Defining restricted user IDs
You can define a restricted user ID by assigning the RESTRICTED attribute through the ADDUSER or ALTUSER command. Restricted user IDs cannot be used to access protected resources they are not specifically authorized to access. Access authorization for restricted user IDs bypasses global access checking. In addition, the UACC of a resource and an ID(*) entry on the access list are not used to enable a restricted user ID to gain access.
The RESTRICTED attribute does not prevent users from gaining access to z/OS UNIX file system resources unless you take certain steps. See Controlling access to file system resources for restricted users for information about preventing restricted users from gaining access to file system resources they are not explicitly authorized to access.
The RESTRICTED attribute can be added to shared user IDs, such as PUBLIC and ANONYMOS, that are assigned by application servers that allow users to enter the system without identifying themselves. Without the RESTRICTED attribute, users that are assigned shared user IDs can gain access to any resource that has an ID(*) entry in the access list, UACC, or global entry that allows access.
ALTUSER ANONYMOS RESTRICTED
A restricted user ID has the RESTRICTED attribute displayed in the output of the LISTUSER command.
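The following Python sketch is an added example, not IBM code or RACF output. It models the access rules described above (global access checking, ID(*) entries and UACC are skipped for a restricted user ID) to list which resources a shared ID such as ANONYMOS reaches today only through those implicit paths and would stop reaching once RESTRICTED is set. The profile names, the global table contents and the rule that an explicit access-list entry is decisive are assumptions of the model; group entries and other RACF checks are left out.

```python
# Simplified model of the access decision described in this section.
# All profile names and table contents below are constructed sample data.
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user ID or "*" -> level

def grant_path(user, restricted, profile, wanted, global_table):
    """Return the path that grants `wanted` access, or None when denied."""
    enough = lambda level: LEVELS[level] >= LEVELS[wanted]
    # Global access checking is bypassed for restricted user IDs.
    if not restricted and enough(global_table.get(profile.name, "NONE")):
        return "GLOBAL"
    # Assumption: an explicit entry for the user ID is decisive either way.
    if user in profile.access_list:
        return "EXPLICIT" if enough(profile.access_list[user]) else None
    if restricted:
        return None  # ID(*) and UACC are not used for restricted user IDs
    if enough(profile.access_list.get("*", "NONE")):
        return "ID(*)"
    return "UACC" if enough(profile.uacc) else None

def restricted_impact(user, profiles, wanted, global_table):
    """Map each resource the ID reaches only implicitly to the path used."""
    impact = {}
    for p in profiles:
        before = grant_path(user, False, p, wanted, global_table)
        after = grant_path(user, True, p, wanted, global_table)
        if before and not after:
            impact[p.name] = before
    return impact

GLOBAL_TABLE = {"SYS1.HELP": "READ"}
PROFILES = [
    Profile("PAYROLL.DATA", uacc="READ"),
    Profile("APP.CONFIG", access_list={"*": "READ"}),
    Profile("SYS1.HELP"),
    Profile("WEB.STATIC", access_list={"ANONYMOS": "READ"}),
    Profile("HR.SECRET", access_list={"ANONYMOS": "NONE"}),
]

if __name__ == "__main__":
    for name, path in restricted_impact("ANONYMOS", PROFILES, "READ", GLOBAL_TABLE).items():
        print(f"{name}: reachable today via {path}, denied once RESTRICTED")
```

Resources that appear in the result need an explicit access-list entry for the shared ID if the application must keep reaching them after the attribute is set.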