RRE™ - RACF ‘rules’ Enforcer

Purpose:

- To verify all RACF profiles against an HR/CD/ID system and vice versa.
- To verify all RACF profiles against a set of user-defined ‘rules’.
- To enforce naming conventions in a RACF environment without having to install any exits.
- To simplify and automate future audits.
- To reduce the immense costs of internal or external RACF audits.
- To keep HR/CD and RACF information in sync based on installation standards.
- To have better control over all RACF profiles.
- To be able to manage multiple clients.
- To verify SETROPTS settings.
- To verify IKJTSOXX settings (AUTHCMD, AUTHPGM, AUTHTSF, PLATPGM, PLATCMD, NOTBKGND).
- To verify PPT settings (SCHED=).
- To verify subsystems (SSN).
- To verify the SVC table.
- To verify LINKLIST settings and their RACF protection.
- To verify APFLIST settings and their RACF protection.
- To verify LPALIST settings and their RACF protection.
- To verify CATALOG settings and their RACF protection.
- To verify SMF datasets and their RACF protection.
- To verify user datasets and their RACF protection.

 

Most RACF installations no longer know why certain user-Ids are connected to various RACF group-Ids. Even when installations utilize a corporate directory (ID, CD or HR), it never matches the RACF environment 100%. Ownership of profiles is not up to date either.

Especially large corporations with many decentralized RACF administrators face the immense problem of enforcing standards. Manually controlling such RACF environments is almost impossible. Home-grown tools are in many cases no solution to this well-known problem either.

 

 

This batch facility helps every RACF installation to verify corporate directories versus RACF.  It lists all inconsistencies and generates the necessary RACF commands to alter/delete RACF profile information.

 

RRE consists of two parts:

- CD/ID/HR verification against RACF and vice versa
- Rules checking for RACF group, user (incl. connects), dataset and general resource profiles

 

 

DEB$SW1H  -  CD/HR vs RACF verification

Purpose:

- Verify the HR/CD (corporate directory) against RACF and vice versa.

 

 

Note: It is the responsibility of each user to verify any generated RACF commands (e.g. commands that alter or delete user-Ids) before executing them.

 

 

JCL required to run DEB$SW1H

Run the following JCL (refer to the RA2002.SAMPLIB member DEB$SW1H) to create the verification reports:

//RREVERIF   EXEC PGM=DEB$SW1H
//STEPLIB    DD   DISP=SHR,DSN=RA2002.LINKLIB
//*
//* INPUT FILES
//*
//IRRI0200   DD   DISP=SHR,DSN=your.IRRDBU.IRRI0200.VB(0)
//HRSI0200   DD   DISP=SHR,DSN=your.MYCORP.HRS
//*
//* HRS RELATED INFORMATION (ALL HR IDS AND THEIR MISSING IDS IN RACF)
//*
//VERHRLST   DD SYSOUT=*   * HR HRSI0200 USERIDS LISTED "ASIS"
//VERHRMIS   DD SYSOUT=*   * HR USERIDS NOT FOUND IN RACF
//*
//* RACF RELATED INFORMATION (ALL RACF UIDS AND THEIR MISSING HR UIDS)
//*
//VERPRINT   DD SYSOUT=*   * PRINT +VERIFY CONTROL STATEMENTS
//VERRALST   DD SYSOUT=*   * RACF IRRI0200 USERIDS LISTED "ASIS"
//VERRAMIS   DD SYSOUT=*   * RACF LIST ALL MISSING USERIDS IN "HR"
//VERRANEV   DD SYSOUT=*   * RACF LIST ALL USERIDS NEVER USED "ASIS"
//VERRAREV   DD SYSOUT=*   * RACF LIST ALL REVOKED USERIDS
//VERRAOPR   DD SYSOUT=*   * RACF LIST ALL OPER/SPECIAL USERIDS  "ASIS"
//VERRAPRO   DD SYSOUT=*   * RACF LIST ALL PROTECTED USERIDS "ASIS"
//VERRCDEL   DD SYSOUT=*   * RACF DELETE ALL USERIDS NOT FOUND IN "HR"
//VERRCREV   DD SYSOUT=*   * RACF REVOKE ALL USERIDS NOT FOUND IN "HR"
//VERRCALT   DD SYSOUT=*   * RACF ALU    ALL USERIDS NOT FOUND IN "HR"
//VERINPUT   DD *          * FILTER CRITERIA FOR "HR" AND "RACF"
*
*OPTIONS HEADING=YES,PROTECTED=YES,REVOKE=YES,
*SPECIAL=YES,OPERATIONS=YES
+OPTIONS HEADING=YES
+VERIFY_INCLUDE USERID=@*,DFLTGRP=*,OWNER=STD*
*VERIFY_EXCLUDE USERID=*,DFLTGRP=*,OWNER=RACF*

 

 

How to build your own //HRSI0200 file

RRE does not know any of your HR/CD/ID systems, as they do not reside on the IBM host. You can build the //HRSI0200 input file via REXX and LDAP searches.

The //HRSI0200 file must have the same record format as IBM's IRRDBU00 output: RECFM=VB, LRECL=4096.

The record layout of the first two fields (record type and user-ID) is the same as that of the IBM IRRDBU00 user record type 0200.

 

Extract from your HR (human resources system), CD (corporate directory) or ID (identity management) system the user-Ids which must have a RACF user-ID. Use REXX/LDAP, or FTP the data to the host, and modify the host file to have the following format:

Positions   Field         Content
---------   -----------   -----------------------------------------------------------------
1 - 4       record type   0200 (fixed value)
6 - 13      User-ID       e.g. IBMUSER
15 - 22     Status        ENABLED or DISABLED (ENABLED = active, DISABLED = REVOKED/inactive)


REXX/LDAP sample on how to build your own //HRSI0200 file

RRE does not know any of your HR/CD/ID system(s), as they do not reside on the IBM host. You can build the //HRSI0200 input file via REXX and LDAP searches, e.g. by using an LDAP search to obtain your data:

REXX LDAP sample:

/* REXX */
/* Build the //HRSI0200 input file with an LDAP search (GLDSRCH)   */
host   = 'xxx.ch.swisscom.com'        /* LDAP server                */
portid = 389                          /* LDAP port                  */

/* search base, filter and the attributes to return                 */
ldap_o = "cn=RACF,cn=TargetSystems,cn=Intranet",
         "cn=* objectclass=* dxrState dxrTSState"
/*                                                         */
/* -D binddn     bind dn                                   */
/* -w passwd     bind passwd ([password] is a placeholder) */
/* -s scope      one of base, one, or sub (search scope)   */
/* -l 120        time limit in seconds                     */
/* >DD:HRSI0200  write the search result to the DD name    */
/*                                                         */
'GLDSRCH / -h 'host '-p 'portid' -l 120 -s sub',
 '-D cn=XRZP001,cn=Users,cn=Intranet -w [password] -b 'ldap_o' >DD:HRSI0200'
If RC /= 0 Then Do
   Say 'GLDSRCH ended with return code = 'RC
End
Exit RC

 

 

Filter Control Statements (//VERINPUT DD ) 

 

HR/CD verification against RACF and vice versa

 

The following control statements can be utilized to obtain the necessary HR versus RACF verification reports (DDname //VERINPUT):

Verb: *
   Keywords: N/A
   Comment line.
   Default: N/A

Verb: +OPTIONS (only one statement allowed)
   HEADING=YES or NO
      Print headings (title lines). Default: YES
   PROTECTED=YES, NO or blank (the keyword is not required)
      Select only "RACF" user-Ids from //IRRI0200 DD DSN= marked as protected. This keyword is ignored by the selection process for //HRSI0200 records. Default: N/A
   REVOKE=YES, NO or blank (the keyword is not required)
      Select only "RACF" user-Ids from //IRRI0200 DD DSN= marked as revoked. This keyword is ignored by the selection process for //HRSI0200 records. Default: N/A
   SPECIAL=YES, NO or blank (the keyword is not required)
      Select only "RACF" user-Ids from //IRRI0200 DD DSN= marked as special. This keyword is ignored by the selection process for //HRSI0200 records. Default: N/A
   OPERATIONS=YES, NO or blank (the keyword is not required)
      Select only "RACF" user-Ids from //IRRI0200 DD DSN= marked as operations. This keyword is ignored by the selection process for //HRSI0200 records. Default: N/A

Verb: +VERIFY_INCLUDE (as many +VERIFY_ statements as required may be defined; make sure the region size is sufficient, e.g. REGION=0M)
   USERID=
      Select a user-ID. Generic IDs are supported, including '?' as substitution character. Only the user-ID is compared against the //HRSI0200 input file. Default: blanks = all
   DFLTGRP=
      Select a default group-ID. Generic IDs are supported, including '?' as substitution character. Default: blanks = all
   OWNER=
      Select an owner-ID. Generic IDs are supported, including '?' as substitution character. Default: blanks = all

Verb: +VERIFY_EXCLUDE
   Note: the same rules apply as for the +VERIFY_INCLUDE verb.

 

Note:

  1. All records matching a "+VERIFY_" statement will be included or excluded. Input to the verification process are //HRSI0200 and //IRRI0200 (the RACF database unloaded in IBM's IRRDBU00 format). Only record type 0200 will be processed. The include process is performed first. An exclude of USERID=* is ignored for all //HRSI0200 records.
  2. The compare is done with all keywords except for the //HRSI0200 file. This file must have the same format as IRRI0200 (IRRDBU00), whereby the tool checks only the record type 0200 at positions 1-4 and the user-ID at positions 6-13.
  3. The //HRSI0200 file must be built by the customer, because each customer has their own HR or CD system in place. Currently only the first 13 positions (record type and user-ID) are checked.

 

 

Sample:

//VERINPUT   DD *
*
+OPTIONS HEADING=YES
+VERIFY_INCLUDE USERID=@*,DFLTGRP=*,OWNER=mix*
+VERIFY_INCLUDE USERID=$*,DFLTGRP=*,OWNER=mAx*
*
+VERIFY_EXCLUDE USERID=*,DFLTGRP=*,OWNER=RACF*
+VERIFY_EXCLUDE USERID=*,DFLTGRP=HKROC,OWNER=TEST*
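As an added illustration (not RRE's own code) of the HRSI0200 record layout and of the include/exclude semantics in the notes and the sample above, the following Python script builds HRSI0200-style records from a constructed HR extract, keeps only ENABLED users (as the CDFILTER step in the later JCL sample does), parses the sample //VERINPUT deck and produces the two "missing" lists that VERHRMIS and VERRAMIS would report. The HR extract, the RACF user records (shown as already parsed from IRRDBU00 type 0200 records, with assumed DFLTGRP/OWNER values), the upper-casing of the patterns and the rule that an empty include list means "include all" are assumptions of the example; RRE itself inspects only positions 1-13 of the HR records.

```python
"""Added example (not RRE's code): build HRSI0200-style records from a constructed
HR extract and run the HR <-> RACF type-0200 comparison with the
+VERIFY_INCLUDE / +VERIFY_EXCLUDE semantics described in the notes above."""
import fnmatch  # '*' and '?' wildcards, the same substitution characters RRE's generic IDs use

# Constructed sample HR extract (user-ID, status); not real data.
HR_EXTRACT = [
    ("IBMUSER", "ENABLED"), ("@ALICE", "ENABLED"), ("@BOB", "DISABLED"),
    ("$CAROL", "ENABLED"), ("@NOSUCH", "ENABLED"), ("@DAVE", "ENABLED"),
]

# Constructed RACF user records, as if already parsed from IRRDBU00 type 0200
# records (DFLTGRP/OWNER values are assumptions made for this example).
RACF_USERS = [
    {"USERID": "IBMUSER", "DFLTGRP": "SYS1",  "OWNER": "IBMUSER"},
    {"USERID": "@ALICE",  "DFLTGRP": "DEV",   "OWNER": "MIXADM"},
    {"USERID": "@BOB",    "DFLTGRP": "DEV",   "OWNER": "MIXADM"},
    {"USERID": "$CAROL",  "DFLTGRP": "OPS",   "OWNER": "MAXADM"},
    {"USERID": "@DAVE",   "DFLTGRP": "HKROC", "OWNER": "TEST01"},
    {"USERID": "@EVE",    "DFLTGRP": "DEV",   "OWNER": "RACFADM"},
    {"USERID": "@FRANK",  "DFLTGRP": "DEV",   "OWNER": "OTHER"},
]

# The sample //VERINPUT deck from above (patterns upper-cased: RACF IDs are upper case).
VERINPUT = """\
*
+OPTIONS HEADING=YES
+VERIFY_INCLUDE USERID=@*,DFLTGRP=*,OWNER=MIX*
+VERIFY_INCLUDE USERID=$*,DFLTGRP=*,OWNER=MAX*
*
+VERIFY_EXCLUDE USERID=*,DFLTGRP=*,OWNER=RACF*
+VERIFY_EXCLUDE USERID=*,DFLTGRP=HKROC,OWNER=TEST*
""".splitlines()


def hrsi0200_record(userid, status):
    """Lay out one HRSI0200 record: '0200' in positions 1-4, user-ID in 6-13,
    status in 15-22 (1-based positions, blank separators)."""
    if not 1 <= len(userid) <= 8:
        raise ValueError(f"user-ID {userid!r} must be 1 to 8 characters")
    return f"0200 {userid:<8} {status:<8}"


def build_hrsi0200(extract):
    """Like the CDFILTER step in the JCL sample: keep only ENABLED users."""
    return [hrsi0200_record(u, s) for u, s in extract if s == "ENABLED"]


def parse_0200(line):
    """Read only what RRE checks: record type (positions 1-4) and user-ID (6-13)."""
    if line[0:4] != "0200":
        return None
    return {"USERID": line[5:13].strip()}


def parse_verinput(cards):
    """Collect +VERIFY_INCLUDE / +VERIFY_EXCLUDE keywords; '*' cards are comments."""
    includes, excludes = [], []
    for card in cards:
        text = card.strip()
        if not text or text.startswith("*"):
            continue
        verb, _, rest = text.partition(" ")
        kw = {}
        for item in rest.split(","):
            if "=" in item:
                key, value = item.split("=", 1)
                kw[key.strip().upper()] = value.strip().upper() or "*"  # blanks = all
        if verb.upper() == "+VERIFY_INCLUDE":
            includes.append(kw)
        elif verb.upper() == "+VERIFY_EXCLUDE":
            excludes.append(kw)
    return includes, excludes


def matches(rec, kw, keys):
    """A statement matches when every compared keyword pattern matches the record."""
    return all(fnmatch.fnmatchcase(rec.get(k, ""), kw.get(k, "*")) for k in keys)


def select(records, includes, excludes, keys, hr_side):
    """Include first, then exclude. For HR records only USERID is compared and an
    exclude with USERID=* or ** is ignored, as the notes state. With no include
    statement at all, everything is included (an assumption of this example)."""
    if hr_side:
        excludes = [e for e in excludes if e.get("USERID", "*") not in ("*", "**")]
    chosen = []
    for rec in records:
        if includes and not any(matches(rec, inc, keys) for inc in includes):
            continue
        if any(matches(rec, exc, keys) for exc in excludes):
            continue
        chosen.append(rec)
    return chosen


def verify(hr_lines, racf_users, cards):
    """Return the two 'missing' lists that VERHRMIS and VERRAMIS would report."""
    includes, excludes = parse_verinput(cards)
    hr_recs = [r for r in map(parse_0200, hr_lines) if r]
    hr_ids = {r["USERID"] for r in select(hr_recs, includes, excludes, ("USERID",), True)}
    racf_ids = {r["USERID"] for r in
                select(racf_users, includes, excludes, ("USERID", "DFLTGRP", "OWNER"), False)}
    return {"VERHRMIS": sorted(hr_ids - racf_ids), "VERRAMIS": sorted(racf_ids - hr_ids)}


if __name__ == "__main__":
    for ddname, ids in verify(build_hrsi0200(HR_EXTRACT), RACF_USERS, VERINPUT).items():
        print(ddname, ids)
```

With the sample deck, @DAVE ends up in VERHRMIS although RACF knows the ID: the second +VERIFY_EXCLUDE drops it on the RACF side (DFLTGRP=HKROC, OWNER=TEST*) while the same exclude is ignored for the HR side because of USERID=*, which is exactly the "your +VERIFY_ verbs have excluded these IDs" case the DDNAME descriptions mention. @BOB is DISABLED in HR and so never reaches the HR file, which makes it show up in VERRAMIS.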

 

 

 

 

DDNAMES related to the HR/CD and RACF verification process

DDNAME    Description
--------  --------------------------------------------------------------------------------
VERINPUT  Input file - control statements.
VERPRINT  Print file - lists all //VERINPUT control statements. If an error occurred, review this output.
VERHRLST  Print file - lists all //HRSI0200 records unfiltered, "as is".
VERHRMIS  Print file - lists all user-Ids from the //HRSI0200 file which could not be found in RACF. This means you have defined user-Ids in your HR or CD which simply do not exist in RACF, or your +VERIFY_ verbs have excluded these IDs.
VERRALST  Print file - lists all //IRRI0200 records unfiltered, "as is".
VERRAMIS  Print file - lists all user-Ids from the //IRRI0200 file which could not be found in HR/CD. This means you have defined user-Ids in RACF which simply do not exist in the HR/CD, or your +VERIFY_ verbs have excluded these IDs.
VERRANEV  Print file - lists unfiltered all RACF user-Ids which 'never' logged on (= never used).
VERRAREV  Print file - lists unfiltered all RACF user-Ids which have the status 'revoked'.
VERRAOPR  Print file - lists unfiltered all RACF user-Ids which have the attribute 'operations' and/or 'special'.
VERRAPRO  Print file - lists unfiltered all RACF user-Ids which have the attribute 'protected'.
VERRCDEL  RACF command file (DCB=(RECFM=FB,LRECL=80)) - contains RACF delete user-ID commands for user-Ids not found in //HRSI0200. It is up to each installation to decide what to do with user-Ids not found in the HR/CD system.
VERRCREV  RACF command file (DCB=(RECFM=FB,LRECL=80)) - contains RACF ALTUSER REVOKE user-ID commands for user-Ids not found in //HRSI0200. It is up to each installation to decide what to do with user-Ids not found in the HR/CD system.
VERRCALT  RACF command file (DCB=(RECFM=FB,LRECL=80)) - contains RACF ALTUSER OWNER(new_ID) DFLTGRP(new_ID) REVOKE user-ID commands for user-Ids not found in //HRSI0200. It is up to each installation to decide what to do with user-Ids not found in the HR/CD system. The user must modify the generated control statements accordingly.

 

 

Output Samples:

//VERHRLST lists all HR/CD entries ‘as is’:

********************************* TOP OF DATA *************************************************************************************

DEB$SW15-10 HR USER-IDS ENTRIES AS IS (ALL)              ALS(C) V3R4M0 07/03/05 12.33  RACF VERS 2608                PAGE:         1

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:10:01

USERID   INFORMATION (ERROR MESSAGES ETC.)                                                                                         

-------- -------------------------------------------                                                                               

VOGEL                                                                                                                              

TRXUMO                                                                                                                             

 

DEB$SW15-10 HR USER-IDS ENTRIES AS IS (ALL)              ALS(C) V3R4M0 07/03/05 12.33  RACF VERS 2608                PAGE:       213

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:10:01

USERID   INFORMATION (ERROR MESSAGES ETC.)                                                                                         

-------- -------------------------------------------                                                                                

                                                                                                                                   

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS READ     :         10.553                                                                            

                                                                                                                                    

 

//VERHRMIS lists all HR/CD entries missing in RACF based on the filter criteria:

********************************* TOP OF DATA *************************************************************************************

DEB$SW17-10 HR USER-IDS MISSING IN THE "RACF" SYSTEM(S)  ALS(C) V3R4M0 07/03/05 12.34  RACF VERS 2608                PAGE:         1

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:14:17

USERID   INFORMATION (ERROR MESSAGES ETC.)                                                                                          

-------- -------------------------------------------                                                                               

ARM3SE                                                                                                                              

ART3SS                                                                                                                             

 

DEB$SW17-10 HR USER-IDS MISSING IN THE "RACF" SYSTEM(S)  ALS(C) V3R4M0 07/03/05 12.34  RACF VERS 2608                PAGE:         2

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:14:17

USERID   INFORMATION (ERROR MESSAGES ETC.)                                                                                         

-------- -------------------------------------------                                                                                

                                                                                                                                   

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS VERIFIED :         10.552                                                                            

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS MISSING  :             23                                                                            

                                                                                                                                    

 

//VERPRINT lists all filter statements:

VERPRINT-10 CONTROL STATEMENTS (COMPARE HR:RACF AND RACF:HR)       ALS(C) V3R4M0 07/03/05 12.40   RACF VER:2608      PAGE:         1

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:10:01

                                                                                                                                   

CONTROL CARD(S) READ VIA //VERINPUT                                      ERROR MESSAGE                                              

------------------------------------------------------------------------ -------------------------------------------------         

                                                                                                                                    

*                                                                                                                                  

*OPTIONS HEADING=YES,PROTECTED=YES,REVOKE=YES,                                                                                      

*SPECIAL=YES,OPERATIONS=YES                                                                                                        

+OPTIONS HEADING=YES                                                                                                                

+VERIFY_INCLUDE USERID=@*,DFLTGRP=*,OWNER=STD*                                                                                     

+VERIFY_EXCLUDE USERID=*,DFLTGRP=RACFTUID,OWNER=*                                                                                   

                                                                         >-- EXCLUDE OF "*" OR "**" FOR USERID=  WILL BE IGNORED.  

                                                                          THIS RESTRICTION APPLIES ONLY TO "HR" DATA               

 

//VERRALST lists all RACF user-IDs ‘as is’:

DEB$SW14-10 RACF IRRDBU00 TYPE 0200 USER RECORDS (ALL)   ALS(C) V3R4M0 07/03/05 12.33  RACF VERS 2608                PAGE:         1

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:10:01

USERID   USER NAME            AUTHDATE   OWNER    P S O R G ATTR DFLTGRP. LAST-LOGON TIME     INSTALLATION DATA                    

-------- -------------------- ---------- -------- - - - - - ---- -------- ---------- -------- --------------------------------------

FIATFIAT  Intercept           2000-07-17 MERCURY  N N N Y N      RACFCICS 2000-07-17 14:17:46 JDBC-access

Etc.

 

DEB$SW14-10 RACF IRRDBU00 TYPE 0200 USER RECORDS (ALL)   ALS(C) V3R4M0 07/03/05 12.33  RACF VERS 2608                PAGE:       284

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:10:01

USERID   USER NAME            AUTHDATE   OWNER    P S O R G ATTR DFLTGRP. LAST-LOGON TIME     INSTALLATION DATA                    

-------- -------------------- ---------- -------- - - - - - ---- -------- ---------- -------- --------------------------------------

                                                                                                                                   

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS READ      :        14.138                                                                            

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS PROTECTED :           820                                                                            

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS SPECIAL   :            10                                                                            

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS OPERATIONS:             3                                                                            

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS REVOKED   :         1.377                                                                            

                                                                                                                                    

===> TOTAL NUMBER OF USER-IDS NEVER USED:           931                                                                            

 

 

//VERRAMIS lists all RACF user-IDs missing in HR/CD (HRSI0200) based on the filter criteria:

DEB$SW16-10 RACF USER-IDS MISSING IN THE "HR" SYSTEM(S)  ALS(C) V3R4M0 07/03/05 12.34  RACF VERS 2608                PAGE:         1

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:14:16

USERID   USER NAME            AUTHDATE   OWNER    P S O R G ATTR DFLTGRP. LAST-LOGON TIME     INFORMATION (ERROR MESSAGES ETC.)    

-------- -------------------- ---------- -------- - - - - - ---- -------- ---------- -------- --------------------------------------

AGR100   Mike Norton          2005-05-20 TETRAPAK N N N N N      TETRAPAK                     ? NO DESCRIPTION                     

                                                                                              USER NEVER LOGGED ON                 

MILE07   LEADS Bill           2005-05-24 TETRAPAK N N N N N      TETRAPAK                     ? NO DESCRIPTION                     

 

                                                                                              PROTECTED USER                       

DEB$SW16-10 RACF USER-IDS MISSING IN THE "HR" SYSTEM(S)  ALS(C) V3R4M0 07/03/05 12.34  RACF VERS 2608                PAGE:        43

                                                                                                                     DATE:2005-07-06

            JOBNAME :XRZP001S STEPNAME:RA2VERIF PROCNAME:                                                            TIME:   8:14:16

USERID   USER NAME            AUTHDATE   OWNER    P S O R G ATTR DFLTGRP. LAST-LOGON TIME     INFORMATION (ERROR MESSAGES ETC.)    

-------- -------------------- ---------- -------- - - - - - ---- -------- ---------- -------- --------------------------------------

                                                                                                                                    

                                                                                                                                   

===> TOTAL NUMBER OF USER-IDS VERIFIED  :        12.287                                                                             

                                                                                                                                   

===> TOTAL NUMBER OF USER-IDS MISSING   :         1.754                                                                             

                                                                                                                                   

===> TOTAL NUMBER OF USER-IDS PROTECTED :            20                                                                             

                                                                                                                                   

===> TOTAL NUMBER OF USER-IDS SPECIAL   :            10                                                                             

                                                                                                                                   

===> TOTAL NUMBER OF USER-IDS OPERATIONS:             0                                                                             

                                                                                                                                   

===> TOTAL NUMBER OF USER-IDS REVOKED   :         1.166                                                                            

                                                                                                                                   

 

 

Sample: creating a PDF and e-mailing it

The XMITIP program used to create the PDF is public domain and is not included on the product CD/tape:

//GETUSER   EXEC PGM=IKJEFT1B,DYNAMNBR=200
//SYSEXEC   DD   DISP=SHR,DSN=FERRARI.REXX.LIB
//SYSTSPRT  DD   SYSOUT=*
//HRSI0200  DD   DISP=(,PASS),DSN=&&TEMP,LRECL=80,RECFM=FB
//SYSTSIN   DD   *
%CDSEARCH
/*
//*
//* FILTER THE USERS (ONLY ENABLED ONES) AND OUTPUT '0200' RECORDS
//*
//FILTER    EXEC PGM=IKJEFT1B,COND=(0,LT),DYNAMNBR=200
//SYSEXEC   DD   DISP=SHR,DSN=FERRARI.REXX.LIB
//HRSI0200  DD   DISP=(,PASS),DSN=&&TEMP2,LRECL=4096,RECFM=VB
//INPUT     DD   DSN=&&TEMP,DISP=(OLD,DELETE,DELETE)
//SYSTSPRT  DD   SYSOUT=*
//SYSTSIN   DD   *
%CDFILTER
/*
//RA2VERIF  EXEC PGM=DEB$SW1H,COND=(0,LT)
//STEPLIB   DD   DISP=SHR,DSN=RA2002.LINKLIB
//*
//* INPUT FILES
//*
//IRRI0200  DD   DISP=SHR,DSN=RA2.IRRDBU.IRRI0200.VB(-0)
//HRSI0200  DD   DSN=&&TEMP2,DISP=(OLD,DELETE,DELETE)
//*
//* HRS RELATED INFORMATION (ALL HR IDS AND THEIR MISSING IDS IN RACF)
//*
//VERHRLST  DD   SYSOUT=*   * HR HRSI0200 USERIDS LISTED "ASIS"
//VERHRMIS  DD   DISP=(,PASS),DSN=&&VERHRMIS
//*
//* RACF RELATED INFORMATION (ALL RACF UIDS AND THEIR MISSING HR UIDS)
//*
//VERINPUT  DD   DISP=SHR,DSN=RA2002.RULEDATA(R001VER)
//VERPRINT  DD   SYSOUT=*   * PRINT +VERIFY CONTROL STATEMENTS
//VERRALST  DD   SYSOUT=*   * RACF IRRI0200 USERIDS LISTED "ASIS"
//VERRAMIS  DD   DISP=(,PASS),DSN=&&VERRAMIS
//VERRANEV  DD   SYSOUT=*   * RACF LIST ALL USERIDS NEVER USED "ASIS"
//VERRAOPR  DD   SYSOUT=*   * RACF LIST ALL OPER/SPECIAL USERIDS "ASIS"
//VERRAPRO  DD   SYSOUT=*   * RACF LIST ALL PROTECTED USERIDS "ASIS"
//VERRAREV  DD   SYSOUT=*   * RACF LIST ALL REVOKED USERIDS "ASIS"
//*
//* USER RACF COMMANDS BASED ON VERIFICATION PROCESSING
//* - AN INSTALLATION MUST DECIDE WHAT TO DO WITH USERIDS NOT FOUND
//*   IN THE "HR" (HRSI0200) FILE.
//* - EITHER YOU DELETE, REVOKE AND OR ALTER THE USERIDS
//* - YOU MIGHT AS WELL CHANGE THE +VERIFY STATEMENTS TO EXCLUDE
//*   CERTAIN USERIDS
//*
//VERRCDEL  DD   SYSOUT=*   * RACF DELETE ALL USERIDS NOT FOUND IN "HR"
//VERRCREV  DD   SYSOUT=*   * RACF REVOKE ALL USERIDS NOT FOUND IN "HR"
//VERRCALT  DD   SYSOUT=*   * RACF ALU ALL USERIDS NOT FOUND IN "HR"
//* EMAIL ACCOUNTS THAT ARE IN CD (WITH RACF ROLE) BUT NOT IN RACF
//*
//EMAIL1    EXEC BATCHTMP
//TEMPDD    DD   DISP=(OLD,DELETE),DSN=&&VERHRMIS
//SYSIN     DD   *
 xmitip Marcel_Schmidt@swissCOM.com +
   subject 'CD to RACF verification - missing accounts in RACF' +
   from Marcel_Schmidt@swissCOM.com +
   msgds 'FERRARI.XMITIP.LIB(ivpmsg)' +
   filedd tempdd +
   format pdf/ds:'FERRARI.XMITIP.LIB(cdcfg)'
/*

 

Config for PDF:

* TXT2PDF Configuration File created on 8 Oct 2002 06:51:28 by %txt2pdfi
CC Yes
COMPRESS 9
ENCRYPT ST/FERRARI/cdteam/128/ne/nc
ORIENT  Landscape
PAPER A4/GreenBar/Holed
CONFIRM Yes
OUTLINE RC/0/3/5

 

 

 

 



DEB$SI10  -  RACF password verification

Purpose:

- Verify/test the RACF password rules.
- Some installations have to prove to corporate audit that the implemented RACF password rules really do work. To simplify this process a special program has been developed that allows an installation to test the password rules.

 

Password validation (NEWPASSW=) can be performed without having to know the current password. However, only authorized users can perform such a task. The following RACF profile(s) must be present:

RACF class   Resource profile (UACC=NONE)   Comment
----------   ----------------------------   -------
FACILITY     RA2SOX.DEB$SI13.userid

If the keyword PASSWORD= is missing on the +VERIFY statement, the selected RACF user-ID is resumed and its password set to a specific value. This is done so that the user-ID does not get revoked during testing: if you test password rules, there may be dozens of combinations you have to test.

 

Please note that the user-ID you have used becomes unusable concerning the PASSWORD. You must assign a new PASSWORD via the RACF ALU command.

We highly recommend utilizing a dedicated test user-ID to perform the validation process.

Note: When PASSWORD=x,NEWPASSW=y is used and fails n-1 times, the user-ID gets automatically revoked by RACF.

 

Note: Each failed attempt concerning the password validation will be listed:

09.22.12 JOB06972  ICH408I USER(E       ) GROUP(SYS     ) NAME(####################)
                     LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL
09.22.12 JOB06972  IRR013I  VERIFICATION FAILED. INVALID PASSWORD GIVEN.
09.22.12 JOB06972  ICH408I USER(C       ) GROUP(SYS1    ) NAME(####################)
                     LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT
09.22.12 JOB06972  ICH408I USER(XRZP001 ) GROUP(SYS     ) NAME(RAND                )
                     RA2002.DEB$SI13.C CL(FACILITY)
                     INSUFFICIENT ACCESS AUTHORITY
                     FROM RA2002.* (G)
                     ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
09.22.12 JOB06972  ICH408I USER(F       ) GROUP(        ) NAME(???                 )
                     LOGON/JOB INITIATION - USER AT TERMINAL          NOT RACF-DEFINED

 

JCL required to run DEB$SI10

Run the following JCL (refer to the RA2002.SAMPLIB member DEB$SI10 ) to create the verification reports:

//PASSWORD   EXEC PGM=DEB$SI10                                        

//STEPLIB    DD   DISP=SHR,DSN=RA2002.LINKLIB                   

//VERPRINT   DD SYSOUT=*   * PRINT CONTROL STATEMENTS                 

//VERINPUT   DD *                                                     

+OPTIONS HEADING=YES                                                  

*                                                                      

* VERIFY FOLLOWING USERIDS WITH A GIVEN PASSWORD                      

*                                                                     

+VERIFY USERID=E,NEWPASSW=SYS1                                        

+VERIFY USERID=E,NEWPASSW=SYS2                                        

+VERIFY USERID=E,NEWPASSW=EUGENE                                      

+VERIFY USERID=B,PASSWORD=SYS1,NEWPASSW=SYS2,

        SUSERID=GAGA,SGROUPID=BANANA,

        JOBNAME=MYJOB,                      

        APPL=MYAPPL,                        

        LOGSTR=LOGSTRIN,                    

        PGMNAME=PGMNAME,                    

        POE=JES2,                           

        SGROUPID=SGRUPPE,                   

        SESSION=APPC,                       

        SNODE=NODESUB                       

+VERIFY USERID=B,PASSWORD=SYS2,NEWPASSW=SYS3

+VERIFY USERID=B,PASSWORD=SYS3,NEWPASSW=SYS4

+VERIFY USERID=B,PASSWORD=SYS4,NEWPASSW=SYS5

+VERIFY USERID=B,PASSWORD=SYS5,NEWPASSW=SYS6

+VERIFY USERID=B,PASSWORD=SYS6,NEWPASSW=SYS7

+VERIFY USERID=B,PASSWORD=SYS7,NEWPASSW=SYS8

+VERIFY USERID=B,PASSWORD=SYS8,NEWPASSW=SYS9

+VERIFY USERID=B,PASSWORD=SYS9,NEWPASSW=SYSA

+VERIFY USERID=B,PASSWORD=SYSA,NEWPASSW=SYSB

+VERIFY USERID=B,PASSWORD=SYSB,NEWPASSW=SYSC

+VERIFY USERID=B,PASSWORD=SYSC,NEWPASSW=SYSD

+VERIFY USERID=B,PASSWORD=SYSD,NEWPASSW=SYSE

+VERIFY USERID=B,PASSWORD=SYSE,NEWPASSW=SYS1

 

 

 

Filter Control Statements (//VERINPUT DD)

 

RACF password validation

 

The following control statements can be used to obtain the RACF verification reports:

DDname: //VERINPUT

Verb: *  (comment line)
    Keyword:  N/A
    Default:  N/A

Verb: +OPTIONS  (Note: only one +OPTIONS statement is allowed)
    HEADING=YES or NO
        Print headings (title lines).
        Default: YES

Verb: +VERIFY  (Note: you can define as many +VERIFY statements as required.
                Make sure the region size is set large enough, e.g. REGION=0M)
    USERID=
        Specifies the user identification of the user who has entered the system.
        User-IDs that have the SPECIAL, OPERATIONS or AUDITOR attribute, or are
        privileged, are ignored for security reasons.  USERID=IBMUSER is ignored as well.
        Default: N/A
    PASSWORD=
        Specifies the currently defined password of the user who has entered the system.
        Default: see Note 1 below
    NEWPASSW=
        Specifies the password that is to replace the user's currently defined password.
        With the assignment of a new password all the relevant RACF password rule checks
        take place.
        Optional (no default)
    APPL=
        Specifies the name of the application issuing the RACROUTE REQUEST=VERIFY to
        verify the user's authority to access the application.
        Optional (no default)
    GROUPID=
        Specifies the group specified by the user who has entered the system.
        Optional (no default)
    JOBNAME=
        Specifies the job name of a background job.
        Optional (no default)
    LOGSTR=
        Specifies character data to be written to the system management facilities (SMF)
        data set together with any RACF audit information, if logged.
        Optional (no default)
    PGMNAME=
        Specifies the name of the user who has entered the system.  This 20-byte area is
        passed to the RACINIT installation exit routine; it is not used by the RACROUTE
        REQUEST=VERIFY routine.
        Optional (no default)
    POE=
        Specifies the port of entry into the system: the name of the input device through
        which the user or job entered the system, for example the input device through
        which the job was submitted or the terminal logged onto.  The port of entry is an
        8-character field that is left-justified and padded with blanks.
        Optional (no default)
    SGROUPID=
        Specifies the group name of the user who submitted the unit of work.  The group ID
        cannot exceed eight bytes.
        Optional (no default)
    SUSERID=
        Specifies the user ID of the user who submitted the unit of work.  The user ID
        cannot exceed eight bytes.
        Optional (no default)
    TERMID=
        Specifies the identifier of the terminal through which the user is accessing the
        system.
        Optional (no default)

 

Note:

  1. If no password is supplied, the RACF profile FACILITY RA2002.DEB$SI13.userid will be checked.  An internal password will be assigned and the user-ID will be resumed as well.
  2. If a password is supplied, then RACF will verify the supplied password.
  3. The implemented RACF password validation process has been set up in such a way that no unauthorized user can manipulate the RACF DB.  Make sure there is no generic profile RA2002.** defined, e.g. with UACC(READ), that would cover the RA2002.DEB$SI13.userid profiles.
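As an added example (not part of RRE or its documentation), a Python pre-flight check that parses a //VERINPUT deck using the keywords listed above and flags problems before the job is run against RACF. It assumes that a trailing comma continues a statement on the next line, as in the sample JCL, and that the SESSION= and SNODE= keywords used in the sample JCL are accepted.

```python
# Added example, not RRE code: pre-flight lint of a //VERINPUT deck. Assumed
# syntax (from the sample JCL): trailing comma = continuation, '*' = comment.
OPTIONS_KEYS = {"HEADING"}
VERIFY_KEYS = {"USERID", "PASSWORD", "NEWPASSW", "APPL", "GROUPID", "JOBNAME",
               "LOGSTR", "PGMNAME", "POE", "SGROUPID", "SUSERID", "TERMID",
               "SESSION", "SNODE"}  # last two: used in the sample JCL only

def statements(lines):
    buf = ""  # yields (verb, {keyword: [values]}) per logical statement
    for raw in lines:
        text = raw.strip()
        if not text or (not buf and text.startswith("*")):
            continue  # blank or comment line
        buf += text
        if buf.endswith(","):
            continue  # statement continues on the next line
        verb, _, rest = buf.partition(" ")
        keys = {}
        for item in filter(None, rest.split(",")):
            k, _, v = item.partition("=")
            keys.setdefault(k.strip().upper(), []).append(v.strip())
        yield verb.upper(), keys
        buf = ""

def lint_verinput(lines):
    """Return the findings to fix before the deck is run against RACF."""
    findings, n_options = [], 0
    for verb, keys in statements(lines):
        allowed = {"+OPTIONS": OPTIONS_KEYS, "+VERIFY": VERIFY_KEYS}.get(verb)
        if allowed is None:
            findings.append(f"unknown verb {verb}")
            continue
        n_options += verb == "+OPTIONS"
        if n_options > 1 and verb == "+OPTIONS":
            findings.append("more than one +OPTIONS statement")
        for k, vals in keys.items():
            if k not in allowed:
                findings.append(f"{verb}: unknown keyword {k}=")
            if len(vals) > 1:
                findings.append(f"{verb}: {k}= given {len(vals)} times")
        if verb == "+VERIFY" and "PASSWORD" not in keys:
            uid = keys.get("USERID", ["?"])[0]  # Note 1: ID resumed, pw reset
            findings.append(f"+VERIFY USERID={uid}: no PASSWORD= (Note 1)")
    return findings
# Constructed sample deck, modelled on the JCL above (SGROUPID= given twice).
SAMPLE_DECK = """+OPTIONS HEADING=YES
* VERIFY FOLLOWING USERIDS WITH A GIVEN PASSWORD
+VERIFY USERID=E,NEWPASSW=SYS1
+VERIFY USERID=B,PASSWORD=SYS1,NEWPASSW=SYS2,
        SUSERID=GAGA,SGROUPID=BANANA,SGROUPID=SGRUPPE""".splitlines()
```

Running `lint_verinput(SAMPLE_DECK)` reports the +VERIFY without PASSWORD= (Note 1 applies) and the repeated SGROUPID= keyword.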

 

 

 

 

RACF Return codes

To perform the password validation, standard IBM functions are invoked.  In case of RACF errors, the following return and reason codes should be consulted to resolve any problems.  RACF errors are listed in //VERUSERS as xxyyzz, where xx is the SAF return code, yy the RACF return code and zz the RACF reason code, all in hexadecimal.  In the following section the SAF return code is shown as SAF RC and the RACF return code as RACF RC.

 

 

SAF RC (R15)  RACF RC  RACF RS  Description
xx            yy       zz
04                              Requested function could not be completed.
              00                No security decision could be made.
                       00       RACF was not called to process the request.
                       04       The user profile is not defined to RACF.
                       20       RACF is not active.
                       58       RJE or NJE operator FACILITY class profile not found.
08                              Requested function has failed.
              04                The user profile is not defined to RACF.
              08                The password is not authorized.
              0C                The password has expired.
              10                The new password is not valid.
                       *        Failing password rule.
              14                The user is not defined to the group.
              18                RACROUTE REQUEST=VERIFY was failed by the installation exit routine.
              1C                The user's access has been revoked.
              24                The user's access to the specified group has been revoked.
              28                OIDCARD parameter is required but not supplied.
              2C                OIDCARD parameter is not valid for specified user.
              30                The user is not authorized to the port of entry in the TERMINAL, JESINPUT, or CONSOLE class.
                       00       Indicates the user is not authorized to the port of entry.
                       04       Indicates the user is not authorized to access the system on this day, or at this time of day.
                       08       Indicates the port of entry cannot be used on this day, or at this time of day.
              34
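As an added example (not RRE code), a Python decoder for the xxyyzz field written to //VERUSERS: it splits the field into SAF RC, RACF RC and RACF RS, resolves each against the rows of the table above (only the rows shown there are covered), and sorts the error into a follow-up bucket; the bucket names are this example's own grouping, not RRE's.

```python
# Added example, not RRE code: decode the xxyyzz field that DEB$SI10 writes to
# //VERUSERS (SAF RC, RACF RC, RACF RS, two hex digits each) with the rows of
# the table above, and sort each error into a triage bucket for follow-up.
SAF_RC = {0x04: "Requested function could not be completed.",
          0x08: "Requested function has failed."}
RACF_RC = {  # keyed by (SAF RC, RACF RC)
    (0x04, 0x00): "No security decision could be made.",
    (0x08, 0x04): "The user profile is not defined to RACF.",
    (0x08, 0x08): "The password is not authorized.",
    (0x08, 0x0C): "The password has expired.",
    (0x08, 0x10): "The new password is not valid.",
    (0x08, 0x14): "The user is not defined to the group.",
    (0x08, 0x18): "RACROUTE REQUEST=VERIFY was failed by the installation exit routine.",
    (0x08, 0x1C): "The user's access has been revoked.",
    (0x08, 0x24): "The user's access to the specified group has been revoked.",
    (0x08, 0x28): "OIDCARD parameter is required but not supplied.",
    (0x08, 0x2C): "OIDCARD parameter is not valid for specified user.",
    (0x08, 0x30): "The user is not authorized to the port of entry (TERMINAL, JESINPUT or CONSOLE class).",
}
RACF_RS = {  # keyed by (SAF RC, RACF RC, RACF RS); only these rows define a RS
    (0x04, 0x00, 0x00): "RACF was not called to process the request.",
    (0x04, 0x00, 0x04): "The user profile is not defined to RACF.",
    (0x04, 0x00, 0x20): "RACF is not active.",
    (0x04, 0x00, 0x58): "RJE or NJE operator FACILITY class profile not found.",
    (0x08, 0x30, 0x00): "The user is not authorized to the port of entry.",
    (0x08, 0x30, 0x04): "The user is not authorized to access the system on this day, or at this time of day.",
    (0x08, 0x30, 0x08): "The port of entry cannot be used on this day, or at this time of day.",
}
BUCKETS = {(0x08, 0x10): "password-rule", (0x08, 0x1C): "revoked",
           (0x08, 0x24): "revoked", (0x08, 0x04): "not-defined",
           (0x04, 0x00): "no-decision", (0x08, 0x30): "port-of-entry"}

def decode(field):
    """Split 'xxyyzz' into three ints and resolve the table rows that apply."""
    field = field.strip().upper()
    if len(field) != 6 or any(c not in "0123456789ABCDEF" for c in field):
        raise ValueError(f"expected 6 hex digits, got {field!r}")
    saf, rc, rs = (int(field[i:i + 2], 16) for i in (0, 2, 4))
    text = [SAF_RC.get(saf, "SAF RC not in table"),
            RACF_RC.get((saf, rc), "RACF RC not in table")]
    if (saf, rc) == (0x08, 0x10):  # RS identifies the failing password rule
        text.append(f"failing password rule {rs:02X}")
    elif (saf, rc, rs) in RACF_RS:
        text.append(RACF_RS[saf, rc, rs])
    return saf, rc, rs, text

def triage(field):
    """Follow-up bucket: 'password-rule', 'revoked', ..., or 'other'."""
    saf, rc, _, _ = decode(field)
    return BUCKETS.get((saf, rc), "other")
```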