Authorizing the envelope recipient
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
Authorize these same principals to the R_admin function (to retrieve envelopes from RACF®) using one of the following examples. Example 1 allows you to separately control retrieval of password envelopes and password phrase envelopes. Example 2 allows you to control retrieval of both password envelopes and password phrase envelopes using the same resource. The FACILITY resource names shown in these examples are described in Controlling envelope retrieval.

Example 1:

Example 2:

Guideline: In general, authorize only trusted applications, not users, to extract envelopes. Failed access attempts to these resources are logged by default. The log string of the audit record contains the user ID whose envelope is being retrieved. If you use a generic profile (shown in Example 2), look for the resource name in the audit record and you can distinguish whether a password envelope or password phrase envelope was retrieved.

Guideline: Given the sensitive nature of this function, you should log successful accesses as well. For example, a user with the RACF AUDITOR attribute can execute the following command:

If the FACILITY class is already ACTIVE and RACLISTed, refresh the class.
Copyright IBM Corporation 1990, 2014