z/OS Security Server RACF Security Administrator's Guide


Delegating help desk authorities for all users, excluding selected users

SA23-2289-00

In this scenario, an installation currently delegates the ability to reset passwords and list users to a group called HELPDESK by authorizing READ access to the IRR.PASSWORD.RESET profile and the IRR.LISTUSER profile in the FACILITY class. The installation wants to continue to delegate these abilities to the HELPDESK group but now wants to prevent the passwords of two users from being reset. In other words, users who are members of the HELPDESK group need to be authorized to reset passwords and list user profiles for all users except the group-SPECIAL users SHANNON and ANDREW.

The following examples remove the previous authorities from the HELPDESK group and then delegate the authority to reset passwords and list profiles for all users, excluding the two selected users.

  1. Remove the HELPDESK group from the access list of the IRR.PASSWORD.RESET and IRR.LISTUSER profiles. (DELETE removes only the HELPDESK entry; RESET would clear the profile's entire access list.)
    Examples:
    PERMIT IRR.PASSWORD.RESET CLASS(FACILITY) ID(HELPDESK) DELETE
    PERMIT IRR.LISTUSER CLASS(FACILITY) ID(HELPDESK) DELETE
    
    SETROPTS CLASSACT(FACILITY)
       or, if the FACILITY class is already active and RACLISTed:
       SETROPTS RACLIST(FACILITY) REFRESH
  2. Delegate help desk authorities to the HELPDESK group using the IRR.LU and IRR.PWRESET profiles, excluding selected users.
    Examples:
    RDEFINE FACILITY IRR.LU.OWNER.* UACC(NONE) 
       AUDIT(FAILURES(NONE) SUCCESSES(READ))
    PERMIT IRR.LU.OWNER.* CLASS(FACILITY) ACCESS(READ) ID(HELPDESK)
    
    RDEFINE FACILITY IRR.PWRESET.OWNER.* UACC(NONE) 
       AUDIT(FAILURES(NONE) SUCCESSES(READ))
    PERMIT IRR.PWRESET.OWNER.* CLASS(FACILITY) ACCESS(READ) ID(HELPDESK)
    
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.ANDREW UACC(NONE)
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.SHANNON UACC(NONE)
    
    RDEFINE FACILITY IRR.LU.EXCLUDE.ANDREW UACC(NONE)
    RDEFINE FACILITY IRR.LU.EXCLUDE.SHANNON UACC(NONE)
    
    SETROPTS CLASSACT(FACILITY)
       or, if the FACILITY class is already active and RACLISTed:
       SETROPTS RACLIST(FACILITY) REFRESH
    Note: In this scenario, there are no other profiles beginning with IRR.PWRESET.OWNER or IRR.LU.OWNER. If there are, the HELPDESK group must be given READ access to each such profile, because a more specific profile takes precedence over the generic IRR.PWRESET.OWNER.* or IRR.LU.OWNER.* profile for the users it covers.
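The authorization logic this scenario sets up, as an added Python model (not IBM's code and not RACF itself): most-specific profile selection, the access-list check, the EXCLUDE profiles shielding ANDREW and SHANNON, and why the Note's more specific OWNER profiles need their own PERMIT. DEPT10, JSMITH, KLEE and HDUSER1 are hypothetical names, and the model assumes that READ access to an EXCLUDE profile lifts the exclusion.

```python
# Model of the help desk password-reset check described on this page. Added
# example, not IBM code: RACF profile matching and the EXCLUDE rule are
# simplified, and every profile, user and owner below is constructed.
from fnmatch import fnmatchcase

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed FACILITY profiles: name -> UACC and access list.
PROFILES = {
    "IRR.PWRESET.OWNER.*": {"uacc": "NONE", "acl": {"HELPDESK": "READ"}},
    "IRR.PWRESET.EXCLUDE.ANDREW": {"uacc": "NONE", "acl": {}},
    "IRR.PWRESET.EXCLUDE.SHANNON": {"uacc": "NONE", "acl": {}},
    # A more specific OWNER profile, as in the Note; HELPDESK is not on its list.
    "IRR.PWRESET.OWNER.DEPT10": {"uacc": "NONE", "acl": {}},
}
# Constructed user profiles: userid -> owner of that user profile (hypothetical).
USER_OWNER = {"ANDREW": "SYS1", "SHANNON": "SYS1", "KLEE": "SYS1", "JSMITH": "DEPT10"}

def best_match(resource):
    """Exact profile wins; otherwise the matching generic with the most literal
    characters (a simplification of RACF's most-specific-profile rule)."""
    if resource in PROFILES:
        return resource
    generics = [p for p in PROFILES if "*" in p and fnmatchcase(resource, p)]
    return max(generics, key=lambda p: len(p.replace("*", "")), default=None)

def has_read(ids, resource):
    """ids holds the requester's userid plus its connected groups."""
    name = best_match(resource)
    if name is None:
        return False  # no profile covers the resource: no help desk authority
    prof = PROFILES[name]
    granted = max([prof["acl"].get(i, "NONE") for i in ids] + [prof["uacc"]],
                  key=LEVELS.index)
    return LEVELS.index(granted) >= LEVELS.index("READ")

def can_reset_password(ids, target):
    """READ to IRR.PWRESET.OWNER.<owner of target> authorizes the reset unless
    IRR.PWRESET.EXCLUDE.<target> exists and does not grant the requester READ
    (assumption: READ on the EXCLUDE profile lifts the exclusion)."""
    exclude = f"IRR.PWRESET.EXCLUDE.{target}"
    if exclude in PROFILES and not has_read(ids, exclude):
        return False
    return has_read(ids, f"IRR.PWRESET.OWNER.{USER_OWNER[target]}")

def permit(profile, id_, access):
    """Mimic PERMIT profile CLASS(FACILITY) ID(id) ACCESS(access)."""
    PROFILES[profile]["acl"][id_] = access
```

Running `can_reset_password({"HDUSER1", "HELPDESK"}, "JSMITH")` before and after `permit("IRR.PWRESET.OWNER.DEPT10", "HELPDESK", "READ")` shows the effect the Note warns about.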


Copyright IBM Corporation 1990, 2014