Re: tso session timeout
How's your short term memory - can you remember if you're in Sydney for the z Symposium next week ?. Shane ... On Sat, May 1st, 2010 at 3:32 PM, Greg Price wrote: At least, that's the way I remember it... -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: z/OS Unix and VBA files.
I think the explanation can be found in the C/C++ Programming Guide, in the chapter about Using ASA text files (Chapter 7 in the recent editions). http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/DOCNUM/SC09- 4765 After reading the chapter, I understand it to mean that when C/C++ programs (such as cp I presume) read an ASA file for text processing (rather than binary processing), they don't receive the ASA characters. The ASA characters are interpreted and removed, before the program receives the text, and what the program receives is the interpreted text, in which a line preceding one that had an ASA '1' is terminated not by '\n' but by '\f' (a formfeed, hex 0C I presume). Lines preceding those that had an ASA space are terminated by a '\n'. If the ASA file had any ASA '+' lines (not likely in IDCAMS), the line preceding it would end with '\r' instead of '\n'. If the ASA file had any ASA '0' or '-' lines, the line preceding it would be followed by 1 or 2 empty lines respectively, which the program would receive before it got the line that originally had the '0' or '-'. I suspect that the lines that appear to have the ASA '1' lines appended to the preceding line, minus the '1', contain a formfeed where the '1' was, and no newline preceding it. In the chapter I mentioned, it says: Records are terminated by writing a new-line ('\n'), carriage return ('\r'), or form feed ('\f') character. So a newline is not the only record terminator. If you use cat -v to display the unix file, a formfeed would show as ^L. If there is a formfeed there, one solution would be to use: tr '\f' '\n' to change the formfeeds to newlines. Bill On Sat, 1 May 2010 00:58:41 +1000, Shane Ginnane wrote: cp //'..' /tmp/file.txt and/or cat //'..' /tmp/file.txt Worked fine for VB input, not VBA. Hence my confusion. Shane ... On Sat, May 1st, 2010 at 12:46 AM, Hunkeler Peter (KIUP 4) wrote: [snip]A GENER of the files to VB prior to sending them to OMVS indeed confirmed this is what was happening. Anyone else seen this - or got an explanation ?. gil maybe ... ? How did you move the OFILE to the filesystem? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM- MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: z/OS Unix and VBA files.
Thanks Bill - I'm off next week (as my post to Greg that went public indicates), so I'll check this after I get back in the office. Cheers ... Shane On Sat, May 1st, 2010 at 4:29 PM, Bill Godfrey wrote: I think the explanation can be found in the C/C++ Programming Guide, in the chapter about Using ASA text files (Chapter 7 in the recent editions). -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
out of the office
I will be out of the office starting 04/30/2010 and will not return until 05/03/2010. /pre This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information. 127 Public Square, Cleveland, OH 44114 pre If you prefer not to receive future e-mail offers for products or services from Key send an e-mail to mailto:dnereque...@key.com with 'No Promotional E-mails' in the SUBJECT line. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
On 04/30/2010 07:43 PM, Edward Jaffe wrote: Stocker, Herman wrote: To answer the why needed question: On occasion security has stated that access has been given only later to find out that the incorrect access was granted or not granted at all. Causing jobs to fail and time to be lost, therefore the user wants away to check security. One of the problems of outsourcing. Most if not all of the security packages in use these days support a warn mode of operating for select profiles. But WARN also means any resources protected by that profile are not actually protected but can be accessed by anyone, only that the questionable access is logged after the fact as an attempt that would have been prevented had WARN not be in place. This may be useful in a shop that is turning on RACF restrictions for a new class of resources and wants to fix any major problems before going live, but is not something you would want to do in a production environment for types of resources that have always been restricted (and that you have assured to auditing to be restricted). In native RACF the LD command is probably the closest you can come. If you have access via a dataset profile, it will give you the level of access. If you don't have access (and are not RACF SPECIAL or AUDITOR), it won't tell you anything useful (from which you can conclude you don't have any access). Some vendor JCL checker Utilities (like JobScan) also have a mode of operation (with additional overhead) where they will check RACF authority to datasets referenced in the JCL. If you had one of these you could construct some dummy JCL that implies the required access to the datasets in question and use the JCL checker to verify access. Joel C Ewing -- Joel C. Ewing, Fort Smith, ARjremoveccapsew...@acm.org -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
wants away to check security. Coming from a Banking background, I believe a user should not have the ability to check beforehand. That's a security exposure, because the user may find something that they normally wouldn't. Also, don't blame it on out-sourcing. I've seen incompetent in-house security staff, as well. - Too busy driving to stop for gas! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF password rules
Serenity schriebam 26.04.2010 16:47: SETR PASSWORD( RULE1( LENGTH(8) ALPHANUM(1:8))) As I read it, this sets an 8 char password with an alphanumeric in any of the 8 positions. I'd like to require at least one numeric, but in any position. Can this be done without an exit? As others already mentioned, the rule I proposed requires 8-char. passwords with at least one alphabetic and one numeric character. The letters and digits can be in any position of the password, but there must be at least one of each. Basically, it allows any combination of seven letters with one digit to one letter with seven digits and anything in-between. This may not be exactly what you're looking for, but it is a nit to implement in comparison with writing, installing and maintaining a new-password exit in RACF. If you also want to allow 7-char. passwords, add the following additional rule: SETR PASSWORD( RULE2( LENGTH(7) ALPHANUM(1:7))) But remember that allowing 7-char. passwords in addition to 8-char. passwords is unlikely to improve your security: the total no. of possible passwords increases just marginally but your users might opt for the easiest way out and use the shorter passwords to a large proportion. -- Ulrich Boche SVA GmbH, Germany IBM Premier Business Partner -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: How many mainframes are there?
