z/OS Security Server RACF Security Administrator's Guide


General considerations for user ID delegation

SA23-2289-00

This topic discusses things to consider when delegating administrative tasks to other users.
  • In general, centralize first, delegate later.
  • Consider the trade-offs:
    • Should one user handle all of the administration workload?
    • Should many users all be learning RACF® simultaneously?
  • RACF groups (not users) should own resource profiles.
  • Authorize groups rather than users to resource profiles.
  • Delegate power (group-SPECIAL) with care.
  • Have standby SPECIAL and OPERATIONS user IDs for emergency situations.

    Guideline: Carefully limit who has knowledge of the passwords for standby user IDs, and change those passwords when personnel changes occur.

  • After control has been given, it is difficult to take it away again.
  • Group-SPECIAL is the most powerful authority a user can have at the group level.
    • Group-SPECIAL enables the user to use more commands.
    • Group-SPECIAL also percolates to other groups, as far as the scope of the group allows.
Choose the best option for your installation.
  • For authority over a single group of users based on protection objectives, use JOIN and CLAUTH(USER).
  • For authority over one or more groups of users based on protection objectives and scope of the group, use group-SPECIAL and CLAUTH(USER).
Note: The group-SPECIAL attribute allows password resetting for user IDs within the group whereas JOIN does not.

Figure 1 shows delegating authority in another way.

Figure 1. Delegating authority (user profiles)

A user with the SPECIAL attribute has full authority over all users and groups. By contrast, a user without the SPECIAL attribute might require a combination of authorities to complete the same tasks with limited scope.

For example, to create a new RACF user, a creating user without the SPECIAL attribute must have the CLAUTH(USER) attribute and at least one of the following:

  • JOIN group authority in the new user's default group
  • Ownership of the new user's default group
  • Group-SPECIAL in the new user's default group
  • The SPECIAL attribute
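The following REXX exec is an added example, not part of this guide or of any IBM-supplied code. It shows a SPECIAL administrator setting up the two delegation options described above (JOIN plus CLAUTH(USER), and group-SPECIAL plus CLAUTH(USER)) for a help desk group. The group name HELPDSK, the user IDs ADMIN1 and ADMIN2, and the superior group SYS1 are assumptions chosen for illustration.

```rexx
/* REXX */
/* Constructed example (not from the IBM guide): a SPECIAL administrator  */
/* sets up the two delegation options described in the text.              */
/* Group, user ID and superior-group names are assumptions.               */

/* The group that will own the delegated user profiles. Following the     */
/* guideline that groups, not users, own profiles, every user created by  */
/* a delegate will have OWNER(HELPDSK).                                   */
CALL racf "ADDGROUP HELPDSK SUPGROUP(SYS1) OWNER(SYS1)"

/* Option A: JOIN in the group plus CLAUTH(USER). ADMIN1 can add users    */
/* whose default group is HELPDSK, but cannot reset their passwords.      */
CALL racf "ALTUSER ADMIN1 CLAUTH(USER)"
CALL racf "CONNECT ADMIN1 GROUP(HELPDSK) AUTHORITY(JOIN)"

/* Option B: group-SPECIAL plus CLAUTH(USER). ADMIN2 can do everything    */
/* ADMIN1 can and can also ALTUSER (including password resets) any user   */
/* within the scope of HELPDSK. This is the option to delegate with care. */
CALL racf "ALTUSER ADMIN2 CLAUTH(USER)"
CALL racf "CONNECT ADMIN2 GROUP(HELPDSK) SPECIAL"

/* Confirm the result: LISTUSER shows the class authorization (USER) and  */
/* the connect attributes (JOIN authority or SPECIAL) under HELPDSK.      */
CALL racf "LISTUSER ADMIN1"
CALL racf "LISTUSER ADMIN2"
EXIT 0

/* Issue one RACF command under TSO and stop on the first failure, so a   */
/* half-finished delegation is never left behind silently.                */
racf: PROCEDURE
  PARSE ARG cmd
  ADDRESS TSO cmd
  IF rc <> 0 THEN DO
    SAY 'RACF command failed, RC='rc':' cmd
    EXIT rc
  END
RETURN
```

After the exec has run, ADMIN1 can issue ADDUSER NEWUSR1 DFLTGRP(HELPDSK) OWNER(HELPDSK) PASSWORD(...) from its own TSO session because it holds JOIN in the new user's default group and CLAUTH(USER). ADMIN2 can issue the same ADDUSER and, in addition, ALTUSER NEWUSR1 PASSWORD(...) RESUME; the same ALTUSER from ADMIN1 is rejected, which is the JOIN-versus-group-SPECIAL difference the note above describes.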
For detailed information about the authorities required for the following administrative tasks related to user ID delegation, see the "Authorization required" topic for the associated RACF command in z/OS Security Server RACF Command Language Reference.
User ID delegation task                               Associated RACF command
Create a new RACF user                                ADDUSER
Connect or remove an existing RACF user               CONNECT or REMOVE
Reset passwords or modify fields in a user profile    ALTUSER
List user profile information                         LISTUSER
Delete a user                                         DELUSER

For details about the group-SPECIAL attribute, see User attributes at the group level and The SPECIAL or group-SPECIAL attribute.

For details about delegating administrative tasks to help desk personnel, see Authorizing help desk functions.

Copyright IBM Corporation 1990, 2014