tmisicko
New User
Joined: 20 Jul 2010 Posts: 5 Location: Harrisburg, PA
Hello,
I am a RACF security admin (2 years) and my boss recently asked me to find a means to restrict our helpdesk's ability to reset passwords. Currently our helpdesk has control access to IRR.PASSWORD.RESET, which basically gives them the ability to reset ANY user who doesn't have 'SPECIAL'. I've checked these forums, IBM, and googled it and still haven't found a single shop that has done this elsewhere. Is it possible to limit their ability any further or should I just throw in the towel and tell him it can't be done?
Thanks in advance for your advice / help,
Tim
PeterHolland
Global Moderator
Joined: 27 Oct 2009 Posts: 2481 Location: Netherlands, Amstelveen
Firing the helpdesk is an option.
Or take away their ability to do that kind of thing.
Helpdesks shouldn't have the power to reset users etc.; the RACF people
only have to do those things after probably talking to some managers.
tmisicko
New User
Joined: 20 Jul 2010 Posts: 5 Location: Harrisburg, PA
Trust me, I have thought about it, but with over 13,000 users on our system, we 5 lowly RACF admins wouldn't be able to do anything other than reset passwords all day.
PeterHolland
Global Moderator
Joined: 27 Oct 2009 Posts: 2481 Location: Netherlands, Amstelveen
Then I believe there is something very wrong in that/your organization.
I was working for a company with lots more than 13000 users, and only
2 or 3 people were allowed to reset users. And only after a good reason
was given to do that.
superk
Global Moderator
Joined: 26 Apr 2004 Posts: 4652 Location: Raleigh, NC, USA
We addressed this with automation, since the Help Desk/Command Center guys don't have the ability to reset passwords, and the security guys didn't want to have to provide 24x7 support. When automation detects a password being suspended, it issues the reset command. It also logs this action and sends an email to the security team. Three resets in a row are allowed (for a unique id) before the automation stops, at which time a problem ticket is created for the security team, a call-out is placed, and they take it from there.
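The decision logic superk's post describes (reset, log, email, stop after three resets for one ID, then ticket and call-out), as an added example that is not code from the thread or from any automation product. The class, event and action names are hypothetical, and it assumes "in a row" means suspensions with no successful logon by that ID in between; detecting the suspension and issuing the actual reset are left to the automation product.

```python
from collections import defaultdict

MAX_AUTO_RESETS = 3  # "three resets in a row" per user ID, as in the post

class ResetAutomation:
    """Per-ID reset limiter. Assumption: "in a row" means suspensions with no
    successful logon by that ID in between; a good logon clears the streak."""

    def __init__(self, limit=MAX_AUTO_RESETS):
        self.limit = limit
        self.streak = defaultdict(int)  # user ID -> consecutive automated resets
        self.escalated = set()          # IDs handed over to the security team
        self.audit_log = []             # every decision, kept for review

    def handle(self, timestamp, userid, event):
        """Return the actions for one event (event and action names are constructed)."""
        userid = userid.upper()
        if event == "LOGON_OK":
            if userid not in self.escalated:
                self.streak[userid] = 0
            actions = []
        elif event != "SUSPENDED":
            raise ValueError(f"unknown event {event!r}")
        elif userid in self.escalated:
            actions = ["NO_ACTION_ESCALATED"]       # automation stays stopped
        elif self.streak[userid] < self.limit:
            self.streak[userid] += 1
            actions = ["RESET", "EMAIL_SECURITY"]   # reset, then notify
        else:
            self.escalated.add(userid)
            actions = ["OPEN_TICKET", "CALL_OUT_SECURITY"]
        self.audit_log.append((timestamp, userid, event, tuple(actions)))
        return actions

    def clear(self, userid):
        """Security team has dealt with the ID: re-enable automation for it."""
        self.escalated.discard(userid.upper())
        self.streak[userid.upper()] = 0

# Constructed sample events: (time, user ID, event)
SAMPLE = [
    ("09:00", "jdoe", "SUSPENDED"), ("09:05", "jdoe", "SUSPENDED"),
    ("09:07", "asmith", "SUSPENDED"), ("09:10", "jdoe", "SUSPENDED"),
    ("09:15", "jdoe", "SUSPENDED"), ("09:20", "jdoe", "SUSPENDED"),
]

def replay(events, limit=MAX_AUTO_RESETS):
    auto = ResetAutomation(limit)
    return [auto.handle(*e) for e in events], auto
```
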
tmisicko
New User
Joined: 20 Jul 2010 Posts: 5 Location: Harrisburg, PA
That may work; I'll have to discuss it with the boss.
Thank you
PeterHolland
Global Moderator
Joined: 27 Oct 2009 Posts: 2481 Location: Netherlands, Amstelveen
superk wrote:
We addressed this with automation, since the Help Desk/Command Center guys don't have the ability to reset passwords, and the security guys didn't want to have to provide 24x7 support. When automation detects a password being suspended, it issues the reset command. It also logs this action and sends an email to the security team. Three resets in a row are allowed (for a unique id) before the automation stops, at which time a problem ticket is created for the security team, a call-out is placed, and they take it from there.
That is very recognizable for me; we did that too (or something similar), and it
worked perfectly. But then you need automation to catch (I believe) ICH
messages.