add new user to RACF

Posted: Sat Nov 19, 2011 9:28 pm
by XY09
Hello Team,
Is it possible to add a new RACF user to the RACF database without having the SPECIAL attribute?

Thanks in advance!!!

Thanks,
XY09.

Re: add new user to RACF

Posted: Sun Nov 20, 2011 12:26 am
by enrico-sorichetti
NO.

But... why not check yourself, starting from
http://www-03.ibm.com/systems/z/os/zos/ ... index.html

and proceeding to the bookshelf for the z/OS level you are interested in?

Re: add new user to RACF

Posted: Sun Nov 20, 2011 12:52 am
by dick scherrer
Hello,

If you are not specifically authorized to add users to RACF, trying to do so may be an offense that justifies termination.

Re: add new user to RACF

Posted: Tue Nov 22, 2011 2:43 am
by Robert Hansel
In order to add a user to RACF without System SPECIAL, you need either:

1) Group-SPECIAL and CLAUTH(USER), provided the default group (DFLTGRP) of the new user is within the scope of groups for the Group-SPECIAL user, or

2) Group JOIN authority and CLAUTH(USER), provided the DFLTGRP of the new user is the same as the group for the JOIN authority user.

CLAUTH is an abbreviation for Class Authorization and is a user profile attribute. It must be assigned by a System SPECIAL user.

These authorities let you add a new user but not add or change user profile segments (e.g., TSO, OMVS). For that you will need FIELD class profile permissions.

Re: add new user to RACF

Posted: Tue Nov 22, 2011 11:05 am
by steve-myers
Mr. Hansel is correct, plus you usually have to do other things to properly create a new user.
  • Create a master catalog alias to a user catalog for the user. If your site has multiple systems this must be done for the master catalog for each system.
  • Create a RACF dataset profile (usually userid.* or userid.**) for the user.
  • Your site may have additional requirements.

Re: add new user to RACF

Posted: Fri Jan 20, 2012 8:08 pm
by XY09
Thank you Steve & Robert for your help.

I had given all the authorities to a particular user. He is able to define new user(s) in the GROUP where he has JOIN, group-SPECIAL, CLAUTH(USER), TSO & OMVS FIELD class authorities, but he is not able to define the new user profiles to RACF. Please help me on this.

I am getting the below message while defining the DI60609.* user profile.

"ICH09025I NOT AUTHORIZED TO RACF PROTECT DI60609.*".

Appreciate your help!!!

Thanks,
xy09.

Re: add new user to RACF

Posted: Fri Jan 20, 2012 8:25 pm
by Robert Sample
It is not clear if you are referring to two separate problems in your post, or just one. For the ICH09025I message you're getting, the RACF Command Language Reference manual indicates for ADDSD:
Authorization Required

When issuing the ADDSD command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.

...removed text ...
The level of authority you need to use the ADDSD command and the types of profiles you can define are:

To protect a user data set with RACF, one of the following must be true:
  • The high-level qualifier of the data set name (or the qualifier supplied by the RACF naming conventions table or by a command installation exit) must match your user ID.
  • You must have the SPECIAL attribute.
  • The user ID for the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute.

To protect a group data set with RACF, one of the following must be true:
  • You must have at least CREATE authority in the group.
  • You must have the SPECIAL attribute.
  • You must have the OPERATIONS attribute and not be connected to the group.
  • The data set profile must be within the scope of the group in which you have the group-SPECIAL attribute.
  • The data set profile must be within the scope of the group in which you have the group-OPERATIONS attribute, and you must not be connected to the group.
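
An added example, not part of any post in this thread and not the posters' or IBM's own commands: the RACF/TSO command sequence implied by the ADDUSER, FIELD class, data set profile and catalog alias requirements discussed above. HELPDSK (the delegated administrator), DEPTA, NEWUSR1, the catalog name UCAT.USERS and the password value are hypothetical placeholders.

```tso
/* Added example. HELPDSK, DEPTA, NEWUSR1, UCAT.USERS and the        */
/* password value are hypothetical placeholders.                     */

/* === Issued by a System SPECIAL user: delegate to HELPDSK ===      */
ALTUSER HELPDSK CLAUTH(USER)           /* class authority for USER   */
CONNECT HELPDSK GROUP(DEPTA) SPECIAL   /* group-SPECIAL in DEPTA     */
/* JOIN-only alternative (new user's DFLTGRP must then be DEPTA):    */
/*   CONNECT HELPDSK GROUP(DEPTA) AUTHORITY(JOIN)                    */

/* FIELD class permission so HELPDSK can maintain TSO segments.      */
/* An OMVS segment needs its own FIELD profile (USER.OMVS.*).        */
SETROPTS GENERIC(FIELD)
RDEFINE FIELD USER.TSO.* UACC(NONE)
PERMIT USER.TSO.* CLASS(FIELD) ID(HELPDSK) ACCESS(UPDATE)
SETROPTS CLASSACT(FIELD) RACLIST(FIELD)

/* Check what was actually granted before handing over: look for     */
/* the USER class authorization and the DEPTA connect attributes.    */
LISTUSER HELPDSK

/* === Issued by HELPDSK: create the user ===                        */
/* OWNER(DEPTA) is given explicitly. Assumption: ownership by the    */
/* group is what keeps NEWUSR1 within DEPTA's group-SPECIAL scope    */
/* for the ADDSD below.                                              */
ADDUSER NEWUSR1 NAME('NEW USER') DFLTGRP(DEPTA) OWNER(DEPTA) -
        PASSWORD(<initial-password>)

/* Data set profile for the new high-level qualifier. HELPDSK's own  */
/* ID does not match the qualifier, so this relies on group-SPECIAL  */
/* with NEWUSR1 in scope; JOIN plus CLAUTH(USER) alone is not in the */
/* ADDSD list and would end in ICH09025I. The .** form assumes       */
/* enhanced generic naming is active; otherwise use 'NEWUSR1.*'.     */
ADDSD 'NEWUSR1.**' UACC(NONE) OWNER(NEWUSR1)

/* Master catalog alias pointing at the user catalog. Repeat for the */
/* master catalog of each system. This needs catalog update access,  */
/* which none of the RACF authorities above provide.                 */
DEFINE ALIAS(NAME('NEWUSR1') RELATE('UCAT.USERS'))

/* === Verify the result ===                                         */
LISTUSER NEWUSR1
LISTDSD DATASET('NEWUSR1.**') GENERIC
```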

Re: add new user to RACF

Posted: Fri Jan 20, 2012 10:07 pm
by steve-myers
I don't think XY09 read ALL of Mr. Handel's post.

Re: add new user to RACF

Posted: Sat Jan 21, 2012 1:45 pm
by NicC
Hansel, Steve. Hansel!

Re: add new user to RACF

Posted: Sat Jan 21, 2012 5:55 pm
by steve-myers
Finger check!