On 2/12/2007 10:35 AM, R.S. wrote:
> Mautalen Juan Guillermo wrote:
>> Itschak:
>> In general I agree with you, but there are some exceptions where
>> surrogate authority proves useful even for users (persons).
>> Example:
>> I needed that 4 users could fully administrate some RACF profile.
>> Basically, they should be able to do what the OWNER of the profile is
>> able to do. However, you know that ownership of profiles only gives
>> administrative authority when the owner is actually a RACF USER and not
>> a RACF GROUP.
>> So, my solution was:
>> I specifically created a user and made it the OWNER of the profile. It
>> is a PROTECTED user.
>> Then, I gave those 4 users authority to submit jobs on behalf of it
>> (surrogate authority). This way, I managed to give those 4 users
>> "ownership" of the profile.
>
> That's why we use group-special.
Right. Group-SPECIAL is the intended solution for that, not SURROGAT.
SURROGAT will work, but I think it would prove more cumbersome to use
(since users would have to submit batch jobs rather than issuing the
commands interactively).
Walt Farrell, CISSP
z/OS Security Design, IBM