z/OS Security Server RACF Security Administrator's Guide


Authorizing the envelope recipient

SA23-2289-00

Authorize these same principals to the R_admin function (to retrieve envelopes from RACF®) using one of the following examples. Example 1 allows you to separately control retrieval of password envelopes and password phrase envelopes. Example 2 allows you to control retrieval of both password envelopes and password phrase envelopes using the same resource.

The FACILITY resource names shown in these examples are described in Controlling envelope retrieval.

Example 1:
RDEFINE FACILITY IRR.RADMIN.EXTRACT.PWENV UACC(NONE)
PERMIT IRR.RADMIN.EXTRACT.PWENV CLASS(FACILITY) ID(IDI1 APP2) ACCESS(READ)

RDEFINE FACILITY IRR.RADMIN.EXTRACT.PPENV UACC(NONE)
PERMIT IRR.RADMIN.EXTRACT.PPENV CLASS(FACILITY) ID(IDI1 APP2) ACCESS(READ)

Example 2:
RDEFINE FACILITY IRR.RADMIN.EXTRACT.* UACC(NONE)
PERMIT IRR.RADMIN.EXTRACT.* CLASS(FACILITY) ID(IDI1 APP2) ACCESS(READ)

Guideline: In general, authorize only trusted applications, not users, to extract envelopes.

Failed access attempts to these resources are logged by default, because a newly defined profile is created with AUDIT(FAILURES(READ)). The log string in the audit record identifies the user ID whose envelope was requested. If you protect both resources with a single generic profile, as in Example 2, the profile name recorded in the audit record is the generic one; use the resource name in the record, IRR.RADMIN.EXTRACT.PWENV or IRR.RADMIN.EXTRACT.PPENV, to tell a password envelope retrieval from a password phrase envelope retrieval.

Guideline: Given the sensitive nature of this function, you should log successful accesses as well, so that every retrieval of an envelope leaves an audit record, not only the rejected ones. For example, a user with the RACF AUDITOR attribute can execute the following command against the generic profile of Example 2:
RALTER FACILITY IRR.RADMIN.EXTRACT.* GLOBALAUDIT(ALL(READ))
GLOBALAUDIT settings apply only to the profile that protects the resource. If you defined the discrete profiles of Example 1 instead, issue the RALTER command against IRR.RADMIN.EXTRACT.PWENV and IRR.RADMIN.EXTRACT.PPENV individually; an audit setting on IRR.RADMIN.EXTRACT.* does not cover resources that a more specific profile protects.

If the FACILITY class is already ACTIVE and RACLISTed, refresh the class so that the new profiles, access list entries, and audit settings take effect:
SETROPTS RACLIST(FACILITY) REFRESH

Copyright IBM Corporation 1990, 2014