z/OS Security Server RACF Security Administrator's Guide


Steps for delegating the authority to reset passwords by owner

SA23-2289-00

Before you begin:
  • Make sure the ALTUSER command issuer (the user or group you are about to delegate to) does not already have access to the IRR.PASSWORD.RESET resource in the FACILITY class. Authority granted through that resource is not restricted by the owner of the target user profile, so it would defeat the limit you are setting up here.
Perform the following steps to limit the authority of a general user or group to resume user IDs and reset passwords and password phrases based on the owner of the user profiles.
  1. Define the following generic profiles in the FACILITY class, if they are not already defined. These profiles ensure that an existing, less specific generic profile that also covers these names does not inadvertently grant or deny the access and prevent you from successfully limiting this authority.
    Example:
    RDEFINE FACILITY IRR.PASSWORD.RESET.**  UACC(NONE)
    RDEFINE FACILITY IRR.PWRESET.**         UACC(NONE)
    RDEFINE FACILITY IRR.PWRESET.EXCLUDE.** UACC(READ)

    If you use UPDATE or CONTROL access for any IRR.PWRESET profile, as described in Table 1, specify the higher level (UPDATE or CONTROL) with the UACC operand for the IRR.PWRESET.EXCLUDE.** profile instead of the UACC(READ) option shown in this example.

  2. Define a profile to protect the IRR.PWRESET.OWNER.owner resource in the FACILITY class, where owner is the user ID or group that owns the user profiles.
    Example:
    RDEFINE FACILITY IRR.PWRESET.OWNER.GROUP3 UACC(NONE)
       AUDIT(FAILURES(NONE) SUCCESSES(READ))

    ______________________________________________________________________

  3. Authorize the general users or groups.
    Example:
    PERMIT IRR.PWRESET.OWNER.GROUP3 CLASS(FACILITY)
       ID(HELPDESK USER19) ACCESS(READ) 

    See Levels of authority for restrictions and details about authority based on the access level to the IRR.PWRESET.OWNER.owner resource in the FACILITY class.

    ______________________________________________________________________

  4. Activate the FACILITY class if not already active.
    Example:
    SETROPTS CLASSACT(FACILITY) 
    If the FACILITY class is already active and RACLISTed, refresh the FACILITY class profiles.
    SETROPTS RACLIST(FACILITY) REFRESH

    ______________________________________________________________________

You have now authorized a general user or group to resume user IDs and reset passwords and password phrases for the users owned by the specified owner, excluding protected users and users with the SPECIAL, OPERATIONS, or AUDITOR attribute.
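The complete procedure as one batch job, as an added example that is not from this guide: the four steps above are submitted together through the TSO/E terminal monitor program IKJEFT01, preceded by an RLIST that checks the "Before you begin" condition and followed by RLIST commands that show the resulting profile and its access list. The profile names, the owner GROUP3, and the IDs HELPDESK and USER19 are those used in the steps above; the job card is a placeholder, and it is assumed that the submitting user has the SPECIAL attribute.

```jcl
//RACFDLG  JOB (ACCT),'DELEGATE PW RESET',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*
//* Added example, not from the RACF guide. Placeholder job card;
//* submit under a user with the SPECIAL attribute. GROUP3 owns the
//* user profiles to be managed; HELPDESK (group) and USER19 (user)
//* are the delegates and must have no access to IRR.PASSWORD.RESET.
//*
//* The first RLIST lists the profile (discrete or covering generic)
//* that protects IRR.PASSWORD.RESET with its access list, so the
//* "Before you begin" condition can be checked from SYSTSPRT.
//* The last two RLISTs confirm the owner-based profile and who
//* holds READ access to it.
//*
//STEP1    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RLIST FACILITY IRR.PASSWORD.RESET AUTHUSER
  RDEFINE FACILITY IRR.PASSWORD.RESET.**  UACC(NONE)
  RDEFINE FACILITY IRR.PWRESET.**         UACC(NONE)
  RDEFINE FACILITY IRR.PWRESET.EXCLUDE.** UACC(READ)
  RDEFINE FACILITY IRR.PWRESET.OWNER.GROUP3 UACC(NONE) -
     AUDIT(FAILURES(NONE) SUCCESSES(READ))
  PERMIT IRR.PWRESET.OWNER.GROUP3 CLASS(FACILITY) -
     ID(HELPDESK USER19) ACCESS(READ)
  SETROPTS CLASSACT(FACILITY)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY IRR.PWRESET.OWNER.GROUP3 AUTHUSER
  RLIST FACILITY IRR.PASSWORD.RESET AUTHUSER
/*
```

Read SYSTSPRT after the job ends. The first RLIST must not show HELPDESK or USER19 (or a group they belong to) in the access list of the profile that protects IRR.PASSWORD.RESET; if it does, remove that access before relying on the owner-based limit. The SETROPTS REFRESH is only needed when the FACILITY class is RACLISTed and is otherwise harmless. Once the job has completed, a member of HELPDESK can issue, for example, ALTUSER USER23 RESUME PASSWORD(...) for a user whose OWNER is GROUP3 (USER23 is an assumed user ID), while the same command against a user owned by another group, a protected user, or a user with the SPECIAL, OPERATIONS, or AUDITOR attribute is rejected, and each successful reset is logged because of the SUCCESSES(READ) audit setting on the profile.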





Copyright IBM Corporation 1990, 2014