I missed both operations and applications programming. I was a field engineer when the division took over responsibility for maintenance of OS/360. They sent a couple hundred of us who scored well on the programmer's aptitude test to Poughkeepsie, where we spent six months learning assembler, JCL, utilities, dump reading, the hardware and software architecture of the 360 and OS/360 (PCP). Afterwards, we were assigned to several different system programming groups in the Poughkeepsie lab for the remainder of our 2 years there. At the end, we were to return to the field as Program Support Reps (PSRs). Instead, I stayed in Poughkeepsie as an instructor at the Field Engineering education center where I taught OS/360. BDAM and ISAM internals for the next 3 years. I then moved back to the lab just in time to join the MVS design team (1971). There were others I recall who took similar paths from FE to sysprogs, some of whom were also involved in MVS design or development for its first release. Mike Myers Mentor Services Corporation On 4/12/2010 10:40 AM, Greg Shirey wrote: An instructor from Verhoef made the observation in a class I attended that he had never met a mainframe systems programmer whose first job was as a systems programmer, and his students invariably would say that they were invited to become a systems programmer. So, he always said Welcome to the club when someone in his class would admit that they'd just begun as a systems programmer. Greg Shirey Ben E. Keith Co. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Jim Marshall Sent: Sunday, April 11, 2010 6:34 PM To: IBM-MAIN@bama.ua.edu Subject: Re: How many mainframes are there? If you want to consider this a club, then no one admits you. snip -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
Who cares if there is decent logging in place. I also have a banking background (amongst others), and there were situations where I preferred not to have code fail unnecessarily. Particularly exits that were checking using some elses ACEE. ISTR ACF2 made this more do-able than RACF. No news there - happened often when I had to dabble in ACF2 exits (some time ago). Shane ... On Sat, May 1st, 2010 at 11:01 PM, Ted MacNEIL eamacn...@yahoo.ca wrote: Coming from a Banking background, I believe a user should not have the ability to check beforehand. That's a security exposure, because the user may find something that they normally wouldn't. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
On Sat, 1 May 2010 13:01:24 +, Ted MacNEIL wrote: wants away to check security. Coming from a Banking background, I believe a user should not have the ability to check beforehand. That's a security exposure, because the user may find something that they normally wouldn't. I was hoping someone would point that out. Or, any attempt to check security with a negative reply should trigger the same security alerts as an attempted intrusion. This renders moot the FAQ, How can I check security without raising intrusion alerts? The same should apply to Joel Ewing's suggestion of using a JCL checker. And both are susceptible to TOCTTOU inaccuracies as well as not accounting for the actions of user exits. Also, don't blame it on out-sourcing. I've seen incompetent in-house security staff, as well. I took the OP's concern to be not new security staff but new JCL coding and batch administration staff. And the primary motive to be avoiding termination of production jobs after partial completion. Does RACF or any alternative have not only a WARN but also a WARN and EXPLAIN mode that can tell an auditor what rule was operative in the final disposition of an access request? This should be equally effective whether access is granted or denied -- suppose a conscientious programmer reports that he inadvertently accessed a resource to which he believes that he (and his peers) should have no access. Can security admin easily determine what rule (or absence of rule) allowed the access? I had this problem with an ISV security product. I reported to the admin: The outcome of an attempted access was not what I wanted or expected. How can we determine what rule was operative? Well, you can review all security rules [to many of which rules I properly had no access], and infer which one operated. Unsatisfactory answer, albeit factually true. -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TBDISPL, TBSORT, TBSCAN
Thanks for the help Alan, working the way I want it to now. --Dave -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
LOGONHERE with TSO/E for z/OS V1R11 (Was: tso session timeout)
zMan As John Chase indicated you need to be using z/OS V1R11 or later in order to benefit from so-called logonhere support - just like VM has had for ages and ages. This TSO/E enhancement did get covered thoroughly in a post not so long ago: Re: TSO reconnect (ikjefln2) reject by RACF From: Chris Mason chrisma...@belgacom.net Reply-To: IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU Date: Tue, 23 Feb 2010 15:03:06 -0600 Chris Mason On Fri, 30 Apr 2010 10:29:02 -0400, zMan zedgarhoo...@gmail.com wrote: On Fri, Apr 30, 2010 at 9:04 AM, Graeme Gibson gra...@ase.com.au wrote: Does the TSO session timeout get its value from SMFPRM00 JWT(0030) Which reminds me: I work remotely a lot, and if my connectivity burps, I get disconnected. Sometimes TSO notices, and when I reconnect I get reconnected (or it starts my session over, if I don't do it fast enough). Other times, I get ALREADY LOGGED ON and have to wait a while (or logon as another privileged ID and Cancel myself). Is there a better way? On z/VM I'd do a LOGON HERE. Is there some way to make TSO notice that I'm not there? Thanks in advance. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF and MQ
