Greg,

If the RACF database is shared across several LPARs, does the input to your 
daily RACFRW report include SMF data from all the LPARs?

If SETROPTS AUDIT is not active for class USER and the OWNER of this CICS ID is 
a non-SPECIAL USERID, the latter could execute an ALTUSER that wouldn't be 
logged.

Another possibility is this ID was being listed as REVOKED by LU because it had 
crossed the threshold set by SETROPTS INACTIVE but was able to log on via some 
mechanism that circumvented the INACTIVE limit. Here are some related questions.
1) Do you have SETROPTS INACTIVE set and to what number of days?
2) Was this ID listed as REVOKED prior to July 8?
3) Do you have a backup copy of the RACF database prior to July 8 from when the 
ID was showing up as REVOKED, and if you generate an IRRDBU00 database unload 
from this copy, does it show the ID as REVOKED? (An ID displayed as REVOKED by 
LU due to INACTIVE will not show up as REVOKED in the unload.)
4) What is the nature of this ID and how is it likely to be used? Is it 
hardcoded in any CICS CSD resource definitions such as those for SESSION, 
CONNECTION, TDQUEUE, or TERMINAL? Is it coded as the USERID in any EXEC CICS 
START commands within a program? Might Digital Certificates or PassTickets be 
involved in logging it on?
5) Do you have multiple RACF databases and is this ID defined and active on 
these other databases? Was it active on another system around the time of this 
logon?
6) What are the full details of its logon on the 9th? Does it show an 
associated TERMINAL, APPL, or JESINPUT node? (If it shows JESINPUT, then we 
might want to explore your RACFVARS &RACLNDE profile and NODES profiles.)

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date:    Wed, 7 Aug 2013 11:33:24 -0500
From:    Greg Shirey <wgshi...@benekeith.com>
Subject: RACF User ID resumed without an SMF record?

Hello group,

Does anyone know of a method to resume a RACF revoked ID without having an SMF 
record be written?  

We produce a daily listing of RACF commands from our SMF type 80s (using 
RACFRW) and we list ADDUSER ADDGROUP ALTUSER ALTGROUP CONNECT DELUSER DELGROUP 
PASSWORD PERMIT RALTER RDEFINE REMOVE.  

We also produce a daily listing of our CICS user IDs and their RACF status.  On 
July 8 we had a user ID on our report that was listed as REVOKED and a 
LAST-ACCESS date and time of 07/17/07 17:01:28. 

On July 9, the report showed the ID was no longer revoked and the LAST-ACCESS 
reported as 07/08/13   19:24:14.  However, our SMF report listed no ALTUSER 
command or any other command against this ID.  (No DELUSER or ADDUSER, for 
instance).  

I dumped the SMF records for both July 7 and July 8 and ran a RACFRW to list 
all the records and there is no reference to this User ID.   

I'm a sysprog, so I can't blame it on magic or elves - I could try blaming it 
on the software, but I'm finding that hard to believe - so I have to think 
there's something I'm missing.  I've just looked at everything I know to look 
at.  (Did someone modify SMF for a period?  No.  Does the COBOL program that 
lists the RACF users have a bug in it?  No.)  

If anyone has a suggestion for what to look for, I'd appreciate hearing about 
it.   

Thanks,
Greg Shirey
Ben E. Keith Company 
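
Added example, not part of the original thread: question 3 in the reply above notes that an ID shown as REVOKED by LU because of SETROPTS INACTIVE does not show as REVOKED in an IRRDBU00 unload. This Python script separates the two cases in type 0200 (user basic data) records. The column offsets are stated from the IBM record layout as an assumption to confirm for your release, and the 90-day interval, user IDs and sample records are constructed.

```python
from datetime import date

# Assumed 1-based column ranges of IRRDBU00 type 0200 fields (record type,
# user ID, REVOKE flag, last-access date); confirm for your RACF release.
FIELDS = {"type": (1, 4), "name": (6, 13), "revoke": (50, 53), "last_date": (114, 123)}

def parse_0200(line):
    """Return the fields of one 0200 record, or None for other record types."""
    rec = {k: line[a - 1:b].strip() for k, (a, b) in FIELDS.items()}
    if rec["type"] != "0200":
        return None
    rec["revoked_flag"] = rec["revoke"].upper() == "YES"
    try:
        rec["last_access"] = date.fromisoformat(rec["last_date"])
    except ValueError:              # blank or malformed: no usable date
        rec["last_access"] = None
    return rec

def classify(rec, inactive_days, as_of):
    """Say why LU would, or would not, list this ID as REVOKED on as_of."""
    if rec["revoked_flag"]:
        return "REVOKE_FLAG"        # flag is stored in the database
    if rec["last_access"] is None:
        return "NO_LAST_ACCESS"     # not evaluated by this script
    # Assumption: "past the interval" means strictly more than inactive_days.
    if (as_of - rec["last_access"]).days > inactive_days:
        return "INACTIVE_ONLY"      # listed as REVOKED, flag not set
    return "ACTIVE"

def report(lines, inactive_days, as_of):
    recs = filter(None, map(parse_0200, lines))
    return {r["name"]: classify(r, inactive_days, as_of) for r in recs}

def sample_line(name, revoke, last_date):
    """Constructed 0200 line carrying only the fields parsed above."""
    buf = [" "] * 123
    vals = {"type": "0200", "name": name, "revoke": revoke, "last_date": last_date}
    for key, val in vals.items():
        start = FIELDS[key][0] - 1
        buf[start:start + len(val)] = val
    return "".join(buf)

SAMPLE = [sample_line("CICSUSR1", "NO", "2007-07-17"),   # constructed IDs
          sample_line("CICSUSR2", "YES", "2013-06-30"),
          sample_line("CICSUSR3", "NO", "2013-07-05"),
          "0100 SYS1"]                                   # group record, skipped

if __name__ == "__main__":
    print(report(SAMPLE, 90, date(2013, 7, 8)))          # 90 days: assumed interval
```

An ID reported as INACTIVE_ONLY on one day and in use the next has no REVOKE flag to reset, which is a case where no ALTUSER record would be expected in the SMF data.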
