RACF Trusted attribute on OPSMAIN/OPSOSF logon ids in CA OPS/MVS Event Management and Automation

Document ID : KB000016252
Last Modified Date : 14/02/2018
Introduction:

In reviewing security on some systems, it was discovered that the OPSMAIN/OPSOSF logon ids on RACF systems have the TRUSTED attribute. I cannot find any reason why we did it that way, as I don't see any references in the CA doc that it was required.

Question:

OPS/MVS RACF security question

Is there any value in keeping the TRUSTED attribute on the OPSMAIN/OPSOSF logon ids?

Environment:

CA OPS/MVS release 12.3

Answer:

It is likely that someone added the TRUSTED attribute in the past because OPS/MVS was not authorized to issue a specific command. If you are using the OPERCMDS class and did not define OPS/MVS as allowed to issue all commands, you may run into problems when the TRUSTED attribute is removed.
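
The REXX exec below is an added example, not taken from the CA documentation. It shows one way to review where TRUSTED is set and what the OPS/MVS ids are permitted to in OPERCMDS before removing the attribute. It assumes the started tasks are covered by STARTED class profiles named OPSMAIN.* and OPSOSF.*; substitute your site's profile names.

```rexx
/* REXX */
/* Added example. Assumed names: STARTED profiles OPSMAIN.* and       */
/* OPSOSF.* (site specific). Run under TSO with RACF authority to     */
/* list and alter these profiles.                                     */
Arg action .                          /* pass REMOVE to drop TRUSTED  */
ids = 'OPSMAIN OPSOSF'
Address TSO

"SETROPTS LIST"                       /* is OPERCMDS an active class? */

Do i = 1 To Words(ids)                /* where is TRUSTED set today?  */
  "RLIST STARTED" Word(ids,i)||".* STDATA NORACF"
End

/* Collect every OPERCMDS profile, then show its access list so the   */
/* permissions held by the OPS/MVS ids can be reviewed.               */
Call Outtrap 'prof.'
"SEARCH CLASS(OPERCMDS)"
Call Outtrap 'OFF'
Do i = 1 To prof.0
  name = Word(prof.i, 1)              /* drops a trailing (G) marker  */
  If name = '' | Left(name,3) = 'ICH' Then Iterate   /* message line  */
  "RLIST OPERCMDS" name "AUTHUSER"
End

/* Only after the access lists cover the commands OPS/MVS issues.     */
If action = 'REMOVE' Then Do
  Do i = 1 To Words(ids)
    "RALTER STARTED" Word(ids,i)||".* STDATA(TRUSTED(NO))"
  End
  "SETROPTS RACLIST(STARTED) REFRESH"
End
```

The STARTED class change takes effect the next time each address space is started, so test on a system where OPS/MVS can be recycled.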
