z/OS Security Server RACF Security Administrator's Guide


Steps for excluding selected user profiles

SA23-2289-00

Perform the following steps to exclude selected user profiles from the authority of a general user or group that is authorized through the IRR.LU.OWNER.owner or IRR.LU.TREE.owner resource in the FACILITY class.
  1. Define the following generic profiles in the FACILITY class, if not already defined. Doing so ensures that an existing generic profile does not inadvertently prevent you from successfully excluding selected user profiles.
    Example:
    RDEFINE FACILITY IRR.LISTUSER.**   UACC(NONE)
    RDEFINE FACILITY IRR.LU.**         UACC(NONE)
    RDEFINE FACILITY IRR.LU.EXCLUDE.** UACC(READ)
  2. Define a profile to protect the IRR.LU.EXCLUDE.excluded-user resource in the FACILITY class using UACC(NONE), where excluded-user is the user ID you want to exclude.
    Examples:
    RDEFINE FACILITY IRR.LU.EXCLUDE.SHANNON UACC(NONE)
       AUDIT(FAILURES(NONE) SUCCESSES(READ))
    RDEFINE FACILITY IRR.LU.EXCLUDE.GRPADM* UACC(NONE)
       AUDIT(FAILURES(NONE) SUCCESSES(READ))

  3. Optionally, authorize selected users and groups with READ access to the IRR.LU.EXCLUDE.excluded-user resource. Perform this step only when certain users or groups who are authorized to an IRR.LU resource need to list the profile of the excluded user.
    Example:
    PERMIT IRR.LU.EXCLUDE.SHANNON CLASS(FACILITY) ID(HELPMGR) ACCESS(READ)

  4. Activate the FACILITY class if not already active.
    Example:
    SETROPTS CLASSACT(FACILITY)
    If the FACILITY class is already active and RACLISTed, refresh the FACILITY class profiles.
    SETROPTS RACLIST(FACILITY) REFRESH

You have now excluded selected user profiles from the authority of a general user or group that is authorized through the IRR.LU.OWNER.owner or IRR.LU.TREE.owner resource in the FACILITY class.
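As an added illustration (not IBM's code and not how RACF itself is implemented), the following Python model loads the FACILITY profiles defined in the steps above plus a constructed IRR.LU.OWNER.DEPTA profile, and shows which list requests an IRR.LU.OWNER-authorized user can still make once SHANNON and the GRPADM* IDs are excluded. Generic matching, most-specific-profile selection and access-list evaluation are deliberately simplified; each simplification is marked as an assumption in the comments.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str                 # FACILITY resource name; may use ** * %
    uacc: str                 # "NONE" or "READ"
    acl: dict = field(default_factory=dict)   # user/group -> access

def matches(profile: str, resource: str) -> bool:
    """** spans qualifiers, * stays inside one qualifier, % is one character."""
    pat = re.escape(profile).replace(r"\*\*", ".*").replace(r"\*", r"[^.]*").replace("%", ".")
    return re.fullmatch(pat, resource) is not None

def specificity(profile: str) -> list:
    # Assumption: compared left to right, a discrete character is more
    # specific than %, which beats *, which beats **. Smaller key wins.
    key, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            key.append(3); i += 2
        else:
            key.append({"%": 1, "*": 2}.get(profile[i], 0)); i += 1
    return key

def best_profile(resource: str, profiles: list):
    hits = [p for p in profiles if matches(p.name, resource)]
    return min(hits, key=lambda p: specificity(p.name)) if hits else None

def access(p: Profile, requester: str, groups: set) -> str:
    # Assumption: first access-list hit (user ID, then groups) wins; else UACC.
    for ident in [requester, *sorted(groups)]:
        if ident in p.acl:
            return p.acl[ident]
    return p.uacc

def can_list_user(requester, groups, target, target_owner, profiles) -> bool:
    """Model: READ on IRR.LU.OWNER.<owner> lets the requester list users owned
    by <owner>, unless a profile covering IRR.LU.EXCLUDE.<target> denies READ.
    Assumption: with no covering EXCLUDE profile the target is not excluded."""
    owner = best_profile(f"IRR.LU.OWNER.{target_owner}", profiles)
    if owner is None or access(owner, requester, groups) != "READ":
        return False
    excl = best_profile(f"IRR.LU.EXCLUDE.{target}", profiles)
    return excl is None or access(excl, requester, groups) == "READ"

# Profiles from steps 1-3 above; IRR.LU.OWNER.DEPTA and its ACL are constructed.
PROFILES = [
    Profile("IRR.LISTUSER.**", "NONE"),
    Profile("IRR.LU.**", "NONE"),
    Profile("IRR.LU.EXCLUDE.**", "READ"),
    Profile("IRR.LU.EXCLUDE.SHANNON", "NONE", {"HELPMGR": "READ"}),
    Profile("IRR.LU.EXCLUDE.GRPADM*", "NONE"),
    Profile("IRR.LU.OWNER.DEPTA", "NONE", {"HELPDESK": "READ", "HELPMGR": "READ"}),
]
```

Changing PROFILES in the model is immediate; on the real system the equivalent RDEFINE/PERMIT changes take effect for a RACLISTed FACILITY class only after the SETROPTS RACLIST(FACILITY) REFRESH in step 4.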

Copyright IBM Corporation 1990, 2014