It is permissions granted to users who are not enrolled that is the issue. Here 
is the scenario:

User Richard is enrolled
User Les is not enrolled
Richard grants Les some SFS authorities.
DELETE USER LES is issued without enrolling LES (or no DELETE USER is issued 
for LES)
The authorities granted to LES by RICHARD are left hanging and will be applied 
to any newly created LES regardless of the identity of the owner. 

If LES is enrolled before the DELETE USER, those authorities granted to LES by 
others are removed. By doing the ENROLL for 0 blocks for any userid that is to 
be deleted, no ghost authorities are given to new users. The userids are 
unconditionally enrolled. If the user has already been enrolled and owns a file 
space, the enroll will fail. Because all I care about is that the user be 
enrolled, I ignore that failure. 


Regards, 
Richard Schuh 

 

> -----Original Message-----
> From: The IBM z/VM Operating System 
> [mailto:[email protected]] On Behalf Of Les Koehler
> Sent: Tuesday, March 01, 2011 1:24 PM
> To: [email protected]
> Subject: Re: CMS SFS Question
> 
> I guess there's something implied there that I don't get. 
> Scenario, from your note:
> 
> Your task is to delete LES, who is enrolled, from the SFS system.
> LES has granted rights to RICHARD but RICHARD is not enrolled.
> 
> How does enrolling LES for 0 blocks do anything about the 
> granted rights that RICHARD has?
> 
> Les
> 
> Schuh, Richard wrote:
> > I simply enroll any user to be deleted for 0 blocks. The
> > alternative is to scan the SFS directories and files looking
> > for such users. It is much easier to attempt the enroll. If
> > it fails, it is because the user is already enrolled.
> > 
> > Regards,
> > Richard Schuh
> > 
> >  
> > 
> >> -----Original Message-----
> >> From: The IBM z/VM Operating System
> >> [mailto:[email protected]] On Behalf Of Les Koehler
> >> Sent: Tuesday, March 01, 2011 12:22 PM
> >> To: [email protected]
> >> Subject: Re: CMS SFS Question
> >>
> >> I'm curious: How do you find the user who is not enrolled, but 
> >> granted rights to the target user to be deleted?
> >>
> >> Les
> >>
> >> Schuh, Richard wrote:
> >>> The Pipe is the easiest.
> >>>
> >>> PIPE < user list | spec /delete user/ 1 w1 nw | cms | > delete log a
> >>>
> >>> Note, however, that if you have an SFS that has a lot of
> >>> files and permissions, each DELETE USER can take a long
> >>> time, so you do not want to do this on an id that you might
> >>> need soon after you enter the PIPE command. In our shop, an
> >>> individual DELETE USER can take upwards of 10 minutes.
> >>>
> >>> Cleaning up SFS when a userid is deleted is important from
> >>> a security standpoint. If the same id should be given to a
> >>> different person, it would automatically inherit permissions
> >>> from the prior owner. You should be doing a DELETE USER every
> >>> time that a userid is deleted from the directory.
> >>>
> >>> It is possible for one user to grant access to other users
> >>> who are not enrolled. DELETE USER does not clean up these
> >>> permissions. To get rid of them, you have to first enroll
> >>> the user in the pool even if it is for 0 blocks. To solve
> >>> this in our automated process, each user to be deleted is
> >>> enrolled for 0 blocks, ignoring the return code. We don't
> >>> care if the user is already enrolled, the attempt does no
> >>> harm. After the enroll, the deletion will clean out all
> >>> permissions granted to or by the user being deleted.
> >>>
> >>> Regards,
> >>> Richard Schuh
> >>>
> >>>  
> >>>
> >>>> -----Original Message-----
> >>>> From: The IBM z/VM Operating System 
> >>>> [mailto:[email protected]] On Behalf Of Rick Troth
> >>>> Sent: Tuesday, March 01, 2011 10:54 AM
> >>>> To: [email protected]
> >>>> Subject: Re: CMS SFS Question
> >>>>
> >>>> Nahh ... even easier ... Pipes.
> >>>> I'm thinking two pipes.  One to gather the Q ENROLL output then a
> >>>> second to actually perform the deletes.  In between shove that Q
> >>>> ENROLL output into a file, manually edit for confirmation, then feed
> >>>> the selected content into DELETE USER.
> >>>>
> >>>> -- R;
> >>>> Rick Troth
> >>>> Velocity Software
> >>>> http://www.velocitysoftware.com/
> >>>>
> >>>>
> >>>>
> >>>> On Tue, 1 Mar 2011, Rich Smrcina wrote:
> >>>>
> >>>>> REXX?
> >>>>>
> >>>>> On 03/01/2011 12:35 PM, Wandschneider, Scott wrote:
> >>>>>> Is there a way to delete multiple users at once or create
> >>>>>> a "batch" job to delete multiple users that are enrolled in SFS?
> >>>>>>
> >>>>>> Thank you,
> >>>>>> Scott R Wandschneider
> >>>>>> Systems Programmer 3 || Infocrossing, a Wipro Company || 11707
> >>>>>> Miracle Hills Drive, Omaha, NE, 68154-4457 || 402.963.8905 ||
> >>>>>> 847.849.7223 || [email protected] **Think
> >>>>>> Green - Please print responsibly**
> >>>>>>
> >>>>> --
> >>>>> Rich Smrcina
> >>>>> Velocity Software, Inc.
> >>>>> http://www.velocitysoftware.com
> >>>>>
> >>>>> Catch the WAVV! http://www.wavv.org WAVV 2011 - April 15-19, 2011
> >>>>> Colorado Springs, CO
> >>>>>
> >>>>>
> 
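The enroll-then-delete procedure Richard Schuh describes in this thread, as an added REXX example that is not code from any of the posters. It assumes the same USER LIST A input as the quoted PIPE, the default file pool, file pool administrator authority for the caller, and a hypothetical log file SFSPURGE LOG A; the `(BLOCKS 0` option spelling is assumed from the "0 blocks" wording in the thread.

```rexx
/* SFSPURGE EXEC - added example, not code from the thread.          */
/* Enrolls each userid for 0 blocks, then issues DELETE USER, so     */
/* authorities granted to a never-enrolled userid are removed too.   */
/* Assumptions: USER LIST A holds one userid as the first word of    */
/* each record (as in the PIPE quoted in the thread); the default    */
/* file pool is the target; SFSPURGE LOG A is a hypothetical name.   */

'PIPE < USER LIST A | strip | locate 1 | stem line.'
if rc <> 0 then do
  say 'Cannot read USER LIST A, rc='rc
  exit rc
end

failed = 0
do i = 1 to line.0
  userid = translate(word(line.i, 1))      /* uppercase first word   */

  /* Step 1: unconditional enroll for 0 blocks. A nonzero rc is     */
  /* expected when the user is already enrolled; it is recorded     */
  /* but deliberately not treated as an error.                      */
  'ENROLL USER' userid '(BLOCKS 0'
  enrollrc = rc

  /* Step 2: the delete, which can run for minutes per userid.      */
  'DELETE USER' userid
  deleterc = rc
  if deleterc <> 0 then failed = failed + 1

  /* Keep both return codes so a failed delete can be told apart    */
  /* from the harmless "already enrolled" enroll failure.           */
  entry = date('S') time() userid 'ENROLL rc='enrollrc,
          'DELETE rc='deleterc
  'PIPE var entry | >> SFSPURGE LOG A'
end

say line.0 - failed 'of' line.0 'userids deleted; see SFSPURGE LOG A'
exit (failed > 0) * 8
```

Only the DELETE USER return code drives the exit code; a userid with a nonzero DELETE rc in the log still needs follow-up before that id is reissued.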
