IBM Mainframe Forum

Hi All,
I need some help on OPERATIONS user attribute on RACF.
From the manual I understand that OPERATIONS attribute has full access authorization to all RACF protected resources in DATASETS and some storage related resource classes like DASDVOL,TAPEVOL etc.,

Hope a user with ALTER access to the dataset/resource profiles can also able to work on datasets, perform input/output operations on tape volume.
In that case , who/which team really need OPERATIONS attribute( like RACF administrators need RACF SPECIAL, auditors need RACF AUDITOR attribute)?

Backup jobs, submitted using SURROGATE from a scheduler? No person should normally have it, it can be assigned by the RACF team if really needed for an emergency.
Just my 2 cents.

I had OPERATIONS and SPECIAL authority in previous role, I think it helps in working with storage volumes, Disaster recovery, replication, and some RACF tasks related to other user's datasets.
SPECIAL authority helped in running some zSecure audit reports, not really sure.
But it was a lawless shop where two people had all the available accesses and had to perform Storage, MVS, CICS, Endevor, some RACFadministration, Performance and Capacity. Fun times.

I think that security scopes also protects the personel. I remember one instance where something bad happened to production and I could safely say that it couldn't be me as I didn't have access, even though I was in the systems team. Of course in a purely system test environment I would like operations, just to be able to install and test products. In a prduction environment I'd rather not have that authority.

OPERATIONS use should only be necessary in rare instances where other storage administration authorities are insufficient to manage a dataset, such as deleting orphaned temporary datasets when TEMPDSN is active or managing a dataset where the RACF-indicated bit is ON but no discrete profile exists (better still, turn the bit OFF in such situations). Ideally, it should only be assigned to alternate "break-glass" storage administrators IDs or to vaulted IDs. I'm not a fan of assigning it to Firecall IDs as it grants too much authority. For more on the storage administration authorities that can replace OPERATIONS, see my presentation on this topic which is available on my website. Here's the link. I have replaced OPERATIONS use with these authorities on many occasions.
https://www.rshconsulting.com/RSHpres/R ... y_2019.pdf