Lucymarie,
RACF questions are always best asked on the RACF-L. That is the forum for
RACF related questions.
Now to your specific question... Auditor (system level or group level)
gives the user the ability to list any RACF base segment within scope.
What it does not do is give the ability to view segments (OMVS, TSO, CICS,
etc...) outside the base.
To give your auditor the ability to list the content of the TSO segment,
you would need to define FIELD USER.TSO.*, and permit them to the resource
with READ. Sample commands (assumes you've never used FIELD):
SETROPTS GENERIC(FIELD) GENCMD(FIELD)
RDEF FIELD USER.TSO.* UACC(NONE) OWNER( specify an owner here )
/* let users see their own TSO segment */
PE USER.TSO.* ID(&RACUID) ACCESS(READ)
/* let group "AUDITORS" view all users TSO segments */
PE USER.TSO.* ID(AUDITORS) ACCESS(READ)
SETROPTS CLASSACT(FIELD) RACLIST(FIELD)
Hayim
_____________________________________
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177
Lucymarie Ruth <lucymarie.r...@safeway.com>
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
2009.07.06 21:41
Please respond to
IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
To
IBM-MAIN@bama.ua.edu
cc
Subject
RACF AUDITOR authority and OMVS segment
Hi. The "z/OS V1R10.0 RACF Security Server RACF Administrator's
Guide" says that "The user who has the AUDITOR attribute can list all
of the profile information that is available to the SPECIAL user, as well
as information that is available to auditors." In table 40 in the same
manual, it says that a userid with AUDITOR authority can also specify
all operands of the RACF LISTUSER command.
However, one of our user's with AUDITOR authority received a
message that she did not authority to view an OMVS segment when
issueing this:
LU user-id NORACF OMVS
Is this a bug, a feature, or just an anomaly that needs to be explained?
Anyone else noticed this?
Lucymarie Ruth, Safeway, Inc.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
________________________________________________________
DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses. The company
accepts no liability for any damage caused by any virus transmitted
by this email.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