The z/OS 1.12 preview announcement letter states the following: SDSF is designed to support displaying information about printers for JES3, and to eliminate the requirement for WebSphere® MQ when displaying JES2 MAS-wide data on the initiator panel for JES2 once all systems in the MAS are at z/OS V1.12 JES2. Also, displaying MAS-wide data on the printer panel for JES2 is planned not to require WebSphere MQ when all systems in the JES2 MAS are at or above z/OS V1.11 JES2. - Don Imbriale On Fri, Apr 30, 2010 at 12:32 PM, Richards, Robert B. robert.richa...@opm.gov wrote: My boss asked if I could canvass this esteemed group as to whether or not it still makes sense to implement the MQ portion of SDSF. We are z/OS 1.10 going to either 1.11 or 1.12. I've never implemented it before and am wondering if I should. All replies are greatly appreciated. Bob - Robert B. Richards(Bob) US Office of Personnel Management 1900 E Street NW Room: BH04L Washington, D.C. 20415 Phone: (202) 606-1195 Email: robert.richa...@opm.govmailto:robert.richa...@opm.gov - -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
Way back when we converted to RACF from Top Secret we received a number of requests, often from dis-belief that access was still there. What we did to quickly check that USER1 had access to the HLQ1.NODE2.WHATEVER.** (the user was connected to multiple groups that made checking timeconsuming) was: 1. rdef a surrogat profile USER1.submit and permit ourselves to it. 2. run a batch job as user=USER1 that would attempt to allocate HLQ1.NODE2.WHATEVER.TESTRACF.FILE. 3. run another job to load a record into said file. 4. run another job to delete the file. Any failures would have created ICH408I messages. Users (and auditors who never seem to understand zOS) iked this approach because it creates its own proof of access. I then cobbled up something similar to test CICS transactions via a product we had that runs CICS transactions in batch. DB2 tables can be likewise tested. Simple, and the price is right. -Original Message- From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Joel C. Ewing Sent: Saturday, May 01, 2010 7:46 AM To: IBM-MAIN@bama.ua.edu Subject: Re: RACF - Any way to find out before hand what the user's access is to a file On 04/30/2010 07:43 PM, Edward Jaffe wrote: Stocker, Herman wrote: To answer the why needed question: On occasion security has stated that access has been given only later to find out that the incorrect access was granted or not granted at all. Causing jobs to fail and time to be lost, therefore the user wants away to check security. One of the problems of outsourcing. Most if not all of the security packages in use these days support a warn mode of operating for select profiles. But WARN also means any resources protected by that profile are not actually protected but can be accessed by anyone, only that the questionable access is logged after the fact as an attempt that would have been prevented had WARN not be in place. This may be useful in a shop that is turning on RACF restrictions for a new class of resources and wants to fix any major problems before going live, but is not something you would want to do in a production environment for types of resources that have always been restricted (and that you have assured to auditing to be restricted). In native RACF the LD command is probably the closest you can come. If you have access via a dataset profile, it will give you the level of access. If you don't have access (and are not RACF SPECIAL or AUDITOR), it won't tell you anything useful (from which you can conclude you don't have any access). Some vendor JCL checker Utilities (like JobScan) also have a mode of operation (with additional overhead) where they will check RACF authority to datasets referenced in the JCL. If you had one of these you could construct some dummy JCL that implies the required access to the datasets in question and use the JCL checker to verify access. Joel C Ewing -- Joel C. Ewing, Fort Smith, ARjremoveccapsew...@acm.org -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF and MQ
When did JES3 work with SDSF? What year and what MVS release? I remember the shock when I left a JES2 shop in the mid 80's and went to a JES3 shop and I couldn't use SDSF. The horror! I had to use the ISPF output command. I took 2 JES3 classes the year I was there. The JES3 internals class was the the only IBM class that I couldn't figure out. Each day of the class seemed to get more confusing. I'm glad SDSF is now available for JES3. Eric Bielefeld Sr. Systems Programmer IBM Global Services Division Dubuque, Iowa 414-477-7259 - Original Message - From: Don Imbriale don.imbri...@gmail.com Newsgroups: bit.listserv.ibm-main To: IBM-MAIN@bama.ua.edu Sent: Saturday, May 01, 2010 11:09 AM Subject: Re: SDSF and MQ The z/OS 1.12 preview announcement letter states the following: SDSF is designed to support displaying information about printers for JES3, and to eliminate the requirement for WebSphere® MQ when displaying JES2 MAS-wide data on the initiator panel for JES2 once all systems in the MAS are at z/OS V1.12 JES2. Also, displaying MAS-wide data on the printer panel for JES2 is planned not to require WebSphere MQ when all systems in the JES2 MAS are at or above z/OS V1.11 JES2. - Don Imbriale -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF and MQ
