Dennis, I understand IRRXUTIL, and the reason for the return codes we see a lot of it...
Scott On Tuesday, June 21, 2016, Roach, Dennis <[email protected]> wrote: > I suggest that you read Robert Henderson's paper on FACILITY class > profiles. > > > http://www.rshconsulting.com/RSHpres/RSH_Consulting__FACILITY_Class__October_2015.pdf > > He has a lot of good papers at > http://www.rshconsulting.com/racfres.htm#RSHpres > > > > Dennis Roach, CISSP, PMP > AIG > IAM Access Administration – Consumer | Identy & Access Management > > 2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019 > Phone: 713-831-8799 > > [email protected] | www.aig.com > > All opinions expressed by me are mine and may not agree with my employer > or any person, company, or thing, living or dead, on or near this or any > other planet, moon, asteroid, or other spatial object, natural or > manufactured, since the beginning of time. > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected] > <javascript:;>] On Behalf Of Scott Ford > Sent: Monday, June 20, 2016 5:27 PM > To: [email protected] <javascript:;> > Subject: Re: IRRXUTIL not authorized, but it is. > > You need more than 'irr.radmin.listuser', it's performing and extract not > listuser.. > We use it in our product.... > > Scott > > On Monday, June 20, 2016, Itschak Mugzach <[email protected] > <javascript:;>> wrote: > > > Yes i did. Somehow, the "EXTRACT" permission was not covered by the > > generic profile. may be it is a non-generic check? Other users was > > able to use the service, but not the protected one. > > > > ITschak > > > > > > ITschak Mugzach > > Z/OS, ISV Products and Application Security & Risk Assessments > > Professional > > > > On Mon, Jun 20, 2016 at 3:29 PM, Roach, Dennis <[email protected] > <javascript:;> > > <javascript:;>> wrote: > > > > > FACILITY is RACLISTd. Did you refresh? > > > > > > Dennis Roach, CISSP, PMP > > > AIG > > > IAM Access Administration – Consumer | Identy & Access Management > > > > > > 2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019 > > > Phone: 713-831-8799 > > > > > > [email protected] | www.aig.com > > > > > > All opinions expressed by me are mine and may not agree with my > > > employer or any person, company, or thing, living or dead, on or > > > near this or any other planet, moon, asteroid, or other spatial > > > object, natural or manufactured, since the beginning of time. > > > > > > -----Original Message----- > > > From: IBM Mainframe Discussion List [mailto:[email protected] > <javascript:;> > > <javascript:;>] On > > > Behalf Of Itschak Mugzach > > > Sent: Monday, June 20, 2016 1:44 PM > > > To: [email protected] <javascript:;> <javascript:;> > > > Subject: IRRXUTIL not authorized, but it is. > > > > > > co-posted to ibm-main and racf-l (which said to be sleepy lately ;-) > > > I have a rexx exec running a protected user with AUDITOR attribute > > > that has read access to IRR.RADMIN.LISTUSER. on call x = > > IRRXUTIL("extract","user", > > > muki","mystem","r_") I get 12 12 8 8 24 which means the user is not > > > authorized to the service. Am I missing something? > > > > > > ITschak > > > > > > -------------------------------------------------------------------- > > > -- For IBM-MAIN subscribe / signoff / archive access instructions, > > > send > > email > > > to [email protected] <javascript:;> <javascript:;> with the > message: INFO > > IBM-MAIN > > > > > > -------------------------------------------------------------------- > > > -- For IBM-MAIN subscribe / signoff / archive access instructions, > > > send email to [email protected] <javascript:;> <javascript:;> > with the message: > > INFO IBM-MAIN > > > > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to [email protected] <javascript:;> <javascript:;> with > the message: > > INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to [email protected] <javascript:;> with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] <javascript:;> with the message: > INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
