protecting datasets with racf

PostPosted: Sun Nov 14, 2010 2:46 pm
by mosu
hi,

I have a few issues grasping some of the concepts behind protecting data sets.
For example, if for a group, say 'shop', i want all the data to be protected, I would say ADDSD SHOP.** UACC(NONE)
But then I want a group of users to be able to access/modify a part of the dataset. So I would do PERMIT SHOP.TEAMS.DEV.** ID(DEV) ACCESS(UPDATE)
Now what I don't understand:
a) to be able to issue the second command I also need to do ADDSD SHOP.TEAMS.DEV.** UACC(NONE). Why is this since I already assigned UACC(NONE) to the SHOP?
b) is there an easy way to see who is on the PERMIT access list?

thanks :)

Re: protecting datasets with racf

PostPosted: Sun Nov 14, 2010 8:12 pm
by steve-myers
Before you can insert an access list for a profile (using PERMIT) you have to create the profile using ADDSD. SHOP.** is a separate profile. It would cover the data sets covered by SHOP.TEAMS.DEV.** if the profile didn't exist, but since it does exist it's as though SHOP.** no longer exists.

You can list the profile with the LISTDSD command:

LISTDSD DATASET('SHOP.TEAMS.DEV.**') AUTHUSER GENERIC

Since the profile contains a wild card character you don't have to specify the GENERIC keyword, which you would have to specify if it were a complete data set name:

LISTDSD DATASET('SHOP.TEAMS.DEV.SOURCE') AUTHUSER

would not work because there is no profile for SHOP.TEAMS.DEV.SOURCE, but if you specified GENERIC in the command it would list the SHOP.TEAMS.DEV.** profile.

Hope this helps,

Re: protecting datasets with racf

PostPosted: Mon Nov 15, 2010 4:01 am
by mosu
Hi,

Thanks, that helped a lot!

One more issue:

I am trying to give a user (supposed to be an admin) the permission to change passwords, revoke and resume user ids. If I get this right, group-special attribute should do it (and for revoking the only way I know). However, this would give him other rights that he shouldn't have. So I was thinking about using IRR.PASSWORD.RESET for this user, however I get the error 'not authorized to use IRR.PASSWORD.RESET' (or something like that). I cannot find anywhere in the manual what attributes you need to have to be able to use this (I have group-special).

Thanks again!

Re: protecting datasets with racf

PostPosted: Mon Nov 15, 2010 5:27 am
by steve-myers
Well, I did find a manual. My first thought when I read its description is IRR.PASSWORD.RESET gives too much authority, but after some thought I realized that you probably have to be able to "resume" a user when you change their password since the user was probably revoked when they need help.

The problem isn't too much authority, it's the authority is too wide. IRR.PASSWORD.RESET appears to allow any user to reset any other user.

Your immediate problem is you can't authorize its use. I think your problem is group-special can't PERMIT it, but the problem may also be that the profile was never established. You might also check if alternates might be more useful, though I think system-special might be required for any of them. See this topic.

Re: protecting datasets with racf

PostPosted: Mon Nov 15, 2010 6:11 am
by mosu
Hi,

In the end (and largely due to time constraints) I decided to give that user group-special and I will limit his data set access with a Permit command. I think this should be fine.

Thanks!

Re: protecting datasets with racf

PostPosted: Mon Nov 15, 2010 10:46 am
by steve-myers
I agree that group-special is probably your better choice. That user can do password resets and resume only the users in the group.

Re: protecting datasets with racf

PostPosted: Tue Jun 28, 2011 7:56 pm
by kudsi_tabrez
Hi,

I believe the user should be granted access over facility class profile IRR.PASSWORD.RESET

Re: protecting datasets with racf

PostPosted: Tue Jun 28, 2011 9:16 pm
by steve-myers
FACILITY/IRR.PASSWORD.RESET is a useful tool for help desk people to reset passwords. That's its intended use! However, it has nothing to do with protecting datasets.

Re: protecting datasets with racf

PostPosted: Thu Mar 15, 2012 10:45 pm
by angrybeaver
You can control the scope of the IRR.PASSWORD.RESET facility profiles to certain groups so it's not system-wide.

If the link doesn't work, google the full URI and they have a cached copy...

ftp://ftp.software.ibm.com/eserver/zser ... larity.pdf
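The two setups discussed in this thread (the SHOP.** / SHOP.TEAMS.DEV.** data set profiles and the FACILITY profile for help-desk password resets) carried out as one batch TSO job. This is an added example, not from any poster; the group names DEV and HELPDESK and the job card are assumptions.

```jcl
//RACFDEMO JOB (ACCT),'RACF PROFILE EXAMPLE',CLASS=A,MSGCLASS=X
//* Added example, not from the thread. Group names DEV and
//* HELPDESK are assumed; the issuing user needs the authority
//* to define and permit these profiles.
//*
//* Data set names are quoted: TSO prefixes an unquoted name
//* with the issuing user's prefix, so an unquoted SHOP.** would
//* become <userid>.SHOP.**.
//*
//* Step 1  Top-level generic profile: deny everything under SHOP.
//* Step 2  The more specific profile now covers SHOP.TEAMS.DEV.*
//*         instead of SHOP.**, so it must exist before PERMIT can
//*         add to its access list (the original question a).
//* Step 3  In-storage generic profiles are refreshed so the new
//*         access takes effect.
//* Step 4  AUTHUSER lists the access list of the profile (the
//*         original question b); GENERIC is required when the
//*         name given does not itself contain a wildcard.
//* Step 5  Help-desk password reset without group-SPECIAL: the
//*         FACILITY profile has to be defined before it can be
//*         PERMITted, then RACLISTed profiles are refreshed and
//*         the access list is verified with RLIST.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'SHOP.**' UACC(NONE)
  ADDSD 'SHOP.TEAMS.DEV.**' UACC(NONE)
  PERMIT 'SHOP.TEAMS.DEV.**' ID(DEV) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('SHOP.TEAMS.DEV.**') AUTHUSER GENERIC
  LISTDSD DATASET('SHOP.TEAMS.DEV.SOURCE') AUTHUSER GENERIC
  RDEFINE FACILITY IRR.PASSWORD.RESET UACC(NONE)
  PERMIT IRR.PASSWORD.RESET CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY IRR.PASSWORD.RESET AUTHUSER
/*
```

Both LISTDSD commands report the same SHOP.TEAMS.DEV.** profile, the second one because GENERIC tells RACF to find the generic profile covering the fully qualified name.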