List: racf-l
Subject: Re: Alu operation user
From: "Tilton, Joel" <jtilton () DTCC ! COM>
Date: 2016-05-07 19:48:55
Message-ID: 3A1BC82C736F804BBED213AAA3D13C016BF551A0 () SXEMBP02 ! corp ! dtcc ! com
Hello,
There is no such profile in the FACILITY class that will give you authority to use ALTUSER to change the password of someone with system SPECIAL, OPERATIONS or AUDITOR.
Is that what you want to do though?
I might be misreading your response but at first you mention ALTUSER PASSWORD then later you mention PROTECTED (removal of the password).
Actually, none of the FACILITY class IRR authority checks for password reset are meant to grant access to change the password of or even remove the password from a system SPECIAL, OPERATIONS or AUDITOR user. You must be system SPECIAL to do that and this is working as designed.
I *think* if you grant group-special to a particular group and then change the owner on the UserIDs to match then you might be able to achieve what you want.
Also, if you happen to have zSecure Command Verifier installed then you could configure it to do what you want. Since it gets control before RACF does you can set up command policies that grant authority to change passwords based on UserID naming convention and the OWNER field. These policies will apply regardless of whether the user has system SPECIAL, OPERATIONS or AUDITOR.
Hope that helps,
Joel Tilton
Senior Security Engineer
EC Mainframe Security Engineering
DTCC Tampa
jtilton@dtcc.com
+1 813-470-2160
Classification: DTCC Non-Confidential (WHITE)
The views I have expressed in this email are my own personal views, and are not endorsed or supported by, and do not necessarily express or reflect, the views, positions or strategies of my employer.
-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of Jorge Garcia Juanino
Sent: Saturday, May 07, 2016 11:50 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Alu operation user
Hi,
We need to develop a process for altuser password of a set operations users with a users with no protected attributes assigned (SPECIAL, OPERATION or AUDITOR). The IRR.PASSWORD.RESET and IRR.PWRESET.OWNER are not valid with users with protected attributes. Are there any profiles in the FACILITY or XFACILIT class to allow this operation on OPERATION users? We don't want to change the attributes of the users that execute the ALU command. These attributes should remain without changes.
Regards
Jorge Garcia Juanino
Gerente sistemas z/OS
ACTP – DIAC – Operación y Soporte EMEA
MAPFRE
Avenida del Talgo 100-103 – 3 ª Planta
CP 28023 Madrid
Tel. 91 581 27 34, Movil 618333559
jgarci12@mapfre.com