Levels of authority

You can delegate authority to a general user or group for resuming user IDs and resetting passwords and password phrases. To do so, define profiles in the FACILITY class to protect one or more of the following resources, based on the scope of authority you need to delegate.
IRR.PASSWORD.RESET
Use this resource when the scope of authority includes all users.
IRR.PWRESET.OWNER.owner
Use this resource when the scope of authority is a limited set of selected users based on owner of the user ID.
IRR.PWRESET.TREE.owner
Use this resource when the scope of authority is a limited set of selected users based on scope of a group tree.
IRR.PWRESET.EXCLUDE.excluded-user
Use this resource to exclude a user profile from the scope of IRR.PWRESET.OWNER.owner and IRR.PWRESET.TREE.owner authority.
Restriction: You cannot delegate authority through the IRR.PASSWORD.RESET or IRR.PWRESET resources to authorize a general user or group to resume a revoked user or reset the password or password phrase for a user with any of the following attributes. Only users with the SPECIAL attribute, or the appropriate group-SPECIAL attribute, have resume and reset authorities for users with these attributes:
  • SPECIAL
  • OPERATIONS
  • AUDITOR
  • ROAUDIT
  • PROTECTED
Table 1. Authorities you can delegate based on the access level to the IRR.PASSWORD.RESET, IRR.PWRESET.OWNER, IRR.PWRESET.TREE, and IRR.PWRESET.EXCLUDE resources
Access authority to the IRR.PASSWORD.RESET, IRR.PWRESET.OWNER, IRR.PWRESET.TREE, and IRR.PWRESET.EXCLUDE resources | Authorities for using the ALTUSER command that you can delegate to a general user or group
READ
  • Permits use of the PASSWORD operand to change a user's password (and set as expired).
    Restriction: You cannot use the PASSWORD operand to add a password for a user who does not have one.
  • Permits use of the PHRASE operand to change a user's password phrase (and set as expired).
    Restriction: You cannot use the PHRASE operand to add a password phrase for a user who does not have one.
  • Permits use of the RESUME operand, without specifying a date, to resume a revoked user.
UPDATE
  • Permits all authorities of READ access.
  • Permits use of the NOEXPIRED operand with the PASSWORD or PHRASE operand. (See Notes.)
CONTROL
  • Permits all authorities of UPDATE access.
  • Permits use of the PASSWORD or PHRASE operand to reset a user's password or password phrase within the system's minimum change interval.
Notes:
  1. Neither being the owner of the user profile, nor having the group-SPECIAL attribute, provides sufficient authority to use the NOEXPIRED operand.
  2. Only users who have the SPECIAL attribute can use the NOEXPIRED operand for users who have the SPECIAL, OPERATIONS, AUDITOR, or ROAUDIT attribute.
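The following Python sketch is an added example, not IBM or RACF code. It encodes the Restriction and Table 1 as a pre-check that a help-desk tool or an audit script could run against a requested ALTUSER operation. The names Request and check are hypothetical, the requests are constructed, and the sketch models only the rules stated on this page; it does not decide which IRR.PASSWORD.RESET or IRR.PWRESET profile covers a given target user.

```python
from dataclasses import dataclass

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}
# Target attributes that delegated reset authority never covers (the Restriction above).
NON_DELEGABLE = {"SPECIAL", "OPERATIONS", "AUDITOR", "ROAUDIT", "PROTECTED"}
TABLE_OPERANDS = {"PASSWORD", "PHRASE", "RESUME", "NOEXPIRED"}

@dataclass(frozen=True)
class Request:                      # hypothetical record of one ALTUSER request
    operands: frozenset
    target_attrs: frozenset = frozenset()
    resume_has_date: bool = False
    within_min_interval: bool = False   # reset falls inside the minimum change interval
    target_has_password: bool = True
    target_has_phrase: bool = True

def check(access: str, req: Request) -> tuple[bool, str]:
    """Decide whether FACILITY access level `access` covers `req` per Table 1."""
    ops = set(req.operands)
    blocked = sorted(set(req.target_attrs) & NON_DELEGABLE)
    if blocked:
        return False, "target has " + ",".join(blocked) + ": SPECIAL or group-SPECIAL required"
    if not ops or ops - TABLE_OPERANDS:
        return False, "operands outside Table 1"
    if "PASSWORD" in ops and not req.target_has_password:
        return False, "PASSWORD cannot add a password for a user who has none"
    if "PHRASE" in ops and not req.target_has_phrase:
        return False, "PHRASE cannot add a password phrase for a user who has none"
    if "RESUME" in ops and req.resume_has_date:
        return False, "only RESUME without a date is delegated"
    changing = ops & {"PASSWORD", "PHRASE"}
    if "NOEXPIRED" in ops and not changing:
        return False, "NOEXPIRED is delegated only with PASSWORD or PHRASE"
    needed = "READ"
    if "NOEXPIRED" in ops:
        needed = "UPDATE"
    if changing and req.within_min_interval:
        needed = "CONTROL"
    if LEVELS.get(access, 0) < LEVELS[needed]:
        return False, f"needs {needed} access, holder has {access}"
    return True, f"covered by {needed} access"

if __name__ == "__main__":
    # Constructed requests from a hypothetical help-desk ID holding UPDATE access.
    for r in (Request(frozenset({"PASSWORD", "RESUME"})),
              Request(frozenset({"PASSWORD", "NOEXPIRED"}), within_min_interval=True),
              Request(frozenset({"RESUME"}), target_attrs=frozenset({"AUDITOR"}))):
        print(sorted(r.operands), check("UPDATE", r))
```

Running the same requests at each access level shows which delegations are broader than a help-desk role needs, for example CONTROL where READ would cover every request actually made.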