IBM Security Z Security
  • 1.  RACF Revoke Command

    Posted Thu July 18, 2024 09:20 AM

    When I issue the REVOKE User command during an active user session, will it be issued immediately and the user session terminated? When exactly does the result of a REVOKE command show up? The documentation says "You can prevent a RACF® user from entering the system by assigning the REVOKE attribute on the ALTUSER command. This attribute is useful when you want to prevent a user from entering the system..." But what if the user is already active in the system?

    Further on the documentation says: "You can also assign the REVOKE attribute on a group level by using the CONNECT command. If the user has the REVOKE attribute for a group, the user cannot enter the system by connecting to that particular group, or access resources as a member of that group." 

    Will the Revoke Attribute be checked every time the group permissions are needed and every time the user tries to access resources? In other words will the revoke attribute show results immediately during an active user session?

    Can someone help me? Is there some further documentation available somewhere? I am kind of lost in the jungle... :-)

    Thank you!

    ------------------------------
    Cornelia Eiselt
    ------------------------------


  • 2.  RE: RACF Revoke Command

    Posted Fri July 19, 2024 04:58 AM

    Hi Cornelia

    The ALTUSER REVOKE command, as the documentation states, indeed prevents a user from entering the system. But if the user at the time of your ALTUSER REVOKE command is already logged on, that command does not affect the current active session of this user. In other words, as long as the user that you revoked does not log off, they can continue to use your system.

    Regarding the REVOKE attribute on a group connection: if that happens to be the user's default group, the user can no longer log on unless they specify another group name that they are connected to during the logon action. If a REVOKE is specified for another group that a user is connected to, they can log on (with their default group) as usual without specifying a group name on the logon panel. In that case, the user automatically logs on using their default group, and the user can work as usual except when they attempt to access a resource that is permitted to the revoked group. The group REVOKE prevents this user from accessing resources that are permitted to the revoked group. When the user has access to that same resource via another connect group, they might still be allowed to access the involved resource. However, when the user only has access via the revoked group, that access will not be allowed until the connection to this group is resumed.

    I hope this answers your questions sufficiently.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: RACF Revoke Command

    IBM Champion
    Posted Fri July 19, 2024 04:58 AM
    Edited by Rob van Hoboken Fri July 19, 2024 06:04 AM

    The REVOKE command sets a flag in the user's profile, in principle it does not affect the user's current sessions.  The flag (also called REVOKE) is tested whenever a new session is initiated, in other words, an ACEE is created through RACINIT or RACROUTE REQ=VERIFY.

    Existing sessions may be hindered when they initiate work in another address space such as HSM recalls, OMVS work and batch job submission.

    A REVOKE at the user (profile) level will prevent subsequent logons from the user ID, it will not stop current logons.

    A REVOKE at the group level is effected with a CONNECT user GROUP(group) REVOKE command.  It removes the user's authorities that were granted by means of this connect group.  If the user has only one connect group, logon will be impossible.

    Group connect information is loaded at the time of logon and stored in the user's private area, so changes in their connect group information will be ineffective until they log off and log on again.

    Similar changes to the permits that a user has through their user ID (and not by means of a change in connect groups) can be put into effect through a SETROPTS REFRESH GENERIC(class), but changes to the connect groups won't be effective until you log off and log on.

    ------------------------------
    Rob van Hoboken
    ------------------------------
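The two replies above describe the same timing rule: ALTUSER REVOKE and CONNECT ... REVOKE change flags in the RACF database, but a running session works from the ACEE that was built at logon (RACROUTE REQ=VERIFY), so the change only shows up at the next logon. The following Python model is an added illustration of that rule, not RACF code and not part of either reply; the user ID CORNEL, the groups TSOUSER and PAYADM, and the resources PAYROLL.MASTER and SYS1.PROCLIB are constructed for the example, and the model deliberately ignores everything else RACF does (UACC, access levels, RACLISTed profiles, refresh).

```python
"""Toy model of when a RACF REVOKE takes effect (constructed example, not RACF)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class UserProfile:
    userid: str
    default_group: str
    revoked: bool = False                              # ALTUSER userid REVOKE / RESUME
    connects: Dict[str, bool] = field(default_factory=dict)  # group -> connect REVOKE flag


@dataclass(frozen=True)
class ACEE:
    """What a session carries: a snapshot taken when the session was verified."""
    userid: str
    current_group: str
    connect_groups: FrozenSet[str]


class RacfModel:
    def __init__(self) -> None:
        self.users: Dict[str, UserProfile] = {}
        self.permits: Dict[str, Set[str]] = {}         # resource -> ids in the access list

    def adduser(self, userid: str, dfltgrp: str) -> None:
        self.users[userid] = UserProfile(userid, dfltgrp, connects={dfltgrp: False})

    def connect(self, userid: str, group: str, revoke: bool = False) -> None:
        """CONNECT userid GROUP(group) [REVOKE|RESUME] - only a flag in the database."""
        self.users[userid].connects[group] = revoke

    def altuser(self, userid: str, revoke: bool) -> None:
        """ALTUSER userid REVOKE / RESUME - only a flag in the database."""
        self.users[userid].revoked = revoke

    def permit(self, resource: str, id_: str) -> None:
        self.permits.setdefault(resource, set()).add(id_)

    def verify(self, userid: str, group: Optional[str] = None) -> Optional[ACEE]:
        """RACROUTE REQ=VERIFY: the only point where the REVOKE flags are tested."""
        u = self.users[userid]
        if u.revoked:
            return None                                # user-level REVOKE blocks logon
        group = group or u.default_group               # no group given -> default group
        if group not in u.connects or u.connects[group]:
            return None                                # not connected, or connect revoked
        live = frozenset(g for g, rev in u.connects.items() if not rev)
        return ACEE(userid, group, live)               # connect groups copied at logon

    def auth(self, acee: ACEE, resource: str) -> bool:
        """RACROUTE REQ=AUTH: decided from the ACEE snapshot, not the database."""
        ids = self.permits.get(resource, set())
        return acee.userid in ids or bool(ids & acee.connect_groups)


def scenario() -> Dict[str, bool]:
    """Replay the thread's cases and return what each check decides."""
    r = RacfModel()
    r.adduser("CORNEL", "TSOUSER")
    r.connect("CORNEL", "PAYADM")
    r.permit("PAYROLL.MASTER", "PAYADM")               # only PAYADM may read this
    r.permit("SYS1.PROCLIB", "TSOUSER")                # both groups may read this
    r.permit("SYS1.PROCLIB", "PAYADM")
    out: Dict[str, bool] = {}

    old = r.verify("CORNEL")                           # session logged on before any REVOKE
    r.altuser("CORNEL", revoke=True)
    out["active_session_survives_user_revoke"] = r.auth(old, "PAYROLL.MASTER")
    out["new_logon_after_user_revoke"] = r.verify("CORNEL") is not None
    r.altuser("CORNEL", revoke=False)                  # ALTUSER CORNEL RESUME

    r.connect("CORNEL", "PAYADM", revoke=True)         # revoke a non-default connect group
    out["old_session_still_has_payadm"] = r.auth(old, "PAYROLL.MASTER")
    out["logon_with_revoked_group"] = r.verify("CORNEL", group="PAYADM") is not None
    new = r.verify("CORNEL")                           # default group still works
    out["new_logon_default_group"] = new is not None
    out["new_session_payroll_via_payadm"] = r.auth(new, "PAYROLL.MASTER")
    out["new_session_proclib_via_other_group"] = r.auth(new, "SYS1.PROCLIB")

    r.connect("CORNEL", "PAYADM", revoke=False)        # CONNECT ... RESUME
    r.connect("CORNEL", "TSOUSER", revoke=True)        # now revoke the default group
    out["logon_default_group_revoked"] = r.verify("CORNEL") is not None
    out["logon_naming_other_group"] = r.verify("CORNEL", group="PAYADM") is not None
    return out


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:42s} {'ALLOWED' if decision else 'DENIED'}")
```

The point the model makes visible is that `auth()` never looks at the database: everything it needs was copied into the ACEE by `verify()`. That is why the revoked user's old session keeps running, why a revoked connect group still counts for a session that was established before the CONNECT command, and why a REVOKE on the default group only bites users who do not name another connect group at logon.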