RACF User ID Management Question




Post by spassx » Tue Oct 26, 2010 12:55 am

Hello: I have a quick question: Is there a way to reconfigure RACF to not reuse a User ID that at any time was assigned to a person, even if the User account was deleted? Thank you.

Re: RACF User ID Management Question

Post by enrico-sorichetti » Tue Oct 26, 2010 12:00 pm

NO.
once a userid is deleted RACF forgets about it....
if You have a forcing need of remembering past/gone userids
the only way is to just revoke them,
for a deeper cleaning delete all the segments and the group associations
You will have lots of clutter in Your racf database anyway

the request seems a bit illogical from a good sense point of view
it would be like throwing away the garbage and keeping a copy of it
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort

Re: RACF User ID Management Question

Post by spassx » Tue Oct 26, 2010 6:04 pm

Thank you.

Re: RACF User ID Management Question

Post by dick scherrer » Tue Oct 26, 2010 11:08 pm

Hello,

If your system currently allows a "new" user to "inherit" stuff from some previous user, you have a major security problem. . . Well, imho. . .

Many (most) systems that I've supported assign the "Next" id to a new user so there is no issue with re-using an "old" id. It simply isn't done.
Hope this helps,
d.sch.

Re: RACF User ID Management Question

Post by steve-myers » Wed Oct 27, 2010 6:39 am

Once a userid has been deleted it's completely gone. RACF has no way to remember the userid. Rather than delete userids, most sites REVOKE the IDs of the dearly departed (or possibly the not so dearly departed). This way the data sets and RACF access profiles related to the users do not also have to be deleted.

