Hi,

If you want to trace a specific user ID you will have to set it with the 
UAUDIT attribute. That way, all of its accesses will be recorded in SMF 
type 80 records and you will be able to analyze them using ICETOOL or a 
similar tool. There are several examples in SYS1.SAMPLIB(IRRICE), which 
is shipped with z/OS. 


Best Regards

João Bentes de Jesus


"Do the difficult things while they are easy and do the great things while 
they are small. A journey of a thousand miles must begin with a single 
step."
Laozi
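As an added example, not part of João's reply and not one of the samples IBM ships, here is the sequence his advice describes end to end: the TSO commands that switch UAUDIT on and off for X1, then a batch job that unloads the SMF type 80 records with IFASMFDP and the IRRADU00 exit and filters the flat-file output for that user with ICETOOL. The job card, the account code, the SMF data set name SMF.DUMP.DATA and the column offset `nnn` are placeholders; the real column of the user ID field comes from the IRRADU00 record layout in the RACF documentation (the output is variable-length, so add 4 for the RDW), the DCB values should be checked against the IFASMFDP sample for your release, and SYS1.SAMPLIB(IRRICE) shows complete report statements built the same way.

```jcl
//* --- TSO commands, issued by a RACF administrator, not in this job ---
//*   ALTUSER X1 UAUDIT        <- log every access X1 makes as SMF type 80
//*   LISTUSER X1              <- confirm UAUDIT now shows in the attributes
//*   ALTUSER X1 NOUAUDIT      <- switch it off once the investigation ends
//*
//* --- Batch job: unload the type 80 records and keep only X1's events ---
//* Placeholders: ACCT, SMF.DUMP.DATA (a dumped SMF data set), nnn.
//RACFAUD  JOB (ACCT),'AUDIT X1',CLASS=A,MSGCLASS=X
//*
//* Step 1: IFASMFDP reads the SMF data; the IRRADU00 exit (USER2) writes
//* one flat, readable record per RACF event to OUTDD and IRRADU86 (USER3)
//* handles end of data. Only types 80-83 are selected, and SMFOUT is
//* DUMMY because only the unloaded records are wanted, not a raw copy.
//UNLOAD   EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//ADUPRINT DD SYSOUT=*
//OUTDD    DD DSN=&SYSUID..RACF.IRRADU00,DISP=(NEW,CATLG,DELETE),
//            SPACE=(CYL,(50,50),RLSE),
//            DCB=(RECFM=VB,LRECL=12288,BLKSIZE=27998)
//SMFDATA  DD DSN=SMF.DUMP.DATA,DISP=SHR
//SMFOUT   DD DUMMY
//SYSIN    DD *
  INDD(SMFDATA,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(80:83))
  ABEND(NORETRY)
  USER2(IRRADU00)
  USER3(IRRADU86)
/*
//*
//* Step 2: ICETOOL copies only the records whose user ID field is X1.
//* nnn is the user ID column from the IRRADU00 layout plus 4 for the RDW;
//* DFSORT pads the shorter constant C'X1' with blanks for the compare.
//REPORT   EXEC PGM=ICETOOL,COND=(0,NE)
//TOOLMSG  DD SYSOUT=*
//DFSMSG   DD SYSOUT=*
//ADUDATA  DD DSN=&SYSUID..RACF.IRRADU00,DISP=SHR
//X1EVENTS DD SYSOUT=*
//TOOLIN   DD *
  COPY FROM(ADUDATA) TO(X1EVENTS) USING(USR1)
/*
//USR1CNTL DD *
  INCLUDE COND=(nnn,8,CH,EQ,C'X1')
/*
```

Each unloaded record carries the event type, the event qualifier (for example a successful access versus a violation), the resource name and the profile that granted or denied the request, so the filtered listing shows directly which profile let X1 delete the data set cataloged in the master catalog. Remember that UAUDIT adds volume to the SMF stream, which is why the NOUAUDIT command belongs to the procedure as well.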



From:   Sean Gleann <sean.gle...@gmail.com>
To:     IBM-MAIN@LISTSERV.UA.EDU
Date:   2019-09-25 12:06
Subject:        [EXTERNAL] Tracing RACF?
Sent by:        IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU>



Following a set of somewhat distressing events here, I discovered - the
hard way - that our master catalog was poorly protected, and so I now have
to fix it. The situation is that all users of the my system can create,
read, write, update, delete files that are cataloged in the MasterCat.

The original intention was that each user-id is defined in the MCat as an
alias that points to one of several User Catalogs, depending on the user's
'department' within the company. That way, user id 'X1' creates 'X1.TEST',
and it gets cataloged in a UCAT.

So far, so good.

Now I've found that if 'X1' creates file 'TEST1', it gets cataloged in the
MCAT. In order to prevent this, I've used existing information to act as a
model for
    permit 'MASTERV.CATALOG' generic id(X1) access(read)
and specified that.

Now, if user X1 tries to create 'X1.TEST', the result is a RACF
authorisation failure.

Again, so far, so good

Taking the test a bit further though, I've now found that user X1 is
allowed to delete file 'TEST1' from the MCat!

My conclusion so far is that X1 must be getting the required access rights
from another user id/group/etc, but I can't see anything apposite in any
examination I do of the RACF rules (I use output from the DBSYNC Rexx
procedure for this).


So... Can anyone spot my error and suggest a different 'permit' command,
please?
Alternatively, I looked at the idea of tracing RACF activity on behalf of a
specific user with
    SET TRACE(USERID(X1))
- but I can't see where generated output goes to nor how to interrogate it.
I *have* seen mention of using GTF for this purpose, along with IPCS, but my
experience with both those tools is so limited that I didn't look much
further in those references - skipped on past them, looking for other
possibilities but not finding any.

Any help gratefully appreciated
Sean

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




