
List:       racf-l
Subject:    Re: Alu operation user
From:       "Tilton, Joel" <jtilton () DTCC ! COM>
Date:       2016-05-07 19:48:55
Message-ID: 3A1BC82C736F804BBED213AAA3D13C016BF551A0 () SXEMBP02 ! corp ! dtcc ! com

Hello,
There is no such profile in the FACILITY class that will give you authority to use ALTUSER to change the password of someone with system SPECIAL, OPERATIONS or AUDITOR.

Is that what you want to do though?

I might be misreading your response but at first you mention ALTUSER PASSWORD then later you mention PROTECTED (removal of the password).

Actually, none of the FACILITY class IRR authority checks for password reset are meant to grant access to change the password of or even remove the password from a system SPECIAL, OPERATIONS or AUDITOR user. You must be system SPECIAL to do that and this is working as designed.

I *think* if you grant group-special to a particular group and then change the owner on the UserIDs to match then you might be able to achieve what you want.

Also, if you happen to have zSecure Command Verifier installed then you could configure it to do what you want. Since it gets control before RACF does you can set up command policies that grant authority to change passwords based on UserID naming convention and the OWNER field. These policies will apply regardless of whether the user has system SPECIAL, OPERATIONS or AUDITOR.

Hope that helps,

Joel Tilton
Senior Security Engineer
EC Mainframe Security Engineering
DTCC Tampa
jtilton@dtcc.com
+1 813-470-2160

-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of Jorge Garcia Juanino
Sent: Saturday, May 07, 2016 11:50 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Alu operation user

Hi,

We need to develop a process for altuser password of a set of operations users with users with no protected attributes assigned (SPECIAL, OPERATION or AUDITOR). The IRR.PASSWORD.RESET and IRR.PWRESET.OWNER are not valid with users with protected attributes. Are there any profiles in FACILITY or XFACILIT class to allow this operation in OPERATION users? We don't want to change the attributes of the users that execute the ALU command. These attributes should remain without changes.

Regards

Jorge Garcia Juanino
z/OS Systems Manager
ACTP – DIAC – Operación y Soporte EMEA
MAPFRE
Avenida del Talgo 100-103 – 3 ª Planta
CP 28023 Madrid
Tel. 91 581 27 34, Mobile 618333559
jgarci12@mapfre.com


