Environment
NetIQ Identity Manager
Situation
The RACF user that the driver uses is currently configured as "Special". What are the minimum rights that the user needs to sync the password?
Resolution
Here is IBM's documentation on password change security:
To reset passwords and password phrases or to resume user IDs, you must have at least one of the following authorizations:
- You have the SPECIAL attribute.
- You have group-SPECIAL authority over the user profile.
- You are the OWNER of the user profile.
- You have sufficient access to the IRR.PASSWORD.RESET resource in the FACILITY class.
- You have sufficient access to an appropriate resource in the FACILITY class (IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner), and both of the following conditions are also true:
  - The other user does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
  - You are not excluded from altering the user by the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class.
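One way to replace the SPECIAL attribute with the IRR.PASSWORD.RESET option from the list above, as an added example that is not taken from the original article or from IBM's documentation. The user ID IDMDRV is a placeholder and the UPDATE access level is an assumption; confirm the level the driver's reset needs against IBM's documentation. The commands are issued by a RACF administrator, not by the driver's user.

```tso
/* Assumption: IDMDRV is a placeholder for the driver's RACF user ID. */
/* Assumption: the FACILITY class is active and RACLISTed.            */

/* Define the profile with no default access (skip if it exists).     */
RDEFINE FACILITY IRR.PASSWORD.RESET UACC(NONE)

/* Grant the driver's user access to the password reset resource.     */
/* UPDATE is an assumed level; verify it for your reset requirements. */
PERMIT IRR.PASSWORD.RESET CLASS(FACILITY) ID(IDMDRV) ACCESS(UPDATE)

/* Refresh the in-storage FACILITY profiles so the change applies.    */
SETROPTS RACLIST(FACILITY) REFRESH

/* Remove the system-wide SPECIAL attribute from the driver's user.   */
ALTUSER IDMDRV NOSPECIAL

/* Verify: the access list shows IDMDRV, and the user's attributes    */
/* no longer include SPECIAL.                                         */
RLIST FACILITY IRR.PASSWORD.RESET AUTHUSER
LISTUSER IDMDRV
```

This covers password reset and resume only. Test password synchronization after the change, since any other operations the driver performs need their own authorization.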
Here's another IBM doc that explains how to delegate password reset authority: