List: racf-l
Subject: Re: RACF-L Digest - 6 May 2016 to 7 May 2016 (#2016-87)
From: Jorge Garcia Juanino <jorgegjuanino () GMAIL ! COM>
Date: 2016-05-08 18:27:15
Message-ID: 22cf68a1-9bf1-7763-86aa-8bd80854b32d () gmail ! com
Thanks Joel,
We have zSecure. We'll investigate Command Verifier to develop a
solution.
Regards
On 08/05/2016 at 6:00, RACF-L automatic digest system wrote:
> There are 3 messages totaling 179 lines in this issue.
>
> Topics of the day:
>
> 1. Alu operation user (2)
> 2. How turn on SMF Event.Qualifier 1.0 Successful Logon?
>
> ----------------------------------------------------------------------
>
> Date: Sat, 7 May 2016 17:49:58 +0200
> From: Jorge Garcia Juanino <jorgegjuanino@GMAIL.COM>
> Subject: Alu operation user
>
> Hi,
>
> We need to develop a process for altuser password of a set of operations users
> with users with no protected attributes assigned (SPECIAL, OPERATION or
> AUDITOR). The IRR.PASSWORD.RESET and IRR.PWRESET.OWNER are not valid with
> users with protected attributes. Are there any profiles in FACILITY or
> XFACILIT class to allow this operation in OPERATION users? We don't want to
> change the attributes of the users that execute the ALU command. These
> attributes should remain without changes.
>
> Regards
>
> Jorge Garcia Juanino
> z/OS Systems Manager
> ACTP – DIAC – Operación y Soporte EMEA
> MAPFRE
> Avenida del Talgo 100-103 – 3 ª Planta
> CP 28023 Madrid
> Tel. 91 581 27 34, Mobile 618333559
> jgarci12@mapfre.com
>
>
>
>
> ------------------------------
>
> Date: Sat, 7 May 2016 19:48:55 +0000
> From: "Tilton, Joel" <jtilton@DTCC.COM>
> Subject: Re: Alu operation user
>
> Hello,
> There is no such profile in the FACILITY class that will give you authority
> to use ALTUSER to change the password of someone with system SPECIAL,
> OPERATIONS or AUDITOR.
> Is that what you want to do though?
>
> I might be misreading your response but at first you mention ALTUSER PASSWORD
> then later you mention PROTECTED (removal of the password).
> Actually, none of the FACILITY class IRR authority checks for password reset
> are meant to grant access to change the password of or even remove the
> password from a system SPECIAL, OPERATIONS or AUDITOR user. You must be
> system SPECIAL to do that and this is working as designed.
> I *think* if you grant group-special to a particular group and then changed
> the owner on the UserIDs to match then you might be able to achieve what you
> want.
> Also, if you happen to have zSecure Command Verifier installed then you could
> configure it to do what you want. Since it gets control before RACF does you
> can set up command policies that grant authority to change passwords based on
> UserID naming convention and the OWNER field. These policies will apply
> regardless of whether the user has system SPECIAL, OPERATIONS or AUDITOR.
> Hope that helps,
>
> Joel Tilton
> Senior Security Engineer
> EC Mainframe Security Engineering
> DTCC Tampa
> jtilton@dtcc.com
> +1 813-470-2160
>
>
> ------------------------------
>
> Date: Sat, 7 May 2016 14:13:20 -0700
> From: Charles Mills <charlesm@MCN.ORG>
> Subject: How turn on SMF Event.Qualifier 1.0 Successful Logon?
>
> I am sure if I read enough manuals I could solve this but I suspect someone
> here knows the answer right off: on a particular system the user is seeing
> other SMF Type 80 records but not Successful Logon records. What has to be
> turned on (in addition to SMF 80 for the particular subsystem in PARMLIB) to
> get these?
>
>
>
> Thanks!
>
>
>
> Charles Mills
>
> ------------------------------
>
> End of RACF-L Digest - 6 May 2016 to 7 May 2016 (#2016-87)
> **********************************************************