In reviewing security on some systems, it was discovered that the OPSMAIN/OPSOSF logon ids on RACF systems have the TRUSTED attribute. I cannot find any reason why we did it that way, as I don't see any references in the CA doc that it was required.
OPS/MVS RACF security question
Is there any value in keeping the TRUSTED attribute on the OPSMAIN/OPSOSF logon ids?
Likely that someone, in the past, added the trusted attribute because OPS was not authorized to issue a specific command. If you are using the OPERCMDS command class and did not define OPS/MVS as allowed to issue all commands, you may run into problems with the trusted attribute being removed.