I still do not understand why irr.radmin.* defined with uacc(read) didn't allow only the protected user to use extract. The user is protected, not restricted...

ITschak

On 21 Jun 2016 16:01, "Scott Ford" <[email protected]> wrote:

> Dennis,
>
> I understand IRRXUTIL, and the reason for the return codes we see a lot of
> it...
>
> Scott
>
> On Tuesday, June 21, 2016, Roach, Dennis <[email protected]> wrote:
>
> > I suggest that you read Robert Henderson's paper on FACILITY class
> > profiles.
> >
> > http://www.rshconsulting.com/RSHpres/RSH_Consulting__FACILITY_Class__October_2015.pdf
> >
> > He has a lot of good papers at
> > http://www.rshconsulting.com/racfres.htm#RSHpres
> >
> > Dennis Roach, CISSP, PMP
> > AIG
> > IAM Access Administration – Consumer | Identity & Access Management
> >
> > 2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019
> > Phone: 713-831-8799
> >
> > [email protected] | www.aig.com
> >
> > All opinions expressed by me are mine and may not agree with my employer
> > or any person, company, or thing, living or dead, on or near this or any
> > other planet, moon, asteroid, or other spatial object, natural or
> > manufactured, since the beginning of time.
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Scott Ford
> > Sent: Monday, June 20, 2016 5:27 PM
> > To: [email protected]
> > Subject: Re: IRRXUTIL not authorized, but it is.
> >
> > You need more than 'irr.radmin.listuser', it's performing an extract, not
> > listuser.
> > We use it in our product....
> >
> > Scott
> >
> > On Monday, June 20, 2016, Itschak Mugzach <[email protected]> wrote:
> >
> > > Yes I did. Somehow, the "EXTRACT" permission was not covered by the
> > > generic profile. Maybe it is a non-generic check? Other users were
> > > able to use the service, but not the protected one.
> > >
> > > ITschak
> > >
> > > ITschak Mugzach
> > > Z/OS, ISV Products and Application Security & Risk Assessments
> > > Professional
> > >
> > > On Mon, Jun 20, 2016 at 3:29 PM, Roach, Dennis <[email protected]> wrote:
> > >
> > > > FACILITY is RACLISTd. Did you refresh?
> > > >
> > > > Dennis Roach, CISSP, PMP
> > > > AIG
> > > >
> > > > -----Original Message-----
> > > > From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Itschak Mugzach
> > > > Sent: Monday, June 20, 2016 1:44 PM
> > > > To: [email protected]
> > > > Subject: IRRXUTIL not authorized, but it is.
> > > >
> > > > Co-posted to ibm-main and racf-l (which is said to be sleepy lately ;-)
> > > > I have a rexx exec running a protected user with AUDITOR attribute
> > > > that has read access to IRR.RADMIN.LISTUSER. On call
> > > > x = IRRXUTIL("extract","user","muki","mystem","r_")
> > > > I get 12 12 8 8 24, which means the user is not
> > > > authorized to the service. Am I missing something?
> > > >
> > > > ITschak
> > > >
> > > > ----------------------------------------------------------------------
> > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > send email to [email protected] with the message: INFO IBM-MAIN
