On Sun, 12 Jun 2016 00:52:07 +0000, Jesse 1 Robinson <[email protected]> wrote:
>This has been a bugaboo for me for 20 years. From the get-go I had a userid >with full operator/sysprog authority. At some point I added ACS authority to >the same userid so that I could also manage other users. I discovered through >trial and error that I could not perform all functions with a single userid. >With ACS authority I could not perform sysprog duties and vice versa. I have >never seen this documented, and nothing in the user management dialog >indicates conflicting roles. Both roles can be selected for a single user, but >both roles do not work for the same user. > >Some other roles can be added besides ACS that still allow, for example, >management of CPC and LPAR definitions. ACS alone does not allow that. Does >anyone understand the boundaries? > Separation of duties. :-) I don't know if it is documented, but recently I deleted the shared userids for operations and sysprogs and a shared userid we had for ACS admin and defined individual userids for about 15-20 OS sysprogs and operators to close an audit gap. I had 2 userids for myself, one that was ACS admin (and also a backup userid) and my normal sysprog userid that I use bit that also had ACS. I was able to use my sysprog ID for everything I needed - so I though. But just the other day I noticed when I went into the SE (single object operations) I ended up with a userid of sooacsadmin instead of soosysprog and couldn't do diagnostics, model conversion etc. So I had to remove ACS from my userid and one other sysprog who had the ACS authority on his userid and now we both have 2 userids, one being for ACS admin only. All the "default" shared IBM userids are still there, but since they can only be accessed locally in the secure computer room, they were allowed to remain. Best regards, Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS ITIL v3 Foundation Certified mailto:[email protected] Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://search390.techtarget.com/ateExperts/ ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
