On Thu, 25 May 2017 12:14:46 -0400, scott Ford <[email protected]> wrote:
>In reading through the RACF manual I have a question about STC definitions.
>We have a STC that is doing RACF provisioning. The question is if I change
>the below RDEFINE from TRUSTED(YES) to TRUSTED(NO) will still be able to
>issue RACF commands ..we pass them through the RACF callable service
>R_admin and we have an id with the appropriate authority.
>
>RDEFINE STARTED racfidname.* STDATA(USER(racfidname) -
> GROUP(secure-grp) TRUSTED(YES) PRIVILEGED(NO) TRACE(NO)) -
> UACC(NONE) AUDIT(FAILURES(READ))

TRUSTED does not let you issue RACF commands. It lets you get access to resources when they are checked by RACROUTE REQUEST=AUTH.

Issuing commands requires SPECIAL or other authorities listed in the RACF Command Language Reference.

However, when issuing commands via R_admin you need access to additional R_admin-specific resources. Having TRUSTED will let that additional security checking succeed, so if you remove TRUSTED you will need to grant access to those additional resources documented with the R_admin callable service.

(By the way, I strongly recommend asking RACF questions on the RACF-L mailing list, not IBM-MAIN. You'll find more RACF experts there.)

--
Walt
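The change discussed in this thread, sketched as RACF commands. This is an added example, not part of the original posts. It assumes the R_admin-specific resources are the FACILITY class profiles named IRR.RADMIN.command-name described in the R_admin documentation, and that the started task issues only ADDUSER, ALTUSER, CONNECT and LISTUSER; the real list must be taken from the commands the task actually sends. The names racfidname and secure-grp are the placeholders from the question.

```tso
/* Added example: assumed command set, adjust to what the STC issues. */

/* 1. Define discrete profiles for each command passed to R_admin,    */
/*    with no default access.                                         */
RDEFINE FACILITY IRR.RADMIN.ADDUSER  UACC(NONE) AUDIT(FAILURES(READ))
RDEFINE FACILITY IRR.RADMIN.ALTUSER  UACC(NONE) AUDIT(FAILURES(READ))
RDEFINE FACILITY IRR.RADMIN.CONNECT  UACC(NONE) AUDIT(FAILURES(READ))
RDEFINE FACILITY IRR.RADMIN.LISTUSER UACC(NONE) AUDIT(FAILURES(READ))

/* 2. Grant the started task's user ID READ to exactly those profiles.*/
PERMIT IRR.RADMIN.ADDUSER  CLASS(FACILITY) ID(racfidname) ACCESS(READ)
PERMIT IRR.RADMIN.ALTUSER  CLASS(FACILITY) ID(racfidname) ACCESS(READ)
PERMIT IRR.RADMIN.CONNECT  CLASS(FACILITY) ID(racfidname) ACCESS(READ)
PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(racfidname) ACCESS(READ)

/* 3. Refresh in-storage FACILITY profiles (if the class is RACLISTed)*/
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. Only after the permits are in place, drop TRUSTED from the      */
/*    STARTED profile and refresh the STARTED class.                  */
RALTER STARTED racfidname.* STDATA(TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* 5. Verify the result before restarting the task.                   */
RLIST STARTED racfidname.* STDATA
RLIST FACILITY IRR.RADMIN.ADDUSER AUTHUSER
```

With TRUSTED removed, every other RACROUTE REQUEST=AUTH check the task triggers (data sets, other general resources) is also enforced, so failures logged against racfidname after the restart show what else needs an explicit permit.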
