When crossing segment boundaries in queries about USERs or GROUPs, it is often easier to start with TYPE=ID and do lookups.
Also, LJDATE is not necessarily the best field to determine whether users have logged on, since it also reflects when an administrator last changed the profile. LAST_CONNECT_DATE is generally more accurate unless connects have been removed since the last logon. This query will tell which users logged on at least once, but the last time was more than 120 days ago:
n type=id title='TSO users logged on but longer than 120 days ago'
s tso=yes :last_connect_date<today-120
d id :name :ljdate :last_connect_date
In addition, the query would tell which users have never logged on with their current set of connects:
n type=id title='TSO users never logged on with current connects'
s tso=yes :last_connect_date>today+10000
d id :name :ljdate :last_connect_date
The latter is a bit tricky because 'last_connect_date' is internally a Julian date in packed decimal that is set to 'FFFFFF'X when not in use yet.
------------------------------
Hans Schoone
Chief Architect zSecure
IBM
Delft
------------------------------
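The three-way split that the two TYPE=ID queries above produce (logged on recently, logged on more than 120 days ago, never logged on with current connects), as an added Python example that is not part of the thread and is not zSecure code. The 3-byte yydddF layout, the century pivot of 71, and the user IDs are assumptions made for illustration; only the 'FFFFFF'X sentinel comes from the post.

```python
from datetime import date, timedelta

UNSET = bytes.fromhex("FFFFFF")  # sentinel from the post: field not in use yet


def decode_packed_julian(raw, pivot=71):
    """Decode a packed-decimal Julian date; None means 'not in use yet'.

    Assumed layout (not stated in the thread): 3 bytes, digits yyddd plus a
    sign nibble, with yy >= pivot read as 19yy and yy < pivot as 20yy.
    """
    if len(raw) != 3:
        raise ValueError("expected 3 bytes")
    if raw == UNSET:
        return None  # must be tested first: FFFFFF is not a valid date
    digits = raw.hex()
    if digits[5] not in "cf" or not digits[:5].isdigit():
        raise ValueError("not a packed-decimal date: " + digits)
    yy, ddd = int(digits[:2]), int(digits[2:5])
    year = (1900 if yy >= pivot else 2000) + yy
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    if not 1 <= ddd <= days_in_year:
        raise ValueError("day of year out of range: " + digits)
    return date(year, 1, 1) + timedelta(days=ddd - 1)


def classify(raw, today, max_age_days=120):
    """Return 'never', 'dormant' or 'active' for one last-connect value."""
    last = decode_packed_julian(raw)
    if last is None:
        return "never"
    return "dormant" if last < today - timedelta(days=max_age_days) else "active"


def report(users, today):
    return {user: classify(raw, today) for user, raw in users.items()}


# Constructed sample data (user IDs and dates are made up).
SAMPLE = {
    "PUSER1": bytes.fromhex("22031F"),  # 2022, day 031
    "PUSER2": bytes.fromhex("21200F"),  # 2021, day 200
    "PUSER3": UNSET,                    # no logon with current connects
}

if __name__ == "__main__":
    for user, state in report(SAMPLE, date(2022, 2, 1)).items():
        print(user, state)
```

A plain "older than 120 days" comparison says nothing useful about the sentinel value, which is why the never-used case is tested before any date arithmetic.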
Original Message:
Sent: Mon January 31, 2022 02:46 AM
From: Jeroen Tiggelman
Subject: List of TSO users not logged on for long time
Hi Mohammed,
In the RACF database a logical user profile is contained in multiple records, called profile segments--a BASE segment and a variable number of application segments that can be present or absent. The specification on the SELECT statement is to specify the physical record. There are no records that are at the same time BASE and TSO segment, therefore you get no results on that specification.
In the user interface there is an option "Segment presence" in RA.U. If you tag that and choose the TSO segment, and you don't specify additional selections on the contents of the TSO segment, the code that is generated will look somewhat like this:
n required segment=TSO n=selsegm outlim=0
s c=user MASK=P* segment=TSO
sortlist segment
n rds proflist=selsegm required allowrestrict i=base segment=BASE n=baseud t=:t1,
  st='Users like P* with last logon < TODAY-120, norevoke, segment TSO',
  sumhelppanel=CKRT3SBP,
  nodetailinherit helppanel=c2rt3utd detailhelppanel=c2rt3ude
s s=base c=user MASK=P* last_connect_date<TODAY-120,
  ( norevoke)
The query here separately selects the TSO and BASE segments. The first newlist for the TSO segment generates no output because of OUTLIM=0. (OUTLIM specifies the maximum number of records to output.) Its use is as a selection filter for the second newlist only. The first newlist is named SELSEGM (through the NAME= parameter, which can be abbreviated to N=) and the second newlist uses it as a filter by specifying PROFLIST=SELSEGM--PROFLIST specifies that only profiles that are selected in the named newlist should be listed. "Profile" here means the entire user profile--this is how CARLa connects the various physical segments to each other logically.
The minimum you need would be something like:
newlist name=tsousers outlim=0
select class=user segment=tso
sortlist key
newlist proflist=tsousers ....
I hope this helps.
Regards,
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
Original Message:
Sent: Sun January 30, 2022 10:59 PM
From: Mohammed Ibrahem
Subject: List of TSO users not logged on for long time
Hi All
I am trying to get a list of users that have not logged on for more than 120 days with the below code
select class=user segment=base mask=p* not(revoke) ,
LJDATE<TODAY-120
sortlist key("USER_ID",10) key:name("USER_NAME",25),key:INSTDATA,
LJDATE("LAST_CONNECT_DATE") LJTIME("LAST_CONNECT_TIME")
endmerge
but I want to select on only users with TSO logon
I tried to make select ((class=user segment=base) and (class=user segment=TSO)) but it did not work
Please advise
Thanks
------------------------------
Mohammed Ibrahem
------------------------------