Users receive the CLAUTH attribute on a class-by-class basis.
You cannot assign the CLAUTH attribute at the user or group level.
If a user has the CLAUTH attribute in a class, or in a class that
shares the same POSIT value in the class descriptor table (CDT), RACF® allows the user to define
profiles in that class.
The classes you can specify with CLAUTH are the USER class and
any general resource class.
Note:
- The authority of all users to define profiles in general resource classes can be limited by issuing the SETROPTS GENERICOWNER command. For more information, see Restricting the creation of general resource profiles (GENERICOWNER option).
- You must activate the class for which a user has the CLAUTH attribute to enable the user to define profiles in that class.
- A user's authority to define profiles extends to any class that has the same POSIT value in the class descriptor table (CDT). For example, if you give a user CLAUTH(TERMINAL), that user can also define profiles in class GTERMINL, because both of these classes have the same POSIT value.
  For information about the POSIT values of classes in the dynamic portion of the CDT, and for general information about the CDT, see Administering the dynamic class descriptor table (CDT). For information about the POSIT values of the classes in the static CDT, see the description of the class descriptor table (CDT) in z/OS Security Server RACF Macros and Interfaces.
  You should give the CLAUTH attribute only to those users who are responsible for defining profiles to RACF in the specified classes and in any classes with the same POSIT value.
- A user to whom you assign the CLAUTH attribute for the USER class is authorized to define new users to RACF with the ADDUSER command, as long as the user is the owner of or has JOIN authority in the new user's default group.
The CLAUTH attribute can be delegated only
by a user with the SPECIAL attribute, or by a user who has both the
authority to update the user profile and the CLAUTH attribute for
the class authority being delegated.
For a list of the RACF commands
that the CLAUTH attribute allows users to issue, see Table 1.
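
For an access review, the POSIT rule in the note above means that each CLAUTH grant has to be expanded to every class sharing that POSIT value before deciding whether the grant is appropriate. The following sketch is an added example, not IBM code: the POSIT numbers, the XCLSA/XCLSB/XCLSC class names, the user IDs and the data layout are constructed placeholders, and only the TERMINAL/GTERMINL pairing comes from the text.

```python
from collections import defaultdict

# Constructed sample data. POSIT numbers are placeholders, not real CDT values;
# take the real ones from your own class descriptor table.
CDT_POSIT = {"TERMINAL": 901, "GTERMINL": 901,
             "XCLSA": 902, "XCLSB": 902, "XCLSC": 903}
ACTIVE = {"TERMINAL", "GTERMINL"}          # classes currently active (constructed)
CLAUTH = {"USERA": ["TERMINAL"],           # explicit CLAUTH grants per user
          "USERB": ["XCLSA", "XCLSC"]}


def posit_groups(cdt):
    """Group class names by their POSIT value."""
    groups = defaultdict(set)
    for cls, posit in cdt.items():
        groups[posit].add(cls)
    return groups


def effective_clauth(granted, cdt=CDT_POSIT, active=ACTIVE):
    """Expand explicit grants to every class with the same POSIT value.

    Returns {class: {"via": granting class (None if explicit), "active": bool}}.
    A class missing from the CDT mapping is kept on its own.
    """
    groups = posit_groups(cdt)
    result = {}
    for cls in granted:
        for target in groups.get(cdt.get(cls), {cls}):
            explicit = target in granted
            result[target] = {"via": None if explicit else cls,
                              "active": target in active}
    return result


def implicit_grants(clauth, cdt=CDT_POSIT, active=ACTIVE):
    """List (user, class, via) for authority nobody granted by name."""
    findings = []
    for user in sorted(clauth):
        eff = effective_clauth(clauth[user], cdt, active)
        for cls in sorted(eff):
            if eff[cls]["via"] is not None:
                findings.append((user, cls, eff[cls]["via"]))
    return findings


if __name__ == "__main__":
    for user, cls, via in implicit_grants(CLAUTH):
        print(f"{user}: can define profiles in {cls} through CLAUTH({via})")
```

The `active` flag in the result separates grants that are usable now from grants that only take effect once the class is activated.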