z/OS Security Server RACF Security Administrator's Guide

Steps for delegating the authority to list user information by group tree

SA23-2289-00

Before you begin:
  • Make sure the LISTUSER command issuer does not have READ access to the IRR.LISTUSER resource in the FACILITY class.
  • Ensure that list-of-groups-checking (SETROPTS GRPLIST) is enabled.
Perform the following steps to authorize a general user to list user information in selected user profiles based on the scope of a group tree.
  1. Define the following generic profiles in the FACILITY class, if not already defined. Doing so ensures that an existing generic profile does not inadvertently prevent you from successfully limiting this authority.
    Example:
    RDEFINE FACILITY IRR.LISTUSER.**   UACC(NONE)
    RDEFINE FACILITY IRR.LU.**         UACC(NONE)
    RDEFINE FACILITY IRR.LU.EXCLUDE.** UACC(READ)
  2. Define a profile to protect the IRR.LU.TREE.owner resource in the FACILITY class, where owner is the group that is at the top of a group tree.
    Example:
    RDEFINE FACILITY IRR.LU.TREE.GROUP1 UACC(NONE)
       AUDIT(FAILURES(NONE) SUCCESSES(READ))

  3. Authorize the general users or groups.
    Example:
    PERMIT IRR.LU.TREE.GROUP1 CLASS(FACILITY) ID(HELPDESK USER19) ACCESS(READ) 

  4. Activate the FACILITY class if not already active.
    Example:
    SETROPTS CLASSACT(FACILITY) 
    If the FACILITY class is already active and RACLISTed, refresh the FACILITY class profiles.
    SETROPTS RACLIST(FACILITY) REFRESH

You have now authorized a general user or group to list the base segment of user profiles for selected users, including protected users, and excluding users with the SPECIAL, OPERATIONS, or AUDITOR attribute, based on the scope of a group tree.
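As an added illustration that is not part of the IBM book, the following Python models how the FACILITY profiles from steps 1 to 3 resolve for a LISTUSER issuer: the most specific matching profile wins, so the UACC(NONE) catch-alls from step 1 deny any IRR.LU.TREE.group that has not been explicitly permitted, while IRR.LU.EXCLUDE.** still answers READ. The profile data, user IDs and group connections are constructed, and RACF's generic matching and specificity ordering are approximated only for the profile shapes used on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed FACILITY profiles mirroring steps 1 to 3 of the page:
# profile name -> (UACC, access list of {user or group: access}).
PROFILES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "IRR.LISTUSER.**":    ("NONE", {}),
    "IRR.LU.**":          ("NONE", {}),
    "IRR.LU.EXCLUDE.**":  ("READ", {}),
    "IRR.LU.TREE.GROUP1": ("NONE", {"HELPDESK": "READ", "USER19": "READ"}),
}
# Constructed connect groups; with SETROPTS GRPLIST every connect group counts.
CONNECTS: Dict[str, List[str]] = {
    "USER19": ["SYS1"], "USER07": ["HELPDESK"], "USER33": ["PAYROLL"]}
RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

def profile_regex(profile: str) -> str:
    """RACF generic characters: % is one character, * is the rest of a
    qualifier, and a trailing .** is zero or more further qualifiers."""
    if profile.endswith(".**"):
        body = re.escape(profile[:-3]) + r"(?:\.[^.]+)*"
    else:
        body = re.escape(profile)
    return "^" + body.replace(r"\*", r"[^.]*").replace("%", r"[^.]") + "$"

def specificity(profile: str) -> List[int]:
    """Sort key: at each position a literal beats %, which beats *, so
    IRR.LU.TREE.GROUP1 and IRR.LU.EXCLUDE.** both outrank IRR.LU.**."""
    return [{"%": 1, "*": 2}.get(ch, 0) for ch in profile]

def access_for(user: str, resource: str) -> str:
    """Access the best-matching profile grants user: an explicit user entry
    wins, then the highest connect-group entry, then UACC. Assumption: a
    resource with no matching profile yields NONE for these checks."""
    matches = [p for p in PROFILES if re.match(profile_regex(p), resource)]
    if not matches:
        return "NONE"
    uacc, acl = PROFILES[min(matches, key=specificity)]
    if user in acl:
        return acl[user]
    via_groups = [acl[g] for g in CONNECTS.get(user, []) if g in acl]
    return max(via_groups, key=RANK.get) if via_groups else uacc

def may_list_by_tree(user: str, owner_group: str) -> bool:
    """True when the delegation on this page applies to user for the tree
    under owner_group: no READ to IRR.LISTUSER, READ to IRR.LU.TREE.owner."""
    return (RANK[access_for(user, "IRR.LISTUSER")] < RANK["READ"]
            and RANK[access_for(user, f"IRR.LU.TREE.{owner_group}")] >= RANK["READ"])
```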


Copyright IBM Corporation 1990, 2014