In our environment a number of systems programmers have ROAUDIT so that they can look at a RACF User/Group or a Dataset/General Resource Profile. We are also implementing for UNIX FSACCESS. Unfortunately the calls to FSACCESS are not made if the user has one of the system attributes like ROAUDIT, SPECIAL, or AUDITOR.
For a test i granted the user:
C4R.LISTDSD.=AUDITOR
C4R.LISTGRP.=AUDITOR
C4R.LISTUSER.=AUDITOR
C4R.RLIST.=AUDITOR
C4R.SEARCH.=AUDITOR
I been successful at using the scope profiles to let the ID use zSecure list the general resource and dataset profiles along with the access lists. However getting user to list any user or group in zSecure has not worked out. I have tried giving the user read access to:
CKG.RAC.**
CKG.RAC.ALL.**
CKG.RAC.SCP.**
CKG.SCP.**
But no luck.
The only way I been able to get the user to list any user or group is via CKR.READALL
Should I be able to set this up without CKR.READALL? Basically trying to simulate ROAUDIT without granting ROAUDIT. The user needs to be able to use RACF commands or zSecure.
I looked at the Access Monitor data to see if I was getting any RC8's, but the few that I see are unrelated to me listing users or groups.
Any suggestions?------------------------------
Linnea Sullivan
------------------------------