
Besides the RACF Administrator, Who else needs the Special

PostPosted: Sat Mar 16, 2019 2:13 am
by danielgp89
Hello Everyone!

I'm learning RACF and exploring the zSecure tool. While making a report of who has the Special attribute in the system, I found that more than one user who is not the system RACF administrator has the attribute.

For example, I don't know whether system tasks like Tivoli or Control-M need to have the Special attribute, or groups that are part of the CICS subsystem, or a group with default access to TSO.

Best Regards!

Re: Besides the RACF Administrator, Who else needs the Special

PostPosted: Sat Mar 16, 2019 3:20 am
by Robert Sample
The SPECIAL attribute allows a user to enter RACF commands (including adding users, giving users permission to access resources, and working with certificates). I wouldn't think Tivoli or Control-M or CICS groups or default ANYTHING should have SPECIAL. SPECIAL grants a lot of access, and most sites don't want more than one person (or a few in the security group) having that kind of authority.

Re: Besides the RACF Administrator, Who else needs the Special

PostPosted: Sat Mar 16, 2019 5:56 am
by steve-myers
Mr. Sample is basically correct. One thing an auditor should be doing is to find out who has RACF SPECIAL and flag anyone who is not a RACF admin. The real RACF admins should remove the attribute from people that don't need it.

Actually, in some ways I regard OPERATIONS as more dangerous, as it lets the holder access essentially any data set. Obviously the storage management group requires OPERATIONS, as does the userid assigned to tasks like HSM or whatever your site uses for automated storage management.
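
The audit step described in the two replies above (list everyone holding SPECIAL or OPERATIONS, flag anyone not on the approved list, and hand the RACF administrator the commands to remove the attribute), as an added example that is not part of any post in this thread. It works from an IRRDBU00 database-unload file rather than from zSecure, since the unload is a plain fixed-column text file that can be processed off-host. The column positions for the 0200 (user basic data) record are assumed from the documented IRRDBU00 layout and should be verified against the RACF Macros and Interfaces manual for your release; the userids, owners, approved lists and sample records are constructed for illustration only.

```python
"""Flag RACF userids holding SPECIAL or OPERATIONS that are not on an
approved list, working from an IRRDBU00 database-unload file.

Column positions for the 0200 (user basic data) record are assumed from
the documented IRRDBU00 layout; verify them against the RACF Macros and
Interfaces manual for your z/OS release before trusting the output.
All sample records and names below are constructed, not from a real system.
"""

# IRRDBU00 0200 record layout, 1-based inclusive columns (assumed; verify).
RECORD_TYPE = (1, 4)     # "0200" marks a user basic data record
USBD_NAME = (6, 13)      # userid
USBD_OWNER_ID = (26, 33) # owner of the profile
USBD_SPECIAL = (40, 43)  # "Yes" / "No"
USBD_OPER = (45, 48)     # "Yes" / "No"  (OPERATIONS attribute)
USBD_REVOKE = (50, 53)   # "Yes" / "No"


def field(line, span):
    """Return the stripped text of a 1-based inclusive column span."""
    start, end = span
    return line[start - 1:end].strip()


def parse_0200(line):
    """Parse one user basic data record; return None for any other record type."""
    if field(line, RECORD_TYPE) != "0200":
        return None
    return {
        "name": field(line, USBD_NAME),
        "owner": field(line, USBD_OWNER_ID),
        "special": field(line, USBD_SPECIAL).upper() == "YES",
        "operations": field(line, USBD_OPER).upper() == "YES",
        "revoked": field(line, USBD_REVOKE).upper() == "YES",
    }


def find_unapproved(unload_lines, approved_special, approved_operations):
    """Return (userid, attribute) pairs for holders not on the approved lists.

    Revoked ids are still reported: the attribute is still on the profile
    and comes back to life the moment someone resumes the id.
    """
    findings = []
    for line in unload_lines:
        rec = parse_0200(line)
        if rec is None:
            continue
        if rec["special"] and rec["name"] not in approved_special:
            findings.append((rec["name"], "SPECIAL"))
        if rec["operations"] and rec["name"] not in approved_operations:
            findings.append((rec["name"], "OPERATIONS"))
    return findings


def remediation_commands(findings):
    """RACF commands for the administrator to review, then issue, to remove the attribute."""
    return [f"ALTUSER {userid} NO{attr}" for userid, attr in findings]


def make_0200(name, owner, special, oper, revoke=False):
    """Build a constructed 0200 record holding only the columns used above."""
    buf = [" "] * 60

    def put(span, text):
        start = span[0] - 1
        buf[start:start + len(text)] = list(text)

    put(RECORD_TYPE, "0200")
    put(USBD_NAME, name.ljust(8))
    put(USBD_OWNER_ID, owner.ljust(8))
    put(USBD_SPECIAL, "Yes" if special else "No")
    put(USBD_OPER, "Yes" if oper else "No")
    put(USBD_REVOKE, "Yes" if revoke else "No")
    return "".join(buf)


# Constructed sample unload: a RACF admin, an emergency id, a scheduler
# task id that was given SPECIAL, the HSM id with OPERATIONS, an ordinary
# TSO user, and one group record (type 0100) that the parser must skip.
SAMPLE_UNLOAD = [
    make_0200("RACFADM", "SYS1", special=True, oper=False),
    make_0200("EMERG01", "SYS1", special=True, oper=True),
    make_0200("CTMUSER", "PROD", special=True, oper=False),
    make_0200("HSM", "STGADM", special=False, oper=True),
    make_0200("TSOUSER", "USERS", special=False, oper=False),
    "0100 SYS1",
]

# Hypothetical approved lists; a real site keeps these under change control.
APPROVED_SPECIAL = {"RACFADM", "EMERG01"}
APPROVED_OPERATIONS = {"HSM", "EMERG01"}


if __name__ == "__main__":
    found = find_unapproved(SAMPLE_UNLOAD, APPROVED_SPECIAL, APPROVED_OPERATIONS)
    for userid, attr in found:
        print(f"FLAG {userid:<8} holds {attr} but is not on the approved list")
    for cmd in remediation_commands(found):
        print(cmd)
```

Run against a real unload, the output is a list for the RACF administrator to review, not a script to execute blindly: a flagged id may be an emergency id or a storage-management task that simply needs adding to the approved list, while a scheduler or CICS id holding SPECIAL is the kind of finding the replies above say should not exist.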

Re: Besides the RACF Administrator, Who else needs the Special

PostPosted: Mon Mar 18, 2019 12:49 pm
by expat
When I was doing a security admin role many years ago, there were two "Emergency" users with the special attribute.
These were fully audited, and the person wishing access to either id had to physically report to the site security office and sign for the envelope containing the id & password, showing their id badge too, just to keep it all legal.
Access was restricted to the sysprogs and the operations area, with all permitted names being held on a list for the site security people to check too.
For in-hours requests, we security bods were there, eager and willing to please our customers.