Global Security Forum

  • 1.  RESTRICTED userid

    Posted Fri July 31, 2020 05:47 PM
    It's been my understanding that a user with the RESTRICTED attribute needs explicit (i.e., userid, not group) authorization to access a protected resource.

    Page 85 of the SA Guide reads, "Restricted user IDs cannot be used
    to access protected resources they are not specifically authorized to access. Access
    authorization for restricted user IDs bypasses global access checking. In addition,
    the UACC of a resource and an ID(*) entry on the access list are not used to
    enable a restricted user ID to gain access."

    We had a restricted user ID generating repeated ICH408I messages and violations attempting to read a dataset profile with UACC(READ). 

    A colleague enabled access to that profile for a RACF group to which the restricted user is connected. To my surprise the security violations went away.

    Has something changed? Or have I been misunderstanding the RESTRICTED attribute all along?

    As always, thanks in advance for any assistance.

    ------------------------------
    David Malbuff
    ------------------------------


  • 2.  RE: RESTRICTED userid

    Posted Mon August 03, 2020 02:01 AM
    Sorry, but you've misunderstood the Restricted attribute all along.

    Restricted users can gain access via either a direct permit to the userid, or to a group that the userid is connected to. For example -- say you have a set of similar restricted userids, but all of them need the same permit or set of permits (for example, maybe TSOAUTH or TSOPROC or particular DATASETs like for ISPF) -- you can apply the permits to a group and then connect all of those Restricted ids to that group. It can work well. Good luck.

    ------------------------------
    Scott Tietjen CISSP
    ------------------------------
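
A simplified Python model of the access-list check discussed in this thread, added here as an illustration; it is not code from either poster or from IBM. The user and group names (BATCH1, USER01, RSTGRP) are hypothetical, and the model assumes list-of-groups checking is active and leaves out global access checking, OPERATIONS, security labels and conditional access lists.

```python
# Simplified model of RACF access-list checking for one profile (added example).
# Assumptions: list-of-groups checking is active; global access checking,
# OPERATIONS, security labels and conditional access lists are not modelled.
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class User:
    userid: str
    groups: tuple = ()
    restricted: bool = False

@dataclass
class Profile:
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # userid, group name or "*" -> level

def sufficient(have, want):
    return LEVELS.index(have) >= LEVELS.index(want)

def check(user, profile, want):
    """Return (allowed, deciding_source) for a request at level `want`."""
    acl = profile.acl
    if user.userid in acl:                      # explicit user entry decides
        return sufficient(acl[user.userid], want), "user entry"
    group_levels = [acl[g] for g in user.groups if g in acl]
    if group_levels:                            # highest authority among groups
        best = max(group_levels, key=LEVELS.index)
        return sufficient(best, want), "group entry"
    if user.restricted:                         # ID(*) and UACC are skipped
        return False, "restricted: ID(*) and UACC not used"
    if "*" in acl and sufficient(acl["*"], want):
        return True, "ID(*)"
    return sufficient(profile.uacc, want), "UACC"

# Constructed scenario matching the thread: a profile with UACC(READ).
BATCH1 = User("BATCH1", groups=("RSTGRP",), restricted=True)  # hypothetical names
NORMAL = User("USER01", groups=("RSTGRP",))
before = Profile(uacc="READ")                         # no access-list entries
after = Profile(uacc="READ", acl={"RSTGRP": "READ"})  # the group permit

if __name__ == "__main__":
    for label, prof in (("before", before), ("after", after)):
        for u in (BATCH1, NORMAL):
            print(label, u.userid, check(u, prof, "READ"))
```
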