z/OS Security Server RACF Security Administrator's Guide


Delegating help desk authorities by owner

SA23-2289-00

The following examples delegate help desk authorities based on the owner of user profiles.

  • User ANDREW needs the ability to view user profile information, reset passwords and password phrases, resume user IDs, and use the NOEXPIRED operand for users that are owned by TEAMLDR.
    Examples:
    RDEFINE FACILITY IRR.LU.OWNER.TEAMLDR UACC(NONE) 
      AUDIT(FAILURES(NONE) SUCCESSES(READ))
    PERMIT IRR.LU.OWNER.TEAMLDR CLASS(FACILITY) ACCESS(READ) ID(ANDREW)
    
    RDEFINE FACILITY IRR.PWRESET.OWNER.TEAMLDR UACC(NONE)
       AUDIT(FAILURES(NONE) SUCCESSES(READ))
    PERMIT IRR.PWRESET.OWNER.TEAMLDR CLASS(FACILITY) ACCESS(UPDATE) ID(ANDREW)
    
    SETROPTS CLASSACT(FACILITY)
       or, if the FACILITY class is already active and RACLISTed:
       SETROPTS RACLIST(FACILITY) REFRESH
  • The users connected to group HLPDESK8 need the ability to view user profile information, reset passwords and password phrases, and resume user IDs for users that are owned by group AREA8. The following commands also prevent the user profile of the help desk administration user ID (HELPADM) from being listed and prevent its password from being reset.
    Examples:
    RDEFINE FACILITY IRR.LU.OWNER.AREA8 UACC(NONE) 
       AUDIT(FAILURES(NONE) SUCCESSES(READ))
    PERMIT IRR.LU.OWNER.AREA8 CLASS(FACILITY) ACCESS(READ) ID(HLPDESK8)
    RDEFINE FACILITY IRR.LU.EXCLUDE.HELPADM UACC(NONE)
    
    RDEFINE FACILITY IRR.PWRESET.OWNER.AREA8 UACC(NONE) 
       AUDIT(FAILURES(NONE) SUCCESSES(READ))
    PERMIT IRR.PWRESET.OWNER.AREA8 CLASS(FACILITY) ACCESS(READ) ID(HLPDESK8)
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.HELPADM UACC(NONE) 
    
    SETROPTS CLASSACT(FACILITY)
       or, if the FACILITY class is already active and RACLISTed:
       SETROPTS RACLIST(FACILITY) REFRESH





Copyright IBM Corporation 1990, 2014