IBM Security Z Security

Expand all | Collapse all

Uncontrolled / Controlled Temporary System Attributes

  • 1.  Uncontrolled / Controlled Temporary System Attributes

    Posted Wed August 26, 2020 03:23 PM
    In our environment a number of systems programmers have ROAUDIT so that they can look at a RACF User/Group or a Dataset/General Resource Profile.   We are also implementing for UNIX FSACCESS.   Unfortunately the calls to FSACCESS are not made if the user has one of the system attributes like ROAUDIT, SPECIAL, or AUDITOR.

    For a test i granted the user:

    I been successful at using the scope profiles to let the ID use zSecure list the general resource and dataset profiles along with the access lists.  However getting user to list any user or group in zSecure has not worked out.    I have tried giving the user read access to:


    But no luck.

    The only way I been able to get the user to list any user or group is via CKR.READALL

    Should I be able to set this up without CKR.READALL?    Basically trying to simulate ROAUDIT without granting ROAUDIT.   The user needs to be able to use RACF commands or zSecure.

    I looked at the Access Monitor data to see if I was getting any RC8's, but the few that I see are unrelated to me listing users or groups.

    Any suggestions?

    Linnea Sullivan

  • 2.  RE: Uncontrolled / Controlled Temporary System Attributes

    Posted Thu August 27, 2020 01:58 AM
    Hi Linnea
    CKR.READALL is designed to be the equivalent of ROAUDIT: it allows the user to see any and all profiles, and all non-masked fields in the profiles from within CKRCARLA driven displays/reports.  This control is described in  Appendix C. Restricted mode of the Installation and Deployment manual.

    Rob van Hoboken