Hi All,
I need some help on OPERATIONS user attribute on RACF.
From the manual I understand that the OPERATIONS attribute has full access authorization to all RACF-protected resources in DATASETS and some storage-related resource classes like DASDVOL, TAPEVOL, etc.
Hope a user with ALTER access to the dataset/resource profiles is also able to work on datasets and perform input/output operations on tape volumes.
In that case, who/which team really needs the OPERATIONS attribute (like RACF administrators need RACF SPECIAL, auditors need the RACF AUDITOR attribute)?
Which team require OPERATIONS attribute
-
- Posts: 474
- Joined: Thu Mar 10, 2016 5:03 pm
- Skillset: assembler rexx zOS ispf racf smf
- Referer: saw it in the experts forum, thought I could help here
Re: Which team require OPERATIONS attribute
Backup jobs, submitted using SURROGATE from a scheduler? No person should normally have it, it can be assigned by the RACF team if really needed for an emergency.
Just my 2 cents.
Re: Which team require OPERATIONS attribute
I had OPERATIONS and SPECIAL authority in a previous role. I think it helps in working with storage volumes, disaster recovery, replication, and some RACF tasks related to other users' datasets.
SPECIAL authority helped in running some zSecure audit reports, not really sure.
But it was a lawless shop where two people had all the available accesses and had to perform Storage, MVS, CICS, Endevor, some RACF administration, Performance and Capacity. Fun times.
-
- Posts: 474
- Joined: Thu Mar 10, 2016 5:03 pm
- Skillset: assembler rexx zOS ispf racf smf
- Referer: saw it in the experts forum, thought I could help here
Re: Which team require OPERATIONS attribute
I think that security scopes also protect the personnel. I remember one instance where something bad happened to production and I could safely say that it couldn't be me as I didn't have access, even though I was in the systems team. Of course, in a purely system test environment I would like OPERATIONS, just to be able to install and test products. In a production environment I'd rather not have that authority.
-
- Posts: 12
- Joined: Fri Sep 17, 2010 12:24 am
- Skillset: RACF Specialist
- Referer: Google Alerts
Re: Which team require OPERATIONS attribute
OPERATIONS use should only be necessary in rare instances where other storage administration authorities are insufficient to manage a dataset, such as deleting orphaned temporary datasets when TEMPDSN is active or managing a dataset where the RACF-indicated bit is ON but no discrete profile exists (better still, turn the bit OFF in such situations). Ideally, it should only be assigned to alternate "break-glass" storage administrator IDs or to vaulted IDs. I'm not a fan of assigning it to Firecall IDs as it grants too much authority. For more on the storage administration authorities that can replace OPERATIONS, see my presentation on this topic, which is available on my website. Here's the link. I have replaced OPERATIONS use with these authorities on many occasions.
https://www.rshconsulting.com/RSHpres/R ... y_2019.pdf
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com