Re: Cloning a RACF user profile
Ituriel,

You may want to include the processing of 0205 User Group Connect Detail Records. By relying solely on 0102 records, you will miss any connections to Global groups. Perhaps what you could do is process the 0205 records first to create the group connects followed by the 0102 records to modify the connects with any AUTHORITY of other than USE.

Regards, Bob

Robert S. Hansel | 2008 RACF Training (January - July)
Lead RACF Specialist | Intro Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc. | Audit for Results - Boston - MAY 20-22
www.rshconsulting.com | 617-969-8211 | Visit our website for registration details

-----Original Message-----
Date: Mon, 24 Mar 2008 15:17:00 -0300
From: ITURIEL DO NASCIMENTO NETO [EMAIL PROTECTED]
Subject: RES: Cloning a RACF user profile

As suggested by someone, you can use SORT to generate the appropriate commands. I've built the following JCL, which you can use as a starting point for your needs.

... (snip)
//SORTOF4  DD DSN=SO.S1.RACF.REG102,DISP=(,CATLG),
//            UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
...
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0102',AND,
                  019,8,CH,EQ,C'USERID'),FILES=4,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
...
//CONNECT  EXEC PGM=SORT
//SYSOUT   DD SYSOUT=*
//SORTIN   DD DSN=SO.S1.RACF.REG102,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC FIELDS=(C' CONNECT ',
                 15,8,C'GROUP(',06,8,C') ',
                 C'OWNER(',06,8,C') ',
                 C'AUTHORITY(',24,8,C') ')
  END
...

Regards
Ituriel do Nascimento Neto
Banco Bradesco S/A
4254/DPCD Alphaville
Software Engineering - Mainframe Operating Systems
Tel: 55 11 4197-2021 Fax: 55 11 4197-2814

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
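Added example, not part of the original thread and not code from any poster: a Python version of the two-pass approach suggested above (0205 records first to create the connects, then 0102 records to set any AUTHORITY other than USE), which also lists the groups where the clone would receive more than USE. The 0102 columns follow the OUTREC positions in the quoted JCL; the 0205 columns, the user ID check, the helper names and the sample records are assumptions constructed for illustration.

```python
import re

# 0-based slices into IRRDBU00 records with the 4-byte RDW already stripped.
# 0102 offsets match the OUTREC positions in the JCL quoted above; the 0205
# offsets are an assumption (IBM's published layout); verify for your release.
F0102 = {"group": slice(5, 13), "user": slice(14, 22), "auth": slice(23, 31)}
F0205 = {"user": slice(5, 13), "group": slice(14, 22), "owner": slice(34, 42)}
USERID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")  # conservative check (assumption)

def _fields(line, layout):
    return {name: line[cols].strip() for name, cols in layout.items()}

def connects_for(lines, source_user):
    """Merge 0205 and 0102 records into {group: {"owner": ..., "auth": ...}}."""
    connects = {}
    # Pass 1: each 0205 record is one connection; start with authority USE.
    for line in lines:
        if line.startswith("0205"):
            f = _fields(line, F0205)
            if f["user"] == source_user:
                connects[f["group"]] = {"owner": f["owner"], "auth": "USE"}
    # Pass 2: a 0102 record, where present, supplies the recorded authority.
    for line in lines:
        if line.startswith("0102"):
            f = _fields(line, F0102)
            if f["user"] == source_user and f["auth"]:
                # No matching 0205: fall back to OWNER(group), as the JCL does.
                default = {"owner": f["group"], "auth": "USE"}
                connects.setdefault(f["group"], default)["auth"] = f["auth"]
    return connects

def clone_commands(lines, source_user, new_user):
    """Return (CONNECT commands for new_user, groups granted more than USE)."""
    if not USERID_RE.fullmatch(new_user):
        raise ValueError(f"not a valid user ID: {new_user!r}")
    connects = connects_for(lines, source_user)
    commands = [
        f"CONNECT {new_user} GROUP({g}) OWNER({c['owner']}) AUTHORITY({c['auth']})"
        for g, c in sorted(connects.items())
    ]
    review = sorted(g for g, c in connects.items() if c["auth"] != "USE")
    return commands, review

def rec0205(user, group, owner, date="2007-01-15"):
    return f"0205 {user:<8} {group:<8} {date:<10} {owner:<8}"

def rec0102(group, user, auth):
    return f"0102 {group:<8} {user:<8} {auth:<8}"

# Constructed sample unload (not real data). USER01 has no 0102 record for STAFF.
SAMPLE = [
    rec0205("USER01", "SYS1", "IBMUSER"),
    rec0205("USER01", "PAYROLL", "SECADM"),
    rec0205("USER01", "STAFF", "SECADM"),
    rec0205("USER02", "SYS1", "IBMUSER"),
    rec0102("SYS1", "USER01", "USE"),
    rec0102("PAYROLL", "USER01", "CONNECT"),
    rec0102("SYS1", "USER02", "JOIN"),
]

if __name__ == "__main__":
    cmds, review = clone_commands(SAMPLE, "USER01", "USER77")
    print("\n".join(cmds))
    print("Review before running:", ", ".join(review))
```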
Re: Cloning a RACF user profile
I use a rexx-based ISPF application from Nigel Pentland's: http://www.nigelpentland.co.uk/racf/index.htm

I find it handy and useful, it covers most of our cloning-IDs needs.

Walter Marguccio
z/OS Systems Programmer
Munich - Germany

----- Original Message -----
From: Stephen Y Odo [EMAIL PROTECTED]
To: IBM-MAIN@bama.ua.edu
Sent: Tuesday, 18 March, 2008 7:35:41 PM
Subject: Re: Cloning a RACF user profile

I use DBSYNC which can be used to read your IRRDBU00 output file and generates the necessary commands to re-build the database. I then edit the resulting REXX files to pull out the commands I need and edit then execute them.

You might get better responses from the RACF-L list ([EMAIL PROTECTED]).

--Stephen
Re: Cloning a RACF user profile
David,

That did the trick. A big thanks and a virtual beer to you. And thanks to the other responders, as always.

Jerry

On Mon, 17 Mar 2008 20:25:48 -0400, David Andrews [EMAIL PROTECTED] wrote:

> On Mon, 2008-03-17 at 17:26 -0500, Support, DUNNIT SYSTEMS LTD. wrote:
>> --- TSO/E LOGON --
>> IKJ56487I THE ACCOUNT NUMBER ACCT# HAS NOT BEEN AUTHORIZED FOR THIS USERID
>>
>> What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?
>
> RDEF ACCTNUM UACC(NONE)
> AU ... TSO(ACCTNUM()...)
> PE CL(ACCTNUM) ID()
> SETR REFR RACL(ACCTNUM)
>
> --
> David Andrews
> A. Duda and Sons, Inc.
> [EMAIL PROTECTED]
Re: Cloning a RACF user profile
> A big thanks and a virtual beer to you. And thanks to the other responders, as always.

> What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?

Being confronted with similar issue, I would like to know if indeed there is a sure-fire way of cloning a userid and all of its permissions from an existing one? How would one go about that?

Thanks,
Jantje.
Re: Cloning a RACF user profile
We're fortunate enough to have the Vanguard products which do this easily. I did write a process that read through the IRRDBU00 output for all instances of the user profile from which you wish to clone. Once the data is collected it's simple enough to create commands from the output. A 2 step dfsort job can do it all.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Jan MOEYERSONS
Sent: Tuesday, March 18, 2008 3:25 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Cloning a RACF user profile

> A big thanks and a virtual beer to you. And thanks to the other responders, as always.

> What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?

Being confronted with similar issue, I would like to know if indeed there is a sure-fire way of cloning a userid and all of its permissions from an existing one? How would one go about that?

Thanks,
Jantje.
Re: Cloning a RACF user profile
On Tue, 18 Mar 2008 03:25:05 -0500, Jan MOEYERSONS [EMAIL PROTECTED] wrote:

>> A big thanks and a virtual beer to you. And thanks to the other responders, as always.

>> What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?

> Being confronted with similar issue, I would like to know if indeed there is a sure-fire way of cloning a userid and all of its permissions from an existing one? How would one go about that?

The IBM Tivoli zSecure Admin product can clone users for you.

Alternatively, you can get the DBSYNC tool from the RACF Downloads page at http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html and with a bit of work it can do what you want. It will take as input the flat file generated by IRRDBU00, and then generate commands to recreate the database. From those commands, you could select all the commands that reference the existing user ID, and then change the ID to a new one, and run the commands. Then you'd have a user just like the original one, except for the password that you'd have to specify.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: Cloning a RACF user profile
On Tue, 18 Mar 2008 03:25:05 -0500, Jan MOEYERSONS [EMAIL PROTECTED] wrote:

> Being confronted with similar issue, I would like to know if indeed there is a sure-fire way of cloning a userid and all of its permissions from an existing one? How would one go about that?

Not that I know of, unless you have one of the ISV RACF admin products like BETA88, Vanguard, Consul/RACF (purchased by IBM, now Tivoli RACF admin).

That is one of the things I always liked about ACF2. You just copy a userid, or add a new one with the correct UID and everything works. Every shop I've ever been at (and I've been at a lot - especially when I was consulting), it was always a battle after my userid was added. A permit here, a permit there and eventually I got everything I needed.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: Cloning a RACF user profile
---snip---
Not that I know of, unless you have one of the ISV RACF admin products like BETA88, Vanguard, Consul/RACF (purchased by IBM, now Tivoli RACF admin).

That is one of the things I always liked about ACF2. You just copy a userid, or add a new one with the correct UID and everything works. Every shop I've ever been at (and I've been at a lot - especially when I was consulting), it was always a battle after my userid was added. A permit here, a permit there and eventually I got everything I needed.
---unsnip---

Mark, that's why I'm such a strong advocate of the use of user groups in RACF. Add the user, connect him to the right groups, and voila, you're done. And I always put an entry in the GLOBAL DATASET table such that he has ALTER access to datasets that start with his own userid.
Re: Cloning a RACF user profile
On Tue, 18 Mar 2008 08:49:09 -0500, Rick Fochtman [EMAIL PROTECTED] wrote:

> ---snip---
> Not that I know of, unless you have one of the ISV RACF admin products like BETA88, Vanguard, Consul/RACF (purchased by IBM, now Tivoli RACF admin).
>
> That is one of the things I always liked about ACF2. You just copy a userid, or add a new one with the correct UID and everything works. Every shop I've ever been at (and I've been at a lot - especially when I was consulting), it was always a battle after my userid was added. A permit here, a permit there and eventually I got everything I needed.
> ---unsnip---
>
> Mark, that's why I'm such a strong advocate of the use of user groups in RACF. Add the user, connect him to the right groups, and voila, you're done. And I always put an entry in the GLOBAL DATASET table such that he has ALTER access to datasets that start with his own userid.

Most shops use groups properly. But the connecting to the right groups is the part that is the problem. Some RACF admins have a template by job function or perhaps list an existing user and then connect the new user to those groups. But I don't see all users are created equally in the same job function in my experience.

I challenge you or anyone else on this list who can, to get a list of connect groups for their own userid and several sysprogs with the same job function. I'll bet you will find differences in many cases.

The same could happen with ACF2, but in my experience I don't see ACF2 rules being written down to the specific userid level in the UID string.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: Cloning a RACF user profile
The add on products make this effortless but it's really not that hard to develop yourself. We're doing this now regularly as part of a large Top Secret to RACF conversion. Conceptually one should know the layout of the unload file, IRRDBU00 or TSSCFILE (which are somewhat architecturally similar), find the records from which to clone, format the commands and apply them.

I have some of my old RACF to RACF cloning JCL still around somewhere, I'll go check my diskettes!

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Mark Zelden
Sent: Tuesday, March 18, 2008 8:34 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Cloning a RACF user profile

On Tue, 18 Mar 2008 03:25:05 -0500, Jan MOEYERSONS [EMAIL PROTECTED] wrote:

> Being confronted with similar issue, I would like to know if indeed there is a sure-fire way of cloning a userid and all of its permissions from an existing one? How would one go about that?

Not that I know of, unless you have one of the ISV RACF admin products like BETA88, Vanguard, Consul/RACF (purchased by IBM, now Tivoli RACF admin).

That is one of the things I always liked about ACF2. You just copy a userid, or add a new one with the correct UID and everything works. Every shop I've ever been at (and I've been at a lot - especially when I was consulting), it was always a battle after my userid was added. A permit here, a permit there and eventually I got everything I needed.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: Cloning a RACF user profile
In a message dated 3/18/2008 8:52:01 A.M. Central Daylight Time, [EMAIL PROTECTED] writes:

> Mark, that's why I'm such a strong advocate of the use of user groups in RACF. Add the user, connect him to the right groups, and voila, you're done.

Isn't it just easier to add USER002 model USER001 to Group User?

There used to be a TSOADD clist with SystemPAC that would add UADS and RACF ID's but don't think it used the model. Anyway think it was easily fixable.
Re: Cloning a RACF user profile
---snip---
Most shops use groups properly. But the connecting to the right groups is the part that is the problem. Some RACF admins have a template by job function or perhaps list an existing user and then connect the new user to those groups. But I don't see all users are created equally in the same job function in my experience.

I challenge you or anyone else on this list who can, to get a list of connect groups for their own userid and several sysprogs with the same job function. I'll bet you will find differences in many cases.

The same could happen with ACF2, but in my experience I don't see ACF2 rules being written down to the specific userid level in the UID string.
---unsnip---

True, there might be some differences. I've found that a simple LU command will tell me what groups to connect the new id into. Helps to keep adjustments to a minimum. :-)
Re: Cloning a RACF user profile
---snip---
The IBM Tivoli zSecure Admin product can clone users for you.

Alternatively, you can get the DBSYNC tool from the RACF Downloads page at http://www-03.ibm.com/servers/eserver/zseries/zos/racf/goodies.html and with a bit of work it can do what you want. It will take as input the flat file generated by IRRDBU00, and then generate commands to recreate the database. From those commands, you could select all the commands that reference the existing user ID, and then change the ID to a new one, and run the commands. Then you'd have a user just like the original one, except for the password that you'd have to specify.
---unsnip---

Walt, I've used that tool for exactly this purpose. I would suggest a single improvement: let me specify a single userid as a parm field and select out only records that contain that userid. Could save a LOT of edit time. Other than that, the tool works very well and I've been very pleased with the results. Feel free to share my Well Done with all involved in its development.
Re: Cloning a RACF user profile
Forgive me, Walt. I was referring to the DBSYNC tool.
Re: Cloning a RACF user profile
On Tue, 18 Mar 2008 11:08:14 -0500, Rick Fochtman [EMAIL PROTECTED] wrote:

> Forgive me, Walt. I was referring to the DBSYNC tool.

I figured that's what you meant, Rick :-) I'm glad you have found it useful.

I've thought about an enhancement such as you suggested, but have never taken the time to implement it. I'll put it on the list, though.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: Cloning a RACF user profile
I use DBSYNC which can be used to read your IRRDBU00 output file and generates the necessary commands to re-build the database. I then edit the resulting REXX files to pull out the commands I need and edit then execute them.

You might get better responses from the RACF-L list ([EMAIL PROTECTED]).

--Stephen
Re: Cloning a RACF user profile
Did you do PERMIT?

----- Original Message -----
From: Support, DUNNIT SYSTEMS LTD. [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@bama.ua.edu
Sent: Monday, March 17, 2008 5:26 PM
Subject: Cloning a RACF user profile

I'm using the RACF ISPF interface under z/OS 1.8 on our ADCD system. Duplicate all the settings from the system's main default user and I still get this:

--- TSO/E LOGON --
IKJ56487I THE ACCOUNT NUMBER ACCT# HAS NOT BEEN AUTHORIZED FOR THIS USERID
IKJ56429A REENTER -

Enter LOGON parameters below:
RACF LOGON parameters:

Userid === USER77
Password ===
New Password ===
Procedure === ISPFPROC
Group Ident ===
Acct Nmbr === ACCT#
Size ===
Perform ===
Command === ISPF

I did define that account number ACCT# in the user profile's TSO settings and that's exactly what the system's default userid has defined for its account, too.

What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?

TIA,
Jerry
Re: Cloning a RACF user profile
Have you checked general resource profile ACCTNUM in RACF?

David Logan
Product Manager, Pitney Bowes Software
http://centrus.com
4750 Walnut St, Suite 200
Boulder, CO 80301
W: (720) 564-3056
C: (303) 818-8222

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Support, DUNNIT SYSTEMS LTD.
Sent: Monday, March 17, 2008 4:26 PM
To: IBM-MAIN@bama.ua.edu
Subject: Cloning a RACF user profile

I'm using the RACF ISPF interface under z/OS 1.8 on our ADCD system. Duplicate all the settings from the system's main default user and I still get this:

--- TSO/E LOGON --
IKJ56487I THE ACCOUNT NUMBER ACCT# HAS NOT BEEN AUTHORIZED FOR THIS USERID
IKJ56429A REENTER -

Enter LOGON parameters below:
RACF LOGON parameters:

Userid === USER77
Password ===
New Password ===
Procedure === ISPFPROC
Group Ident ===
Acct Nmbr === ACCT#
Size ===
Perform ===
Command === ISPF

I did define that account number ACCT# in the user profile's TSO settings and that's exactly what the system's default userid has defined for its account, too.

What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?

TIA,
Jerry
Re: Cloning a RACF user profile
On Mon, 2008-03-17 at 17:26 -0500, Support, DUNNIT SYSTEMS LTD. wrote:

> --- TSO/E LOGON --
> IKJ56487I THE ACCOUNT NUMBER ACCT# HAS NOT BEEN AUTHORIZED FOR THIS USERID
>
> What am I doing wrong or what else needs to be done or is there a surefire way to clone a new userid from an existing one?

RDEF ACCTNUM UACC(NONE)
AU ... TSO(ACCTNUM()...)
PE CL(ACCTNUM) ID()
SETR REFR RACL(ACCTNUM)

--
David Andrews
A. Duda and Sons, Inc.
[EMAIL PROTECTED]