Before you begin:
- Make sure the LISTUSER command issuer does not have READ access
to the IRR.LISTUSER resource in the FACILITY class.
Perform the following steps to limit the authority of a general
user or group to list user information in selected user profiles based
on the owner of the user profiles.
- Define the following generic profiles in the FACILITY class, if
not already defined. Doing so ensures that an existing generic profile
does not inadvertently prevent you from successfully limiting this
authority.
Example:
RDEFINE FACILITY IRR.LISTUSER.** UACC(NONE)
RDEFINE FACILITY IRR.LU.** UACC(NONE)
RDEFINE FACILITY IRR.LU.EXCLUDE.** UACC(READ)
- Define a profile to protect the IRR.LU.OWNER.owner resource
in the FACILITY class, where owner is the user ID or group
that owns the user profiles.
Example:
RDEFINE FACILITY IRR.LU.OWNER.GROUP3 UACC(NONE)
AUDIT(FAILURES(NONE) SUCCESSES(READ))
______________________________________________________________________
- Authorize the general users or groups.
Example:
PERMIT IRR.LU.OWNER.GROUP3 CLASS(FACILITY) ID(HELPDESK USER19) ACCESS(READ)
______________________________________________________________________
- Activate the FACILITY class if not already active.
Example:
SETROPTS CLASSACT(FACILITY)
If the FACILITY class is already active and RACLISTed, refresh the
FACILITY class profiles.
SETROPTS RACLIST(FACILITY) REFRESH
______________________________________________________________________
You have now authorized a general user or group to list the base
segment of user profiles for selected users, including protected users,
and excluding users with the SPECIAL, OPERATION, or AUDITOR attribute,
based on the owner of the user profile.
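
The following REXX exec is an added example, not part of the original procedure or IBM-supplied code. It applies the owner-scoped steps above with the sample values from this page, stops at the first command that fails, and ends by listing the new profile for review. It assumes the generic profiles from the first step exist, the FACILITY class is already active and RACLISTed, and IRR.LU.OWNER.GROUP3 is not yet defined; the `run` helper is a hypothetical name.

```rexx
/* REXX - added example, not from the original page.                  */
/* Assumptions: run under TSO/E by a user authorized to issue these   */
/* RACF commands; FACILITY is already active and RACLISTed; the       */
/* IRR.LU.OWNER.GROUP3 profile does not exist yet.                    */
owner = 'GROUP3'                 /* owner of the user profiles (page) */
ids   = 'HELPDESK USER19'        /* IDs to authorize (page)           */
prof  = 'IRR.LU.OWNER.'owner

/* Define the owner-scoped profile; audit successful READ accesses.  */
call run 'RDEFINE FACILITY' prof 'UACC(NONE)',
         'AUDIT(FAILURES(NONE) SUCCESSES(READ))'

/* Authorize the general users or groups.                             */
call run 'PERMIT' prof 'CLASS(FACILITY) ID('ids') ACCESS(READ)'

/* Make the change effective in the RACLISTed class.                  */
call run 'SETROPTS RACLIST(FACILITY) REFRESH'

/* Review the result: UACC, access list and audit settings.           */
call run 'RLIST FACILITY' prof 'ALL'
exit 0

/* Hypothetical helper: echo a command, issue it, stop on non-zero RC */
run: procedure
  parse arg cmd
  say '>>>' cmd
  address TSO cmd
  if rc <> 0 then do
    say 'Stopping: RC='rc 'from the command above'
    exit rc
  end
  return
```

In the RLIST output, confirm that UACC is NONE and that only the intended IDs appear on the access list with READ.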