Profile for Revoke



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

Profile for Revoke

Postby jaggz » Fri Oct 29, 2010 3:50 pm

Hi,
Could anyone please let me know the class name and profile for Revoke Privilege in RACF. I tried to find in Racf admin guide but i could'nt figure out.
User avatar
jaggz
 
Posts: 356
Joined: Fri Jul 23, 2010 8:51 pm
Has thanked: 8 times
Been thanked: 4 times

Re: Profile for Revoke

 

Re: Profile for Revoke

Postby Robert Sample » Fri Oct 29, 2010 4:20 pm

I do not understand what you are asking. REVOKE is not a class name or facility in RACF -- it is a state; a user id may be revoked or not. If the user id is revoked, that user id is not allowed to sign onto the system. There's no profile associated with it -- revoked is an attribute of the user id itself.
Robert Sample
Global moderator
 
Posts: 3367
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 222 times

Re: Profile for Revoke

Postby jaggz » Sat Oct 30, 2010 9:24 am

Please correct me if i am wrong. I do understand revoking a user needs a
revoke privilege(Not a class name or facility)
. To gain a revoke privilege a user needs some classes and profiles permitted. So could you please let me know the facility name and profile which provides a ID to revoke others ID.
User avatar
jaggz
 
Posts: 356
Joined: Fri Jul 23, 2010 8:51 pm
Has thanked: 8 times
Been thanked: 4 times

Re: Profile for Revoke

Postby Robert Sample » Sat Oct 30, 2010 9:43 am

You do not understand correctly. The RACF SPECIAL attribute -- which is assigned to a user id -- allows the user id to issue RACF commands, including revoking access.

I think you need to spend a long time reading the RACF manuals to gain a basic understanding of how RACF works. It does not appear from your posts so far that you have this basic understanding. The CONNECT command, for example, connects users to groups and the manual gives the authority required as
Authorization Required

The specified users and group must already be defined to RACF.

When issuing the CONNECT command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.

To use the CONNECT command, you must have at least one of the following:

* The SPECIAL attribute
* The group-SPECIAL attribute in the group
* The ownership of the group
* JOIN or CONNECT authority in the group.

You cannot give a user a higher level of authority in the group than you have.
Whereas the PERMIT command, which allows groups or users access to resources, requires
Authorization Required

When issuing the PERMIT command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.

To perform any of the PERMIT functions, you must have sufficient authority over the resource. RACF makes the following checks until one of the conditions is met:

* You have the SPECIAL attribute.
* The profile is within the scope of a group in which you have the group-SPECIAL attribute.
* You are the owner of the resource.
* If the resource belongs to the DATASET class, the high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit) is your user ID.
* If the resource belongs to the DATASET class, you must be the current owner of the profile or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute.
* If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.

For discrete profiles only:
* You are on the standard access list for the resource and you have ALTER authority.
* Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the standard access list and has ALTER authority.
* The universal access authority is ALTER.
Note, for example, that someone with SPECIAL attribute is not required to have any access to classes or profiles -- that user id can CONNECT or PERMIT without regard to them.

Bottom line: there is no facility or profile (both of which are RACF terms with highly specific meanings that do not apply to what you are asking) which allows an id to revoke users.
Robert Sample
Global moderator
 
Posts: 3367
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 222 times

Re: Profile for Revoke

Postby jaggz » Mon Nov 01, 2010 9:36 am

Thanks Robert. Now you made it clear. Thanks again.
User avatar
jaggz
 
Posts: 356
Joined: Fri Jul 23, 2010 8:51 pm
Has thanked: 8 times
Been thanked: 4 times


Return to Mainframe Security