for "JCL" he really meant "batch job", this can of course be done from a batch job running under a RACF-SPECIAL userid issuing RACF commands from a batch TSO job step; but coming up with the exact TSO command sequence needed is the hard part because that would be mostly unique to your installation.

Once you have determined all the commands to set up a new user manually, you could presumably come up with a batch job with a batch TSO command sequence template to do everything required for your installation and just manually plug in different userids and other variable parameters at appropriate points in the commands before submitting; but if you do this, make sure any userid used for such batch jobs has its data in JES queues protected from viewing by others. Otherwise you may be allowing all sorts of people to view your job streams via SDSF and see what userids, passwords and authorizations you are granting, which would not please a competent auditor.

That particular exposure doesn't exist when the commands are issued from an interactive TSO session, which is why we created REXX execs for the RACF administrator that prompt for all the required information and generate and issue the required sequence of RACF and other commands to set up a new user (plus catalog alias definitions) and enforce our installation conventions. You also need support for the inverse steps required to delete a user from the system, which can be equally complex and prone to error.

And just a thought: If you are going to manually customize a bunch of TSO commands in a batch job stream, it may be just as easy to add a leading PROC statement and customize the commands in a member in a special CLIST library that is restricted to the RACF administrator, from which the sequence could be executed as a single CLIST command either in batch TSO or directly in TSO.

I repeat the admonition of others that IBMUSER should only be used to create your own installation-specific RACF SPECIAL userid (which should normally not have OPERATIONS authority) and subsequently delete or disable the IBMUSER userid after verifying the new SPECIAL userid is functional for RACF updates. No need to make a potential compromise of z/OS easier by using a known administrator name.

-- 
Joel C. Ewing, Bentonville, AR [email protected]
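
An added illustration of the batch TSO approach and the spool protection discussed in the message above; it is not part of the original post and not the poster's installation setup. Every userid, group, node, account, procedure and catalog name in it is an assumed placeholder, and it assumes the JESSPOOL class is already active with generic profiles enabled.

```jcl
//ADDUSR1  JOB (ACCT),'ADD TSO USER',CLASS=A,MSGCLASS=X
//*
//* Added illustration, not the poster's job. Placeholders (assumed):
//*   RACFADM   installation RACF SPECIAL userid that submits this job
//*   NODE1     local JES node name
//*   NEWUSR1, USERGRP, ACCT01, LOGONPRC, UCAT.USER, INITPSWD
//* Assumes the JESSPOOL class is already active with generics enabled.
//*
//* SPOOLPRT: run once, then drop from the template. Keeps other users
//* from browsing RACFADM's SYSIN/SYSOUT (which holds the commands and
//* the initial password below) through SDSF.
//SPOOLPRT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE JESSPOOL NODE1.RACFADM.** OWNER(RACFADM) UACC(NONE)
/*
//* NEWUSER: the per-user template. Edit the placeholders, then submit.
//* The real command sequence is installation-specific.
//NEWUSER  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER NEWUSR1 NAME('NEW USER') DFLTGRP(USERGRP) OWNER(USERGRP) -
    PASSWORD(INITPSWD) -
    TSO(ACCTNUM(ACCT01) PROC(LOGONPRC))
  DEFINE ALIAS(NAME(NEWUSR1) RELATE(UCAT.USER))
/*
```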