z/OS 1.10 Link: http://www-01.ibm.com/common/ssi/rep_ca/6/897/ENUS208-186/ENUS208-186.PDF Birger Heede who has lost his z/OS access On 01-05-2010 18:28, Eric Bielefeld wrote: When did JES3 work with SDSF? What year and what MVS release? I remember the shock when I left a JES2 shop in the mid 80's and went to a JES3 shop and I couldn't use SDSF. The horror! I had to use the ISPF output command. I took 2 JES3 classes the year I was there. The JES3 internals class was the the only IBM class that I couldn't figure out. Each day of the class seemed to get more confusing. I'm glad SDSF is now available for JES3. Eric Bielefeld Sr. Systems Programmer IBM Global Services Division Dubuque, Iowa 414-477-7259 - Original Message - From: Don Imbriale don.imbri...@gmail.com Newsgroups: bit.listserv.ibm-main To: IBM-MAIN@bama.ua.edu Sent: Saturday, May 01, 2010 11:09 AM Subject: Re: SDSF and MQ The z/OS 1.12 preview announcement letter states the following: SDSF is designed to support displaying information about printers for JES3, and to eliminate the requirement for WebSphere® MQ when displaying JES2 MAS-wide data on the initiator panel for JES2 once all systems in the MAS are at z/OS V1.12 JES2. Also, displaying MAS-wide data on the printer panel for JES2 is planned not to require WebSphere MQ when all systems in the JES2 MAS are at or above z/OS V1.11 JES2. - Don Imbriale -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
Some shops allow the use of an API to the security system in order to allow applications to determine if a user has access to a resource or not. This can be used to control application behaviour by limiting the data displayed or the actions available. To cite a trivial example, an application that normally opens a data set for update may instead open it for read-only if it can determine that the user does not have update access. This can reduce the number of security violations caused by an inadvertent attempt to update data. On Sat, May 1, 2010 at 09:01, Ted MacNEIL eamacn...@yahoo.ca wrote: wants away to check security. Coming from a Banking background, I believe a user should not have the ability to check beforehand. That's a security exposure, because the user may find something that they normally wouldn't. Also, don't blame it on out-sourcing. I've seen incompetent in-house security staff, as well. - Too busy driving to stop for gas! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
Some shops allow the use of an API to the security system in order to allow applications to determine if a user has access to a resource or not. This can be used to control application behaviour by limiting the data displayed or the actions available. That is a different situation. That is controlled access by a (hopefully) tested production application. The concern I was addressing was where the user attempts to find out if they have access before allocating resources, in an uncontrolled manner. - Too busy driving to stop for gas! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
On Sat, 1 May 2010 17:02:39 -0400 Don Leahy don.le...@leacom.ca wrote: :Some shops allow the use of an API to the security system in order to :allow applications to determine if a user has access to a resource or :not. This can be used to control application behaviour by limiting :the data displayed or the actions available. Very different. A windowing application should not present options that the end user cannot use. :To cite a trivial example, an application that normally opens a data :set for update may instead open it for read-only if it can determine :that the user does not have update access. This can reduce the number :of security violations caused by an inadvertent attempt to update :data. That is a bad design. If the user has access to the dataset he need not access via this application. If the data is application controlled a resource rather than DATASET should be used. -- Binyamin Dissen bdis...@dissensoftware.com http://www.dissensoftware.com Director, Dissen Software, Bar Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF - Any way to find out before hand what the user's access is to a file
On Sat, 1 May 2010 11:12:00 -0500, Tony wrote: 1. rdef a surrogat profile USER1.submit and permit ourselves to it. 2. run a batch job as user=USER1 that would attempt to allocate HLQ1.NODE2.WHATEVER.TESTRACF.FILE. 3. run another job to load a record into said file. 4. run another job to delete the file. Any failures would have created ICH408I messages. Simple, and the price is right. Does it identify the rule by which access was granted? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html