Steps for Excluding Selected Users

Perform the following steps to exclude selected user profiles from the authority of a general user or group that is authorized through the IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner resource in the FACILITY class.
  1. Define the following generic profiles in the FACILITY class, if not already defined. Doing so ensures that an existing generic profile does not inadvertently prevent you from successfully excluding selected users.
    Example:
    RDEFINE FACILITY IRR.PASSWORD.RESET.**  UACC(NONE)
    RDEFINE FACILITY IRR.PWRESET.**         UACC(NONE)
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.** UACC(READ)
    If you use UPDATE or CONTROL access for any IRR.PWRESET profile, as described in Table 1, specify the higher level (UPDATE or CONTROL) with the UACC operand for the IRR.PWRESET.EXCLUDE.** profile instead of the UACC(READ) option shown in this example.
  2. Define a profile to protect the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class, where excluded-user is the user ID you want to exclude.
    Examples:
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.SHANNON UACC(NONE)
       AUDIT(FAILURES(READ) SUCCESS(READ))
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.GRPADM* UACC(NONE)
       AUDIT(FAILURES(READ) SUCCESS(READ))

    ______________________________________________________________________

  3. Optionally, authorize selected users and groups with READ, UPDATE, or CONTROL access to the IRR.PWRESET.EXCLUDE.excluded-user resource, according to Table 1. Perform this step only when certain users or groups who are authorized to an IRR.PWRESET resource need to resume the user ID or reset the password or password phrase of the excluded user.
    Examples:
    PERMIT IRR.PWRESET.EXCLUDE.SHANNON CLASS(FACILITY) ID(HELPMGR) ACCESS(READ)
    PERMIT IRR.PWRESET.EXCLUDE.GRPADM* CLASS(FACILITY) ID(HELPMGR) ACCESS(CONTROL)

    ______________________________________________________________________

  4. Activate the FACILITY class if not already active.
    Example:
    SETROPTS CLASSACT(FACILITY) 
    If the FACILITY class is already active and RACLISTed, refresh the FACILITY class profiles.
    SETROPTS RACLIST(FACILITY) REFRESH

    ______________________________________________________________________

You have now excluded selected user profiles from the authority of a general user or group that is authorized through the IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner resource.
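
The following added example (not part of the original documentation) checks a RACF command script against steps 1 through 4 before it is run, and lists every PERMIT that exempts someone from an exclusion so the exceptions can be reviewed. The helper names `commands` and `review` and the sample script are constructed for illustration; the checks reflect only what this page states and do not query the RACF database.

```python
import re

VERBS = ("RDEFINE", "RALTER", "PERMIT", "SETROPTS")
BACKSTOPS = ("IRR.PASSWORD.RESET.**", "IRR.PWRESET.**", "IRR.PWRESET.EXCLUDE.**")
EXCL = "IRR.PWRESET.EXCLUDE."

# Constructed input: this page's commands with deliberate deviations.
SAMPLE = """\
RDEFINE FACILITY IRR.PWRESET.**         UACC(NONE)
RDEFINE FACILITY IRR.PWRESET.EXCLUDE.** UACC(READ)
RDEFINE FACILITY IRR.PWRESET.EXCLUDE.SHANNON UACC(READ)
   AUDIT(FAILURES(READ) SUCCESS(READ))
SETROPTS RACLIST(FACILITY) REFRESH
PERMIT IRR.PWRESET.EXCLUDE.SHANNON CLASS(FACILITY) ID(HELPMGR) ACCESS(READ)
"""

def commands(text):
    """Fold continuation lines (any line not starting with a verb) into commands."""
    out = []
    for line in text.upper().splitlines():
        line = line.strip().rstrip("-+").strip()
        if line and (line.split()[0] in VERBS or not out):
            out.append(line)
        elif line:
            out[-1] += " " + line
    return out

def review(text):
    """Hypothetical helper: return (findings, exceptions) for a command script."""
    findings, exceptions, uacc, dirty = [], [], {}, False
    for cmd in commands(text):
        rdef = re.match(r"(?:RDEFINE|RALTER)\s+FACILITY\s+(\S+).*?UACC\((\w+)\)", cmd)
        perm = re.match(r"PERMIT\s+(\S+)", cmd)
        if rdef:
            uacc[rdef.group(1)], dirty = rdef.group(2), True
        elif perm and perm.group(1).startswith(EXCL):
            who = re.search(r"\bID\(([^)]*)\)", cmd)
            acc = re.search(r"ACCESS\((\w+)\)", cmd)
            if who and acc:  # someone keeps authority over an excluded user
                exceptions.append((perm.group(1), who.group(1), acc.group(1)))
            dirty = True
        elif cmd.startswith("SETROPTS") and re.search(r"REFRESH|CLASSACT", cmd):
            dirty = False
    for prof in BACKSTOPS:
        if prof not in uacc:
            findings.append(f"{prof}: not defined here, confirm it exists (step 1)")
    for prof, level in uacc.items():
        if prof == EXCL + "**" and level == "NONE":
            findings.append(f"{prof}: UACC(NONE), step 1 uses READ or higher")
        elif prof.startswith(EXCL) and prof != EXCL + "**" and level != "NONE":
            findings.append(f"{prof}: UACC({level}), step 2 uses UACC(NONE)")
    if dirty:
        findings.append("profile changes follow the last SETROPTS; rerun step 4")
    return findings, exceptions
```

Calling `review(SAMPLE)` reports the missing IRR.PASSWORD.RESET.** backstop, the SHANNON profile defined with UACC(READ), and the PERMIT issued after the refresh.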