Hi Nick, As a way to avoid problems to begin with, does your routine first check to see if there is an existing user ID or group that matches the ID it is about to create, that the ID is syntactically correct, and that the default group exists?
What RACF authority is the IMS address space using to create IDs? What if any segments is it creating along with the ID? There may be other pre-command checks we can recommend. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com ---------------------------------------------------------------------------- Upcoming RSH RACF Training - WebEx - RACF Audit & Compliance Roadmap - FEB 5-9, 2018 - RACF Level I Administration - DEC 5-8, 2017 - RACF Level II Administration - NOV 13-17, 2017 - RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017 - RACF - Securing z/OS UNIX - OCT 23-27, 2017 ---------------------------------------------------------------------------- -----Original Message----- Date: Thu, 26 Oct 2017 07:30:07 +0000 From: "Baguley, Nicholas: Absa" <[email protected]> Subject: Batch TSO command (ADDUSER) tracing and diagnostics Hi List We need to echo or trace the TSO commands processed in a batch TSO process... We are issuing an ADDUSER command under TSO and it returns a RC=8. In itself not a "biggie". We run TSO via an ATTACH of IKJEFTnn(1B in this case) so it is a subtask of an IMS address space. The ADDUSER command is passed to IKJEFT as a PARM on the attach svc/macro as opposed to SYSTSIN. We don't see the command "echoed" to SYSTSPRT as you "normally" do when using SYSTSIN. Is anyone aware of a mechanism of switching on tracing or diagnosing PARM= input to IKJ? NB - this works fine in 99% of cases. We suspect either we are not building up the ADDUSER command correctly(syntax error) or we have a RACF issue. Unfortunately my next opportunity to make a program change and <SPLAT> the command to the syslog is a couple of weeks away. Maybe the assumption within the the bowels of TSO was that if input is via PARM then there would be a jcl deck or job output to inspect. TIA Nick ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
