
List:       racf-l
Subject:    Re: Zapping user´s ACEE
From:       Walt Farrell <wfarrell () US ! IBM ! COM>
Date:       2011-12-22 15:57:37
Message-ID: 4EF35371.7010109 () us ! ibm ! com

On 12/22/2011 10:38 AM, Russell D Hardgrove wrote:
> Itschak, brilliant!!! a third way (okay there's even more if
> you 'zap' the database)
>
> Here is how it (Itschak's idea) works (5 steps plus the LAST
> (6th) one (not part of my test))
>
>
>
> 1)  this userid, group and STARTED info
> ag resgrp
> au resid dfltgrp(resgrp) special
> ALU RESID revoke nopassword   /* two key points so this id -cannot- be
> logged onto  */
> Rdef started resproc.* stdata(user(resid) group(resgrp) trace(yes))
> setr raclist(started) refresh

I'm confused, Russ. If he could create a user with SPECIAL, or define a
STARTED profile, wouldn't that usually indicate he's logged on to an ID
with SPECIAL already? And in that case, he wouldn't have the problem
he's talking about.

This is a good thing to have set up in advance, but after the fact if you
don't have it set up it doesn't help. (Much of simple emergency recovery
involves setting up the proper failsafe procedures beforehand.)

--
Walt Farrell
IBM STSM, z/OS Security Design