
DFSORT: RACFICE query - how to extract all commands containing some text value


Bruce Hewson

Dec 13, 2017, 4:48:56 AM
A query for the ICETOOL/RACFICE experts,

I have been asked to extract all RACF commands issued relating to a specific USERID.

I am not knowledgeable enough with ICETOOLS to code this myself quickly.

The current RACFICE examples do not provide a sample for this.

example.

Extract and report all commands, ADDUSER/ALTUSER/PASSWORD/PERMIT that reference USER(xyzzy)


Hopefully someone can help.

Thanks
Bruce Hewson

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@listserv.ua.edu with the message: INFO IBM-MAIN

Elardus Engelbrecht

Dec 13, 2017, 6:18:31 AM
Bruce Hewson wrote:

>A query for the ICETOOL/RACFICE experts,

>I have been asked to extract all RACF commands issued relating to a specific USERID.
>I am not knowledgeable enough with ICETOOLS to code this myself quickly.

You will have to learn it. Or post your queries on RACF-L. Perhaps someone from DFSORT support chimes in here.


This is a two step thing. You first use RACF SMF Unload and then you use the ICETOOL job.

This process is hungry hungry HUNGRY on disk space, because the compressed SMF records are expanded. Bit fields are expanded in a full 4 bytes per bit. Say x'01' is expanded into 'YES ' and x'00' to 'NO '.

Or you can go the DB2 way. I have not done that way.


>The current RACFICE examples do not provide a sample for this.

I am not surprised, but I started my life from those RACFICE examples and moved on.

Perhaps there are DB2 samples for that, I simply don't know or just don't care.


>Extract and report all commands, ADDUSER/ALTUSER/PASSWORD/PERMIT that reference USER(xyzzy)

Please note: There are two USER fields involved in a RACF command - Issuer and subject of the id.

Issuer is on a specific column, but the subject Userid is in a specific column or specific field depending on the command used.

For commands like PERMIT, you won't get a specific id, but you will need to examine the 'Keywords Used' and then there you examine the field.


Example for ADDUSER, I have this:

//TOOLIN DD *
SORT FROM(INDD) TO(TEMP0001) USING(ADD1)
DISPLAY FROM(TEMP0001) LIST(PRINT1) -
NOCC -
WIDTH(500) -
TITLE('RACF ADDUSER Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(63,8,CH) HEADER('Issuer') -
ON(295,20,CH) HEADER('User Name') -
ON(72,8,CH) HEADER('Group') -
ON(32,10,CH) HEADER('Date') -
ON(23,8,CH) HEADER('Time') -
ON(508,8,CH) HEADER('User Id') -
ON(43,4,CH) HEADER('SMFID') -
ON(175,8,CH) HEADER('Terminal') -
ON(184,8,CH) HEADER('Jobname ') -
ON(14,8,CH) HEADER('Result') -
ON(517,200,CH) HEADER('Keywords')

//ADD1CNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'ADDUSER ',AND,
                32,10,CH,GE,C'2017-01',AND,
                508,3,CH,EQ,C'ABC')
  OPTION VLSHRT


For ALTUSER I have this example:

SORT FROM(INDD) TO(TEMP0001) USING(ULDF)
DISPLAY FROM(TEMP0001) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('Group Special Users Activity') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(63,8,CH) HEADER('Issuer') -
ON(295,20,CH) HEADER('User Name') -
ON(72,8,CH) HEADER('Group') -
ON(32,10,CH) HEADER('Date') -
ON(23,8,CH) HEADER('Time') -
ON(522,8,CH) HEADER('User Id') -
ON(43,4,CH) HEADER('SMFID') -
ON(175,8,CH) HEADER('Terminal') -
ON(184,8,CH) HEADER('Job Name') -
ON(286,8,CH) HEADER('Owner ') -
ON(14,8,CH) HEADER('Result') -
ON(531,200,CH) HEADER('Keywords Used')
//ULDFCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'ALTUSER ',AND,
                32,7,CH,GE,C'2017-01',AND,
                522,3,CH,EQ,C'ABC')
  OPTION VLSHRT

... and so on ...

Good luck. You will really need it! Just shout again if you need more help.

Groete / Greetings
Elardus Engelbrecht

R.S.

Dec 13, 2017, 6:25:47 AM
Use SS. Of course I don't mean bad guys from WWII times, this is
SubString. ;-)
You can filter (INCLUDE/OMIT) any record containing given string
(userid) wherever in the record or some field of the record.


--
Radoslaw Skorupka
Lodz, Poland








Elardus Engelbrecht

Dec 13, 2017, 6:36:16 AM
Radoslaw Skorupka wrote:

>Use SS. Of course I don't mean bad guys from WWII times, this is SubString. ;-)

>You can filter (INCLUDE/OMIT) any record containing given string (userid) wherever in the record or some field of the record.

Yes, I forgot about that advanced helpful command SS! It is a long time ago, I used that little gem. ;-)

Here is a crude ugly example:

//SELECT EXEC PGM=ICETOOL
//TOOLMSG DD SYSOUT=*
//DFSMSG DD SYSOUT=*
//PRINT DD SYSOUT=*,LRECL=8192
//INVOER DD DISP=SHR,DSN=???.RACF.ALLCMDS
//TEMP0001 DD DISP=(NEW,DELETE),SPACE=(CYL,(100,100,0)),
// UNIT=3390
//TOOLIN DD *
COPY FROM(INVOER) TO(PRINT) USING(TELB)
//TELBCNTL DD *
  OPTION VLSCMP
  OUTFIL FNAMES=PRINT,
         INCLUDE=(1,8192,SS,EQ,C'<userid>')

This will pick up and "copy/print" any line containing that search argument.

Groete / Greetings
Elardus Engelbrecht

Martin Packer

Dec 13, 2017, 8:07:09 AM
I don't think he'll mind me mentioning it but Mark Nelson was the
originator of RACFICE - but that was LONG ago.

He might well have a view.

And the advice to learn some DFSORT is good.

Cheers, Martin

Martin Packer

zChampion, Systems Investigator & Performance Troubleshooter, IBM

+44-7802-245-584

email: martin...@uk.ibm.com

Twitter / Facebook IDs: MartinPacker

Blog:
https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker

Podcast Series (With Marna Walle): https://developer.ibm.com/tv/mpt/ or

https://itunes.apple.com/gb/podcast/mainframe-performance-topics/id1127943573?mt=2


Youtube channel: https://www.youtube.com/channel/UCu_65HaYgksbF6Q8SQ4oOvA




Ron hawkins

Dec 13, 2017, 9:22:21 AM
Bruce,

You used to have access to SAS and MXG. Have you looked at this as an alternative to processing RACFICE?

If you use the TYPS80A member, I think you can piece together what you are looking for. For example, the ADDUSER command is type80 subtype 10, and therefore TYPE8010 in the PDB.

Some simple SQL WHERE statements against the relevant text fields looking for the would quickly find what you are looking for.

Ron

Lizette Koehler

Dec 13, 2017, 10:16:22 AM
Two suggestions

The RACF List might be helpful with this question. To join, if you have not done so, use this URL

RACF http://www.listserv.uga.edu/archives/racf-l.html


Next, there is a DFSORT HOTLINE from IBM who can always help with DFSORT coding. Send an email to dfs...@us.ibm.com

Hope this helps

Lizette



Sri h Kolusu

Dec 13, 2017, 12:21:02 PM
Bruce,

You extract the SMF80 records and process them thru DFSORT. You can also
use RACFRW to report

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/racfrw.htm

Example :

This file produces a report of failed logons for user Smith.

RACFRW TITLE('REPORT ON FAILED LOGONS FOR USER SMITH')
SELECT PROCESS USER(DUMMY)
EVENT LOGON
SUMMARY USER NEWPAGE
END

You can use EVENT to list all of your events and generate a report

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/racfrw.htm#racfrw__eventsub

If you still need help please feel free to send your questions to DFSORT
hotline (dfs...@us.ibm.com) along with a sample input file and desired
output report.

Thank you Lizette for directing the users to our hotline

Thanks,
Kolusu
DFSORT Development
IBM Corporation






Bruce Hewson

Dec 14, 2017, 12:53:57 AM
Thanks all, especially to Kolusu & Elardus.

My final JCL:-

//*******************************************************************
//EXTRACT EXEC PGM=ICETOOL
//IRRADU00 DD DISP=OLD,DSN=XYZZY.RACFICE.IRRADU00.ALL
//EXTRACT DD DISP=OLD,DSN=XYZZY.RACFICE.IRRADU00.EXTRACT
//PRINT DD DISP=(MOD,DELETE),
// UNIT=3390,
// LRECL=500,RECFM=FB,BLKSIZE=0,
// SPACE=(TRK,(15,15)),
// DSN=XYZZY.RACFICE.REPORT.CSMADMIN
//TOOLMSG DD DUMMY
//DFSMSG DD DUMMY
//SYSIN DD *
/*
//*------------------------------------------------------------------
//TOOLIN DD *
COPY FROM(IRRADU00) TO(EXTRACT) USING(RACF)
/*
//*------------------------------------------------------------------
//RACFCNTL DD *
  OUTFIL FNAMES=EXTRACT,
         INCLUDE=(1,8192,SS,EQ,C'XYZZY')
  OPTION VLSCMP
/*
//REPORT EXEC PGM=ICETOOL
//EXTRACT DD DISP=OLD,DSN=XYZZY.RACFICE.IRRADU00.EXTRACT
//TEMP0001 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//TEMP0002 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//TEMP0003 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//TEMP0004 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//TEMP0005 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//TEMP0006 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//TEMP0007 DD DISP=(NEW,DELETE,DELETE),SPACE=(0,(1000,350))
//PRINT DD DISP=(MOD,CATLG),
// UNIT=3390,
// LRECL=500,RECFM=FB,BLKSIZE=0,
// SPACE=(TRK,(15,15)),
// DSN=XYZZY.RACFICE.REPORT.CSMADMIN
//TOOLMSG DD DUMMY
//DFSMSG DD DUMMY
//SYSIN DD *
/*
//*------------------------------------------------------------------
//TOOLIN DD *
SORT FROM(EXTRACT) TO(TEMP0001) USING(ADDU)
DISPLAY FROM(TEMP0001) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF ADDUSER Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(508,8,CH) HEADER('USER ID') -
ON(517,138,CH) HEADER('KEYWORDS') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(295,20,CH) HEADER('USER NAME')
SORT FROM(EXTRACT) TO(TEMP0002) USING(ALTU)
DISPLAY FROM(TEMP0002) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF ALTUSER Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(522,8,CH) HEADER('USER ID') -
ON(286,8,CH) HEADER('OWNER ') -
ON(531,127,CH) HEADER('KEYWORDS USED') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(295,20,CH) HEADER('USER NAME')
SORT FROM(EXTRACT) TO(TEMP0003) USING(CONU)
DISPLAY FROM(TEMP0003) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF CONNECT Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(498,8,CH) HEADER('USER ID') -
ON(507,138,CH) HEADER('KEYWORDS USED') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(295,20,CH) HEADER('USER NAME')
SORT FROM(EXTRACT) TO(TEMP0004) USING(PSWD)
DISPLAY FROM(TEMP0004) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF PASSWORD Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(286,8,CH) HEADER('OWNER ') -
ON(498,138,CH) HEADER('KEYWORDS USED') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(295,20,CH) HEADER('USER NAME')
SORT FROM(EXTRACT) TO(TEMP0005) USING(PRMT)
DISPLAY FROM(TEMP0005) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF PERMIT Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(286,8,CH) HEADER('CLASS ') -
ON(507,35,CH) HEADER('RESOURCE') -
ON(763,100,CH) HEADER('KEYWORDS USED') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(304,20,CH) HEADER('USER NAME')
SORT FROM(EXTRACT) TO(TEMP0006) USING(RALT)
DISPLAY FROM(TEMP0006) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF RALTER Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(295,8,CH) HEADER('OWNER ') -
ON(286,8,CH) HEADER('CLASS ') -
ON(516,24,CH) HEADER('RESOURCE') -
ON(772,100,CH) HEADER('KEYWORDS USED') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(304,20,CH) HEADER('USER NAME')
SORT FROM(EXTRACT) TO(TEMP0007) USING(RDEF)
DISPLAY FROM(TEMP0007) LIST(PRINT) -
NOCC -
WIDTH(500) -
TITLE('RACF RDEFINE Command Report') -
DATE(4MD/) -
TIME(24:) -
PAGE -
BLANK -
ON(32,10,CH) HEADER('DATE') -
ON(23,8,CH) HEADER('TIME') -
ON(43,4,CH) HEADER('SMFID') -
ON(14,8,CH) HEADER('RESULT') -
ON(5,8,CH) HEADER('COMMAND') -
ON(295,8,CH) HEADER('OWNER ') -
ON(286,8,CH) HEADER('CLASS ') -
ON(516,24,CH) HEADER('RESOURCE') -
ON(772,100,CH) HEADER('KEYWORDS USED') -
ON(63,8,CH) HEADER('ISSUER') -
ON(72,8,CH) HEADER('GROUP') -
ON(175,8,CH) HEADER('TERMINAL') -
ON(184,8,CH) HEADER('JOB NAME') -
ON(304,20,CH) HEADER('USER NAME')
/*
//ADDUCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'ADDUSER ')
  OPTION VLSHRT
/*
//ALTUCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'ALTUSER ')
  OPTION VLSHRT
/*
//CONUCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'CONNECT ')
  OPTION VLSHRT
/*
//PSWDCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'PASSWORD')
  OPTION VLSHRT
/*
//PRMTCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'PERMIT ')
  OPTION VLSHRT
/*
//RALTCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'RALTER ')
  OPTION VLSHRT
/*
//RDEFCNTL DD *
  SORT FIELDS=(5,8,CH,A)
  INCLUDE COND=(5,8,CH,EQ,C'RDEFINE ')
  OPTION VLSHRT
/*

Martin Packer

Dec 14, 2017, 2:00:24 AM

This, I think, could use some Symbols love.

Cheers, Martin

Martin Packer


Robert S. Hansel , RSH

Dec 14, 2017, 6:26:39 AM
Kolusu,
I would not recommend the use of RACFRW. It was stabilized in 1992 and won't report on the use of newer command operands such as NOEXPIRE. Bruce is better off using ICETOOL.

Bruce,
Our presentation on DFSORT and ICETOOL and its use with RACF might be of help. You'll find it on our "RACF Center" webpage along with other useful RACF information.

http://www.rshconsulting.com/racfres.htm

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Elardus Engelbrecht

Dec 14, 2017, 6:56:18 AM
Robert S. Hansel (RSH) wrote:

>Kolusu,

Careful, Sri will SORT you out... ;-D


>I would not recommend the use of RACFRW. It was stabilized in 1992 and won't report on the use of newer command operands such as NOEXPIRE. Bruce is better off using ICETOOL.

Or, better - lock up program RACFRW in PROGRAM Class, Profile RACFRW with no access at all.

ICETOOL is indeed better, since it produces ONE line per event where RACFRW produces several hard to read lines per event.
You can sort your records using Date in this YYYY-MM-DD format.

A nice feature is the BREAK(column,chars,CH) BTITLE('???') in ICETOOL statements. AFAIK, that is not possible with RACFRW.

I am now wondering, can RACFRW report on RACDCERT commands and usage of Custom Fields for userids?



>Our presentation on DFSORT and ICETOOL and its use with RACF might be of help. You'll find it on our "RACF Center" webpage along with other useful RACF information.
>http://www.rshconsulting.com/racfres.htm

I had a quick look there and saw (on page 51) another method to use symbolics which I missed initially. Thanks.

Groete / Greetings
Elardus Engelbrecht

Sri h Kolusu

Dec 14, 2017, 7:25:41 PM
>>> Bruce My final JCL:-

Bruce,

I sent you a JCL offline which does all the reporting as well as uses
symbols and the userids can be dynamically passed. I don't have an input
data that has all the events that you are looking for.

>>> Martin Packer : This, I think, could use some Symbols love.

I agree and I also removed the individual sorts for each event type and
generated the report using the traditional reporting feature SECTIONS
along with symbols :)

>> Robert Hansel : Kolusu, I would not recommend the use of RACFRW. It was
stabilized in 1992 and won't report on the use of newer command operands
such as NOEXPIRE. Bruce is better off using ICETOOL.

Thank you. Since OP is only interested in few of the event types , I just
passed it on to him.

>>Elardus : Careful, Sri will SORT you out... ;-D

Nooo. I am not a RACF expert, So I have to agree with Robert. You can try
the JCL that I sent offline and see if that works

Thanks,
Kolusu
DFSORT Development
IBM Corporation




Elardus Engelbrecht

Dec 15, 2017, 3:01:48 AM
Sri h Kolusu wrote:

>>>Elardus : Careful, Sri will SORT you out... ;-D
>Nooo. I am not a RACF expert, So I have to agree with Robert.

Hahaha, and I am not a SORT expert. ;-)


>You can try the JCL that I sent offline and see if that works

Amazing example. ONE pass with SS statement and various type of selection.

I also tested out the SS with a string like ABC, it will catch ids ABCD, ABC123, ABC, etc. Amazing.

I am amazed how you use Symbolic names and then re-use them in the BUILD statement.

So instead of using 055:<location which can change in the future>,008,

... this is one looking better: 055:EVT_USER_ID,

So, I can then use the symbolic list in a dataset and have all my jobs refer to that. One place to change if the IRRADU00 output changes in the future.


Ok, what I am currently doing is this:

I use a COPY and then use OUTFIL to direct the output to different Temp datasets (think a 'splice' in other way) based on selection criteria. Then the DISPLAY is used to make the output pretty and place them somewhere else for distribution.

With this setup I could also do a ONE-PASS of the IRRADU00 or IRRDBU00 outputs and produce various reports with ONE jobstep.


//TOOLIN DD *
COPY FROM(INDD) USING(ALSS)
DISPLAY FROM(TEMPAA) LIST(PRINTAA) -
TITLE('ADDUSER')-
.....
DISPLAY FROM(TEMPAW) LIST(PRINTAW) -
TITLE('ALTUSER')-
.....
... etc ...

//ALSSCNTL DD *
  OPTION VLSHRT
  OPTION DYNSPC=512,SIZE=E999999999,MAINSIZE=MAX
  SORT FIELDS=(32,10,CH,A,23,8,CH,A,63,8,CH,A)
  OUTFIL FNAMES=TEMPAA,
         INCLUDE=(5,8,CH,EQ,C'ADDUSER')
  OUTFIL FNAMES=TEMPAW,
         INCLUDE=(5,8,CH,EQ,C'ALTUSER')
... etc ...

Many thanks Sri for your excellent example.

And thanks to Bruce for starting the whole story.

Thanks too to Robert S Hansel for assisting all of us.

Now, today is Friday and I think everything is SORTed out.

Groete / Greetings
Elardus Engelbrecht
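
Added example, not code from any poster in this thread: the two caveats raised above (issuer versus subject userid, and SS with ABC also catching ABCD and ABC123) applied to an IRRADU00 unload processed off-host in Python. It assumes each record was transferred as a text line without its RDW, so DFSORT position p is string index p-5; the helper names and the sample keyword text are constructed for illustration.

```python
import re

RDW = 4  # thread positions are DFSORT positions, which count the 4-byte RDW

# (position, length) pairs copied from the ON(...) fields posted in the thread.
EVENT_TYPE = (5, 8)
ISSUER = (63, 8)                      # who issued the command
SUBJECT = {                           # fixed-column userid the command acted on
    "ADDUSER": (508, 8),
    "ALTUSER": (522, 8),
    "CONNECT": (498, 8),
}
KEYWORDS = {                          # free-text "keywords used" column
    "ADDUSER": (517, 138), "ALTUSER": (531, 127), "CONNECT": (507, 138),
    "PASSWORD": (498, 138), "PERMIT": (763, 100),
    "RALTER": (772, 100), "RDEFINE": (772, 100),
}
# RACF userids are built from A-Z, 0-9 and the national characters # $ @.
TOKEN = re.compile(r"[A-Z0-9#$@]+")


def field(record, pos):
    """Return one column, assuming the line was transferred without its RDW."""
    start, length = pos
    begin = start - 1 - RDW
    return record[begin:begin + length].rstrip()


def ss_match(record, userid):
    """What INCLUDE=(1,8192,SS,EQ,C'userid') selects: the string anywhere."""
    return userid in record


def roles(record, userid):
    """Exact, whole-field references to userid in one record."""
    event = field(record, EVENT_TYPE)
    found = set()
    if field(record, ISSUER) == userid:
        found.add("issuer")
    if event in SUBJECT and field(record, SUBJECT[event]) == userid:
        found.add("subject")
    # Commands like PERMIT carry the target only inside the keyword text,
    # so compare whole tokens there instead of substrings.
    if event in KEYWORDS and userid in TOKEN.findall(field(record, KEYWORDS[event])):
        found.add("keyword")
    return found


def triage(records, userid):
    """Split SS-style hits into exact references and substring-only noise."""
    exact, noise = [], []
    for lineno, rec in enumerate(records, 1):
        if not ss_match(rec, userid):
            continue
        found = roles(rec, userid)
        hit = (lineno, field(rec, EVENT_TYPE), sorted(found))
        (exact if found else noise).append(hit)
    return exact, noise


def make_record(event, issuer, subject="", keywords=""):
    """Build a constructed test line; real input would come from IRRADU00."""
    buf = [" "] * 900
    placements = [(EVENT_TYPE, event), (ISSUER, issuer), (KEYWORDS[event], keywords)]
    if event in SUBJECT:
        placements.append((SUBJECT[event], subject))
    for (start, length), text in placements:
        begin = start - 1 - RDW
        buf[begin:begin + length] = text.ljust(length)[:length]
    return "".join(buf)


# Constructed sample records (keyword text is illustrative, not real output).
SAMPLE = [
    make_record("ALTUSER", "SECADM", subject="ABC", keywords="REVOKE"),
    make_record("ADDUSER", "ABC", subject="NEWUSR", keywords="OWNER(SYS1)"),
    make_record("ALTUSER", "SECADM", subject="ABCD", keywords="RESUME"),
    make_record("PERMIT", "SECADM", keywords="ID(ABC) ACCESS(READ)"),
    make_record("PERMIT", "SECADM", keywords="ID(ABC123) ACCESS(READ)"),
    make_record("RDEFINE", "SECADM", keywords="UACC(NONE)"),
]

if __name__ == "__main__":
    exact, noise = triage(SAMPLE, "ABC")
    for lineno, event, found in exact:
        print(f"record {lineno}: {event:<8} ABC as {', '.join(found)}")
    for lineno, event, _ in noise:
        print(f"record {lineno}: {event:<8} substring hit only, not ABC")
```
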

Sri h Kolusu

Dec 15, 2017, 11:05:08 AM
Elardus,

Thank you for your kind words

Kolusu






Bruce Hewson

Dec 15, 2017, 9:35:30 PM
Kolusu,

Thank you very much for your JCL.

I have tweaked it a little to modify the column layout, moving the "who did it" to the end of the line, and keeping "what happened" at the start.

Some minor displacement corrections also.

Very useful JCL.

Thank you very much.
Bruce


//ITSXSA3U JOB (ACCT#),'RACF USER=CSMADMIN',
// CLASS=U,
// MSGCLASS=W,
// MSGLEVEL=(1,1),
// NOTIFY=&SYSUID
//*
//*******************************************************************
//* THIS WILL READ THE SMF EXTRACT DATASET OF RACF RELATED SMF
//* RECORDS (TYPES 30, 80, 81, 82, 83) AND USE THE SORT TOOL
//* TO SORT THE DATA AND GENERATE A REPORT.
//*
//* THIS JOB WILL REPORT ALL SMF EVENTS FOR A SELECTED USERID.
//*
//*******************************************************************
//*
// SET USERNAME='CSMADMIN'
// SET REPORT='ITSXSA3.RACFICE.REPORT.CSMADMIN.REFORMAT'
//*
//*****************************************************************
//* Unload the SMF data for RACF records and format them using **
//* IRRADU00 **
//*****************************************************************
//SMFDUMP EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//ADUPRINT DD SYSOUT=*
//SMFDATA DD DISP=SHR,DSN=ITSXSA3.SMFACCUM.CPBK.HB
// DD DISP=SHR,DSN=ITSXSA3.SMFACCUM.CPRD.HB
//OUTDD DD DSN=&&IRASMF,DISP=(NEW,PASS),
// SPACE=(CYL,(100,100),RLSE),
// UNIT=(SYSDA,4),
// BLKSIZE=32760
//SMFOUT DD DUMMY
//SYSIN DD *
INDD(SMFDATA,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(000:255))
ABEND(NORETRY)
USER2(IRRADU00)
USER3(IRRADU86)
/*
//*****************************************************************
//* create the consolidated report for a user based on the **
//* Event type using DFSORT. The username can be dynamically **
//* passed. Look at the SET statement up above for the username **
//* The following Event Types are reported **
//* ADDUSER/ALTUSER/CONNECT/PASSWORD/PERMIT/RALTER/RDEFINE **
//*****************************************************************
//UAREPORT EXEC PGM=SORT,PARM='JP1"&USERNAME"'
//*
//PRINT DD DSN=&REPORT.,
// DISP=(NEW,CATLG,DELETE),
// UNIT=3390,
// SPACE=(TRK,(15,15))
//*
//SYSOUT DD SYSOUT=*
//SYMNOUT DD SYSOUT=*
//SYMNAMES DD *
RDW,1,4,BI
EVENT_TYPE,*,8,CH
SKIP,1
EVENT_QUAL,*,8,CH
SKIP,1
TIME_WRITTEN,*,8,CH
SKIP,1
DATE_WRITTEN,*,10,CH
SKIP,1
SYSTEM_SMFID,*,4,CH
SKIP,1
VIOLATION,*,4,CH
SKIP,1
USER_NDFND,*,4,CH
SKIP,1
USER_WARNING,*,4,CH
SKIP,1
EVT_USER_ID,*,8,CH
SKIP,1
EVT_GRP_ID,*,8,CH
SKIP,1
AUTH_NORMAL,*,4,CH
SKIP,1
AUTH_SPECIAL,*,4,CH
SKIP,1
AUTH_OPER,*,4,CH
SKIP,1
AUTH_AUDIT,*,4,CH
SKIP,1
AUTH_EXIT,*,4,CH
SKIP,1
AUTH_FAILSFT,*,4,CH
SKIP,1
AUTH_BYPASS,*,4,CH
SKIP,1
AUTH_TRUSTED,*,4,CH
SKIP,1
LOG_CLASS,*,4,CH
SKIP,1
LOG_USER,*,4,CH
SKIP,1
LOG_SPECIAL,*,4,CH
SKIP,1
LOG_ACCESS,*,4,CH
SKIP,1
LOG_RACINIT,*,4,CH
SKIP,1
LOG_ALWAYS,*,4,CH
SKIP,1
LOG_CMDVIOL,*,4,CH
SKIP,1
LOG_GLOBAL,*,4,CH
SKIP,1
TERM_LEVEL,*,3,CH
SKIP,1
BACKOUT_FAIL,*,4,CH
SKIP,1
PROF_SAME,*,4,CH
SKIP,1
TERM,*,8,CH
SKIP,1
JOB_NAME,*,8,CH
SKIP,1
READ_TIME,*,8,CH
SKIP,1
READ_DATE,*,10,CH
SKIP,1
SMF_USER_ID,*,8,CH
SKIP,1
LOG_LEVEL,*,4,CH
SKIP,1
LOG_VMEVENT,*,4,CH
SKIP,1
LOG_LOGOPT,*,4,CH
SKIP,1
LOG_SECL,*,4,CH
SKIP,1
LOG_COMPATM,*,4,CH
SKIP,1
LOG_APPLAUD,*,4,CH
SKIP,1
LOG_NONOMVS,*,4,CH
SKIP,1
LOG_OMVSNPRV,*,4,CH
SKIP,1
AUTH_OMVSSU,*,4,CH
SKIP,1
AUTH_OMVSSYS,*,4,CH
SKIP,1
USR_SECL,*,8,CH
SKIP,1
RACF_VERSION,*,4,CH
//SORTIN DD DISP=SHR,DSN=&&IRASMF
/*
//SYSIN DD *
  OPTION VLSCMP
  INCLUDE COND=(01,8192,SS,EQ,JP1,AND,
               (EVENT_TYPE,EQ,C'ADDUSER ',OR,
                EVENT_TYPE,EQ,C'ALTUSER ',OR,
                EVENT_TYPE,EQ,C'CONNECT ',OR,
                EVENT_TYPE,EQ,C'PASSWORD',OR,
                EVENT_TYPE,EQ,C'PERMIT ',OR,
                EVENT_TYPE,EQ,C'RALTER ',OR,
                EVENT_TYPE,EQ,C'RDEFINE '))

  INREC BUILD=(01,1000) $ BUILD REQD DATA

  SORT FIELDS=(EVENT_TYPE,A) $ SORT EVENT TYPE

  OUTREC IFTHEN=(WHEN=(5,8,CH,EQ,C'ADDUSER'),
         OVERLAY=(1001:508,008, $ USERID
                  1011:08X, $ OWNER
                  1021:08X, $ CLASS
                  1031:35X, $ RESOURCE
                  1071:295,020, $ USER NAME
                  1095:517,138)), $ KEYWORDS

         IFTHEN=(WHEN=(5,8,CH,EQ,C'ALTUSER'),
         OVERLAY=(1001:522,008, $ USERID
                  1011:286,008, $ OWNER
                  1021:08X, $ CLASS
                  1031:35X, $ RESOURCE
                  1071:295,020, $ USER NAME
                  1095:531,127)), $ KEYWORDS

         IFTHEN=(WHEN=(5,8,CH,EQ,C'CONNECT'),
         OVERLAY=(1001:498,008, $ USERID
                  1011:08X, $ OWNER
                  1021:08X, $ CLASS
                  1031:35X, $ RESOURCE
                  1071:295,020, $ USER NAME
                  1095:507,138)), $ KEYWORDS

         IFTHEN=(WHEN=(5,8,CH,EQ,C'PASSWORD'),
         OVERLAY=(1001:08X, $ USERID
                  1011:286,008, $ OWNER
                  1021:08X, $ CLASS
                  1031:35X, $ RESOURCE
                  1071:295,020, $ USER NAME
                  1095:498,138)), $ KEYWORDS

         IFTHEN=(WHEN=(5,8,CH,EQ,C'PERMIT'),
         OVERLAY=(1001:08X, $ USERID
                  1011:08X, $ OWNER
                  1021:286,008, $ CLASS
                  1031:507,035, $ RESOURCE
                  1071:304,020, $ USER NAME
                  1095:763,100)), $ KEYWORDS

         IFTHEN=(WHEN=(5,8,CH,EQ,C'RALTER',OR,
                       5,8,CH,EQ,C'RDEFINE'),
         OVERLAY=(1001:08X, $ USERID
                  1011:295,008, $ OWNER
                  1021:286,008, $ CLASS
                  1031:516,024, $ RESOURCE
                  1071:304,020, $ USER NAME
                  1095:772,100)) $ KEYWORDS

  OUTFIL FNAMES=PRINT,REMOVECC,VTOF,
         BUILD=(001:DATE_WRITTEN,
                014:TIME_WRITTEN,
                025:SYSTEM_SMFID,
                033:EVENT_QUAL,
                044:EVENT_TYPE,
                055:1001,008, $ USERID
                065:1011,008, $ OWNER
                075:1021,008, $ CLASS
                085:1031,035, $ RESOURCE
                122:1095,138, $ KEYWORDS
                262:EVT_USER_ID,
                272:EVT_GRP_ID,
                282:TERM,
                292:JOB_NAME,
                302:1071,020, $ USER NAME
                500:X),

         SECTIONS=(EVENT_TYPE,
           HEADER3=(/,
             001:'RACF ',
             006:EVENT_TYPE,
             015:'Command Report',
             037:DATE=(4MD/),
             055:TIME=(24:),8X,
             120:'Page',
             125:PAGE,/,/,
             001:'DATE',
             014:'TIME',
             025:'SMFID',
             033:'RESULT',
             044:'COMMAND',
             055:'USER ID',
             065:'OWNER',
             075:'CLASS',
             085:'RESOURCE',
             122:'KEYWORDS USED',
             262:'ISSUER',
             272:'GROUP',
             282:'TERMINAL',
             292:'JOB NAME',
             302:'USER NAME'/,
             001:010'-',
             014:008'-',
             025:004'-',
             033:008'-',
             044:008'-',
             055:008'-',
             065:008'-',
             075:008'-',
             085:035'-',
             122:138'-',
             262:008'-',
             272:008'-',
             282:008'-',
             292:008'-',
             302:020'-'))
/*