I have trouble remembering the rather arcane syntax involved in most RACF incantations.  I've used the following two execs for at least 15 years to define a user in CLASS(SURROGAT) and to PERMIT a user to access that LOGONBY profile.

 type raclgdef exec

/* RACLGDEF: define a SURROGAT profile for a shared userid          */
/* Check the result with:  rac rlist surrogat logonby.wsa1 all       */
parse upper arg shared_id
if shared_id = '' then do
  say 'You must enter the id of the machine you are setting up as a'
  say 'shared userid.'
  exit
end
/* UACC(NONE): nobody can LOGON BY this id until explicitly PERMITted */
'EXEC RAC RDEFINE SURROGAT LOGONBY.'shared_id 'UACC(NONE)'
say 'The exec to permit surrogate access is RACLGPRM shared_id surrogate'
exit

Ready; T=0.01/0.01 21:23:35
 type raclgprm exec

/* RACLGPRM: permit logon_by_id to LOGON BY shared_id               */
/* Check the result with:  rac rlist surrogat logonby.wsa1 all       */
parse upper arg shared_id logon_by_id
/* An uninitialized REXX variable evaluates to its own name, so the  */
/* variable tested here must be spelled exactly as in PARSE above    */
if logon_by_id = '' then do
  say 'You must enter both the shared_id and the logon_by_id'
  exit
end
'EXEC RAC PERMIT LOGONBY.'shared_id 'CLASS(SURROGAT) ID('logon_by_id') ACCESS(READ)'
/* SURROGAT is RACLISTed, so the new permit is not live until refreshed */
'EXEC RAC SETROPTS RACLIST(SURROGAT) REFRESH'
exit

Ready; T=0.01/0.01 21:24:19

Jim Bohnsack                                                   

Alan Altmark wrote:
On Thursday, 04/09/2009 at 06:24 EDT, Kris Buelens 
<kris.buel...@gmail.com> wrote:
I'm 100% sure about this: with a profile in class SURROGAT, the user
becomes LOGON BY only, it has been that way since RACF 1.9 or (arrived
later in VM/SP R6 or VM/ESA 1.0).
Maybe your installation has a generic profile, or things have changed
since the NOPASSWORD attribute was added (z/VM 5.3 or 5.4).

Once a SURROGAT definition is made for a user, it is "lbyonly" by default.
To allow the ID to logon *without* LOGON BY, you must also
PERMIT LOGONBY.userid CLASS(SURROGAT) ACCESS(READ) ID(userid)

This idiom should be used only when you want to give someone else access 
to a *personal* id.  That is, it isn't a peer relationship - rather, one 
person acting on behalf of another.

-- 
Jim Bohnsack
Cornell University
(972) 596-6377 home/office
(972) 342-5823 cell
jab...@cornell.edu
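The two execs above and Alan's note about the owner needing its own PERMIT can be folded into a single exec. The following is an added example, not one of the execs posted in this thread: it defines the profile, permits one or more surrogates in a single pass, optionally permits the shared id to itself (the "lbyonly" point above) when the SELF option is given, refreshes SURROGAT once at the end, and lists the profile so the access list can be eyeballed. The exec name RACSURR is invented, and it assumes the RAC command passes the RACF command's return code back in the REXX rc variable; check that on your system before relying on the rc tests.

```rexx
/* RACSURR EXEC (added example, not from the thread above)           */
/* Define shared_id as a LOGON BY only userid and permit surrogates.  */
/* Usage:  RACSURR shared_id surrogate1 [surrogate2 ...] [( SELF ]    */
/*   SELF  also permits shared_id to its own profile, so the id can   */
/*         still be logged on directly (Alan Altmark's point above).  */
parse upper arg args '(' opts
parse var args shared_id surrogates
if shared_id = '' | surrogates = '' then do
  say 'Usage: RACSURR shared_id surrogate_id ... [( SELF ]'
  exit 4
end
profile = 'LOGONBY.'shared_id

/* Define the profile with no universal access.  A non-zero rc here  */
/* usually means it already exists; we report it and keep going so   */
/* that missing permits can still be added.  (rc behaviour assumed.) */
'EXEC RAC RDEFINE SURROGAT' profile 'UACC(NONE)'
if rc = 0 then say profile 'defined;' shared_id 'is now LOGON BY only.'
else say 'RDEFINE returned rc='rc '(profile already defined?) - continuing.'

/* The owner is NOT on its own access list by default; SELF adds it. */
if wordpos('SELF', opts) > 0 then surrogates = surrogates shared_id

failed = 0
do i = 1 to words(surrogates)
  who = word(surrogates, i)
  'EXEC RAC PERMIT' profile 'CLASS(SURROGAT) ID('who') ACCESS(READ)'
  if rc <> 0 then do
    say 'PERMIT for' who 'failed, rc='rc
    failed = failed + 1
  end
  else say who 'may now LOGON' shared_id 'BY' who
end

/* SURROGAT is RACLISTed: one refresh after all permits, not per id. */
'EXEC RAC SETROPTS RACLIST(SURROGAT) REFRESH'
if rc <> 0 then say 'RACLIST refresh failed, rc='rc '- permits are not live yet'

/* Show the resulting profile and access list for a final eyeball.   */
'EXEC RAC RLIST SURROGAT' profile 'ALL'
if failed > 0 then exit 8
exit 0
```

Because the profile is defined with UACC(NONE) and the owner is not on its own access list, running RACSURR without SELF is the "one person acting on behalf of another" case Alan describes; adding SELF turns it back into an id that can be logged on either directly or BY a permitted surrogate, which is the check to make before handing out the command.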