IBM Mainframe Forum

Hello,

I am still fairly new to RACF however my boss asked me if there was a way that I could restrict our help desks ability to reset passwords even further then just limiting it to ID's that do not have any extra attributes.
I found this on IBM's website:

z/OS V1.10
RACF password administration design will be changed to allow more selective authority for resetting passwords to be granted. This support is designed to allow you to grant individuals the capability to reset passwords for one or more users or the users that are members of one or more groups without having the system-wide RACF SPECIAL attribute or access to the system-wide IRR.PASSWORD.RESET profile in the FACILITY class.

Our Helpdesk already has been given control access to irr.password.reset but again that gives them the ability to reset any password that doesn't have special, operations, etc. Is there any way to drill it down even further weather its something in RACF or a special utility that may need to be installed. I am really at a loss, any help would be greatly appreciated.

Thank you

You are already in the correct manual RACF Administrator's Guide. Chapt 25 Authorizing Help desk Functions
This manual does everything except issue the commands for you. You can Allow the help desk group by Owner, Tree, or exclude certain users.
Look a little more for the "Excluding Selected Users" to get what you want.