What rights are needed by the RACF driver to pick up password changes in RACF

  • 7011303
  • 02-Nov-2012
  • 02-Nov-2012

Environment

NetIQ Identity Manager

Situation

The RACF user ID that the driver uses is currently configured with the "SPECIAL" attribute. What are the minimum rights that this user needs in order to sync passwords?

Resolution

Here is IBM's documentation on password change security:
To reset passwords and password phrases or to resume user IDs, you must have at least one of the following authorizations:
  • You have the SPECIAL attribute.
  • You have group-SPECIAL authority over the user profile.
  • You are the OWNER of the user profile.
  • You have sufficient access to the IRR.PASSWORD.RESET resource in the FACILITY class.
  • You have sufficient access to an appropriate resource in the FACILITY class (IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner), and both of the following conditions are also true:
    • The other user does not have the SPECIAL, OPERATIONS, AUDITOR, or PROTECTED attribute.
    • You are not excluded from altering the user by the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class.
For more information about the IRR.PWRESET profiles, see z/OS Security Server RACF Security Administrator's Guide.
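As an added example (not from this article or from IBM's documentation), a TSO REXX exec that a RACF administrator would run to move the driver's user ID from the SPECIAL attribute to the narrowest option in the list above: access to IRR.PASSWORD.RESET in the FACILITY class. DRVUSER is a placeholder user ID, and ACCESS(UPDATE) is an assumption based on the driver setting synced passwords as non-expired; confirm the access level against the Security Administrator's Guide for your release.

```rexx
/* REXX (added example): replace the driver ID's SPECIAL attribute with   */
/* least-privilege FACILITY-class access to IRR.PASSWORD.RESET.          */
/* Run by a RACF administrator, not by the driver itself.                */
address TSO
drv = 'DRVUSER'            /* placeholder: the ID the IDM RACF driver uses */

/* Before: confirm the driver ID currently carries SPECIAL */
"LISTUSER" drv

/* Define the profile with no default access. RACF commands set rc;     */
/* a warning (rc 4, e.g. profile already defined) is acceptable here.   */
"RDEFINE FACILITY IRR.PASSWORD.RESET UACC(NONE)"
if rc > 4 then do
  say 'RDEFINE failed, rc='rc
  exit rc
end

/* ASSUMPTION: UPDATE, so the driver can set a synced password as        */
/* NOEXPIRED. READ also permits resets, but every synced password would  */
/* then be expired at the user's next logon.                             */
"PERMIT IRR.PASSWORD.RESET CLASS(FACILITY) ID("drv") ACCESS(UPDATE)"
if rc <> 0 then do
  say 'PERMIT failed, rc='rc
  exit rc
end

/* FACILITY is normally RACLISTed, so refresh the in-storage profiles   */
/* or the new access list will not be used.                              */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Only now, with the narrow authority in place, remove the broad one   */
"ALTUSER" drv "NOSPECIAL"

/* Checks: the access list should show DRVUSER with UPDATE, and the     */
/* LISTUSER attributes line should no longer contain SPECIAL.           */
"RLIST FACILITY IRR.PASSWORD.RESET AUTHUSER"
"LISTUSER" drv
exit 0
```

IRR.PASSWORD.RESET does not cover target users that themselves hold the SPECIAL, OPERATIONS, AUDITOR or PROTECTED attribute, so if the driver must sync passwords for such IDs it still needs one of the other authorizations in the list above.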
Here's another IBM doc that explains how to delegate password reset authority: