As a general objective, all users should be defined to RACF®. Users who are not
defined to RACF can use the
system virtually unimpeded, unless, of course, they attempt to access
data to which they are unauthorized.
The users you must initially define are those you have selected
for the pilot project and the central core of personnel who maintain
and operate the system itself. Other users can then be defined as
determined by convenience and the priority of their security needs.
You should consider defining the following users to RACF:
- Interactive users of CICS®, IMS™, TSO/E, NetView®, or other products that support logging
on at a terminal.
- z/OS UNIX users.
You use RACF commands to define
users to z/OS UNIX.
The z/OS UNIX attributes
are kept in the OMVS segment of the user's profile and can be specified
in addition to any existing attributes. The new attributes extend
the user's capabilities to include the use of z/OS UNIX functions.
In order to use z/OS UNIX services,
a user must have z/OS UNIX attributes
defined, such as a z/OS UNIX user identifier
(UID) in his or her user profile and a z/OS UNIX group identifier
(GID) in the group profile of his or her current connect group (the
user's default group or the one specified on the TSO LOGON screen
or job card). For more information, see RACF and z/OS UNIX.
- Users who submit batch jobs without first logging on to a terminal
(such as through a physical card reader).
- MVS™ or JES system operators.
You should work with your MVS or
JES system programmer to determine which MVS and
JES system operators should be defined to RACF. For more information, see Defining and grouping operators.
- Started procedures.
- Node names in an NJE network.
- RJP or RJE remote workstations or nodes.
- Console IDs if LOGON(AUTO) is specified in the CONSOLxx member
of SYS1.PARMLIB. For more information, see z/OS MVS Initialization and Tuning Reference.
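The z/OS UNIX item above says the GID lives in the connect group's OMVS segment and the UID in the user's OMVS segment. The following batch job, an added example that is not part of the IBM text, defines one such group and user and then lists both segments to verify them; the job card account, the group OMVSGRP, the user USER01, the UID/GID values, the password and the home directory are constructed placeholders.

```jcl
//DEFOMVS  JOB (ACCT),'DEFINE OMVS USER',CLASS=A,MSGCLASS=X
//*
//* Added example (not from the IBM documentation): give a pilot user
//* z/OS UNIX attributes. ACCT, OMVSGRP, USER01, the UID/GID numbers,
//* INITPW and /u/user01 are assumed placeholders.
//*
//* Step 1: the group profile gets an OMVS segment with a GID, because
//*         the user's current connect group is where the GID is taken
//*         from at logon; without it z/OS UNIX services are refused.
//* Step 2: the user profile gets an OMVS segment with a UID, a home
//*         directory and an initial program (the shell). Use a unique,
//*         non-zero UID: UID(0) grants superuser authority.
//* Step 3: LISTGRP / LISTUSER with the OMVS keyword confirm that both
//*         segments were created as intended.
//*
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP OMVSGRP OWNER(SYS1) SUPGROUP(SYS1) +
           OMVS(GID(1001))
  ADDUSER  USER01 NAME('PILOT USER') OWNER(OMVSGRP) +
           DFLTGRP(OMVSGRP) PASSWORD(INITPW) +
           OMVS(UID(1001) HOME('/u/user01') PROGRAM('/bin/sh'))
  LISTGRP  OMVSGRP OMVS
  LISTUSER USER01 OMVS
/*
```

The LISTUSER output for USER01 should show an OMVS INFORMATION section with the UID, HOME and PROGRAM values; if the user's connect group lacks a GID, the user is still defined to RACF but cannot use z/OS UNIX services.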
There are some advantages in defining all users to RACF:
- Defining all users provides for better administrative control
over who is using the system. This in turn can reduce misuse of system
resources.
- Attempted violations by undefined users are difficult to investigate,
because they do not have user IDs that are associated with real persons
or processes.
Whether all users are eventually defined to RACF is your decision. You might deem individual
accountability for a certain segment of the user population unnecessary
in some cases. Note that this can reduce your ability to determine
exactly who took security-relevant actions.