Hi Mike,

We occasionally come across undefined-users, and they are usually the result of 
errors in setting up STARTED profiles. On rare occasions, we encounter 
installations that have not activated SETROPTS JES(BATCHALLRACF), which, as you 
point out, if not activated, can allow undefined-user batch jobs to execute. 
Most installations do not generate daily/weekly reports on undefined users, so 
they go unnoticed unless the lack of an ID causes a security violation.

Regards, Bob

Robert S. Hansel                       2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date:    Tue, 25 Jun 2024 11:22:17 -0500
From:    Mike Cairns <m...@mikecairns.com>
Subject: Re: Data Set Commander Monitor (DSCMON) Access Authority

Hi Peter,

Radoslaw and I probably spend more time over on the RACF_L list than here on 
IBM-MAIN, but I still like to keep an eye open here.

The use of ID(*) ACCESS(READ) is well known among the RACF community as the 
'preferred' option to UACC nowadays, and the reason you cite is indeed 
mentioned in the literature.  Though I'm not sure about the NJE port of entry 
still being able to actually get a batch job running under the JES 
UNDEFINEDUSER, I have a recollection that the RACF SETROPTS setting 
BATCHALLRACF(YES) should prevent a batch job from initiating with the 
UNDEFINEDUSER value, though I have a vague recollection that BATCHALLRACF 
itself has been redundant also for many years now as well.

I'm intrigued generally to ask of this community, just how often does anyone 
observe work executing on their system *without* a valid RACF (or ACF2 or 
TopSecret) identity associated with it?  

I think there might still be one or two started tasks, probably running as 
TRUSTED or PRIVILEGED, that are initiated in nucleus initialisation that may 
still run with traditionally either the 8 plusses or the 8 question marks as 
their ID, we can see them in SDSF, but realistically I don't believe that we 
see work running under the UNDEFINEDUSER in modern systems for a long time 
nowadays.  I'd be keen to hear otherwise if there is though.

Cheers - Mike

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
