Walt,

I stand corrected. I assume that reference is for System-Special and 
System-Auditor only.

It does look like a documentation conflict between the Command Language 
Reference and the RACF Security Administrator's Guide. In the SAG, under 
"7.3 Field-level access checking" there is a statement:

"Note: If you do not activate the FIELD class and activate SETROPTS 
RACLIST processing for the FIELD class, only SPECIAL users can access 
fields in segments (other than the base segment) of RACF profiles."

As I didn't have time to test, I assumed this implied that AUDITOR users 
would not have READ access. My bad.


Hayim
_____________________________________
Hayim Sokolsky, CISSP
    Mainframe Security Architect
    DTCC Corporate Information Security
    18301 Bermuda Green Dr, MS 1-CIS
    Tampa FL 33647-1760

    Tel. (813) 470-2177



Walt Farrell <[email protected]>
Sent by: IBM Mainframe Discussion List <[email protected]>
2009.07.07 11:45
Please respond to IBM Mainframe Discussion List <[email protected]>

To: [email protected]
cc:
Subject: Re: RACF AUDITOR authority and OMVS segment

On Tue, 7 Jul 2009 09:48:12 -0400, Hayim Sokolsky <[email protected]> 
wrote:
>Now to your specific question... Auditor (system level or group level)
>gives the user the ability to list any RACF base segment within scope.
>What it does not do is give the ability to view segments (OMVS, TSO, CICS,
>etc...) outside the base.
>
>To give your auditor the ability to list the content of the OMVS segment,
>you would need to define FIELD USER.OMVS.*, and permit them to the
>resource with READ. Sample commands (assumes you've never used FIELD):

Sorry, Hayim, but users with AUDITOR do not need FIELD authority at least
according to our documentation.  From the RACF Command Language Reference:
<quote>
Listing the other segments of a user profile: To list information from
segments other than the RACF segment for a user profile, including your own,
one of the following conditions must be true:

    * You have the SPECIAL or AUDITOR attribute

    * You have at least READ authority to the desired field within the
segment through field-level access checking.
</quote>

I agree, of course, that RACF questions should be on RACF-L rather than
IBM-MAIN.
-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
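Hayim's quoted message refers to sample FIELD commands that are not included in the quote above. The following is an added example, not code from either author, of the field-level access setup that message describes: it grants a group of reviewers who do not hold AUDITOR READ access to the OMVS segment fields of USER profiles. AUDGRP and USER01 are placeholder names; per the Command Language Reference passage Walt quotes, users with SPECIAL or AUDITOR do not need this permission.

```rexx
/* REXX - added example, not code from the thread. AUDGRP is a placeholder */
/* for a group of reviewers who do NOT hold the AUDITOR attribute.         */
address TSO

/* Allow generic (*) profile names in the FIELD class; harmless if already set */
"SETROPTS GENERIC(FIELD)"

/* One generic profile covers every field of the OMVS segment in USER profiles; */
/* UACC(NONE) so nobody gets the fields by default                              */
"RDEFINE FIELD USER.OMVS.* UACC(NONE)"

/* READ lets the group display the fields (LISTUSER ... OMVS).                */
/* UPDATE would be required to change them with ALTUSER, so it is not granted */
"PERMIT USER.OMVS.* CLASS(FIELD) ID(AUDGRP) ACCESS(READ)"

/* Field-level checking is only performed when the class is active and RACLISTed; */
/* refresh after any RDEFINE/PERMIT so the in-storage copy picks up the change    */
"SETROPTS CLASSACT(FIELD) RACLIST(FIELD)"
"SETROPTS RACLIST(FIELD) REFRESH"

/* Verification, run under a userid connected to AUDGRP: the OMVS segment */
/* of the placeholder userid USER01 should now be displayed               */
"LISTUSER USER01 OMVS NORACF"
exit 0
```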

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html