You do not understand correctly. The RACF SPECIAL attribute -- which is assigned to a user id -- allows the user id to issue RACF commands, including revoking access.
I think you need to spend a long time reading the RACF manuals to gain a basic understanding of how RACF works. It does not appear from your posts so far that you have this basic understanding. The CONNECT command, for example, connects users to groups and the manual gives the authority required as
The specified users and group must already be defined to RACF.
When issuing the CONNECT command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.
To use the CONNECT command, you must have at least one of the following:
* The SPECIAL attribute
* The group-SPECIAL attribute in the group
* The ownership of the group
* JOIN or CONNECT authority in the group.
You cannot give a user a higher level of authority in the group than you have.
Whereas the PERMIT command, which allows groups or users access to resources, requires
When issuing the PERMIT command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.
To perform any of the PERMIT functions, you must have sufficient authority over the resource. RACF makes the following checks until one of the conditions is met:
* You have the SPECIAL attribute.
* The profile is within the scope of a group in which you have the group-SPECIAL attribute.
* You are the owner of the resource.
* If the resource belongs to the DATASET class, the high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit) is your user ID.
* If the resource belongs to the DATASET class, you must be the current owner of the profile or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute.
* If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.
For discrete profiles only:
* You are on the standard access list for the resource and you have ALTER authority.
* Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the standard access list and has ALTER authority.
* The universal access authority is ALTER.
Note, for example, that someone with the SPECIAL attribute is not required to have any access to classes or profiles -- that user id can CONNECT or PERMIT without regard to them.

Bottom line: there is no facility or profile (both of which are RACF terms with highly specific meanings that do not apply to what you are asking) which allows an id to revoke users.
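The authority checks quoted from the manual above are a sequence that RACF walks until one condition holds. The following is an added illustration of that sequence as a small model, not code from RACF or from the post's author; the data structures, the `owner_of` ownership map used to approximate "within the scope of a group", the assumption that the "no higher authority than you have" cap applies to the JOIN/CONNECT path, and the sample users and profiles are all constructed for the example.

```python
"""Model of the CONNECT / PERMIT authority checks quoted from the RACF manual.
Added illustration only: RACF itself does not expose these structures."""
from dataclasses import dataclass, field

GROUP_AUTH = ["USE", "CREATE", "CONNECT", "JOIN"]            # lowest to highest
ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class User:
    userid: str
    special: bool = False
    group_special: set = field(default_factory=set)   # groups where user holds group-SPECIAL
    current_group: str = ""
    groups: set = field(default_factory=set)          # every group the user is connected to
    group_auth: dict = field(default_factory=dict)    # group -> USE/CREATE/CONNECT/JOIN


@dataclass
class Profile:
    name: str
    cls: str                      # DATASET, FILE, DIRECTRY, FACILITY, ...
    owner: str                    # userid or group that owns the profile
    discrete: bool = True
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)           # id (user or group) -> access


def in_group_special_scope(user, profile, owner_of):
    """Assumed simplification of RACF scoping: the profile is within the scope of a
    group-SPECIAL group if that group appears in the ownership chain of the owner."""
    entity, seen = profile.owner, set()
    while entity and entity not in seen:
        if entity in user.group_special:
            return True
        seen.add(entity)
        entity = owner_of.get(entity)
    return False


def permit_authority(user, profile, owner_of, list_of_groups=False):
    """Return the first manual check that lets user PERMIT on profile, or None."""
    if user.special:
        return "SPECIAL"
    if in_group_special_scope(user, profile, owner_of):
        return "group-SPECIAL scope"
    if profile.owner == user.userid:
        return "owner"
    quals = profile.name.split(".")
    if profile.cls == "DATASET" and quals[0] == user.userid:
        return "DATASET high-level qualifier"
    if profile.cls in ("FILE", "DIRECTRY") and len(quals) > 1 and quals[1] == user.userid:
        return "FILE/DIRECTRY second qualifier"
    if profile.discrete:                              # remaining checks: discrete profiles only
        if profile.acl.get(user.userid) == "ALTER":
            return "ALTER on access list"
        groups = user.groups if list_of_groups else {user.current_group}
        if any(profile.acl.get(g) == "ALTER" for g in groups):
            return "group ALTER on access list"
        if profile.uacc == "ALTER":
            return "UACC(ALTER)"
    return None


def connect_authority(user, group, group_owner, authority="USE"):
    """Return the check that lets user CONNECT someone to group with authority, or None."""
    if user.special:
        return "SPECIAL"
    if group in user.group_special:
        return "group-SPECIAL"
    if group_owner == user.userid:
        return "owner of group"
    own = user.group_auth.get(group)
    if own in ("JOIN", "CONNECT"):
        # "You cannot give a user a higher level of authority in the group than you have."
        # Assumption: the cap is enforced on this path, not for SPECIAL / group-SPECIAL / owner.
        if GROUP_AUTH.index(authority) <= GROUP_AUTH.index(own):
            return f"{own} authority in group"
    return None


def demo():
    """Constructed sample data; returns which check (if any) authorises each case."""
    owner_of = {"APPGRP": "SYS1", "SYS1": "IBMUSER"}          # group -> owner (constructed)
    alice = User("ALICE", group_special={"SYS1"})
    bob = User("BOB", current_group="APPGRP", groups={"APPGRP", "DEVGRP"},
               group_auth={"APPGRP": "CONNECT"})
    carol = User("CAROL")
    payroll = Profile("APP.PAYROLL.DATA", "DATASET", owner="APPGRP", discrete=False)
    proddb = Profile("PROD.DB.DATA", "DATASET", owner="DBA", acl={"DEVGRP": "ALTER"})
    private = Profile("CAROL.PRIVATE.DATA", "DATASET", owner="SYSADM")
    return {
        "alice_payroll": permit_authority(alice, payroll, owner_of),
        "bob_proddb": permit_authority(bob, proddb, owner_of),
        "bob_proddb_lg": permit_authority(bob, proddb, owner_of, list_of_groups=True),
        "carol_private": permit_authority(carol, private, owner_of),
        "bob_connect_use": connect_authority(bob, "APPGRP", "SYSADM", "USE"),
        "bob_connect_join": connect_authority(bob, "APPGRP", "SYSADM", "JOIN"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `bob_proddb` pair shows the list-of-groups caveat: BOB's current connect group is APPGRP, so the ALTER entry for DEVGRP only counts when list-of-groups checking is active. The CONNECT pair shows the cap from the manual: with CONNECT authority BOB can connect a user at USE but not at JOIN.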