I suggest that you read Robert Henderson's paper on FACILITY class profiles.
http://www.rshconsulting.com/RSHpres/RSH_Consulting__FACILITY_Class__October_2015.pdf

He has a lot of good papers at http://www.rshconsulting.com/racfres.htm#RSHpres

Dennis Roach, CISSP, PMP
AIG
IAM Access Administration – Consumer | Identity & Access Management
2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
Phone: 713-831-8799
[email protected] | www.aig.com

All opinions expressed by me are mine and may not agree with my employer or any person, company, or thing, living or dead, on or near this or any other planet, moon, asteroid, or other spatial object, natural or manufactured, since the beginning of time.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Scott Ford
Sent: Monday, June 20, 2016 5:27 PM
To: [email protected]
Subject: Re: IRRXUTIL not authorized, but it is.

You need more than 'irr.radmin.listuser', it's performing an extract, not listuser. We use it in our product....

Scott

On Monday, June 20, 2016, Itschak Mugzach <[email protected]> wrote:

> Yes I did. Somehow, the "EXTRACT" permission was not covered by the
> generic profile. Maybe it is a non-generic check? Other users were
> able to use the service, but not the protected one.
>
> ITschak
>
> ITschak Mugzach
> Z/OS, ISV Products and Application Security & Risk Assessments
> Professional
>
> On Mon, Jun 20, 2016 at 3:29 PM, Roach, Dennis <[email protected]> wrote:
>
> > FACILITY is RACLISTd. Did you refresh?
> >
> > Dennis Roach, CISSP, PMP
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Itschak Mugzach
> > Sent: Monday, June 20, 2016 1:44 PM
> > To: [email protected]
> > Subject: IRRXUTIL not authorized, but it is.
> >
> > co-posted to ibm-main and racf-l (which is said to be sleepy lately ;-)
> > I have a rexx exec running a protected user with AUDITOR attribute
> > that has read access to IRR.RADMIN.LISTUSER. On call
> > x = IRRXUTIL("extract","user","muki","mystem","r_")
> > I get 12 12 8 8 24 which means the user is not
> > authorized to the service. Am I missing something?
> >
> > ITschak

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
