I have trouble remembering the rather arcane syntax involved in most
RACF incantations. I've used the following two execs for at least 15
years to define a user in CLASS(SURROGAT) and to PERMIT a user to
access that LOGONBY profile.

type raclgdef exec

/* Define a surrogat profile */
/* rac rlist surrogat logonby.wsa1 all */
parse upper arg shared_id
if shared_id = '' then do
  say 'You must enter the id of the machine you are setting up as a'
  say 'shared userid.'
  exit
end
/* UACC(NONE): nobody may LOGON BY until explicitly permitted */
'EXEC RAC RDEFINE SURROGAT LOGONBY.'shared_id 'UACC(NONE)'
say 'The exec to permit surrogate access is RACLGPRM shared_id surrogate'
exit

Ready; T=0.01/0.01 21:23:35

type raclgprm exec

/* Permit an id to share an id */
/* rac rlist surrogat logonby.wsa1 all */
parse upper arg shared_id logon_by_id
if logon_by_id = '' then do
  say 'You must enter both the shared_id and the logon_by_id'
  exit
end
'EXEC RAC PERMIT LOGONBY.'shared_id 'CLASS(SURROGAT) ID('logon_by_id') ACCESS(READ)'
/* Refresh the RACLISTed SURROGAT profiles so the PERMIT takes effect */
'EXEC RAC SETROPTS RACLIST(SURROGAT) REFRESH'
exit

Ready; T=0.01/0.01 21:24:19

Jim Bohnsack

Alan Altmark wrote:

> On Thursday, 04/09/2009 at 06:24 EDT, Kris Buelens <kris.buel...@gmail.com> wrote:
>
> > I'm 100% sure about this: with a profile in class SURROGAT, the user
> > becomes LOGON BY only, it has been that way since RACF 1.9 or (arrived
> > later in VM/SP R6 or VM/ESA 1.0). Maybe your installation has a generic
> > profile, or things have changed since the NOPASSWORD attribute was added
> > (z/VM 5.3 or 5.4).
>
> Once a SURROGAT definition is made for a user, it is "lbyonly" by default.
> To allow the ID to logon *without* LOGON BY, you must also
>
> PERMIT LOGONBY.userid CLASS(SURROGAT) ACCESS(READ) ID(userid)
>
> This idiom should be used only when you want to give someone else access
> to a *personal* id. That is, it isn't a peer relationship - rather, one
> person acting on behalf of another.

--
Jim Bohnsack
Cornell University
(972) 596-6377 home/office
(972) 342-5823 cell
jab...@cornell.edu