add new user to RACF




Post by XY09 » Sat Nov 19, 2011 9:28 pm

Hello Team,
Is it possible to add a new RACF user to the RACF database without having the SPECIAL attribute?

Thanks in advance!!!.

Thanks,
XY09.

Re: add new user to RACF

Post by enrico-sorichetti » Sun Nov 20, 2011 12:26 am

NO.

but... why not check Yourself starting from
http://www-03.ibm.com/systems/z/os/zos/ ... index.html

and proceeding to the bookshelf for the zOS level You are interested in ?
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort

Re: add new user to RACF

Post by dick scherrer » Sun Nov 20, 2011 12:52 am

Hello,

If you are not specifically authorized to add users to RACF, trying to do so may be an offense that justifies termination.
Hope this helps,
d.sch.

Re: add new user to RACF

Post by Robert Hansel » Tue Nov 22, 2011 2:43 am

In order to add a user to RACF without System SPECIAL, you need either:

1) Group-SPECIAL and CLAUTH(USER), provided the default group (DFLTGRP) of the new user is within the scope of groups for the Group-SPECIAL user, or

2) Group JOIN authority and CLAUTH(USER), provided the DFLTGRP of the new user is the same as the group for the JOIN authority user.

CLAUTH is an abbreviation for Class Authorization and is a user profile attribute. It must be assigned by a System SPECIAL user.

These authorities let you add a new user but not add or change user profile segments (e.g., TSO, OMVS). For that you will need FIELD class profile permissions.
Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

Re: add new user to RACF

Post by steve-myers » Tue Nov 22, 2011 11:05 am

Mr. Hansel is correct, plus you usually have to do other things to properly create a new user.
  • Create a master catalog alias to a user catalog for the user. If your site has multiple systems this must be done for the master catalog for each system.
  • Create a RACF dataset profile (usually userid.* or userid.**) for the user.
  • Your site may have additional requirements.

Re: add new user to RACF

Post by XY09 » Fri Jan 20, 2012 8:08 pm

Thank you Steve & Robert for your help.

I had given all the authorities for a particular user. He is able to define new user(s) in the GROUP where he has JOIN, group-SPECIAL, CLAUTH(USER), TSO & OMVS FIELD class authorities, but he is not able to define the new user profiles to RACF. Please help me on this.

I am getting the below message while defining the DI60609.* user profile.

"ICH09025I NOT AUTHORIZED TO RACF PROTECT DI60609.*".

Appreciate your help!!!.

Thanks,
xy09.

Re: add new user to RACF

Post by Robert Sample » Fri Jan 20, 2012 8:25 pm

It is not clear if you are referring to two separate problems in your post, or just one. For the ICH09025I message you're getting, the RACF Command Language Reference manual indicates for ADDSD:

Authorization Required

When issuing the ADDSD command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.

...removed text ...

The level of authority you need to use the ADDSD command and the types of profiles you can define are:

To protect a user data set with RACF, one of the following must be true:
  • The high-level qualifier of the data set name (or the qualifier supplied by the RACF naming conventions table or by a command installation exit) must match your user ID.
  • You must have the SPECIAL attribute.
  • The user ID for the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute.

To protect a group data set with RACF, one of the following must be true:
  • You must have at least CREATE authority in the group.
  • You must have the SPECIAL attribute.
  • You must have the OPERATIONS attribute and not be connected to the group.
  • The data set profile must be within the scope of the group in which you have the group-SPECIAL attribute.
  • The data set profile must be within the scope of the group in which you have the group-OPERATIONS attribute, and you must not be connected to the group.
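The ADDUSER conditions from Robert Hansel's post and the ADDSD user data set conditions quoted above can be checked side by side with a small model. This is an added example, not code from any poster or from IBM; the names HELPDSK, DEPTA and NEWUSR1 are constructed, and the group-SPECIAL scope sets are assumed to be worked out by the caller rather than derived from profile ownership.

```python
from dataclasses import dataclass, field

@dataclass
class Admin:
    userid: str
    special: bool = False                               # system SPECIAL
    clauth_user: bool = False                           # CLAUTH(USER)
    join_groups: set = field(default_factory=set)       # groups where JOIN is held
    gspecial_groups: set = field(default_factory=set)   # groups in group-SPECIAL scope (assumed given)
    gspecial_users: set = field(default_factory=set)    # user IDs in group-SPECIAL scope (assumed given)
    field_segments: set = field(default_factory=set)    # segments permitted through FIELD class

def can_adduser(a, dfltgrp):
    """ADDUSER conditions as stated in the thread."""
    if a.special:
        return True
    in_group = dfltgrp in a.gspecial_groups or dfltgrp in a.join_groups
    return a.clauth_user and in_group

def can_addsd_user_dataset(a, hlq):
    """ADDSD conditions for a user data set, per the quoted manual text."""
    return a.special or hlq == a.userid or hlq in a.gspecial_users

def provisioning_gaps(a, new_user, dfltgrp, segments=()):
    """Return the provisioning steps this administrator is not authorized for."""
    gaps = []
    if not can_adduser(a, dfltgrp):
        gaps.append("ADDUSER")
    if not can_addsd_user_dataset(a, new_user):
        gaps.append("ADDSD")
    for seg in segments:
        if not (a.special or seg in a.field_segments):
            gaps.append("SEGMENT:" + seg)
    return gaps

if __name__ == "__main__":
    # Constructed sample: JOIN + CLAUTH(USER) + FIELD access, but the new
    # user ID is not in any group-SPECIAL scope held by the administrator.
    helpdesk = Admin("HELPDSK", clauth_user=True, join_groups={"DEPTA"},
                     field_segments={"TSO", "OMVS"})
    print(provisioning_gaps(helpdesk, "NEWUSR1", "DEPTA", ["TSO", "OMVS"]))
```

With JOIN and CLAUTH(USER) alone the user profile can be added, but the data set profile step is reported as a gap because none of the three ADDSD conditions holds.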

Re: add new user to RACF

Post by steve-myers » Fri Jan 20, 2012 10:07 pm

I don't think XY09 read ALL of Mr. Handel's post.

Re: add new user to RACF

Post by NicC » Sat Jan 21, 2012 1:45 pm

Hansel, Steve. Hansel!
The problem I have is that people can explain things quickly but I can only comprehend slowly.
Regards
Nic

Re: add new user to RACF

Post by steve-myers » Sat Jan 21, 2012 5:55 pm

Finger check!

