IBM Security Z Security

In our environment a number of systems programmers have ROAUDIT so that they can look at a RACF User/Group or a Dataset/General Resource Profile.   We are also implementing for UNIX FSACCESS.   Unfortunately the calls to FSACCESS are not made if the user has one of the system attributes like ROAUDIT, SPECIAL, or AUDITOR.

For a test i granted the user:
C4R.LISTDSD.=AUDITOR
C4R.LISTGRP.=AUDITOR
C4R.LISTUSER.=AUDITOR
C4R.RLIST.=AUDITOR
C4R.SEARCH.=AUDITOR

I been successful at using the scope profiles to let the ID use zSecure list the general resource and dataset profiles along with the access lists.  However getting user to list any user or group in zSecure has not worked out.    I have tried giving the user read access to:

CKG.RAC.**
CKG.RAC.ALL.**
CKG.RAC.SCP.**
CKG.SCP.**

But no luck.

The only way I been able to get the user to list any user or group is via CKR.READALL

Should I be able to set this up without CKR.READALL?    Basically trying to simulate ROAUDIT without granting ROAUDIT.   The user needs to be able to use RACF commands or zSecure.

I looked at the Access Monitor data to see if I was getting any RC8's, but the few that I see are unrelated to me listing users or groups.

Any suggestions?

------------------------------
Linnea Sullivan
------------------------------

Hi Linnea
CKR.READALL is designed to be the equivalent of ROAUDIT: it allows the user to see any and all profiles, and all non-masked fields in the profiles from within CKRCARLA driven displays/reports.  This control is described in  Appendix C. Restricted mode of the Installation and Deployment manual.

------------------------------
Rob van Hoboken
------------------------------

Original Message:
Sent: Wed August 26, 2020 03:22 PM
From: Linnea Sullivan
Subject: Uncontrolled / Controlled Temporary System Attributes

In our environment a number of systems programmers have ROAUDIT so that they can look at a RACF User/Group or a Dataset/General Resource Profile.   We are also implementing for UNIX FSACCESS.   Unfortunately the calls to FSACCESS are not made if the user has one of the system attributes like ROAUDIT, SPECIAL, or AUDITOR.

For a test i granted the user:
C4R.LISTDSD.=AUDITOR
C4R.LISTGRP.=AUDITOR
C4R.LISTUSER.=AUDITOR
C4R.RLIST.=AUDITOR
C4R.SEARCH.=AUDITOR

I been successful at using the scope profiles to let the ID use zSecure list the general resource and dataset profiles along with the access lists.  However getting user to list any user or group in zSecure has not worked out.    I have tried giving the user read access to:

CKG.RAC.**
CKG.RAC.ALL.**
CKG.RAC.SCP.**
CKG.SCP.**

But no luck.

The only way I been able to get the user to list any user or group is via CKR.READALL

Should I be able to set this up without CKR.READALL?    Basically trying to simulate ROAUDIT without granting ROAUDIT.   The user needs to be able to use RACF commands or zSecure.

I looked at the Access Monitor data to see if I was getting any RC8's, but the few that I see are unrelated to me listing users or groups.

Any suggestions?

------------------------------
Linnea Sullivan
------------------------------