Discussion:
General RACF question for Walt
(too old to reply)
Blake, Daniel J [CTR]
2018-08-06 11:14:00 UTC
Permalink
Raw Message
Walt,

Years ago I was called to assist two different customers who both screwed up the only Special userid. In both cases I was able to switch to the IBM supplied RACF data bases that came with a ServerPac. Logged in with IBMUSER, switched back and reset the SPECIAL userid.

This was many years ago and I don't have a RACF protected system to play on. Is this option still available?

Thanks

;-D an



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Mike Schwab
2018-08-06 14:12:12 UTC
Permalink
Raw Message
Isn't that what the SYS1.UADS dataset is for? To allow signons without a
security system? And it using the 8th character as a sequence digit lead to
the 7 character TSO limit.

On Monday, August 6, 2018, Blake, Daniel J [CTR] <
Post by Blake, Daniel J [CTR]
Walt,
Years ago I was called to assist two different customers who both screwed
up the only Special userid. In both cases I was able to switch to the IBM
supplied RACF data bases that came with a ServerPac. Logged in with
IBMUSER, switched back and reset the SPECIAL userid.
This was many years ago and I don't have a RACF protected system to play
on. Is this option still available?
Thanks
;-D an
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Elardus Engelbrecht
2018-08-06 14:39:55 UTC
Permalink
Raw Message
Isn't that what the SYS1.UADS dataset is for? To allow signons without a security system?
Indeed, but these ids must be pre-defined and tested in the first place in UADS.

Anyways, I believe the original poster who really screwed up his system, should by now approach IBM for assistance.

One minute of lockup, holdup, unscheduled downtime, etc. is a serious NO-NO in a production system.

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Walt Farrell
2018-08-06 14:50:56 UTC
Permalink
Raw Message
Post by Blake, Daniel J [CTR]
Years ago I was called to assist two different customers who both screwed up the only Special userid. In both cases I was able to switch to the IBM supplied RACF data bases that came with a ServerPac. Logged in with IBMUSER, switched back and reset the SPECIAL userid.
This was many years ago and I don't have a RACF protected system to play on. Is this option still available?
It's hard to say whether that would work. For one thing, without an IPL you can only switch to a database of the same name as the one(s) you're already using.

Every shop should have procedures in place for handling a situation like this without an IPL, and should also have additional procedures in place to IPL a "one-pack" recovery system in case their normal recovery procedures don't work for some reason.

A few common procedures that can help without an IPL:
(1) The ability for someone with SPECIAL to logon to an MVS operator console and issue RACF commands.
(2) An STC with SPECIAL that will issue an ALTUSER RESUME for one or more of the SPECIAL users.
(3) The ability for someone with SPECIAL to logon to TSO without using a session manager.

There are others, but those are easy. They do need to be setup in advance and tested regularly, along with recovery procedures for other critical system components (no JES, no catalog, etc.).
--
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Loading...