|
View previous topic :: View next topic
|
| Author |
Message |
tmisicko
New User
Joined: 20 Jul 2010
Posts: 5
Location: Harrisburg, PA
|
|
|
|
Hello,
I am a RACF security admin (2 years) and my boss recently asked me to find a means to restrict our helpdesks ability to reset passwords. Currently our helpdesk has control access to IRR.PASSWORD.RESET which basically gives them the ability to reset ANY user who doesn't have 'SPECIAL'. I've checked these forums, IBM, and googled it and still haven't found a single shop that has done this elsewhere. Is it possible to limit their ability any further or should I just throw in the towel and tell him it can't be done?
Thanks in advance for your advice / help,
Tim |
|
| Back to top |
|
 |
PeterHolland
Global Moderator
Joined: 27 Oct 2009
Posts: 2481
Location: Netherlands, Amstelveen
|
|
|
|
Fire the helpdesk is an option.
Or take their functionality away for doing that kind of things.
Helpdesks shouldnt have the power to reset users etc., the RACF people
only have to do those things after probably talking to some managers. |
|
| Back to top |
|
|
tmisicko
New User
Joined: 20 Jul 2010
Posts: 5
Location: Harrisburg, PA
|
|
|
|
Trust me I have thought about it but with over 13,000 users on our system us 5 lowly racf admins wouldn't be able to do anything other then reset passwords all day.  |
|
| Back to top |
|
|
PeterHolland
Global Moderator
Joined: 27 Oct 2009
Posts: 2481
Location: Netherlands, Amstelveen
|
|
|
|
Then i believe there is something very wrong in that/your organization.
I was working for a company with lots more than 13000 users, and only
2 or 3 people were allowed to reset users. And only after a good reason
was given to do that. |
|
| Back to top |
|
|
superk
Global Moderator
Joined: 26 Apr 2004
Posts: 4652
Location: Raleigh, NC, USA
|
|
|
|
| We addressed this with automation, since the Help Desk/Command Center guys don't have the ability to reset passwords, and the security guys didn't want to have to provide 24x7 support. When automation detects a password being suspended, it issues the reset command. It also logs this action and sends an email to the security team. Three resets in a row are allowed (for a unique id) before the automation stops, at which time a problem ticket is created for the security team, a call-out is placed, and they take it from there. |
|
| Back to top |
|
|
tmisicko
New User
Joined: 20 Jul 2010
Posts: 5
Location: Harrisburg, PA
|
|
|
|
That may work I'll have to discuss it with the boss.
Thank you |
|
| Back to top |
|
|
PeterHolland
Global Moderator
Joined: 27 Oct 2009
Posts: 2481
Location: Netherlands, Amstelveen
|
|
|
|
| superk wrote: |
| We addressed this with automation, since the Help Desk/Command Center guys don't have the ability to reset passwords, and the security guys didn't want to have to provide 24x7 support. When automation detects a password being suspended, it issues the reset command. It also logs this action and sends an email to the security team. Three resets in a row are allowed (for a unique id) before the automation stops, at which time a problem ticket is created for the security team, a call-out is placed, and they take it from there. |
That is very recognizable for me, we did that too (or something the same),
worked perfectly. But then you need automation to catch (i believe) ICH
messages. |
|
| Back to top |
|
|
|
|
