I was RACF admin at ADF and due to the huge workload in managing the Defence forces, we assigned GROUP SPECIAL to different divisional admins. It reduced the workload for us, particularly password resets. It reduced our workload down to creating Dataset aliases to enable TSO access.
We had an automated process to remove users who were inactive past a certain elapsed time. On Thu, Jan 13, 2022 at 5:39 AM Carmen Vitullo <cvitu...@hughes.net> wrote: > I think that's how we allowed group owners to manage their own group and > password change/reset without bothering the RACF ADMIN > > but that was many moons ago :( > > > Carmen > > On 1/12/2022 12:33 PM, Wayne Bickerdike wrote: > > GROUP SPECIAL may work. > > > > On Wed, Jan 12, 2022, 22:04 Gadi Ben-Avi<gad...@malam.com> wrote: > > > >> The user issuing the command also has CONTROL access to IRR.PWRESET.TREE > >> > >> It seems like it won't work, and I'll have to find a workaround. > >> > >> Gadi > >> > >> -----Original Message----- > >> From: IBM Mainframe Discussion List<IBM-MAIN@LISTSERV.UA.EDU> On > Behalf > >> Of Attila Fogarasi > >> Sent: Wednesday, January 12, 2022 12:48 PM > >> To:IBM-MAIN@LISTSERV.UA.EDU > >> Subject: Re: Change password > >> > >> For completeness, also through Facility IRR.PWRESET.OWNER or > >> IRR.PWRESET.TREE or by being owner of the user profile, for ordinary > >> userids. > >> However userids with some powerful attributes, such as SPECIAL, > >> OPERATIONS, AUDITOR and PROTECTED cannot be manipulated without having > >> SPECIAL authority. > >> > >> > >> On Wed, Jan 12, 2022 at 9:41 PM Itschak Mugzach < > >> 00000305158ad67d-dmarc-requ...@listserv.ua.edu> wrote: > >> > >>> Gadi, > >>> > >>> allow the user (that enter the command) to facility irr.password.reset > >>> > >>> *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere > >>> Platform* *|* *Information Security Continuous Monitoring for Z/OS, > >>> zLinux and IBM I **| * > >>> > >>> *|* *Email**:i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 > >>> **|* > >>> *Skype**: ItschakMugzach **|* *Web**:www.Securiteam.co.il **|* > >>> > >>> > >>> > >>> > >>> > >>> On Wed, Jan 12, 2022 at 12:28 PM Gadi Ben-Avi<gad...@malam.com> > wrote: > >>> > >>>> Hi, > >>>> I would like to allow a user that does not have the special or group > >>>> special attribute to issue the following command succefully: > >>>> alu uuuu password(xxxx) resume noexpire revoke ( 01/13/22 ) > >>>> > >>>> Is this possible? > >>>> Right now the command fails with > >>>> ICH408I USER(OP01 ) GROUP(OPER ) NAME(OPER-01 ) > >>>> PARTIAL VIOLATION ON COMMAND ALTUSER > >>>> > >>>> > >>>> We are running z/OS v2.4. > >>>> > >>>> Gadi > >>>> > >>>> -------------------------------------------------------------------- > >>>> -- For IBM-MAIN subscribe / signoff / archive access instructions, > >>>> send email tolists...@listserv.ua.edu with the message: INFO > >>>> IBM-MAIN > >>>> > >>> ---------------------------------------------------------------------- > >>> For IBM-MAIN subscribe / signoff / archive access instructions, send > >>> email tolists...@listserv.ua.edu with the message: INFO IBM-MAIN > >>> > >> ---------------------------------------------------------------------- > >> For IBM-MAIN subscribe / signoff / archive access instructions, send > email > >> tolists...@listserv.ua.edu with the message: INFO IBM-MAIN > >> > >> Email secured by Check Point > >> > >> ---------------------------------------------------------------------- > >> For IBM-MAIN subscribe / signoff / archive access instructions, > >> send email tolists...@listserv.ua.edu with the message: INFO IBM-MAIN > >> > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email tolists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > -- > /I am not bound to win, but I am bound to be true. I am not bound to > succeed, but I am bound to live by the light that I have. I must stand > with anybody that stands right, and stand with him while he is right, > and part with him when he goes wrong. *Abraham Lincoln*/ > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- Wayne V. Bickerdike ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
