Portal | Manuals | References | Downloads | Info | Programs | JCLs | Master the Mainframes
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Usergroups Profile Log in to check your private messages Log in
 

 

Restricting Helpdesks ability to reset certain passwords

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics
View previous topic :: :: View next topic  
Author Message
tmisicko

New User


Joined: 20 Jul 2010
Posts: 5
Location: Harrisburg, PA

PostPosted: Mon Jul 26, 2010 7:04 pm    Post subject: Restricting Helpdesks ability to reset certain passwords
Reply with quote

Hello,

I am a RACF security admin (2 years) and my boss recently asked me to find a means to restrict our helpdesks ability to reset passwords. Currently our helpdesk has control access to IRR.PASSWORD.RESET which basically gives them the ability to reset ANY user who doesn't have 'SPECIAL'. I've checked these forums, IBM, and googled it and still haven't found a single shop that has done this elsewhere. Is it possible to limit their ability any further or should I just throw in the towel and tell him it can't be done?

Thanks in advance for your advice / help,

Tim
Back to top
View user's profile Send private message

PeterHolland

Global Moderator


Joined: 27 Oct 2009
Posts: 2435
Location: Netherlands, Amstelveen

PostPosted: Mon Jul 26, 2010 7:07 pm    Post subject:
Reply with quote

Fire the helpdesk is an option.
Or take their functionality away for doing that kind of things.
Helpdesks shouldnt have the power to reset users etc., the RACF people
only have to do those things after probably talking to some managers.
Back to top
View user's profile Send private message
tmisicko

New User


Joined: 20 Jul 2010
Posts: 5
Location: Harrisburg, PA

PostPosted: Mon Jul 26, 2010 7:11 pm    Post subject:
Reply with quote

Trust me I have thought about it but with over 13,000 users on our system us 5 lowly racf admins wouldn't be able to do anything other then reset passwords all day. icon_neutral.gif
Back to top
View user's profile Send private message
PeterHolland

Global Moderator


Joined: 27 Oct 2009
Posts: 2435
Location: Netherlands, Amstelveen

PostPosted: Mon Jul 26, 2010 7:21 pm    Post subject:
Reply with quote

Then i believe there is something very wrong in that/your organization.
I was working for a company with lots more than 13000 users, and only
2 or 3 people were allowed to reset users. And only after a good reason
was given to do that.
Back to top
View user's profile Send private message
superk

Moderator Team Head


Joined: 26 Apr 2004
Posts: 4649
Location: Raleigh, NC, USA

PostPosted: Mon Jul 26, 2010 7:24 pm    Post subject: Reply to: Restricting Helpdesks ability to reset certain pas
Reply with quote

We addressed this with automation, since the Help Desk/Command Center guys don't have the ability to reset passwords, and the security guys didn't want to have to provide 24x7 support. When automation detects a password being suspended, it issues the reset command. It also logs this action and sends an email to the security team. Three resets in a row are allowed (for a unique id) before the automation stops, at which time a problem ticket is created for the security team, a call-out is placed, and they take it from there.
Back to top
View user's profile Send private message
tmisicko

New User


Joined: 20 Jul 2010
Posts: 5
Location: Harrisburg, PA

PostPosted: Mon Jul 26, 2010 8:01 pm    Post subject:
Reply with quote

That may work I'll have to discuss it with the boss.

Thank you
Back to top
View user's profile Send private message
PeterHolland

Global Moderator


Joined: 27 Oct 2009
Posts: 2435
Location: Netherlands, Amstelveen

PostPosted: Mon Jul 26, 2010 8:58 pm    Post subject: Re: Reply to: Restricting Helpdesks ability to reset certain
Reply with quote

superk wrote:
We addressed this with automation, since the Help Desk/Command Center guys don't have the ability to reset passwords, and the security guys didn't want to have to provide 24x7 support. When automation detects a password being suspended, it issues the reset command. It also logs this action and sends an email to the security team. Three resets in a row are allowed (for a unique id) before the automation stops, at which time a problem ticket is created for the security team, a call-out is placed, and they take it from there.


That is very recognizable for me, we did that too (or something the same),
worked perfectly. But then you need automation to catch (i believe) ICH
messages.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> All Other Mainframe Topics All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
No new posts Delete record or Reset RC code using ... mpawan Compuware & Other Tools 4 Tue Jul 26, 2016 3:52 pm
No new posts Linkedin passwords hacked vasanthz PC Guides & IT News 0 Fri May 20, 2016 5:00 am
No new posts Batch reset browse tvinodkumar7 COBOL Programming 8 Wed Jun 24, 2015 5:51 pm
No new posts Socketexception:Connection reset erro... Thamilselvi CICS 0 Fri Apr 26, 2013 6:56 am
No new posts CICS - The value is getting Reset. krunalbafna CICS 11 Fri Dec 30, 2011 1:13 pm


Facebook
Back to Top
 
Mainframe Wiki | Forum Rules | Bookmarks | Subscriptions | FAQ | Tutorials | Contact Us