Hi Skip, OPERATIONS users actually can grant privileges because they can create dataset profiles for any group. And if they own a profile they create, they can permit access to it.
In z/OS 2.2, you will be able to replace the assignment of AUDITOR authority with ROAUDIT, which truly is benign because it allows a user to look at all profiles and SETROPTS options without changing any audit settings.

Just curious, in your 'elevated access' report, do you include users with UID 0 or access to BPX.SUPERUSER?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
----------------------------------------------------------------------------
Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - DEC 5-9, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - SEPT 19-23, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX - WebEx - JUL 25-29, 2016
----------------------------------------------------------------------------

-----Original Message-----
Date: Tue, 17 May 2016 16:37:50 +0000
From: Jesse 1 Robinson <jesse1.robin...@sce.com>
Subject: Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

An interesting take on ADDSD. We produce a periodic report here on userids with 'elevated access', which includes SPECIAL, OPERATIONS, and AUDITOR (the benign type). OPERATIONS cannot grant privileges but could do a lot of damage. I consider AUDITOR vital for sysprogs in order to diagnose--not necessarily fix--security problems at odd hours. It's been pointed out to me that AUDITOR allows someone to change RACF audit rules. A far-fetched but not inconceivable exposure. I think that managers here are required now and again to 'confirm' the need for elevated access, but no major battles have ensued within my earshot. ;-)

. . .
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Tuesday, May 17, 2016 8:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

On Tue, May 17, 2016 at 9:41 AM, Mike Schwab <mike.a.sch...@gmail.com> wrote:
> Any ID that can grant privileges to another ID.
>
By the above definition, _every_ id in RACF which has TSO capability is an administrator. How? Suppose that I am BUBBA. I log into TSO. I issue the commands:

ADDSD MY.DATASET UACC(NONE)
PERMIT MY.DATASET ID(FRED) ACCESS(UPDATE)

I have granted privileges to another ID, therefore I am an Admin user. I would really hope that what the auditor might be satisfied with would be people who are RACF SPECIAL or GROUP-SPECIAL. Of course, many of the z/OS sysprogs on this list know how to make a joke of any security, short of encrypted data to which they don't have the key.

--
The unfacts, did we have them, are too imprecisely few to warrant our certitude.
Maranatha! <><
John McKown

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
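The thread turns on which userids belong in an "elevated access" report: Skip's list (SPECIAL, OPERATIONS, AUDITOR), Bob's additions (ROAUDIT on z/OS 2.2, UID 0, BPX.SUPERUSER), and John's point that GROUP-SPECIAL matters too. The script below is an added example, not code posted by anyone in this thread, showing how such a report can be derived from LISTUSER output. It assumes the conventional LISTUSER report layout (a `USER=` header line, an `ATTRIBUTES=` line, a `GROUP=` line followed by `CONNECT ATTRIBUTES=` per connect, and an `OMVS INFORMATION` section carrying `UID=`); `SAMPLE_LISTUSER` is constructed for the example rather than captured from a real system, and the set of BPX.SUPERUSER holders is assumed to be supplied separately (for instance from `RLIST FACILITY BPX.SUPERUSER AUTHUSER`) rather than parsed here.

```python
"""Report RACF userids with 'elevated access' from LISTUSER output.

Added example for the thread above, not code from any of the posters.
Assumes the conventional LISTUSER report layout: a USER= line per user,
an ATTRIBUTES= line, a GROUP= line followed by CONNECT ATTRIBUTES= for
each connect, and an optional OMVS INFORMATION section with a UID= line.
SAMPLE_LISTUSER is constructed for the example, not captured from a system.
"""
import re

# User attributes the thread treats as elevated. ROAUDIT (z/OS 2.2) can look
# but not change audit settings; it still sees every profile, so it is listed
# for review rather than silently dropped.
ELEVATED_ATTRS = ("SPECIAL", "OPERATIONS", "AUDITOR", "ROAUDIT")

# Constructed sample report: four users, one of them with UID 0 and one with
# group-SPECIAL over PAYROLL via CONNECT ATTRIBUTES.
SAMPLE_LISTUSER = """\
USER=BUBBA    NAME=BUBBA TESTER        OWNER=SYS1      CREATED=16.100
 DEFAULT-GROUP=SYS1     PASSDATE=16.130 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=SYS1      AUTH=USE       CONNECT-OWNER=SYS1      CONNECT-DATE=16.100
    CONNECT ATTRIBUTES=NONE
USER=SYSPROG1 NAME=SYSPROG ONE         OWNER=SYS1      CREATED=10.050
 ATTRIBUTES=AUDITOR
  GROUP=SYS1      AUTH=USE       CONNECT-OWNER=SYS1      CONNECT-DATE=10.050
    CONNECT ATTRIBUTES=NONE

OMVS INFORMATION
----------------
UID= 0000000000
HOME= /
PROGRAM= /bin/sh
USER=OPER1    NAME=OPERATOR ONE        OWNER=SYS1      CREATED=12.010
 ATTRIBUTES=OPERATIONS
  GROUP=OPS       AUTH=USE       CONNECT-OWNER=SYS1      CONNECT-DATE=12.010
    CONNECT ATTRIBUTES=NONE
USER=GRPADM   NAME=GROUP ADMIN         OWNER=SYS1      CREATED=14.200
 ATTRIBUTES=NONE
  GROUP=PAYROLL   AUTH=CONNECT   CONNECT-OWNER=SYS1      CONNECT-DATE=14.200
    CONNECT ATTRIBUTES=SPECIAL

OMVS INFORMATION
----------------
UID= 0000001234
HOME= /u/grpadm
PROGRAM= /bin/sh
"""


def parse_listuser(text):
    """Return {userid: {"attrs", "group_attrs", "uid"}} from LISTUSER output."""
    users, cur, cur_group = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"USER=(\S+)", line)
        if m:                      # new user record starts here
            cur = {"attrs": set(), "group_attrs": {}, "uid": None}
            users[m.group(1)] = cur
            cur_group = None
            continue
        if cur is None:
            continue
        if line.startswith("ATTRIBUTES="):          # user-level attributes
            vals = line[len("ATTRIBUTES="):].split()
            cur["attrs"].update(v for v in vals if v != "NONE")
        elif line.startswith("GROUP="):             # remember which connect follows
            cur_group = line.split()[0][len("GROUP="):]
        elif line.startswith("CONNECT ATTRIBUTES="):  # group-level attributes
            vals = [v for v in line[len("CONNECT ATTRIBUTES="):].split() if v != "NONE"]
            if vals and cur_group:
                cur["group_attrs"][cur_group] = set(vals)
        elif line.startswith("UID="):               # OMVS segment of this user
            cur["uid"] = int(line[len("UID="):].strip())
    return users


def elevated_access(users, superusers=frozenset()):
    """Return {userid: [reasons]} for every userid that belongs in the report.

    superusers: userids holding READ or higher to FACILITY BPX.SUPERUSER,
    obtained separately (assumption: e.g. RLIST FACILITY BPX.SUPERUSER AUTHUSER).
    """
    report = {}
    for userid, info in users.items():
        reasons = [a for a in ELEVATED_ATTRS if a in info["attrs"]]
        for group, gattrs in sorted(info["group_attrs"].items()):
            reasons += [f"GROUP-{a}({group})" for a in ELEVATED_ATTRS if a in gattrs]
        if info["uid"] == 0:
            reasons.append("UID(0)")
        if userid in superusers:
            reasons.append("BPX.SUPERUSER")
        if reasons:
            report[userid] = reasons
    return report


if __name__ == "__main__":
    for userid, why in sorted(elevated_access(parse_listuser(SAMPLE_LISTUSER)).items()):
        print(f"{userid:<8} {' '.join(why)}")
```

Run on the constructed sample, BUBBA stays off the report, SYSPROG1 shows AUDITOR and UID(0), OPER1 shows OPERATIONS, and GRPADM shows GROUP-SPECIAL(PAYROLL). Note what this kind of attribute scan does not catch: John's ADDSD/PERMIT case rests on profile ownership, not on any user attribute, so a report that wants to cover "can grant access to something" has to walk profile owners (and, per Bob's point, OPERATIONS users who create profiles) rather than just LISTUSER attributes.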