RACF Trusted attribute on OPSMAIN/OPSOSF logon ids in CA OPS/MVS Event Management and Automation

Article ID: 16252

Products

CA OPS/MVS Event Management & Automation

Issue/Introduction

In reviewing security on some systems, it was discovered that the OPSMAIN/OPSOSF logon ids on RACF systems have the TRUSTED attribute. I cannot find any reason why we did it that way, as I don't see any references in the CA doc that it was required.



OPS/MVS RACF security question

Is there any value in keeping the TRUSTED attribute on the OPSMAIN/OPSOSF logon ids?

Environment

CA OPS/MVS release 12.3

Resolution

It is likely that someone, in the past, added the TRUSTED attribute because OPS/MVS was not authorized to issue a specific command. If you are using the OPERCMDS command class and have not defined OPS/MVS as allowed to issue all commands, you may run into problems when the TRUSTED attribute is removed.
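
One way to check and stage the change described above, as an added example that is not from the CA documentation. It assumes the started tasks are covered by STARTED class profiles named OPSMAIN.* and OPSOSF.*, run under user IDs OPSMAIN and OPSOSF, and that operator commands are protected by a generic OPERCMDS profile MVS.**; substitute your site's profile and user ID names.

```rexx
/* REXX - added example. Run under TSO by a user with RACF SPECIAL   */
/* (AUDITOR is also needed for UAUDIT). All profile and user ID      */
/* names below are assumptions, not values from the article.         */
Address TSO

/* 1. Confirm TRUSTED is set in the STARTED profiles (check the      */
/*    TRUSTED field in the STDATA segment of the output). If the     */
/*    profiles do not exist, the attribute may instead come from     */
/*    the started procedures table (ICHRIN03).                       */
"RLIST STARTED OPSMAIN.* STDATA NORACF"
"RLIST STARTED OPSOSF.* STDATA NORACF"

/* 2. While the tasks are still TRUSTED, log what they access so     */
/*    missing permissions can be found before the change.            */
"ALTUSER OPSMAIN UAUDIT"
"ALTUSER OPSOSF UAUDIT"

/* 3. Review who is currently permitted to the operator-command      */
/*    profile.                                                       */
"RLIST OPERCMDS MVS.** AUTHUSER"

/* 4. Permit the OPS/MVS user IDs to issue commands. MVS.** with     */
/*    CONTROL mirrors the article's "allowed to issue all commands"; */
/*    narrower profiles can be used if the command set is known.     */
"PERMIT MVS.** CLASS(OPERCMDS) ID(OPSMAIN OPSOSF) ACCESS(CONTROL)"
"SETROPTS RACLIST(OPERCMDS) REFRESH"

/* 5. Remove TRUSTED. The new setting applies the next time each     */
/*    address space is started.                                      */
"RALTER STARTED OPSMAIN.* STDATA(TRUSTED(NO))"
"RALTER STARTED OPSOSF.* STDATA(TRUSTED(NO))"
"SETROPTS RACLIST(STARTED) REFRESH"

/* 6. Turn the extra logging off once the tasks have been verified.  */
"ALTUSER OPSMAIN NOUAUDIT"
"ALTUSER OPSOSF NOUAUDIT"
```

TRUSTED bypasses all RACF authorization checks, not only OPERCMDS, so after the restart also watch for ICH408I violation messages against the two user IDs for data sets and other resources.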

Additional Information

Assigning the RACF TRUSTED attribute