That's similar to my configuration, one ACSADMIN account, one SYSPROG and one SERVICE account, they we created groups, OPERATIONS, SYSPROG...etc, and assigned the appropriate tasks and objects to the group, then we use LDAP for userid validation, I add the user to the HMC and connect them to the right group, kinda like RACF users and groups, so when the operations manager calls to add a user I just add the user, give them access to the correct group, and its done.
----- Original Message ----- From: "Tom Mathias" <[email protected]> To: [email protected] Sent: Tuesday, February 14, 2017 10:49:36 AM Subject: Re: New HMC user issue (z12BC) You were able to respond before I could... Your write-up is correct. I suspect he has made the new users be "service" type users. Service-type users can not do anything disruptive (like an IPL) unless the object is in service mode. The service person can only IPL the LPAR or work with a channel that is in service mode, which the customer should do. This helps prevent the service person from targeting the wrong object with a disruptive operation. I recommend that each new user be distinct and there should be at least one (and probably two) access administrators who can manage HMC users. Tom ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
