RES: RES: RES: Rexx or similar to clone a RACF user?
Sri,

Amazing JOB. Sort is really a magic tool.

Thank you

Atenciosamente / Regards / Saludos
Ituriel do Nascimento Neto
4250/DITI Engenharia de Software
Tel: +55 11 3684-9602 Canal de voz 23-1404
E-mail: ituriel.nascime...@bradesco.com.br
BANCO BRADESCO S.A. Cidade de Deus, Osasco, Prédio Vermelho

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Sri h Kolusu
Sent: Wednesday, January 29, 2020 11:38
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RES: RES: Rexx or similar to clone a RACF user?

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RES: RES: Rexx or similar to clone a RACF user?
Sri h Kolusu wrote:

>Here is the JCL that I was talking about. You pass the existing userid
>that you need to clone as a parm named BASEUSER and the new userid as another
>parm CLONUSER. I split the statements into different files, so that you can
>run them in the sequence you want to.

Amazing! That is a magic wand with all these useful IFTHEN, BUILD and OUTFIL statements.

(Yes, zSecure or DBSYNC are good for cloning ids, but one more tool can't hurt at all!)

One correction, - for Ituriel do Nascimento Neto - if you don't mind please:

> IFTHEN=(WHEN=(5,4,CH,EQ,C'0270'),
>         BUILD=(1,4,
>                C' ALTUSER ',
>                JP2,C' OMVS(UID(',15,10,C') ',
>                C' HOME(',30,10,C') ',
>                C' PROGRAM(',1054,8,C') )')),

Should rather be this:

  IFTHEN=(WHEN=(5,4,CH,EQ,C'0270'),
          BUILD=(1,4,
                 C' ALTUSER ',
                 JP2,C' OMVS(AUTOUID ',
                 C' HOME(',30,??,C') ',
                 C' PROGRAM(',1054,8,C') )')),

AUTOUID should rather be used if you want to have RACF generate UID value instead of copying/cloning the UID.

The HOME is not 10 characters long, it is just over 1000 characters long. You need to change the '??' to something useful.

See for description of the IRRDBU00 output (watch the wrap):

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.icha300/usr.htm#idg66559

Of course, it is up to you to accept Sri h Kolusu magic wand just as it is provided.

Groete / Greetings
Elardus Engelbrecht
Re: RES: RES: Rexx or similar to clone a RACF user?
Ituriel do Nascimento Neto,

Here is the JCL that I was talking about. You pass the existing userid that you need to clone as a parm named BASEUSER and the new userid as another parm CLONUSER. I split the statements into different files, so that you can run them in the sequence you want to.

// SET BASEUSER='KOLUSU'
// SET CLONUSER='ITURIEL'
//*
//* create Racf statements to clone the userid **
//*
//STEP0100 EXEC PGM=SORT,PARM='JP1"&BASEUSER",JP2"&CLONUSER"'
//SYSOUT   DD SYSOUT=*
//SORTIN   DD DISP=SHR,DSN=Your RACF unload Database file
//ADDUSER  DD SYSOUT=*
//ALTUSER  DD SYSOUT=*
//CONNECT  DD SYSOUT=*
//PERMIT   DD SYSOUT=*
//SYSIN    DD *
  OPTION COPY,VLSCMP
  INCLUDE COND=((005,4,CH,EQ,C'0200',AND,010,8,CH,EQ,JP1),OR,
                (005,4,CH,EQ,C'0220',AND,010,8,CH,EQ,JP1),OR,
                (005,4,CH,EQ,C'0270',AND,010,8,CH,EQ,JP1),OR,
                (005,4,CH,EQ,C'0102',AND,019,8,CH,EQ,JP1),OR,
                (005,4,CH,EQ,C'0404',AND,062,8,CH,EQ,JP1),OR,
                (005,4,CH,EQ,C'0505',AND,266,8,CH,EQ,JP1))
  INREC IFTHEN=(WHEN=INIT,
                BUILD=(001,004,
                       005,1100)),
        IFTHEN=(WHEN=(5,4,CH,EQ,C'0200'),
                BUILD=(1,4,
                       C' ADDUSER ',
                       JP2,C' OWNER(',30,8,C') DFLTGRP(',100,8,C') + ',
                       85:C' PASSWORD(',10,8,C') ',
                       C'NAME(''',79,20,C''')')),
        IFTHEN=(WHEN=(5,4,CH,EQ,C'0220'),
                BUILD=(1,4,
                       C' ALTUSER ',
                       JP2,C' TSO(PROC(',154,8,C')) ',
                       C' ACCTNUM(',19,8,C') + ',
                       85:C' SIZE(',163,8,C') ',
                       C' MAXSIZE(',176,10,C') ',
                       C' UNIT(',209,8,C') )')),
        IFTHEN=(WHEN=(5,4,CH,EQ,C'0270'),
                BUILD=(1,4,
                       C' ALTUSER ',
                       JP2,C' OMVS(UID(',15,10,C') ',
                       C' HOME(',30,10,C') ',
                       C' PROGRAM(',1054,8,C') )')),
        IFTHEN=(WHEN=(5,4,CH,EQ,C'0102'),
                BUILD=(1,4,
                       C' CONNECT ',
                       JP2,C' GROUP(',10,8,C') ',
                       C'OWNER(',10,8,C') ',
                       C'AUTHORITY(',28,8,C') ')),
        IFTHEN=(WHEN=(5,4,CH,EQ,C'0404'),
                BUILD=(1,4,
                       C' PERMIT ',
                       C' ',10,44,C' GEN + ',
                       85:C' CLASS(DATASET ) ',
                       C'ID(',62,8,C') ',
                       C'ACCESS(',71,8,C') ')),
        IFTHEN=(WHEN=(5,4,CH,EQ,C'0505'),
                BUILD=(1,4,
                       C' PERMIT ',
                       C' ',10,44,C' + ',
                       85:C' CLASS(',257,8,C') ',
                       C'ID(',266,8,C') ',
                       C'ACCESS(',275,8,C') '))
  OUTFIL FNAMES=ADDUSER,INCLUDE=(5,8,CH,EQ,C' ADDUSER '),
         VTOF,BUILD=(5,80,/,85,80)
  OUTFIL FNAMES=ALTUSER,INCLUDE=(5,8,CH,EQ,C' ALTUSER '),
         VTOF,BUILD=(5,80,/,85,80)
  OUTFIL FNAMES=CONNECT,INCLUDE=(5,8,CH,EQ,C' CONNECT '),
         VTOF,BUILD=(5,80)
  OUTFIL FNAMES=PERMIT,INCLUDE=(5,8,CH,EQ,C' PERMIT '),
         VTOF,BUILD=(5,80,/,85,80)
/*

Further if you have any questions please let me know

Thanks,
Kolusu
DFSORT Development
IBM Corporation
RES: Rexx or similar to clone a RACF user?
Robert,

As I said, it is old stuff. I'll follow your recommendation.

Thanks

Atenciosamente / Regards / Saludos
Ituriel do Nascimento Neto
4250/DITI Engenharia de Software
Tel: +55 11 3684-9602 Canal de voz 23-1404
E-mail: ituriel.nascime...@bradesco.com.br
BANCO BRADESCO S.A. Cidade de Deus, Osasco, Prédio Vermelho

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Robert S. Hansel (RSH)
Sent: Tuesday, January 28, 2020 08:53
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Rexx or similar to clone a RACF user?
RES: RES: Rexx or similar to clone a RACF user?
Sri,

Thank you, I'll give it a try.

Atenciosamente / Regards / Saludos
Ituriel do Nascimento Neto
4250/DITI Engenharia de Software
Tel: +55 11 3684-9602 Canal de voz 23-1404
E-mail: ituriel.nascime...@bradesco.com.br
BANCO BRADESCO S.A. Cidade de Deus, Osasco, Prédio Vermelho

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Sri h Kolusu
Sent: Monday, January 27, 2020 16:31
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RES: Rexx or similar to clone a RACF user?

> In the past I've developed a small ICETOOL that uses output from
> IRRDBU00 to clone a USERID.

Ituriel do Nascimento Neto

Just so you know, the JCL can be simplified into a single step with single pass of data.

Thanks,
Kolusu
DFSORT Development
IBM Corporation
Re: Rexx or similar to clone a RACF user?
Ituriel,

Very clever. However, I recommend using the 0203 record for group connections instead of the 0102 record. If the user is connected to a UNIVERSAL group, there won't be a 0102 record unless the user has an authority greater than USE.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Mon, 27 Jan 2020 17:39:29 +
From: ITURIEL DO NASCIMENTO NETO
Subject: RES: Rexx or similar to clone a RACF user?
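The following Python is an added example, not code from any poster in this thread. It applies the 0203-versus-0102 recommendation above to constructed unload records: group membership is taken from 0203 and authority from 0102 where a matching record exists. The 0203 column positions, the helper names and all user and group names are assumptions.

```python
import re

# File positions are 1-based and exclude the 4-byte RDW, so they are 4 lower
# than the DFSORT positions used in the thread (0102: group 10 -> 6,
# member 19 -> 15, authority 28 -> 24).
# ASSUMPTION: 0203 carries the user ID in 6-13 and the group in 15-22;
# check this against the IRRDBU00 record reference before relying on it.
AUTHORITIES = {"USE", "CREATE", "CONNECT", "JOIN"}
RACF_NAME = re.compile(r"[A-Z0-9#@$]{1,8}")


def field(rec, start, length=8):
    """Return the blank-trimmed field at a 1-based file position."""
    return rec[start - 1:start - 1 + length].strip()


def connections(unload, base_user):
    """Map each group of base_user to its connect authority.

    Membership comes from 0203; authority comes from the matching 0102
    record when there is one, and is USE when there is none.
    """
    groups, authority = [], {}
    for rec in unload:
        rtype = rec[:4]
        if rtype == "0203" and field(rec, 6) == base_user:
            groups.append(field(rec, 15))
        elif rtype == "0102" and field(rec, 15) == base_user:
            authority[field(rec, 6)] = field(rec, 24)
    return {g: authority.get(g, "USE") for g in groups}


def missed_by_0102(unload, base_user):
    """Groups that a 0102-only extract would not reproduce for base_user."""
    seen = {field(r, 6) for r in unload
            if r[:4] == "0102" and field(r, 15) == base_user}
    return [g for g in connections(unload, base_user) if g not in seen]


def connect_commands(unload, base_user, clone_user):
    """Build one CONNECT command per group, rejecting malformed values."""
    for name in (base_user, clone_user):
        if not RACF_NAME.fullmatch(name):
            raise ValueError(f"not a valid RACF user ID: {name!r}")
    commands = []
    for group, auth in connections(unload, base_user).items():
        # Values are interpolated into TSO commands, so validate them first.
        if not RACF_NAME.fullmatch(group) or auth not in AUTHORITIES:
            raise ValueError(f"unexpected unload data: {group!r} {auth!r}")
        commands.append(
            f" CONNECT {clone_user} GROUP({group}) AUTHORITY({auth})")
    return commands


def make_record(rtype, columns, width=40):
    """Build a constructed unload record from {file position: value}."""
    buf = [" "] * width
    buf[0:4] = rtype
    for start, value in columns.items():
        buf[start - 1:start - 1 + len(value)] = value
    return "".join(buf)


# Constructed sample: BASEUSR is in PAYROLL (ordinary group, CONNECT
# authority) and in ALLSTAFF (universal group, USE authority, so no 0102).
SAMPLE_UNLOAD = [
    make_record("0102", {6: "PAYROLL", 15: "BASEUSR", 24: "CONNECT"}),
    make_record("0102", {6: "PAYROLL", 15: "OTHERUSR", 24: "USE"}),
    make_record("0203", {6: "BASEUSR", 15: "PAYROLL"}),
    make_record("0203", {6: "BASEUSR", 15: "ALLSTAFF"}),
    make_record("0203", {6: "OTHERUSR", 15: "PAYROLL"}),
]

if __name__ == "__main__":
    print("missed by 0102 only:", missed_by_0102(SAMPLE_UNLOAD, "BASEUSR"))
    for cmd in connect_commands(SAMPLE_UNLOAD, "BASEUSR", "NEWUSR"):
        print(cmd)
```

Review the generated commands before running them in a batch TSO step; the name check only guards against malformed input, not against cloning more access than intended.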
Re: RES: Rexx or similar to clone a RACF user?
> In the past I've developed a small ICETOOL that uses output from
> IRRDBU00 to clone a USERID.

Ituriel do Nascimento Neto

Just so you know, the JCL can be simplified into a single step with single pass of data.

Thanks,
Kolusu
DFSORT Development
IBM Corporation
RES: Rexx or similar to clone a RACF user?
Hi,

In the past I've developed a small ICETOOL that uses output from IRRDBU00 to clone a USERID.

Here follows the JCL:

//TSL1USER JOB (),CLASS=S,MSGCLASS=T,MSGLEVEL=(1,1),
//         COND=(0,NE),
//         REGION=0M,NOTIFY=
//*
//* CLONE RACF USERID
//*
//* CHANGE "USERID" TO YOUR USERID TO BE COPIED
//*
//         EXEC RACFCLON,DBU=AT.UNLOAD.RACF
//SEPARA.SYSIN DD *
  OPTION COPY,VLSHRT,SPANINC=RC0
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0200',AND,
                  010,8,CH,EQ,C'USERID'),FILES=1,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0220',AND,
                  010,8,CH,EQ,C'USERID'),FILES=2,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0270',AND,
                  010,8,CH,EQ,C'USERID'),FILES=3,
         CONVERT,OUTREC=(5,1100),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0102',AND,
                  019,8,CH,EQ,C'USERID'),FILES=4,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0404',AND,
                  062,8,CH,EQ,C'USERID'),FILES=5,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0505',AND,
                  266,8,CH,EQ,C'USERID'),FILES=6,
         CONVERT,OUTREC=(5,300),VLFILL=C' '

//RACFCLON PROC DBU=
//*
//* FILTER RECORDS
//*
//SEPARA   EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&DBU,DISP=SHR
//SORTOF1  DD DSN=&,DISP=(,PASS),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF2  DD DSN=&,DISP=(,PASS),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF3  DD DSN=&,DISP=(,PASS),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF4  DD DSN=&,DISP=(,PASS),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF5  DD DSN=&,DISP=(,PASS),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF6  DD DSN=&,DISP=(,PASS),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//*
//ADDUSER  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL OUTREC=(C' ADDUSER ',
                 06,8,C' OWNER(',26,8,C') DFLTGRP(',096,8,C') + ',
                 /,
                 C' PASSWORD(',06,8,C') ',
                 C'NAME(''',75,20,C''')')
  END
//*
//ALTUTSO  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL OUTREC=(C' ALTUSER ',
                 06,8,C' TSO(PROC(',150,8,C')) ',
                 C' ACCTNUM(',15,8,C') + ',
                 /,
                 C' SIZE(',159,8,C') ',
                 C' MAXSIZE(',172,10,C') ',
                 C' UNIT(',205,8,C') )')
  END
//*
//ALTUOMVS EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC FIELDS=(C' ALTUSER ',
                 06,8,C' OMVS(UID(',15,10,C') ',
                 C' HOME(',26,10,C') ',
                 C' PROGRAM(',1050,8,C') )')
  END
//*
//CONNECT  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC FIELDS=(C' CONNECT ',
                 15,8,C'GROUP(',06,8,C') ',
                 C'OWNER(',06,8,C') ',
                 C'AUTHORITY(',24,8,C') ')
  END
//*
//PERMIT   EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL OUTREC=(C' PERMIT ',
                 C' ',6,44,C' GEN + ',
                 /,
                 C' CLASS(DATASET ) ',
                 C'ID(',58,8,C') ',
                 C'ACCESS(',67,8,C') ')
  END
//*
//PERMIT   EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL OUTREC=(C' PERMIT ',
                 C' ',6,44,C' + ',
                 /,
                 C' CLASS(',253,8,C') ',
                 C'ID(',262,8,C') ',
                 C'ACCESS(',271,8,C') ')
  END

Atenciosamente / Regards / Saludos
Ituriel do Nascimento Neto
4250/DITI Engenharia de Software
Tel: +55 11 3684-9602 Canal de voz 23-1404
E-mail: ituriel.nascime...@bradesco.com.br
BANCO BRADESCO S.A. Cidade de Deus, Osasco, Prédio Vermelho

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Charles Mills
Sent: Friday, January 17, 2020 15:26
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Rexx or similar to clone a RACF user?

X-posted RACF-L and IBM-MAIN.

A Google search reveals that the question "how do I clone a user in RACF?" has been asked before and the answer is basically "buy Vanguard, Beta88 or zSecure." People also mentioned "you might write a Rexx script to do this."

Not having one of those proprietary products I searched the CBT tape to see if such a Rexx script were to be found there, without success.
Re: Rexx or similar to clone a RACF user?
Sorry, IRRDBU00 is not sufficient. It's the first step used by a REXX program named DBSYNC. You'll need to download it and use IRRDBU00's output from your current RACF database as the "old file" (INDD1) and a dummy file as the "new file" (INDD2) as input to DBSYNC. It's DBSYNC that generates the RACF statements.

Googling "RACF" "DBSYNC" will get you the information you need.

Wendell Lovewell
Re: Rexx or similar to clone a RACF user?
It might be a bit excessive, but if you have RACF administrator authority, and an editor that will edit what might be a very large file, you could run IRRDBU00 and create a sequential file containing definitions of pretty much everything in your database except certificates and passwords.

Edit the output and look for all of the statements that have the userid in them. Extract them to another file, change all the old userid to new userid, and run them through a batch TSO step to create the new user.

I use a PC editor named Kedit that will edit a file with millions of lines and quickly find all occurrences of a string. YMMV.

Hope this helps,
Wendell Lovewell
Re: Rexx or similar to clone a RACF user?
That's only one of the reasons for creating group definitions.

A group can "own" other groups as a way of documenting structural relationships even when resource permissions are not directly involved.

A group can "own" resource profiles as a way of granting non-SPECIAL users the ability to manage permissions for very specific resources (group-SPECIAL).

A group may be required in order to control/allow data sets with that HLQ, when it does not make sense for that HLQ to be the name of a User profile.

There will always be some permission requirements that arise that are at least initially unique to one specific user, which makes it tempting to expend less effort and assign those permissions directly to the user rather than creating a new group for a new work role which hasn't yet been formalized -- especially when the requirement may have been described as "temporary".

With 20/20 hindsight one realizes that perhaps installation standards should always require creating a new group when needed to avoid direct permits to user profiles; but then you should also initiate a periodic review process for such groups to see if they have become obsolete, need to be merged with other groups, or need to be better-named to reflect a now-formalized work role.

Joel C Ewing

On 1/20/20 8:21 AM, Allan Staller wrote:

> Isn't this the reason for group definitions? If done properly, just connect the "new" user to the same groups as the "old" user and all should be ok.
> If not done properly, this is still a big leg up over "starting from scratch".
Re: Rexx or similar to clone a RACF user?
Isn't this the reason for group definitions? If done properly, just connect the "new" user to the same groups as the "old" user and all should be ok.

If not done properly, this is still a big leg up over "starting from scratch".

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jesse 1 Robinson
Sent: Friday, January 17, 2020 3:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Rexx or similar to clone a RACF user?

Cloning a userid is a very tricky proposition. For one thing, what does 'clone' mean to the requestor? If the userids have to be functionally identical/interchangeable, a great many paths and a cross tracks have to be explored. We don't have a program product to do this either, so it's a hit or miss exercise that involves a lot of tweaking when divergences are discovered. As Joel says, preference for groups over individual permissions is highly desirable, but that may be like remodeling the barn after the horse has escaped. Again.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Joel C. Ewing
Sent: Friday, January 17, 2020 1:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Rexx or similar to clone a RACF user?

Unless things have changed, the problem is that RACF permissions granted directly to a user to a dataset profile or other resource profile are stored as part of that resource profile, not as part of a user profile. While user attributes and group connections to a user are easy to clone just by looking at or parsing a display of the to-be-cloned user profile, unless your installation only grants permissions via groups that are then connected to users, in the worst case you are forced to examine ALL resource profiles to see which ones had permissions for the to-be-cloned user profile and grant similar permits to the new user profile.

While it could be done, it was judged impractical to examine all resource-to-user permissions from the actual RACF database; so we used a standard RACF utility to dump the RACF database in a format that could then be uploaded into DB2 tables every night. The DB2 tables could be efficiently queried to find what resource permits were granted to a specific user and needed to be cloned, and we just cloned from userids that we knew hadn't been changed since the last RACF DB2 table build.

We did use REXX code to do the cloning, but it used a combination of RACF commands and DB2 queries to determine what needed to be done. Our Rexx code was not completely generic, but was customized for our installation's RACF standards and conventions, which meant that some classes of resource profiles were only granted to group profiles and could be safely ignored when cloning a user as they would be covered by replicating the group connects for the user.

Joel C Ewing

On 1/17/20 12:25 PM, Charles Mills wrote:

> X-posted RACF-L and IBM-MAIN.
>
> A Google search reveals that the question "how do I clone a user in RACF?"
> has been asked before and the answer is basically "buy Vanguard,
> Beta88 or zSecure." People also mentioned "you might write a Rexx script to
> do this."
>
> Not having one of those proprietary products I searched the CBT tape
> to see if such a Rexx script were to be found there, without success.
>
> So my question is: does anyone know of a CBT or similar tool to clone
> a RACF user, or does anyone have a Rexx script that they might be willing to
> share?
Re: Rexx or similar to clone a RACF user?
On Fri, 17 Jan 2020 10:25:57 -0800, Charles Mills wrote:

>So my question is: does anyone know of a CBT or similar tool to clone a RACF
>user, or does anyone have a Rexx script that they might be willing to share?
>

I don't have a script. I do recommend you stick to granting access to group profiles only.

I have found the IEERID00 utility very useful in investigating what permissions and other stuff a given user has. It produces a CLIST that lets you delete the user ID and all related. I found those CLISTs (with some editing, of course!) handy.

Cheers,
Jantje.
Re: Rexx or similar to clone a RACF user?
Cloning a userid is a very tricky proposition. For one thing, what does 'clone' mean to the requestor? If the userids have to be functionally identical/interchangeable, a great many paths and cross tracks have to be explored. We don't have a program product to do this either, so it's a hit or miss exercise that involves a lot of tweaking when divergences are discovered.

As Joel says, preference for groups over individual permissions is highly desirable, but that may be like remodeling the barn after the horse has escaped. Again.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Joel C. Ewing
Sent: Friday, January 17, 2020 1:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Rexx or similar to clone a RACF user?

Unless things have changed, the problem is that RACF permissions granted directly to a user to a dataset profile or other resource profile are stored as part of that resource profile, not as part of a user profile. While user attributes and group connections to a user are easy to clone just by looking at or parsing a display of the to-be-cloned user profile, unless your installation only grants permissions via groups that are then connected to users, in the worst case you are forced to examine ALL resource profiles to see which ones had permissions for the to-be-cloned user profile and grant similar permits to the new user profile.

While it could be done, it was judged impractical to examine all resource-to-user permissions from the actual RACF database; so we used a standard RACF utility to dump the RACF database in a format that could then be uploaded into DB2 tables every night. The DB2 tables could be efficiently queried to find what resource permits were granted to a specific user and needed to be cloned, and we just cloned from userids that we knew hadn't been changed since the last RACF DB2 table build.

We did use REXX code to do the cloning, but it used a combination of RACF commands and DB2 queries to determine what needed to be done. Our Rexx code was not completely generic, but was customized for our installation's RACF standards and conventions, which meant that some classes of resource profiles were only granted to group profiles and could be safely ignored when cloning a user as they would be covered by replicating the group connects for the user.

Joel C Ewing
Re: Rexx or similar to clone a RACF user?
Unless things have changed, the problem is that RACF permissions granted directly to a user to a dataset profile or other resource profile are stored as part of that resource profile, not as part of a user profile. While user attributes and group connections to a user are easy to clone just by looking at or parsing a display of the to-be-cloned user profile, unless your installation only grants permissions via groups that are then connected to users, in the worst case you are forced to examine ALL resource profiles to see which ones had permissions for the to-be-cloned user profile and grant similar permits to the new user profile.

While it could be done, it was judged impractical to examine all resource-to-user permissions from the actual RACF database; so we used a standard RACF utility to dump the RACF database in a format that could then be uploaded into DB2 tables every night. The DB2 tables could be efficiently queried to find what resource permits were granted to a specific user and needed to be cloned, and we just cloned from userids that we knew hadn't been changed since the last RACF DB2 table build.

We did use REXX code to do the cloning, but it used a combination of RACF commands and DB2 queries to determine what needed to be done. Our Rexx code was not completely generic, but was customized for our installation's RACF standards and conventions, which meant that some classes of resource profiles were only granted to group profiles and could be safely ignored when cloning a user as they would be covered by replicating the group connects for the user.

Joel C Ewing

On 1/17/20 12:25 PM, Charles Mills wrote:
> X-posted RACF-L and IBM-MAIN.
>
> A Google search reveals that the question "how do I clone a user in RACF?" has been asked before and the answer is basically "buy Vanguard, Beta88 or zSecure." People also mentioned "you might write a Rexx script to do this."
>
> Not having one of those proprietary products I searched the CBT tape to see if such a Rexx script were to be found there, without success.
>
> So my question is: does anyone know of a CBT or similar tool to clone a RACF user, or does anyone have a Rexx script that they might be willing to share?
>
> Thanks,
> Charles

--
Joel C. Ewing
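An added illustration of the unload-and-query approach described in the message above (not the poster's REXX or DB2 code): the Python below scans IRRDBU00-style unload records for rows whose authorized-ID column names a given userid and emits the CONNECT and PERMIT commands a clone would need. The column positions are assumptions based on the IRRDBU00 record layouts, and the userids, group and profile names are constructed.

```python
# Added example. Column spans (1-based, inclusive, RDW excluded) are assumptions
# based on the IRRDBU00 record layouts; verify them for your z/OS release.
LAYOUTS = {
    "0102": {"group": (6, 13), "user": (15, 22), "auth": (24, 31)},      # group member
    "0404": {"profile": (6, 49), "user": (58, 65), "access": (67, 74)},  # data set access
    "0505": {"profile": (6, 251), "rclass": (253, 260),                  # general resource access
             "user": (262, 269), "access": (271, 278)},
}

def field(record, span):
    """Extract one fixed-column field and drop its blank padding."""
    return record[span[0] - 1:span[1]].strip()

def make_record(rtype, **values):
    """Build a constructed unload record by placing values in their columns."""
    layout = LAYOUTS[rtype]
    buf = list(rtype.ljust(max(end for _, end in layout.values())))
    for name, value in values.items():
        start, end = layout[name]
        buf[start - 1:end] = value.ljust(end - start + 1)
    return "".join(buf)

def clone_commands(unload_lines, base_user, new_user):
    """Return commands mirroring base_user's group connects and direct permits."""
    commands = []
    for record in unload_lines:
        rtype = record[:4]
        layout = LAYOUTS.get(rtype)
        # Compare the authorized-ID column only, so a profile that merely
        # contains the userid in its name (BASEUSR.**) is not picked up.
        if layout is None or field(record, layout["user"]) != base_user:
            continue
        f = {name: field(record, span) for name, span in layout.items()}
        if rtype == "0102":
            commands.append(f"CONNECT {new_user} GROUP({f['group']}) AUTHORITY({f['auth']})")
        elif rtype == "0404":
            commands.append(f"PERMIT '{f['profile']}' ID({new_user}) ACCESS({f['access']})")
        else:
            commands.append(f"PERMIT {f['profile']} CLASS({f['rclass']}) "
                            f"ID({new_user}) ACCESS({f['access']})")
    return commands

# Constructed sample records, not taken from any real RACF database.
SAMPLE = [
    make_record("0102", group="PAYGRP", user="BASEUSR", auth="USE"),
    make_record("0404", profile="PROD.PAYROLL.**", user="BASEUSR", access="UPDATE"),
    make_record("0404", profile="BASEUSR.**", user="OTHERUSR", access="READ"),
    make_record("0505", profile="PAYROLL.REPORTS", rclass="FACILITY", user="BASEUSR", access="READ"),
]

if __name__ == "__main__":
    print("\n".join(clone_commands(SAMPLE, "BASEUSR", "NEWUSR")))
```

Conditional access lists and the generic, discrete and volume details of data set profiles are held in other unload records and are not covered here, so the generated commands are a list to review rather than to run unchanged.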
Rexx or similar to clone a RACF user?
X-posted RACF-L and IBM-MAIN.

A Google search reveals that the question "how do I clone a user in RACF?" has been asked before and the answer is basically "buy Vanguard, Beta88 or zSecure." People also mentioned "you might write a Rexx script to do this."

Not having one of those proprietary products I searched the CBT tape to see if such a Rexx script were to be found there, without success.

So my question is: does anyone know of a CBT or similar tool to clone a RACF user, or does anyone have a Rexx script that they might be willing to share?

Thanks,
Charles