z/OS Security Server RACF Security Administrator's Guide


Excluding selected user profiles

SA23-2289-00

You can exclude selected user profiles from the scope of IRR.LU.OWNER.owner and IRR.LU.TREE.owner processing so that users authorized by these IRR.LU resources cannot list user information for the excluded user profiles. To exclude selected users, define a profile in the FACILITY class to protect the IRR.LU.EXCLUDE.excluded-user resource, where excluded-user is the user ID you are excluding.

When you protect the IRR.LU.EXCLUDE.excluded-user resource with UACC(NONE) and give no general users or groups access, the user information of the excluded user cannot be listed even when the command issuer has READ access to the appropriate IRR.LU.OWNER.owner and IRR.LU.TREE.owner resource in the FACILITY class.

In other words, when a general user who has no access to the IRR.LU.EXCLUDE.excluded-user resource attempts to list the user profile of an excluded user, the LISTUSER command fails.

Users and groups that you authorize with READ access to the IRR.LU.EXCLUDE.excluded-user resource are allowed to list the profile of the excluded user when they also have READ access to the appropriate IRR.LU resource.

Tip: If you want to exclude a set of users with similar user IDs, use a generic name (such as GRPADM*) in place of the excluded user ID.

Restriction: Users who are authorized by the IRR.LISTUSER resource are not limited when you exclude user profiles with the IRR.LU.EXCLUDE.excluded-user resource in the FACILITY class. Excluded users are excluded only when the general user or group has authority through the IRR.LU.OWNER.owner or IRR.LU.TREE.owner resource in the FACILITY class.

User profiles with the SPECIAL, AUDITOR, or OPERATIONS attribute cannot be listed by users with authority through the IRR.LU resources. Therefore, you need not exclude users with these attributes using the IRR.LU.EXCLUDE.excluded-user resource.
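The following REXX exec is an added example, not part of the IBM guide, showing one way to set up the exclusion described above for the generic name GRPADM* from the Tip. The group SECAUDIT is a hypothetical name, and the exec assumes that generic profile checking is active for the FACILITY class, that the class is RACLISTed, and that SETROPTS ADDCREATOR is in effect.

```rexx
/* REXX */
/* Added example: exclude user IDs matching GRPADM* from IRR.LU.OWNER   */
/* and IRR.LU.TREE listing, while letting one group still list them.    */
/* Assumptions: SECAUDIT is a hypothetical group; generic profiles are  */
/* active for FACILITY; the FACILITY class is RACLISTed.                */
profile = 'IRR.LU.EXCLUDE.GRPADM*'
reader  = 'SECAUDIT'              /* hypothetical group name            */
me      = USERID()                /* ID of the administrator running it */

Address TSO

/* 1. Protect the resource. UACC(NONE) denies anyone not permitted.     */
"RDEFINE FACILITY" profile "UACC(NONE)"
if rc <> 0 then call fail 'RDEFINE'

/* 2. Assumption: with SETROPTS ADDCREATOR in effect, RDEFINE places    */
/*    the issuer on the access list with ALTER. Remove that entry so    */
/*    only the intended IDs have access. A nonzero return code here is  */
/*    not treated as an error, because the entry may not exist.         */
"PERMIT" profile "CLASS(FACILITY) ID("me") DELETE"

/* 3. READ on the EXCLUDE profile lets this group list the excluded     */
/*    users, provided it also has READ to the appropriate IRR.LU        */
/*    resource.                                                         */
"PERMIT" profile "CLASS(FACILITY) ID("reader") ACCESS(READ)"
if rc <> 0 then call fail 'PERMIT'

/* 4. Refresh the in-storage FACILITY profiles so the change is used.   */
"SETROPTS RACLIST(FACILITY) REFRESH"
if rc <> 0 then call fail 'SETROPTS'

/* 5. Review the result: UACC should be NONE and the access list        */
/*    should contain only the reader group.                             */
"RLIST FACILITY" profile "AUTHUSER"
exit 0

fail:
  parse arg cmd
  say cmd 'failed, rc='rc
  exit 8
```

Because users authorized by the IRR.LISTUSER resource are not limited by this profile, review the access list of that resource as well when the goal is to hide these user profiles.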





Copyright IBM Corporation 1990, 2014