IBM Security Z Security


Command Verifier - Limiting the scope of =CTLAUD

  • 1.  Command Verifier - Limiting the scope of =CTLAUD

    Posted Thu January 27, 2022 09:20 AM
    I have a function that only needs to perform an RLIST on 4 specific classes. Instead of giving them ROAUDIT I opted for C4R.RLIST.=CTLAUD. This seems to give them the ability to list profiles in those 4 classes. But it also gives them the ability to list profiles in any general resource classes.

    From looking at my Access Monitor data, I do not see any resource calls being made to the classes they are trying to list. I was hoping to restrict the user to only listing profiles in those 4 classes.

    Is it possible?

    I know I can do a number of controls with users having =CTLSPEC, but I don't think I see the same ability for =CTLAUD.

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Verifier - Limiting the scope of =CTLAUD

    IBM Champion
    Posted Fri January 28, 2022 05:09 AM
    Edited by Rob van Hoboken Fri January 28, 2022 05:10 AM
    Hi Linnea,
    Command Verifier was originally designed to prevent administrators from making (dangerous or non-compliant) changes to (selected) profiles. This is reflected by the field names in the policy profiles, which allow/restrict changes to those fields in the target profiles. At the time there was no need to restrict the ability to list information.
    Controlled privilege (special and auditor) requires the presence of profiles related to the parameters on the RACF command issued, and authority for the issuer on those profiles.  However, there are no policy profiles to prevent issuing LIST commands.
    Consequently, permitting a user on the C4R.RLIST.=CTLAUD profile simply allows all RLIST commands, irrespective of class or profile key. The same applies to =CTLSPEC. You may want to raise an RFE to have a class specification for LISTxxxx and RLIST added to a policy profile, or a combination of class and profile (mask).

    ------------------------------
    Rob van Hoboken
    ------------------------------