z/OS Security Server RACF Security Administrator's Guide


The CLAUTH (class authority) attribute

SA23-2289-00

Users receive the CLAUTH attribute on a class-by-class basis. You cannot assign the CLAUTH attribute at the user or group level. If a user has the CLAUTH attribute in a class, or in a class that shares the same POSIT value in the class descriptor table (CDT), RACF® allows the user to define profiles in that class.

The classes you can specify with CLAUTH are the USER class and any general resource class.

Note:
  1. The authority of all users to define profiles in general resource classes can be limited by issuing the SETROPTS GENERICOWNER command. For more information, see Restricting the creation of general resource profiles (GENERICOWNER option).
  2. You must activate the class for which a user has the CLAUTH attribute to enable the user to define profiles in that class.
  3. A user's authority to define profiles extends to any class that has the same POSIT value in the class descriptor table (CDT). For example, if you give a user CLAUTH(TERMINAL), that user can also define profiles in class GTERMINL, because both of these classes have the same POSIT value.

    For information about the POSIT values of classes in the dynamic portion of the CDT, and for general information about the CDT, see Administering the dynamic class descriptor table (CDT). For information about the POSIT values of the classes in the static CDT, see the description of the class descriptor table (CDT) in z/OS Security Server RACF Macros and Interfaces.

    You should give the CLAUTH attribute only to those users who are responsible for defining profiles to RACF in the specified classes and in any classes with the same POSIT value.

  4. A user to whom you assign the CLAUTH attribute for the USER class is authorized to define new users to RACF with the ADDUSER command, as long as the user is the owner of or has JOIN authority in the new user's default group.
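The following review helper is an added example, not part of the IBM documentation. It expands a user's CLAUTH grants to every general resource class that shares a POSIT value (note 3) and records whether each reached class is active (note 2). The function names, the `XCLASS*` class names, and the POSIT numbers are constructed placeholders; only the TERMINAL and GTERMINL pairing comes from this topic, and the USER class is not modeled.

```python
# Added example: review which classes a CLAUTH grant really reaches.
# POSIT numbers and XCLASS* names are constructed placeholders, not CDT values.
SAMPLE_POSIT = {
    "TERMINAL": 901, "GTERMINL": 901,   # same POSIT, as stated in note 3
    "XCLASSA": 902, "XCLASSB": 902,     # hypothetical pair, not granted below
    "XCLASSC": 903,                     # hypothetical class with no sibling
}
SAMPLE_ACTIVE = {"TERMINAL", "GTERMINL"}    # constructed list of active classes
SAMPLE_GRANTED = {"TERMINAL", "XCLASSC"}    # constructed CLAUTH list for one user


def effective_clauth(granted, posit_of, active):
    """Map each reachable class to how it was reached and whether it is active."""
    reach = {}
    for g in sorted(granted):
        posit = posit_of.get(g)
        # Classes sharing the POSIT value inherit the authority to define profiles.
        same_posit = {c for c, p in posit_of.items()
                      if posit is not None and p == posit}
        for cls in sorted(same_posit | {g}):
            entry = reach.setdefault(
                cls, {"direct": False, "via": set(), "active": cls in active})
            if cls == g:
                entry["direct"] = True
            else:
                entry["via"].add(g)
    return reach


def implicit_classes(granted, posit_of, active):
    """Classes the user can reach only through a shared POSIT value."""
    reach = effective_clauth(granted, posit_of, active)
    return sorted(c for c, e in reach.items() if not e["direct"])


def usable_classes(granted, posit_of, active):
    """Reached classes that are also active, so profiles can be defined now."""
    reach = effective_clauth(granted, posit_of, active)
    return sorted(c for c, e in reach.items() if e["active"])


if __name__ == "__main__":
    for cls, e in effective_clauth(SAMPLE_GRANTED, SAMPLE_POSIT,
                                   SAMPLE_ACTIVE).items():
        how = "direct" if e["direct"] else "via " + ",".join(sorted(e["via"]))
        print(f"{cls:9} {how:14} {'active' if e['active'] else 'inactive'}")
```

Feed it the class list from the user's profile and the POSIT values from your own CDT to see which classes a proposed CLAUTH grant would cover before you issue it.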

The CLAUTH attribute can be delegated only by a user with the SPECIAL attribute, or by a user who has both the authority to update the user profile and the CLAUTH attribute for the class authority being delegated.

For a list of the RACF commands that the CLAUTH attribute allows users to issue, see Table 1.





Copyright IBM Corporation 1990, 2014