z/OS Security Server RACF Security Administrator's Guide
Delegating the authority to reset passwords for only selected users

SA23-2289-00

You can limit the authority of a general user or group to use the ALTUSER command (to resume user IDs and reset passwords and password phrases) by authorizing the user or group to do this for only a selected set of users. You can limit the selected set of users in the following ways:
  • Delegating by owner

    You can limit the authority of a general user or group to perform resume and reset functions based on the owner of the user profile. To do this, authorize the ALTUSER command issuer with the appropriate authority to the IRR.PWRESET.OWNER.owner resource in the FACILITY class.

    For details, see Delegating the authority to reset passwords by owner.

  • Delegating by group tree

    You can limit the authority of a general user or group to perform resume and reset functions for only users within the scope of a selected group tree. To do this, authorize the ALTUSER command issuer with the appropriate authority to the IRR.PWRESET.TREE.owner resource in the FACILITY class.

    For details, see Delegating the authority to reset passwords by group tree.

  • Excluding user profiles

    You can exclude selected users from the scope of IRR.PWRESET.OWNER.owner and IRR.PWRESET.TREE.owner processing. To do this, protect the IRR.PWRESET.EXCLUDE.user-ID resource in the FACILITY class.

    For details, see Excluding selected users.

To authorize a general user or group to use the ALTUSER command to perform resume and reset functions for only selected users, define a profile to protect the appropriate IRR.PWRESET.OWNER or IRR.PWRESET.TREE resource in the FACILITY class and authorize users and groups. If you do not define this profile, standard ALTUSER authority checking applies when RACF® determines whether the command issuer is authorized.

Restriction: The IRR.PWRESET.OWNER and IRR.PWRESET.TREE authorities do not apply when the target of the ALTUSER command is a protected user or has the SPECIAL, AUDITOR, or OPERATIONS attribute.

RACF does not log failed access attempts to IRR.PWRESET resources. Rather, these attempts are logged as ALTUSER command violations. Successful accesses to IRR.PWRESET resources are logged at the installation's discretion.
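The following batch job is an added example, not taken from the guide, showing the profile definitions that the steps above describe: delegation by owner for user profiles owned by one group, exclusion of one sensitive user ID, and an audit setting for successful accesses. The group names DEPT10 and HELPDSK and the user ID SYSADM1 are constructed; READ is assumed as the access level granted, since the access level needed for each ALTUSER operand is given in the referenced topic rather than here.

```jcl
//PWRESET  JOB (ACCT),'DELEGATE PWRESET',CLASS=A,MSGCLASS=X
//* Added example (not from the guide). Names DEPT10, HELPDSK and
//* SYSADM1 are constructed; ACCESS(READ) is an assumption.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Delegation by owner: issuers with access to this profile may   */
  /* resume and reset only user profiles whose OWNER is DEPT10.     */
  /* AUDIT(SUCCESS(READ)) records successful use, since failures    */
  /* are logged as ALTUSER violations rather than against this      */
  /* resource.                                                      */
  RDEFINE FACILITY IRR.PWRESET.OWNER.DEPT10 UACC(NONE) +
          AUDIT(SUCCESS(READ))
  PERMIT IRR.PWRESET.OWNER.DEPT10 CLASS(FACILITY) ID(HELPDSK) +
          ACCESS(READ)
  /* Exclusion: protect IRR.PWRESET.EXCLUDE.user-ID for a user that */
  /* the delegated issuers must not be able to resume or reset,     */
  /* even though its profile is owned by DEPT10.                    */
  RDEFINE FACILITY IRR.PWRESET.EXCLUDE.SYSADM1 UACC(NONE)
  /* Make the new profiles effective if FACILITY is RACLISTed.      */
  SETROPTS RACLIST(FACILITY) REFRESH
  /* Verification: confirm the access list and audit options.       */
  RLIST FACILITY IRR.PWRESET.OWNER.DEPT10 AUTHUSER
  RLIST FACILITY IRR.PWRESET.EXCLUDE.SYSADM1 AUTHUSER
/*
```

Remember that the restriction above still applies: the profiles grant nothing against a protected user or a user with SPECIAL, AUDITOR, or OPERATIONS, regardless of owner.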

Copyright IBM Corporation 1990, 2014