Unless things have changed, the problem is that RACF permissions granted
directly to a user to a dataset profile or other resource profile are
stored as part of that resource profile, not as part of a user
profile. While user attributes and group connections to a user are
easy to clone just by looking at or parsing a display of the
to-be-cloned user profile, unless your installation only grants
permissions via groups that are then connected to users, in the worst
case you are forced to examine ALL resource profiles to see which ones
had permissions for the to-be-cloned user profile and grant similar
permits to the new user profile.

While it could be done, it was judged impractical to examine all
resource-to-user permissions from the actual RACF database; so we used a
standard RACF utility to dump the RACF database in a format that could
then be uploaded into DB2 tables every night. The DB2 tables could be
efficiently queried to find what resource permits were granted to a
specific user and needed to be cloned, and we just cloned from userids
that we knew hadn't been changed since the last RACF DB2 table build.

We did use REXX code to do the cloning, but it used a combination of
RACF commands and DB2 queries to determine what needed to be done. Our
Rexx code was not completely generic, but was customized for our
installation's RACF standards and conventions, which meant that some
classes of resource profiles were only granted to group profiles and
could be safely ignored when cloning a user as they would be covered by
replicating the group connects for the user.

Joel C Ewing

On 1/17/20 12:25 PM, Charles Mills wrote:
X-posted RACF-L and IBM-MAIN.

A Google search reveals that the question "how do I clone a user in RACF?"
has been asked before and the answer is basically "buy Vanguard, Beta88 or
zSecure." People also mentioned "you might write a Rexx script to do this."
Not having one of those proprietary products I searched the CBT tape to see
if such a Rexx script were to be found there, without success.

So my question is: does anyone know of a CBT or similar tool to clone a RACF
user, or does anyone have a Rexx script that they might be willing to share?

Thanks,
Charles

--
Joel C. Ewing
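
The approach described in the reply above (query the unloaded permit tables for the source user, skip classes that are only ever permitted to groups, then emit CONNECT and PERMIT commands for the new user), as an added example that is not code from the original post. Assumptions: SQLite stands in for DB2, the table and column names are hypothetical, and the user IDs, groups and profiles are constructed sample data.

```python
import sqlite3

# Hypothetical tables standing in for the nightly DB2 copy of the RACF unload.
SCHEMA = """
CREATE TABLE connects  (user_id TEXT, group_id TEXT, authority TEXT);
CREATE TABLE ds_access (profile TEXT, generic INTEGER, auth_id TEXT, access TEXT);
CREATE TABLE gr_access (class_name TEXT, profile TEXT, auth_id TEXT, access TEXT);
"""

def sample_db():
    """Build an in-memory database with constructed rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connects VALUES (?,?,?)",
                   [("OLDUSR", "PAYGRP", "USE"), ("OTHER", "SYSGRP", "USE")])
    db.executemany("INSERT INTO ds_access VALUES (?,?,?,?)",
                   [("PAYROLL.PROD.**", 1, "OLDUSR", "READ"),
                    ("PAYROLL.PROD.**", 1, "PAYGRP", "UPDATE"),  # group permit
                    ("FIN.LEDGER.MASTER", 0, "OLDUSR", "UPDATE")])
    db.executemany("INSERT INTO gr_access VALUES (?,?,?,?)",
                   [("FACILITY", "PAY.REPORT.RUN", "OLDUSR", "READ"),
                    ("TCICSTRN", "PAY1", "OLDUSR", "READ")])
    return db

def clone_commands(db, source, target, group_only_classes=()):
    """Return RACF commands that copy group connects and direct permits."""
    cmds = []
    for group, auth in db.execute(
            "SELECT group_id, authority FROM connects WHERE user_id = ? "
            "ORDER BY group_id", (source,)):
        cmds.append(f"CONNECT {target} GROUP({group}) AUTHORITY({auth})")
    # Direct data set permits live with the resource profile, not the user.
    for profile, generic, access in db.execute(
            "SELECT profile, generic, access FROM ds_access WHERE auth_id = ? "
            "ORDER BY profile", (source,)):
        suffix = " GENERIC" if generic else ""
        cmds.append(f"PERMIT '{profile}' ID({target}) ACCESS({access}){suffix}")
    for cls, profile, access in db.execute(
            "SELECT class_name, profile, access FROM gr_access "
            "WHERE auth_id = ? ORDER BY class_name, profile", (source,)):
        if cls in group_only_classes:  # site convention: covered by connects
            continue
        cmds.append(f"PERMIT {profile} CLASS({cls}) ID({target}) ACCESS({access})")
    return cmds

if __name__ == "__main__":
    for line in clone_commands(sample_db(), "OLDUSR", "NEWUSR", {"TCICSTRN"}):
        print(line)
```

The generated commands are only as current as the last table build, which is why the reply limits cloning to user IDs unchanged since that build.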