This is an assumption, not a rule. The program should see all possible resources for the access list and can't assume that someone did not use the user in acl.

ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I | Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Thu, Mar 5, 2026 at 4:58 PM Colin Paice <[email protected]> wrote:

> Lennie,
>
> I know about not giving userids access to resources (see Jump up and down:
> Do not give userids access to resources!
> <https://colinpaice.blog/2025/05/25/jump-up-and-down-do-not-give-userids-access-to-resources/>)
> I've been dealing with the zD&T system from IBM with resources like
>
> - FACILITY BPX.CONSOLE with access to IBMUSER, IZUSVR, CFZSRV, TCPIP and
> - FACILITY BPX.DAEMON with 10 userids and no groups!
>
> I wrote my program to extract the userid profiles for this environment.
>
> Colin
>
> On Thu, 5 Mar 2026 at 11:13, Lennie Bradshaw <[email protected]> wrote:
>
> > Colin,
> >
> > Most well-organised RACF shops will not allow RACF users in access lists.
> > Access is manipulated using permits to groups and group connects to RACF
> > users.
> > That makes cloning a user far easier as for access purposes you identify
> > the group connects.
> >
> > Lennie
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Colin Paice
> > Sent: 05 March 2026 09:56
> > To: [email protected]
> > Subject: Re: Mainframe ID's
> >
> > I understand.
> >
> > I used my code to replicate a userid by running my program and changing
> > COLIN to COLIN1 in the output.
> > My program will not help if individual userids (rather than groups) have
> > access to a resource; you have to look at every resource to find the id's
> > access.
> >
> > Colin
> >
> > On Thu, 5 Mar 2026 at 08:35, ITschak Mugzach <[email protected]> wrote:
> >
> > > Colin,
> > >
> > > I think that Steve talked about copying a user, not just create one.
> > > In RACF it is a two step task, first collect information from the name
> > > utility and then look which authority the user has on the resource.
> > > Alternatively use the unload utility
> > >
> > > On Thu, 5 Mar 2026 at 9:42, Colin Paice <[email protected]> wrote:
> > >
> > > > I have a program (under development) which recreates the RACF command
> > > > used to create a user/dataset/resource profile.
> > > > You pass parameters U COLIN
> > > > It generates
> > > >
> > > > ADDUSER COLIN
> > > >
> > > > CONNECT COLIN GROUP(IZUADMIN) UACC(READ) SPECIAL AUDITOR -
> > > >    REVOKE(01/01/27) -
> > > >    RESUME(01/02/27)
> > > > CONNECT COLIN GROUP(IZUUSER) UACC(NONE)
> > > > CONNECT COLIN GROUP(SYS1) UACC(NONE) -
> > > >    REVOKE(01/01/27) -
> > > >    RESUME(01/02/27)
> > > >
> > > > ALTUSER -
> > > >    COLIN -
> > > >    OWNER (COLIN) -
> > > >    NOADSP -
> > > >    NOOPERATIONS -
> > > >    NOGRPACC -
> > > >    NAME ('CCPAICE') -
> > > >    DFLTGRP (TEST) -
> > > >    DATA ('COLIN''S WITH A QUOTE') -
> > > >    NOAUDITOR -
> > > >    CLAUTH (CSFSERV) -
> > > >    NOREST -
> > > >    NOROAUDIT -
> > > >    WHEN( -
> > > >    DAYS (SUNDAY -
> > > >    MONDAY -
> > > >    TUESDAY -
> > > >    WEDNESDAY -
> > > >    THURSDAY -
> > > >    FRIDAY -
> > > >    SATURDAY) -
> > > >    TIME (ANYTIME))
> > > > ALTUSER -
> > > >    COLIN -
> > > >    TSO (ACCTNUM ('ACCT#') -
> > > >    COMMAND ('ex ''colin.zlogon.clist''') -
> > > >    PROC (ISPFPROC) -
> > > >    SIZE (2096128) -
> > > >    MAXSIZE (2096128) -
> > > >    USERDATA (0000) -
> > > >    UNIT (3390))
> > > > ALTUSER -
> > > >    COLIN -
> > > >    OMVS (UID (990021) -
> > > >    HOME ('/u/tmp/zowet/colin') -
> > > >    PROGRAM ('/u/zopen/usr/local/bin/bash') -
> > > >    MMAPAREAMAX (16777216) -
> > > >    SHMEMMAX (300M))
> > > >
> > > > Is this what you are after?
> > > >
> > > > Colin
> > > >
> > > > On Wed, 4 Mar 2026 at 20:35, Steve Beaver <[email protected]> wrote:
> > > >
> > > > > We have all struggled with replicating a TSO id without something
> > > > > like VRA or zSecure
> > > > >
> > > > > I'm learning more about TSS - it has a convenient command
> > > > >
> > > > > TSS RENAME(acid) ACID(new acid)
> > > > >
> > > > > That works nicely. The only thing you really need to do is DEFINE an
> > > > > ALIAS and rename the datasets provided there are not a billion of them
> > > > >
> > > > > ----------------------------------------------------------------------
> > > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > send email to [email protected] with the message: INFO IBM-MAIN
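
Added example, not part of the original thread or anyone's program in it: a sketch of the point discussed above, that cloning a userid from its group connects misses any profile whose access list names the userid directly. The `(class, profile, id, access)` tuples, the access levels, the `CSFRNG` entry and the function names are constructed for illustration; real input would come from a RACF database unload or from listing each profile, and only general resource profiles are covered here.

```python
from collections import defaultdict

# Constructed sample access-list entries: (class, profile, id, access).
# Profile and ID names echo the thread; access levels are invented.
ACL = [
    ("FACILITY", "BPX.CONSOLE", "IBMUSER", "READ"),
    ("FACILITY", "BPX.CONSOLE", "COLIN", "READ"),
    ("FACILITY", "BPX.DAEMON", "IZUADMIN", "READ"),
    ("FACILITY", "BPX.DAEMON", "COLIN", "UPDATE"),
    ("CSFSERV", "CSFRNG", "IZUUSER", "READ"),
]

# Assumption: the caller already knows which IDs are groups.
GROUPS = {"IZUADMIN", "IZUUSER", "SYS1"}


def clone_permits(acl, source, target):
    """PERMIT commands for every profile that lists `source` directly.

    These are the permits a clone built only from CONNECT commands lacks.
    """
    return [
        f"PERMIT {profile} CLASS({cls}) ID({target}) ACCESS({access})"
        for cls, profile, ident, access in acl
        if ident == source
    ]


def userids_in_access_lists(acl, groups):
    """Map 'CLASS profile' to the sorted non-group IDs on its access list."""
    found = defaultdict(list)
    for cls, profile, ident, _access in acl:
        if ident not in groups:
            found[f"{cls} {profile}"].append(ident)
    return {key: sorted(ids) for key, ids in found.items()}


if __name__ == "__main__":
    for command in clone_permits(ACL, "COLIN", "COLIN1"):
        print(command)
    for profile, ids in userids_in_access_lists(ACL, GROUPS).items():
        print(f"{profile}: userids on access list: {', '.join(ids)}")
```

The second function doubles as an audit report: any profile it returns is one where access was granted to a userid rather than a group.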
