Hi,
Could anyone please let me know the class name and profile for Revoke Privilege in RACF? I tried to find it in the RACF admin guide but I couldn't figure it out.
To gain a revoke privilege, a user needs some classes and profiles permitted. So could you please let me know the facility name and profile which provides an ID to revoke others' ID. Revoke privilege (not a class name or facility)
Whereas the PERMIT command, which allows groups or users access to resources, requires
Authorization Required
The specified users and group must already be defined to RACF.
When issuing the CONNECT command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.
To use the CONNECT command, you must have at least one of the following:
* The SPECIAL attribute
* The group-SPECIAL attribute in the group
* The ownership of the group
* JOIN or CONNECT authority in the group.
You cannot give a user a higher level of authority in the group than you have.
Note, for example, that someone with SPECIAL attribute is not required to have any access to classes or profiles -- that user id can CONNECT or PERMIT without regard to them.
Authorization Required
When issuing the PERMIT command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. See z/OS Security Server RACF Security Administrator's Guide for further information.
To perform any of the PERMIT functions, you must have sufficient authority over the resource. RACF makes the following checks until one of the conditions is met:
* You have the SPECIAL attribute.
* The profile is within the scope of a group in which you have the group-SPECIAL attribute.
* You are the owner of the resource.
* If the resource belongs to the DATASET class, the high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit) is your user ID.
* If the resource belongs to the DATASET class, you must be the current owner of the profile or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute.
* If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.
For discrete profiles only:
* You are on the standard access list for the resource and you have ALTER authority.
* Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the standard access list and has ALTER authority.
* The universal access authority is ALTER.