z/OS Security Server RACF Security Administrator's Guide


Delegating the authority to list user information in only selected user profiles

SA23-2289-00

You can limit the authority of a general user or group to list user information by authorizing the user or group to list only a selected set of user profiles. You can limit the selected set of user profiles in the following ways:
  • Delegating by owner

    You can limit the authority of a general user or group to list user information in user profiles based on the owner of the user profile. To do this, authorize the LISTUSER command issuer with READ authority to the IRR.LU.OWNER.owner resource in the FACILITY class.

    For details, see Delegating the authority to list user information by owner.

  • Delegating by group tree

    You can limit the authority of a general user or group to list user information in only user profiles that are within the scope of a selected group tree. To do this, authorize the LISTUSER command issuer with READ authority to the IRR.LU.TREE.owner resource in the FACILITY class.

    For details, see Delegating the authority to list user information by group tree.

  • Excluding user profiles

    You can exclude selected user profiles from the scope of IRR.LU.OWNER.owner and IRR.LU.TREE.owner processing. To do this, protect the IRR.LU.EXCLUDE.user-ID resource in the FACILITY class.

    For details, see Excluding selected user profiles.

To authorize a general user or group to list user information in only selected user profiles, define a profile to protect the appropriate IRR.LU.OWNER or IRR.LU.TREE resource in the FACILITY class and grant READ access to authorize users and groups. If you do not define this profile, standard LISTUSER authority checking applies when RACF® determines whether the command issuer is authorized.

The IRR.LU.OWNER and IRR.LU.TREE authorities authorize a general user to list the base segment in the profile of any user—based on owner or scope of the group tree—including protected users. Restriction: These authorities do not apply when the target of the LISTUSER command has the SPECIAL, AUDITOR, or OPERATIONS attribute.

RACF does not log failed access attempts to IRR.LU resources. Successful accesses to IRR.LU resources are logged at the installation's discretion.
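The delegation steps above, carried through as an added example that is not from this page, written as a TSO CLIST; the group names HRGRP and DEPT01 and the user IDs HELPDESK, AUDIT1 and PAYADM are constructed for illustration, and AUDIT(SUCCESS(READ)) supplies the optional success logging the page leaves to the installation:

```clist
/* Delegate by owner: let group HELPDESK list user profiles owned  */
/* by group HRGRP. UACC(NONE) keeps everyone else on standard      */
/* LISTUSER checking; AUDIT(SUCCESS(READ)) records each use.       */
RDEFINE FACILITY IRR.LU.OWNER.HRGRP UACC(NONE) AUDIT(SUCCESS(READ))
PERMIT IRR.LU.OWNER.HRGRP CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)

/* Delegate by group tree: let user AUDIT1 list user profiles      */
/* within the scope of the group tree starting at DEPT01.          */
RDEFINE FACILITY IRR.LU.TREE.DEPT01 UACC(NONE) AUDIT(SUCCESS(READ))
PERMIT IRR.LU.TREE.DEPT01 CLASS(FACILITY) ID(AUDIT1) ACCESS(READ)

/* Exclude the sensitive user PAYADM from both delegations above   */
/* by protecting its IRR.LU.EXCLUDE resource.                      */
RDEFINE FACILITY IRR.LU.EXCLUDE.PAYADM UACC(NONE)

/* FACILITY is normally RACLISTed, so refresh the in-storage copy  */
/* or the new profiles have no effect (assumed local setup).       */
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify who now holds READ on each delegation profile.           */
RLIST FACILITY IRR.LU.OWNER.HRGRP AUTHUSER
RLIST FACILITY IRR.LU.TREE.DEPT01 AUTHUSER
RLIST FACILITY IRR.LU.EXCLUDE.PAYADM AUTHUSER
```

Targets holding SPECIAL, AUDITOR or OPERATIONS remain outside these delegations regardless of the profiles defined here.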

Copyright IBM Corporation 1990, 2014