Before you begin: Ensure that your plan to maintain UNIX access control lists (ACLs)
and GID memberships includes the new unique UIDs and GIDs generated
by this method.
Perform the following steps to enable RACF® to automatically assign unique UIDs and
GIDs for users who use z/OS® UNIX services:
- See your system programmer to ensure that your RACF database is enabled for AIM stage 3. For details about using the IRRIRA00 utility to advance the RACF database to AIM stage 3, see z/OS Security Server RACF System Programmer's Guide.
- Define the SHARED.IDS profile, if not already defined, in the
UNIXPRIV class and activate and RACLIST the UNIXPRIV class. For instructions,
see Defining the SHARED.IDS profile in the UNIXPRIV class.
- Define the BPX.NEXT.USER profile in the FACILITY class, if not
already defined. For instructions, see Setting up the BPX.NEXT.USER profile.
- (Optional) Define a user profile to use as a model profile from which RACF can extract OMVS segment information. (You will specify the name of this profile in the APPLDATA field of the BPX.UNIQUE.USER profile in the FACILITY class in Step 5.)
Guidelines:
- Define the model profile to ensure that users who are automatically
assigned unique UIDs are assigned adequate OMVS information to enable
them to use UNIX services.
- Omit UID for this profile. No UID is required for its intended
purpose.
- Use this user profile only as the model profile for the BPX.UNIQUE.USER
profile. Do not use the user ID for any other purpose.
- Limit the use of this user ID by assigning the RESTRICTED and
NOPASSWORD attributes.
- Grant no access authority to the user ID. Do not add the user
ID to RACF access lists or
connect it to RACF groups that
might grant resource access.
- You can specify the string &RACUID in the HOME directory path name to have RACF substitute the user ID in the path name when the OMVS segment is created. If you specify &RACUID in uppercase, RACF substitutes the user ID in uppercase. If you specify any character in the string &RACUID in lowercase, RACF substitutes the user ID in lowercase.
- Only the first occurrence of the string is substituted.
- If you are sharing the RACF database with a release of z/OS earlier than V2R1 that does not have APAR OA42554 installed and that uses BPX.UNIQUE.USER to assign OMVS segments, the &RACUID string is not replaced when an OMVS segment is created on that system.
- If the substitution would result in a home directory path name
that exceeds the maximum length of 1023 characters, substitution does
not occur.
Example: The following command defines a model profile that contains a HOME value in the OMVS segment.
ADDUSER BPXMODEL NAME('OMVS model user profile')
OMVS(HOME('/tmp') PROGRAM('/bin/sh'))
NOPASSWORD RESTRICTED
Example: The following command defines a model profile
that substitutes the user ID in lowercase in the HOME value.
ADDUSER BPXMODEL NAME('OMVS model user profile')
OMVS(HOME('/u/&racuid') PROGRAM('/bin/sh'))
NOPASSWORD RESTRICTED
If the user TANIA has an OMVS segment created as a result of BPX.UNIQUE.USER processing, the home directory that is created is /u/tania.
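The &RACUID rules above (case of the token decides the case of the inserted user ID, only the first occurrence is replaced, and no substitution occurs if the result would exceed 1023 characters) can be checked against a few candidate HOME values before you commit a model profile. The following is an added illustration written for this page, not IBM code and not RACF's implementation: it models the documented rules so you can see what HOME value a given template would produce. The function name and the sample templates are constructed for the example; the token name and the 1023-character limit are from the text above.

```python
"""Model of the &RACUID substitution applied to the HOME path of a
BPX.UNIQUE.USER model profile (illustration written for this page, not IBM code).
Rules encoded: first occurrence only; token case decides user-ID case;
no substitution when the result would exceed 1023 characters."""

import re

MAX_HOME_LEN = 1023  # maximum home directory path name length (from the page)
# Match the token in any mix of case; the case check is done on the match itself.
RACUID_TOKEN = re.compile(r"&racuid", re.IGNORECASE)


def substitute_racuid(home_template: str, user_id: str) -> str:
    """Return the HOME value that would be stored for user_id.

    - Only the first occurrence of &RACUID is replaced.
    - A token written entirely in uppercase inserts the user ID in uppercase;
      a token with any lowercase character inserts it in lowercase.
    - If the substituted path would exceed MAX_HOME_LEN, the template is
      returned unchanged (no substitution occurs).
    """
    match = RACUID_TOKEN.search(home_template)
    if match is None:
        return home_template

    token = match.group(0)
    # str.isupper() ignores the uncased '&', so "&RACUID" counts as uppercase
    # and any lowercase letter in the token makes it False.
    replacement = user_id.upper() if token.isupper() else user_id.lower()

    candidate = home_template[:match.start()] + replacement + home_template[match.end():]
    if len(candidate) > MAX_HOME_LEN:
        return home_template
    return candidate


def preview(home_template: str, *user_ids: str) -> dict:
    """Show the HOME value each listed user would get from one template."""
    return {uid: substitute_racuid(home_template, uid) for uid in user_ids}


if __name__ == "__main__":
    # Constructed sample templates; TANIA is the user from the page's example.
    for template in ("/u/&racuid", "/u/&RACUID", "/home/&racuid/&racuid", "/tmp"):
        print(f"{template!r:28} -> {preview(template, 'TANIA', 'tsoadm1')}")
```

The example shows why the guideline to write the token consistently matters: `/u/&racuid` yields `/u/tania` for TANIA, while `/u/&RACUID` yields `/u/TANIA`, and a second token in the same path is left as the literal string `&racuid`.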
- Define the BPX.UNIQUE.USER profile in the FACILITY
class and specify the name of the model profile in the APPLDATA field.
Example:
RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('BPXMODEL')
Rule: Specify no generic characters in the BPX.UNIQUE.USER profile name.
If you do not want to propagate any OMVS information from a model profile, do not specify APPLDATA.
Example:
RDEFINE FACILITY BPX.UNIQUE.USER
- If the FACILITY class is RACLISTed, activate your new FACILITY
profiles by refreshing the FACILITY class.
Example:
SETROPTS RACLIST(FACILITY) REFRESH
You need not activate and RACLIST the FACILITY class to enable automatic assignment of unique IDs. However, if the FACILITY class is already RACLISTed, you must refresh the class.
You have now enabled RACF to
automatically assign unique IDs for users without OMVS segments when
they use z/OS UNIX services. All users are now able to access z/OS UNIX services
because they are automatically assigned a UID when they attempt to
access a z/OS UNIX service for the first time.
If you want to prevent certain users from being able to access z/OS UNIX services, define an OMVS segment with no UID for those users. This prevents their user IDs from being automatically assigned a UID. When they attempt to use a z/OS UNIX service, the dub will fail, and a daemon will be unable to switch to these user IDs.
Example:
ALTUSER TSOADM1 OMVS(NOUID)