Levels of authority
When you delegate authority to a general user or group for
resuming user IDs and resetting passwords and password phrases, define
profiles in the FACILITY class to protect one or more of the following
resources, based on the scope of authority you need to delegate.
- IRR.PASSWORD.RESET
  - Use this resource when the scope of authority includes all users.
- IRR.PWRESET.OWNER.owner
  - Use this resource when the scope of authority is a limited set of selected users based on the owner of the user ID.
- IRR.PWRESET.TREE.owner
  - Use this resource when the scope of authority is a limited set of selected users based on the scope of a group tree.
- IRR.PWRESET.EXCLUDE.excluded-user
  - Use this resource to exclude a user profile from the scope of IRR.PWRESET.OWNER.owner and IRR.PWRESET.TREE.owner authority.
Restriction: You cannot delegate authority through the IRR.PASSWORD.RESET
or IRR.PWRESET resources to authorize a general user or group to resume
a revoked user or reset the password or password phrase for a user
with any of the following attributes. Only users with the SPECIAL
attribute, or the appropriate group-SPECIAL attribute, have resume
and reset authorities for users with these attributes:
- SPECIAL
- OPERATIONS
- AUDITOR
- ROAUDIT
- PROTECTED.
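
When reviewing a delegation, the useful question is which user IDs a given delegate can actually reach. The sketch below is an added example, not IBM code: it models the four resources and the restriction above over constructed users, groups, and access lists. It assumes a group tree follows the superior-group chain and that a defined EXCLUDE profile excludes its user, and it does not model access levels.

```python
# Added illustration (simplified model, constructed sample data throughout).
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR", "ROAUDIT", "PROTECTED"}

# user ID -> (owner of the user profile, user attributes)
USERS = {
    "ALICE": ("PAYROLL", set()),
    "BOB": ("PAYROLL", {"AUDITOR"}),
    "CAROL": ("PAYEAST", set()),
    "DAVE": ("SALES", set()),
    "ERIN": ("PAYEAST", set()),
}
# group -> superior group; PAYEAST sits under PAYROLL (assumed tree model)
SUPGROUP = {"PAYEAST": "PAYROLL", "PAYROLL": "SYS1", "SALES": "SYS1"}

# FACILITY profile -> delegates on its access list
PROFILES = {
    "IRR.PWRESET.OWNER.PAYROLL": {"HELPDSK1"},
    "IRR.PWRESET.TREE.PAYROLL": {"HELPDSK2"},
    "IRR.PWRESET.EXCLUDE.ERIN": set(),
    "IRR.PASSWORD.RESET": {"SECADMIN"},
}

def in_tree(group, root):
    """True if group is root or sits below root in the group tree."""
    while group is not None:
        if group == root:
            return True
        group = SUPGROUP.get(group)
    return False

def reset_scope(delegate):
    """Sorted user IDs the delegate can resume or reset in this model."""
    excluded = {p.rsplit(".", 1)[1] for p in PROFILES
                if p.startswith("IRR.PWRESET.EXCLUDE.")}
    scope = set()
    for profile, delegates in PROFILES.items():
        if delegate not in delegates:
            continue
        qualifier = profile.rsplit(".", 1)[1]
        for user, (owner, attrs) in USERS.items():
            if attrs & PRIVILEGED:
                continue  # restriction: not delegable through these resources
            if profile == "IRR.PASSWORD.RESET":
                scope.add(user)  # all users; EXCLUDE is listed only for OWNER and TREE
            elif user in excluded:
                continue
            elif profile.startswith("IRR.PWRESET.OWNER.") and owner == qualifier:
                scope.add(user)
            elif profile.startswith("IRR.PWRESET.TREE.") and in_tree(owner, qualifier):
                scope.add(user)
    return sorted(scope)
```

Comparing the result for an OWNER delegate with that for a TREE delegate on the same qualifier shows how much wider the tree scope is before it is granted.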
Access authority to the IRR.PASSWORD.RESET, IRR.PWRESET.OWNER, IRR.PWRESET.TREE, and IRR.PWRESET.EXCLUDE resources | Authorities for using the ALTUSER command that you can delegate to a general user or group |
---|---|
READ | |
UPDATE | |
CONTROL | |
Note: |