On Tue, 7 Jul 2009 09:48:12 -0400, Hayim Sokolsky <[email protected]> wrote:
>Now to your specific question... Auditor (system level or group level)
>gives the user the ability to list any RACF base segment within scope.
>What it does not do is give the ability to view segments (OMVS, TSO, CICS,
>etc...) outside the base.
>
>To give your auditor the ability to list the content of the OMVS segment,
>you would need to define FIELD USER.OMVS.*, and permit them to the
>resource with READ. Sample commands (assumes you've never used FIELD):

Sorry, Hayim, but users with AUDITOR do not need FIELD authority, at least
according to our documentation. From the RACF Command Language Reference:
<quote>
Listing the other segments of a user profile: To list information from
segments other than the RACF segment for a user profile, including your own,
one of the following conditions must be true:
* You have the SPECIAL or AUDITOR attribute
* You have at least READ authority to the desired field within the
segment through field-level access checking.
</quote>
I agree, of course, that RACF questions should be on RACF-L rather than
IBM-MAIN.
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html