I went into the IUI 211 panel and deleted the users from the VSE Control File, but then I can still log on with the deleted user id, I get a message that there is no profile defined for the deleted user, but it leaves me logged into CICS. Do user ids need to be deleted from somewhere else?
Thanks...
Louie Callari
716-871-2939
Kevin Corkery
Independent Consultant
Voorhees, New Jersey
-----Original Message-----
From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf Of
Louis Callari
Sent: Tuesday, July 08, 2008 9:06 AM
To: VSE Discussion List
Subject: Deleting User from CICS/TS
That is only (close to) correct for a user who has ICCF
privileges. The correct ICCF console commands are /disc and /conn instead
of two slashes and a space.
Sincerely,
Dave Clark
WinWholesale Group Services
3110 Kettering Boulevard
Dayton, Ohio 45439 USA
(937) 294-5331
This email message and any attachments is for use only by the named
addressee(s) and may contain confidential, privileged and/or proprietary
information. If you have received this message in error, please
immediately notify the sender and delete and destroy the message and all
copies. All unauthorized direct or indirect use or disclosure of this
message is strictly prohibited. No right to confidentiality or privilege
is waived or lost by any error in transmission.
I ran the DTSDUSER job, but that only deletes ICCF users, not the general users.
The user id and password have to be saved somewhere in the system after deleting the user id because if I enter an incorrect password the IUI login screen tells me so, if I enter the correct login and password it logs me into CICS but displays the following panel. If I look at the Maintain User Profile list the user is no longer there.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. .
. There is no profile information for your user ID. .
. .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. .
. You are authorized to use the system, however no user profile .
. was found. You cannot use functions of the Interactive Interface. .
. .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. .
. Specifics about the error have been logged for .
. analysis and action by your System Administrator. .
. .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> ----- Original Message -----
> From: indust...@winwholesale.com
> To: "VSE Discussion List" <vs...@Lehigh.EDU>
> Subject: RE: Deleting User from CICS/TS
> Date: Tue, 8 Jul 2008 10:49:36 -0400
>
>
> owner...@Lehigh.EDU wrote on 07/08/2008 10:20:22 AM:
> > Did you get a program starting in BG partition that deletes the user
> > from the control file. It also asks to disc dtsfile. You have to then
> > key in // disc dtsfile. At the end of the program you have to do
> > // conn dtsfile.
>
David Wakser
-----Original Message-----
From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of Louis Callari
Randy Evans, Viaserv, Inc.
> -----Original Message-----
> From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of
> Louis Callari
> Sent: Tuesday, July 08, 2008 10:02 AM
> To: VSE Discussion List
After deleting the users in the IUI, did you try running the BSM
Rebuild job from the IUI Administrator Fastpath 283?
Mohammed Imam
I am migrating to 4.1 and am on 2.6.1, but did you do MSG FB,DATA=CLOSECNTL
and the MSG FB,DATA=OPENCNTL (or the 4.1 version) to update the security
manager's version?
Ed Martin
330-588-4723
ext 40441
-----Original Message-----
From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of Louis Callari
Sent: Tuesday, July 08, 2008 12:02 PM
To: VSE Discussion List
Also, once you got back to the full list there was a PF6 that says groups, hit that one as well.
Hopes this helps.
-----Original Message-----
>From: indust...@winwholesale.com
>Sent: Jul 8, 2008 9:08 AM
>To: VSE Discussion List <vs...@Lehigh.EDU>
>Subject: RE: Deleting User from CICS/TS
Jan Canavan
j_ca...@earthlink.net
VSE/VM SYSTEMS PROGRAMMER
Thanks to everyone that answered.
Louie Callari
>
This is why I wrote my own CICS application for maintaining the
BSM definitions in the BSTCNTL file. IBM provided means of singly adding
and deleting these definitions but no means of finding all the places a
resource is defined -- such as a user id. So I have this functionality,
plus a whole lot more, built into my security maintenance application. One
of the nice things it does is, when you delete a non-ICCF user from its
user id list, it automatically finds and deletes everywhere that user id
has been given permission to other resources -- including user groups.
Another of the nice things it does is to automatically submit a BSM
rebuild job when changes have been made and you exit from one of its
maintenance screens.
CEMT PERF SECURITY REBUILD
for the CICS partition you're dealing with?
have fun,
max
-----Original Message-----
From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of Louis Callari
Sent: Tuesday, July 08, 2008 1:52 PM
To: VSE Discussion List
Ken Meyer
CSI
Define hoops.
I can read them just fine, using the County's 'standard' email system.
Dave
Dave Stuart
Prin. Info. Systems Support Analyst
County of Ventura, CA
805-662-6731
David....@ventura.org
>>> "K Meyer" <kme...@csi-international.com> 7/8/2008 11:01 AM >>>
--------------------------------------------
Andy Engels
IS Team Leader - Technical Services
Illinois Municipal Retirement Fund
Oak Brook, IL
630-368-5346
-----Original Message-----
From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of K Meyer
Sent: Tuesday, July 08, 2008 1:01 PM
To: VSE Discussion List
Ken Meyer
CSI
*********** REPLY SEPARATOR ***********
On 7/8/2008 at 11:02 AM David Stuart wrote:
>Ken,
>
>Define hoops.
snip..
Yes I have done the security rebuild, and I also cycled CICS, but no luck.
> ----- Original Message -----
> From: "Max Singley" <MSin...@alexlee.com>
> To: "VSE Discussion List" <vs...@Lehigh.EDU>
> Subject: RE: Deleting User from CICS/TS
> Date: Tue, 8 Jul 2008 14:00:38 -0400
>
>
>
> Did you do the security rebuild like Jan suggested?
>
> CEMT PERF SECURITY REBUILD
>
> for the CICS partition you're dealing with?
>
> have fun,
> max
>
> -----Original Message-----
> From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
> Of Louis Callari
> Sent: Tuesday, July 08, 2008 1:52 PM
> To: VSE Discussion List
Would you be willing to share your application?
Louie Callari
716-871-2939
> ----- Original Message -----
> From: indust...@winwholesale.com
> To: "VSE Discussion List" <vs...@Lehigh.EDU>
> Subject: RE: Deleting User from CICS/TS
> Date: Tue, 8 Jul 2008 13:57:38 -0400
>
>
> owner...@Lehigh.EDU wrote on 07/08/2008 01:00:42 PM:
> > So, it says you have to add the id for each group, so, if you
> > remove it I would "assume" you would have to remove it from
> > each group (cics) and then re-build the security.
>
We're running Novell's Groupwise, v7.0.
Ken,
What email client are you using?
Dave
Dave Stuart
Prin. Info. Systems Support Analyst
County of Ventura, CA
805-662-6731
David....@ventura.org
>>> "Louis Callari" <louie_...@buffalo.com> 7/8/2008 11:21 AM >>>
--------------------------------------------
Andy Engels
IS Team Leader - Technical Services
Illinois Municipal Retirement Fund
Oak Brook, IL
630-368-5346
-----Original Message-----
From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of K Meyer
Sent: Tuesday, July 08, 2008 1:14 PM
To: VSE Discussion List
Billy
Yes, I'm willing, however, it (VSEC) is rather complex and
includes some dependency upon our environment. I have also not yet made
the effort to bring all of the pieces together into an installable
package. It is also rather new even to our environment and, though it
works perfectly for me, it has not yet undergone the rigorous type of
testing which users unfamiliar with the application can put it through.
VSEC has four levels of built-in security (application, section, generic,
and resource level) based upon custom BSM resource definitions. To give
you an idea of what I mean, the following is the job to set up the basic
security access to just the VSEC application. This is necessary because
it is our plan to have end users responsible for maintaining their own
application resource security permissions. So, if you want it, send me an
off-list email for when I have a chance to build the installable package
to send you.
// JOB BSTADMIN VSEC Internal Security
// EXEC PGM=BSTADMIN
AG @WGSITMG DATA('WGS I/T Management ')
PE FACILITY WINROLE.300.CRP.IT.MGR ID(@WGSITMG) ACC(R)
CO @WGSITMG JCDANA
CO @WGSITMG KMCLAY
CO @WGSITMG SLHANGEN
AG @WGSIT DATA('WGS I/T Employees ')
PE FACILITY WINROLE.350.CRP.IT.EMP ID(@WGSIT) ACC(R)
CO @WGSIT DLCLARK
CO @WGSIT DRROBERT
CO @WGSIT JPDUNLEV
CO @WGSIT RAHALE
CO @WGSIT WCWASHBU
AD FACILITY WINVSEC.APPS UACC(N) DATA('Appl. Security Maint')
AD FACILITY WINVSEC.CORP UACC(N) DATA('Corp. Security Maint')
AD FACILITY WINVSEC.ROLE UACC(N) DATA('Roles Security Maint')
AD FACILITY WINVSEC.TRAN UACC(N) DATA('Tran. Security Maint')
AD FACILITY WINVSEC.UGRP UACC(N) DATA('Group Security Maint')
AD FACILITY WINVSEC.USER UACC(N) DATA('Users Security Maint')
AD FACILITY WINVSEC.VSEC UACC(N) DATA('VSec. Security Maint')
AD FACILITY WINAPPS. GEN UACC(N) DATA('WINAPPS Generic Accs')
AD FACILITY WINCORP. GEN UACC(N) DATA('WINCORP Generic Accs')
AD FACILITY WINROLE. GEN UACC(N) DATA('WINROLE Generic Accs')
AD TCICSTRN '' GEN UACC(N) DATA('CICSTRN Generic Accs')
AD FACILITY WINVSEC. GEN UACC(N) DATA('VSec. Applic. Access')
PE FACILITY WINVSEC.APPS ID(@WGSIT) ACC(U)
PE FACILITY WINVSEC.CORP ID(@WGSIT) ACC(U)
PE FACILITY WINVSEC.ROLE ID(@WGSIT) ACC(U)
PE FACILITY WINVSEC.TRAN ID(@WGSIT) ACC(U)
PE FACILITY WINVSEC.UGRP ID(@WGSIT) ACC(U)
PE FACILITY WINVSEC.USER ID(@WGSIT) ACC(U)
PE FACILITY WINVSEC. GEN ID(@WGSIT) ACC(R)
PE FACILITY WINVSEC. GEN ID(@WGSITMG) ACC(A)
PF DATASPACE REFRESH
/* EOD
/& EOJ
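A minimal cross-reference over BSTADMIN statements of the kind shown in the job above, as an added example that is not part of the original thread and is neither VSEC nor IBM's BSM Cross Reference Tool. It lists every group a user ID is connected to and every permit that names the ID directly or through a group, which is what has to be cleaned up when the ID is deleted. Group names, user IDs and profiles in the sample are constructed, and only the AG/CO/PE statement forms seen in the job are recognized.

```python
import re
from collections import defaultdict

# Constructed sample in the statement style of the job above
# (read here as: AG = add group, CO = connect user to group, PE = permit).
SAMPLE_JOB = """\
// JOB BSTADMIN SAMPLE
// EXEC PGM=BSTADMIN
AG @GRPA DATA('Sample group A')
AG @GRPB DATA('Sample group B')
CO @GRPA USERA
CO @GRPA USERB
CO @GRPB USERB
AD FACILITY APP.ONE UACC(N) DATA('Sample profile')
PE FACILITY APP.ONE ID(@GRPA) ACC(U)
PE FACILITY APP.TWO ID(USERB) ACC(R)
PE TCICSTRN TRN1 ID(@GRPB) ACC(R)
PF DATASPACE REFRESH
/* EOD
/& EOJ
"""

# The profile name may contain a blank, so it is matched lazily up to ID(...).
PERMIT_RE = re.compile(r"^PE\s+(\S+)\s+(.+?)\s+ID\((\S+?)\)\s+ACC\((\w+)\)")
CONNECT_RE = re.compile(r"^CO\s+(\S+)\s+(\S+)")


def parse_job(text):
    """Return ({group: {users}}, [(class, profile, id, access), ...])."""
    groups = defaultdict(set)
    permits = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and JCL statements; only BSTADMIN input is parsed.
        if not line or line.startswith(("//", "/*", "/&")):
            continue
        m = CONNECT_RE.match(line)
        if m:
            groups[m.group(1)].add(m.group(2))
            continue
        m = PERMIT_RE.match(line)
        if m:
            permits.append(m.groups())
    return groups, permits


def xref_user(user, text):
    """Find every place `user` still has access: groups, direct and inherited permits."""
    groups, permits = parse_job(text)
    member_of = sorted(g for g, members in groups.items() if user in members)
    direct = [(c, p, a) for c, p, who, a in permits if who == user]
    via_group = [(c, p, a, who) for c, p, who, a in permits if who in member_of]
    return {"groups": member_of, "direct": direct, "via_group": via_group}


if __name__ == "__main__":
    for key, value in xref_user("USERB", SAMPLE_JOB).items():
        print(key, value)
```

An ID that returns three empty lists is no longer referenced by any connect or permit statement in the input; anything else is a leftover to remove before the BSM rebuild.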
I checked the security presentation, but I don't see anything.
Does this ring anybody else's memory?
-----Original Message-----
>From: Louis Callari <louie_...@buffalo.com>
>Sent: Jul 8, 2008 11:20 AM
>To: VSE Discussion List <vs...@Lehigh.EDU>
>Subject: RE: Deleting User from CICS/TS
>
>Hi Max,
>
>Yes I have done the security rebuild, and I also cycled CICS, but no luck.
>> -----Original Message-----
>> From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
>> Of Louis Callari
>> Sent: Tuesday, July 08, 2008 1:52 PM
>> To: VSE Discussion List
>> Subject: RE: Deleting User from CICS/TS
>>
>> Looking into Jan's suggestion I see that each user id is defined to each
>> of the 64 groups, so I guess I'll take Kevin's suggestion and just
>> revoke the user ids I want to get rid of.
>>
>> Thanks to everyone that answered.
>>
>> Louie Callari
>> > ----- Original Message -----
>> > From: "Jan Canavan" <j_ca...@earthlink.net>
>> > To: "VSE Discussion List" <vs...@Lehigh.EDU>
>> > Subject: RE: Deleting User from CICS/TS
>> > Date: Tue, 8 Jul 2008 10:00:42 -0700 (GMT-07:00)
>> >
>> >
>> >
>> > I have been reading about the BSM, for CICS it's chapter 8 in the
>> > VSE Admin guide So, it says you have to add the id for each
>> > group, so, if you remove it I would "assume" you would have to
>> > remove it from each group (cics) and then re-build the security.
>> >
>> > Also, once you got back to the full list there was a PF6 that
>> > says groups, hit that one as well.
>> >
>> > Hopes this helps.
But I doubt that Louis's problem is related to USER/GROUP associations as
maintained in BSTCNTL. He stated that the userid/password was still
being verified and that incorrect passwords yielded an invalid password
response. Passwords are only maintained in IESCNTL for BSM and not
BSTCNTL the last time I looked at it. So, there must still be a 'US'
record in the IESCNTL file containing that user's password for that to
happen.
David Wakser earlier suggested checking the contents of the IESCNTL file
for the 'US' record with the idea that perhaps some error occurred
during the delete request that was unreported. I think it would have to
be something like that or else a problem with the caching mechanism used
by BSM that has left an image of the record in use by the BSM partition
even though it has been deleted from the IESCNTL file itself.
Randy Evans, Viaserv, Inc.
I also found this:
Ensure that you have removed the // EXEC IESIRCVT statement in the procedure USERBG.PROC. To do so, use skeleton SKUSERBG (located in ICCF library 59). If this statement is contained in USERBG.PROC, the settings specified by the PERFORM PASSWORD ... command will be overwritten by the IESIRCVT settings!
and note there is a
STATUS | ST Command
Use the STATUS command to obtain the status information of the BSM. Here is an example of using the STATUS command and the output it produces:
This is on page 213 of the manual, and pdf 237
Randy Evans, Viaserv, Inc.
> -----Original Message-----
> From: owner...@Lehigh.EDU [mailto:owner...@Lehigh.EDU] On Behalf
Of
> Jan Canavan
> Sent: Tuesday, July 08, 2008 5:29 PM
> To: VSE Discussion List
> Subject: RE: Deleting User from CICS/TS
>
>
>
The perform command says that it is used to ACTIVATE OR DEACTIVATE resource OR REFRESH CONTENTS THE DATA SPACES. That makes more sense. If the user id has been deleted, but the data space has NOT been refreshed.
can be done via back, and this is where that note is, right BEFORE THE status
Are you referring to the BSM Cross Reference tool?
Check here:
http://www.ibm.com/servers/eserver/zseries/zvse/downloads/tools.html#bsmxref
Jan Canavan wrote:
> After reading all of this, I remember at WAVV Ingo said there was a NEW REPORT you could run
> that would show you how the groups and users were laid out.
>
> I checked the security presentation, but I don't see anything.
>
> Does this ring anybody else's memory?
>
--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina
Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
"The z/VSE BSM Cross Reference Tool is intended to help administrators control the profile definitions in the BSM control file. In particular when you delete a user ID, you can use it to ensure that you have removed the user ID from all access lists and groups."
-----Original Message-----
>From: Rich Smrcina <rsmr...@wi.rr.com>
>Sent: Jul 8, 2008 7:58 PM
>To: VSE Discussion List <vs...@Lehigh.EDU>
Louie,
I have an installation package created now -- if you're
interested.